Top Threat #6 to Cloud Computing: Unsecure Third-Party Resources
Blog Article Published: 10/30/2022
Written by the CSA Top Threats Working Group.
The CSA Top Threats to Cloud Computing Pandemic Eleven report aims to raise awareness of threats, vulnerabilities, and risks in the cloud. The latest report highlights the Pandemic Eleven top threats, in which the pandemic and the complexity of workloads, supply chains, and new technologies shifted the cloud security landscape.
What is a Third-Party Resource?
With the increase in the adoption of cloud computing, third-party resources have come to mean different things: from open source code and SaaS products, to managed services provided by a cloud vendor. Risks from third-party resources are also considered supply chain vulnerabilities because third parties are involved in delivering your products or services. The risks exist in every product and service consumed.
Where is Your Weak Link?
Because a product or service is the sum of all the other products and services it uses, an exploit can start at any point in the chain and work from there. For the malicious hacker, this means that to achieve their goal, they only need to find the weakest link in the chain and use it as an entry point.
The direct business effects of unsecure third-party resources include:
- Loss or stoppage of key business processes.
- Business data being accessed by outside parties.
- Patching or fixing a security issue depends on the provider and how quickly they respond. The impact of this can be crucial depending on the importance of the application.
What Are the Key Takeaways?
Here are some key takeaways to consider:
- You can’t prevent vulnerabilities in code that you didn’t create, but you can still try to make good decisions about which product to use.
- Identify and track the third parties you are using.
- Perform a periodic review of the third-party resources to remove products you don’t need and revoke access or permissions.
- Penetration-test your application, use secure coding practices, and use static and dynamic application security testing solutions.
From May 2019 until August 2021, the Volkswagen Group suffered from a data breach caused by one of its vendors, who left a storage service unprotected for almost two years. The breached data included Personally Identifiable Information (PII) and more sensitive financial data involving 3.3 million customers.
Learn more about this threat and the other 10 top threats in our Top Threats to Cloud Computing Pandemic Eleven publication.