The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently released a new series of Cybersecurity Information Sheets (CSIs) aimed at giving organizations information and guidelines on how to effectively protect their cloud environments.
This release includes a total of five CSI sheets covering various aspects of cloud security, including threat mitigation, identity and access management, and network security. Here is an overview of each sheet, its contents, and its key takeaways.
Implementing cloud identity and access management
The “Use Secure Cloud Identity and Access Management Practices” CSI sheet was created to help organizations identify and address the unique security challenges that exist in cloud environments. Most modern enterprises are rapidly adopting cloud-based solutions to scale, and the virtual attack surface this creates requires adequate protection.
The document further explains that one of the major risks of expanding into the cloud is posed by malicious cyber actors who actively exploit undiscovered vulnerabilities in the access protocols of third-party platforms. This is primarily due to misconfigured user access restrictions and role definitions, as well as strategically executed social engineering campaigns.
Many of the identified risks can be mitigated with identity and access management (IAM) solutions designed to monitor and control cloud access more closely. Additionally, CISA and NSA recommend proper implementation of multi-factor authentication protocols and careful management of public key infrastructure certificates, which are particularly effective in improving phishing resistance.
Another important point is that users should use encrypted channels when accessing cloud resources. The sheet recommends that organizations mandate Transport Layer Security (TLS) 1.2 or later and, whenever possible, rely on the Commercial National Security Algorithm (CNSA) Suite 2.0 when configuring all software and firmware.
Enhance your cloud key management process
The “Using Secure Cloud Key Management Practices” sheet was released to reinforce the important role that cryptographic operations play in cloud environments. These operations ensure communications are secure and provide appropriate levels of encryption for data both in transit and at rest.
This sheet provides an overview of the various key management options available to cloud customers, including cloud service provider (CSP)-managed encryption keys and third-party key management solutions (KMS), and explains when each can or should be applied.
Using a dedicated hardware security module (HSM) is another important element of a proper key management process, as it provides a secure and tamper-proof environment for storing and handling cryptographic keys.
However, because the shared responsibility model applies to both the organization and the third parties it works with, organizations must weigh the benefits and risks of deploying a shared, split, or dedicated HSM.
Segment your network and use encryption
The “Implementing Network Segmentation and Encryption in Cloud Environments” sheet was designed to highlight the continued transition from a perimeter-based security approach to more granular, identity-based network security. To do this securely, CISA and NSA recommend using end-to-end encryption and microsegmentation to isolate and harden networks against rapidly expanding cyberattacks.
Currently, the NSA-approved CNSA Suite algorithms and NIST-recommended algorithms are considered the gold standard for encrypting data in transit. They are recommended repeatedly throughout the sheets, and when connecting to cloud services, private connections should be used whenever possible.
Many modern cyberattacks are highly aggressive, so implementing network segmentation is strongly recommended. It helps prevent a breach from spreading laterally across connected databases and critical systems. There are now many cloud-native options that can help organizations implement segmentation and precisely control traffic flow across their networks.
Protect your data in the cloud
The “Secure Data in the Cloud” sheet details the classification of cloud data types, including “File,” “Object,” and “Block” storage options. The sheet further explains that, depending on the type of storage in use, different measures should be applied to protect it properly.
Regardless of the encryption used for each type of data, it is strongly recommended to reduce the use of public networks when accessing cloud services. Public networks are a constant source of security vulnerabilities because they offer very limited security and are often used by malicious actors to monitor traffic and look for weaknesses in device security.
This sheet also highlights role-based access control (RBAC) and attribute-based access control (ABAC) as effective ways to manage access to specific data. These models allow very granular permissions while encouraging organizations to eliminate overly permissive cloud access policies.
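As an added example (not from the CSI sheets or this article), here is the kind of check that catches overly permissive cloud access policies: a small Python linter over an AWS IAM-style JSON policy that flags Allow statements with wildcard actions or resources and no narrowing Condition, and also checks that plaintext transport is denied, which covers the encrypted-channel point from the IAM sheet. The AWS policy format and the condition keys aws:MultiFactorAuthPresent and aws:SecureTransport are assumptions, since the sheets do not name a specific provider, and the sample policy is constructed.

```python
import json

# Constructed sample policy in AWS IAM JSON style (hypothetical; not from the CSI sheets).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ReadReports", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-reports/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
""")

def _as_list(value):
    """IAM allows a single string or a list in Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def find_overly_permissive(policy):
    """Return (Sid, reason) for each Allow statement that is too broad: a wildcard
    action ("*" or "service:*") or resource ("*") with no Condition (such as an MFA
    or source-network check) narrowing when the grant applies."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # Deny statements and conditioned grants are out of scope here
        wild_action = any(a == "*" or a.endswith(":*")
                          for a in _as_list(stmt.get("Action", [])))
        wild_resource = any(r == "*" for r in _as_list(stmt.get("Resource", [])))
        if wild_action and wild_resource:
            findings.append((stmt.get("Sid", "<no Sid>"), "wildcard action and resource, no condition"))
        elif wild_action or wild_resource:
            findings.append((stmt.get("Sid", "<no Sid>"), "wildcard action or resource, no condition"))
    return findings

def denies_plaintext_transport(policy):
    """True if some Deny statement refuses requests where aws:SecureTransport is false,
    i.e. the policy forces an encrypted channel for the covered actions. It does not
    pin a TLS version; the TLS 1.2+ minimum is enforced in the endpoint's TLS settings."""
    for stmt in _as_list(policy.get("Statement", [])):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False

if __name__ == "__main__":
    print(find_overly_permissive(SAMPLE_POLICY))   # [('AdminAll', 'wildcard action and resource, no condition')]
    print(denies_plaintext_transport(SAMPLE_POLICY))  # True
```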
A key to maximizing cloud security is reviewing and understanding your cloud service provider's procedures and policies, especially how they apply to data storage and retention.
Businesses can work with CSPs to implement solutions such as “soft deletion,” which marks data as deleted without actually removing it from the server. This allows recovery if necessary while protecting the data from access by unauthorized users.
Reduce risk with managed service providers
The final sheet, “Reducing Risk from Managed Service Providers in Cloud Environments,” aims to raise awareness of how managed service providers (MSPs) are regular targets of state-sponsored malicious actors.
Additionally, there are many misconceptions about compliance with regulatory standards when organizations choose to partner with cloud service providers. Companies must clearly understand the principle of shared responsibility and make data security a top priority in their partnerships.
The sheet explains that organizations should proactively establish audit mechanisms that include cloud-native data logging and monitoring. These help an organization better understand, control, and secure the actions its MSP performs on its behalf.
Adopt proactive cloud security
CISA and NSA have emphasized for years that businesses need to take ownership of their cybersecurity efforts when working with MSPs in the cloud. By following this CSI guidance, organizations can ensure they are applying the latest best practices to minimize their attack surface and improve their ability to recover successfully from cloud security breaches.