Top Threat #4 to Cloud Computing: Lack of Cloud Security Architecture and Strategy
Published 09/17/2022
Written by the CSA Top Threats Working Group.
The CSA Top Threats to Cloud Computing Pandemic Eleven report aims to raise awareness of threats, vulnerabilities, and risks in the cloud. The latest report highlights the Pandemic Eleven top threats, in which the pandemic and the complexity of workloads, supply chains, and new technologies shifted the cloud security landscape.
This blog summarizes the fourth threat (of eleven) from the report: lack of cloud security architecture and strategy. Learn more about threat #2 here and threat #3 here.
What a Cloud Security Strategy Entails
Cloud security architecture and strategy encompasses cloud deployment models, cloud service models, cloud service providers (CSPs), service region availability zone, specific cloud services, general principles, and pre-determinations. A forward-looking design of IAM, networking and security controls across different cloud accounts, vendors, services, and environments are in scope. Consideration of strategy should precede and dictate design, but it is common that cloud challenges demand an incremental and agile approach to planning.
Inadequate Strategy in Cloud Endeavors
The fast pace of change and the prevalent, decentralized, self-service approach to cloud infrastructure administration hinder the ability to account for technical and business considerations and conscious design. However, security considerations and risks must not be ignored if cloud endeavors are to be successful and safe. Lacking such planning may lead to cloud environments and applications failing to become resilient to cyber attacks.
Business Impact
The absence of a cloud security strategy and architecture limits the viability for effective enterprise and infrastructure security architecture to be implemented. Failing to meet security or compliance goals results in fines and breaches, or in costly workarounds, refactoring and migrating.
What Are the Key Takeaways?
Here are some things to consider:
- Business objectives, risk, security threats, and legal compliance in cloud services and infrastructure design and decisions.
- Cloud services and infrastructure strategy and design principles.
- Due diligence and third-party vendor security assessments as foundational practices.
Example
In January 2021, a US clothing store, Bonobos, owned by Walmart, suffered a massive data breach exposing millions of customers’ personal information. A threat actor known as ShinyHunters posted their full database inclusive of customers’ addresses, phone numbers, partial credit card numbers, and orders made on the site. This occurred due to a compromise of an external cloud backup service hosting the backup file. A selection of access controls, encryption, vendor security, redundancy, and other domains can be employed to limit the impacts or likelihood of similar breaches.
Learn more about this threat and the other 10 top threats in our Top Threats to Cloud Computing Pandemic Eleven publication.
Related Articles:
CSA Community Spotlight: Nerding Out About Security with CISO Alexander Getsin
Published: 11/21/2024
The Lost Art of Visibility, in the World of Clouds
Published: 11/20/2024
Top Threat #5 - Third Party Tango: Dancing Around Insecure Resources
Published: 11/18/2024
Group-Based Permissions and IGA Shortcomings in the Cloud
Published: 11/18/2024