Study Notes

The document discusses cloud security challenges and the Cloud Security Alliance's (CSA) efforts to address them. Specifically, it summarizes the CSA's "The Treacherous 12 - Cloud Computing Top Threats in 2016" report, which identifies the 12 most critical cloud security issues based on an industry expert survey. The top threats are: 1) data breaches, 2) weak identity and access management, 3) insecure APIs, and 4) system and application vulnerabilities. The report is intended to help organizations make informed risk management decisions regarding cloud adoption and security.

Executive Summary

At an unprecedented pace, cloud computing has simultaneously transformed business and government, and created new security challenges. The development of the cloud service model delivers business-supporting technology more efficiently than ever before. The shift from server- to service-based thinking is transforming the way technology departments think about, design, and deliver computing technology and applications. Yet these advances have created new security vulnerabilities as well as amplified existing vulnerabilities, including security issues whose full impact is only now being understood. Among the most significant security risks associated with cloud computing is the tendency to bypass information technology (IT) departments and information officers. Although shifting to cloud technologies exclusively may provide cost and efficiency gains, doing so requires that business-level security policies, processes, and best practices are taken into account. In the absence of these standards, businesses are vulnerable to security breaches that can erase any gains made by the switch to cloud technology.

Seeing both the promise of cloud computing and the risks associated with it, the Cloud Security Alliance (CSA) has created industry-wide standards for cloud security. In recent years, CSA released the “Security Guidance for Critical Areas in Cloud Computing” and the “Security as a Service Implementation Guidance”. These documents have quickly become the industry-standard catalogue of best practices for securing cloud computing, comprehensively addressing the topic within the thirteen domains of the CSA Guidance and the ten categories of service in the Security as a Service (SecaaS) Implementation Guidance series. Many businesses, organizations, and governments have incorporated this guidance into their cloud strategies.

Like the research artifacts mentioned above, “The Treacherous 12 - Cloud Computing Top Threats in 2016” plays a crucial role in the CSA research ecosystem. The purpose of the report is to provide organizations with an up-to-date, expert-informed understanding of cloud security concerns so that they can make educated risk-management decisions regarding cloud adoption strategies. The report reflects the current consensus among security experts in the CSA community about the most significant security issues in the cloud.

While there are many security concerns in the cloud, this report focuses on 12 specifically related to the shared, on-demand nature of cloud computing. To identify the top concerns, CSA conducted a survey of industry experts to compile professional opinions on the greatest security issues within cloud computing. The Top Threats working group used these survey results alongside their expertise to craft the final 2016 report. In this most recent edition of the report, experts identified the following 12 critical issues to cloud security (ranked in order of severity per survey results):
1. Data Breaches
2. Weak Identity, Credential and Access Management
3. Insecure APIs
4. System and Application Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats (APTs)
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious Use of Cloud Services
11. Denial of Service
12. Shared Technology Issues
CLOUD SECURITY ALLIANCE The Treacherous 12 - Cloud Computing Top Threats in 2016
© 2016, Cloud Security Alliance. All right reserved. 6
The 2016 Top Threats release mirrors the shifting ramifications of poor cloud computing decisions up through the managerial ranks: instead of being an IT issue, it is now a boardroom issue. The reasons may lie with the maturation of cloud, but more importantly with higher strategic decisions by executives in cloud adoption. The 2013 edition highlighted developers and IT departments rolling out their own self-service Shadow IT projects, and the bypassing of organizational security requirements. In 2016, cloud adoption may be effectively aligned with executive strategies to maximize shareholder value. The always-on nature of cloud computing impacts factors that may skew external perceptions and in turn company valuations. Wider-reaching architecture/design factors, namely Identity, Credential and Access Management, Insecure APIs, and System & Application Vulnerabilities, rose in the survey, while data loss and individual account hijacking fell in comparison.

With descriptions and analysis of the Treacherous 12, this report serves as an up-to-date guide that will help cloud users and providers make informed decisions about risk mitigation within a cloud strategy. This threat research document should be used in conjunction with the best practices guides “Security Guidance for Critical Areas in Cloud Computing V.3” and “Security as a Service Implementation Guidance”. A threat analysis was also conducted with the STRIDE Threat Model[1], and the working group recommends the NIST Risk Management Framework[2] as guidance on how to manage information technology risk. Together, these documents will offer valuable guidance during the formation of comprehensive, appropriate cloud security strategies.

1 The STRIDE Threat Model. https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
2 NIST Risk Management Framework (RMF) Overview. http://csrc.nist.gov/groups/SMA/fisma/framework.html
Methodology
In creating The Treacherous 12 - Cloud Computing Top Threats in 2016, the CSA Top Threats Working Group conducted research in two primary stages. Both stages used surveys and questionnaires as instruments of study.

In the first stage of the research, our goal was to create a short list of cloud security concerns. The group first started with a list of 20 security concerns, updating last year’s eight issues and adding 12 new issues. We presented the 20 concerns via a series of consultations asking working group members to indicate the importance of each concern to their organization. This stage of the research also provided the opportunity for respondents to suggest other concerns. After considering all the survey results and additional information, the working group identified the top 13 most salient cloud security concerns.

In the second stage of the research, the group’s main goal was to rank the previously short-listed cloud security concerns. The group wanted the study to capture what people thought were the most relevant cloud security concerns; a 4-point Likert scale was chosen as the research instrument. A Likert scale is a popular quantitative research method in surveys and is used to represent people’s attitudes on a topic. The scale is: 1 (Irrelevant), 2 (Somewhat Relevant), 3 (Relevant), and 4 (Very Relevant). Every security concern was rated 1, 2, 3 or 4 and assigned corresponding scores. For example, a security concern rated as Irrelevant was given one point, a security concern rated as Somewhat Relevant was given two points, and so on. The points for each category were averaged, and the security concerns were then ranked according to their mean. The working group then dropped the security concern which ranked last, leaving the final 12.

The working group also analyzed the security concerns using the STRIDE threat model, which was developed by Microsoft to evaluate information security threats. Specifically, the security concerns discussed in this paper are evaluated to determine whether they fall into any of the following threat categories:
• Spoofing identity (S)
• Tampering with data (T)
• Repudiation (R)
• Information Disclosure (I)
• Denial of service (D)
• Elevation of privilege (E)
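The two-stage ranking procedure above (4-point Likert ratings, averaged per concern, sorted by mean, last-ranked concern dropped) as a small Python re-implementation. This is an added example, not code from the CSA working group; the concern names and ratings are constructed sample data, not the 2016 survey results, and alphabetical tie-breaking is an assumption the report does not state.

```python
"""Reproduce the Top Threats ranking step from per-respondent Likert ratings."""

# The 4-point scale the report describes.
LIKERT = {1: "Irrelevant", 2: "Somewhat Relevant", 3: "Relevant", 4: "Very Relevant"}

# Constructed sample responses (not real survey data): one dict per respondent,
# mapping a short-listed concern to that respondent's rating.
SAMPLE = [
    {"Data Breaches": 4, "Insecure APIs": 3, "Data Loss": 2, "Shared Technology": 2},
    {"Data Breaches": 4, "Insecure APIs": 4, "Data Loss": 3, "Shared Technology": 1},
    {"Data Breaches": 3, "Insecure APIs": 3, "Data Loss": 2, "Shared Technology": 2},
]


def mean_scores(responses):
    """Average the ratings for each concern across all respondents.

    Ratings outside the 1..4 scale are rejected rather than silently skewing
    the mean, which is the check a survey pipeline should make before ranking.
    """
    totals, counts = {}, {}
    for resp in responses:
        for concern, rating in resp.items():
            if rating not in LIKERT:
                raise ValueError(f"{concern}: rating {rating!r} is not on the 1-4 scale")
            totals[concern] = totals.get(concern, 0) + rating
            counts[concern] = counts.get(concern, 0) + 1
    return {c: totals[c] / counts[c] for c in totals}


def rank_concerns(responses, drop_last=1):
    """Rank concerns by mean rating (highest first) and drop the lowest-ranked
    `drop_last` concerns, as the working group did to go from 13 to 12.

    Ties are broken alphabetically (an assumption) so the output is deterministic.
    """
    scores = mean_scores(responses)
    ordered = sorted(scores, key=lambda c: (-scores[c], c))
    return ordered[: len(ordered) - drop_last] if drop_last else ordered


if __name__ == "__main__":
    for rank, concern in enumerate(rank_concerns(SAMPLE), start=1):
        print(f"{rank}. {concern} (mean {mean_scores(SAMPLE)[concern]:.2f})")
```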
In the survey, a total of 271 people responded to the study. About half were from the U.S. (48.95%), with the next highest number of respondents from Australia (5.02%).

Of the respondents who categorized their organizations, 44.65% reported themselves as being part of the technology industry; 15% reported themselves as being part of the professional services industry; and 9.30% reported themselves as being part of the public sector. The remainder was represented by the education, finance, health, and other sectors.

Of the respondents who answered demographic questions, 87.33% identified themselves as Security Specialist, 12.22% as Software Specialist and 9.95% as Networking Specialist, followed by other categories.
1. Security Concern: Data Breaches

SERVICE MODELS: IaaS, PaaS, SaaS

CSA SECURITY GUIDANCE REFERENCE:
Domain 5: Information Management and Data Security
Domain 10: Application Security
Domain 11: Encryption and Key Management
Domain 12: Identity, Entitlement and Access Management
Domain 13: Virtualization

THREAT ANALYSIS (STRIDE): Spoofing Identity, Tampering with data, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege

1.1 Description

A data breach is an incident in which sensitive, protected or confidential information is released, viewed, stolen or used by an individual who is not authorized to do so. A data breach may be the primary objective of a targeted attack or may simply be the result of human error, application vulnerabilities or poor security practices. A data breach may involve any kind of information that was not intended for public release including, but not limited to, personal health information, financial information, personally identifiable information (PII), trade secrets and intellectual property.

An organization’s cloud-based data may have value to different parties for different reasons. For example, organized crime often seeks financial, health and personal information to carry out a range of fraudulent activities. Competitors and foreign nationals may be keenly interested in proprietary information, intellectual property and trade secrets. Activists may want to expose information that can cause damage or embarrassment. Unauthorized insiders obtaining data within the cloud are a major concern for organizations.

The risk of data breach is not unique to cloud computing, but it consistently ranks as a top concern for cloud customers. A cloud environment is subject to the same threats as a traditional corporate network, as well as new avenues of attack by way of shared resources, cloud provider personnel and their devices, and third-party partners of the cloud provider. Cloud providers are highly accessible, and the vast amount of data they host makes them an attractive target.

1.2 Business Impacts

Although nearly any data breach can be problematic, the sensitivity of the data usually determines the extent of the damage. In many parts of the world, laws and regulations oblige organizations to exercise certain standards of care to ensure that sensitive information is protected against unauthorized use. When a data breach occurs, companies may incur large fines and may also be subject to civil lawsuits and, in some cases, criminal charges.

A company also accrues costs related to investigating a breach and notifying customers who were impacted. Some companies engage professional consulting and legal services to assist with managing the breach response. It is also customary for a company suffering a data breach to purchase credit monitoring services for consumers whose information was stolen, to alert them in case of fraudulent use. Indirect impacts such as damage to a brand’s reputation and resulting loss of business are much harder to calculate. Measures such as the rate at which customers leave, and any change to the cost of user acquisition, can be used to estimate this.

Cloud providers often have good security for the aspects they take responsibility for, but ultimately customers are responsible for protecting their data in the cloud. The best protection against data breach is an effective security program. Two important security measures that can help companies stay secure in the cloud are multifactor authentication and encryption.
1.3 Anecdotes and Examples

In mid-2015, BitDefender, an antivirus firm, had an undisclosed number of customer usernames and passwords stolen due to a security vulnerability in its public cloud application hosted on AWS. The hacker responsible demanded a ransom of $15,000.

The 2015 Anthem breach of more than 80 million customer records began with stolen credentials on the corporate network. A third-party cloud service was used to transfer the huge data store from the company’s network to the public cloud, where it could be downloaded by the hackers.

British telecom provider TalkTalk reported multiple security incidents in 2014 and 2015, which resulted in the theft of four million customers’ personal information. The breaches were followed by a rash of scam calls attempting to extract banking information from TalkTalk customers. TalkTalk was widely criticized for its failure to encrypt customer data.
1.4 CCM v3.0.1 Control IDs
AIS-04: Application & Interface Security – Data Security/Integrity
CCC-02: Change Control & Configuration Management – Outsourced Development
DSI-02: Data Security & Information Lifecycle Management – Data Inventory/Flows
DSI-05: Data Security & Information Lifecycle Management – Information Leakage
DSI-06: Data Security & Information Lifecycle Management – Non-Production Data
DSI-08: Data Security & Information Lifecycle Management – Secure Disposal
EKM-02: Encryption & Key Management – Key Generation
EKM-03: Encryption & Key Management – Sensitive Data Protection
EKM-04: Encryption & Key Management – Storage and Access
GRM-02: Governance and Risk Management – Data Focus Risk Assessments
GRM-10: Governance and Risk Management – Risk Assessments
HRS-02: Human Resources – Background Screening
HRS-06: Human Resources – Mobile Device Management
IAM-02: Identity & Access Management – Credential Lifecycle/Provision Management
IAM-04: Identity & Access Management – Policies and Procedures
IAM-05: Identity & Access Management – Segregation of Duties
IAM-07: Identity & Access Management – Third Party Access
IAM-09: Identity & Access Management – User Access Authorization
IAM-12: Identity & Access Management – User ID Credentials
IVS-08: Infrastructure & Virtualization Security – Production/Non-Production Environments
IVS-09: Infrastructure & Virtualization Security – Segmentation
IVS-11: Infrastructure & Virtualization Security – Hypervisor Hardening
SEF-03: Security Incident Management, E-Discovery & Cloud Forensics – Incident Reporting
STA-06: Supply Chain Management, Transparency and Accountability – Third Party Assessment
1.5 Links

1. The Impact of a Data Breach Can Be Minimized Through Encryption
https://securityintelligence.com/the-impact-of-a-data-breach-can-be-minimized-through-encryption/
2. Dropbox and Box leak files in security through obscurity nightmare
http://www.techrepublic.com/article/dropbox-and-box-leak-files-in-security-through-obscurity-nightmare/
3. Anthem’s Breach and the Ubiquity of Compromised Credentials
https://blog.cloudsecurityalliance.org/2015/02/09/not-alone-92-companies-share-anthems-vulnerability/
4. Stolen Passwords Used in Most Data Breaches
http://www.darkreading.com/stolen-passwords-used-in-most-data-breaches/d/d-id/1204615
5. Anti-Virus Firm BitDefender Admits Breach, Hacker Claims Stolen Passwords are Unencrypted
http://www.forbes.com/sites/thomasbrewster/2015/07/31/bitdefender-hacked/
6. TalkTalk Criticised for Poor Security and Handling of Hack Attack
http://www.theguardian.com/technology/2015/oct/23/talktalk-criticised-for-poor-security-and-handling-of-hack-attack