Research Topic

Top Threats

The shift from traditional client/server to service-based models is transforming the way technology departments deliver computing technology and applications. However, cloud computing has also created new security vulnerabilities, including security issues whose full impacts are still emerging.

What is CSA doing to help address threats to cloud computing?
CSA created a bi-annual survey report to help the industry stay up to date on the latest threats, risks, and vulnerabilities in the cloud. Such issues are often the result of the shared, on-demand nature of cloud computing. In these reports, we survey industry experts on security issues in the cloud industry, and they rate salient threats, risks, and vulnerabilities in their cloud environments. These reports allow cybersecurity managers to better communicate with executives and peers and provide context for discussions with technical staff.

How can your organization address these threats?
How have organizations dealt with these cloud threats in real life? CSA’s series of case studies helps identify where and how those threats fit in a greater security analysis, while providing a clear understanding of how lessons and mitigation concepts can be applied in real-world scenarios. This group has also created a playbook for penetration testing in cloud environments, as well as guidance on how to approach threat modeling for cloud systems.


Participate in Top Threats Research

This group aims to provide organizations with an up-to-date, expert-informed understanding of cloud security risks, threats and vulnerabilities in order to make educated risk-management decisions regarding cloud adoption strategies.


Research for Cloud Security Threats

CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.

Top Threats to Cloud Computing: Egregious Eleven

Read an up-to-date, expert-informed understanding of the top cloud security concerns facing the industry in order to make educated risk-management decisions regarding cloud adoption strategies. In this fourth installment of the Top Threats Report, we again surveyed 241 industry experts on security issues in the cloud industry. This year our respondents rated 11 salient threats, risks and vulnerabilities in their cloud environments. After analyzing the responses in this survey, we noticed a drop in the ranking of traditional cloud security issues under the responsibility of cloud service providers (CSPs). Concerns such as denial of service, shared technology vulnerabilities and CSP data loss and system vulnerabilities—which all featured in the previous Treacherous 12—were now rated so low they have been excluded in this report. These omissions suggest that traditional security issues under the responsibility of the CSP seem to be less of a concern. I...

Top Threats to Cloud Computing: Egregious Eleven Deep Dive

This report provides case study analyses for last year’s The Egregious 11: Top Threats to Cloud Computing and a relative security industry breach analysis. Using nine actual attacks and breaches, including a major financial services company, a leading enterprise video communications firm, and a multinational grocery chain for its foundation, the paper connects the dots between the CSA Top Threats in terms of security analysis. Each of the nine examples is presented in the form of (1) a reference chart and (2) a detailed narrative. The reference chart’s format provides an attack-style synopsis of the actor spanning from threats and vulnerabilities to end controls and mitigations. These anecdotes will let cybersecurity managers, cloud architects, and cloud engineers better communicate with executives and peers in addition t...

Cloud Penetration Testing Playbook

As cloud services continue to enable new technologies and see massive adoption, there is a need to extend the scope of penetration testing into public cloud systems and components. The process described here aims to provide the foundation for a public cloud penetration testing methodology and is designed for current and future technologies that are hosted on public cloud environments or services. In particular, this document focuses on penetration testing of applications and services hosted in the cloud. It addresses the methodological and knowledge gaps in security testing of information systems and applications in public cloud environments. This work focuses on testing systems and services hosted in public cloud environments. This refers to customer-controlled or customer-managed systems and services. For example, a custom virtual machine, managed and controlled by the cloud customer, in an IaaS environment would be in-scope whereas the h...

Webinars

Building Better Incident Responders
May 25 | Online

Cloud security with continuous security validation
May 25 | Online

5 Critical Capabilities for Compliance in Public Cloud
May 12 | Online

Don’t Shift-Left or Shift-Right: CSPM and CWPP just need to have a conversation
May 10 | Online

Blog Posts

Attack Vector vs. Attack Surface: What is the Difference?
The One Cloud Threat Everyone Is Missing
Prioritizing Cloud Security Threats: What You Need to Know