NSA Shares Guide for Mitigating Cloud Vulnerabilities, Threats

January 27, 2020 - The National Security Agency released new guidance designed to help organizations across all sectors mitigate cloud vulnerabilities, including identifying cloud security components, threat actors, and potential mitigation techniques.

According to the guide, cloud vulnerabilities can be broken down into four key categories: misconfiguration, poor access control, shared tenancy flaws, and supply chain vulnerabilities.

The guide is designed both for the organizational leadership team and technical staff and is broken down into three sections: cloud components, cloud threat actors, and cloud vulnerabilities and mitigations. The hope is that leadership can gain perspective on cloud security principles, while addressing cloud security considerations to assist with cloud service procurement.

To the NSA, organizations should take a risk-based approach to cloud-adoption to ensure the enterprise can “securely benefit from the cloud’s extensive capabilities.”

“While careful cloud adoption can enhance an organization’s security posture, cloud services can introduce risks that organizations should understand and address both during the procurement process and while operating in the cloud,” NSA officials wrote.

“Fully evaluating security implications when shifting resources to the cloud will help ensure continued resource availability and reduce risk of sensitive information exposures,” they added. “To implement effective mitigations, organizations should consider cyber risks to cloud resources, just as they would in an on-premises environment.”

The guide breaks down the different cloud architecture types, which vary by vendor and include identity and access management, virtualization and containerization computation, networking, and storage. NSA officials recommended that organizations first understand the different cloud implementation methods as part of its risk decision.

Organizations can also find insights into cloud encryption and key management, which the NSA explained for critical aspects of protecting information in the cloud.

“While the cloud service provider uses encryption (among other controls) to protect some aspects of customer data from other customers and CSP employees, cloud customers should understand the options that they have for further protecting their data,” NSA officials wrote.

“Understanding data sensitivity requirements is crucial for building a cloud encryption and key management strategy,” they added. “Cloud-based KM services are designed to integrate with other cloud services, reducing the amount of customer development needed to protect and process data in the cloud.”

The guide also sheds light on ways cloud vendors and its customers are meant to share cloud security responsibilities to bolster protection of data stored in the cloud, such as incident response and patching and updating.

The NSA also provided a deep dive into misconfiguration. The widespread vulnerability is widespread and has impacted a trove of sensitive data, including within the healthcare sector. IntSights researchers have found one-third of healthcare organizations are leaving online databases exposed or misconfigured.

“Misconfiguration of cloud resources remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services,” NSA officials wrote. “Often arising from cloud service policy mistakes or misunderstanding shared responsibility, misconfiguration has an impact that varies from denial of service susceptibility to account compromise.”

“The rapid pace of cloud service provider innovation creates new functionality but also adds complexity to securely configuring an organization’s cloud resources,” they added.

Organizations will find a step-by-step best practice guide to shoring up this critical vulnerability. Full insights can be found with the NSA.