CISA and the NSA recently released a series of ten strategies to guide organizations in developing sound cybersecurity practices for their cloud environments. NSA has billed this guide of “top ten” strategies as the “most important practices to improve the security posture of their cloud environments.”
This guidance comes on the heels of a report from CISA about how Russian intelligence services are adapting to the ever-increasing shift from on-premise networks to the cloud. That said, the state of cloud security has been under the microscope for months, as high-profile cloud events ranging from a supply chain attack affecting MOVEit and its customers to nation-state threat actors targeting Microsoft continue to emerge. The pace of events and related concerns led the federal government’s Cybersecurity Review Board (CSRB) opening an investigation into the state of cloud security in August.
“As organizations shift their data to the cloud for ease of processing, storing, and sharing, they must take precautions to maintain parity with on-premises security and mitigate additional cloud-specific threats,” NSA states in the Executive Summary.
The top 10 listThe strategies rightly point to some of the risk concerns that make building and deploying in the cloud unique, such as managing the shared responsibility model. “Customers often incorrectly assume that the cloud service provider (CSP) manages important aspects of safeguarding resources in the cloud that are not the CSP’s responsibility,” the strategy states. “Misconfiguration and lack of security controls are significant risks in cloud environments.”
The strategies also include other critical areas that all public and private sector IT leaders using the cloud must consider, including, identity and access management best practices, securing sensitive data and managing CI/CD. The full list is as follows:
Uphold the cloud shared responsibility model
Use secure cloud identity and access management practices (Joint with CISA)
Use secure cloud key management practices (Joint with CISA)
Implement network segmentation and encryption in cloud environments (Joint with CISA)
Secure data in the cloud (Joint with CISA)
Defending continuous integration/continuous delivery environments (Joint with CISA)
Enforce secure automated deployment practices through infrastructure as code
Account for complexities introduced by hybrid cloud and multi-cloud environments
Mitigate risks from managed service providers in cloud environments (Joint with CISA)
Manage cloud logs for effective threat hunting
The implications of these strategies, especially when they need to be implemented across increasingly complex multi-cloud and/or hybrid environments, can be daunting. For that reason, it’s critical that implementation is paired with effective internal communication and governance, as well as continuous visibility and monitoring.
“Using the cloud can make IT more efficient and more secure, but only if it is implemented right,” said Rob Joyce, NSA’s Director of Cybersecurity, in the press release. “Unfortunately, the aggregation of critical data makes cloud services an attractive target for adversaries. This series provides foundational advice every cloud customer should follow to ensure they don’t become a victim.”
And also... AICloud environments enable quick building and deployment of applications, empowering organizations to meet their goals quickly and effectively. Yet moving business to the cloud presents a tectonic shift to infosec, forcing security teams to evolve and embrace a new operating model for protecting their environments and eliminating critical risks. Though not explicitly mentioned in NSA’s “Top Ten” list, the explosive adoption of AI introduces an additional layer of complexity and underscores the need for transparency, collaboration, and visibility. President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence recognizes this concern and will lead to the release of new guidelines to drive secure development and adoption of AI.
Collaboration is equally importantThe strategies outlined by CISA and the NSA are a critical baseline. Equally critical is the need for security teams, developers, and business owners to work from the same playbook, ensuring that their cloud environments maintain a strong security posture in the face of continuous change.
Learn moreLearn more about how Wiz helps both private sector and government organizations address these priorities. If you prefer a live demo, we would love to connect with you.