As the cloud expands to more applications, data, and business processes, end users may also outsource their security to vendors.
According to an industry survey, many companies feel the need to take control of security and not hand over the ultimate responsibility to cloud service providers. The Cloud Security Alliance, which released its survey of 241 industry experts, identified 11 cloud security issues.
The survey’s authors point out that many of this year’s most pressing issues are placing the security burden on enterprise end-users, rather than on service providers. “We have noticed a drop in the ranking of traditional cloud security issues under the responsibility of cloud service providers. Issues such as denial of service, shared technology vulnerabilities, data loss, and cloud provider system vulnerabilities, all of which featured in the previous “Treacherous 12” report, were rated so low that they were excluded. of this report. These omissions suggest that traditional security issues that are the responsibility of the cloud service provider seem less of a concern. Instead, we find there is more need to address security issues that are higher up the technology stack and are the result of decisions made by management. »
These results align with another recent survey, from Forbes Insights and VMware, which found that proactive companies resist the temptation to outsource security to their cloud service providers – only 31% of executives say they outsource a lot of security measures. to cloud service providers. Yet 94% of them use cloud services for some aspect of security.
The main concerns in 2022
The latest report from the Cloud Security Alliance highlights this year’s top concerns:
- Data Breaches. “Data is becoming the main target of cyberattacks,” the report’s authors point out. “Defining the business value of data and the impact of its loss is of critical importance to organizations that own or process data. Furthermore, “data protection is evolving towards the question of who has access to it”, they add. “Encryption techniques can help protect data, but they negatively impact system performance while making applications less user-friendly. »
- Poor configuration and inadequate change control. “Cloud-based resources are very complex and dynamic, which makes configuring them difficult. Traditional controls and change management approaches are not effective in the cloud. According to the authors, “Enterprises must embrace automation and employ technologies that continuously analyze misconfigured resources and remediate issues in real time.”
- Lack of cloud security architecture and strategy. “Make sure the security architecture aligns with business goals and objectives. Develop and implement a security architecture framework. »
- Insufficient management of identities, credentials, access and keys. “Secure accounts, including two-factor authentication and limited use of root accounts. Practice the strictest identity and access controls for users and cloud identities. »
- Account hijacking. This is a threat that must be taken seriously. “Defense in depth and IAM controls [Identity and Access Management, NDLR] are critical to mitigating account hijacking. »
- Internal threat. “Taking steps to minimize insider neglect can help mitigate the consequences of insider threats. Train your security teams so they can properly install, configure, and monitor your computer systems, networks, mobile devices, and backup devices. The authors also recommend to “regularly educate employees about training. Provide training to your employees to educate them on how to manage security risks, such as phishing and protecting corporate data they carry outside the company on laptops and mobile devices” .
- Unsecured interfaces and APIs. “Practice good API hygiene. Best practices include diligent monitoring of things like inventory, testing, auditing, and safeguards against abnormal activity. Additionally, “consider using standard and open API frameworks (e.g., Open Cloud Computing Interface (OCCI) and Cloud Infrastructure Management Interface (CIMI)”.
- Weak control plane. “The cloud customer should do their due diligence and determine if the cloud service they intend to use has an adequate control plane. »
- Metastructure and applistructure failures. “Cloud service providers need to provide visibility and expose mitigations to counteract the cloud’s inherent lack of transparency for tenants. All vendors should perform penetration testing and provide the results to customers. »
- Limited cloud usage visibility. “Risk mitigation begins with developing a comprehensive top-down cloud visibility effort. Enforce company-wide training on accepted cloud usage policies and their enforcement. All unapproved cloud services must be reviewed and approved by the cloud security architect or third party risk management. »
- Abuse and misuse of cloud services. “Companies need to monitor their employees in the cloud because traditional mechanisms are unable to mitigate the risks posed by the use of cloud services. »
Source: ZDNet.com