DEVOPSdigest

It's likely you've heard of the Rat Pack. Decades later, along came the Brat Pack. And today, there's the Threat Pack. While they might not be making headlines on stage or on screen, this dubious group of leaders is making headlines in other ways, most recently as part of the Cloud Security Alliance's Top Threats to Cloud Computing 2024. This bi-annual survey, which polls enterprises and individuals on what they see as the greatest threat or risk to their cloud environment, encapsulates the most critical security issues that enterprises are currently facing in the cloud space.

This year's top threats included some familiar faces and a few new ones. And, while there have been a few shake ups, what's most interesting is that not too much has changed since we last asked the question in 2022. For the most part, many of the same threats made the list. What has changed is the order in which they appear. For example, Misconfiguration and Inadequate Change ControI moved up from third place in 2022 to the top spot this year. Identity and Access Management (IAM), meanwhile, took top billing two years ago, but moved down to second place this year, bumping Insecure Interfaces and APIs down to #3.

The fact that there has been movement is great, as it indicates progress in the industry while simultaneously demonstrating a growing trust in the cloud. Digging a little deeper, the fact that these issues have remained at or near the top of the list speaks strongly to the importance cloud practitioners place on addressing these risks when it comes to securing their cloud environments.

Given that, the top three threats should come as no surprise to anyone in the cloud space. As we are all too well aware, the issues that are the most challenging to address are those that stem from factors out of our control. Point in case are the updates vendors seem to push out on a frequent basis, each of which has a significant impact on how a cloud environment's backend works. Solving for this has been a long-running discussion, and one that's becoming even more complex as we move into the realm of artificial intelligence. Whereas previously the challenge centered on how to properly manage users, that same challenge still exists but with an added layer of how to best secure non-human identities.

The good news is that while challenges are mounting in one area, there is one sector where we seem to be improving — data exfiltration. This is a hugely important topic, but one that fell off the list of top threats this year. And while it's entirely possible that companies just aren't seeing a lot of attacks on their data, I think it's more likely that a stronger regulatory environment has been a key factor in pushing this down the list. The financial services and healthcare sectors — both of which are among the biggest users of cloud — have begun taking a much stronger stance when it comes to hardening data controls. The results are telling: Thanks to these enhanced regulations, companies are in a better position to prevent and mitigate these types of attacks.

Not to be discounted, the following threats rounded out our top 11 this year. Starting with #4, they are as follows (2022 ranking is shown where relevant):

4. Inadequate selection/Implementation of cloud security strategy (#4)

5. Insecure third-party resources (#6)

6. Insecure software development (#5)

7. Accidental cloud data disclosure (#8)

8. System vulnerabilities (#7)

9. Limited cloud visibility/Observability

10. Unauthenticated resource sharing

11. Advanced persistent threats (#10)

The survey also uncovered several themes that we think are likely to shape the future of cloud computing, specifically the increased sophistication of attacks, the ever-growing risk to the supply chain, the rise of Ransomware-as-a-Service, and finally, as mentioned above, an evolving regulatory landscape.

Whereas our list of top threats is by no means exhaustive, it does give a clear snapshot of the challenges companies are currently facing. Taking it a step further, it's our hope that it provides a framework companies can use to ensure their cloud initiatives align with larger strategic goals and that they are allocating their resources effectively to mitigate both financial and reputational risks.