A CISA release noting the guidance directs administrators to an analysis of Microsoft Office 365.
The National Security Agency issued an advisory with technical guidance for procuring and securing systems reliant on cloud service providers amid a push for the government to adopt the technology.
“With careful implementation and management, cloud capabilities can minimize risks associated with cloud adoption, and empower customers to take advantage of cloud security enhancements,” reads the NSA guide, while noting “Security in the cloud is a constant process and customers should continually monitor their cloud resources and work to improve their security posture.”
The guide, published Wednesday, was flagged today in a release by the Cybersecurity and Infrastructure Security Agency in conjunction with its analysis of security observations related to Microsoft Office 365 and advanced persistent threats associated with managed service providers, including cloud vendors.
The NSA’s guidance stresses that there are security benefits to be reaped from using cloud services but the technology also presents a number of vulnerabilities. The agency provides security tips for both technical staff implementing cloud services and organizational leaders making procurement decisions.
The document notes the shared nature of responsibilities between vendor and customer for ensuring appropriate measures are in place to protect organizations. It classifies relevant vulnerabilities into four groups—misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities—and addresses assumptions about who might be responsible for addressing each.
“Cloud customers have a critical role in mitigating misconfiguration and poor access control, but can also take actions to protect cloud resources from the exploitation of shared tenancy and supply chain vulnerabilities,” the NSA guidance reads.
On the supply chain vulnerabilities, the NSA says, yes, “mitigating supply chain attacks against the cloud platform is mainly the responsibility of the [Cloud Service Provider],” but that administrators should, for example, “procure cloud resources pursuant to applicable accreditation processes.”
NSA points to the Cloud Computing Security Requirements Guide for the Department of Defense as one such process and also advises selecting cloud offerings “that have had critical components evaluated against National Information Assurance Partnership Protection Profiles.” Those NIAP evaluations could reveal whether any “backdoors are built into components,” NSA said.
The NSA guidance does not specifically mention Microsoft, except in its citations that include a link to an October blog post where the company flags “significant cyber activity” associated with a threat group called Phosphorous, which they believe is linked to the Iranian government.
The blog highlights the importance of customers enabling two-step account verification, something CISA also notes in its analysis of Office 365, released in May.
Generally, CISA notes the hackers behind attacks on cloud services are likely to keep trying because success could offer entry into other customers’ systems.