The Cloud Security Alliance (CSA) Egregious 11 is similar to the OWASP Top Ten for Web Applications. Regularly, the organization releases a detailed "Top Threats to Cloud Computing" report to raise awareness of the most critical cloud security issues and promote strong security practices. An interesting trend in this fourth edition is that traditional cloud security issues directly under the control of the cloud service provider (CSP), e.g., denial of service and shared technology vulnerabilities, are absent. This reflects a trend where security concerns are higher up the tech stack, more toward those business applications deployed on CSP infrastructure and the services and APIs that power them.

The Egregious 11 — Defending Against the CSA Top Threats Webinar

This webinar dives deeper into the Egregious 11, how to identify and mitigate these threats, and how they fit into a cloud-native security program.

Watch Now: The Egregious 11 — Defending Against the CSA Top Threats

Spend time to understand cloud-specific threats, built-in features of your CSP, and how both fit into your security program. Doing so, you'll find that there are a lot of interrelated controls you can apply that yield multiple leverage points.

For each of the CSA egregious 11, my tips are as follows:


Data Breach: Double/triple check encryption settings. Most extracted data is wholly unprotected. Don't assume the CSP encrypts your data stores automatically; they don't.

2-csa-egregious-11-misconfiguration-inadequate-change-controlMisconfiguration & Inadequate Change Control: Remove default credentials for each service and API you use. It's easy for an attacker to discover your cloud services and try default login creds.

3-csa-egregious-11-lack-of-cloud-security-architecture-strategyLack of cloud security architecture & strategy
: Threat model. A simple activity — document your assets, identify threats to those assets, and conceive of ways to thwart those threats. Disallow/deactivate services you don't need.

4-csa-egregious-11-insufficient-identity-access-key-managementInsufficient Identity, Access, Key Management: Don't rely on username/password for authentication. RBAC, or a 2FA for login, can protect up to 80% of unauthorized access.

5-csa-egregious-11-account-hijackingAccount Hijacking: Alert on and monitor all new account creations. Hackers look for easy entry points. Once they gain access, they can escalate privileges for lateral movement.

6-csa-egregious-11-insider-threatInsider Threat
: DLP (data loss prevention) can help flag exfiltration attempts.

7-csa-egregious-11-insecure-interfaces-and-apisInsecure Interfaces & APIs: Most frequent attack vector in 2022, according to Gartner. Force input validation for APIs you build; use CSP traffic throttling tools to prevent bot abuse/attacks.

8-csa-egregious-11-weak-control-planeWeak Control Plane: This is your command center. Treat it as such with strict and limited access control. Reduce the number of users who have access to the control plane and implement RBAC or MFA for a rigorous ID process.

9-csa-egregious-11-metastructure-and-applistructure-failuresMetastructure & Applistructure Failures: Monitor security bullets for 3rd-party applications/SaaS you use and act accordingly, e.g., patch. Conduct regular security assessments on your own applications and 3rd-party software (supply chain).

10-csa-egregious-11-limited-cloud-usage-visibilityLimited Cloud Usage Visibility: Use an EASM (external attack surface monitoring) or CART (continuous automated red teaming) solution to scan for shadow IT regularly and other unsanctioned (yet live) assets.

11-csa-egregious-11-abuse-and-nefarious-use-of-cloud-servicesAbuse and Nefarious Use of Cloud Services: Leverage CSPs monitoring services to identify abnormal resource/employee usage. This is always available yet seldom used. Related to this, maintain and enforce a list of approved apps and stores (allowed list).

I want to reiterate something that I started this document with: traditional cloud security issues, like network distributed denial of service (DDOS) attacks, are now mostly under control by the cloud service providers. As the CSPs have gotten much more mature and robust with security, those types of things don't even make it onto the Egregious 11 list anymore.

The Egregious 11 is now much more elevated toward those business applications deployed on top of the metastructure – applications, services, and APIs. I view this as more of a permanent scenario given the lack of systemic knowledge organizations have related to secure cloud operations. Learn how to apply the tips above, most of which are long-standing security principles, to the environments and business applications you're managing.

About Ed Adams, CEO

Ed Adams is a software quality and security expert with over 20 years of experience in the field. He served as a member of the Security Innovation Board of Directors since 2002 and as CEO since 2003. Ed has held senior management positions at Rational Software, Lionbridge, Ipswitch, and MathSoft. He was also an engineer for the US Army and Foster-Miller earlier in his career.

Ed is a Ponemon Institute Research Fellow, Privacy by Design Ambassador by the Information & Privacy Commissioner of Canada, Forbes Technology Council Member, and recipient of multiple SC Magazine’s Reboot Leadership Awards. He sits on the board of Cyversity, a non-profit committed to advancing minorities in the field of cyber security,  and is a BoSTEM Advisory Committee member.