Moving to the cloud can improve a company’s security posture — but cloud services aren’t without risks, and organizations should both understand and address these risks before buying these services and deploying workloads in the cloud. To that end, the National Security Agency (NSA) published new guidance titled “Mitigating Cloud Vulnerabilities.”

The report targets companies’ leadership and technical staff. It highlights the basic components of cloud architecture and threat actors. And then it also ranks four different types of cloud security risks — misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities — that, according to the NSA, account for the vast majority of known security flaws.

While each cloud service providers’ architecture will be slightly different, most clouds have four components in common. This includes identity and access management — these are the controls in place for customers to protect access to their resources as well as controls that the service providers use to protect back-end cloud resources — as well as compute, networking, and storage.

Shared Responsibility

The NSA report also discusses the concept of shared responsibility. This is important because security vendors and cloud service providers alike say many of their customers still don’t have a strong grasp on this model and how it works. Cloud providers like Amazon Web Services (AWS) and Microsoft Azure are responsible for protecting their public cloud infrastructure and implementing logical controls to separate customer data. The customer, however, is responsible for configuring application-level security controls, and for protecting its workloads running on cloud servers. In other words, both the cloud provider and the customer have a shared responsibility when it comes to cloud security.

“Shared-responsibility model is a tough one,” said James Christiansen, VP of cloud security transformation at Netskope. Part of the difficulty comes from “a mindset that when you outsource something, you wash your hands of it.”

In other words, when companies move from their on-premises infrastructure and into the public cloud, often they just assume that AWS or Azure is responsible for all the security measures needed to protect the resources running in the cloud. However, this is not the case.

Also, Christiansen says he’s not a fan of the term “shared responsibility.” Instead, “I would just go with a responsibility matrix: these are your responsibilities, and these are ours,” he added. “There are very distinct responsibilities, and when you see those failures, it’s often the failure of not understanding the part that they are responsible for.”

NSA’s Top 4 Cloud Vulnerabilities

The NSA categorizes cloud vulnerabilities and mitigations into four groups. It also says how prevalent each one is, and what level of sophistication it requires for an attacker to pull it off.

Misconfiguraiton, a widespread threat that requires a low level of sophistication, tops the list. According to the NSA, misconfiguration of cloud resources remains the most prevent cloud vulnerability. “Often arising from cloud service policy mistakes or misunderstanding shared responsibility, misconfiguration has an impact that varies from denial of service susceptibility to account compromise,” the report says. “The rapid pace of [cloud service providers’] innovation creates new functionality but also adds complexity to securely configuring an organization’s cloud resources.”

The report says least privilege and defense in depth are two of the security principles that organizations should apply from the planning phase. A least-privilege model restricts access for accounts to only the resources required to perform routine, legitimate activities. Defense in depth involves placing multiple layers of security controls throughout an IT system.

The No. 2 vulnerability — poor access control — happens when companies have weak authentication methods in place to allow access to cloud resources, or when these cloud resources have flaws that enable attackers to bypass these methods. The NSA deems this vulnerability widespread and says it requires a moderate level of sophistication to pull off.

Organizations can mitigate poor access control by enforcing strong authentication protocols such as multi-factor authentication and using automated tools to audit access logs.

No. 3, shared tenancy vulnerabilities, remain rare, according to the report, and require a high level of sophistication. But these types of vulnerabilities in cloud hypervisors or container platforms can be especially severe.

To mitigate these, the NSA advises enforcing encryption of data at rest and in transit. And for especially sensitive workloads, companies should use dedicated or bare-metal cloud instances.

If companies don’t use a dedicated instance, Christiansen suggests requiring that the cloud provider perform a forensic analysis of the logs, separating your logs from those of the other tenants. Organizations should write this into the contract when they initially buy cloud services, he said.

Supply Chain Security

Finally, the NSA says the No. 4 vulnerability — supply chain security flaws — remain rare, and require highly sophisticated attackers. But many threat hunters and security vendors agree supply chain security risks are becoming more common and they expect to see these types of attacks increase this year.

Supply chain vulnerabilities include inside attackers, intentional flaws and backdoors in hardware and software, as well as companies’ partners and suppliers whose security may not by up to par, and thus, allow attackers to access their targets’ cloud resources via their suppliers’ networks.

Christiansen agrees that attackers need be pretty sophisticated to pull off a supply chain attack, but says he was surprised to see it rated rare.

“You think about the big corporations and they have done a really good job of fortifying their security,” he said. “But then when they go to a third party, the third party doesn’t have the same level of security, and that’s when you are seeing the weakest-link problem. We’ve seen this as far back as the Target breach. It’s a very big attack surface, and I believe that third parties are absolutely a target for state-sponsored attacks and organized attacks.”

While cloud service providers “mitigate the risk of inside attackers through controls such as role separation, two-person integrity for especially sensitive operations, and alerting on suspicious administrator activities,” enterprises can improve their security posture against supply chain compromise, the report says. This includes encrypting data at rest and in transit, and also selecting cloud offerings that have had critical components evaluated against National Information Assurance Partnership (NIAP) Protection Profiles (PPs).

You Can’t Secure What You Can’t See

Christiansen suggests the NSA report could have included a couple additional pieces of cloud security guidance.

“The real salient parts are the right ones, and those are the things companies should be looking at when they evaluate their security strategy,” he said. “But where it’s less obvious” is in companies’ multi- and hybrid-cloud environment, where organizations may run some workloads on AWS, others on Azure, and still others in a private cloud. “How do we bring all these multi-cloud threat detection tools and be able to monitor these different environments? That point got a little lost. You have to look at not just one cloud provider, but all the cloud providers, and bring those all together in a single pane of glass.”

He also suggests putting controls in place to ensure that the security and IT teams know when a business unit uses a company credit card to purchase a new cloud instance or even software-as-a-service. “A business unit could do this, load confidential information on it, and it would be completely insecure because we didn’t even know about,” Christiansen said. “You can’t do all those things in the [NSA] guidance if you don’t know about it.”

Meet with the procurement and financial groups to review credit card statements and look for cloud purchases, he said. And then, implement a policy that says “thou shalt not do this, enforce that policy, and educate your staff.”