NSA Guidance on Mitigating Cloud Vulnerabilities

Published on Feb 10, 2020

The National Security Agency has released a document on “Mitigating Cloud Vulnerabilities” to the public. It addresses the security risks that are distinctive to cloud services. Cloud adoption can improve an organization’s security compared with on-premises systems, but it carries its own risks. The document aims to help technical and security professionals understand and minimize these problems. Cloud services are especially attractive to small organizations, which can’t easily support specialized IT and security staff. Cloud service providers (CSPs) lend their expertise to a large number of customers, reducing the expenditure for each one. At the same time, cloud accounts share facilities, which makes them an attractive target. The document is divided into three major sections, each addressing a broad aspect of cloud vulnerability:

  • Components
  • Threat actors
  • Vulnerabilities and mitigations

Evaluating and Selecting Cloud Services

The NSA document reminds its readers that “cloud architectures are not standardized”. One service may be well managed and provide a strong level of security, while another is poorly managed and has significant vulnerabilities. A single provider may offer multiple tiers of service, with different tradeoffs between cost and protection. Private cloud services allocate dedicated hardware to a customer; they provide greater isolation than shared hardware, and they cost more. Containerization allows efficient allocation of memory and processing power but is more prone to vulnerabilities. Virtual machines are an intermediate solution, isolating systems from one another in principle but running some risk by sharing hardware. Software-defined networking (SDN) gives each customer its own virtual network, further isolating it from other systems. The document mentions a threat area not often discussed: malicious or inept CSP administrators. This type of insider threat is uncommon, but it could affect a large number of customers at once. A stealthy administrator could tap into private information without being noticed. Choosing a CSP for reputation and quality will reduce this risk.

Customer Responsibilities

The document reminds its readers that “CSPs and cloud customers share unique and overlapping responsibilities.” Customers cannot leave everything to the provider. How responsibility is shared depends on the service level: customers who use IaaS or PaaS carry a greater security burden than those who use only SaaS. Support services vary from one CSP to another, and customers need to understand exactly what the provider does for them and what they must do themselves. If customers put their own or third-party software on a cloud service, they take on the responsibility of fixing any vulnerabilities in it. They need a threat detection and mitigation capability, since the provider is generally unable to detect security incidents that involve customer software and data. Customers need to be confident in their own cloud administrators, who are in a strong position to acquire or alter information for their own ends. They need to create security policies and train employees in risk awareness and best practices. The document also covers encryption and key management. Customers can generate private encryption keys, or they can use cloud-based key management services. They can perform encryption in the cloud or on their own systems. Pre-encryption outside the cloud provides greater security at the cost of greater complexity. Private cloud services provide the greatest amount of isolation, but they require the customer to take responsibility for nearly everything above the bare-metal level.

Widespread Vulnerabilities

The vulnerabilities listed in the document show a negative correlation between prevalence and attacker sophistication. The most common security incidents come from weaknesses that are easy to exploit. The two issues whose prevalence is designated as “widespread” are misconfiguration and poor access control. Misconfiguration is especially worrisome since the attacker sophistication necessary to exploit it is rated “low.” Sometimes information is inadvertently exposed to the public, requiring nothing more than the right URL or API call to obtain it. The document cites cases where this has happened, in one case exposing US CENTCOM data to all public users.

The NSA recommends a combination of policies and automated tools to prevent inadvertent exposure of information. Training, logging, adherence to standards, and auditing are among the recommendations. Weak access control is the source of many security problems. The document focuses on relatively sophisticated methods of exploiting access control issues, rather than the more familiar ones involving weak or unguarded passwords. They include taking advantage of password reset mechanisms and using weak fallback authentication protocols. Recommendations include using multi-factor authentication and limiting access to and between cloud resources.
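The two “widespread” weaknesses above, inadvertent public exposure and weak access control, are exactly the ones that automated checks catch cheaply. The following is an added example, not code from the NSA document or from the original post: a small auditor for AWS-style resource policy documents that flags statements granting data access to an anonymous principal, and statements allowing privileged actions without an MFA condition. The policy documents are constructed samples, the account ID 123456789012 is a placeholder, and the lists of “data” and “privileged” actions are this example’s own assumptions rather than an exhaustive rule set.

```python
"""Audit AWS-style resource policies for public exposure and for
privileged actions that are not gated by MFA.

Added example, not part of the NSA guidance or the original post.
The policies below are constructed samples; the action lists are
assumptions for illustration, not a complete audit standard.
"""

# Actions that read data or change permissions; an Allow on these to
# an anonymous principal is an exposure finding (assumed list).
DATA_ACTIONS = ("s3:GetObject", "s3:ListBucket", "s3:*", "*")
# Actions this example expects to be protected by MFA (assumed list).
PRIVILEGED_ACTIONS = ("s3:DeleteBucket", "s3:PutBucketPolicy", "iam:*", "s3:*", "*")
MFA_CONDITION_KEY = "aws:MultiFactorAuthPresent"  # real IAM condition key


def _as_list(value):
    """IAM accepts a scalar or a list for Action/Principal; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten Principal ("*", {"AWS": "..."} or {"AWS": [...]}) to a list."""
    p = statement.get("Principal")
    if isinstance(p, dict):
        out = []
        for v in p.values():
            out.extend(_as_list(v))
        return out
    return _as_list(p)


def _is_anonymous(statement):
    """True when the statement applies to everyone (Principal "*")."""
    return "*" in _principals(statement)


def _requires_mfa(statement):
    """True when a Bool condition pins aws:MultiFactorAuthPresent to true."""
    cond = statement.get("Condition", {})
    for operator, kv in cond.items():
        if operator in ("Bool", "BoolIfExists"):
            if str(kv.get(MFA_CONDITION_KEY, "")).lower() == "true":
                return True
    return False


def audit_policy(policy):
    """Return (Sid, finding) tuples for every risky Allow statement."""
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only tighten access; skip them
        sid = st.get("Sid", f"stmt{idx}")
        actions = _as_list(st.get("Action"))
        # Misconfiguration: anonymous principal, no condition, data action.
        if (_is_anonymous(st) and not st.get("Condition")
                and any(a in DATA_ACTIONS for a in actions)):
            findings.append((sid, "PUBLIC_EXPOSURE"))
        # Weak access control: privileged action with no MFA requirement.
        if any(a in PRIVILEGED_ACTIONS for a in actions) and not _requires_mfa(st):
            findings.append((sid, "PRIVILEGED_WITHOUT_MFA"))
    return findings


# Constructed sample: the "inadvertently exposed" bucket plus an admin
# grant that skips MFA. Account ID is a placeholder.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AdminNoMfa", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/admin"},
         "Action": ["s3:PutBucketPolicy"], "Resource": "arn:aws:s3:::example-bucket"},
    ],
}

# Constructed sample: same bucket, hardened. Reads are limited to one
# role, admin actions require MFA, and plaintext transport is denied.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AdminWithMfa", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/admin"},
         "Action": ["s3:PutBucketPolicy", "s3:DeleteBucket"],
         "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    for name, pol in (("public", PUBLIC_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(pol) or "no findings")
```

Run against real policy documents pulled from an account, this check is the “automated tool” half of the NSA recommendation; the logging and auditing half is feeding its findings into the same review process that tracks training and standards adherence.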

Other Vulnerabilities

Two of the cloud vulnerabilities are rare and require high attacker sophistication. One of them, shared tenancy vulnerabilities, is inherent in non-private cloud architectures. The document states that “there have been no reported isolation compromises in any major cloud platform,” but researchers have demonstrated that such attacks are possible. Containerized architectures are the most vulnerable, and techniques for breaking out of a hypervisor-managed VM have been shown to exist.

Supply chain vulnerabilities require injecting malicious components into trusted hardware and software from a vendor. Nation-state actors can create this kind of vulnerability; they may be able to force a vendor to introduce a backdoor without telling its customers, or compromise the servers from which applications or updates are downloaded. These threats are difficult to guard against. Vulnerabilities of these types are uncommon, but a successful attack would put all the tenants on a hosting system at risk, and a supply chain exploit could affect multiple CSPs.

Mitigating Risks

The document goes into detail recommending mitigations for each vulnerability class. It states that “security in the cloud is a constant process”. Customers need to work together with their vendors to identify areas of risk and reduce them. The process begins with selecting cloud services and continues through the migration process and ongoing operations. Organizational management, as well as technical and security staff, can review the recommendations and determine which ones apply to their organization and will provide the most benefit.
