Mediaboss Marketing

In January, the NSA issued guidance titled: Mitigating Cloud Vulnerabilities. With security organizations already overburdened with too many threat intelligences feeds, alerts, mandates and fire drills, its understandable that this information might go unnoticed, or be tossed onto the well get to it sooner or later pile.

However when an organization like the NSA speaks, it is generally a good idea to listen. Which raises the question: how does one operationalize guidance from the NSA and other elite security organizations? The short answer is the same as it is for all cybersecurity undertakings: prioritization and outcomes. Lets examine this approach, using the recent NSA guidance as our use case.

Vulnerability Components

The NSA broke down its guidance into four key vulnerabilities: misconfigurations, poor access control, shared tenancy vulnerabilities and supply chain vulnerabilities. It also provided this handy chart to articulate the prevalence and sophistication of exploit for each.

This chart provides clear prioritization for security professionals. In a time where resources (particularly skills on staff) are strained, it is critical to attack problems that represent the highest risk. Here is a look at each.MisconfigurationsIf weve learned nothing else about threat actors over the years, its that they want a good return on investment. This means theyll take the easiest route to stealing data, every time. It is for this reason that misconfigurations represent such a risk to enterprises there is nothing easier than stealing data left exposed by bad configuration management.

Cloud configuration management poses a particularly vexing problem because with the advent of DevOps, the cloud environment is constantly changing. This makes cloud monitoring a major challenge and, within that discipline, configuration and policy management need to transition to a continuous state. Here are the key elements of a modern cloud monitoring program:

Creating a continuous cloud monitoring program is the most important thing enterprises can do to operationalize the NSA guidance. Now lets look at the next most important thing.

Cloud Access ControlExploiting poor access control in cloud systems takes a higher degree of sophistication than simply looking for exposed data, so it is not yet a major contributor to cloud data breaches. However, the problem is widespread and stands to become such a contributor, if organizations do not improve their identity and access control processes.

The good news is the first step to ensuring strong access control in the cloud is also the first step to achieving continuous cloud monitoring visibility. Because cloud services and systems can be spun up by virtually anyone in an organization, it is critical to have the visibility required to understand when this is happening, so security pros can ensure proper access control.

The recurring theme in the NSA guidance is multifactor authentication. Enterprises can dramatically improve the integrity of cloud access control if they implement multifactor authentication across all cloud resources. Ideally, this will be part of a broader enterprise identity and access management (IAM) program that brings all enterprise resources on premises, in the cloud, and hybrid under appropriate identity governance.

Shared Tenancy and Supply ChainIm lumping these together because, for the most part, they are primarily the responsibility of cloud service providers, not the enterprise, and exploitation requires a high degree of sophistication. Therefore, as we sit here today, they are not a likely source of risk. The compromised hypervisor has been a nightmare scenario since the dawn of server virtualization, but according to the NSA, there have been no reported isolation compromises on major cloud platforms (although researchers have demonstrated the possibility of container of hypervisor compromises).

As for supply chain issues, that is the domain of cloud service providers (see chart below). They must do proper due diligence and continuous monitoring to ensure that none of their software or hardware components are vulnerable.

If nothing else, remember the two words that should define cybersecurity strategy and operationalization: prioritization and outcomes. If all security organizations prioritized activities based on the reduction of business risk (the desired outcome), the cyberworld would be a much safer, simpler place.

Read the original here:
Operationalizing NSA Guidance (or any Guidance, For That Matter!) - Infosecurity Magazine