The U.S. National Security Agency (NSA) has published advice on mitigating cloud vulnerabilities. While the advice is primarily designed for government agencies and departments, it nevertheless contains good advice for any commercial organization considering or embarking on — or already deployed in — a cloud environment.
The document (PDF) provides four basic sections: an overview of the basic components usually delivered by cloud service providers (CSPs); an explanation of the concept of shared responsibility; an analysis of the primary cloud threat actors; and an analysis and description of the main cloud vulnerabilities and their mitigations. The last section provides the bulk of the document.
Understanding shared responsibility is essential. “Businesses need to be aware that cloud providers are responsible for the security of the cloud, the underlying infrastructure. But the responsibility of security in the cloud, including data, applications etc…, is on businesses,” explains Alex Peay, SVP of product at intelligent IT automation firm SaltStack. This understanding will clarify the areas that the customer must address.
“It’s critical to know where in the stack (host vs. app, or network vs. edge) the CSP is providing security in contrast to where a customer would have to implement controls,” adds Ali Golshan, CTO and co-founder at containers and Kubernetes specialist firm StackRox. “As providers continue to innovate and offer new features and services, businesses also need to know which new features and services need to be configured and integrated to limit exposure.”
The four primary vulnerabilities in the cloud are misconfiguration (high prevalence and low required attacker sophistication); poor access control; shared tenancy vulnerabilities; and supply chain vulnerabilities. The last two are the least prevalent and require the highest attacker sophistication. Each of these vulnerability types are discussed with known examples of abuse and a checklist of mitigations that can be used to prevent future abuse.
Organizations should not pick and choose which vulnerabilities to mitigate, but work through all of them from the least prevalent to the most prevalent. Several fundamental mitigation principles apply to multiple vulnerability types, such as enforcing MFA, least privilege and zero trust, and using encryption for both data at rest and in transit.
Encryption is given special mention. The options are to use the encryption and key management services provided by the CSP, or to pre-encrypt data and do key management outside of the cloud. Local encryption ensures that sensitive data is never exposed to cloud administrators, but requires far more effort and expertise from the customer, and cannot generally be searched or operated on in the cloud.
Misconfiguration is the most common cloud vulnerability, often arising from cloud service policy mistakes or misunderstanding the application of shared responsibility. Discovery of misconfigurations exposing sometimes highly sensitive data to the internet happens regularly. An example provided by the NSA was the discovery of sensitive travel details of DoD personnel in September 2019 in a publicly accessible Elasticsearch database.
Apart from enforcing least privilege and employing encryption, the NSA recommendations include continuous monitoring, correlation of logs in hybrid or multi-cloud environments, adherence to relevant standards and, “Identify and eliminate Shadow IT, which subverts an organization’s controls.”
The second most common cloud vulnerability is poor access control, which “occurs when cloud resources use weak authentication/authorization methods or include vulnerabilities that bypass these methods.” An example of such an attack, says the NSA, occurred in October 2019 when “a CSP reported cyberattacks in which cloud accounts using multi-factor authentication were compromised through password reset messages sent to single-factor authentication email accounts.”
Mitigations include the use of strong factor MFA with regular re-authentication; a zero-trust model to and between cloud resources, and automated auditing of access logs.
The third vulnerability is to shared tenancies, where hypervisor vulnerabilities could enable a sophisticated attacker to elevate privileges. Such an attack could be more severe in a containerized environment, warns the NSA, where “a vulnerability in the container platform could allow an attacker to compromise containers of other tenants on the same host.”
While there have been no reported compromises, researchers have demonstrated both hypervisor and container breakouts. At USENIX 2019, Offensive Technologies demonstrated an exploit chain that could gain access to the host system. In February 2019, a vulnerability was found in a container platform that allowed an attacker to overwrite the container runtime and leverage this ability to access other containers running on the same platform.
User mitigations for this vulnerability are few, since the primary shared responsibility here falls on the CSP. Nevertheless, the NSA recommends the use of encryption with properly configured, managed and monitored key management systems; and that particularly sensitive workloads should consider virtualization rather than containerization when available.
The fourth vulnerability is to the supply chain. “In the ShadowHammer operation,” notes the NSA, “downloads from live update servers were modified to add malicious functionality. Half a million users downloaded the software, although analysis of the software showed the actor’s goal was to attack specific hosts by targeting MAC addresses.” Also, in December 2019, two malicious Python Package Index libraries were discovered stealing credentials.
Like shared tenancy vulnerabilities, primary responsibility for the supply chain lies with the CSP. User mitigations again include encryption, but also care in the selection of the CSP. The NSA adds, “Adhere to applicable standards, leverage secure coding practices, and practice continuous improvement in security, integrity, and resiliency of enterprise applications.”
“The cloud supply chain is becoming a major attack vector,” warns Golshan, “and, as a company, if you have or are adopting a multi or hybrid cloud strategy, it’s important to implement unified policies across your environments and workflow to avoid any inconsistencies.”
The NSA paper is largely well-received. It is “well written, has a clear mission statement, a simplified approach and covers the most common issues associated with cloud services and the separation of duties between the CSP and the customer,” Fausto Oliveira, principal security architect at continuous behavioral authentication firm Acceptto, told SecurityWeek. But he adds that it should be treated as an auxiliary resource rather than a definitive one.
“If I had to add anything to the paper, it would be a ‘further reading’ section with pointers to resources such as… the Cloud Security Alliance cloud controls matrix which are more detailed in nature and help implement in-depth security controls.”