CISA and NSA Issue Guidance Sheets on Best Practices for Cloud Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have jointly issued a series of five cybersecurity information sheets following increasing cyber threats targeting cloud environments. These resources are designed to assist organizations in strengthening the security posture of their cloud environments, providing invaluable guidance on best practices and recommended mitigations. Cloud computing offers undeniable advantages in terms of cost-effectiveness and flexibility, particularly in supporting the evolving needs of remote workforces. However, the inherent complexities of cloud environments present unique security challenges. Yearly, numerous healthcare data breaches emerge from inadequately secured cloud infrastructures, highlighting the urgency for robust security measures. Threat actors, both cybercriminal groups and nation-state actors, actively exploit vulnerabilities in cloud configurations to gain unauthorized access to sensitive data. Once breached, these environments provide access for further attacks, including those targeting internal networks and downstream clients of managed service providers (MSPs). 

The cybersecurity information sheets issued by CISA and NSA cover a variety of critical topics necessary for improving the security of cloud environments. These include detailed guidance on secure cloud identity and access management practices, which are pivotal for controlling user permissions and safeguarding sensitive data within cloud infrastructures. The recommendations outline robust authentication protocols, role-based access controls, and multifactor authentication mechanisms to prevent unauthorized access and data breaches. The information sheets also cover secure cloud key management practices, highlighting the sophisticated processes involved in managing encryption keys within cloud environments. They emphasize the importance of implementing robust key lifecycle management processes, including key creation, storage, rotation, and deletion, to ensure the integrity and confidentiality of cryptographic operations. The documents further provide deatiled insights into managing the complexities of cloud service provider (CSP) relationships, offering practical considerations for achieving a balance between CSP-managed and organization-managed key management responsibilities.  

The guidance on network segmentation and encryption notes strategies for strengthening network security in cloud environments, with a particular emphasis on Zero Trust (ZT) principles. It advocates for a transition away from traditional perimeter-focused security approaches towards identity-centric security models, wherein network access is predicated on user authentication and authorization. The recommendations emphasize the importance of implementing end-to-end encryption protocols and micro-segmentation techniques to compartmentalize network traffic and limit lateral movement by threat actors. The guidance asserts that organizations can greatly mitigate the risks presented by cyber threats targeting cloud infrastructures by adopting these proactive measures, ultimately improving their overall cybersecurity posture. 

The information sheets also offer insights into securing data in the cloud and mitigating risks associated with MSPs. They outline best practices for selecting appropriate storage services, applying encryption and access controls, and implementing robust auditing mechanisms to ensure data integrity and compliance with regulatory requirements. The guidance on MSP risk mitigation highlights important considerations for organizations leveraging third-party services, including due diligence assessments, contractual agreements, and ongoing monitoring of MSP security practices. By adhering to the recommendations outlined in these comprehensive guides, organizations can improve their cloud security posture and manage evolving threats with greater resilience and confidence. 

While these recommendations align with existing best practices, they serve as a timely reminder for organizations to reassess and improve their cloud security strategies. As cyber threats continue to evolve in sophistication and frequency, proactive measures outlined in these information sheets are necessary for safeguarding sensitive data and preserving the integrity of cloud environments. Organizations are encouraged to leverage these resources to improve their cybersecurity defenses and mitigate the risks presented by malicious actors targeting cloud infrastructure. 

Author: Nathan Murphy

Nathan Murphy is news journalist on Nathan has worked as a writer on a number of publications, contributing hundreds of articles on a broad range of topics, with a particular focus on IT security. You can contact Nathan on LinkedIn and follow on Twitter