NSA Releases Guidelines to Improve Cloud Security

  • The guidelines include mitigation techniques for cloud vulnerabilities in addition to identifying cloud security components, threat actors and more.
  • NSA hopes that organizations can gain perspective on cloud security principles while addressing cloud security considerations to assist with cloud service procurement.

The National Security Agency (NSA) has released new guidelines to help organizations improve the security of data stored in the cloud. The guidelines include mitigation techniques for cloud vulnerabilities in addition to identifying cloud security components, threat actors and more.

With the release of the guideline, NSA hopes that organizations can gain perspective on cloud security principles while addressing cloud security considerations to assist with cloud service procurement. The guide is designed both for the organizational leadership team and technical staff.

What are the major flaws?

According to the guide, cloud vulnerabilities can be divided into four categories: misconfiguration, poor access control, shared tenancy flaws, and supply chain vulnerabilities.

Misconfiguration: Termed the most prevalent cloud vulnerability, a misconfiguration can enable attackers to access cloud data and services. In May 2017, this kind of security flaw caused a large defense contractor to expose sensitive NGA data and authentication credentials to the public. Likewise, in September 2017, a security researcher discovered CENTCOM data accessible to all public cloud users, and in September 2019, sensitive travel details of Department of Defense (DoD) personnel were exposed due to the same kind of flaw. There are countless examples of the same flaw impacting private companies as well.
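The exposures described above typically trace back to a storage access policy that grants read access to anonymous principals. The following audit script is an added example, not part of the NSA guidance or the article: it parses a constructed policy document modeled on the AWS S3 bucket-policy JSON structure (an assumption; the sample is not a real policy) and flags every Allow statement whose Principal includes the wildcard "*", distinguishing an unconditional public grant from one narrowed by a Condition block.

```python
"""Flag storage-policy statements that grant access to anonymous principals.

Constructed example: the policy below is modeled on the AWS S3 bucket-policy
JSON shape (assumed; adapt the field names if your provider differs).
"""
import json
from typing import Any

# Constructed sample policy with one public grant, one IP-restricted
# wildcard grant, one role-scoped grant and one Deny statement.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "AdminWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/admin"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyDelete", "Effect": "Deny", "Principal": "*",
         "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def _as_list(value: Any) -> list:
    """Policy fields may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(principal: Any) -> list[str]:
    """Flatten the Principal element ("*", {"AWS": "*"}, {"AWS": [...]})."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        flat: list[str] = []
        for entry in principal.values():
            flat.extend(_as_list(entry))
        return flat
    return []


def find_public_grants(policy_json: str) -> list[dict]:
    """Return one finding per Allow statement that names the wildcard principal.

    A statement carrying a Condition block is reported as "conditional"
    rather than "public", since the condition may (or may not) narrow it
    enough; an unconditional wildcard Allow is reported as "public".
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if "*" not in _principals(stmt.get("Principal")):
            continue  # scoped to named principals only
        severity = "conditional" if stmt.get("Condition") else "public"
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "severity": severity,
            "actions": _as_list(stmt.get("Action")),
        })
    return findings


if __name__ == "__main__":
    for finding in find_public_grants(SAMPLE_POLICY):
        print(f"{finding['severity']:<12} {finding['sid']:<12} {finding['actions']}")
```

Run against a real policy export, the "public" findings are the ones to act on first; "conditional" findings need a human to read the Condition block, because a condition on source IP or a referer header is not an authentication control.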

Poor access control: This occurs when cloud services use weak authentication methods or include vulnerabilities that allow those authentication methods to be bypassed. Weaknesses in access control mechanisms can allow an attacker to elevate privileges, resulting in the compromise of cloud resources. The cyberattacks in October 2019 by the Phosphorus group on Microsoft customers and the attacks in March 2018 by the Iranian Mabna Institute, where email accounts were compromised by bypassing multi-factor authentication, are examples of how this flaw can be exploited by threat actors.

Shared tenancy vulnerabilities: Cloud platforms consist of multiple software and hardware components. Adversaries who are able to determine the software or hardware used in a cloud architecture can take advantage of vulnerabilities in those components to elevate privileges in the cloud. Such attacks are estimated to be rare because the sophistication required is ‘high’.

Hardware vulnerabilities in processors can also have a large impact on cloud security. One such case is the flaws in chip design that can result in the compromise of tenant information in the cloud through side-channel attacks.

Supply chain vulnerabilities: Supply chain vulnerabilities in the cloud include the presence of insider threats and intentional backdoors in hardware and software. In addition to this, third-party software cloud components may contain vulnerabilities intentionally inserted by rogue developers to compromise the application. Inserting an agent into the cloud supply chain, as a supplier, administrator or developer, could be an effective means for nation-state attackers to compromise cloud environments.

Conclusion

Managing risks in the cloud is a responsibility that rests with cloud service providers (CSPs). Thus, CSPs should deploy the right countermeasures to help customers harden their cloud resources. Security in the cloud is a continuous process, and customers should also continually monitor their cloud resources and work to improve their security posture.