
NSA Guidance on Mitigating Cloud Vulnerabilities

Published on Feb 10, 2020

The National Security Agency has released a document on “Mitigating Cloud Vulnerabilities” to the public. It addresses the security risks that are distinctive to cloud services. Cloud adoption can improve an organization’s security compared with on-premises systems, but it carries its own risks, and the document aims to help technical and security professionals understand and minimize them.

Cloud services are especially attractive to small organizations, which can’t easily support specialized IT and security staff. Cloud service providers (CSPs) spread their expertise across a large number of customers, reducing the cost to each one. At the same time, many customers share the provider’s infrastructure, which makes that infrastructure an attractive target: one flaw can expose many tenants at once.

The document is organized into three major sections:

  • Components
  • Threat actors
  • Vulnerabilities and mitigations

Evaluating and Selecting Cloud Services

The NSA document reminds its readers that “cloud architectures are not standardized”. One service may be well managed and provide a strong level of security, while another is poorly managed and has significant vulnerabilities. A single provider may offer multiple tiers of service, with different tradeoffs between cost and protection. Private cloud services allocate dedicated hardware to a customer; they provide greater isolation than shared hardware, and they cost more. At the other end of the range, containers allocate memory and processing power efficiently, but because the containers on a host share one operating system kernel, a kernel flaw or a misconfigured container can expose every other container on that host. Virtual machines sit in between: a hypervisor isolates each VM from the others in principle, but they still share the underlying hardware. Software-defined networking (SDN) gives each customer its own virtual network, further isolating its traffic from that of other tenants.

The document also raises a threat that is not often discussed: malicious or inept CSP administrators. This kind of insider threat is uncommon, but because one administrator may have access to many tenants, a single incident could affect a large number of customers at once, and a careful administrator can read private data without leaving any trace the customer can see. Choosing a CSP on the strength of its reputation and its controls over administrator access reduces this risk.

Customer Responsibilities

The document reminds its readers that “CSPs and cloud customers share unique and overlapping responsibilities.” Customers cannot leave everything to the provider, and how the responsibility is split depends on the service model. Customers who use IaaS or PaaS carry a greater security burden than those who use only SaaS. Support services vary from one CSP to another, and customers need to understand exactly what the provider does for them and what remains theirs to do. If customers put their own or third-party software on a cloud service, they take on the responsibility for patching it. They also need their own threat detection and response capability, since the provider generally cannot see, and is not responsible for detecting, incidents that involve customer software and data. Customers need to be confident in their own cloud administrators, who are in a strong position to acquire or alter information for their own ends, and they need to create security policies and train employees in risk awareness and best practices.

The document also covers encryption and key management. Customers can generate and hold their own encryption keys, or they can use the CSP’s key management service. They can encrypt data in the cloud or on their own systems before it is uploaded. Pre-encryption outside the cloud keeps both the plaintext and the keys away from the provider, which gives greater security at the cost of greater complexity: the customer now has to manage key storage, rotation and recovery itself, and any processing the provider would have done on the data (indexing, search, analytics) can no longer see it. Private cloud services provide the greatest amount of isolation, but they require the customer to take responsibility for nearly everything above the bare-metal level.
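As an added illustration of the pre-encryption option (this is example code written for this post, not something from the NSA document or any CSP’s SDK), the following Python uses the `cryptography` package to envelope-encrypt an object before it is handed to a cloud store. The `CustomerKeyStore` and `CloudBucket` classes are hypothetical stand-ins for an on-premises key holder and a CSP object store; the object name and contents are constructed sample data. The key-encryption key never leaves the customer’s side, each object gets its own data key, and the object name is bound into the ciphertext so a copied or tampered object is rejected on download.

```python
"""Client-side (pre-) encryption with a customer-held key.

The customer keeps a key-encryption key (KEK) on its own systems. Each object
gets a fresh data-encryption key (DEK); the object is encrypted under the DEK,
the DEK is wrapped under the KEK, and only ciphertext plus the wrapped DEK are
uploaded. The CSP never sees plaintext or a usable key.
"""
import base64
import json
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonces, the recommended size for AES-GCM


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


def _unb64(s: str) -> bytes:
    return base64.b64decode(s)


class CustomerKeyStore:
    """Hypothetical on-premises KEK holder (stand-in for an HSM or local KMS)."""

    def __init__(self, kek: Optional[bytes] = None) -> None:
        self._kek = kek if kek is not None else AESGCM.generate_key(bit_length=256)

    def wrap(self, dek: bytes) -> dict:
        nonce = os.urandom(NONCE_LEN)
        return {"nonce": _b64(nonce), "wrapped": _b64(AESGCM(self._kek).encrypt(nonce, dek, b"dek-wrap"))}

    def unwrap(self, blob: dict) -> bytes:
        return AESGCM(self._kek).decrypt(_unb64(blob["nonce"]), _unb64(blob["wrapped"]), b"dek-wrap")


class CloudBucket:
    """Hypothetical stand-in for a CSP object store; it holds whatever it is given."""

    def __init__(self) -> None:
        self._objects = {}

    def put(self, name: str, blob: bytes) -> None:
        self._objects[name] = blob

    def get(self, name: str) -> bytes:
        return self._objects[name]


def seal(keys: CustomerKeyStore, object_name: str, plaintext: bytes) -> bytes:
    """Encrypt before upload. The object name is the AEAD associated data, so a
    ciphertext copied to a different key name will not decrypt."""
    dek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(NONCE_LEN)
    ct = AESGCM(dek).encrypt(nonce, plaintext, object_name.encode("utf-8"))
    envelope = {"v": 1, "nonce": _b64(nonce), "ct": _b64(ct), "dek": keys.wrap(dek)}
    return json.dumps(envelope).encode("utf-8")


def unseal(keys: CustomerKeyStore, object_name: str, blob: bytes) -> bytes:
    """Decrypt after download. Raises InvalidTag on tampering, wrong key or wrong name."""
    envelope = json.loads(blob)
    dek = keys.unwrap(envelope["dek"])
    return AESGCM(dek).decrypt(_unb64(envelope["nonce"]), _unb64(envelope["ct"]), object_name.encode("utf-8"))


def demo() -> dict:
    """Round trip through the fake bucket, then exercise the two failure modes."""
    keys, bucket = CustomerKeyStore(), CloudBucket()
    name = "reports/q1-pricing.json"
    secret = b'{"contract": "12345", "unit_price": 41.70}'  # constructed sample record

    bucket.put(name, seal(keys, name, secret))
    stored = bucket.get(name)
    recovered = unseal(keys, name, stored)
    csp_sees_plaintext = secret in stored  # what an insider or leaked listing would show

    moved_rejected = False  # ciphertext copied to another key name fails the AAD check
    try:
        unseal(keys, "reports/q2-pricing.json", stored)
    except InvalidTag:
        moved_rejected = True

    env = json.loads(stored)  # one flipped ciphertext byte is caught by the GCM tag
    ct = bytearray(_unb64(env["ct"]))
    ct[0] ^= 0x01
    env["ct"] = _b64(bytes(ct))
    tampered_rejected = False
    try:
        unseal(keys, name, json.dumps(env).encode("utf-8"))
    except InvalidTag:
        tampered_rejected = True

    return {"recovered": recovered, "csp_sees_plaintext": csp_sees_plaintext,
            "moved_rejected": moved_rejected, "tampered_rejected": tampered_rejected}


if __name__ == "__main__":
    print(demo())
```

The complexity the NSA document warns about is visible in what this code does not solve: losing the KEK loses every object, rotating it means re-wrapping every stored DEK, and nothing on the cloud side can index or search the content. Those are the operational costs a customer takes on in exchange for keeping the provider out of the plaintext.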

Widespread Vulnerabilities

The vulnerabilities listed in the document show a negative correlation between prevalence and attacker sophistication: the most common security incidents come from weaknesses that are easy to exploit. The two issues whose prevalence is designated as “widespread” are misconfiguration and poor access control. Misconfiguration is especially worrisome since the attacker sophistication necessary to exploit it is rated “low.” Sometimes information is inadvertently exposed to the public, so that obtaining it requires nothing more than the right URL or API call. The document cites cases where this has happened, in one case exposing US CENTCOM data to anyone on the Internet.
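The storage misconfiguration behind incidents of that kind is usually one of three things: a bucket policy that grants access to any principal, an ACL that grants access to the anonymous or “any authenticated account” groups, or both, with no account-level public access block to override them. The following Python audit checks all three on an S3-style bucket. It is an example written for this post, not code from the NSA document or from any provider; the policies, ACLs and the VPC endpoint ID in the samples are constructed, and the check is deliberately conservative: a `Condition` only counts as restricting when it pins the caller to a network, account or organization with a positive operator, so a `StringNotEquals` or an `aws:SecureTransport` condition does not make a wildcard principal safe.

```python
"""Audit an object-storage bucket for unintended public exposure.

Looks at the three places public access is granted on an S3-style bucket:
the bucket policy (Principal "*"), the ACL (AllUsers / AuthenticatedUsers
grantees) and whether a Public Access Block overrides both.
"""
import json

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any account)",
}
# Condition keys that pin the caller to a network, account or organization.
# Anything else (for example aws:SecureTransport) does not stop anonymous access.
RESTRICTING_CONDITION_KEYS = {
    "aws:sourceip", "aws:sourcevpc", "aws:sourcevpce", "aws:principalaccount", "aws:principalorgid",
}
NEGATED_OPERATORS = ("stringnot", "arnnot", "notipaddress")
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _condition_restricts_caller(condition) -> bool:
    for operator, key_map in (condition or {}).items():
        if operator.lower().startswith(NEGATED_OPERATORS):
            continue  # "everyone except X" still admits the public
        if any(key.lower() in RESTRICTING_CONDITION_KEYS for key in key_map):
            return True
    return False


def audit_policy(policy: dict) -> list:
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if _condition_restricts_caller(stmt.get("Condition")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        findings.append(f"policy statement {stmt.get('Sid', i)}: allows {actions} to any principal")
    return findings


def audit_acl(acl: dict) -> list:
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append(f"ACL grants {grant.get('Permission')} to {PUBLIC_GRANTEES[grantee['URI']]}")
    return findings


def audit_bucket(policy: dict, acl: dict, public_access_block: dict) -> dict:
    """A bucket is exposed when a policy or ACL finding exists and no full public access block overrides it."""
    findings = audit_policy(policy) + audit_acl(acl)
    blocked = all(public_access_block.get(flag) is True for flag in PAB_FLAGS)
    return {"exposed": bool(findings) and not blocked, "blocked_by_pab": blocked, "findings": findings}


# Constructed samples (not real bucket configurations).
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}]}""")
VPC_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "VpcRead", "Effect": "Allow", "Principal": {"AWS": "*"},
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
                 "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}""")
PUBLIC_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
PAB_OFF = {flag: False for flag in PAB_FLAGS}
PAB_ON = {flag: True for flag in PAB_FLAGS}

if __name__ == "__main__":
    for label, args in {"public policy, no PAB": (EXPOSED_POLICY, PRIVATE_ACL, PAB_OFF),
                        "public ACL, no PAB": (VPC_ONLY_POLICY, PUBLIC_ACL, PAB_OFF),
                        "public policy, PAB on": (EXPOSED_POLICY, PRIVATE_ACL, PAB_ON),
                        "vpc-only policy": (VPC_ONLY_POLICY, PRIVATE_ACL, PAB_OFF)}.items():
        print(label, "->", audit_bucket(*args))
```

Run this against the policy, ACL and public-access-block settings pulled from every bucket on a schedule rather than once: the widespread cases in the NSA document are buckets that were private when created and became public through a later change.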

The NSA recommends a combination of policies and automated tools to prevent inadvertent exposure of information. Training, logging, adherence to standards, and auditing are among the recommendations.

Weak access control is the source of many security problems. The document focuses on relatively sophisticated methods of exploiting it rather than the more familiar ones involving weak or unguarded passwords: abusing password reset mechanisms, and falling back to weak or legacy authentication protocols that sidestep stronger controls. Recommendations include requiring multi-factor authentication, disabling the weak fallback protocols, and limiting access to cloud resources and between them.
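The logging and auditing the document recommends only pay off if someone looks at the records for exactly these patterns. As an added example (written for this post, not taken from the NSA document or any vendor), the following Python runs three detections over CloudTrail-style sign-in and IAM events: a successful console sign-in without MFA, an MFA device being deactivated or deleted, and a password reset followed within an hour by a sign-in from an address the account has never used. The event lines are constructed, using documentation IP ranges and a placeholder account ID; the field names (`eventName`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`, `requestParameters.userName`) are the ones CloudTrail uses for these events.

```python
"""Detections for the access-control abuses above, run over CloudTrail-style events."""
import json
from datetime import datetime, timedelta

RESET_LOGIN_WINDOW = timedelta(hours=1)
MFA_WEAKENING = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}
PASSWORD_RESETS = {"UpdateLoginProfile", "ChangePassword"}


def _when(ev: dict) -> datetime:
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(ev: dict) -> str:
    return ev.get("userIdentity", {}).get("userName", "<unknown>")


def load_events(jsonl: str) -> list:
    """One JSON object per line, as CloudTrail delivers them after unpacking."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect(events: list) -> list:
    alerts = []
    known_ips = {}       # user -> set of source IPs seen on earlier successful sign-ins
    pending_resets = {}  # user whose password was reset -> (when, by whom)
    for ev in sorted(events, key=_when):
        name, ip, t = ev["eventName"], ev.get("sourceIPAddress", "?"), ev["eventTime"]
        if name in PASSWORD_RESETS:
            # UpdateLoginProfile names the target user; ChangePassword is the actor's own password.
            target = ev.get("requestParameters", {}).get("userName") or _actor(ev)
            pending_resets[target] = (_when(ev), _actor(ev))
        elif name in MFA_WEAKENING:
            alerts.append(f"{t} {name} by {_actor(ev)} from {ip}: MFA removed")
        elif name == "ConsoleLogin" and ev.get("responseElements", {}).get("ConsoleLogin") == "Success":
            user = _actor(ev)
            if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                alerts.append(f"{t} {user} signed in from {ip} without MFA")
            reset = pending_resets.get(user)
            if reset and _when(ev) - reset[0] <= RESET_LOGIN_WINDOW and ip not in known_ips.get(user, set()):
                minutes = int((_when(ev) - reset[0]).total_seconds() // 60)
                alerts.append(f"{t} {user} signed in from new IP {ip} {minutes} min after password reset by {reset[1]}")
            known_ips.setdefault(user, set()).add(ip)
    return alerts


# Constructed sample events (RFC 5737 documentation addresses, placeholder account ID).
SAMPLE_EVENTS = """
{"eventTime":"2020-02-10T10:00:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventTime":"2020-02-10T10:05:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2020-02-10T10:20:00Z","eventName":"UpdateLoginProfile","userIdentity":{"type":"IAMUser","userName":"helpdesk-jane"},"sourceIPAddress":"203.0.113.20","requestParameters":{"userName":"alice"}}
{"eventTime":"2020-02-10T10:35:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"192.0.2.44","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventTime":"2020-02-10T10:40:00Z","eventName":"DeactivateMFADevice","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","requestParameters":{"userName":"bob","serialNumber":"arn:aws:iam::123456789012:mfa/bob"}}
{"eventTime":"2020-02-10T11:50:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"carol"},"sourceIPAddress":"198.51.100.9","responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"}}
"""

if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_EVENTS)):
        print(alert)
```

The reset-then-new-IP rule needs a baseline of earlier sign-ins to be useful; a freshly provisioned account will trip it on first use, which is acceptable noise for a help-desk queue but worth suppressing if the rule feeds an on-call pager. The MFA check above only covers the console; API calls made with long-lived access keys never carry `MFAUsed`, which is the fallback path the document has in mind.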

Other Vulnerabilities

Two of the cloud vulnerabilities are rare, and both require high attacker sophistication. One of them, shared tenancy vulnerabilities, is inherent in non-private cloud architectures. The document states that “there have been no reported isolation compromises in any major cloud platform,” but researchers have demonstrated that such attacks are possible. Containerized architectures are the most exposed, since containers on a host share its kernel, and techniques for breaking out of a hypervisor-managed VM have also been shown to exist.

Supply chain vulnerabilities involve injecting malicious components into the hardware and software that a vendor supplies and the CSP trusts. Nation-state actors are the ones in a position to create this kind of vulnerability: they may be able to force a vendor to introduce a backdoor and keep it from customers, or they may compromise the servers from which applications or updates are downloaded. These threats are difficult for a customer to guard against. Vulnerabilities of both types are uncommon, but a successful attack would put all the tenants on the affected host at risk, and a supply chain compromise could affect multiple CSPs at once.

Mitigating Risks

The document goes into detail recommending mitigations for each vulnerability class. It states that “security in the cloud is a constant process”. Customers need to work together with their vendors to identify areas of risk and reduce them. The process begins with selecting cloud services and continues through the migration process and ongoing operations. Organizational management, as well as technical and security people, can review the recommendations and determine which ones apply to their organization and will provide the most benefit.

