What is CSA doing to help address threats to cloud computing?
CSA created a bi-annual survey report to help the industry stay up to date on the latest threats, risks, and vulnerabilities in the cloud. Such issues are often the result of the shared, on-demand nature of cloud computing. In these reports we survey industry experts on security issues in the cloud industry and they rate salient threats, risks and vulnerabilities in their cloud environments. These reports allow cybersecurity managers to better communicate with executives and peers and provide context for discussions with technical staff.
How can your organization address these threats?
How have organizations dealt with these cloud threats in real life? CSA’s series of case studies helps identify where and how those threats fit in a greater security analysis, while providing a clear understanding of how lessons and mitigation concepts can be applied in real-world scenarios. This group has also created a playbook for penetration testing in cloud environments, as well as guidance on how to approach threat modeling for cloud systems.
This group aims to provide organizations with an up-to-date, expert-informed understanding of cloud security risks, threats and vulnerabilities in order to make educated risk-management decisions regarding cloud adoption strategies.
Sep 30, 2021, 07:00AM PDT
Working Group Leadership
Research for Cloud Security Threats
CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.
Top Threats to Cloud Computing: Egregious Eleven
Read an up-to-date, expert-informed understanding of the top cloud security concerns facing the industry in order to make educated risk-management decisions regarding cloud adoption strategies. In this fourth installment of the Top Threats Report, we again surveyed 241 industry experts on security issues in the cloud industry. This year our respondents rated 11 salient threats, risks and vulnerabilities in their cloud environments. After analyzing the responses in this survey, we noticed a drop in the ranking of traditional cloud security issues under the responsibility of cloud service providers (CSPs). Concerns such as denial of service, shared technology vulnerabilities and CSP data loss and system vulnerabilities—which all featured in the previous Treacherous 12—were now rated so low they have been excluded in this report. These omissions suggest that traditional security issues under the responsibility of the CSP seem to be less of a concern. Instea...
Top Threats to Cloud Computing: Egregious Eleven Deep Dive
This report provides case study analyses for last year’s The Egregious 11: Top Threats to Cloud Computing and a relative security industry breach analysis. Using nine actual attacks and breaches, including a major financial services company, a leading enterprise video communications firm, and a multinational grocery chain for its foundation, the paper connects the dots between the CSA Top Threats in terms of security analysis. Each of the nine examples is presented in the form of (1) a reference chart and (2) a detailed narrative. The reference chart’s format provides an attack-style synopsis of the actor spanning from threats and vulnerabilities to end controls and mitigations. These anecdotes will let cybersecurity managers, cloud architects, and cloud engineers better communicate with executives and peers in addition to pro...
Cloud Penetration Testing Playbook
As cloud services continue to enable new technologies and see massive adoption, there is a need to extend the scope of penetration testing into public cloud systems and components. The process described here aims to provide the foundation for a public cloud penetration testing methodology and is designed for current and future technologies that are hosted on public cloud environments or services. In particular, this document focuses on penetration testing of applications and services hosted in the cloud. It addresses the methodological and knowledge gaps in security testing of information systems and applications in public cloud environments. This work focuses on testing systems and services hosted in public cloud environments. This refers to customer-controlled or customer-managed systems and services. For example, a custom virtual machine, managed and controlled by the cloud customer, in an IaaS environment would be in-scope whereas the hypervisor of an ...
|Article|Publication|Date|
|---|---|---|
|CSA Report Surfaces Cloud Attack Patterns|Security Boulevard|September 25, 2020|
|Cloud Security Alliance Releases Top Threats to Cloud Computing: Egregious 11 Deep Dive; Articulates Cloud Computing’s Most Significant Issues|Container Journal|September 23, 2020|
|Analysis of attacks reveals the top threats to cloud computing|Beta News|September 23, 2020|
|Cloud Security Alliance Releases 11 Top Threats to Cloud Computing|MeriTalk|September 30, 2020|
|Cloud computing threats|Professional Security|September 30, 2020|