The Cloud Security Alliance recently released its 2017 report on "The Treacherous 12," a detailed list of the most significant cloud security threats. The list was compiled by surveying industry experts and combining the results with risk analysis to determine the threats that are most prevalent for organizations storing data in the cloud. The list includes:
- Data Breaches
- Insufficient Identity, Credential and Access Management
- Insecure Interfaces and APIs
- System Vulnerabilities
- Account Hijacking
- Malicious Insiders
- Advanced Persistent Threats
- Data Loss
- Insufficient Due Diligence
- Abuse and Nefarious Use of Cloud Services
- Denial of Service
- Shared Technology Vulnerabilities
An interesting observation is how similar cloud security threats are to the risks of storing data anywhere else. The data in the cloud is still stored in a data center, and it can still be accessed by hackers via many of the same methods they have always used, such as email phishing, weak passwords and a lack of multifactor authentication.
There seems to be a general opinion among many organizations that storing your data in the cloud -- specifically in infrastructure as a service -- outsources the security completely, with an almost out-of-sight, out-of-mind attitude. However, as cloud service providers will point out, there is a shared responsibility model: although the cloud provider may be in charge of the underlying infrastructure, your organization is responsible for the security of the applications and data that reside on that hardware.
The top cloud security threats
The key cloud security threats worth highlighting from "The Treacherous 12" report are the insider threat, the risk of data loss and insufficient due diligence. They demonstrate the casual attitude many organizations have about the use and management of cloud services.
There are many cases where organizations use cloud services as a way of bypassing what is seen as an overly restrictive IT department, whereas, in reality, the IT team is trying to protect the data. By bypassing the IT team and signing up for cloud services without their consent, the business can think it's becoming more agile in its approach, but in reality, it is circumventing restrictions that were designed to reduce the risk of a data breach.
There are many different SaaS providers offering tools and services to organizations with slick marketing and promises of positive ROI. However, the due diligence that is done on these services is lacking, which may be surprising.
For example, if your organization outsources its HR data to a small SaaS company, performing security due diligence on it should be a key prerequisite. That company may spend only a fraction of what your organization spends on security, and it may be a very attractive target for hackers because of the data it stores. Your organization's data may be far more likely to be stolen through that third party.
You also may be reliant on that organization's backups to prevent data loss; storing critical data on another company's network leaves your organization at even greater risk. There is also the added risk of insider attacks; the employees of the SaaS company have not been through your vetting procedures, and its processes for monitoring staff may not be as robust as yours.
Overall, the Cloud Security Alliance's report successfully highlights the key cloud security threats and just how similar those risks are to storing data anywhere else. It provides a timely reminder to ensure that enterprises treat the data they store in the cloud with the same care and attention that they would if they were storing it on premises.