Misconfigurations and IAM weaknesses top cloud security concerns

Traditional cloud security issues often associated with cloud service providers (CSPs) are continuing to decrease in importance, according to the Top Threats to Cloud Computing 2024 report by the Cloud Security Alliance.

Misconfigurations, IAM weaknesses, and API risks remain critical

These findings continue the trajectory first seen in the 2022 report, along with the fact that threats such the persistent nature of misconfigurations, identity and access management (IAM) weaknesses, insecure application programming interfaces (APIs), and the lack of a comprehensive security strategy continue to rank high, highlighting their critical nature.

“It’s tempting to think that the reason the same issues have remained in the top spots since the report was last issued stems from a lack of progress in securing these features. The larger picture, however, speaks to the importance placed on these vulnerabilities by organizations and the degrees to which they are working to build ever more secure and resilient cloud environments,” said Michael Roza, co-chair, Top Threats Working Group.

The 2024 Top Threats ranked the following concerns in order of significance (with applicable previous rankings). Of note, concerns such as denial of service, shared technology vulnerabilities, and CSP data loss, which were featured in 2022, were now rated low enough to be excluded from this report:

• Misconfiguration and inadequate change control (#3)
• Identity and Access Management (IAM) (#1)
• Insecure interfaces and APIs (#2)
• Inadequate selection/Implementation of cloud security strategy (#4)
• Insecure third-party resources (#6)
• Insecure software development (#5)
• Accidental cloud data disclosure (#8)
• System vulnerabilities (#7)
• Limited cloud visibility/Observability
• Unauthenticated resource sharing
• Advanced persistent threats (#10)

Key trends shaping the future of cloud computing

Within the context of these ongoing threats, the paper also touched upon several key trends that are likely to shape the future of cloud computing, among them:

Increased attack sophistication: Attackers will continue to develop more sophisticated techniques, including AI, to exploit vulnerabilities in cloud environments. These new techniques will necessitate a proactive security posture with continuous monitoring and threat-hunting capabilities.

Supply chain risk: The growing complexity of cloud ecosystems will increase the attack surface for supply chain vulnerabilities. Organizations will need to extend security measures to their vendors and partners.

Evolving regulatory landscape: Regulatory bodies will likely implement stricter data privacy and security regulations, requiring organizations to adapt their cloud security practices.

The rise of Ransomware-as-a-Service (RaaS): RaaS will make it easier for unskilled actors to launch sophisticated ransomware attacks against cloud environments. Organizations will need robust data backup and recovery solutions alongside strong access controls.

“Given the ever-evolving cybersecurity landscape, it’s difficult for companies to stay ahead of the curve and mitigate their financial and reputational risks. By bringing attention to those threats, vulnerabilities, and risks that are top-of-mind across the industry, organizations can better focus their resources,” said Sean Heide, Technical Research Director, Cloud Security Alliance.

In creating the Top Threats to Cloud Computing 2024 report, the Working Group conducted research in two stages, both of which used surveys to gather the thoughts and opinions of cybersecurity professionals concerning the most relevant threats, vulnerabilities, and risks of security issues to cloud computing.

During the first stage the group created a short list of cloud security issues through in-person surveys of group members; the second stage polled more than 500 industry experts on a short-list of 28 security issues in the cloud industry to compile the final report.