The NSA has published guidelines on how government agencies can mitigate their risk when using cloud storage and processing. Although the advice is intended for national bodies, private businesses also stand to benefit from understanding the risks of storing sensitive data in the cloud. A recent study published by McAfee noted that many private enterprises have failed to appreciate the risks associated with the cloud. The result is that many private enterprises that use the cloud put their sensitive information at risk. In an age of data breaches, it is of the utmost importance that businesses understand the nuances of the cloud and make the right calls when using it.
The Importance of Shared Responsibility
At the core of the NSA’s guidance is a focus on shared responsibility. While cloud providers are responsible for the security of the cloud itself, responsibility for the applications and data placed in the cloud remains with the business. As recent cloud data breaches have shown, poorly configured security settings can give malicious users an easy way in. Part of the problem is that enterprises fail to recognize that the applications and data they place in the cloud are separate and distinct from the cloud platform itself. Many businesses assume that the cloud provider bears sole responsibility for securing both the cloud and the data they store on it. The NSA clarifies this point in its guidelines.
Primary Vulnerabilities Within the Cloud
The NSA has highlighted four fundamental vulnerabilities within the cloud that enterprises ought to be aware of: misconfiguration of cloud resources, shared tenancy vulnerabilities, weak control over data access, and vulnerabilities within the business’s supply chain. Companies shouldn’t focus on only a few of these weaknesses but should address all of them, since each affects the security of the business’s data. The fundamental mitigation techniques the NSA suggests for keeping the cloud secure include least privilege under a zero trust model, enforcing MFA, and encrypting data both in transit and at rest on the server. The NSA goes into detail on how businesses can take the necessary steps to maintain their cloud security. The agency especially highlights the options that private businesses can exercise within their own area of responsibility and which areas remain under the control of the cloud provider.
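The misconfiguration, access control and encryption points above are the kind of thing a business can check mechanically against its own cloud inventory. The following audit script is an added example written for this article; it is not code from the NSA guidance or from the McAfee study. It assumes a simplified AWS-style bucket policy document (the "Effect", "Principal", "Action" and "Condition" fields of the real policy language) and takes the encryption-at-rest and MFA settings as plain flags supplied by the caller, since how those are read differs by provider. Both policy documents below are constructed samples, one deliberately weak and one hardened.

```python
"""Audit constructed cloud storage bucket configurations for the NSA-flagged
weaknesses: public access (misconfiguration / weak access control), missing
in-transit and at-rest encryption, and MFA not enforced for administrators.
Added example; not part of the original article."""
from __future__ import annotations

import json

# Constructed, simplified AWS-style bucket policies (assumption: this is the
# only policy attached; real deployments also have ACLs and account-level settings).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",            # anyone on the internet
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",                               # least privilege: one named role
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",  # in-transit encryption
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal) -> bool:
    """True if the statement applies to every principal ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_statements(policy_doc: str) -> list:
    """Allow statements granted to any principal with no Condition narrowing them."""
    doc = json.loads(policy_doc)
    return [s for s in _as_list(doc.get("Statement", []))
            if s.get("Effect") == "Allow"
            and _is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]


def enforces_tls(policy_doc: str) -> bool:
    """True if the policy denies all access over non-TLS transport."""
    doc = json.loads(policy_doc)
    for s in _as_list(doc.get("Statement", [])):
        cond = s.get("Condition", {}).get("Bool", {})
        if (s.get("Effect") == "Deny"
                and _is_wildcard_principal(s.get("Principal"))
                and str(cond.get("aws:SecureTransport", "")).lower() == "false"):
            return True
    return False


def audit_bucket(name: str, policy_doc: str,
                 encrypted_at_rest: bool, mfa_for_admins: bool) -> list:
    """Return human-readable findings for one bucket; an empty list means clean."""
    findings = []
    for s in public_statements(policy_doc):
        findings.append(f"{name}: public access granted for "
                        f"{', '.join(_as_list(s.get('Action', [])))}")
    if not enforces_tls(policy_doc):
        findings.append(f"{name}: no in-transit encryption enforcement (missing TLS-only deny)")
    if not encrypted_at_rest:
        findings.append(f"{name}: default encryption at rest not enabled")
    if not mfa_for_admins:
        findings.append(f"{name}: MFA not required for administrative principals")
    return findings


if __name__ == "__main__":
    for finding in audit_bucket("weak-bucket", WEAK_POLICY, False, False):
        print(finding)
    print("hardened-bucket findings:", audit_bucket("hardened-bucket", HARDENED_POLICY, True, True))
```

Run against a real inventory, each bucket's policy JSON, encryption setting and admin-MFA status would come from the provider's own API or configuration export; the checks themselves stay the same. Note that a wildcard principal on a Deny statement (as in the hardened TLS-only rule) is expected and is not flagged, only wildcard Allow statements without a narrowing condition are.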
What This Means for Private Businesses
The NSA’s guidelines, while designed for the government agencies that use the public cloud, also provide insight into industry best practices that can protect the data of private businesses. Private enterprise has been playing fast and loose with the public cloud on the unstated assumption that even if the company’s IT personnel aren’t fully aware of the cloud’s vulnerabilities, neither are the malicious actors. However, this document comes at a time when businesses are beginning to understand why cloud security is necessary. It also gives insight into the most common vulnerabilities and the methods used to exploit them. All users of the public cloud can benefit from the document, but it also opens the door to malicious users co-opting the advice as a guidebook. The guidelines may be a double-edged sword, but the hope is that they will encourage more responsibility within the private sector when using the public cloud.