
Cloud Security Alliance identifies 11 most egregious cloud threats
At the Black Hat USA conference this week the Cloud Security Alliance published a report identifying what it describes to be the 11 most egregious threats to cloud computing.
The 11 most egregious threats as ranked in order by significance according to the CSA are:
- Data Breaches
- Misconfiguration and inadequate change control
- Lack of cloud security architecture and strategy
- Insufficient identity, credential, access and key management
- Account hijacking
- Insider threat
- Insecure interfaces and APIs
- Weak control plane
- Metastructure and applistructure failures
- Limited cloud usage visibility
- Abuse and nefarious use of cloud services

The opportunity for further mistakes to be made increases as the number of types of cloud computing frameworks employed expands. Most organizations today are already having more than enough trouble securing the monolithic applications on top of virtual machines running in the cloud. As the percentage of applications that employ either containers or serverless computing frameworks starts to increase, each one of these frameworks adds additional application programming interfaces (APIs) that need to be secured.
Organizations that embrace containers to become more agile quickly also quickly discover their IT environment now consists of thousands of containers, each one of which needs to be continuously monitored to ensure no vulnerable code has been either inadvertently or purposefully encapsulated within a container.
The CSA is recommending that organizations more aggressively embrace best DevSecOps practices to mitigate potential threats to cloud computing environments. The challenge is that change comes slowly to most IT organizations, especially given the amount of love that have been lost over the years between developers and cybersecurity professionals. Despite the rise of DevSecOps practices, many cybersecurity professionals are going to find it very difficult to trust developers to do the right thing in terms of embedding cybersecurity controls within their applications. Given the chronic shortage of cybersecurity talent there may be no alternative. Cybersecurity professionals would, nevertheless, be well advised to adopt the “Trust But Verify” dictum that President Ronald Reagan once espoused when negotiating nuclear arms treaties.
While waiting for a great cybersecurity epiphany to occur among developers, cybersecurity professionals in the meantime would be well advised to remember another old adage: an ounce of prevention is worth a pound of cure. Rather than waiting for the inevitable cloud breach to occur, cybersecurity teams should proactively scan for misconfigurations and other vulnerabilities before they get discovered by any number of bad actors. At this point, it’s safe to assume these vulnerabilities now potentially number in the hundreds of millions. The race is now on to see who will discover those vulnerabilities first.

Rapport 2025 sur les ransomwares
Principales conclusions concernant l’expérience et l’impact des ransomwares sur les organisations du monde entier
S’abonner au blog de Barracuda.
Inscrivez-vous pour recevoir des informations sur les menaces, des commentaires sur le secteur et bien plus encore.

Sécurité des vulnérabilités gérée : correction plus rapide, risques réduits, conformité simplifiée
Découvrez à quel point il peut être facile de trouver les vulnérabilités que les cybercriminels cherchent à exploiter