The US National Security Agency (NSA) has published a cloud security guide aimed at helping organizations protect themselves against a rising wave of threats.
Cloud computing continues to grow as organizations move their applications and data from their own data centers to the cloud.
Gartner research predicts that by 2028, up to 70% of IT workloads will run in a cloud environment, up from just 25% in 2023.
While cloud computing may be more secure than locally hosted applications, that doesn't mean it's free of particular risks, which are often underestimated.
Cloud security tips you need to know
As organizations continue to migrate more data and services to cloud environments, attackers will increasingly attempt to compromise those environments, the agency said.
“Using the cloud can make IT more efficient and more secure, but only if implemented correctly,” said NSA Cybersecurity Director Rob Joyce.
“Unfortunately, the aggregation of critical data makes cloud services an attractive target for adversaries.”
The NSA's Top Ten Cloud Security Mitigation Strategies aim to inform cloud customers of the most important practices they can adopt.
Understand who is responsible for security
Problems can arise when customers assume that the cloud service provider (CSP) is securing something, when in fact it is the customer's job. The NSA said customers should understand the CSP's shared responsibility model that identifies who is responsible for security.
That model will vary from service to service (it may be different for SaaS, PaaS or IaaS) and will also vary by provider, so pay close attention to the documentation.
“Sometimes direct engagement with the CSP may be necessary to understand their service,” the NSA notes.
Secure your accounts
Identity and access management (IAM) is critical to protecting cloud resources.
Attackers will attempt to gain access to cloud services in many ways, perhaps using phishing techniques to steal passwords, obtaining exposed credentials, or overcoming weak authentication practices.
Once inside, they can use overly generous account privileges to get deeper into the system.
To avoid this, cloud users should use identity and access management technologies, including multi-factor authentication and appropriately managed temporary credentials.
“Access control policies should be carefully configured to ensure that users receive the minimum necessary privileges,” the NSA said.
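The least-privilege and MFA points above can be checked mechanically. The following is an added example, not code from the NSA guidance or from any cloud provider's tooling: a small linter that walks an IAM-style policy document and flags wildcard actions, wildcard resources, and privileged statements that are not gated on MFA. The sample policy is constructed; its JSON shape follows the AWS IAM policy format, and `aws:MultiFactorAuthPresent` is the AWS condition key that records whether the caller authenticated with MFA.

```python
"""Added example (not from the NSA guidance or any CSP's tooling): lint an
IAM-style policy document for least-privilege and MFA problems."""
import json

# Constructed sample policy: one tight statement, two over-broad ones, and
# one privileged statement that is correctly gated on MFA.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAppLogs", "Effect": "Allow",
         "Action": ["logs:GetLogEvents", "logs:DescribeLogGroups"],
         "Resource": "arn:aws:logs:*:123456789012:log-group:/app/*"},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "IamAdminNoMfa", "Effect": "Allow",
         "Action": ["iam:*"], "Resource": "*"},
        {"Sid": "IamAdminWithMfa", "Effect": "Allow",
         "Action": ["iam:CreateUser"],
         "Resource": "arn:aws:iam::123456789012:user/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})

# Action prefixes that change who can do what; these should require MFA.
PRIVILEGED_PREFIXES = ("iam:", "sts:AssumeRole", "organizations:")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(condition: dict) -> bool:
    """True if a Bool condition block pins aws:MultiFactorAuthPresent to true."""
    for block in condition.values():
        if isinstance(block, dict) and \
                str(block.get("aws:MultiFactorAuthPresent", "")).lower() == "true":
            return True
    return False


def lint_policy(policy_json: str) -> list[dict]:
    """Return one finding per least-privilege problem in an Allow statement."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        condition = stmt.get("Condition", {})

        if "*" in actions:
            findings.append({"sid": sid, "issue": "wildcard_action"})
        elif any(a.endswith(":*") for a in actions):
            findings.append({"sid": sid, "issue": "service_wildcard_action"})
        if "*" in resources:
            findings.append({"sid": sid, "issue": "wildcard_resource"})
        privileged = any(a == "*" or a.startswith(PRIVILEGED_PREFIXES)
                         for a in actions)
        if privileged and not _requires_mfa(condition):
            findings.append({"sid": sid, "issue": "privileged_without_mfa"})
    return findings


if __name__ == "__main__":
    for f in lint_policy(SAMPLE_POLICY):
        print(f"{f['sid']:16} {f['issue']}")
```

Only the two over-broad statements produce findings; the tightly scoped log-reader and the MFA-gated IAM statement pass. Run it against exported policies as a pre-deployment gate rather than after the fact.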
Think about your key management
Cloud providers will offer several ways to handle key management.
These range from fully delegated server-side encryption, where the CSP holds and manages the keys, to full client-side encryption, where the customer does; in practice, organizations usually rely on the CSP for at least some of the key management, encryption and decryption.
Whichever route they choose, users should understand the risks and benefits of each option and their roles and responsibilities.
Use network segmentation and encryption
The NSA said Zero Trust network security practices should be used to protect the organization's data.
End-to-end encryption of all data in transit to, from and within the cloud is also key to protecting data in the cloud, according to the recommendations.
“Be aware that data transmitted between cloud client resources may traverse the Internet, and take precautions to encrypt such data,” the guidance said.
Focus on cloud data security
Data stored in the cloud can be an attractive target for attackers looking to steal it or hold it ransom.
That means using encryption and data access policies, such as role-based access control and attribute-based access controls, to protect information.
Cloud administrators should give both user and system accounts only the minimum level of access necessary to perform their tasks, according to NSA guidance.
“Object storage is one of the most exploited data storage methods due to its popularity and the ease with which it can be misconfigured. Applying appropriate access policies to object storage will prevent inadvertent data exposure,” the agency said.
The NSA said organizations should consider enabling “soft delete” features to reduce the impact of accidental or malicious deletions.
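The object storage misconfigurations and the “soft delete” recommendation above lend themselves to an inventory check. The following is an added example, not code from the NSA guidance or from any cloud provider's API: it reviews a list of buckets for policies that grant access to an anonymous principal and for missing versioning or soft-delete protection. The inventory is constructed; the policy statements follow the AWS S3 bucket-policy shape, while the `versioning` and `soft_delete_days` fields are assumed names for what a provider's bucket settings would report.

```python
"""Added example (not from the NSA guidance or any CSP's API): review an
object-storage inventory for public access and missing deletion protection."""

READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:Get*"}
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:Put*", "s3:Delete*"}

# Constructed inventory: an intentionally public site bucket, a badly
# misconfigured export bucket, and a correctly locked-down backup bucket.
BUCKETS = [
    {"name": "public-web-assets", "versioning": True, "soft_delete_days": 30,
     "policy": {"Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::public-web-assets/*"}]}},
    {"name": "customer-exports", "versioning": False, "soft_delete_days": 0,
     "policy": {"Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "*"},
          "Action": ["s3:GetObject", "s3:PutObject"],
          "Resource": "arn:aws:s3:::customer-exports/*"}]}},
    {"name": "internal-backups", "versioning": True, "soft_delete_days": 90,
     "policy": {"Statement": [
         {"Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
          "Action": "s3:*", "Resource": "arn:aws:s3:::internal-backups/*"}]}},
]


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public(principal) -> bool:
    """Principal '*' or {'AWS': '*'} means anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def assess_bucket(bucket: dict) -> list[str]:
    """Return the list of problems found on one bucket (empty if clean)."""
    findings = []
    for stmt in bucket["policy"].get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        actions = set(_as_list(stmt.get("Action")))
        wildcard = bool({"*", "s3:*"} & actions)
        if wildcard or actions & READ_ACTIONS:
            findings.append("public_read")
        if wildcard or actions & WRITE_ACTIONS:
            findings.append("public_write")
    # Versioning plus a retention window is what makes a "soft delete"
    # recoverable after an accidental or malicious deletion.
    if not bucket.get("versioning"):
        findings.append("versioning_disabled")
    if bucket.get("soft_delete_days", 0) <= 0:
        findings.append("soft_delete_disabled")
    return findings


def assess_all(buckets) -> dict[str, list[str]]:
    """Map each bucket name to its findings."""
    return {b["name"]: assess_bucket(b) for b in buckets}


if __name__ == "__main__":
    for name, problems in assess_all(BUCKETS).items():
        print(f"{name:20} {', '.join(problems) or 'ok'}")
```

The intentionally public site bucket still appears in the output as `public_read`; that is deliberate, so a reviewer has to confirm each public bucket is meant to be public rather than having it silently pass.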
Don't forget your software pipelines
Continuous integration and continuous delivery (CI/CD) pipelines are frequently deployed in the cloud, making them valuable targets for attackers.
Organizations should ensure they use strong identity and access management policies, keep tools up to date, audit logs, and implement security analytics.
Think about implementing infrastructure as code
Infrastructure as code (IaC) automates the deployment of cloud resources and this can reduce the possibility of misconfigurations and “ghost assets” introduced by human error, the agency said.
After deploying IaC, organizations should dynamically test deployed resources, ensure access and version controls are enabled, avoid manual changes, and continuously record and monitor resources, the NSA said.
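The post-deployment checks above (test what was actually deployed, avoid manual changes, watch for ghost assets) reduce to comparing the declared state with the observed state. The following is an added example, not code from the NSA guidance or from any IaC tool: it diffs the resources an IaC definition declares against what the provider's inventory reports and separates ghost assets, missing resources, and manually modified attributes. Both dictionaries are constructed; the resource ids and attribute names are assumed, not a real provider's schema.

```python
"""Added example (not from the NSA guidance or any IaC tool): detect drift
between declared infrastructure and the deployed inventory."""

# Constructed: what the IaC definition says should exist.
DECLARED = {
    "vm/web-01": {"size": "small", "public_ip": False, "managed_by": "iac"},
    "vm/web-02": {"size": "small", "public_ip": False, "managed_by": "iac"},
    "bucket/app-logs": {"versioning": True, "public": False, "managed_by": "iac"},
}

# Constructed: what the provider's inventory reported on the last scan.
OBSERVED = {
    "vm/web-01": {"size": "small", "public_ip": False, "managed_by": "iac"},
    # resized and exposed by hand, outside the pipeline
    "vm/web-02": {"size": "large", "public_ip": True, "managed_by": "iac"},
    # made public by hand
    "bucket/app-logs": {"versioning": True, "public": True, "managed_by": "iac"},
    # never declared in code: a "ghost asset"
    "vm/debug-tmp": {"size": "small", "public_ip": True},
}


def detect_drift(declared: dict, observed: dict) -> dict:
    """Return ghost assets, missing resources and per-resource attribute diffs."""
    ghost = sorted(set(observed) - set(declared))
    missing = sorted(set(declared) - set(observed))
    modified = {}
    for rid in sorted(set(declared) & set(observed)):
        want, have = declared[rid], observed[rid]
        diffs = [(key, want.get(key), have.get(key))
                 for key in sorted(set(want) | set(have))
                 if want.get(key) != have.get(key)]
        if diffs:
            modified[rid] = diffs
    return {"ghost": ghost, "missing": missing, "modified": modified}


def has_drift(report: dict) -> bool:
    """True if anything differs; a CI job can fail the build on this."""
    return bool(report["ghost"] or report["missing"] or report["modified"])


if __name__ == "__main__":
    report = detect_drift(DECLARED, OBSERVED)
    for rid in report["ghost"]:
        print(f"ghost asset    {rid}")
    for rid in report["missing"]:
        print(f"missing        {rid}")
    for rid, diffs in report["modified"].items():
        for key, want, have in diffs:
            print(f"manual change  {rid}.{key}: declared={want!r} observed={have!r}")
```

Scheduling this comparison continuously, with the report feeding the same logging and alerting used for other security events, is what turns IaC from a one-off deployment aid into ongoing monitoring.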
Remember the added complication of hybrid multicloud
Hybrid cloud and multicloud environments bring with them a new set of security challenges.
The risk is that using multiple clouds creates silos and skills gaps, which can lead to “configuration mismatches, unnecessary data flows, insecure IAM, loss of visibility, and exploitable security gaps,” the NSA said.
The agency added that standardizing vendor-agnostic cloud tools helps organizations maintain and monitor multiple environments.
Be aware of managed service provider (MSP) security risks
Using an MSP effectively increases an organization's attack surface, so you should make sure security is a priority when choosing an MSP.
That means choosing vendors that meet the security standards and practices important to you. Organizations should audit the accounts and operations of MSPs in the environment, focusing on privileged accounts.
Use cloud logs to detect problems
Cloud systems involve many users accessing shared resources and services. This can make it difficult for defenders to see what is really happening.
Cloud services do offer logging, but the default settings vary between providers, so it's important to make sure logging is configured so that intruders cannot move around undetected.
The NSA said security professionals can use tools, such as security information and event management (SIEM) systems, log analysis software, and anomaly detection services, to analyze logs for indicators of compromise.
This could include unusual login attempts, network traffic patterns, and abnormal system events.
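The three indicators named above (unusual login attempts, odd traffic patterns, abnormal system events) can be expressed as rules over audit logs. The following is an added example, not code from the NSA guidance or from any SIEM product: it parses cloud audit log lines and raises alerts for a burst of failed logins from one address, a successful login from a country the user has never signed in from, and a permission-changing API call outside working hours. The log lines and the per-user location baseline are constructed (one JSON event per line, using RFC 5737 documentation IP addresses); the field names are assumed, not a particular provider's schema, though the privileged event names follow AWS API naming.

```python
"""Added example (not from the NSA guidance or any SIEM product): simple
indicator-of-compromise rules over cloud audit log lines."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed audit log: four failed logins then a success from an unusual
# country, a permission change minutes later at 02:12 UTC, and a normal
# daytime session from a second user.
SAMPLE_LOG = """\
{"ts": "2024-03-08T02:10:01Z", "user": "alice", "event": "ConsoleLogin", "outcome": "Failure", "ip": "203.0.113.9", "geo": "RO"}
{"ts": "2024-03-08T02:10:20Z", "user": "alice", "event": "ConsoleLogin", "outcome": "Failure", "ip": "203.0.113.9", "geo": "RO"}
{"ts": "2024-03-08T02:10:45Z", "user": "alice", "event": "ConsoleLogin", "outcome": "Failure", "ip": "203.0.113.9", "geo": "RO"}
{"ts": "2024-03-08T02:11:02Z", "user": "alice", "event": "ConsoleLogin", "outcome": "Failure", "ip": "203.0.113.9", "geo": "RO"}
{"ts": "2024-03-08T02:11:30Z", "user": "alice", "event": "ConsoleLogin", "outcome": "Success", "ip": "203.0.113.9", "geo": "RO"}
{"ts": "2024-03-08T02:12:00Z", "user": "alice", "event": "AttachUserPolicy", "outcome": "Success", "ip": "203.0.113.9", "geo": "RO"}
{"ts": "2024-03-08T09:05:00Z", "user": "bob", "event": "ConsoleLogin", "outcome": "Success", "ip": "198.51.100.4", "geo": "DE"}
{"ts": "2024-03-08T09:06:00Z", "user": "bob", "event": "PutBucketPolicy", "outcome": "Success", "ip": "198.51.100.4", "geo": "DE"}
"""

# Constructed baseline: countries each user normally signs in from.
KNOWN_GEOS = {"alice": {"US"}, "bob": {"US", "DE"}}

# Events that change permissions or exposure; suspicious outside working hours.
PRIVILEGED_EVENTS = {"AttachUserPolicy", "PutUserPolicy", "PutBucketPolicy",
                     "CreateAccessKey"}
WORK_HOURS_UTC = range(8, 18)


def parse_events(log_text: str) -> list[dict]:
    """Parse one JSON event per line and return them in time order."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ") \
            .replace(tzinfo=timezone.utc)
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(log_text: str, known_geos: dict, threshold: int = 3,
                     window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Apply the three rules and return one alert dict per hit."""
    events = parse_events(log_text)
    alerts = []

    # Rule 1: N or more failed logins from the same (user, ip) within `window`.
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "ConsoleLogin" and e["outcome"] == "Failure":
            failures[(e["user"], e["ip"])].append(e["ts"])
    for (user, ip), times in failures.items():
        best = max(sum(1 for t in times[i:] if t - start <= window)
                   for i, start in enumerate(times))
        if best >= threshold:
            alerts.append({"kind": "failed_login_burst", "user": user,
                           "ip": ip, "count": best})

    # Rule 2: successful login from a country not in the user's baseline.
    for e in events:
        if (e["event"] == "ConsoleLogin" and e["outcome"] == "Success"
                and e["geo"] not in known_geos.get(e["user"], set())):
            alerts.append({"kind": "new_location_login", "user": e["user"],
                           "geo": e["geo"], "ip": e["ip"]})

    # Rule 3: permission-changing call outside working hours.
    for e in events:
        if e["event"] in PRIVILEGED_EVENTS and e["ts"].hour not in WORK_HOURS_UTC:
            alerts.append({"kind": "privileged_change_after_hours",
                           "user": e["user"], "event": e["event"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG, KNOWN_GEOS):
        print(alert)
```

On the sample, only the first user trips the rules, and all three alerts point at the same session, which is the kind of correlation a SIEM would escalate. The thresholds and the baseline are the parts a real deployment would tune per environment.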