The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. In 2016 CSA released the article ‘Treacherous 12: Top Threats to Cloud Computing + Industry Insights’ to provide readers with a real-world glimpse into what is currently occurring in the security industry. InstaSafe has prepared a refreshed release of the 2016 article that includes new real-world anecdotes and examples of recent incidents relating to each of the 12 cloud computing threat categories identified in the original paper.
“It’s our hope that these updates will not only provide readers with a more relevant context in which to evaluate the top threats but that the enhanced article will provide them with a real-world glimpse into what is currently occurring in the security industry.”
When executives create business strategies, cloud technologies and CSPs must be considered. Developing a good roadmap and checklist for due diligence when evaluating technologies and CSPs is essential for the greatest chance of success. An organization that rushes to adopt cloud technologies and choose CSPs without performing due diligence exposes itself to a myriad of commercial, financial, technical, legal and compliance risks that jeopardize its success. This applies whether the company is considering moving to the cloud or merging with or acquiring a company that has moved to the cloud or is considering doing so.
9.2 Business Impacts
Commercial: Anticipated or newly designed customer services that rely on the CSP to develop new systems and processes may not be a priority for or an expertise of the CSP.
Technical: Unknown operational and architectural issues can arise when designers and architects unfamiliar with cloud technologies are designing applications being pushed to the cloud.
Legal: Data in use, in motion or at rest in foreign locations during normal operations, or even during recovery, may subject the company to regulatory redress.
Compliance: Moving applications that depend on “internal” network-level data privacy and security controls to the cloud is dangerous when those controls disappear.
The bottom line for enterprises and organizations moving to a cloud technology model is that they must perform extensive due diligence to understand the risks they assume by adopting this technology model and engaging the suppliers who provide it.
9.3 Anecdotes and Examples
M&A – In 2011, Facebook settled FTC charges that it had deceived consumers by failing to keep its privacy promises. Under the terms of the FTC’s order, Facebook must get consumers’ affirmative consent before making changes that override their privacy settings, among other requirements.
Jason Weinstein, former deputy assistant attorney general, U.S. Department of Justice, summarized the issue of cybersecurity due diligence succinctly when he said: “When you buy a company, you’re buying their data, and you could be buying their data-security problems.” In other words, “cyber risk should be considered right along with financial and legal due diligence considerations.” This is exactly what happened in the case of Verizon’s takeover of Yahoo: Verizon and Yahoo announced that they had agreed to shave $350 million off Yahoo’s $4.8 billion asking price to reflect huge security breaches that affected the accounts of more than 1 billion Yahoo users.
1. The Treacherous 12 – Cloud Computing Top Threats in 2016
2. Your privacy: Verizon’s takeover of Yahoo is all about user data