NSA Warns of Cloud Misconfigurations in Wake of Microsoft's Azure Error

A new report from the National Security Agency (NSA) titled "Mitigating Cloud Vulnerabilities" identifies what the agency considers the top cloud security issue plaguing organizations: misconfigured privacy settings.

The report is yet another indication that the NSA is taking a more active role in cloud/enterprise security. For example, for its first Patch Tuesday release of the year, Microsoft included a patch for a vulnerability affecting the latest versions of Windows that was discovered and reported to Microsoft by the NSA.

Misconfigured cloud settings have caused multiple incidents of data exposures from the Amazon Web Services (AWS) cloud in recent years. Most recently, a misconfiguration error in Microsoft's Azure cloud exposed 250 million technical support accounts. In fact, the NSA report is dated Jan. 22, the same day that Microsoft publicized the Azure data exposure.

It's no surprise that the NSA led off its guidance with the No. 1 vulnerability, misconfiguration, which it described as having widespread prevalence but requiring low attacker sophistication.

"While CSPs [Cloud Service Providers] often provide tools to help manage cloud configuration, misconfiguration of cloud resources remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services," the NSA said. "Often arising from cloud service policy mistakes or misunderstanding shared responsibility, misconfiguration has an impact that varies from denial of service susceptibility to account compromise. The rapid pace of CSP innovation creates new functionality but also adds complexity to securely configuring an organization's cloud resources."

For actual misconfiguration mitigation advice, the report offers some 27 different items, depending on an organization's situation and goals.

"Proper cloud configuration begins with infrastructure design and automation," the report said. "Security principles such as least privilege and defense-in-depth should be applied during initial design and planning. Well-organized cloud governance is also key to a defensible environment. Technical controls for implementing these principles vary by CSP but often include cloud service policies, encryption, Access Control Lists (ACLs), application gateways, Intrusion Detection Systems (IDSs), Web Application Firewalls (WAFs), and Virtual Private Networks (VPNs). A well-designed and well-implemented cloud architecture will include controls that prevent misconfigurations or alert administrators to improper configurations."

Other vulnerabilities for which mitigation guidance is given include:

  • Poor Access Control (Prevalence: widespread; Attacker Sophistication: moderate): Poor access control occurs when cloud resources use weak authentication/authorization methods or include vulnerabilities that bypass these methods. Weaknesses in access control mechanisms can allow an attacker to elevate privileges, resulting in the compromise of cloud resources.
  • Shared Tenancy Vulnerabilities (Prevalence: rare; Attacker Sophistication: high): Cloud platforms consist of multiple software and hardware components. Adversaries who are able to determine the software or hardware used in a cloud architecture could take advantage of vulnerabilities to elevate privileges in the cloud. Vulnerabilities in cloud hypervisors (i.e., the software/hardware that enables virtualization) or container platforms are especially severe due to the critical role these technologies play in securing cloud architectures and isolating customer workloads.
  • Supply Chain Vulnerabilities (Prevalence: rare; Attacker Sophistication: high): Supply Chain vulnerabilities in the cloud include the presence of inside attackers and intentional backdoors in hardware and software. CSPs source hardware and software from across the globe and employ developers of many nationalities. Third-party software cloud components may contain vulnerabilities intentionally inserted by the developer to compromise the application. Inserting an agent into the cloud supply chain, as a supplier, administrator or developer, could be an effective means for nation state attackers to compromise cloud environments.

"Managing risk in the cloud requires that customers fully consider exposure to threats and vulnerabilities, not only during procurement but also as an on-going process," the report concludes. "Customers should understand the shared responsibility that they have with the CSP in protecting the cloud. CSPs may offer tailored countermeasures to help customers harden their cloud resources. Security in the cloud is a constant process and customers should continually monitor their cloud resources and work to improve their security posture."

About the Author

David Ramel is an editor and writer for Converge360.
