Last week, the US National Security Agency (NSA) released new guidance on mitigating cloud vulnerabilities to help organizations as they consider and deploy public cloud services.
We’ve been talking about the importance of cloud security for quite some time now but following a string of highly publicized cloud-related attacks, this guidance comes at a critical time. The core of the NSA document is that organizations must consider cyber risks to cloud resources, just as they would in an on-premises environment – including how they approach privileged access management. This message reinforces our long-held view that no matter where they “live” – on-premises or in the cloud – privileged accounts must be protected.
While the NSA’s recommendations focus solely on cloud-native environments, most enterprises today operate in a hybrid environment – with some workloads on-premises and others in the cloud. The NSA guidance itself provides valuable insights into securing cloud environments, but this guidance should always be considered as part of a holistic approach to security.
That being said, let’s dig into the NSA’s recommendations.
Security Guidance for the Public Cloud
The NSA delves into four cloud architectural services common to most public clouds – identity and access management (IAM), compute, networking and storage. It describes how many organizations are turning to these cloud services, but cautions that cloud adoption introduces a host of new risks that must be understood and addressed. It places strong emphasis on the shared responsibility between organizations and cloud providers in protecting applications, data, and other sensitive information in the cloud.
The shared responsibility model illustrates that, while cloud providers are responsible for the cloud infrastructure, organizations are still accountable for the security of certain services and sensitive data stored in public clouds, such as configuration, applications, data and environments.
To shed some light on the most common risks, the NSA categorizes cloud vulnerabilities into four main groups– misconfiguration, process access control, shared tenancy vulnerabilities, and supply chain vulnerabilities. These groupings take into account both how often these vulnerabilities occur and how sophisticated a cyber attacker has to be to take advantage of them.
Misconfiguration
One of the most prevalent vulnerabilities in cloud environments today, misconfigurations offer attackers the path of least resistance and so require very little in terms of sophistication from the attacker. These misconfigurations often arise from either policy mistakes or misunderstanding of the security responsibilities on the organization’s side.
These misconfigurations can result in several issues from denial of service to account compromise. If an attacker can abuse a misconfiguration to compromise a single privileged user, for example, they will use these credentials to compromise a cloud management console or – worse — ultimately take over control of the organization’s cloud environment.
Poor Access Control
These attacks almost always involve privileged access. The prevalence of this attack is widespread and it requires only moderate sophistication from the attacker. They look for opportunities to exploit weak authentication and authorization methods.
Once they gain a foothold, attackers will start to escalate privileges, move laterally through the environment, and, ultimately, compromise as many cloud resources as possible. For example, an attacker can bypass multi-factor authentication (MFA) by evoking a password reset where only single-factor authentication is required to reset credentials.
Shared Tenancy Vulnerabilities
Adversaries who are able to determine which software and hardware components are used in a public cloud hypervisor could take advantage of vulnerabilities to elevate privileges in the cloud. The NSA directive notes that while there have been no reported compromises in any major cloud computing platform, security researchers have demonstrated both hypervisor and container breakouts.
A recent example of this was CVE-2019-1372, where the attacker could remotely execute code, bypassing the sandbox, and CVE-2019-1234 where attackers could make requests to the internal Azure Stack resources. Both examples here have since been addressed.
Supply Chain Vulnerabilities
Supply chain vulnerabilities in the cloud include attackers inside the supply chain and backdoors intentionally installed in hardware and software. While infiltrating the supply chain is not usually an attacker’s ultimate goal, if the attacker can get the cloud provider to install hardware with a backdoor, it makes all other controls useless.
However, as we noted previously, cyber attackers will almost always seek the path of least resistance to carry out their mission. That usually involves abusing misconfigurations or privileged access instead of turning to highly sophisticated methods such as inserting an agent into the cloud supply chain.
At the end of the day, securing cloud instances is an ongoing challenge. The guidance offered by the NSA is helping to demystify some of this and – maybe even more importantly – provide prioritization to the most susceptible areas so organizations know where to optimize their security resources.
At CyberArk, our goal is to help enterprises protect their assets and workloads wherever they exist – including in the cloud. We believe the NSA has taken an important step with this directive to not only raises awareness about security in the cloud and the importance of protecting privileged access, but also supports productive conversations about shared responsibility.
With the CyberArk Privileged Access Security Solution, we help companies continuously discover privileged accounts as they are created and isolate privileged user sessions to protect cloud and on-premise critical systems while speeding up the onboarding process and consumption of these credentials.
Want to learn more? Check out our eBook, “6 Key Use Cases for Securing Your Organization’s Cloud Workloads” and explore our cloud security resources.
