Light Dark
May 15, 2024 By Josh Nadeau 4 min read
Cloud Security
Network

The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have recently released new CSI (Cybersecurity Information) sheets aimed at providing information and guidelines to organizations on how to effectively secure their cloud environments.

This new release includes a total of five CSI sheets, covering various aspects of cloud security such as threat mitigation, identity and access management, network security and more. Here’s our overview of the new CSI sheets, what they address and the key takeaways from each.

Implementing cloud identity and access management

The “Use Secure Cloud Identity and Access Management Practices” CSI sheet was created to help identify and address the unique security challenges presented in cloud environments. With most modern businesses quickly adopting more cloud-based solutions to help them scale, the virtual attack surface they create needs adequate protection.

The document goes on to explain that one of the major risks associated with expanding into the cloud comes from malicious cyber actors who actively exploit undiscovered vulnerabilities in third-party platform access protocols. This is primarily due to misconfigurations in user access restrictions or role definitions, as well as the strategic execution of social engineering campaigns.

Many of the risks identified can be successfully mitigated through the use of Identity and Access Management (IAM) solutions designed to monitor and control cloud access more strictly. In addition, the CISA and NSA recommend proper implementation of multifactor authentication protocols, which are particularly effective when improving phishing resistance, as well as the careful management of public key infrastructure certificates.

Another important point mentioned is the use of encrypted channels for users when accessing cloud resources. It’s suggested that organizations mandate the use of Transport Layer Security (TLS) 1.2 or higher as well as relying on the Commercial National Security Algorithm (CNSA) Suite 2.0 whenever possible when configuring all software and firmware.

Hardening cloud key management processes

The “Use Secure Cloud Key Management Practices” sheet was released to reinforce the important role that cryptographic operations play in cloud environments. These operations keep communications secure and provide the right levels of encryption for data both in motion and at rest.

The sheet outlines the various key management options available to cloud customers, including Cloud Service Provider (CSP) managed encryption keys and third-party Key Management Solutions (KMS) that can and should be applied.

Having a dedicated hardware security module (HSM) is another important component of applying adequate key management processes, as it provides a secure and tamper-resistant environment for storing and processing cryptographic keys.

However, organizations will want to weigh the benefits and risks associated with having shared, partitioned and dedicated HSMs in place since a shared responsibility model will need to be applied to both the organization and the third parties they’re working with.

Utilizing network segmentation and encryption

The “Implement Network Segmentation and Encryption in Cloud Environments” sheet was designed to highlight the ongoing shift from perimeter-based security approaches to more granular, identity-based network security. To do this safely, the CISA and NSA recommend using end-to-end encryption and micro-segmentation to isolate and harden their networks from quick-scaling cyberattacks.

Currently, the NSA-approved CNSA Suite algorithms or NIST-recommended algorithms are considered the gold standard for data in transit encryption. These are recommended numerous times throughout all of the sheets provided, and private connectivity versus public connectivity is relied on whenever possible when connecting to cloud services.

Because of how aggressive many modern-day cyberattacks are, implementing network segmentation is highly recommended. This helps to contain breaches that would otherwise move laterally across connected databases or critical systems. There are now many cloud-native options to help organizations implement segmentation and accurately control traffic flows across the network.

Securing data in the cloud

The “Secure Data in the Cloud” sheet provided goes into detail about the classification of cloud data types, including “File,” “Object” and “Block” storage options. The sheet goes on to explain that depending on the type of storage you’re using, this will mean applying diverse measures to properly secure it.

Regardless of the encryption being used for each type of data, it is strongly advised to reduce the use of public networks when accessing cloud services. These are constant sources of security vulnerabilities, as public networks have very limited security in place and are often used by malicious sources to monitor traffic and find weaknesses in device security.

This sheet also stresses the implementation of role-based access control (RBAC) and attribute-based access control (ABAC) as an effective way to manage specific data access. These solutions allow you to see very granular access permissions while also encouraging organizations to eliminate overly permissive cloud access policies.

A big part of maximizing security in the cloud is reviewing and understanding the procedures and policies of cloud service providers, specifically how they apply to data storage and retention.

Businesses can work with their CSPs to implement solutions like “soft deletion,” which is the practice of marking data as deleted without actually removing it from the server. This allows for recovery when needed but still protects it from being accessed by unauthorized users.

Mitigating risk from managed service providers

The final sheet, “Mitigate Risks from Managed Service Providers in Cloud Environments,” is designed to help create more awareness regarding managed service providers (MSPs) being regular targets of malicious actors backed by nation-states.

There are also many misunderstandings about compliance with regulation standards when organizations choose to partner with cloud service providers. Companies need to have a clear understanding of shared responsibility principles and make sure their partnerships place a high priority on data security.

The sheet explains that organizations should have pre-established auditing mechanisms in place that include cloud-native data logging and monitoring. These help organizations better understand, control and secure the actions their MSPs are taking on behalf of the organization.

Embrace proactive cloud security

For years, the CISA and NSA have stressed that companies should take charge of cybersecurity readiness when working with MSPs in the cloud. By following the guidance of these CSIs, organizations can make sure they’re applying the latest best practices that will minimize their attack surface and improve their ability to successfully recover from cloud security breaches.

 |  |  |  |  |  |  |  |  |  | 
Josh Nadeau
Cybersecurity Writer

More from Cloud Security
December 18, 2024

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

December 4, 2024

Cloud threat report: Possible trend in cloud credential “oversaturation”

3 min read - For years now, the dark web has built and maintained its own evolving economy, supported by the acquisition and sales of stolen data, user login credentials and business IP. But much like any market today, the dark web economy is subject to supply and demand.A recent X-Force Cloud Threat Landscape Report has shed light on this fact, revealing a new trend in the average prices for stolen cloud access credentials. Since 2022, there has been a steady decrease in market…

November 14, 2024

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature