
Top Threats to Cloud Computing – Pandemic Eleven 2022, a report by the Cloud Security Alliance.

Executive Summary
The Top Threats reports traditionally aim to raise awareness of threats, vulnerabilities, and risks in
the cloud. In this sixth installment, we surveyed over 700 industry experts on security issues in the
cloud industry. This year our respondents identified eleven important security issues to their cloud
environments. The Top Threats Working Group used the survey results and its expertise to create the
2022 “Top Threats to Cloud Computing – Pandemic Eleven” report.


The latest report highlights the Pandemic Eleven, ranked in order of significance per the survey
described on page 8. The 2019 survey rankings, or their analogs, are shown in parentheses:

  1. Insufficient Identity, Credentials, Access, and Key Management (4)
  2. Insecure Interfaces and APIs (7)
  3. Misconfiguration and Inadequate Change Control (2)
  4. Lack of Cloud Security Architecture and Strategy (3)
  5. Insecure Software Development
  6. Unsecured Third-Party Resources
  7. System Vulnerabilities (8)
  8. Accidental Cloud Data Disclosure
  9. Misconfiguration and Exploitation of Serverless and Container Workloads
  10. Organized Crime/Hackers/APT (11)
  11. Cloud Storage Data Exfiltration

Observations and Rationale
The COVID-19 pandemic and subsequent lockdowns redefined the workplace, stressing work
from home as no longer a nice-to-have flexibility benefit, but a necessity for continued corporate
operations. The pandemic and the complexity of cloud workloads, supply chains, and new
technologies such as Edge Compute, Internet of Things (IoT), Operational Technology (OT), and
Blockchain shifted the cloud security landscape. New concepts such as SDP (Software Defined
Perimeter) and ZTA (Zero Trust Architecture) altered our view of access to the landscape.
The survey responses show a continuing drop in the ranking of traditional
cloud security issues under the responsibility of cloud service providers (CSPs). Concerns such
as denial of service, shared technology vulnerabilities, CSP data loss, and system vulnerabilities,
featured in the ‘Egregious Eleven (EE)’ Cloud Computing Top Threats in 2019, were now rated low
enough to be excluded from this report. These omissions continue the apparent trust in cloud; vintage
cloud security issues in Infrastructure as a Service (IaaS) environments seem to be less of a concern.
Additionally, we observed that data breaches no longer dominate as the top cloud security concern.
New, highly rated items in the survey point to cloud adopters as the weak links. Respondents no
longer question whether the metastructure (EE:9), weak control plane (EE:8) or usage visibility
(EE:10) will be an issue in their cloud deployments. The focus trend from the Treacherous Twelve
through the Egregious Eleven to this survey continues pushing responsibility up the stack. The
Pandemic Eleven highlights circumstances directly in the user’s control: identity and access
management, cryptography, configuration management, poor coding practices and ignoring
strategic cloud direction. The uptick in agile project management and DevOps hoists these combined
problems directly on the end software teams.


Separating the highest performing cloud organizations will come down to those companies that
emphasize change management, increase employee cross-training, embed team security champions
and enable security & compliance culturally. Cloud continues to flourish and become an everyday
expectation long after the immediate demands of the COVID lockdowns. Investigate these eleven
threats, risks and vulnerabilities to secure your cloud for future success.
