Leaders of the (Threat) Pack: Misconfigurations, IAM and Insecure APIs
September 23, 2024

Sean Heide
Cloud Security Alliance

It's likely you've heard of the Rat Pack. Decades later, along came the Brat Pack. And today, there's the Threat Pack. While they might not be making headlines on stage or on screen, this dubious group of leaders is making headlines in other ways, most recently as part of the Cloud Security Alliance's Top Threats to Cloud Computing 2024. This bi-annual survey, which polls enterprises and individuals on what they see as the greatest threat or risk to their cloud environment, encapsulates the most critical security issues that enterprises are currently facing in the cloud space.

This year's top threats included some familiar faces and a few new ones. And, while there have been a few shake ups, what's most interesting is that not too much has changed since we last asked the question in 2022. For the most part, many of the same threats made the list. What has changed is the order in which they appear. For example, Misconfiguration and Inadequate Change ControI moved up from third place in 2022 to the top spot this year. Identity and Access Management (IAM), meanwhile, took top billing two years ago, but moved down to second place this year, bumping Insecure Interfaces and APIs down to #3.

The fact that there has been movement is great, as it indicates progress in the industry while simultaneously demonstrating a growing trust in the cloud. Digging a little deeper, the fact that these issues have remained at or near the top of the list speaks strongly to the importance cloud practitioners place on addressing these risks when it comes to securing their cloud environments.

Given that, the top three threats should come as no surprise to anyone in the cloud space. As we are all too well aware, the issues that are the most challenging to address are those that stem from factors out of our control. Point in case are the updates vendors seem to push out on a frequent basis, each of which has a significant impact on how a cloud environment's backend works. Solving for this has been a long-running discussion, and one that's becoming even more complex as we move into the realm of artificial intelligence. Whereas previously the challenge centered on how to properly manage users, that same challenge still exists but with an added layer of how to best secure non-human identities.

The good news is that while challenges are mounting in one area, there is one sector where we seem to be improving — data exfiltration. This is a hugely important topic, but one that fell off the list of top threats this year. And while it's entirely possible that companies just aren't seeing a lot of attacks on their data, I think it's more likely that a stronger regulatory environment has been a key factor in pushing this down the list. The financial services and healthcare sectors — both of which are among the biggest users of cloud — have begun taking a much stronger stance when it comes to hardening data controls. The results are telling: Thanks to these enhanced regulations, companies are in a better position to prevent and mitigate these types of attacks.

Not to be discounted, the following threats rounded out our top 11 this year. Starting with #4, they are as follows (2022 ranking is shown where relevant):

4. Inadequate selection/Implementation of cloud security strategy (#4)

5. Insecure third-party resources (#6)

6. Insecure software development (#5)

7. Accidental cloud data disclosure (#8)

8. System vulnerabilities (#7)

9. Limited cloud visibility/Observability

10. Unauthenticated resource sharing

11. Advanced persistent threats (#10)

The survey also uncovered several themes that we think are likely to shape the future of cloud computing, specifically the increased sophistication of attacks, the ever-growing risk to the supply chain, the rise of Ransomware-as-a-Service, and finally, as mentioned above, an evolving regulatory landscape.

Whereas our list of top threats is by no means exhaustive, it does give a clear snapshot of the challenges companies are currently facing. Taking it a step further, it's our hope that it provides a framework companies can use to ensure their cloud initiatives align with larger strategic goals and that they are allocating their resources effectively to mitigate both financial and reputational risks.

Sean Heide is Technical Research Director at Cloud Security Alliance
Share this

Industry News

October 03, 2024

Check Point® Software Technologies Ltd. announced its position as a leader in The Forrester Wave™: Enterprise Firewalls, Q4 2024 report.

October 03, 2024

Sonar announced two new product capabilities for today’s AI-driven software development ecosystem.

October 03, 2024

Redgate announced a wide range of product updates supporting multiple database management systems (DBMS) across its entire portfolio, designed to support IT professionals grappling with today’s complex database landscape.

October 03, 2024

Elastic announced support for Google Cloud’s Vertex AI platform in the Elasticsearch Open Inference API and Playground.

October 02, 2024

Progress announced the recipients of its 2024 Women in STEM Scholarship Series.

October 02, 2024

SmartBear has integrated the load testing engine of LoadNinja into its automated testing tool, TestComplete.

October 01, 2024

Check Point® Software Technologies Ltd. announced the completion of its acquisition of Cyberint Technologies Ltd., a highly innovative provider of external risk management solutions.

October 01, 2024

Lucid Software announced a robust set of new capabilities aimed at elevating agile workflows for both team-level and program-level planning.

October 01, 2024

Perforce Software announced the Hadoop Service Bundle, a new professional services and support offering from OpenLogic by Perforce.

October 01, 2024

CyberArk announced the successful completion of its acquisition of Venafi, a provider of machine identity management, from Thoma Bravo.

October 01, 2024

Inflectra announced the launch of its AI-powered SpiraApps.

October 01, 2024

The former Synopsys Software Integrity Group has rebranded as Black Duck® Software, a newly independent application security company.

September 30, 2024

Check Point® Software Technologies Ltd. announced that it has been recognized as a Visionary in the 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms.

September 30, 2024

Harness expanded its strategic partnership with Google Cloud, focusing on new integrations leveraging generative AI technologies.

September 30, 2024

OKX announced the launch of OKX OS, an onchain infrastructure suite.