By Keren Pollack, on November 13th, 2019

The Cloud Security Alliance (CSA) published its annual report for top threats, risks, and vulnerabilities in the cloud for 2019.

 

The CSA is a world-leading organization dedicated to establishing best practices to ensure a secure cloud computing environment. The CSA Top Threats report was produced after surveying 241 industry experts on security issues in the cloud industry. 11 issues were rated as the top threats, risks, and vulnerabilities in the cloud industry; some were rated in earlier reports, and some have the dubious honor of appearing on this list for the first time.

Top 11 threats according to the CSA:

  1. Data Breaches
  2. Misconfiguration and Inadequate Change Control
  3. Lack of Cloud Security Architecture and Strategy
  4. Insufficient Identity, Credential, Access, and Key Management
  5. Account Hijacking
  6. Insider Threat
  7. Insecure Interface and APIs
  8. Weak Control Plane
  9. Metastructure and Applistructure Failure
  10. Limited Cloud Usage Visibility
  11. Abuse and Nefarious Use of Cloud Services

 

This report presents new emerging issues in cloud security, leaving ‘hot’ topics such as denial of service, shared technology vulnerability and CSP data loss out of the top 11 list. Instead, highly rated in the survey are more nuanced issues, suggesting maturation in the understanding of the cloud.


Misconfiguration and inadequate change control:

Ranked second in the Top Threats report, and making its first appearance in it, is the Misconfiguration and Inadequate Change Control security issue. It is no coincidence that this issue was absent from former reports but is now ranked so high. Malicious activity based on this attack vector is becoming more prevalent and more painful than ever. Businesses acknowledge this issue as a top security priority and are investing resources in solutions in this area.

Misconfiguration occurs when computing assets are set up incorrectly, often leaving the asset vulnerable to malicious activity. Misconfiguration of cloud resources is a leading cause of data breaches, especially when it affects critical assets in the cloud infrastructure.

 

In addition, because cloud environments are more complex than traditional IT, controlling change processes becomes highly challenging. A change can be applied within seconds or minutes, so cloud assets are easily affected both by deliberate, malicious configuration changes and by everyday, unintentional configuration drift.

According to the CSA, it is solely the customer’s responsibility to maintain a securely configured cloud environment, as the cloud service provider sets its default configurations for maximal functionality rather than security. The potential business impact of a misconfigured item can be severe, depending of course on the asset that is misconfigured.

Why is configuring cloud resources securely so hard?

If configuring cloud resources securely were easy, it wouldn’t be ranked as a top threat. Changing a configuration may damage the functionality of the asset. Functionality and security often don’t go hand in hand, and when they conflict, hard choices need to be made. Moreover, understanding in which cases the two conflict is a complex project in its own right. As discussed earlier, the complexity of the cloud environment makes it hard to control and to keep track of. When a configuration change is desired, its impact needs to be analyzed before implementation. To understand this impact, lab testing needs to be conducted, which consumes time and resources. This is a mistake-prone process that can cost the business a lot if (or when) mistakes do happen, so this subject often gets neglected.


CSA Key Takeaways for Misconfiguration and Change Control:

  1. Cloud-based resources are highly complex and dynamic, making them challenging to configure.
  2. Traditional controls and change management approaches are not effective in the cloud.
  3. Companies should embrace automation and employ technologies that scan continuously for misconfigured resources and remediate problems in real-time.
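
The continuous scan in the third takeaway can be pictured as comparing each configuration snapshot against a hardened baseline and reporting only what has newly drifted. The sketch below is an added example, not code from the CSA report or from CalCom's product; the resource names, setting names and both snapshots are constructed for illustration.

```python
from dataclasses import dataclass

# Hardened baseline per resource type (hypothetical setting names).
BASELINE = {
    "bucket": {"public_access": False, "encryption_at_rest": True},
    "vm": {"ssh_open_to_internet": False, "audit_logging": True},
}

# Constructed snapshots of the same two resources, taken minutes apart.
SNAPSHOT_T0 = {
    "bucket/reports": {"type": "bucket", "public_access": False, "encryption_at_rest": True},
    "vm/web-1": {"type": "vm", "ssh_open_to_internet": False},  # audit_logging never set
}
SNAPSHOT_T1 = {
    "bucket/reports": {"type": "bucket", "public_access": True, "encryption_at_rest": True},
    "vm/web-1": {"type": "vm", "ssh_open_to_internet": False},
}

@dataclass(frozen=True)
class Finding:
    resource: str
    setting: str
    expected: object
    actual: object  # None: setting absent, so the provider default applies

def scan(snapshot, baseline=BASELINE):
    """Every setting that differs from, or is missing relative to, the baseline."""
    findings = []
    for resource, config in sorted(snapshot.items()):
        for setting, expected in baseline.get(config.get("type"), {}).items():
            actual = config.get(setting)
            if actual != expected:
                findings.append(Finding(resource, setting, expected, actual))
    return findings

def new_drift(previous, current, baseline=BASELINE):
    """Findings in the current snapshot that the previous snapshot did not have."""
    known = set(scan(previous, baseline))
    return [f for f in scan(current, baseline) if f not in known]

def remediation_plan(findings):
    """(resource, setting, value to restore) for each finding."""
    return [(f.resource, f.setting, f.expected) for f in findings]

if __name__ == "__main__":
    for step in remediation_plan(new_drift(SNAPSHOT_T0, SNAPSHOT_T1)):
        print("restore", step)
```

Separating `scan` from `new_drift` keeps long-standing gaps left by defaults (the unset `audit_logging`) apart from changes introduced since the last snapshot, which is the case that needs a fast response.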

 

Automation? Remediation in real-time?

CHS by CalCom does that for you. CalCom Hardening Solution (CHS) is a server configuration hardening automation solution designed to reduce operational costs and increase the server’s security and compliance posture. CHS eliminates outages and reduces hardening costs by indicating the impact of a security configuration change on production services. It ensures a resilient, constantly hardened and monitored server environment.