Black Hat 2024: Cloud Security Alliance releases Top Threats to Cloud Computing 2024 Report
Black Hat Conference—Traditional cloud security issues often associated with cloud service providers (CSPs) are continuing to decrease in importance, according to the Top Threats to Cloud Computing 2024 report, the latest installment in the Top Threats to Cloud Computing series from the Cloud Security Alliance (CSA).
These findings continue the trajectory first seen in the 2022 report, as does the fact that threats such as persistent misconfigurations, Identity and Access Management (IAM) weaknesses, insecure application programming interfaces (APIs), and the lack of a comprehensive security strategy continue to rank high, highlighting their critical nature.
“It’s tempting to think that the reason the same issues have remained in the top spots since the report was last issued stems from a lack of progress in securing these features. The larger picture, however, speaks to the importance placed on these vulnerabilities by organizations and the degrees to which they are working to build ever more secure and resilient cloud environments,” said Michael Roza, co-chair, Top Threats Working Group, and one of the paper’s lead authors.
The 2024 Top Threats ranked the following concerns in order of significance (with applicable previous rankings). Of note, concerns such as denial of service, shared technology vulnerabilities, and CSP data loss, which were featured in 2022, were now rated low enough to be excluded from this report:
- Misconfiguration and inadequate change control (#3)
- Identity and Access Management (IAM) (#1)
- Insecure interfaces and APIs (#2)
- Inadequate selection/implementation of cloud security strategy (#4)
- Insecure third-party resources (#6)
- Insecure software development (#5)
- Accidental cloud data disclosure (#8)
- System vulnerabilities (#7)
- Limited cloud visibility/observability
- Unauthenticated resource sharing
- Advanced persistent threats (#10)
Each analysis describes the threat and its business impacts while offering key takeaways, anecdotes, and real-world examples, in addition to referencing the relevant section of CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing v5 domain guides and the relevant mitigating controls in CSA’s Cloud Controls Matrix (CCM) and CAIQ v4.
Within the context of these ongoing threats, the paper also touched upon several key trends that are likely to shape the future of cloud computing, among them:
- Increased attack sophistication: Attackers will continue to develop more sophisticated techniques, including AI, to exploit vulnerabilities in cloud environments. These new techniques will necessitate a proactive security posture with continuous monitoring and threat-hunting capabilities.
- Supply chain risk: The growing complexity of cloud ecosystems will increase the attack surface for supply chain vulnerabilities. Organizations will need to extend security measures to their vendors and partners.
- Evolving regulatory landscape: Regulatory bodies will likely implement stricter data privacy and security regulations, requiring organizations to adapt their cloud security practices.
- The rise of Ransomware-as-a-Service (RaaS): RaaS will make it easier for unskilled actors to launch sophisticated ransomware attacks against cloud environments. Organizations will need robust data backup and recovery solutions alongside strong access controls.
“Given the ever-evolving cybersecurity landscape, it’s difficult for companies to stay ahead of the curve and mitigate their financial and reputational risks. By bringing attention to those threats, vulnerabilities, and risks that are top-of-mind across the industry, organizations can better focus their resources,” said Sean Heide, Technical Research Director, Cloud Security Alliance.
The CSA Top Threats Working Group aims to provide organizations with an up-to-date, expert-informed understanding of cloud security risks, threats, and vulnerabilities in order to make educated risk-management decisions regarding cloud adoption strategies. Individuals interested in becoming involved in the future research and initiatives of this group are invited to join the Working Group.
In creating the Top Threats to Cloud Computing 2024 report, the Working Group conducted research in two stages, both of which used surveys to gather the thoughts and opinions of cybersecurity professionals on the most relevant threats, vulnerabilities, and risks to cloud computing. During the first stage, the group created a short list of cloud security issues through in-person surveys of group members; the second stage polled more than 500 industry experts on a short list of 28 security issues in the cloud industry to compile the final report.