Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
CSA Startup Showcase
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Education
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Strategic Initiatives
Explore CSA's Strategic Initiatives
AI Safety Initiative
Compliance Automation Revolution
Zero Trust Advancement Center
CxO Trust
FinCloud Security
Trusted Cloud Consultant
Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
CSA Startup Showcase
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Education
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Strategic Initiatives
Explore CSA's Strategic Initiatives
AI Safety Initiative
Compliance Automation Revolution
Zero Trust Advancement Center
CxO Trust
FinCloud Security
Trusted Cloud Consultant
ChaptersCircleEventsBlog

#1 Threat to Cloud Computing: Insufficient Identity, Credential, Access, and Key Management

Published 06/25/2022

Home
Industry Insights
#1 Threat to Cloud Computing: Insufficient Identity, Credential, Access, and Key Management

Written by the CSA Top Threats Working Group.

The CSA Top Threats to Cloud Computing Pandemic Eleven report aims to raise awareness of threats, vulnerabilities, and risks in the cloud. The latest report highlights the Pandemic Eleven top threats, in which the pandemic and the complexity of workloads, supply chains, and new technologies shifted the cloud security landscape.

This blog will summarize the first threat (of eleven) from the report.

Identity, Credential, and Access Management

Identity, credential, access management systems include tools and policies that allow organizations to manage, monitor, and secure access to valuable resources. Examples may include electronic files, computer systems, and physical resources, such as server rooms or buildings.

Proper maintenance and ongoing vigilance are important. The use of risk-scoring in Identity and Access Management (IAM) enhances security posture. Using a clear risk assignment model, diligent monitoring, and proper isolation of its behavior can help cross-check IAM systems. Tracking target access and frequency for risk scoring are also critical to understanding risk context.

Privileged Accounts

Privileged accounts must be deprovisioned in a precise and immediate manner in order to avoid personnel access after offboarding or role change. This reduces the data exfiltration or the likelihood of compromise. Outside of deprovisioning privileged accounts, it is imperative that roles and responsibilities match the level of ‘need to know.’ Multiple over-privileged personnel create a higher likelihood of data mismanagement or account takeover.

Business Impact

Negative consequences of Insufficient Identity, Credentials, Access and Key Management, and Privileged Accounts may include:

  • Negative business performance and productivity due to reactive and overly restrictive lockdowns
  • Employee testing fatigue resulting in a lack of compliance and apathy to security
  • Data replacement or corruption vs. exfiltration by unauthorized or malicious users
  • Loss of trust and revenue in the market
  • Financial expenses incurred due to incident response and forensics
  • Ransomware and supply chain disruption

What do proper IAM, credential, and key management results look like?

  • Hardened defenses at the core of enterprise architectures shift hacking to endpoint user identity as low-hanging fruit.
  • Robust zero trust layer requires more than simple authentication for discrete users and application-based isolation.
  • Operational policies and structured risk are models also vital for advanced tools.
  • User objects must be given risk scores that dynamically adjust as the business requires. Trust should be earned rather than simply providing keys and codes.

Example

In 2021, state-sponsored attacks were on the rise and getting more sophisticated. This year saw breaches that involved Twitch, Cosmology Kozmetik, PeopleGIS, Premier Diagnostics, SeniorAdvisor, Reindeer, and Twillo, with the majority of these attacks being privilege abuse from insider threats. This goes to show that companies that don’t monitor risk and resilience face a dynamic threat landscape flat-footed.

Learn more about this threat and the other 10 top threats in our Top Threats to Cloud Computing Pandemic Eleven publication.

Cloud Key ManagementIdentity and Access ManagementTop Threats

Share this content on your favorite social network today!

Latest from CSA
Managed Business Continuity Cloud Solutions
Read the State of SaaS Security Report 2025
Register now to attend this free Summit, June 11–12!
Unlock Cloud Security Insights

Unlock Cloud Security Insights

Choose the CSA newsletters that match your interests:

Subscribe to our newsletter for the latest expert trends and updates

Level up with Cloud Infrastructure Security Training
Related Articles:
Getting Started with Kubernetes Security: A Practical Guide for New Teams

Published: 04/25/2025

Understanding Zero Trust Security Models - A Beginners Guide

Published: 04/24/2025

BEC in the Age of AI: The Growing Threat

Published: 04/16/2025

Human and Non-Human Identities: The Overlooked Security Risk in Modern Enterprises

Published: 04/11/2025