The US National Security Agency (NSA) has released a cloud security guide aimed at helping organizations protect themselves against a growing wave of threats.
Cloud computing continues to grow as organizations move their applications and data out of their own data centers and into the cloud.
Research from Gartner predicts that, by 2028, as much as 70% of IT workloads will be running in a cloud environment, up from just 25% in 2023.
While cloud computing can be more secure than applications hosted on-premises, that doesn’t mean it is without its own particular risks, which are often underestimated.
Cloud security tips you need to know
As organizations continue to migrate more of their data and services to cloud environments, attackers will increasingly attempt to compromise those environments, the agency said.
“Using the cloud can make IT more efficient and more secure, but only if it is implemented right,” said Rob Joyce, NSA’s Director of Cybersecurity.
“Unfortunately, the aggregation of critical data makes cloud services an attractive target for adversaries.”
The NSA’s top ten cloud security mitigation strategies aim to inform cloud customers of the most important practices they can adopt.
Understand who is responsible for security
Problems can arise when customers assume the cloud service provider (CSP) is securing something – when it’s actually the customer’s job. The NSA said customers must understand the CSP’s shared responsibility model, which identifies who is responsible for each aspect of security.
That model will vary from service to service (it may be different for SaaS, PaaS, or IaaS) and will also vary by supplier, so pay close attention to documentation.
“Direct engagement with the CSP may sometimes be necessary to understand their service,” the NSA notes.
Secure your accounts
Identity and access management (IAM) is critical to securing cloud resources.
Attackers will attempt to gain access to cloud services in many ways, perhaps by using phishing techniques to steal passwords, or by scooping up exposed credentials, or by beating weak authentication practices.
Once in, they can use over-generous account privileges to get further into the system.
To prevent this, cloud users should use identity and access management technologies including multifactor authentication and properly managed temporary credentials.
“Access control policies should be carefully configured to ensure users are granted the least privileges necessary,” the NSA said.
Think about your key management
Cloud suppliers will offer a number of ways of handling key management.
These can range from relying on the cloud vendor for fully delegated server-side encryption to fully client-side encryption. In practice, organizations will often rely on the CSP for at least a portion of key management, encryption, and decryption.
Whichever route they choose, users need to understand the risks and benefits of each option, along with their own roles and responsibilities.
Use network segmentation and encryption
The NSA said that Zero Trust network security practices should be used to protect organizational data.
End-to-end encryption of all data in transit to, from, and within the cloud is also key to protecting data in the cloud, the recommendations said.
“Be aware that data passed between customer resources in the cloud may traverse the internet, and take precautions to encrypt such data,” the guidance said.
Concentrate on data security in the cloud
Data stored in the cloud can be an attractive target for attackers looking either to steal or ransom it.
That means using encryption and data access policies, such as role-based access control and attribute-based access control, to protect information.
Both user and system accounts should only be given the minimal level of access needed to perform tasks by their cloud administrators, the NSA guidance said.
“Object storage is one of the most exploited data storage methods because of its popularity and how easily it can be misconfigured. Applying proper access policies to Object storage will prevent unintentional data exposure,” it said.
The NSA said organizations should consider enabling “soft delete” features to reduce the impact of accidental or malicious deletions.
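As an added illustration of the two points made above (least-privilege access control and proper access policies on object storage), not code from the NSA guidance or the article: a small Python check that flags policy statements granting access to anyone, or granting wildcard actions. It assumes the AWS-style JSON policy document format; the bucket name, role name and account id are constructed placeholders.

```python
import json
# Constructed sample in the AWS-style JSON policy document format: a bucket
# policy that lets anyone read every object (account id is a placeholder).
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AdminAll", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

# Hardened version: only the named role, and only the actions it needs.
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}
  ]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True when a statement applies to everyone: "*" or {"AWS": "*"}."""
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))

def public_statements(policy):
    """Sids of unconditional Allow statements that grant access to anyone."""
    return [s.get("Sid", "?") for s in policy["Statement"]
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))
            and "Condition" not in s]

def wildcard_action_statements(policy):
    """Sids of Allow statements whose Action is '*' or 'service:*'."""
    return [s.get("Sid", "?") for s in policy["Statement"]
            if s.get("Effect") == "Allow"
            and any(a == "*" or a.endswith(":*") for a in _as_list(s.get("Action", [])))]
```

Run against the weak policy, the checks report PublicRead (anonymous access) and AdminAll (wildcard action); the hardened policy produces no findings.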
Don’t forget your software pipeline
Continuous integration and continuous delivery (CI/CD) pipelines are frequently deployed in the cloud, which makes them highly valuable targets for attackers.
Organizations should make sure they are using strong identity and access management policies, keeping tools up to date, auditing logs and implementing security scanning.
Think about implementing Infrastructure as Code
Infrastructure as Code (IaC) automates the deployment of cloud resources and this can reduce the chance of misconfigurations and “ghost assets” introduced by human error, the agency said.
After deploying IaC, organizations should dynamically test deployed resources, ensure access and version controls are enabled, avoid manual changes, and continuously log and monitor resources, the NSA said.
Remember the added complication of hybrid multi-cloud
Hybrid cloud and multi-cloud environments bring a new set of security challenges with them.
The risk is that using multiple clouds creates silos and skill gaps, which may lead to “configuration discrepancies, unnecessary data flows, insecure IAM, loss of visibility, and exploitable security gaps,” the NSA said.
The agency added that standardizing vendor-agnostic cloud tools helps organizations to maintain and monitor multiple environments.
Be aware of Managed Service Provider (MSP) security risks
Using an MSP effectively increases an organization’s attack surface, so you need to make sure that security is a priority when choosing an MSP.
That means picking providers that comply with the security standards and practices important to you. Organizations should audit MSP accounts and operations in the environment, with a focus on privileged accounts.
Use cloud logs to spot trouble
Cloud systems involve many users accessing shared resources and services. This can make it hard for defenders to see what is really going on.
Cloud services do offer logging, but the default settings vary from provider to provider, so it’s important to make sure logging is configured so that hackers cannot roam with impunity.
The NSA said security professionals can use tools, such as security information and event management (SIEM) systems, log analysis software, and anomaly detection services, to analyze the logs for indicators of compromise.
That might include unusual login attempts, network traffic patterns, and anomalous system events.
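As an added example, not from the NSA guidance or the article, this Python snippet runs two of the checks mentioned above (a burst of failed sign-ins followed by a success, and successful sign-ins without MFA) over constructed audit log lines. The JSON-lines layout and its fields are assumptions for the example, not any provider’s real log schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events in a simple JSON-lines layout (not any
# provider's real schema): one sign-in attempt per line, in time order.
SAMPLE_LOG = """
{"time": "2024-03-07T08:00:01Z", "user": "alice", "ip": "203.0.113.10", "result": "success", "mfa": true}
{"time": "2024-03-07T08:05:12Z", "user": "bob", "ip": "198.51.100.7", "result": "failure", "mfa": false}
{"time": "2024-03-07T08:05:20Z", "user": "bob", "ip": "198.51.100.7", "result": "failure", "mfa": false}
{"time": "2024-03-07T08:05:31Z", "user": "bob", "ip": "198.51.100.7", "result": "failure", "mfa": false}
{"time": "2024-03-07T08:05:40Z", "user": "bob", "ip": "198.51.100.7", "result": "failure", "mfa": false}
{"time": "2024-03-07T08:06:02Z", "user": "bob", "ip": "198.51.100.7", "result": "success", "mfa": false}
{"time": "2024-03-07T09:15:00Z", "user": "alice", "ip": "203.0.113.10", "result": "success", "mfa": true}
"""

FAIL_THRESHOLD = 3            # failures within the window before a success
WINDOW = timedelta(minutes=10)

def parse_events(text):
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
    return events

def detect_suspicious_logins(events):
    """Return findings as (rule, user, ip): bursts of failures followed by a
    success, and successful sign-ins that did not use MFA."""
    findings = []
    recent_failures = defaultdict(list)   # user -> timestamps of recent failures
    for e in events:
        user, t = e["user"], e["time"]
        # keep only the failures that fall inside the sliding window
        recent_failures[user] = [f for f in recent_failures[user] if t - f <= WINDOW]
        if e["result"] == "failure":
            recent_failures[user].append(t)
            continue
        if len(recent_failures[user]) >= FAIL_THRESHOLD:
            findings.append(("failures_then_success", user, e["ip"]))
            recent_failures[user].clear()
        if not e.get("mfa", False):
            findings.append(("success_without_mfa", user, e["ip"]))
    return findings

if __name__ == "__main__":
    for finding in detect_suspicious_logins(parse_events(SAMPLE_LOG)):
        print(*finding)
```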