NSA Guidance on Mitigating Cloud Vulnerabilities

23 January 2020

The National Security Agency (NSA) today published guidance aimed at “organizational leadership and technical staff”, outlining practical ways organizations can mitigate the most common cloud vulnerabilities. In this post, we’ll highlight the key elements of the NSA’s guidance for convenient reference. The full report is linked below.

To implement effective mitigations, organizations should consider cyber risks to cloud resources, just as they would in an on-premises environment.

The guidance points to four main classes or areas of vulnerabilities (misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities), pointing out that they “encompass the vast majority of known” cloud vulnerabilities.

Cloud Components

The NSA paper accurately points out that cloud architectural components vary widely across cloud service providers. Not all providers offer the same components. However, all generally offer the four core architectural components: Identity & Access Management, Compute (both virtualization & containerization), Networking and Storage (object, block & database storage). The NSA paper suggests that understanding how a given provider implements these fundamental components should factor into procurement decisions when comparing providers.

Encryption & Key Management

Provider-managed encryption is almost always the better path to standardized encryption that is both effective and feasible to manage. The exception is the case where the organization judges that exposure of its data to the cloud service provider itself is a risk; there, a bring your own key (BYOK) strategy should be implemented.

Shared Security

Cloud service providers generally all adopt the shared security model. The security of the cloud is the provider’s responsibility, while the security of whatever is in the cloud is the customer’s responsibility. Provider responsibility increases as you move left-to-right on the table below (bold components are provider managed). Infrastructure-as-a-Service (IaaS) providers are responsible for far fewer aspects of the overall environment than are Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS) providers.

Layer              IaaS               PaaS               SaaS
Configuration      Configuration      Configuration      Configuration
Application        Application        Application        Application
Data               Data               Data               Data
Environment        Environment        Environment        Environment
Operating System   Operating System   Operating System   Operating System
Virtualization     Virtualization     Virtualization     Virtualization

Some common providers of each type are:

Note: Certain managed offerings from typical IaaS providers abstract additional aspects away from the customer such that they are effectively PaaS or SaaS offerings, while the provider as a whole remains essentially an IaaS

Cloud Threat Actors

NSA points to four threat actor types that comprise the majority of threats, along with the most common attack paths exploited by each type of actor:

Cloud Vulnerabilities and Mitigations

The paper further points out that many of the underlying vulnerabilities found in cloud environments share characteristics with those in traditional environments. However, the fact that cloud infrastructure is multi-tenant by nature poses an increased risk for all parties involved.

Numerous real-world examples of each vulnerability type are discussed in the paper, and each type is classified by its prevalence and by the attacker sophistication required to exploit it.


Poor Access Control

Shared Tenancy Vulnerabilities

Supply Chain Vulnerabilities


The fact that the vast majority of cloud compromises and data breaches result from misconfiguration, coupled with the widespread prevalence of such vulnerabilities and the low attacker sophistication required to exploit them, should drive organizations to prioritize mitigation efforts around minimizing their occurrence.
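Because misconfiguration and poor access control are flagged above as the most prevalent and easiest-to-exploit classes, the first mitigation most teams reach for is an automated check of their own access policies. The following is an added example, not code from the NSA paper or from this post: it audits a cloud access-policy document for over-permissive Allow statements. The document layout (Statement / Effect / Principal / Action / Resource / Condition) follows the JSON shape used by AWS IAM and S3 bucket policies; the two sample policies, the bucket name and the account id are constructed for illustration.

```python
"""Flag over-permissive statements in a cloud access-policy document.

Added example (not from the NSA paper or the post). The policy layout
follows the AWS IAM / S3 bucket-policy JSON shape; sample documents
below are constructed for illustration.
"""
import json


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Extract principal identifiers from the forms the field can take.

    "*"                        -> anyone
    {"AWS": "*"}               -> anyone
    {"AWS": ["arn:...", ...]}  -> the listed identities
    """
    if principal is None:
        return []
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(_as_list(value))
    return out


def audit_policy(policy):
    """Return (statement_index, severity, finding) tuples for risky Allow statements.

    Three misconfiguration patterns are checked:
      - wildcard Principal (anyone may use the statement)
      - wildcard Action   (every operation on the service is permitted)
      - wildcard Resource (not scoped to a specific resource)
    A wildcard Principal with no Condition is rated HIGH because it is the
    classic "public bucket" mistake; with a Condition it drops to MEDIUM.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access and are not flagged here
        principals = _principals(stmt.get("Principal"))
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))

        if "*" in principals:
            severity = "MEDIUM" if has_condition else "HIGH"
            findings.append((idx, severity, "wildcard Principal: access granted to anyone"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((idx, "MEDIUM", "wildcard Action: all operations allowed"))
        if "*" in resources:
            findings.append((idx, "LOW", "wildcard Resource: not scoped to a resource"))
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or None when the policy is clean."""
    order = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}
    return max((f[1] for f in findings), key=order.get, default=None)


# Constructed sample: a bucket policy that makes every object world-readable.
PUBLIC_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

# Constructed sample: the same read access, scoped to one application role.
SCOPED_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_BUCKET_POLICY), ("scoped", SCOPED_BUCKET_POLICY)):
        for idx, severity, message in audit_policy(policy):
            print(f"{name}: statement {idx}: [{severity}] {message}")
        print(f"{name}: worst severity = {worst_severity(audit_policy(policy))}")
```

Run over a directory of exported policies, this is the kind of check that turns the paper's prioritization advice into a concrete control: every HIGH finding is a publicly reachable resource that should be justified or closed, while MEDIUM and LOW findings point to statements worth scoping down before they are combined with a broader principal.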

Full Report

For further details, reference the complete NSA report.