Cloud Pain Points

A brief but nice summary of pain points we have all experienced?

  • Insufficient staff skills
  • Data loss/leakage
  • API vulnerabilities
  • Malware infections
  • Insufficient identity and access management controls
  • Lack of visibility into what data and workloads are within cloud applications
  • Inability to monitor data in transit to and from cloud applications
  • Cloud applications being provisioned outside of IT visibility (e.g., shadow IT)
  • Inability to prevent malicious insider theft or misuse of data
  • Advanced threats and attacks against the cloud application provider
  • Inability to assess the security of the cloud application provider’s operations
  • Vendors failing to alert customers of vulnerabilities
  • Inability to maintain regulatory compliance
  • Misconfigurations of cloud hardware and/or cloud software

By Threatpost

Wiki for Cloud Security

NotSoSecure have made this wiki for cloud security, with tools and methods for how to research and develop knowledge in this topic. I find it quite useful when browsing various cloud security research blogs they refer to, tools and methods. E.g., for AWS a lot of defensive and offensive tools are listed such as ScoutSuite in which I have great experience with.

Threat Modeling Tools

MS Threat modeling tool, Cairis, Iriusrisk, Kenna, OWASP pytm, OWASP threat dragon, threagile are some of the most known threat modeling tools I know.

Personally I like OWASP Threat Dragon for being supported on most common platforms, and because of its flexibility in designing and registering threats. MS Threat modeling tool provides a lot of out-of-the-box threat scenarios with details based on the model designed.

OWASP Threat Dragon
MS Threat modeling