In its recent publication, Mitigating Cloud Vulnerabilities, the U.S. National Security Agency made major recommendations to organizations on securing their cloud assets. Two of the areas addressed by the report, access control and misconfiguration, were categorized as both high prevalence and low sophistication in the NSA’s threat matrix. Given this intersection of easy-to-exploit and widespread weaknesses, both areas will likely see a significant number of attempts by attackers, sometimes with dire consequences.
Given the complexity of the cloud landscape and the numerous IaaS and SaaS offerings with different control sets, it’s no surprise that misconfiguration was given significant attention by the report. Further complicating the issue is the rapid transition of government and industry to the cloud, where constant innovation can create a myriad of confusing configuration changes. Poor access control occurs when an organization employs weak authentication or authorization techniques that may give unwanted access to an attacker. The use of single-factor authentication (i.e., username and password) or vulnerable two-factor authentication setups can allow an attacker to escalate their privileges and gain access to information that may be sensitive.
To combat these attacks, agencies and companies alike would be wise to consider implementing the guidelines suggested by the report. For misconfiguration prevention, the report suggests the use of third-party tools to detect and remediate vulnerabilities, the elimination or control of Shadow IT, encryption in transit and at rest, and the employment of data loss prevention solutions. To address access control vulnerabilities, the report suggests the use of multi-factor authentication with strong factors and requiring regular re-authentication. Furthermore, the report goes so far as to suggest limiting access to cloud assets, and between cloud assets and the user. Often, addressing vulnerabilities can be a complicated affair. Fortunately, as an industry-leading cloud access security broker (CASB), Bitglass is able to address or support all of the solutions listed above through a multi-mode, multi-cloud approach.