2 egregious cloud security threats the CSA missed

My interesting weekend reading was this Cloud Security Alliance (CSA) report, which was vendor sponsored, highlighting 11 cloud security threats that should be on top of everyone’s mind. These threats are described as “egregious.”

CSA surveyed 241 experts on security issues in the cloud industry and came up with these top 11 threats:

  1. Data breaches
  2. Misconfiguration and inadequate change control
  3. Lack of cloud security architecture and strategy
  4. Insufficient identity, credential, access, and key management
  5. Account hijacking
  6. Insider threat
  7. Insecure interfaces and APIs
  8. Weak control plane
  9. Metastructure and applistructure failures
  10. Limited cloud usage visibility
  11. Abuse and nefarious use of cloud services

This is a pretty good report, by the way. It’s free to download, and if you’re interested in the evolution of cloud computing security, it’s a good read.  

However, no report can be so comprehensive that it lists all threat patterns, or even derivatives to the threat patterns listed. I have a couple to add that I’m seeing over and over again.

  1. Lack of proactive cloud monitoring systems joined at the hip with cloud security systems.

By the time attacks are identified they often do not look like attacks. Some tool watches something change over time, such as CPU and storage system saturation, and a non-security-focused ITops tool, such as an AIops tool, spots the issue. There needs to be a way for that alert to be shared with the cloud security system so it can take evasive action using automation.

I’ve heard too many stories of attacks using any number of vectors that were discovered by an ITops tool and not by the security system. The reality is that security is systemic to all that is cloud, including usage and performance monitoring, governance systems, database monitoring, etc. Chances are these systems will pick up the shenanigans before the security system knows what’s going on. This is why the various systems need to be integrated and talk to each other. Most are not these days.

  1. Cloud security that’s too complex and time consuming. 

Many in the cloud security space use the phrase “You never can be too secure.” Guess what? You can.

As we get into the whole world of multifactor identification, passwords that have to change monthly, and encryption that hinders performance, we can make security a burden that costs way too much. What’s interesting is that the more complex the security systems, the less secure they seem to be. How is this the case?

It comes down to human behavior. If cloud users are asked to change their passwords every month, guess what?  They just write the passwords down in digital memo systems, or I’ve seen them stuck to the screen using sticky notes. 

Moreover, I’ve seen people bypass encryption because it slows things down too much, even if there are compliance issues. Basically, humans will trade security for convenience or ease of doing their jobs.  

The answers are not easy. Sure, you can be a jerk and come down on those violating security policies like a ton of bricks, but that will backfire as well.  

The answer is to move to a more passive security plan. This means leveraging security solutions such as biometrics, where looking into a retinal scanner takes the place of frequently changed passwords. Also, encryption services can run on separate servers, thus reducing the impact on performance. 

Of course, we can go on for days identifying threats, either existing or emerging. The smarter approach is to look at your own cloud deployment rather than focusing on what others are calling “threats.”  

Posted by Contributor