NSA Shares Guidance on Mitigating Cloud Vulnerabilities (Security News, January 2020)
The U.S. National Security Agency has published advice on mitigating cloud vulnerabilities.
The document has four basic sections: an overview of the basic components usually delivered by cloud service providers; an explanation of the concept of shared responsibility; an analysis of the primary cloud threat actors; and an analysis and description of the main cloud vulnerabilities and their mitigations.
The four primary vulnerabilities in the cloud are misconfiguration; poor access control; shared tenancy vulnerabilities; and supply chain vulnerabilities.
Misconfiguration is the most common cloud vulnerability, often arising from cloud service policy mistakes or misunderstanding the application of shared responsibility.
The second most common cloud vulnerability is poor access control, which "occurs when cloud resources use weak authentication/authorization methods or include vulnerabilities that bypass these methods." An example of an attack exploiting it, says the NSA, occurred in October 2019 when "a CSP reported cyberattacks in which cloud accounts using multi-factor authentication were compromised through password reset messages sent to single-factor authentication email accounts."