Cloud 101CircleEventsBlog
CSA's Continuous Audit Metrics Working Group is expanding! Help shape the future of cloud assurance.

CSA Official Press Release

Published 08/09/2019

CSA Releases New Research - Top Threats to Cloud Computing: 
Egregious Eleven

CSA Releases New Research - Top Threats to Cloud Computing: 
Egregious Eleven

Research shows traditional security issues falling by the wayside while those stemming from senior management decisions of increasing concern

LAS VEGAS – AUGUST 6, 2019 BLACKHAT2019 - The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, today announced the release of Top Threats to Cloud Computing: The Egregious Eleven, a new report which re-examines the risks inherent with cloud security and takes a new approach, examining the problems inherent in configuration and authentication, rather than the traditional focus on vulnerabilities and malware.

This year’s report differs from past iterations most noticeably in that many traditional cloud security issues that fall to cloud service providers (CSPs) — denial of service, shared technology vulnerabilities, CSP data loss and system vulnerabilities, etc. — which featured in the previous Treacherous 12, have dropped off the list. This suggests that traditional security issues are either being well addressed or are no longer perceived as a significant business risk of cloud adoption, while those that are the result of senior management decisions around cloud strategy and implementation are of increasing concern.

The latest report, which provides controls recommendations and reference examples meant to be of use to compliance, risk, and technology staff, highlights the following Egregious Eleven (ranked in order of significance):

  1. Data Breaches
  2. Misconfiguration and inadequate change control
  3. Lack of cloud security architecture and strategy
  4. Insufficient identity, credential, access and key management
  5. Account hijacking
  6. Insider threat
  7. Insecure interfaces and APIs
  8. Weak control plane
  9. Metastructure and applistructure failures
  10. Limited cloud usage visibility
  11. Abuse and nefarious use of cloud services

“New, top-ranking items in the survey are more nuanced, and suggest a maturation of security professionals’ understanding of the cloud, and the emerging issues that are harder to address as infrastructure becomes more secure and attackers more sophisticated. The new issues highlighted in this version of the report are inherently specific to the cloud and suggest a technology landscape where security professionals are actively considering cloud migration. We hope this Top Threats report raises organizational awareness of the top security issues that require more industry attention and research, ensuring that they are taken into consideration when budgeting for cloud migration and security,” said Jon-Michael C. Brook, co-chair of the Top Threats Working Group and a principal contributor to the industry.

“The complexity of cloud can be the perfect place for attackers to hide, offering concealment as a launchpad for further harm. Unawareness of the threats, risks and vulnerabilities makes it more challenging to protect organizations from data loss. The security issues outlined in this iteration of the Top Threats report, therefore, are a call to action for developing and enhancing cloud security awareness, configuration and identity management,” said John Yeoh, Global Vice President/Research for CSA.

The CSA Top Threats Working Group is responsible for providing needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. Companies and individuals interested in learning more or joining the group can visit the Top Threats Working Group page.

Download the full report now.

Share this content on your favorite social network today!

About Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.

For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.