People have long been seen as a key weakness in cybersecurity, from falling for phishing and other social engineering schemes to running outdated software to inadvertently leaking data.

The human factor also ranks high among the threats facing cloud computing environments. In a report released this week during the Black Hat Conference in Las Vegas, the Cloud Security Alliance (CSA) found that misconfiguration and inadequate change control was the number-one threat, followed by identity and access management (IAM), insecure interfaces and APIs, and inadequate implementation of cloud security strategies, all issues heavily influenced by human actions.

Others with a people factor in the top 10 included insecure software development and accidental cloud data exposure.

The CSA’s Top Threats to Cloud Computing 2024 report is the organization’s first in two years. There were some changes from the last list released in 2022, with the arrow continuing to point to people as the common thread in many of threats.

Worries About Providers are Declining

Comparing the two lists, it’s as much about what threats are dropping in the rankings as what remains, the report’s authors wrote. The top four threats were the same in both rankings, though in different orders. Configurations moved from three to one, with IAM dropping from one to two. Insecure APIs dropped from two to three, while inadequate security implementations stayed at four.

“The survey analysis shows a continuing drop in the ranking of traditional cloud security issues that are the responsibility of cloud service providers (CSPs),” they wrote. “Concerns such as denial of service, shared technology vulnerabilities, and CSP data loss featured in the previous report were now rated low enough to be excluded from this report. These omissions continue the apparent trust in the cloud.”

Worries over traditional cloud security issues in infrastructure-as-a-service (IaaS) environments are dwindling and data breaches no longer dominate as the top cloud security concern, they wrote. However, the nature of the top threats doesn’t make for easy answers.

Cloud Makes Security Challenging

They called configuration “a cornerstone of organizational capability maturity for decades,” adding that the “transition to cloud computing has compounded the challenges, making it crucial for teams to adopt more robust cloud-specific configurations. Given a cloud’s persistent network access and infinite capacity, misconfigurations can have wide-reaching impacts across an organization.”

For IAM, the trend toward using self-signed certificates and ongoing poor cryptographic management are driving worries and fueling interest in implementing zero-trust architectures and software-defined perimeters, the authors wrote. Enterprises also are embracing microservices, which is making securing interfaces and APIs even more important.

“Despite their pivotal role in cloud services, including SaaS and PaaS offerings, substantial challenges remain in securing these elements due to coder inefficiencies and the always-on nature of the cloud,” they wrote.

The report was created in two phases, with both using surveys about cloud security threats and risks. The first phase involved creating a short list of issues via in-person surveys of CSA working group members. In the second, the group polled more than 500 industry experts.

“Given the ever-evolving cybersecurity landscape, it’s difficult for companies to stay ahead of the curve and mitigate their financial and reputational risks,” Sean Heide, the CSA’s technical research director, said in a statement. “By bringing attention to those threats, vulnerabilities, and risks that are top-of-mind across the industry, organizations can better focus their resources.”

Thales Found Similar Trends

The report echoes what other organizations have found. In June, Thales released a similar report that said that cloud resources – including SaaS applications, cloud storage, and cloud management infrastructure – are now the biggest targets for threat actors, putting a focus for organizations on protecting their cloud environments.

At 31%, human error and misconfiguration continued to be the number-one root cause of cloud data breaches, according to Thales’ 2024 Cloud Security Study, which was based on a survey of 2,961 of cybersecurity and IT management professionals. The next two were exploiting known vulnerabilities and failing to use multi-factor authentication, both of which have human elements as well.

“The inclusion of identity resources among top targets is significant for another reason: identity and access management (IAM) is a primary means of linking people with policy and control over technology access and use,” the authors of the Thales report wrote. “Infrastructure and technology aren’t the only aspects of cloud environments exposed to risk. Technology, after all, exists to serve people – which means that the interaction of people with technology, and the degree to which human action can compromise technology, is a factor in cybersecurity.”