Depending on your familiarity with the Cloud Security Alliance (CSA) publications, part one of this blog was intended as either an introduction or a nagging reminder of the ‘Egregious Eleven’ security threats to cloud computing. It also hopefully made some helpful observations about the first six items on the list. Part two now looks at the remaining five threats, starting with:

7 – Insecure APIs

Application programming interfaces (APIs) are the unseen fulcrums for much of the usability and functionality found in the cloud. They help create fresh digital models by leveraging and re-purposing existing resources, as well as acting as the gateway to brand new services. But messily constructed, layered interfaces that use unverified and sometimes poorly written third-party APIs may end up delivering unintended and wholly unwelcome consequences. Whilst dropping from third in the ‘Treacherous Twelve’ to seventh in the Egregious Eleven, insecure interfaces and APIs were still named the single biggest vulnerability to cloud security by 42 percent of respondents to the 2019 (ISC)² cloud security report.

To help address this threat, formal vetting and approval processes should be applied to external APIs in the same way as to any other software component your business uses. Wider consideration should also be given to securing the different types of API. As one simple example, whilst ‘REpresentational State Transfer’ or REST offers a lighter-weight format than SOAP, it has no message-level security standard of its own (SOAP has WS-Security), so a REST endpoint depends entirely on its transport: it should be served only over TLS, with certificate and hostname validation enforced by every client that calls it, and authentication and authorization applied to every endpoint rather than assumed from the network.
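The client side of that advice is easy to get wrong (disabling certificate verification to "make it work" is the classic mistake), so here is an added example, not code from the original post, of a small REST client policy in Python's standard library: it refuses plaintext or credential-bearing URLs, pins a TLS context that requires TLS 1.2 or later with certificate and hostname verification, and attaches a bearer token on every request. The endpoint `https://api.example.com/v1/items` and the token value are placeholders.

```python
"""Minimal REST client policy: refuse non-TLS endpoints, pin a strict TLS context.

Added illustration; the endpoint and token below are placeholders, not real services.
"""
import ssl
from typing import Optional
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Policy floor: anything older than TLS 1.2 is refused at the handshake.
MIN_TLS = ssl.TLSVersion.TLSv1_2


class ApiPolicyError(ValueError):
    """Raised when a request would violate the API security policy."""


def validate_api_url(url: str) -> str:
    """Return the URL unchanged if it is https with a hostname and no embedded credentials."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        # A REST call over plain http exposes the token and the payload on the wire.
        raise ApiPolicyError(f"refusing non-TLS endpoint: {url}")
    if not parsed.hostname:
        raise ApiPolicyError(f"URL has no hostname: {url}")
    if parsed.username or parsed.password:
        # Credentials in the URL leak into logs, proxies and browser history.
        raise ApiPolicyError("credentials embedded in the URL are not allowed")
    return url


def url_is_allowed(url: str) -> bool:
    """Boolean form of validate_api_url, convenient for filtering a list of endpoints."""
    try:
        validate_api_url(url)
        return True
    except ApiPolicyError:
        return False


def build_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Strict TLS context: TLS 1.2+, peer certificate required, hostname checked.

    The weak counterpart is ssl._create_unverified_context(), which accepts any
    certificate and silently permits an active attacker in the path.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # loads system (or given) CA bundle
    ctx.minimum_version = MIN_TLS
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_request(url: str, token: str) -> Request:
    """Validate the URL and attach the bearer token; every call goes through here."""
    req = Request(validate_api_url(url), method="GET")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


def call_api(url: str, token: str, cafile: Optional[str] = None, timeout: float = 10.0) -> bytes:
    """Perform the request under the pinned TLS context (network access required)."""
    with urlopen(build_request(url, token), context=build_tls_context(cafile), timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Placeholder endpoint: this call only succeeds against a real, TLS-served API.
    for candidate in ("http://api.example.com/v1/items", "https://api.example.com/v1/items"):
        print(candidate, "allowed" if url_is_allowed(candidate) else "refused by policy")
```

Routing every outbound call through `build_request` and `build_tls_context` gives you one place to audit, and the two checks on `minimum_version` and `verify_mode` are the ones to assert in a unit test so a later "temporary" `verify_mode = CERT_NONE` cannot slip in unnoticed.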

8 – Weak Control Plane

Explained in refreshingly plain English by this helpful meta-analysis, a weak ‘control plane’ in this particular context is where “a cloud service does not provide adequate or sufficient security controls to meet the security requirements of the customer.”