CSA Report Surfaces Cloud Attack Patterns

The Cloud Security Alliance (CSA) this week published a free report intended to make it easier for cybersecurity teams to recognize and thwart the most 11 egregious threats to cloud computing environments.

John Yeoh, global vice president of research for the CSA, said the “Top Threats to Cloud Computing: Egregious 11 Deep Dive” report maps recent attacks against organizations, including a major financial services company, a leading enterprise video communications firm and a multinational grocery chain, against the threats identified by CSA.

Each of the mitigation controls profiled in these cases studies is mapped to how frequently they were relevant in the context of the 16 domains defined in the Cloud Controls Matrix, said Yeoh.

Identity and access management controls (IAM) were the most relevant mitigation in this year’s report, accounting for eight of the nine case studies. IAM controls are referenced 15 times and SEF controls are referenced 17 times in the cited attacks. Security incident management, e-Discovery and Cloud Forensics (SEF), including planning for an attack fallout and executing on the plan, was deemed paramount to successfully dealing with all but one of the incidents cited.

Yeoh said misconfigurations generally are still the primary root cause of cloud security incidents. For the most part, cybersecurity criminals are using relatively simple tools to scan for ports that have been left open because a cloud service was misconfigured when organizations used tools for managing infrastructure as code. Cybercriminals can either exfiltrate data or deploy malware as they see fit, he said.

The challenge organizations are struggling with when it comes to securing clouds has very little to do with the platforms themselves. Under a shared responsibility approach to cybersecurity, each cloud service provider makes certain the underlying platform is secure. Things go awry most often when IT teams deploy applications because developers either misconfigure a service or deploy something using default settings that are inherently insecure. In an on-premises IT environment, a security team would review an application before it’s deployed. However, in the age of the cloud a cybersecurity team may not even be aware an application workload has been deployed.

Many organizations are now trying to bridge the divide between cybersecurity and developers by promoting the adoption of best DevSecOps practices. The report published by CSA is intended to help organizations first recognize types of breaches and the most appropriate response as part of an effort to improve the overall muscle memory of the organization when it comes addressing cloud security, said Yeoh.

At this juncture, it’s not so much a question of whether organizations will address cloud security issues as much as it is how soon and effectively. DevSecOps pushes more responsibility for application security further left toward developers that are in a better position to address issues before an application is deployed. Most of the developers would rather have to tools to address these issues in their hands versus waiting for a cybersecurity team to pour over a backlog of applications waiting to be deployed. The challenge from a cybersecurity perspective then becomes finding a way to verify the appropriate security controls across a rapidly expanding base of applications have actually been put in place.

Avatar photo

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

mike-vizard has 747 posts and counting.See all posts by mike-vizard