Traditional cloud security issues often associated with cloud service providers (CSPs) continue to decline in importance, according to the Cloud Security Alliance's Top Threats to Cloud Computing 2024 report.
Misconfigurations, identity and access management vulnerabilities, and API risks remain critical.
These findings continue the trajectory first seen in the 2022 report. At the same time, persistent threats such as misconfiguration, identity and access management (IAM) vulnerabilities, insecure application programming interfaces (APIs), and the lack of a comprehensive security strategy continue to rank high, highlighting their critical nature.
“It’s tempting to think that the reason the same issues have remained at the top since the last report was released is due to a lack of progress in securing these features,” said Michael Rosa, co-chair of the Key Threats Working Group. “However, the bigger picture speaks to the importance organizations place on these vulnerabilities and the degree to which they are working to build more secure and resilient cloud environments.”
It is worth noting that concerns such as denial of service, shared technology vulnerabilities, and loss of telecommunications service provider data, which were among the concerns in the 2022 report, are now rated low enough to be excluded from this report. The 2024 Top Threats Report ranks the following concerns in order of importance (previous rankings in parentheses):
1. Poor configuration and insufficient change control (#3)
2. Identity and access management (#1)
3. Insecure interfaces and APIs (#2)
4. Inadequate cloud security strategy selection/implementation (#4)
5. Insecure third-party resources (#6)
6. Insecure software development (#5)
7. Accidental exposure of cloud data (#8)
8. System vulnerabilities (#7)
9. Limited cloud visibility/monitoring
10. Unauthenticated resource sharing
11. Advanced persistent threats (#10)
Key Trends Shaping the Future of Cloud Computing
In the context of these ongoing threats, the paper also touched on several key trends that are likely to shape the future of cloud computing, including:
Increasing sophistication of attacks: Attackers will continue to develop more sophisticated techniques, including artificial intelligence, to exploit vulnerabilities in cloud environments. These new techniques will require a proactive security posture with continuous monitoring and threat hunting capabilities.
Supply chain risks: The increasing complexity of cloud computing systems will increase the attack surface for supply chain vulnerabilities. Organizations will need to extend security measures to vendors and partners.
Evolving regulatory landscape: Regulators are likely to implement stricter regulations on data privacy and security, requiring organizations to adapt their cloud security practices.
The rise of Ransomware as a Service (RaaS): RaaS will make it easier for unskilled actors to launch sophisticated ransomware attacks against cloud environments. Organizations will need robust data backup and recovery solutions along with strong access controls.
“Given the ever-evolving cybersecurity landscape, it’s challenging for businesses to stay ahead of the curve and mitigate the financial and reputational risks they face,” said Sean Hyde, Technical Research Director at Cloud Security Alliance. “By drawing attention to those threats, vulnerabilities and risks that are at the forefront of industry minds, organizations can better focus their resources.”
In creating the Top Threats to Cloud Computing 2024 report, the working group conducted two phases of research, each using surveys to gather the thoughts and opinions of cybersecurity professionals regarding the threats, vulnerabilities, and security risks most relevant to cloud computing.
During the first phase, the group created a shortlist of cloud security issues through in-person surveys of group members; in the second phase, the group surveyed more than 500 industry experts on a shortlist of 28 cloud industry security issues to compile the final report.