
OWASP Top 10 Cloud Risks and Mitigation Controls

This work of OWASP Top 10 Cloud Risks and consolidation of their Mitigation Controls has been performed by Sanjay Jha. All Risk Statements are highlighted in bold letters.
1. Accountability & Data Risk

Risk: Risk of Data loss in Third Party.

Mitigation controls:
• Contracts, mention CSP and Consumer agreement to a pre-defined RACI matrix; Data Protection requirements such as encryption, pseudonymization, tokenization, etc.; and SLAs.
• CSP Risk Assessments including CSP CCM;
• Encryption: Logical isolation of the multiple consumer data. Multiple Encryption keys.
• Data Classification;
• Data Leak Prevention;
• Digital Rights Management;
• Administration of Data Backup and Recovery, Data Retention, Data Disposal, Fully and permanent destruction of the deleted data.

2. User Identity Federation

Risk: Risk of Hijacked Accounts and Compromised Credentials.

Mitigation controls:
• Manage user Identities across multiple CSPs;
• Stringent controls over user lifecycle including on/off-boarding;
• User Provisioning, Authorization and Authentication;
• CASB, Kerberos, LDAP, RADIUS, AD integration;
• OAuth2 and/or SAML for backend integration;
• Federated Identity for single sign-on (SSO);
• 2-factor / multi-factor Authentication using OATH-HOTP;
• VPN connection between CSP instances and consumer network;
• Proper configuration of Services allowing access.

3. Regulatory Compliance

Risk: Risk of Regulatory compliance violations.

Mitigation controls:
• In contract, define terms of service with CSP for “Responsibility on compliance” and “Geographical affinity”; Also, CSP and Consumer Agreement to Prevent forced disclosure of confidential data by a cloud service provider.
• Regular Third-Party Assessments;
• Certification: CSP’s Risk Management Framework, case-by-case basis.
• Data Localization (Data Sovereignty or Data Residency). Do not store data outside legal jurisdiction.
• Pseudonymize the data prior to upload to the cloud to avoid compliance failures.
• Monitor compliance with Regulations & Industry Standards such as SOX, GDPR, HIPAA, HITECH, PCIDSS, SSAE16 / ISAE 3402, ENISA, NESA, etc.

4. Business Continuity & Resiliency

Risk: Risk of cloud provider being acquired by a consumer’s competitor.
• In the contract with CSP, include necessary terms for protection of risks caused by acquisition of CSP by consumer’s competitor.

Risk: Risk of lack of know-how and capabilities needed to ensure continuity & resiliency.
• Business Continuity program to be ISO22301 certified to address the risk of “”.

Risk: Risk of monetary losses (and/or penalty) due to an outage.
• This risk can be mitigated by having following two clauses mentioned in the contract:
  • Recovery Time Objectives (RTO); and
  • Monetary penalty for downtime.

5. User Privacy & Secondary Usage of Data

Risk: Risk of user personal data mined or used (sold) without user consent.
• Privacy and Acceptable Usage Policy
• Secondary Usage Policy

Risk: Risk of lock-in and users not being able to delete their personal data.
• Consent for Opt-In and Opt-Out.

Risk: Risk of private data being accessed by unauthorized person(s) and/or for unauthorized or appropriate purpose(s).
• De-identification of PII
• Pseudonymize
• Tokenize
• Security Awareness
• Law Obligation for CSP
• Key escrows to law agencies
• Subpoena
• Adopt Privacy by Design approach.
• Perform Data Protection Impact Assessment (DPIA).

6. Service & Data Integration

Risk: Risk of Hijacked traffic.
• Encrypt Data in use, Data at rest, and Data in transit. Use latest TLS.

Risk: Risk of Hacked APIs from vulnerable and compromised internet-accessible APIs used by consumers.
• Implement adequate API Security controls to avoid attacks on the CSP's management API or applications that support multi-tenancy.

Risk: Risk of increased malware infections, data exfiltration and lack of n/w & data control because of unsanctioned cloud services usage.
• Route integration of Shadow IT only through IT and after security assessment.
• Implement Middleware security controls.
• Adopt Security by Design approach.

7. Multi-Tenancy & Physical Security

Risk: Risk of Data loss caused by “failure of CSP’s controls used to maintain separation among tenants” or “subverting logical isolation controls”.

Risk: Risk of Cross-tenant attacks by malicious or Ignorant tenants: Side channel Attacks, Scanning other tenants, and DoS.

Mitigation controls:
• Secure architecture to have adequate Logical Separations for Multi-Tenancy:
  1. Data Encryption (per tenant key management).
  2. Bring Your Own Key (BYOK).
  3. Virtual Private Cloud (VPC).
  4. Dedicated VM (Virtual Machine) instance(s).

8. Incidence Analysis & Forensics

Risk: Risk of untimely/delayed diagnosis and resolution of incidents in complex and dynamic cloud computing environment.

Mitigation controls:
• Comprehensive logging without compromising Performance;
• Dedicated Forensic VM Images;
• Segregation of duties; Access Controls; Robust authentication.
• CSP to have virtual machine imaging (or other similar technologies) in place to help in the forensic analysis of security incidents.
• Consumers to perform monitoring and analysis of information about applications, services, data, and users, without using network-based monitoring and logging, which is available for on-premises IT.

9. Infrastructure Security

Risk: Risk of Advanced persistent threats (APTs), DoS and DDoS attacks.

Mitigation controls:
• Security Risk assessments of IT infrastructure assets;
• Use multi layers of authentication.
• Hardening of App, DB, OS and NW Devices; Patch Management;
• Policy on handling, evaluating and correlating event logs across jurisdictions.
• Role-based admin privileges;
• VA for customized applications, IaaS and PaaS;
• Tiered architecture with appropriate security controls between them;
• Third party audits;
• SOAR / SIEM; Threat Intelligence;
• Shared Service-Single Point of Failures;
• Controlled and Coordinated Change Management to avoid risk of uncoordinated change controls and misconfigurations.
• Auditability of Administrative Access.

10. Non-production Environment Exposure

Risk: Risk of an unauthorized user getting access to the confidential information in non-production environment.

Mitigation controls:
• No use of Production data in non-production environment; No non-production data to be identical to the production data.
• Pseudonymize or Tokenize the production data before moving it to non-production environment.
• Do not develop highly sensitive app in the cloud environment.
• Stringent access controls and activity monitoring for users working on the pre-production system.
• Adopt concept of ‘privacy by design’ and ‘security by design’. Implement data protection principles throughout the entire project lifecycle.
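Several columns above (Regulatory Compliance, User Privacy, and Non-production Environment Exposure) prescribe pseudonymizing or tokenizing data before it leaves the production boundary. The following Python example is added here to show what those two controls look like in practice; it is not part of Sanjay Jha's document and does not describe any particular CSP's tooling. The record layout, field names, HMAC-based pseudonyms and the in-memory token vault are all assumptions made for illustration. The design point it demonstrates is that a keyed pseudonym stays consistent across records (so joins and test cases in non-production still work) while the key and the token vault remain in production, so the non-production copy on its own cannot be reversed.

```python
import hashlib
import hmac
import secrets

# Constructed sample "production" records for the example; not real customer data.
PRODUCTION_RECORDS = [
    {"customer_id": 1001, "email": "alice@example.com", "card_number": "4111111111111111", "balance": 250.00},
    {"customer_id": 1002, "email": "bob@example.com", "card_number": "5500000000000004", "balance": 75.50},
    {"customer_id": 1003, "email": "alice@example.com", "card_number": "4111111111111111", "balance": 12.00},
]

# Assumed classification of which fields get which treatment.
PSEUDONYM_FIELDS = ("email",)
TOKENIZE_FIELDS = ("card_number",)


def pseudonymize(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 over the value, truncated.

    The same input always yields the same pseudonym, so referential integrity
    between records survives in non-production. Without the key, which stays
    in production, the original value cannot be recovered or brute-forced
    cheaply, unlike a plain unkeyed hash of a low-entropy value such as an e-mail.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pseu_" + digest[:24]


class TokenVault:
    """Tokenization: replace a sensitive value with a random surrogate token.

    The token-to-value mapping lives only in this vault (in production); the
    non-production copy receives only the tokens, which carry no information
    about the original value beyond the retained last four digits.
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so repeated values stay linkable.
        if value in self._value_to_token:
            return self._value_to_token[value]
        # Keep the last four characters so tests that display a card suffix still behave.
        token = "tok_" + secrets.token_hex(8) + "_" + value[-4:]
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callable where the vault lives, i.e. in production."""
        return self._token_to_value[token]


def prepare_nonprod_copy(records: list[dict], key: bytes, vault: TokenVault) -> list[dict]:
    """Produce the sanitised copy that is allowed to move to non-production."""
    out = []
    for rec in records:
        safe = dict(rec)  # non-sensitive fields (ids, balances) are copied unchanged
        for field in PSEUDONYM_FIELDS:
            safe[field] = pseudonymize(rec[field], key)
        for field in TOKENIZE_FIELDS:
            safe[field] = vault.tokenize(rec[field])
        out.append(safe)
    return out


def leaks_production_values(nonprod_records: list[dict], production_records: list[dict],
                            fields: tuple = PSEUDONYM_FIELDS + TOKENIZE_FIELDS) -> bool:
    """Release gate: True if any protected production value survives verbatim."""
    prod_values = {rec[f] for rec in production_records for f in fields}
    return any(rec[f] in prod_values for rec in nonprod_records for f in fields)


if __name__ == "__main__":
    # Constructed key for the demo; a real deployment would source it from production KMS.
    demo_key = b"constructed-demo-key-do-not-reuse"
    demo_vault = TokenVault()
    nonprod = prepare_nonprod_copy(PRODUCTION_RECORDS, demo_key, demo_vault)
    for row in nonprod:
        print(row)
    print("leaks production values:", leaks_production_values(nonprod, PRODUCTION_RECORDS))
```

The `leaks_production_values` gate is the check worth wiring into whatever job copies data downwards: it fails closed if a protected field was missed in the classification tuples. Note that pseudonymization is the right choice for fields that must stay joinable (e-mail as a customer key), while tokenization suits values that should never be derivable from the copy at all (card numbers); the rest of the record is left intact so the non-production data remains realistic without being identical to production.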

I am sharing this work with the information security and risk management community so that they can leverage this work for their own purposes. Sd/-: Sanjay Jha, 03-FEB-2020
