
Key Takeaways – Top Threats to Cloud Computing Report (2020)

I just re-read the “Top Threats to Cloud Computing Egregious Eleven Deep Dive” (2020) by the Cloud Security Alliance. There is a lot of good stuff (or bad stuff, depending on your vantage point). I like this report because it has use cases that illustrate real threats and weaknesses; it is also data-driven, not Elmer F.U.Dd-driven! The report has “Key Takeaways” sections too.


I highly recommend reading it and revising your architecture and processes as needed. I highlighted (in bold) a few key takeaways that are particularly important for you security architects to consider.

Summary

The authors make the following summary statement in the beginning of the report.

Identity and Access Management (IAM) controls were the most relevant mitigation in this year’s report, accounting for 8 of the 9 case studies. Security Incident Management, e-Discovery and Cloud Forensics (SEF), including planning for an attack fallout and executing on the plan was paramount to successfully dealing with all but one of the incidents cited. Both IAM and SEF accounted for 17 controls each.

Key Takeaways

The authors outline the following takeaways:

  1. Data inventory/lifecycle practices for archiving, disposal, and destruction limit data exposure.
  2. Be aware of the cloud service’s metadata that can be exposed with misconfigurations
  3. Over-privileged cloud apps allow access to too much data when compromised
  4. Enable Multi-Factor Authentication (MFA) to ensure strong user authentication.
  5. Implement different set of login credentials for different services on the same platform to ensure compromise of one account does not affect the other services.
  6. User awareness campaign to ensure users follow security best practices such as use of strong and unique password per account.
  7. Data stored in the cloud should be secured through encryption and the use of IAM facilities
  8. 3rd party security service providers should be vetted to make sure they are trustworthy and follow standard security practices
  9. The agility of cloud services enables more human error, design flaws and policy violations. More investments into control and correction of existing and planned states are necessary
  10. Cloud services and assets exhibit a broader external attack surface; its discovery and reduction are key.
  11. Sound architecture & design of cloud systems, networks, accounts and identities, as well as other defense in depth considerations are beneficial even for smaller cloud-using organizations and environments.
  12. Consumers have to be aware of the hidden dangers of installing apps into their mobile devices without understanding the true impact to their privacy
  13. Always protect sensitive data storage via encryption
  14. Have a detailed, tested incident response plan at the ready, including arrangements for additional network and filter capacity in an emergency
  15. Perform appropriate threat modeling
  16. Lower attack surface through best practice network design (ACLs, Firewalls, port and protocol blocking, deny)
  17. Proper threat modelling allows security architects and developers time to evaluate control gaps
  18. Security Protections built in not bolted on
  19. Service provider agreements should clearly state security responsibilities of the supplier
  20. Conduct periodic security assurance audits to verify vendor conformance against organizational policies, procedures and standards.