Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
CSA Startup Showcase
Member Portal
STAR Program
STAR Home
STAR Registry
STAR for AI
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Education
Online Education Platforms
CSA Training
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Trusted AI Safety Expert (TAISE)
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Strategic Initiatives
Explore CSA's Strategic Initiatives
AI Safety Initiative
Compliance Automation Revolution
Zero Trust Advancement Center
CxO Trust
FinCloud Security
Trusted Cloud Consultant
Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
CSA Startup Showcase
Member Portal
STAR Program
STAR Home
STAR Registry
STAR for AI
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Education
Online Education Platforms
CSA Training
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Trusted AI Safety Expert (TAISE)
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Strategic Initiatives
Explore CSA's Strategic Initiatives
AI Safety Initiative
Compliance Automation Revolution
Zero Trust Advancement Center
CxO Trust
FinCloud Security
Trusted Cloud Consultant
ChaptersEventsBlog
Join us on September 3rd for The Evolution of Cloud Network Security webinar. Register now!

Research Topic

Top Threats

Latest ResearchWorking Group
Top Threats to Cloud Computing Pandemic Eleven
Top Threats to Cloud Computing Pandemic Eleven

Download

Research Topics
About Topic
Working Group
Discussion Community
Publications
Home
Research
Top Threats
The shift from traditional client/server to service-based models is transforming the way technology departments deliver computing technology and applications. However, cloud computing has also created new security vulnerabilities, including security issues whose full impacts are still emerging.

What is CSA doing to help address threats to cloud computing?
CSA created a bi-annual survey report to help the industry stay up to date on the latest threats, risks, and vulnerabilities in the cloud. Such issues are often the result of the shared, on-demand nature of cloud computing. In these reports we survey industry experts on security issues in the cloud industry and they rate salient threats, risks and vulnerabilities in their cloud environments. These reports allow cybersecurity managers to better communicate with executives and peers and provide context for discussions with technical staff.

How can your organization address these threats?
How have organizations dealt with these cloud threats in real life? CSA’s series of case studies help identify where and how those threats fit in a greater security analysis, while providing a clear understanding of how lessons and mitigation concepts can be applied in real-world scenarios. This group has also created a playbook for penetration testing in cloud environments and as well as guidance for how to approach threat modeling for cloud systems.


Top ThreatsCloud Incident Response

Discuss this topic in Circle

View discussion community

Participate

View the working group

Press MentionSourceDate
‘One of the key issues is a lack of experience’: Security teams struggle amid shift to cloudSC MagazineMay 26, 2022
Ransomware, bad and bogus. Updates on the cyber phases of Russia's hybrid war.The CyberWireJune 07, 2022
RSA Conference 2022 - Announcements Summary (Day 2)Security WeekJune 08, 2022
Cloud Security Alliance's Top Threats to Cloud Computing: Pandemic 11 Report Finds Traditional Cloud Security Issues Becoming Less ConcerningVMBlogJune 07, 2022
Cloud computing: Here's the security threat you should be most worried aboutZDNetJune 09, 2022
View all

Research for Cloud Security Threats

CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.

Top Threats to Cloud Computing: Egregious Eleven

Top Threats to Cloud Computing: Egregious Eleven

Read an up-to-date, expert-informed understanding of the top cloud security concerns facing the industry in order to make educated risk-management decisions regarding cloud adoption strategies. In this fourth installment of the Top Threats Report, we again surveyed 241 industry experts on security issues in the cloud industry. This year our respondents rated 11 salient threats, risks and vulnerabilities in their cloud environments. After analyzing the responses in this survey, we noticed a drop in the ranking of traditional cloud security issues under the responsibility of cloud service providers (CSPs). Concerns such as denial of service, shared technology vulnerabilities and CSP data loss and system vulnerabilities—which all featured in the previous Treacherous 12—were now rated so low they have been excluded in this report. These omissions suggest that traditional security issues under the responsibility of the CSP seem to be less of a concern. I...

Discover the top threats to cloud
Top Threats to Cloud Computing: Egregious Eleven Deep Dive

Top Threats to Cloud Computing: Egregious Eleven Deep Dive

This report provides case‌ ‌study‌ ‌analyses‌ ‌for‌ last year’s ‌The‌ ‌Egregious‌ ‌11:‌ ‌Top‌ ‌Threats‌ ‌to‌ ‌Cloud‌ ‌Computing and a relative security industry breach analysis. Using nine actual attacks and breaches, including a major financial services company, a leading enterprise video communications firm, and a multinational grocery chain for its foundation, the paper connects the dots between the CSA Top Threats in terms of security analysis. Each of the nine examples are presented in the form of (1) a reference chart and (2) a detailed narrative. The reference chart’s format provides an attack-style synopsis of the actor spanning from threats and vulnerabilities to end controls and mitigations. These anecdotes will let cybersecurity managers, cloud architects, and cloud engineers better communicate with executives and peers in addition t...

Download the case studies
Cloud Penetration Testing Playbook

Cloud Penetration Testing Playbook

As cloud services continue to enable new technologies and see massive adoption there is a need to extend the scope of penetration testing into public cloud systems and components. The process described here aims to provide the foundation for a public cloud penetration testing methodology and is designed for current and future technologies that are hosted on public cloud environments or services. In particular, this document focuses on penetration testing of applications and services hosted in the cloud. It addresses the methodological and knowledge gaps in security testing of information systems and applications in public cloud environments.This work focuses on testing systems and services hosted in public cloud environments. This refers to customer-controlled or customer-managed systems and services. For example, a custom virtual machine, managed and controlled by the cloud customer, in an IaaS environment would be in-scope whereas the h...

Access the playbook
View All Research

Webinars

Reducing the Attack Surface in the Cloud

Reducing the Attack Surface in the Cloud

Online
October 14, 2021

Watch now

Impact of Digital Transformation on Security Strategy

Impact of Digital Transformation on Security Strategy

Online
October 28, 2021

Watch now

Cloud Imposter: Using SSO to Stage a SaaS Invasion

Cloud Imposter: Using SSO to Stage a SaaS Invasion

Online
October 19, 2021

Watch now

Standardize Identity Security: From On-Prem to Multi-Cloud

Standardize Identity Security: From On-Prem to Multi-Cloud

Online
November 16, 2021

Watch now

View All Webinars

Blog Posts

Looking Back on a Successful Social Engineering Attack: Retool 2023
Read Now
Inadequate Database Security: A Case Study of the 2023 Darkbeam Incident
Read Now
The Hidden Cost of Trust: New Data Reveals Alarming Employee Engagement with Vendor Email Compromise
Read Now
View All Blog Posts