NSA Issues Cloud Security Guidance

If you’re going to listen to anyone lecture you about cloud security, it would probably be the US National Security Agency (NSA). After all, it spends a lot of time hacking other peoples' networks and is also moving its own mission data to the cloud. So when it updates its guidance on cloud security, as it did at the end of February, we should probably take notice.

The document, available here, updates its first, published in 2018. This one is more sophisticated, according to NSA high-ups. At double the length, it's still only eight pages long, but it serves as a good introduction to cloud security before picking up a meatier document like the CSA's Cloud Security Controls Matrix or NIST's outdated-looking Cloud Security Reference Architecture.

The document describes the shared responsibility model that places some of the onus for security on the cloud service provider side and some with the customer. It also identifies several threat actors, including not just cyber criminals and nation state actors, but also untrained customer cloud admins, who are the ones generally responsible for exposing large amounts of data in S3 buckets and ElasticSearch databases.

Misconfiguration of cloud resources is among the most common type of cloud vulnerability, the document says, while carrying the lowest risk. It separates other vulnerabilities into poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities, which it says are mainly the responsibility of the CSR.

The shared tenancy category neatly encompasses the recent risks we've seen in container-based computing, where multiple containers sharing the same kernel could end up vulnerable to the same attacks. Consider container security carefully before deploying them in multi-container environments, it says. One possible answer here could be something like Kata Containers, which offers some of the isolation benefits of virtual machines while remaining relatively nimble.

The NSA calls out one particular threat actor of particular interest: malicious CSP admins who might use their privileges to steal or destroy your cloud-based data. How might you defend yourself against those? End-to-end encryption using self-managed keys and a cloud access security broker, perhaps?

What’s Hot on Infosecurity Magazine?