As the cloud expands to include more applications, data, and business processes, end users may also outsource their security to vendors.
According to an industry survey, many companies feel the need to control security and not hand the ultimate responsibility to cloud providers. The Cloud Security Alliance, which released a survey of 241 industry experts, identified 11 cloud security issues.
The survey authors note that many of this year’s most pressing issues place the security burden on enterprise end users, not service providers. “We have observed a drop in the ranking of traditional cloud security issues under the responsibility of cloud service providers. Issues such as denial of service, shared technology vulnerabilities, data loss, and cloud provider system vulnerabilities, all of which were featured in the previous report ‘Treacherous 12’, were categorized as These omissions indicate that traditional security issues that lie with the cloud service provider appear to be less of a concern. Instead, we find that there is a greater need to address security issues that rank higher in the Technology group which is the result of decisions made by management.”
These findings align with another recent survey, conducted by Forbes Insights and VMware, which found that proactive companies resist the temptation to outsource security to cloud service providers — only 31% of executives said they outsource a lot of security measures to cloud providers. However, 94% of them use cloud services for some aspect of security.
Key Interests in 2022
The latest report from the Cloud Security Alliance highlights this year’s top concerns:
- Data breaches. The report’s authors note that “data has become the primary target of cyberattacks.” “Determining the commercial value of data and the impact of its loss is of critical importance to organizations that own or process the data.” Moreover, “data protection is evolving towards the issue of who can access it,” they add. “Encryption techniques can help protect data, but they negatively impact system performance while making applications less user-friendly.”
- Misconfiguration and insufficient change control. “Cloud-based resources are very complex and dynamic, which makes them difficult to configure. Traditional controls and change management methods are not effective in the cloud.” According to the authors, “Businesses must embrace automation and employ technologies that constantly analyze misconfigured resources and address issues in real time.”
- Lack of cloud security architecture and strategy. “Ensure that the security architecture aligns with business goals and objectives. Develop and implement a security architecture framework.”
- Inadequate management of identities, credentials, access and keys. “Secure accounts, including two-factor authentication and limited use of root accounts. Exercise stricter identity and access controls for users and cloud identities.”
- Account theft. “This is a threat that must be taken seriously. Defense in depth and IAM [identity and access management, Ed.] controls are essential to mitigate account takeover.”
- Insider threat. Taking steps to reduce negligence from within can help mitigate the consequences of insider threats. Train your security teams so that they can properly install, configure, and monitor computer systems, networks, mobile devices, and backup devices. The authors also recommend “regularly educating employees about training”. “Provide training to your employees to educate them on how to manage security risks, such as phishing, and protect corporate data that they carry outside of the company on their laptops and mobile devices.”
- Insecure interfaces and APIs. Practice good API hygiene. Best practices include diligent monitoring of things like inventory, testing, auditing, and safeguards against abnormal activity. Additionally, “consider using standard and open API frameworks (e.g., Open Cloud Computing Interface (OCCI) and Cloud Infrastructure Management Interface (CIMI)).”
- Weak control plane. “The cloud customer must perform their due diligence and determine if the cloud service they intend to use has an appropriate level of control.”
- Infrastructure and applications failure. “Cloud service providers need to provide visibility and disclosure to counteract the inherent lack of transparency in the cloud for tenants. All vendors are required to perform penetration testing and provide results to customers.”
- Limited visibility of cloud usage. “Mitigating risks begins with developing an end-to-end cloud visibility effort. Enforce company-wide training on acceptable cloud usage policies. All uncertified cloud services must be reviewed and approved by a cloud security engineer or third-party risk manager.”
- Abuse and nefarious use of cloud services. “Businesses need to monitor their employees in the cloud, as traditional mechanisms are not able to mitigate the risks posed by using cloud services.”