
Top Threat #4 to Cloud Computing: Lack of Cloud Security Architecture and Strategy

Published 09/17/2022

Written by the CSA Top Threats Working Group.

The CSA Top Threats to Cloud Computing Pandemic Eleven report aims to raise awareness of threats, vulnerabilities, and risks in the cloud. The latest report highlights the Pandemic Eleven top threats, in which the pandemic and the complexity of workloads, supply chains, and new technologies shifted the cloud security landscape.

This blog summarizes the fourth threat (of eleven) from the report: lack of cloud security architecture and strategy. Learn more about threat #2 here and threat #3 here.


What a Cloud Security Strategy Entails

Cloud security architecture and strategy encompasses cloud deployment models, cloud service models, cloud service providers (CSPs), service regions and availability zones, specific cloud services, general principles, and pre-determinations. A forward-looking design of IAM, networking, and security controls across different cloud accounts, vendors, services, and environments is in scope. Consideration of strategy should precede and dictate design, but it is common that cloud challenges demand an incremental and agile approach to planning.

Inadequate Strategy in Cloud Endeavors

The fast pace of change and the prevalent, decentralized, self-service approach to cloud infrastructure administration hinder the ability to account for technical and business considerations and conscious design. However, security considerations and risks must not be ignored if cloud endeavors are to be successful and safe. Lacking such planning may lead to cloud environments and applications failing to become resilient to cyber attacks.

Business Impact

The absence of a cloud security strategy and architecture limits the viability of implementing an effective enterprise and infrastructure security architecture. Failing to meet security or compliance goals results in fines and breaches, or in costly workarounds, refactoring, and migration.

What Are the Key Takeaways?

Here are some things to consider:

  1. Business objectives, risk, security threats, and legal compliance in cloud services and infrastructure design and decisions.
  2. Cloud services and infrastructure strategy and design principles.
  3. Due diligence and third-party vendor security assessments as foundational practices.

Example

In January 2021, a US clothing store, Bonobos, owned by Walmart, suffered a massive data breach exposing millions of customers’ personal information. A threat actor known as ShinyHunters posted their full database inclusive of customers’ addresses, phone numbers, partial credit card numbers, and orders made on the site. This occurred due to a compromise of an external cloud backup service hosting the backup file. A selection of access controls, encryption, vendor security, redundancy, and other domains can be employed to limit the impacts or likelihood of similar breaches.


Learn more about this threat and the other 10 top threats in our Top Threats to Cloud Computing Pandemic Eleven publication.
