In 2020 the National Security Agency (NSA) released a new information sheet with guidelines on cloud security. Besides identifying cloud security components and threat actors, it describes mitigation techniques for cloud vulnerabilities. The sheet divides cloud vulnerabilities into four major classes: poor access control, misconfiguration, supply chain vulnerabilities, and shared tenancy vulnerabilities. These four comprise the vast majority of known vulnerabilities. The guidance is intended to improve the security of data stored in the cloud. NSA hopes that organizations will gain a long-term perspective on cloud security principles and will take these considerations into account when procuring cloud services.
According to the guide, cloud vulnerabilities fall into four categories: misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities.
Misconfiguration is seen as the most widespread cloud vulnerability. A misconfiguration allows attackers to access cloud services and data. Cloud service providers (CSPs) offer a number of tools to help customers manage their cloud configuration. Even so, misconfiguration of cloud resources remains the most prominent cloud vulnerability and can be exploited to access cloud data and services. Rapid innovation by CSPs adds complexity to the security configuration of organizations' cloud resources. In May 2017, this kind of flaw caused a large defense contractor to expose sensitive NGA data and authentication credentials to the public. As reports noted, CENTCOM data accessible to all public cloud users was discovered in September 2017, and sensitive travel details of the DoD (Department of Defense) were discovered exposed in September 2019. There are many examples of the same flaw affecting private companies, directly or indirectly.
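As an added example (not from the NSA guidance or this article), the following audit flags the kind of misconfiguration described above: a storage bucket policy that grants access to anonymous principals, shown beside a hardened policy that grants the same data to one named role. The two policies, the bucket name and the account id are constructed samples in the IAM policy-document format, and the function names are this example's own.

```python
import json

# Constructed sample policies in the IAM policy-document format. OPEN_POLICY is
# the misconfiguration the text describes: every anonymous cloud user may read
# the bucket. HARDENED_POLICY grants the same data to one named role only.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"],
    }],
})
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/data-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-data/*",
    }],
})

def _is_anonymous(principal) -> bool:
    """True for the wildcard principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def find_public_grants(policy_json: str) -> list:
    """Return Allow statements granting anonymous access with no Condition."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for stmt in statements:
        # A Condition (e.g. a source-IP restriction) needs human review, not an
        # automatic verdict, so conditioned statements are skipped here.
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        findings.append({"actions": [actions] if isinstance(actions, str) else actions,
                         "resource": stmt.get("Resource")})
    return findings
```

Run `find_public_grants` over every bucket policy exported from an account to get a list of the statements that expose data to all public cloud users.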
Poor access control:
This occurs when cloud services use weak authentication methods or contain vulnerabilities that bypass those authentication methods. Poor access control lets attackers compromise cloud services and gain elevated privileges. The October 2019 attack by the Phosphorus group on Microsoft customers and the March 2019 attack by the Iranian Mabna Institute are straightforward examples of exploitation by threat actors. In both attacks, email accounts were compromised by bypassing multi-factor authentication.
Shared tenancy vulnerabilities:
Cloud platforms consist of multiple software and hardware components. Adversaries who can determine the software or hardware used in a cloud architecture can take advantage of its vulnerabilities to elevate privileges in the cloud, although attacks of this type are considered rare. Hardware vulnerabilities in processors also have a large impact on cloud security. Flaws in chip design can be exploited through side-channel attacks, resulting in the compromise of tenant information. Cloud hypervisors are the software or hardware that enables virtualization. Vulnerabilities in cloud hypervisors or container platforms are highly severe, because these technologies play an important role in isolating customer workloads and securing cloud architectures. Such vulnerabilities are expensive and difficult to discover and exploit, which to some extent limits their exploitation to advanced attackers.
Supply chain vulnerabilities:
Supply chain vulnerabilities in the cloud include insider threats and intentional back doors in hardware and software. In addition, third-party software components used in the cloud may contain vulnerabilities intentionally inserted by rogue developers to compromise the application. Inserting an agent into the cloud supply chain, as a supplier, administrator or developer, could be an effective means for nation-state attackers to compromise cloud environments. A few examples of supply chain vulnerabilities follow. In the ShadowHammer operation, downloads from live update servers were modified to add malicious functionality; the attackers targeted only specific hosts, identified by their MAC addresses, yet half a million users downloaded the software. Similarly, in December 2019 two malicious PyPI (Python Package Index) packages were found stealing credentials from various systems.
CSPs (cloud service providers) are responsible for managing risk in the cloud, so they should deploy the right countermeasures to help customers harden their cloud resources. Security in the cloud is a continuous process: customers should also continually monitor their cloud resources and work to improve their security posture.