The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released a new set of Cybersecurity Information Sheets (CSIs) that give organizations guidance on how to secure their cloud environments effectively.
This new release includes a total of five CSI sheets, covering various aspects of cloud security such as threat mitigation, identity and access management, network security and more. Here’s our overview of the new CSI sheets, what they address and the key takeaways from each.
Implementing cloud identity and access management
The “Use Secure Cloud Identity and Access Management Practices” CSI sheet was created to help identify and address the unique security challenges presented in cloud environments. With most modern businesses quickly adopting more cloud-based solutions to help them scale, the virtual attack surface they create needs adequate protection.
The document goes on to explain that one of the major risks of expanding into the cloud comes from malicious cyber actors who actively target weaknesses in how access to third-party cloud platforms is granted. Those weaknesses are usually not exotic: they stem from misconfigured access restrictions or role definitions, and from well-planned social engineering campaigns against the people who hold those roles.
Many of the risks identified can be mitigated by using Identity and Access Management (IAM) controls that monitor and strictly limit cloud access. In addition, CISA and NSA recommend phishing-resistant multifactor authentication (MFA), since weaker MFA forms such as one-time codes can still be relayed by a phishing site, as well as careful management of public key infrastructure (PKI) certificates.
Another important point is the use of encrypted channels whenever users access cloud resources. Organizations should mandate Transport Layer Security (TLS) 1.2 or higher for those connections and, wherever the software and firmware support it, configure the algorithms of the Commercial National Security Algorithm (CNSA) Suite 2.0.
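To make that TLS requirement concrete, here is an added example (not code from the CISA/NSA sheets) that builds a Python client context enforcing TLS 1.2 or newer and restricting the TLS 1.2 suites to ones built from CNSA-aligned primitives (AES-256-GCM, SHA-384, ephemeral ECDH over P-384), and audits a context against that policy. It assumes Python's standard ssl module on an OpenSSL build that knows these suite names; the allow-lists are our own mapping of CNSA parameters onto OpenSSL suite names, not text from the sheets.

```python
"""Added example (not from the CISA/NSA sheets): a TLS client context that
enforces TLS 1.2 or newer and CNSA-aligned TLS 1.2 suites, plus an audit
function reporting where a context falls short of that policy. The suite
allow-lists are our mapping of CNSA parameters to OpenSSL names (assumption)."""
import ssl

# TLS 1.2 suites whose primitives match CNSA: AES-256-GCM with SHA-384 and
# ephemeral ECDH (the curve is pinned to P-384 separately below).
CNSA_TLS12_SUITES = (
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
)
# TLS 1.3 suites name only the AEAD and hash; this one is AES-256-GCM + SHA-384.
CNSA_TLS13_SUITES = ("TLS_AES_256_GCM_SHA384",)


def baseline_client_context():
    """Python's stock client context, kept for comparison with the hardened one."""
    return ssl.create_default_context()


def hardened_client_context(cafile=None):
    """Build a client context that meets the TLS 1.2+ / CNSA-suite policy."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0, TLS 1.1
    ctx.set_ciphers(":".join(CNSA_TLS12_SUITES))    # TLS 1.2 suites only
    if ssl.HAS_ECDH:
        ctx.set_ecdh_curve("secp384r1")             # P-384 for ECDHE
    ctx.check_hostname = True                        # always verify the server identity
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Return findings where ctx deviates from the policy; [] means compliant."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum version too low: {ctx.minimum_version.name}")
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        findings.append("server certificate or hostname not verified")
    for suite in ctx.get_ciphers():
        allowed = CNSA_TLS12_SUITES if suite["protocol"] == "TLSv1.2" else CNSA_TLS13_SUITES
        if suite["name"] not in allowed:
            findings.append(f"non-CNSA suite enabled: {suite['name']} ({suite['protocol']})")
    return findings


def tls12_suites(ctx):
    """Sorted names of the TLS 1.2 suites a context will offer."""
    return sorted(s["name"] for s in ctx.get_ciphers() if s["protocol"] == "TLSv1.2")


if __name__ == "__main__":
    for label, ctx in (("baseline", baseline_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, tls12_suites(ctx))
        for finding in audit_context(ctx):
            print("  ", finding)
```

One caveat the audit makes visible: Python's ssl module cannot narrow the TLS 1.3 suite list, so even the hardened context still offers OpenSSL's default TLS 1.3 suites (AES-128-GCM and ChaCha20) and the audit reports them. Enforcing the CNSA suite for TLS 1.3 therefore has to happen on the server side or in a proxy that exposes the TLS 1.3 ciphersuite setting.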
Hardening cloud key management processes
The “Use Secure Cloud Key Management Practices” sheet reinforces the central role that cryptographic operations play in cloud environments: they protect communications and encrypt data both in transit and at rest.
The sheet outlines the key management options available to cloud customers, from encryption keys managed entirely by the Cloud Service Provider (CSP) to customer-managed keys held in the CSP’s or a third-party Key Management System (KMS), and explains when each should be applied.
Having a dedicated hardware security module (HSM) is another important component of applying adequate key management processes, as it provides a secure and tamper-resistant environment for storing and processing cryptographic keys.
However, organizations will want to weigh the benefits and risks of shared, partitioned and dedicated HSMs. A shared or partitioned HSM costs less but places the organization’s keys on hardware other tenants also use, while a dedicated HSM isolates them at a higher price; in every case the shared responsibility model applies, so the organization and the third parties it works with must agree on who owns each step of the key lifecycle.
Utilizing network segmentation and encryption
The “Implement Network Segmentation and Encryption in Cloud Environments” sheet highlights the ongoing shift from perimeter-based security to more granular, identity-based network security. To make that shift safely, CISA and NSA recommend end-to-end encryption and micro-segmentation so that cloud workloads are isolated from one another and hardened against fast-moving attacks.
For data in transit, the NSA-approved CNSA Suite algorithms or NIST-recommended algorithms are treated as the standard, and all of the sheets return to this recommendation repeatedly. They likewise prefer private connectivity over public connectivity wherever a cloud service can be reached that way.
Because of how aggressive many modern attacks are, network segmentation is highly recommended: it contains a breach that would otherwise spread through lateral movement to connected databases or critical systems. Many cloud-native options now exist to implement segmentation and control traffic flows precisely across the network.
Securing data in the cloud
The “Secure Data in the Cloud” sheet goes into detail on the main cloud storage types, “File,” “Object” and “Block” storage, and explains that each requires its own set of measures to secure properly.
Regardless of the encryption applied to each storage type, the sheet strongly advises limiting access to cloud services over public networks. Exposing storage on public endpoints widens the attack surface, since those endpoints are continuously scanned by malicious actors looking for misconfigurations and weak credentials.
This sheet also stresses role-based access control (RBAC) and attribute-based access control (ABAC) as effective ways to manage access to specific data. Both let organizations define very granular permissions and push them to eliminate overly permissive cloud access policies.
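The RBAC/ABAC advice here and the IAM guidance earlier both come down to the same review task: finding and removing overly permissive grants and making sure privileged actions are gated by MFA. Here is an added example (not code from the CISA/NSA sheets) that audits IAM policy documents for those patterns and contrasts a wildcard policy with an ABAC policy that scopes access by matching tags. It assumes the AWS IAM JSON policy grammar; the sample policies, the account ID and the list of privileged action prefixes are constructed for this example.

```python
"""Added example (not from the CISA/NSA sheets): audits IAM policy documents
for the overly permissive patterns the sheet says to eliminate. Assumes the
AWS IAM JSON policy grammar; sample policies and PRIVILEGED_PREFIXES are
constructed for this illustration."""
import json

# Action prefixes an auditor would want gated behind MFA even when scoped (assumption).
PRIVILEGED_PREFIXES = ("iam:", "sts:", "kms:", "organizations:")


def _as_list(value):
    """IAM allows a single string or a list for Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(condition):
    """True if any condition operator tests aws:MultiFactorAuthPresent == true."""
    for operator_values in condition.values():
        for key, value in operator_values.items():
            if key.lower() == "aws:multifactorauthpresent":
                if any(str(v).lower() == "true" for v in _as_list(value)):
                    return True
    return False


def audit_policy(document):
    """Return findings for every Allow statement; an empty list means none."""
    policy = json.loads(document)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        condition = stmt.get("Condition", {})
        principal = stmt.get("Principal")

        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {idx}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {idx}: applies to every resource ('*')")
        # Resource policies: a '*' principal with no condition is public access.
        if principal in ("*", {"AWS": "*"}) and not condition:
            findings.append(f"statement {idx}: public principal with no condition")
        if any(a == "*" or a.startswith(PRIVILEGED_PREFIXES) for a in actions) \
                and not _requires_mfa(condition):
            findings.append(f"statement {idx}: privileged action without an MFA condition")
    return findings


# Constructed: the kind of policy the sheet tells organizations to eliminate.
OVERLY_PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: ABAC scoping (a principal only reaches secrets tagged with its own
# project) plus an MFA gate on the privileged KMS action.
ABAC_SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:*",
         "Condition": {"StringEquals": {
             "aws:ResourceTag/project": "${aws:PrincipalTag/project}"}}},
        {"Effect": "Allow",
         "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:us-east-1:123456789012:key/example-key-id",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})

if __name__ == "__main__":
    for label, doc in (("overly permissive", OVERLY_PERMISSIVE_POLICY),
                       ("abac scoped", ABAC_SCOPED_POLICY)):
        print(label, audit_policy(doc) or "no findings")
```

Run against the wildcard policy the audit reports three findings (wildcard action, wildcard resource, privileged action without MFA); the ABAC policy reports none, because each grant is bounded by a resource ARN, a tag match on the caller’s own project, or an MFA condition.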
A big part of maximizing security in the cloud is reviewing and understanding the procedures and policies of cloud service providers, specifically how they apply to data storage and retention.
Businesses can work with their CSPs to enable controls such as “soft deletion,” which marks data as deleted and hides it without immediately removing it from storage. Data can then be recovered within a retention window if it was deleted by mistake or by an attacker, while still being protected from access by unauthorized users.
Mitigating risk from managed service providers
The final sheet, “Mitigate Risks from Managed Service Providers in Cloud Environments,” is designed to raise awareness that managed service providers (MSPs) are regular targets of nation-state-backed actors, because compromising one MSP can yield access to every customer it administers.
There are also many misunderstandings about regulatory compliance when organizations partner with MSPs and cloud service providers. Companies need a clear understanding of the shared responsibility model and should make sure their partnerships place a high priority on data security.
The sheet explains that organizations should establish auditing mechanisms before the engagement begins, including cloud-native logging and monitoring of everything the MSP’s accounts do. These let organizations understand, control and secure the actions their MSPs take on their behalf, rather than discovering them after an incident.
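Logging is only useful if something reviews it against what the MSP was actually authorized to do. Here is an added example (not code from the CISA/NSA sheets) of detection logic that reads CloudTrail-style events, picks out calls made with the MSP’s assumed role and flags sessions without MFA, connections from outside the MSP’s declared address range, actions outside the agreed scope, and actions that would blind logging or widen the MSP’s own access. It assumes the CloudTrail JSON field names (eventName, sourceIPAddress, userIdentity.sessionContext); the role name msp-operator, the IP range, the action lists and the sample events are constructed for this example.

```python
"""Added example (not from the CISA/NSA sheets): reviews CloudTrail-style
events for an MSP role's sessions and flags actions outside the agreed
engagement. Field names follow CloudTrail; the role name, IP range, action
lists and sample events are constructed (assumptions)."""
import ipaddress
import json

MSP_ROLE = "msp-operator"
# Engagement terms (constructed): where the MSP connects from and what it may do.
MSP_SOURCE_NETS = (ipaddress.ip_network("203.0.113.0/24"),)
MSP_ALLOWED_ACTIONS = {"DescribeInstances", "RebootInstances", "GetMetricData"}
# Actions that would blind logging or widen the MSP's own access: never acceptable.
FORBIDDEN_ACTIONS = {"StopLogging", "DeleteTrail", "CreateUser", "AttachRolePolicy"}


def is_msp_session(event):
    """True when the call was made with credentials from the assumed MSP role."""
    issuer = (event.get("userIdentity", {})
                   .get("sessionContext", {})
                   .get("sessionIssuer", {}))
    return issuer.get("type") == "Role" and issuer.get("userName") == MSP_ROLE


def review_event(event):
    """Alerts for one event; empty for in-house activity or in-scope MSP actions."""
    if not is_msp_session(event):
        return []
    alerts = []
    name = event["eventName"]
    attrs = event["userIdentity"]["sessionContext"].get("attributes", {})
    if attrs.get("mfaAuthenticated") != "true":
        alerts.append(f"{name}: MSP session without MFA")
    try:
        src = ipaddress.ip_address(event["sourceIPAddress"])
        from_msp = any(src in net for net in MSP_SOURCE_NETS)
    except ValueError:                 # AWS service names can appear in this field
        from_msp = False
    if not from_msp:
        alerts.append(f"{name}: MSP session from unexpected source {event['sourceIPAddress']}")
    if name in FORBIDDEN_ACTIONS:
        alerts.append(f"{name}: forbidden action attempted by MSP role")
    elif name not in MSP_ALLOWED_ACTIONS:
        alerts.append(f"{name}: action outside the agreed MSP scope")
    return alerts


def review_trail(ndjson):
    """Review newline-delimited JSON events; returns (eventID, alert) pairs in order."""
    results = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        results.extend((event["eventID"], alert) for alert in review_event(event))
    return results


def _msp_event(eid, name, ip, mfa):
    """Build a constructed CloudTrail-shaped event for an MSP-role session."""
    return {"eventID": eid, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole", "sessionContext": {
                "attributes": {"mfaAuthenticated": mfa},
                "sessionIssuer": {"type": "Role", "userName": MSP_ROLE}}}}


# Constructed sample trail: four MSP-role calls and one in-house IAM user call.
SAMPLE_TRAIL = "\n".join(json.dumps(e) for e in (
    _msp_event("e1", "DescribeInstances", "203.0.113.10", "true"),   # in scope
    _msp_event("e2", "StopLogging", "203.0.113.10", "true"),         # forbidden
    _msp_event("e3", "RebootInstances", "198.51.100.7", "false"),    # no MFA, wrong source
    {"eventID": "e4", "eventName": "CreateUser", "sourceIPAddress": "192.0.2.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},      # not the MSP
    _msp_event("e5", "CreateBucket", "203.0.113.22", "true"),        # out of scope
))

if __name__ == "__main__":
    for event_id, alert in review_trail(SAMPLE_TRAIL):
        print(event_id, alert)
```

Note that e4 is ignored even though CreateUser is on the forbidden list: the check is scoped to the MSP’s role session, so in-house activity is left to the organization’s own detections rather than being conflated with the provider’s. In production the allow-lists would come from the signed statement of work and the source ranges from the MSP’s published egress addresses.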
Embrace proactive cloud security
For years, CISA and NSA have stressed that companies should take charge of their own cybersecurity readiness when working with MSPs and CSPs in the cloud. By following the guidance in these CSIs, organizations can apply current best practices that shrink their attack surface and improve their ability to recover from cloud security breaches.