The United States’ National Security Agency (NSA) has put together a short guidance document on mitigating vulnerabilities for cloud computing. At only eight pages, it is an accessible primer for cloud security and a great place to start before taking on something like the comprehensive NIST 800-53 security controls. As a guidance document, it doesn’t attempt to be deeply technical; instead, it provides an overview of the technologies, threats, and vulnerabilities that are common in cloud environments and approaches to reducing cloud risk. This is a valuable reference, and it aligns with where I think every security discussion should start: risk.
“By taking a risk-based approach to cloud adoption, organizations can securely benefit from the cloud’s extensive capabilities.”
Additionally, the document reiterates what is true for all security programs: they must have top-level support and vision.
“Critical to an organization’s success in both transitioning to the cloud and maintaining cloud resources is support from informed leadership, which ensures the right governance, budget, and oversight.”
For those already working in the cybersecurity space, this will strike some familiar themes. What is different with the cloud is that many responsibilities are shared with a third party, which means risk is also shared. This is reflected in the outline of the threat actors, which, aside from the usual malicious outside threats and insider threats, also includes threats at the cloud service provider (CSP) level.
There are four classes of vulnerabilities listed by the NSA: misconfiguration, poor access control, shared tenancy, and supply chain. The first two constitute the primary responsibility of the customer. The latter two are the CSP’s.
Secure configuration and least-privilege access are key components of any security program. The challenge when addressing these risks in the cloud is that the technology is rapidly evolving, more opaque, and often more complex than a traditional data center. The access controls can have a steep learning curve, with various roles and levels that don’t always make clear how exposed a service may be.
When beginning the move to the cloud, the important security considerations are:
- Ensuring services are properly configured and hardened,
- Properly handling data using least-privilege access,
- Implementing multi-factor authentication, and
- Conducting continuous security monitoring and analysis.
Undoubtedly, this is just the tip of the iceberg, and security is an evolving and complex process that requires constant improvement. Starting on the right foot accelerates the cloud security journey. The full guidance and additional information can be found on US-Cert.gov.