Western Cloud Security Alliance Top Threats Report

In this assignment, you will review and analyze the report "Cloud Security Alliance – Top Threats" and share your thoughts on the ideas or claims made in the paper.

What is expected:
(a) The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to "promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing". As part of that mission, CSA develops technical documents on different aspects of cloud computing. One such document, "Cloud Security Alliance Top Threats – The Treacherous 12 (2016)", discusses twelve top threats in the cloud computing field and possible remedies for each threat.
(b) Review this document and write a report highlighting and explaining the major points you took from the paper, any take-home messages, and whether you agree or disagree with them.
Note that you will be graded on how critically you express your understanding of this document in your report.

Deliverables:
1. Write a 2-page report that includes: (i) a summary of the key points you took from the document; (ii) your personal opinion on the main points in the document that you agree with, and why; (iii) any points in the document that you do not agree with, together with your analysis of why you disagree.
2. Upload your report as a single Word or PDF file.

Top Threats Working Group
The Treacherous 12
Cloud Computing Top Threats in 2016
February 2016
CLOUD SECURITY ALLIANCE The Treacherous 12 – Cloud Computing Top Threats in 2016
The permanent and official location for Cloud Security Alliance Top Threats research is
https://cloudsecurityalliance.org/group/top-threats/
© 2016 Cloud Security Alliance – All Rights Reserved
All rights reserved. You may download, store, display on your computer, view, print, and link to The Treacherous
12 – Cloud Computing Top Threats in 2016 at https://cloudsecurityalliance.org/download/the-treacherous-twelvecloud-computing-top-threats-in-2016/, subject to the following: (a) the Report may be used solely for your
personal, informational, non-commercial use; (b) the Report may not be modified or altered in any way; (c) the
Report may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You
may quote portions of the Report as permitted by the Fair Use provisions of the United States Copyright Act,
provided that you attribute the portions to The Treacherous 12 – Cloud Computing Top Threats in 2016.
© 2016, Cloud Security Alliance. All right reserved.
1
Contents

Acknowledgments …… 4
Executive Summary …… 5
Methodology …… 7
1. Security Concern: Data Breaches …… 8
   1.1 Description
   1.2 Business Impacts
   1.3 Anecdotes and Examples
   1.4 CCM v3.0.1 Control IDs
   1.5 Links
2. Security Concern: Insufficient Identity, Credential and Access Management …… 11
   2.1 Description
   2.2 Business Impacts
   2.3 Anecdotes and Examples
   2.4 CCM v3.0.1 Control IDs
   2.5 Links
3. Security Concern: Insecure Interfaces and APIs …… 14
   3.1 Description
   3.2 Business Impacts
   3.3 Anecdotes and Examples
   3.4 CCM v3.0.1 Control IDs
   3.5 Links
4. Security Concern: System Vulnerabilities …… 16
   4.1 Description
   4.2 Business Impacts
   4.3 Anecdotes and Examples
   4.4 CCM v3.0.1 Control IDs
   4.5 Links
5. Security Concern: Account Hijacking …… 18
   5.1 Description
   5.2 Business Impacts
   5.3 Anecdotes and Examples
   5.4 CCM v3.0.1 Control IDs
   5.5 Links
6. Security Concern: Malicious Insiders …… 20
   6.1 Description
   6.2 Business Impacts
   6.3 Anecdotes and Examples
   6.4 CCM v3.0.1 Control IDs
   6.5 Links
7. Security Concern: Advanced Persistent Threats …… 22
   7.1 Description
   7.2 Business Impacts
   7.3 Anecdotes and Examples
   7.4 CCM v3.0.1 Control IDs
   7.5 Links
8. Security Concern: Data Loss …… 24
   8.1 Description
   8.2 Business Impacts
   8.3 Anecdotes and Examples
   8.4 CCM v3.0.1 Control IDs
   8.5 Links
9. Insufficient Due Diligence …… 26
   9.1 Description
   9.2 Business Impacts
   9.3 Anecdotes and Examples
   9.4 CCM v3.0.1 Control IDs
   9.5 Links
10. Abuse and Nefarious Use of Cloud Services …… 29
   10.1 Description
   10.2 Business Impacts
   10.3 Anecdotes and Examples
   10.4 CCM v3.0.1 Control IDs
   10.5 Links
11. Denial of Service …… 31
   11.1 Description
   11.2 Business Impacts
   11.3 Anecdotes and Examples
   11.4 CCM v3.0.1 Control IDs
   11.5 Links
12. Shared Technology Issues …… 33
   12.1 Description
   12.2 Business Impacts
   12.3 Anecdotes and Examples
   12.4 CCM v3.0.1 Control IDs
   12.5 Links
Acknowledgments
Co-Chairs
Jon-Michael Brook
Dave Shackleford
Contributors
Jon-Michael Brook
Dave Shackleford
Vic Hargrave
Laurie Jameson
Michael Roza
Victor Chin, Research Analyst
CSA Chapters
CSA Thailand Chapter
Executive Summary
At an unprecedented pace, cloud computing has simultaneously transformed business and government and
created new security challenges. The cloud service model delivers business-supporting technology more
efficiently than ever before, and the shift from server-based to service-based thinking is transforming the way
technology departments think about, design, and deliver computing technology and applications. Yet these
advances have created new security vulnerabilities and amplified existing ones, including security issues whose
full impact is only now being understood. Among the most significant security risks associated with cloud
computing is the tendency to bypass information technology (IT) departments and information officers.
Although shifting exclusively to cloud technologies may provide cost and efficiency gains, doing so requires that
business-level security policies, processes, and best practices be taken into account. In the absence of these
standards, businesses are vulnerable to security breaches that can erase any gains made by the switch to cloud
technology.
Seeing both the promise of cloud computing and the risks associated with it, the Cloud Security Alliance
(CSA) has created industry-wide standards for cloud security. In recent years, CSA released the "Security
Guidance for Critical Areas in Cloud Computing" and the "Security as a Service Implementation Guidance".
These documents have quickly become the industry-standard catalogue of best practices for securing cloud
computing, addressing the subject comprehensively across the thirteen domains of the CSA Guidance and the ten
service categories of the Security as a Service (SecaaS) Implementation Guidance series. Many businesses,
organizations, and governments have incorporated this guidance into their cloud strategies.
Like the research artifacts mentioned above, "The Treacherous 12 – Cloud Computing Top Threats in 2016"
plays a crucial role in the CSA research ecosystem. The purpose of the report is to give organizations an
up-to-date, expert-informed understanding of cloud security concerns so that they can make educated
risk-management decisions about cloud adoption strategies. The report reflects the current consensus among
security experts in the CSA community about the most significant security issues in the cloud.
While there are many security concerns in the cloud, this report focuses on 12 specifically related to the shared,
on-demand nature of cloud computing. To identify the top concerns, CSA conducted a survey of industry experts
to compile professional opinions on the greatest security issues within cloud computing. The Top Threats
working group used these survey results alongside their expertise to craft the final 2016 report. In this most
recent edition of the report, experts identified the following 12 critical issues to cloud security (ranked in order
of severity per survey results):
1. Data Breaches
2. Weak Identity, Credential and Access Management
3. Insecure APIs
4. System and Application Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats (APTs)
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious Use of Cloud Services
11. Denial of Service
12. Shared Technology Issues
The 2016 Top Threats release mirrors the shifting ramifications of poor cloud computing decisions up through
the managerial ranks: instead of being an IT issue, cloud security is now a boardroom issue. The reasons may lie
partly with the maturation of cloud, but more importantly with higher-level strategic decisions by executives on
cloud adoption. The 2013 edition highlighted developers and IT departments rolling out their own self-service
"shadow IT" projects and bypassing organizational security requirements. In 2016, cloud adoption may be
effectively aligned with executive strategies to maximize shareholder value. The always-on nature of cloud
computing affects factors that may skew external perceptions and, in turn, company valuations. Wider-reaching
architecture and design factors, namely Identity, Credential and Access Management, Insecure APIs, and System
and Application Vulnerabilities, rose in the survey, while Data Loss and individual Account Hijacking fell in
comparison.
With descriptions and analysis of the Treacherous 12, this report serves as an up-to-date guide that will help
cloud users and providers make informed decisions about risk mitigation within a cloud strategy. This threat
research document should be used in conjunction with the best-practice guides "Security Guidance for Critical
Areas in Cloud Computing V.3" and "Security as a Service Implementation Guidance". A threat analysis was also
conducted with the STRIDE Threat Model[1], and the working group recommends the NIST Risk Management
Framework[2] for guidance on how to manage information technology risk. Together, these documents offer
valuable guidance during the formation of comprehensive, appropriate cloud security strategies.
[1] The STRIDE Threat Model. https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
[2] NIST Risk Management Framework (RMF) Overview. http://csrc.nist.gov/groups/SMA/fisma/framework.html
Methodology
In creating The Treacherous 12 – Cloud Computing Top Threats in 2016, the CSA Top Threats Working Group
conducted research in two primary stages. Both stages used surveys and questionnaires as instruments of study.
In the first stage of the research, our goal was to create a short list of cloud security concerns. The group
first started with a list of 20 security concerns, updating last year’s eight issues and adding 12 new issues.
We presented the 20 concerns via a series of consultations asking working group members to indicate the
importance of each concern to their organization. This stage of the research also provided the opportunity for
respondents to suggest other concerns. After considering all the survey results and additional information, the
working group identified the top 13 most salient cloud security concerns.
In the second stage of the research, the group’s main goal was to rank the previously short-listed cloud security
concerns. The group wanted the study to capture what people thought were the most relevant cloud security
concerns; a 4-point Likert scale was chosen as the research instrument. A Likert scale is a popular quantitative
research method in surveys and is used to represent people’s attitudes on a topic. The scale is: 1 (Irrelevant),
2 (Somewhat Relevant), 3 (Relevant), and 4 (Very Relevant). Every security concern was rated 1, 2, 3 or 4 and
assigned corresponding scores. For example, a security concern rated as Irrelevant was given one point, a
security concern rated as Somewhat Relevant was given two points, and so on. The points for each category
were averaged, and the security concerns were then ranked according to their mean. The working group then
dropped the security concern which ranked last, leaving the final 12.
The working group also analyzed the security concerns using the STRIDE threat model, which was developed by
Microsoft to evaluate information security threats. Specifically, the security concerns discussed in this paper are
evaluated to determine whether they fall into any of the following threat categories:
• Spoofing identity (S)
• Tampering with data (T)
• Repudiation (R)
• Information Disclosure (I)
• Denial of service (D)
• Elevation of privilege (E)
A total of 271 people responded to the survey. About half were from the U.S. (48.95%), with the next-largest
group of respondents from Australia (5.02%).
Of the respondents who categorized their organizations, 44.65% reported themselves as being part of the
technology industry; 15% reported themselves as being part of the professional services industry; and 9.30%
reported themselves as being part of the public sector. The remainder was represented by the education,
finance, health, and other sectors.
Of the respondents who answered demographic questions, 87.33% identified themselves as Security Specialists,
12.22% as Software Specialists and 9.95% as Networking Specialists, followed by other categories.
1. Security Concern: Data Breaches
1.1 Description
A data breach is an incident in which sensitive, protected or confidential information is released, viewed, stolen
or used by an individual who is not authorized to do so. A data breach may be the primary objective of a targeted
attack or may simply be the result of human error, application vulnerabilities or poor security practices. A data
breach may involve any kind of information that was not intended for public release including, but not limited to,
personal health information, financial information, personally identifiable information (PII), trade secrets and
intellectual property.
An organization's cloud-based data may have value to different parties for different reasons. For example,
organized crime often seeks financial, health and personal information to carry out a range of fraudulent
activities. Competitors and foreign nationals may be keenly interested in proprietary information, intellectual
property and trade secrets. Activists may want to expose information that can cause damage or embarrassment.
Unauthorized insiders obtaining data within the cloud are a major concern for organizations.
The risk of data breach is not unique to cloud computing, but it consistently ranks as a top concern for cloud
customers. A cloud environment is subject to the same threats as a traditional corporate network as well as new
avenues of attack by way of shared resources, cloud provider personnel and their devices, and third-party
partners of the cloud provider. Cloud providers are highly accessible and the vast amount of data they host
makes them an attractive target.
Service models: IaaS, PaaS, SaaS
CSA Security Guidance reference: Domain 5: Information Management and Data Security; Domain 10: Application
Security; Domain 11: Encryption and Key Management; Domain 12: Identity, Entitlement and Access Management;
Domain 13: Virtualization
Threat analysis (STRIDE): Spoofing Identity, Tampering with data, Repudiation, Information Disclosure, Denial of
Service, Elevation of Privilege
1.2 Business Impacts
Although nearly any data breach can be problematic, the sensitivity
of the data usually determines the extent of the damage. In many parts of the world, laws and regulations oblige
organizations to exercise certain standards of care to ensure that sensitive information is protected against
unauthorized use. When a data breach occurs, companies may incur large fines and may also be subject to civil
lawsuits and, in some cases, criminal charges.
A company also accrues costs related to investigating a breach and notifying customers who were impacted.
Some companies engage professional consulting and legal services to assist with managing the breach response.
It is also customary for a company suffering a data breach to purchase credit monitoring services for consumers
whose information was stolen to alert them in case of fraudulent use. Indirect impacts such as damage to a brand’s
reputation and resulting loss of business are much harder to calculate. Measures such as the rate at which customers
leave, and any change to the cost of user acquisition can be used to estimate this.
Cloud providers often have good security for the aspects they take responsibility for, but ultimately customers are
responsible for protecting their data in the cloud. The best protection against a data breach is an effective security
program. Two important security measures that can help companies stay secure in the cloud are multifactor
authentication and encryption.
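The report's closing advice for this concern is that customers remain responsible for protecting their own data and that encryption is one of the two key controls. The Go program below is an added illustration, not code from the CSA report, of the envelope-encryption pattern that client-side cloud storage encryption typically uses: each record gets its own AES-256-GCM data key, that data key is wrapped under a customer-held key-encryption key (KEK), and only the two ciphertexts are stored at the provider. The KEK, the sample record, the object name and all function names are constructed for the example; in production the KEK would be fetched from a KMS or HSM rather than generated in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is all that is stored at the cloud provider: the encrypted record
// plus its data key wrapped under a KEK the customer controls. Neither the KEK
// nor a plaintext data key sits beside the data, so a copied bucket yields only blobs.
type Envelope struct {
	WrappedKey []byte // data key sealed under the KEK: nonce || ciphertext || tag
	Ciphertext []byte // record sealed under the data key: nonce || ciphertext || tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM under a fresh random nonce. aad is
// authenticated but not encrypted; binding the object name as AAD means a
// ciphertext moved to a different object fails to open.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails if key, nonce, AAD or ciphertext were altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt seals one record under its own 256-bit data key and wraps that key
// under the KEK. Only the KEK is long-lived and it never touches record data.
func Encrypt(kek, record []byte, objectName string) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, record, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dataKey, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the KEK, then opens the record.
func Decrypt(kek []byte, env *Envelope, objectName string) ([]byte, error) {
	dataKey, err := open(kek, env.WrappedKey, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.Ciphertext, []byte(objectName))
}

func main() {
	// Constructed demo values; a real KEK would come from a KMS or HSM.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte(`{"customer":"A. Example","card_last4":"4242"}`)
	const name = "customers/0001.json"
	env, err := Encrypt(kek, record, name)
	if err != nil {
		panic(err)
	}
	back, err := Decrypt(kek, env, name)
	fmt.Println("round trip ok:", err == nil && string(back) == string(record))
	// A breach of the bucket yields env but not the KEK.
	_, err = Decrypt(make([]byte, 32), env, name)
	fmt.Println("wrong KEK rejected:", err != nil)
	// One flipped byte fails the GCM tag instead of decrypting to garbage.
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01
	_, err = Decrypt(kek, env, name)
	fmt.Println("tampered record rejected:", err != nil)
}
```

Because the object name is bound as authenticated additional data, a ciphertext copied from one object to another fails to open, and because GCM authenticates the whole blob, a single altered byte is rejected rather than decrypted to garbage. Rotating the KEK means re-wrapping small data keys, not re-encrypting every record. This is the difference between a storage exposure that yields customer records and one that yields only opaque blobs, which is the gap TalkTalk was criticized for in the anecdote that follows.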
1.3 Anecdotes and Examples
In mid-2015, BitDefender, an antivirus firm, had an undisclosed number of customer usernames and passwords
stolen due to a security vulnerability in its public cloud application hosted on AWS. The hacker responsible demanded
a ransom of $15,000.
The 2015 Anthem breach of more than 80 million customer records began with stolen credentials on the corporate
network. A third-party cloud service was used to transfer the huge data store from the company’s network to the
public cloud where it could be downloaded by the hackers.
British telecom provider TalkTalk reported multiple security incidents in 2014 and 2015, which resulted in the theft
of four million customers’ personal information. The breaches were followed by a rash of scam calls attempting to
extract banking information from TalkTalk customers. TalkTalk was widely criticized for its failure to encrypt customer
data.
1.4 CCM v3.0.1 Control IDs
AIS-04: Application & Interface Security – Data Security/Integrity
CCC-02: Change Control & Configuration Management – Outsourced Development
DSI-02: Data Security & Information Lifecycle Management – Data Inventory/Flows
DSI-05: Data Security & Information Lifecycle Management – Information Leakage
DSI-06: Data Security & Information Lifecycle Management – Non-Production Data
DSI-08: Data Security & Information Lifecycle Management – Secure Disposal
EKM-02: Encryption & Key Management – Key Generation
EKM-03: Encryption & Key Management – Sensitive Data Protection
EKM-04: Encryption & Key Management – Storage and Access
GRM-02: Governance and Risk Management – Data Focus Risk Assessments
GRM-10: Governance and Risk Management – Risk Assessments
HRS-02: Human Resources – Background Screening
HRS-06: Human Resources – Mobile Device Management
IAM-02: Identity & Access Management – Credential Lifecycle/Provision Management
IAM-04: Identity & Access Management – Policies and Procedures
IAM-05: Identity & Access Management – Segregation of Duties
IAM-07: Identity & Access Management – Third Party Access
IAM-09: Identity & Access Management – User Access Authorization
IAM-12: Identity & Access Management – User ID Credentials
IVS-08: Infrastructure & Virtualization Security – Production/Non-Production Environments
IVS-09: Infrastructure & Virtualization Security – Segmentation
IVS-11: Infrastructure & Virtualization Security – Hypervisor Hardening
SEF-03: Security Incid…