In efforts to help organizations improve the security of their data stored on the cloud, the National Security Agency (NSA) released an information sheet with guidance last month on mitigating cloud vulnerabilities. This guidance is one of three releases recommended by the Cybersecurity and Infrastructure Security Agency (CISA) for use by administrators in implementing a defense strategy to safeguard their companies’ infrastructure assets. The new guidelines include mitigation techniques for cloud vulnerabilities beyond the identification of the components of cloud security and threat actors.
Here are the main points of the guidelines:
There are four categories of cloud vulnerabilities:
- Misconfiguration. This is the most widespread vulnerability and such weakness can enable attackers to access cloud data and services.
- Poor access control. This is a vulnerability that occurs when authentication methods are weak. Having this allows attackers the opportunity to get past such control and provide themselves with rights, thereby compromising cloud resources.
- Shared tenancy vulnerabilities. This is a vulnerability in the presence of sophisticated attackers, making cyber-attacks due to this vulnerability rare. Nonetheless, it is one to be aware of because the repercussions can be very severe. This vulnerability occurs because cloud platforms are composed of multiple software and hardware, and those who understand any of the software or hardware used can attack it.
- Supply chain vulnerabilities. Any company that operates with a supply chain system has this vulnerability. There are insider threats and outsider threats. On the inside, there are backdoors in hardware and software under control by authorized internal actors, and inevitably vulnerability forms to inside malicious actors. On the outside, there are third-party software components which open up the possibility for rogue developers to insert vulnerabilities subject to manipulation and attack.
It seems the NSA has provided this framework so that organizations can consider all of their vulnerabilities that exist for these components and take appropriate action to reduce cloud vulnerabilities.
The release of these January 2020 guidelines are the government’s continued efforts in encouraging organizations to gain knowledge on cloud security principles and guide them through the various considerations that need to be made with cloud service procurement. This guide is written with organization leaders and their technical staff in mind.