The CSA’s Treacherous 12: Safeguarding Cloud Security Threats

By Matthew Reeve on 27th April, 2020.

Adopting cloud in the business world is what could now be referred to as a ‘no-brainer’. Around 83% of enterprise workloads operate in the cloud in 2020, and a whopping 94% of enterprises already use a cloud service in one shape or form.

Offering low upfront spend, scalability and easy accessibility, those figures don’t really come as much of a surprise. With the majority of businesses operating via a cloud model, this has ushered in a new age for how we transmit, store and ultimately handle data.

Accompanying these new technologies and processes come new threats, and therefore precautionary measures that we all must take to ensure we stay secure and compliant. Data breaches and leaks alone can see huge penalties imposed under GDPR: fines of up to 4% of annual turnover or €20 million, whichever is greater. Any downtime due to an attack or hack can cause businesses with online applications and services to suffer a loss of revenue, brand reputation and customer confidence.

It’s imperative therefore that businesses stay protected when operating online. The Cloud Security Alliance (CSA), a non-profit organisation promoting security best-practice guidelines, describes 12 threats that everyone in the cloud should consider and adequately protect their environments against. These have been dubbed “the treacherous 12”.

Studying vulnerability surveys such as these and taking action to prevent them ever becoming genuine threats can hugely improve your online security. In this blog post, we will break down the CSA’s report and explain in detail what each of the 12 security threats represents and how you can mitigate them.

The Treacherous 12

In their report, the Cloud Security Alliance state: “Among the most significant security risks associated with cloud computing is the tendency to bypass information technology (IT) departments and information officers. Although shifting to cloud technologies exclusively may provide cost and efficiency gains, doing so requires that business-level security policies, processes, and best practices are taken into account. In the absence of these standards, businesses are vulnerable to security breaches that can erase any gains made by the switch to cloud technology.”

The 12 security threats the CSA identify are:

  • Data breaches
  • Insufficient identity, credential and access management
  • Insecure interfaces and APIs
  • System vulnerabilities
  • Account hijacking
  • Malicious insiders
  • Advanced persistent threats
  • Data loss
  • Insufficient due diligence
  • Abuse and nefarious use of cloud services
  • Denial of service
  • Shared technology vulnerabilities

1. Data Breaches

Threat: When sensitive data is collected, processed and stored, it can be vulnerable to being intercepted or accessed without permission if the necessary security measures are not in place. Targeted attacks can focus on vulnerabilities in technology and software or utilise other tactics like malware, but data breaches can also simply occur through system misconfigurations or human error.

Solution: Employing multi-factor authentication (MFA) decreases the risk of unauthorised users gaining access to anything they shouldn’t – Microsoft recently announced that users who utilise multi-factor authentication will block 99.9% of automated attacks against their accounts. To defend against more sophisticated attacks, theft or interception of data, consider using encryption so that even if data falls into the wrong hands it is rendered useless to anyone without the decryption key. Encryption can be applied to data in three states: at rest, in use, and in transit. Encryption at rest applies to data stored on your hardware or resources. Encryption in use applies to data as it is being created, edited, or viewed. Finally, encryption in transit applies to data as it moves from one location to another.

2. Insufficient Identity, Credential and Access Management

Threat: The cloud’s accessibility, enabling remote working from anywhere with an internet connection, is one of its (many) selling points. However, if exploited, this potential to connect to networks and platforms from afar can present security risks. Hackers may mask themselves as legitimate users to gain access and use cloud resources and systems.

Solution: Use robust identity and access management control tools. Identify who should have access to what, grant privileges and permissions that are appropriate, and then enforce this through the access control tools.
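The “identify who should have access to what, then enforce it” step is easiest to reason about as a policy evaluator with a default of deny. The following is an added example, not code from the original post or from any cloud provider’s IAM implementation; the role names, the `storage:` actions and the `bucket:` resource labels are constructed, and the precedence rule (explicit deny beats allow, and nothing is allowed without a matching allow) is the design choice this example demonstrates.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Constructed policy set for a hypothetical object store. Each statement allows
# or denies action patterns on resource patterns; '*' is a wildcard. Nothing is
# permitted unless a statement says so.
POLICIES: Dict[str, List[dict]] = {
    "report-analyst": [
        {"effect": "allow",
         "actions": ["storage:GetObject", "storage:ListObjects"],
         "resources": ["bucket:reports/*"]},
        {"effect": "deny",                      # carve-out: payroll is off limits
         "actions": ["storage:*"],
         "resources": ["bucket:reports/payroll/*"]},
    ],
    "backup-writer": [
        {"effect": "allow",
         "actions": ["storage:PutObject"],     # write only, no read-back
         "resources": ["bucket:backups/*"]},
    ],
}

# Who holds which role (constructed bindings).
ROLE_BINDINGS: Dict[str, List[str]] = {
    "alice": ["report-analyst"],
    "backup-bot": ["backup-writer"],
}


def _any_match(patterns: List[str], value: str) -> bool:
    return any(fnmatchcase(value, p) for p in patterns)


def authorize(principal: str, action: str, resource: str) -> Tuple[bool, str]:
    """Evaluate every statement of every role the principal holds.

    Precedence: an explicit deny always wins; otherwise at least one matching
    allow is required; otherwise the default is deny. The reason string is
    what an audit log should record alongside the decision.
    """
    allow_reason: Optional[str] = None
    for role in ROLE_BINDINGS.get(principal, []):
        for n, stmt in enumerate(POLICIES.get(role, [])):
            if _any_match(stmt["actions"], action) and _any_match(stmt["resources"], resource):
                if stmt["effect"] == "deny":
                    return False, f"explicit deny by {role}#{n}"
                allow_reason = allow_reason or f"allowed by {role}#{n}"
    if allow_reason:
        return True, allow_reason
    return False, "implicit deny (no matching allow)"


def is_allowed(principal: str, action: str, resource: str) -> bool:
    return authorize(principal, action, resource)[0]


if __name__ == "__main__":
    for who, act, res in [("alice", "storage:GetObject", "bucket:reports/q1.csv"),
                          ("alice", "storage:GetObject", "bucket:reports/payroll/2020.csv"),
                          ("backup-bot", "storage:GetObject", "bucket:backups/db.tar")]:
        print(who, act, res, "->", authorize(who, act, res))
```

Note that the backup service account can write backups but never read them back: if its credentials leak, the attacker gets no data out, which is what “privileges and permissions that are appropriate” means in practice.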

3. Insecure Interfaces and Application Programming Interfaces (APIs)

Threat: Application programming interfaces (APIs) give users the ability to manage, develop and customise their cloud environment. However, this very open and accessible nature can present a cloud security threat, as when individuals and businesses customise cloud services to their needs, there is room for errors and misconfigurations. Interfaces are also typically the most exposed part of a cloud environment, possibly with a public IP address, making it vital they are secure.

Solution: APIs should always include access controls, authentication, and encryption. If possible, it’s best to rely on standard API frameworks – tried and tested designs with security in mind. It’s important to implement a robust security solution that includes network monitoring across the entire environment, so should a security issue present itself, it is detected and addressed immediately. If the interface is public facing, it’s especially important to deploy access controls – this should prevent a large majority of unauthorised access attacks. An Access Control List (ACL) controls and filters network traffic by comparing it against a defined set of standards, such as the source, destination or other characteristic. A handy characteristic of ACLs is that they give you the flexibility of filtering for a single IP address or a group of IP addresses.
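As an added illustration of how an ACL in front of a management interface is evaluated (example code written for this post, not Secura’s or any vendor’s implementation), the block below models an ordered list of permit/deny rules over source networks and destination ports, using the standard-library `ipaddress` module. The addresses are RFC 5737 documentation ranges and the `AclRule` class, `evaluate` and `shadowed_rules` are constructed for the example; the first-match-wins semantics with an implicit deny at the end is the convention most network ACLs follow.

```python
import ipaddress
from typing import List, Optional, Tuple


class AclRule:
    """One entry in an ordered access list: permit or deny traffic from a
    source network (a /32 is a single host) to an optional destination port."""

    def __init__(self, action: str, source: str, dest_port: Optional[int] = None) -> None:
        assert action in ("permit", "deny")
        self.action = action
        self.source = ipaddress.ip_network(source, strict=False)
        self.dest_port = dest_port  # None means any port

    def matches(self, src_ip: str, dest_port: int) -> bool:
        addr = ipaddress.ip_address(src_ip)
        return (addr.version == self.source.version and addr in self.source
                and (self.dest_port is None or self.dest_port == dest_port))

    def covers(self, other: "AclRule") -> bool:
        """True if every packet `other` could match would also match this rule."""
        a, b = self.source, other.source
        return (a.version == b.version
                and a.network_address <= b.network_address
                and a.broadcast_address >= b.broadcast_address
                and (self.dest_port is None or self.dest_port == other.dest_port))


# Constructed ACL for a management interface (RFC 5737 documentation addresses).
# Evaluation is first match wins, with an implicit deny if nothing matches.
MANAGEMENT_ACL: List[AclRule] = [
    AclRule("deny", "203.0.113.77/32"),           # one blocked host
    AclRule("permit", "203.0.113.0/24", 443),     # office range, HTTPS only
    AclRule("permit", "198.51.100.10/32", 22),    # bastion host, SSH only
]


def evaluate(acl: List[AclRule], src_ip: str, dest_port: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that matched); ('deny', None) on fall-through."""
    for i, rule in enumerate(acl):
        if rule.matches(src_ip, dest_port):
            return rule.action, i
    return "deny", None


def shadowed_rules(acl: List[AclRule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them.
    A shadowed deny is the classic ordering mistake: the block silently stops working."""
    return [j for j in range(len(acl)) if any(acl[i].covers(acl[j]) for i in range(j))]


if __name__ == "__main__":
    for ip, port in [("203.0.113.5", 443), ("203.0.113.5", 22), ("203.0.113.77", 443), ("192.0.2.1", 443)]:
        print(f"{ip}:{port} ->", evaluate(MANAGEMENT_ACL, ip, port))
    print("shadowed rules:", shadowed_rules(MANAGEMENT_ACL))
```

The `shadowed_rules` check is worth running whenever an ACL is edited: placing the single-host deny after the /24 permit would leave the list looking correct while the deny never matches.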

4. System Vulnerabilities

Threat: No software is designed perfectly – there will always be bugs – but the question is whether these bugs present exploitable opportunities for hackers. A cloud operating system is made up of different components, and if one of these has a vulnerability, it presents an opportunity for the system to be infiltrated, affecting the wider cloud environment.

Solution: Attacks resulting from system vulnerabilities can be mitigated with simple IT processes, such as system threat monitoring, installing security patches and upgrades, and regular vulnerability scanning. It’s important businesses have complete visibility over their environments, so all cloud resources are identified and assessed, both from a security standpoint and to ensure they’re aligned with business needs – if they aren’t used or necessary, get rid of them.

5. Account Hijacking

Threat: This relates to targeted attempts by individuals to access specific accounts without authorisation, usually ones with high privileges and access to sensitive data. If a cloud account is compromised, it can lead to control of the wider environment. Hackers may aim to steal account credentials through targeting individuals with social engineering techniques such as phishing scams. The victim may then unwittingly hand over their login details.

Solution: Businesses should take measures to minimise negligence of security practices and train employees to recognise security risks and social engineering techniques. Always protect your business from fraudulent or malicious activities through firewalls and anti-virus software, and consider deploying advanced security defences such as DDoS mitigation. It’s also worth evaluating and controlling privileges for all users, so should an account be compromised, it doesn’t have access to resources unnecessarily.

6. Malicious Insiders

Threat: Not all threats are necessarily located externally. As a trusted individual with access privileges, an insider doesn’t have the problem of passing security defences such as firewalls or authentication controls. If this individual has malicious intentions, they could do immeasurable damage to systems and data integrity.

Solution: Although less likely to occur than other threats on this list, a disgruntled insider purposely causing damage is possibly the hardest to defend against. Network monitoring and incident response are obviously critical factors in quickly identifying and minimising any internal attacks. Mitigating them in the first place requires clear contractual repercussions relating to engaging in malicious activity.

7. Advanced Persistent Threats (APTs)

Threat: An Advanced Persistent Threat (APT) is a sophisticated cyberattack by an individual or group. The objectives vary, but the means of attack typically revolve around gaining unauthorised access, compromising systems and stealing data and / or intellectual property – usually inconspicuously, with the aim of remaining undetected and maintaining a presence over a long period of time. Because of this nature, they are often sponsored by a nation state, or linked to acts of politically motivated cybercrime.

Solution: APT attacks are generally geared towards large organisations or governments – those that deal with masses of data that can be slowly and quietly gathered over time – so they aren’t as much of a worry to small and medium-sized enterprises (SMEs). There isn’t a standalone defence against APT attacks; by their very nature they are designed to infiltrate and avoid detection. However, ensuring cyber security is a top priority, with the budgets and resources necessary to continually update and protect against online threats, is critical.

8. Data Loss

Threat: Although a data breach can be hugely detrimental to businesses, it’s important to remember that data loss can be equally damaging. Data loss can occur through mistakes and accidents, but also through malicious activity such as ransomware, which locks down systems and threatens to delete data if a ransom is not paid. We’re seeing huge increases in ransomware attacks in recent years, with a 365% rise from 2018 to 2019.

Solution: The clear and obvious answer to data loss is implementing a backup solution. If data is accidentally lost or deleted, you can easily restore it, and if a system is compromised through ransomware, you have the peace of mind knowing that everything is replicated. Don’t fall into the trap of assuming that data stored in the cloud doesn’t need backing up or is somehow exempt from the threat of loss.

9. Insufficient Due Diligence

Threat: It’s important to understand how the cloud affects your functionality and operations, both when it is working and when it isn’t. Although lack of availability should never be allowed to become a persistent problem, there should be a business continuity plan in place for how to remain productive and recover quickly from a period of downtime. Other areas to address when considering a move to the cloud are the commercial, technical, compliance and legal implications for your business.

Solution: It’s essential to perform extensive due diligence when looking to move to the cloud and to have a clear line of communication with your cloud provider to correctly outline the specific responsibilities of operating securely in the cloud. For example, consider addressing security issues such as backup and encryption – who is responsible for backing up or encrypting what? If you have a disaster recovery solution, what is the process for bringing systems and services back online?

10. Abuse and Nefarious Use of Cloud Services

Threat: Cloud services are widely available and easy to access; any individual or business can purchase and make use of them. However, this presents opportunities for malicious attackers to join the cloud and misuse their access and privileges within that environment whilst posing as a legitimate paying customer. The specific vulnerabilities will depend on the type of cloud service, its infrastructure and overall security, but if cyber criminals successfully register and access cloud services, they can attempt to compromise systems and data of the providers and other users.

Solution: Similar to the insider threat, this vulnerability is more difficult to defend against. For businesses with cloud services online, it is essential they choose a hosting partner who deploys high levels of infrastructure security to actively ensure their services are not misused and exploited at this layer. It’s also important that businesses maintain a business continuity plan should online services become compromised or unavailable – not just due to malicious activity, but in any circumstance that the cloud and its data is not accessible.

11. Denial of Service

Threat: A Denial of Service (DoS) attack typically overloads resources, either in terms of speed or availability, so that the service is unable to be accessed or used. Common methods include flooding networks with traffic or requests, for example adding huge volumes of items to shopping baskets. Denial of Service attacks come in many forms; one common large-scale variation is a Distributed Denial of Service (DDoS) attack which originates from multiple malicious computers to attack at once from different locations.

Solution: To defend against Denial of Service attacks and a whole host of other threats and vulnerabilities, it is vital businesses deploy a rigorous and robust online security strategy. This should include specific DoS mitigation measures, network monitoring and intrusion detection to flag any potential issues as early as possible, and firewalls to inspect traffic and IP addresses. With DDoS mitigation, a primary task is to identify normal conditions for network traffic. By defining these conditions, mitigation solutions can then detect variances and possible attacks, such as those flooding networks with traffic.
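The “identify normal conditions, then detect variances” idea can be shown end to end over a few log lines. The example below is added for this post (not Secura’s Web Protect or any other product’s logic): it builds a constructed access log in which a quiet learning window is followed by a flood spread across many source addresses, learns a baseline request rate from the quiet window, and raises an alert for every second whose rate exceeds the baseline mean plus a multiple of its standard deviation. The log format, the RFC 5737 addresses, the learning window length and the `k = 3` multiplier are all assumptions of the example.

```python
import statistics
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed traffic (RFC 5737 documentation addresses). Normal trade is a few
# requests per second from a handful of clients; the flood is many requests per
# second spread across many source addresses, which is what makes it "distributed".
T0 = 1587981600                                   # start time, Unix seconds
NORMAL_PATTERN = [2, 3, 4, 3, 2, 3, 4, 3, 2, 3]   # requests/second when healthy
CLIENTS = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]


def constructed_log(learn_seconds: int = 20, flood_seconds: int = 5, flood_rate: int = 60) -> List[str]:
    """Access-log lines in the form '<epoch> <src_ip> <method> <path>'."""
    lines = []
    for s in range(learn_seconds):
        for i in range(NORMAL_PATTERN[s % len(NORMAL_PATTERN)]):
            lines.append(f"{T0 + s} {CLIENTS[i % len(CLIENTS)]} GET /products")
    for s in range(learn_seconds, learn_seconds + flood_seconds):
        for i in range(flood_rate):                        # 50 rotating sources
            lines.append(f"{T0 + s} 203.0.113.{i % 50 + 1} POST /cart/add")
    return lines


def requests_per_second(lines: List[str]) -> Tuple[Counter, Dict[int, Counter]]:
    """Bucket requests by second, and count requests per source within each second."""
    per_sec: Counter = Counter()
    sources: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        ts, src, _method, _path = line.split()
        per_sec[int(ts)] += 1
        sources[int(ts)][src] += 1
    return per_sec, sources


def baseline_threshold(per_sec: Counter, start: int, learn_seconds: int, k: float = 3.0) -> float:
    """Normal condition = rate over the learning window; alert above mean + k * stddev."""
    samples = [per_sec.get(t, 0) for t in range(start, start + learn_seconds)]
    return statistics.fmean(samples) + k * statistics.pstdev(samples)


def detect_floods(lines: List[str], learn_seconds: int = 20, k: float = 3.0):
    """Return (threshold, alerts); each alert is (second, requests, distinct sources).
    Many distinct sources behind one spike is the signature of a distributed flood."""
    per_sec, sources = requests_per_second(lines)
    start = min(per_sec)
    threshold = baseline_threshold(per_sec, start, learn_seconds, k)
    alerts = [(t, per_sec[t], len(sources[t]))
              for t in sorted(per_sec)
              if t >= start + learn_seconds and per_sec[t] > threshold]
    return threshold, alerts


if __name__ == "__main__":
    thr, found = detect_floods(constructed_log())
    print(f"baseline threshold: {thr:.1f} req/s")
    for sec, n, distinct in found:
        print(f"ALERT t={sec}: {n} req/s from {distinct} sources")
```

In production the learning window would be far longer and seasonal (a Monday morning is not a Sunday night), and the distinct-source count is what separates a flood from a single noisy client that a plain rate limit would already handle.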

12. Shared Technology Vulnerabilities

Threat: This covers the potential security vulnerabilities that can arise from having multiple tenants using different cloud services on the same hardware. If a specific cloud service that one of the tenants is using is compromised, it can open opportunities for attackers to expand that vulnerability to the wider environment and users. This can lead to the loss of data or theft and damage to services or systems.

Solution: For optimum security, ensure your cloud environment has per-tenant firewalls and networking and some form of perimeter security to isolate traffic and stop vulnerabilities from being shared across multi-tenant users. With this in mind, speak to your cloud provider about the structure of their security defences and how they set up tenant isolation. At Secura, this is achieved through both hardware and software solutions and our use of VMware virtualisation technologies, making our cloud solutions completely isolated for each customer. It’s also good practice to deploy data-at-rest encryption so that should any breach or hack occur, your data is unreadable.

At Secura, we take cloud security seriously. Secura and all of our data centre partners are fully ISO 27001 accredited and our Virtual Private Cloud (VPC) platform is secure by design, with perimeter security options offering complete user isolation. Advanced online security and protection is also available through Web Protect, a fully managed, enterprise grade online security package, which defends against DDoS, vulnerability exploits and malware, and provides powerful encryption technologies.

If you’d like to find out more about our VPC, Web Protect, or any of our other services, please don’t hesitate to get in touch.

Image credit: Connect world/

Matthew Reeve

Content Executive

Matthew is Secura's content specialist, producing gripping, emotionally complex, edge of your seat, cloud hosting articles and videos.
