The United States’ National Security Agency (NSA) has put together a short guidance document on mitigating vulnerabilities for cloud computing. At only eight pages, it is an accessible primer for cloud security and a great place to start before taking on something like the comprehensive NIST 800-53 security controls.

As a guidance document, it doesn’t attempt to be deeply technical; instead, it provides an overview of the technologies, threats, and vulnerabilities that are common in cloud environments and approaches to reducing cloud risk. This is a valuable reference, and it aligns with where I think every security discussion should start – risk.

“By taking a risk-based approach to cloud adoption, organizations can securely benefit from the cloud’s extensive capabilities.”

Additionally, the document reiterates what is true for all security programs: it must have top-level support and vision.

“Critical to an organization’s success in both transitioning to the cloud and maintaining cloud resources is support from informed leadership, which ensures the right governance, budget, and oversight.”

For those already working in the cybersecurity space, this will strike some familiar themes. What is different with the cloud is that many responsibilities are shared with a third party, which means risk is also shared. This is reflected in the outline of the threat actors, which, aside from the usual malicious outside threats and insider threats, also includes threats at the cloud service provider (CSP) level.

There are four classes of vulnerabilities listed by the NSA: misconfiguration, poor access control, shared tenancy, and supply chain. The first two constitute the primary responsibility of the customer. The latter two are the CSP’s.

Secure configuration and least-privilege access are key components of any security program. The challenge when addressing these risks in the cloud is that the technology is rapidly evolving, more opaque, and often (Read more...)