NSA Shares Guide for Mitigating Cloud Vulnerabilities, Threats
January 27, 2020 – The National Security Agency released new guidance designed to help organizations across all sectors mitigate cloud vulnerabilities, including identifying cloud security components, threat actors, and potential mitigation techniques.
According to the guide, cloud vulnerabilities can be broken down into four key categories: misconfiguration, poor access control, shared tenancy flaws, and supply chain vulnerabilities.
The guide is designed both for the organizational leadership team and technical staff and is broken down into three sections: cloud components, cloud threat actors, and cloud vulnerabilities and mitigations. The hope is that leadership can gain perspective on cloud security principles, while addressing cloud security considerations to assist with cloud service procurement.
According to the NSA, organizations should take a risk-based approach to cloud adoption to ensure the enterprise can “securely benefit from the cloud’s extensive capabilities.”
“While careful cloud adoption can enhance an organization’s security posture, cloud services can introduce risks that organizations should understand and address both during the procurement process and while operating in the cloud,” NSA officials wrote.
“Fully evaluating security implications when shifting resources to the cloud will help ensure continued resource availability and reduce risk of sensitive information exposures,” they added. “To implement effective mitigations, organizations should consider cyber risks to cloud resources, just as they would in an on-premises environment.”
The guide breaks down the different cloud architecture types, which vary by vendor and include identity and access management, virtualization and containerization computation, networking, and storage. NSA officials recommended that organizations first understand the different cloud implementation methods as part of their risk decision.
Organizations can also find insights into cloud encryption and key management, which the NSA described as critical aspects of protecting information in the cloud.
“While the cloud service provider uses encryption (among other controls) to protect some aspects of customer data from other customers and CSP employees, cloud customers should understand the options that they have for further protecting their data,” NSA officials wrote.
“Understanding data sensitivity requirements is crucial for building a cloud encryption and key management strategy,” they added. “Cloud-based KM services are designed to integrate with other cloud services, reducing the amount of customer development needed to protect and process data in the cloud.”
The guide also sheds light on ways cloud vendors and their customers are meant to share cloud security responsibilities to bolster protection of data stored in the cloud, such as incident response and patching and updating.
The NSA also provided a deep dive into misconfiguration. The vulnerability is widespread and has impacted a trove of sensitive data, including within the healthcare sector. IntSights researchers have found one-third of healthcare organizations are leaving online databases exposed or misconfigured.
“Misconfiguration of cloud resources remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services,” NSA officials wrote. “Often arising from cloud service policy mistakes or misunderstanding shared responsibility, misconfiguration has an impact that varies from denial of service susceptibility to account compromise.”