The National Security Agency (NSA) has released a cloud security report which provides advice about cloud components, the shared responsibility model, and threats in the cloud in order to help organizations mitigate cloud vulnerabilities.
The NSA Cloud Security Report (PDF) is a well-written and straightforward guide to cloud security basics for organizations in all industry sectors. It starts by discussing four common cloud services (IAM, computing, networking, and storage), their roles in a cloud architecture and the measures organizations should take to use each service securely.
The report then advises organizations to understand the options they have for further protecting data through encryption. It summarizes the alternatives for encryption and encryption key management (i.e. CSP-provided, Bring Your Own Key, off-cloud management, etc.), and notes the advantages and disadvantages of each option.
The third part of the report explains how the shared responsibility model works and illustrates the division of responsibilities for security between Cloud Service Providers and organizations – noting that organizations should pay particular attention to their responsibilities in the fields of threat detection, incident response, and patching and updating resources.
Prior to moving onto how to mitigate cloud vulnerabilities, the NSA alerts organizations to the different types of threat actors. While stating that threat actors may target the same types of weaknesses in both cloud and on-premises systems (i.e. unpatched web applications), the report lists four types of threat actors particularly relevant to cloud computing:
- Malicious CSP Administrators that can leverage privileged credentials to gain unauthorized access to networks and modify or destroy data.
- Malicious Insiders who can use privileged credentials (or the lack of careful credential management) to gain unauthorized access to data.
- Cyber-Criminals and/or Nation State-Sponsored Actors that will take advantage of vulnerabilities or compromised credentials to gain access to cloud resources.
- Untrained or Neglectful Users who expose data or cloud resources unintentionally. This type of threat actor also covers unintentional exposure due to human error.
Advice for Mitigating Cloud Vulnerabilities
The sections on cloud services, encryption, the shared responsibility model, and threat actors are a succinct introduction to the main theme of the report – how to mitigate cloud vulnerabilities. To structure its advice, the NSA selects four classes of cloud vulnerability and maps them by how prevalent they are and by how much sophistication is required to exploit them.
The report provides examples of each type of vulnerability and, starting with the most prevalent, suggests ways in which organizations can mitigate these cloud vulnerabilities.
Misconfigurations
The misconfiguration of cloud services is the most common vulnerability and, according to the NSA, is most often caused by cloud service policy mistakes or a misunderstanding of the shared responsibility model. The report recommends organizations design and automate infrastructures to prevent misconfigurations, apply least privilege IAM controls, and implement effective cloud governance.
Poor Access Control
Poor access control occurs when cloud resources use weak authentication and authorization methods or include vulnerabilities that allow unauthorized users to bypass these methods. To address the threat of unauthorized access, the report recommends applying a Zero Trust access model to resources, implementing multi-factor authentication for users, and using automation to audit access logs.
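The report's recommendation to "use automation to audit access logs" is easier to picture with a concrete check. The following script is an added example and is not code from the NSA report or from VMware Secure State. It parses constructed CloudTrail-style console login events (the field names `eventName`, `userIdentity`, `additionalEventData.MFAUsed` and `responseElements.ConsoleLogin` follow the AWS CloudTrail layout; the event contents, account names and IP addresses are constructed), flags every successful sign-in that did not use MFA, rates a root sign-in without MFA higher than an IAM user's, and raises a second finding when one principal accumulates repeated failed logins from the same source. The threshold of three failures is an assumption for the illustration.

```python
"""Audit constructed CloudTrail-style login events for sign-ins without MFA.

Added example (not from the NSA report or VMware Secure State). The log lines
below are constructed; the field names follow the AWS CloudTrail ConsoleLogin
event layout.
"""
import json
from collections import Counter

# Constructed sample events, one JSON document per line (RFC 5737 test addresses).
SAMPLE_LOG = """\
{"eventTime":"2024-05-01T08:00:12Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10","additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-05-01T08:03:45Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-05-01T08:05:01Z","eventName":"ConsoleLogin","userIdentity":{"type":"Root"},"sourceIPAddress":"198.51.100.7","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-05-01T08:06:30Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"carol"},"sourceIPAddress":"192.0.2.55","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-05-01T08:06:41Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"carol"},"sourceIPAddress":"192.0.2.55","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-05-01T08:06:52Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"carol"},"sourceIPAddress":"192.0.2.55","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-05-01T08:10:00Z","eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10"}
"""

FAILED_LOGIN_THRESHOLD = 3  # assumed threshold for the repeated-failure alert


def parse_events(text):
    """Parse one JSON event per line; skip blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line must not silence the rest of the audit
    return events


def principal(event):
    """Name the acting identity: the IAM user name, or the identity type (e.g. Root)."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def audit_logins(events):
    """Return findings for successful logins without MFA and for repeated failed logins."""
    findings = []
    failures = Counter()
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        who = principal(ev)
        mfa = ev.get("additionalEventData", {}).get("MFAUsed")
        outcome = ev.get("responseElements", {}).get("ConsoleLogin")
        if outcome == "Success" and mfa != "Yes":
            # A root sign-in without MFA is the worst case, so rate it higher.
            is_root = ev.get("userIdentity", {}).get("type") == "Root"
            findings.append({"rule": "login_without_mfa", "principal": who,
                             "severity": "HIGH" if is_root else "MEDIUM",
                             "time": ev.get("eventTime")})
        if outcome == "Failure":
            failures[(who, ev.get("sourceIPAddress"))] += 1
    for (who, ip), n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append({"rule": "repeated_failed_logins", "principal": who,
                             "source": ip, "count": n, "severity": "MEDIUM"})
    return findings


if __name__ == "__main__":
    for finding in audit_logins(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

On the constructed input the audit reports two logins without MFA (one rated HIGH for the root identity) and one cluster of three failed logins for the same user and source. In a real deployment the same function would run over the log feed on a schedule, and its findings would feed the organization's ticketing or alerting rather than standard output.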
Shared Tenancy Vulnerabilities
Although shared tenancy vulnerabilities at the hypervisor level are unlikely, the NSA draws attention to the risk of container “breakouts”. The Agency recommends mitigating the potential consequences of a breakout by encrypting data at rest and in transit, and by using dedicated or bare-metal instances for sensitive workloads rather than containers.
Supply Chain Vulnerabilities
For the purpose of this report, the NSA uses the term “supply chain vulnerabilities” for threats such as backdoors built into software (rather than weaknesses in business partners' security). The report acknowledges that mitigating supply chain attacks against a cloud platform is the responsibility of the CSP, but recommends that organizations control the selection of VM images from third-party vendors.
Implementing the NSA's Recommendations
Throughout the report, the NSA advocates taking a risk-based approach to cloud adoption in order to “securely benefit from the cloud's extensive capabilities”, and the report concludes by recommending the automation of security-relevant processes. There are many security-relevant processes that are possible to automate with the VMware Secure State platform. For example:
- You can integrate a continuous verification process into the CI/CD pipeline to prevent configuration drift.
- You can enforce a policy to block access to accounts when multi-factor authentication is disabled.
- VMware Secure State can scan your environment for unencrypted data, and initiate a function to encrypt exposed data when it is found.
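The "Misconfigurations" section above (least privilege IAM controls, automated infrastructure) and the automation list just given (continuous verification against configuration drift, blocking accounts without MFA, finding unencrypted data) describe the same pattern: declare a baseline, compare the live inventory against it, and act on the difference. The following script is an added example of that pattern and is not code from the NSA report or from VMware Secure State. The inventory format (a dictionary of resources with a `type` and flat properties), the baseline rules, the constructed snapshot and policy document, and the remediation hook names (`enable_default_encryption`, `deactivate_access`, `ticket`) are all assumptions made for the illustration; a real pipeline step would build the snapshot from the provider's inventory API and call the provider's API in the hooks.

```python
"""Continuous-verification check: compare a cloud inventory snapshot against a
declared security baseline, lint IAM policies for least privilege, and report drift.

Added example, not code from the NSA report or from VMware Secure State. The
inventory format, baseline rules, snapshot, policy document and hook names are
assumptions for this illustration.
"""

# Baseline: for each resource type, the property values every resource must have.
BASELINE = {
    "storage_bucket": {"encryption_at_rest": True, "public_access": False, "versioning": True},
    "iam_user": {"mfa_enabled": True},
    "security_group": {"ssh_open_to_world": False},
}

# Constructed snapshot, as a pipeline step might assemble from the provider's inventory API.
SNAPSHOT = {
    "bucket-logs": {"type": "storage_bucket", "encryption_at_rest": True, "public_access": False, "versioning": True},
    "bucket-exports": {"type": "storage_bucket", "encryption_at_rest": False, "public_access": True, "versioning": True},
    "alice": {"type": "iam_user", "mfa_enabled": True},
    "svc-deploy": {"type": "iam_user", "mfa_enabled": False},
    "sg-web": {"type": "security_group", "ssh_open_to_world": True},
}

# Constructed IAM-style policy document with one over-broad statement.
POLICY = {
    "Statement": [
        {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::bucket-logs/*"]},
        {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyDelete", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ]
}


def find_drift(snapshot, baseline):
    """Return one finding per (resource, property) that deviates from the baseline."""
    findings = []
    for name, props in snapshot.items():
        rules = baseline.get(props.get("type"), {})
        for prop, expected in rules.items():
            actual = props.get(prop)
            if actual != expected:
                findings.append({"resource": name, "type": props["type"], "property": prop,
                                 "expected": expected, "actual": actual})
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_least_privilege(policy):
    """Flag Allow statements whose Action or Resource is a bare wildcard."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with wildcards narrows access, so it is not a finding
        for field in ("Action", "Resource"):
            if "*" in _as_list(stmt.get(field, [])):
                findings.append({"statement": stmt.get("Sid", "?"), "field": field, "issue": "wildcard"})
    return findings


def remediate(findings):
    """Map drift findings to hypothetical remediation actions (names are assumptions)."""
    actions = []
    for f in findings:
        key = (f["type"], f["property"])
        if key == ("storage_bucket", "encryption_at_rest"):
            actions.append(f"enable_default_encryption({f['resource']})")
        elif key == ("iam_user", "mfa_enabled"):
            actions.append(f"deactivate_access({f['resource']})")  # block access until MFA is enrolled
        else:
            actions.append(f"ticket({f['resource']}, {f['property']})")  # needs a human decision
    return actions


def gate(drift, policy_findings):
    """Pipeline gate: non-zero exit status when any drift or over-broad policy is present."""
    return 1 if (drift or policy_findings) else 0


if __name__ == "__main__":
    drift = find_drift(SNAPSHOT, BASELINE)
    policy_findings = check_least_privilege(POLICY)
    for f in drift + policy_findings:
        print(f)
    for action in remediate(drift):
        print("remediation:", action)
    raise SystemExit(gate(drift, policy_findings))
```

Run as a pipeline step, the non-zero exit from `gate` is what stops a deployment when the live environment has drifted from the baseline; the remediation hooks show where an automatic fix (enabling default encryption, suspending an account without MFA) can sit next to cases that still need a human ticket.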
Possibly the most difficult part of implementing the NSA's recommendations is knowing which vulnerabilities to prioritize. To help with this issue, VMware Secure State provides environment context and risk scores to help organizations prioritize vulnerabilities across a dynamic cloud infrastructure.
To find out more about VMware Secure State’s cloud security capabilities, do not hesitate to get in touch. Our team of cloud experts will be happy to answer your questions and organize a demonstration to help you visualize how VMware Secure State can help you better protect your cloud environment.