Cloud security guidance as per the National Security Agency (NSA)

Following the recent report of a massive data breach in Microsoft’s support area databases, the US National Security Agency (NSA) published its Mitigation of Cloud Vulnerabilities Guidance in an effort to help private companies and public organizations adopt best practices for protecting personal data, including that of users and employees.

The Microsoft incident was attributed to a security configuration error by a company IT team, a common issue among providers of these services, including Amazon Web Services (AWS). The NSA itself identifies misconfigurations as the main cause of cloud security incidents: “Cloud service providers have various security tools for the protection of their users; however, incorrect configuration of these implementations remains the main security vulnerability faced by vendor companies and their customers,” the guidance reads.

Most of this guide to cloud data protection focuses on correcting configuration mistakes: “Fundamental security elements include setting principles such as least privilege and in-depth defense,” mentions the NSA.

The recommendations also include some technical controls that users can enable, such as:

  • Encryption
  • Access Control Lists (ACL)
  • Intrusion Detection Systems (IDS)
  • Web Application Firewalls (WAF)
  • Virtual Private Network (VPN) usage

“The correct design and implementation of cloud architecture should include controls to avoid misconfigurations, and administrators will have the necessary tools for detecting and reporting configuration errors,” adds the data protection guide.

The guide also offers recommendations on other security threats to cloud deployments, including:

  • Poor access controls
  • Shared lease vulnerabilities
  • Supply chain vulnerabilities

While inherent security is the responsibility of cloud service providers, the International Institute of Cyber Security (IICS) mentions that customers should have full knowledge of potential security threats to their implementations, so they can configure the most secure environment possible to make the most of the benefits of cloud hosting.
