CPS 2022: Wrapping Your Head Around the Benefits, Risks of Shifting to the Cloud

It’s been estimated that 94% of companies used cloud services in 2022. As a result of that rising usage of cloud services, an organization’s attack surface has changed significantly.

Understanding the benefits and risks of transitioning to cloud services can be overwhelming.

Michael Nouguier, chief information security officer and director of cybersecurity services at Richey May Technology Solutions, pointed to a funny cartoon at the Dec. 6 Content Protection Summit (CPS), during the session “Wrap Your Head Around the Cloud.”

In the cartoon, one character says to another: “Nah, I’m not worried about cloud security. My stored data is so disorganized they’d never be able to find anything!”

That is “kind of how the cloud started, at least in my opinion and through my experience,” Nouguier said.

During the  session he and Jim Reavis, co-founder and CEO of the Cloud Security Alliance (CSA), dove into cloud security trends and emerging threats moving into 2023.

“We only have 28 minutes to go through some of this,” said Nouguier. “So we’re not going to dive deep into each one of the concepts that we’re talking about today.”

“The first thing we’re going to touch on” are the CSA Pandemic 11, the top 11 current cybersecurity threats, he said.

“We’re not going to go through all of them,” Reavis told attendees, explaining this is a “regular report we do” based on input from experts throughout the sector.

The CSA Pandemic 11 are:

  1. Insufficient Identity, credentials, access and key management
  2. Insecure interfaces and APIs
  3. Misconfiguration and inadequate change control
  4. Lack of cloud security architecture and strategy
  5. Insecure software development
  6. Unsecured third-party resources
  7. System vulnerabilities
  8. Accidental cloud data disclosure
  9. Misconfiguration and exploitation of serverless and container workloads
  10. Organized Crime/hackers/APT
  11. Cloud Storage Data Exfiltration

The “real secret sauce” of the CSA is “we have about 157,000 members around the world and out of that there’s like 12,000 that are just like really dedicated researchers,” Reavis said.

“We create this list a couple of different ways,” Reavis explained. “One, we do a survey to understand what sorts of threats” are out there that the FBI is investigating and “then we assemble some experts together and also do a little bit more predictive analytics and more of a qualitative view of the trends they’re seeing to see what’s really important.”

Reavis added: “We try to prioritize out of that what are the threats that you need to be concerned about going forward today and going forward for the next year or so. And then what’s pretty nice with this document is we combine it with another research artifact we have called” the CSA Cloud Controls Matrix, a cybersecurity control framework for cloud computing.

One change over the years reflected in the report is that the security provided by cloud service providers has become stronger, Reavis noted.

“So much of the responsibility is yours as well,” he said, referring to companies using cloud services.

The FBI has been “trying forever to tell people do multifactor” authentication, he said. “If people aren’t doing that, then maybe we’ve got to find some different solutions. And I do think there might be some different solutions but we want to do multifactor,” he added.

To download the presentation, click here.

To view the entire session, click here.

Presented by Fortinet and produced by MESA, CDSA’s Content Protection Summit is sponsored by Convergent Risks, Richey May Technology Solutions, GeoComply, Signiant, Verimatrix, Shift Media, EIDR and EZDRM.