Cloud security guidance as per the National Security Agency (NSA)

As a result of the recent report of a massive data breach in Microsoft’s support area databases, the US National Security Agency (NSA) published its Mitigation of Cloud Vulnerabilities Guidance, as an effort to help private companies and public organizations adopting the best practices for the personal data protection, including users and employees.   

The incident at Microsoft databases was attributed to a company IT team security configuration error, a common issue among providers of these services, including Amazon Web Services (AWS). The NSA itself refers to misconfigurations as the main cause of cloud security incidents: “Cloud service providers have various security tools for the protection of their users; however, incorrect configuration of these implementations remains the main security vulnerability faced by vendor companies and their customers,” the guidance reads.

Most of this guide to cloud data protection focuses on correcting configuration mistakes: “Fundamental security elements include setting principles such as least privilege and in-depth defense”, mentions the NSA.

In addition, the recommendations also include some technical controls that could be enabled by the users, such as:

  • Encryption
  • Access Control Lists (ACL)
  • Intrusion Detection Systems (IDS)
  • Web Application Firewalls (WAF)
  • Virtual Private Network (VPN) usage

“The correct design and implementation of cloud architecture should include controls to avoid misconfigurations, and administrators will have the necessary tools for detecting and reporting configuration errors,” adds the data protection guide.

In addition, the guide also has recommendations for some other security threats for cloud deployments, including:

  • Poor access controls
  • Shared lease vulnerabilities
  • Supply chain vulnerabilities

While inherent security is the responsibility of cloud service providers, the International Institute of Cyber Security (IICS) mentions that customers should have full knowledge of potential security threats to their implementations, so they can configure the most secure environment possible to make the most of the benefits of cloud hosting.