Cisa Nsa Share Best Practices For Securing Cloud Services
The NSA and the Cybersecurity and Infrastructure Security Agency (CISA) have released five joint cybersecurity bulletins containing on best practices for securing a cloud environment.
Cloud services have become immensely popular for the enterprise as they provide managed servers, storage, and applications without them having to manage their own infrastructure.
Cloud services have become so ubiquitous that many enterprise application developer offer both an on-premise version and a cloud-hosted version that they manage, easing the burden of corporate admins.
Today, the NSA and CISA have issued five join documents on how to secure your cloud services using best practices. These guides focus on a identity and access management solutions, key management solutions, encrypting data in the cloud, managing cloud storage, and mitigating risks from managed service providers.
The five guides are listed below along with the NSA/CISA summary:
Use Secure Cloud Identity and Access Management Practices
“The purpose of this cybersecurity information sheet (CSI) is to explain some of the common threats to cloud identity management, and to recommend best practices organizations should employ to mitigate these threats when operating in the cloud.”
This CSI includes tips for both identity and access management, including best practices on on configuring MFA, the storing of credentials, and partitioning of privileges, so that multiple people are required to elevate privileges or perform sensitive actions.
Use Secure Cloud Key Management Practices
“This CSI outlines key management options based on these factors and recommends best practices to consider when using them. With any use of a cloud KMS, it is critical to understand and document shared security responsibilities. Refer to the NSA CSI: Uphold the Cloud Shared Responsibility Model for additional information on the shared responsibility model.”
This CSI discusses how to configure Key Management Solutions (KMS) securely.
Implement Network Segmentation and Encryption in Cloud Environments
“This cybersecurity information sheet (CSI) makes recommendations for implementing these principles in a cloud environment, which can differ from on-premises (on-prem) networks. While on-prem networks require specialized appliances to enable ZT, cloud technologies natively provide the necessary infrastructure and services for implementing these recommendations to varying degrees. This CSI focuses on best practices using features commonly available in cloud environments.”
This CSI provides tips on encrypting data in transit and how to best segment your cloud services so that they cannot communicate with each other unless necessary.
“The purpose of this cybersecurity information sheet is to provide an overview of what cloud storage is and common practices for properly securing and auditing cloud storage systems.”
This CSI provides guidelines on encrypting data at rest, securing data from unauthorized access, and creating backup and recovery plans.
Mitigate Risks from Managed Service Providers in Cloud Environments
“This cybersecurity information sheet outlines five important aspects to consider when choosing and using MSP services.”
Managed Service Providers (MSPs) often have high levels of access to customer networks, making them attractive targets for threat actors, as we saw in Kaseya’s massive REvil ransomware attack.
This CSI provides tips on securing corporate accounts used by MSPs, auditing their activities, and what to think about when negotiating agreements.
While many cybersecurity professionals, network admins, and IT executives may be familiar with the best practices shared in these CSIs, as they are a short read, it is worthwhile to see if you can learn something new.
Threat actors commonly target cloud services as they tend to store valuable data and can be used to pivot to internal networks.
In 2021, Microsoft issued a report on how the Russian Nobelium threat actors were actively targeting cloud services and managed service providers to target their downstream customers, including their internal networks.
To aid in detecting attacks targeting Azure cloud services, CISA released a tool named ‘Untitled Goose Tool’ last year that helps defenders dump telemetry data from Azure Active Directory, Microsoft Azure, and Microsoft 365 environments.