Editor’s Note: Published by the National Security Agency (NSA) as an advisory for organizational leaders and technical professionals, the recently released cybersecurity info sheet on Mitigating Cloud Vulnerabilities may be helpful for data discovery and legal discovery professionals as they consider cloud security both during and after cloud service procurement.
Extract from the National Security Agency Cybersecurity Information Update
Mitigating Cloud Vulnerabilities
While careful cloud adoption can enhance an organization’s security posture, cloud services can introduce risks that organizations should understand and address both during the procurement process and while operating in the cloud. Fully evaluating security implications when shifting resources to the cloud will help ensure continued resource availability and reduce the risk of sensitive information exposures. To implement effective mitigations, organizations should consider cyber risks to cloud resources, just as they would in an on-premises environment.
This document divides cloud vulnerabilities into four classes (misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities) that encompass the vast majority of known vulnerabilities. Cloud customers have a critical role in mitigating misconfiguration and poor access control but can also take actions to protect cloud resources from the exploitation of shared tenancy and supply chain vulnerabilities. Descriptions of each vulnerability class along with the most effective mitigations are provided to help organizations lock down their cloud resources. By taking a risk-based approach to cloud adoption, organizations can securely benefit from the cloud’s extensive capabilities.
This guidance is intended for use by both organizational leadership and technical staff. Organizational leadership can refer to the Cloud Components section, Cloud Threat Actors section, and the Cloud Vulnerabilities and Mitigations overview to gain perspective on cloud security principles. Technical and security professionals should find the document helpful for addressing cloud security considerations during and after cloud service procurement.CSI-MITIGATING-CLOUD-VULNERABILITIES_20200121
Managing risk in the cloud requires that customers fully consider exposure to threats and vulnerabilities, not only during procurement but also as an on-going process. Clouds can provide a number of security advantages over traditional, on-premises technology, such as the ability to thoroughly automate security-relevant processes, including threat and incident response. With careful implementation and management, cloud capabilities can minimize risks associated with cloud adoption, and empower customers to take advantage of cloud security enhancements. Customers should understand the shared responsibility that they have with the Cloud Service Providers (CSPs) in protecting the cloud. CSPs may offer tailored countermeasures to help customers harden their cloud resources. Security in the cloud is a constant process and customers should continually monitor their cloud resources and work to improve their security posture.
- Challenged by Privacy? The NIST Privacy Framework
- A Framework for Improving Cybersecurity: Infrastructure Considerations from NIST