
NSA Guidance on Mitigating Cloud Vulnerabilities


5 min read
Published on Feb 10, 2020

The National Security Agency has released a document on “Mitigating Cloud Vulnerabilities” to the public. It addresses the security risks that are distinctive to cloud services. Cloud adoption can improve an organization’s security compared with on-premises systems, but it carries its own risks. The document aims to help technical and security professionals understand and minimize these problems. Cloud services are especially attractive to small organizations, which cannot easily support specialized IT and security staff. Cloud service providers (CSPs) lend their expertise to a large number of customers, reducing the expenditure for each one. At the same time, cloud accounts share facilities, which makes a CSP an attractive target: one compromise can touch many tenants. The document is divided into three major sections:

  • Components
  • Threat actors
  • Vulnerabilities and mitigations

Evaluating and Selecting Cloud Services

The NSA document reminds its readers that “cloud architectures are not standardized”. One service may be well managed and provide a strong level of security, while another is poorly managed and has significant vulnerabilities. A single provider may offer multiple tiers of service, with different tradeoffs between cost and protection. Private cloud services allocate dedicated hardware to a customer; they provide greater isolation than shared hardware, and they cost more. Containerization allows efficient allocation of memory and processing power, but containers share the host kernel, so a single kernel flaw can break the isolation between tenants. Virtual machines are an intermediate solution: each guest is isolated from the others in principle, but all of them still share the underlying hardware and hypervisor. Software-defined networking (SDN) gives each customer its own virtual network, further isolating it from other systems. The document mentions a threat not often discussed: malicious or inept CSP administrators. This type of insider threat is uncommon, but it could affect a large number of customers at once, and a careful administrator could read private data without leaving any trace the customer can see. Choosing a CSP for its reputation and the quality of its internal controls reduces this risk, though it does not eliminate it.

Customer Responsibilities

The document reminds its readers that “CSPs and cloud customers share unique and overlapping responsibilities.” Customers cannot leave everything to the provider. How responsibility is divided depends on the service model: customers who use IaaS or PaaS carry a greater security burden than those who use only SaaS. Support services vary from one CSP to another, and customers need to understand exactly what the provider does for them and what they must do themselves. If customers deploy their own or third-party software on a cloud service, they take on the responsibility of patching any vulnerabilities in it. They need their own threat detection and response capability, since the provider is generally unable to detect security incidents that involve customer software and data. Customers also need to be confident in their own cloud administrators, who are in a strong position to read or alter information for their own ends. They need to create security policies and train employees in risk awareness and best practices. The document also covers encryption and key management. Customers can generate and hold their own encryption keys, or they can use the CSP's key management service. They can perform encryption in the cloud or on their own systems; encrypting data before it leaves the customer's environment provides greater protection, because the CSP never handles plaintext or keys, at the cost of greater complexity. Private cloud services provide the greatest amount of isolation, but they require the customer to take responsibility for nearly everything above the bare-metal level.

Widespread Vulnerabilities

The vulnerabilities listed in the document show a negative correlation between prevalence and the attacker sophistication required: the most common security incidents come from weaknesses that are easy to exploit. The two classes whose prevalence is rated “widespread” are misconfiguration and poor access control. Misconfiguration is especially worrisome because the attacker sophistication needed to exploit it is rated “low.” Sometimes information is inadvertently exposed to the public, and obtaining it requires nothing more than the right URL or API call. The document cites cases where this has happened, including one in which US CENTCOM data in a cloud storage bucket was readable by any anonymous user.

The NSA recommends a combination of policies and automated tools to prevent inadvertent exposure of information. Training, logging, adherence to standards, and auditing are among the recommendations. Weak access control is the source of many security problems. The document focuses on relatively sophisticated methods of exploiting access control weaknesses, rather than the more familiar ones involving weak or unguarded passwords. They include abusing password reset mechanisms and using weak fallback authentication protocols. Recommendations include enforcing multi-factor authentication and limiting access to cloud resources, and between them, so that a single compromised account or workload cannot reach everything.
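The two widespread classes above, storage exposed to anyone with the URL and grants far broader than a workload needs, are exactly the kind of thing the automated checks the NSA recommends should catch before an attacker does. The following is an added example written for this page, not code from the NSA document or from any cloud provider: a small auditor for AWS-style S3 bucket policies and ACLs that flags anonymous-principal grants and wildcard actions, and is then run against a constructed "exposed" policy and a hardened version of the same policy. The bucket name, the account ID 111122223333, the role names and the ACL document are all placeholders constructed for the example.

```python
"""Audit S3-style bucket policies and ACLs for the two "widespread" NSA
vulnerability classes: data exposed to anyone with the URL (misconfiguration)
and over-broad grants (weak access control).  Added illustration, not code
from the NSA document or any CSP; the policies, ACL, account ID 111122223333,
role names and bucket name below are constructed placeholders."""
import fnmatch
import json

# ACL group URIs for anonymous users and for any authenticated AWS account.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# If a statement's Action patterns cover any probe, it grants read / write.
READ_PROBES = ("s3:getobject", "s3:listbucket")
WRITE_PROBES = ("s3:putobject", "s3:deleteobject", "s3:putbucketpolicy")

def _as_list(value):
    """IAM fields may be a scalar or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    """True when Principal is "*" or {"AWS": "*"}: anyone, even unauthenticated."""
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))

def _grants(action_patterns, probes):
    """True if any pattern ("s3:GetObject", "s3:Get*", "s3:*", "*") covers a probe."""
    pats = [p.lower() for p in action_patterns]
    return any(fnmatch.fnmatchcase(pr, pa) for pa in pats for pr in probes)

def audit_bucket_policy(policy_json):
    """Return (Sid, finding) pairs for risky Allow statements.

    public-read / public-write: anonymous principal, no Condition.
    public-conditional: anonymous principal behind a Condition; review it by
        hand (a VPC-endpoint condition is fine, a broad IP range is not).
    wildcard-action: any principal granted "s3:*" or "*".
    Deny statements are skipped: Principal "*" in a Deny is a guard rail.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid, actions = stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action"))
        if _principal_is_public(stmt.get("Principal")):
            if stmt.get("Condition"):
                findings.append((sid, "public-conditional"))
            else:
                if _grants(actions, READ_PROBES):
                    findings.append((sid, "public-read"))
                if _grants(actions, WRITE_PROBES):
                    findings.append((sid, "public-write"))
        if any(a.lower() in ("s3:*", "*") for a in actions):
            findings.append((sid, "wildcard-action"))
    return findings

def audit_bucket_acl(grants):
    """Return (URI, permission) for grants to public groups; `grants` has the
    shape of boto3's get_bucket_acl()["Grants"]."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in grants
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GRANTEES]

BUCKET = "arn:aws:s3:::example-reports"
# Constructed: the policy behind "anyone with the right URL can read it".
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [BUCKET, BUCKET + "/*"]},
    {"Sid": "AppAccess", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/report-app"},
     "Action": "s3:*", "Resource": BUCKET + "/*"},
]})
# Constructed: same workload with scoped principals, least-privilege actions,
# and an explicit Deny of unencrypted transport.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReaderRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/report-reader"},
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {"Sid": "AppWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/report-app"},
     "Action": ["s3:PutObject"], "Resource": BUCKET + "/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]})
# Constructed: a legacy "public-read" canned ACL.
PUBLIC_READ_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

if __name__ == "__main__":
    print("exposed :", audit_bucket_policy(EXPOSED_POLICY))
    print("hardened:", audit_bucket_policy(HARDENED_POLICY))
    print("acl     :", audit_bucket_acl(PUBLIC_READ_ACL))
```

Two design points matter in practice. A public principal behind a Condition is reported for review rather than as a clean pass, because whether it is safe depends entirely on what the condition restricts. And Deny statements are skipped even though they name Principal "*", since a blanket Deny is a guard rail, not an exposure; an auditor that flags every "*" it sees trains operators to ignore it. Bucket ACLs are checked separately because a bucket with a perfectly scoped policy can still be public through a legacy ACL grant.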

Other Vulnerabilities

Two of the vulnerability classes are rated rare, and both require high attacker sophistication. One of them, shared tenancy vulnerabilities, is inherent in non-private cloud architectures. The document states that “there have been no reported isolation compromises in any major cloud platform,” but researchers have demonstrated that such attacks are possible. Containerized architectures are the most exposed, because containers share a kernel, and techniques for breaking out of a hypervisor-managed VM have also been demonstrated.

Supply chain vulnerabilities involve injecting malicious components into otherwise trusted hardware or software from a vendor. Nation-state actors can create this kind of vulnerability: they may be able to compel a vendor to introduce a backdoor without disclosing it to customers, or they may compromise the servers from which applications or updates are downloaded. These threats are difficult to guard against. Vulnerabilities of these two types are uncommon, but a successful shared-tenancy attack would put all the tenants on a hosting system at risk, and a supply chain compromise could affect multiple CSPs at once.

Mitigating Risks

The document goes into detail recommending mitigations for each vulnerability class. It states that “security in the cloud is a constant process”. Customers need to work together with their vendors to identify areas of risk and reduce them. The process begins with selecting cloud services and continues through migration and ongoing operations. Organizational management, as well as technical and security staff, can review the recommendations and determine which ones apply to their organization and will provide the most benefit.
