Discuss this topic in Circle
Have an interesting article or video on this topic that you want to share? Anyone can join the discussion community for this topic to share ideas or ask questions.View discussion community
Participate in Top Threats Research
This group aims to provide organizations with an up-to-date, expert-informed understanding of cloud security risks, threats and vulnerabilities in order to make educated risk-management decisions regarding cloud adoption strategies.
|‘One of the key issues is a lack of experience’: Security teams struggle amid shift to cloud||SC Magazine||May 26, 2022|
|Ransomware, bad and bogus. Updates on the cyber phases of Russia's hybrid war.||The CyberWire||June 07, 2022|
|RSA Conference 2022 - Announcements Summary (Day 2)||Security Week||June 08, 2022|
|Cloud Security Alliance's Top Threats to Cloud Computing: Pandemic 11 Report Finds Traditional Cloud Security Issues Becoming Less Concerning||VMBlog||June 07, 2022|
|Cloud computing: Here's the security threat you should be most worried about||ZDNet||June 09, 2022|
Research for Cloud Security Threats
CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.
Top Threats to Cloud Computing: Egregious Eleven
Read an up-to-date, expert-informed understanding of the top cloud security concerns facing the industry in order to make educated risk-management decisions regarding cloud adoption strategies. In this fourth installment of the Top Threats Report, we again surveyed 241 industry experts on security issues in the cloud industry. This year our respondents rated 11 salient threats, risks and vulnerabilities in their cloud environments. After analyzing the responses in this survey, we noticed a drop in the ranking of traditional cloud security issues under the responsibility of cloud service providers (CSPs). Concerns such as denial of service, shared technology vulnerabilities and CSP data loss and system vulnerabilities—which all featured in the previous Treacherous 12—were now rated so low they have been excluded in this report. These omissions suggest that traditional security issues under the responsibility of the CSP seem to be less of a concern. I...
Top Threats to Cloud Computing: Egregious Eleven Deep Dive
This report provides case study analyses for last year’s The Egregious 11: Top Threats to Cloud Computing and a relative security industry breach analysis. Using nine actual attacks and breaches, including a major financial services company, a leading enterprise video communications firm, and a multinational grocery chain for its foundation, the paper connects the dots between the CSA Top Threats in terms of security analysis. Each of the nine examples are presented in the form of (1) a reference chart and (2) a detailed narrative. The reference chart’s format provides an attack-style synopsis of the actor spanning from threats and vulnerabilities to end controls and mitigations. These anecdotes will let cybersecurity managers, cloud architects, and cloud engineers better communicate with executives and peers in addition t...
Cloud Penetration Testing Playbook
As cloud services continue to enable new technologies and see massive adoption there is a need to extend the scope of penetration testing into public cloud systems and components. The process described here aims to provide the foundation for a public cloud penetration testing methodology and is designed for current and future technologies that are hosted on public cloud environments or services. In particular, this document focuses on penetration testing of applications and services hosted in the cloud. It addresses the methodological and knowledge gaps in security testing of information systems and applications in public cloud environments.This work focuses on testing systems and services hosted in public cloud environments. This refers to customer-controlled or customer-managed systems and services. For example, a custom virtual machine, managed and controlled by the cloud customer, in an IaaS environment would be in-scope whereas the h...