The US National Security Agency (NSA) has published an important document outlining the main classes of cloud vulnerabilities and the ways an organization can go about addressing them.
The NSA acknowledges that cloud services can introduce unique risks that organizations should understand and address both during the procurement process and while operating in the cloud.
The report, Mitigating Cloud Vulnerabilities (PDF), divides cloud vulnerabilities into four classes – misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities – that encompass most known vulnerabilities faced by organizations relying on cloud workloads to conduct day-to-day operations.
Descriptions of each vulnerability class and the most effective mitigations are provided to help organizations lock down their cloud resources. The vulnerability classes vary as to prevalence and the attacker sophistication needed to discover and exploit the vulnerabilities, while each section presents a cloud vulnerability class with real world examples, estimated vulnerability prevalence, various levels of attacker sophistication, and mitigations.
- Misconfiguration of cloud resources remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services. Often arising from cloud service policy mistakes or misunderstanding shared responsibility, misconfiguration has an impact that varies from denial of service susceptibility to account compromise. According to the report, a well-designed and well-implemented cloud architecture will include controls that prevent misconfigurations or alert administrators to improper configurations.
- Poor access control means cloud resources use weak authentication / authorization methods or include vulnerabilities that bypass these methods. The NSA cautions that weaknesses in access control mechanisms can allow an attacker to elevate privileges, resulting in the compromise of cloud resources. Poor access control can be mitigated by enforcing strong authentication and authorization protocols, like: multi factor authentication with strong factors and regular re-authentication; limit access to and between cloud resources and implementing a Zero-Trust model; audit access logs for security concerns using automated tools; avoid leaking API keys by not including said keys in software version control systems.
- Shared Tenancy Vulnerabilities. Cloud platforms employ a plurality of software and hardware components, making for a large attack surface. In a multi-tenant environment, such as the cloud, a “container” vulnerability can allow an attacker to compromise containers of other tenants on the same host. Flaws in chip design can also result in the compromise of tenant information in the cloud through side-channel attacks. Mitigations for shared tenancy vulnerabilities involve separating organizational resources from other cloud tenants using the security mechanisms provided by the cloud service provider (CSP).
- Supply Chain Vulnerabilities are probably the most common, as they reside in source hardware and software from vendors and nations across the globe. Third-party software cloud components may contain vulnerabilities intentionally inserted by the developer to compromise the application, the NSA speculates. Inserting an agent into the cloud supply chain, as a supplier, administrator or developer, could be an effective means for nation state attackers to compromise cloud environments. The Agency says the CSP is mainly responsible for detecting and mitigating supply chain attacks against the cloud platform. However, an organization’s administrator can strengthen defenses against supply chain compromise by doing the following: enforce encryption of data at rest and in transit; procure cloud resources pursuant to applicable accreditation processes; ensure contracts stipulate adherence to internal standards; control the selection of virtual mach9ine images to prevent the use of untrusted third party products; discuss vendor-specific countermeasures with the CPS; adhere to applicable standards, leverage secure coding practices, and practice continuous improvement in security, integrity, and resiliency of enterprise applications.
“By taking a risk-based approach to cloud adoption, organizations can securely benefit from the cloud’s extensive capabilities,” the NSA says. “Customers should understand the shared responsibility that they have with the CSP in protecting the cloud. CSPs may offer tailored countermeasures to help customers harden their cloud resources. Security in the cloud is a constant process and customers should continually monitor their cloud resources and work to improve their security posture.”
Notably, the report also includes examples of cloud threat actors and their characteristics, including malicious CSP admins, malicious customer cloud admins, and nation state-sponsored actors, as well as untrained or neglectful customers.