The National Security Agency (NSA) has released new guidelines to help organizations improve the security of data stored on the cloud. The guidelines include mitigation techniques for cloud vulnerabilities other than the identification of cloud security components, threat actors and more.
With the release of the guideline, NSA hopes that organizations can gain perspective on cloud security principles while addressing cloud security considerations to assist with cloud service procurement. The guide is designed both for the organizational leadership team and technical staff.
What are the major flaws?
According to the guide, cloud vulnerabilities can be divided into four categories: misconfiguration, poor access control, shared tenancy flaws, and supply chain vulnerabilities.
Misconfiguration: Termed as the most prevalent cloud vulnerability, a misconfiguration can enable attackers to access cloud data and services.
Poor access control: This occurs when cloud services use weak authentication methods or include vulnerabilities that bypass these vulnerabilities. Weaknesses in access control mechanisms can allow an attacker to elevate privileges, resulting in the compromise of cloud resources.
Shared tenancy vulnerabilities: Cloud platforms consist of multiple software and hardware components. Adversaries who are able to determine the software of hardware used in a cloud architecture can take advantage of vulnerabilities to elevate privileges in the cloud. The occurrence of such attacks is estimated to be rare as the sophistication level is ‘high’.
Hardware vulnerabilities in processors can also have a large impact on cloud security. One such case is the flaws in chip design that can result in the compromise of tenant information in the cloud through side-channel attacks.
Supply chain vulnerabilities: Supply chain vulnerabilities in the cloud include the presence of insider threats and intentional backdoors in hardware and software. In addition to this, third-party software cloud components may contain vulnerabilities intentionally inserted by rogue developers to compromise the application.
Managing risks in the cloud is a responsibility on the shoulders of cloud service providers (CSPs). Thus, CSPs should deploy the right countermeasures to help customers harden their cloud resources. Security in the cloud is a constant process and customers should also continually monitor their cloud resources and work to improve their security posture.
Article sourced from Cyware.