CSA Official Press Release
CSA Releases Top Threats to Cloud Computing: Deep Dive
Paper identifies chief cloud security risks, how they fit in a greater security analysis
BLACKHAT LAS VEGAS – AUGUST 8, 2018 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, today announced the release of the Top Threats to Cloud Computing: Deep Dive, a case-study analysis that provides more technical details dealing with architecture, compliance, risk and mitigations for each of the cloud computing threats and vulnerabilities identified in the Treacherous 12: Top Threats to Cloud Computing (2016).
“Last year’s Top Threats report cited multiple recent examples of issues found in the original Treacherous 12 survey, and while those anecdotes allowed cybersecurity managers to better communicate with executives and peers, they did not provide in-depth detail of how everything fits together from a security analysis standpoint,” said Jon-Michael C. Brook, co-chair of the Top Threats Working Group and a principal/Security, Cloud & Privacy at Guide Holdings. “This new report addresses those limitations and offers additional details and actionable information that identify where and how top threats fit in a greater security analysis, while simultaneously providing a clear understanding of how lessons, mitigations and concepts can be applied in real-world scenarios.”
“Security professionals recognize that the Treacherous 12 threats provide only a fraction of the whole picture. Other factors, such as actors, risk, vulnerabilities, and impacts, must also be considered,” said J.R. Santos, executive vice president/Research for CSA. “To address these missing elements, the Top Threats Working Group decided the next document would provide even greater context that could act as a springboard for architects and engineers conducting their own analysis of security issues in cloud computing and comparisons.”
This case study attempts to connect all the dots when it comes to risk management by using the following nine anecdotes cited in the Top Threats for its foundation:
- LinkedIn (Top Threats: Data Breaches; Insufficient Identity, Credential and Access Management; Account Hijacking; Denial of Service; Shared Technology Vulnerabilities)
- MongoDB (Top Threats: Data Breaches; Insufficient Identity, Credential and Access Management; Insecure Interfaces and APIs; Malicious Insiders; Data Loss)
- Dirty Cow (Top Threats: Insufficient Identity, Credential and Access Management; System Vulnerabilities)
- Zynga (Top Threats: Data Breaches; Insufficient Identity, Credential and Access Management; Malicious Insiders)
- Net Traveler (Top Threats: Data Breaches; Advanced Persistent Threats; Data Loss)
- Yahoo! (Top Threats: Data Breaches; Data Loss; Insufficient Due Diligence)
- Zepto (Top Threats: Data Breaches; Data Loss; Abuse and Nefarious Use of Cloud Services)
- DynDNS (Top Threats: Insufficient Identity, Credential and Access Management; Denial of Service)
- Cloudbleed Top Threats: Data Breaches; Shared Technology Vulnerabilities)
Each of the examples are presented as both a reference chart and detailed narrative. The reference chart’s format offers an attack-style synopsis of the actor, spanning from threats and vulnerabilities to associated controls and mitigations. The longer-form narratives provide additional context (such as how an incident came to pass or how it should be dealt with). For cases where details—such as impacts or mitigations—were not discussed publicly, the working group extrapolated to include expected outcomes and possibilities.
The paper goes on to outline recommended Cloud Controls Matrix (CCM) domains, sorted according to how often controls within the domains are relevant as a mitigating control. [Mitigations and controls applicable to the nine case studies cover 13 of the 16 Cloud Controls Matrix (CCM) domains.]
The CSA Top Threats Working Group is responsible for providing needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. The CSA invites interested companies and individuals to support the group’s research and initiatives. Companies and individuals interested in learning more or joining the group can visit the Top Threats Working Group page.
Download the Top Threats to Cloud Computing: Deep Dive now.
About Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.
For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.