In a short note on its website, the Cybersecurity and Infrastructure Security Agency (CISA) encouraged cloud administrators and users to review the National Security Agency’s (NSA) Jan. 22 guidance on mitigating cloud vulnerabilities.
CISA explained in the post that the new cloud guidance provides “information on implementing a defense-in-depth strategy to protect infrastructure assets.” The NSA info sheet includes information on mitigating potential cloud vulnerabilities and the components of a secure cloud environment.
NSA details four specific threats to cloud security – supply chain vulnerabilities, shared tenancy vulnerabilities, poor access control, and misconfiguration – and advocates a risk-based approach to cloud implementation. For each type of threat, the document outlines its prevalence and sophistication, gives real-world examples, and offers administrative advice.
“Cloud customers have a critical role in mitigating misconfiguration and poor access control but can also take actions to protect cloud resources from the exploitation of shared tenancy and supply chain vulnerabilities,” the NSA guidance states. “By taking a risk-based approach to cloud adoption, organizations can securely benefit from the cloud’s extensive capabilities.”
The new guidance frames cloud security as an “on-going process.” NSA explains in the document that careful implementation and management of cloud capabilities can minimize risks and help users take full advantage of the cloud’s security benefits. For example, the guidance touts the cloud’s ability to automate security processes such as threat and incident response.
NSA also encourages collaboration between cloud service providers (CSPs) and cloud customers to share security responsibilities. Sharing threat detection, incident response, and patch management duties is especially important in public clouds, where responsibility for the cloud’s infrastructure, platform, and software is commonly split between provider and customer.
“CSPs and cloud customers share unique and overlapping responsibilities to ensure the security of services and sensitive data stored in public clouds,” NSA states. “CSPs are responsible for securing the cloud infrastructure, as well as implementing logical controls to separate customer data. Organizational administrators are usually responsible for configuring application-level security.”