“By taking a risk-based approach to cloud adoption, organizations can securely benefit from the cloud’s extensive capabilities.”

Additionally, the document reiterates what is true for all security programs: it must have top-level support and vision.
“Critical to an organization’s success in both transitioning to the cloud and maintaining cloud resources is support from informed leadership, which ensures the right governance, budget, and oversight.”

For those already working in the cybersecurity space, this will strike some familiar themes. What is different with the cloud is that many responsibilities are shared with a third party, which means risk is also shared. This is reflected in the outline of the threat actors, which, aside from the usual malicious outside threats and insider threats, also includes threats at the cloud service provider (CSP) level. The NSA lists four classes of vulnerabilities: misconfiguration, poor access control, shared tenancy, and supply chain. The first two are primarily the customer’s responsibility; the latter two are the CSP’s. Secure configuration and least-privilege access are key components of any security program. The challenge in addressing these risks in the cloud is that the technology is rapidly evolving, more opaque, and often more complex than a traditional data center. The access controls can have a steep learning curve, with various roles and levels that don’t always make clear how much exposure a service may have. When beginning the move to the cloud, the important security considerations are:
- Ensuring services are properly configured and hardened,
- Properly handling data using least-privilege access,
- Implementing multi-factor authentication, and
- Conducting continuous security monitoring and analysis.