Agencies are struggling as they migrate IT assets and functions to the cloud. Most agencies are learning as they go, diving in without usage guidelines, monitoring, and remediation escalation processes in place.
The lack of a governance structure that can monitor and manage the move to the cloud has resulted in a rise in security incidents and puts government data at risk. Until quite recently security teams suffered from a lack of tools and regulations designed for cloud security best practices.
As a first step, agencies need to determine the cloud standards to enforce. And we've listed them here...
Too many processes and mandates dated back to the data center operations, without attention to the expanded list of potential issues in cloud environments.
For example, there are security requirements in place to scan physical servers for vulnerabilities. But in the cloud, there is much more than just physical servers to scan. Computing power and managed services can be spun up and torn down in minutes, using resources shared across hundreds of locations in the cloud. Security policies calling for server scanning are hopelessly outdated and cannot be followed.
The migration to the cloud is good news for development teams but can be a very challenging adjustment for security teams. This challenge can be exacerbated when agencies pursue a multi-cloud approach because each cloud service provider has unique services and resource configuration approaches.
Agencies need help determining the cloud standards to enforce. There are proven industry standards they can embrace like Center for Internet Security (CIS) Benchmarks (for AWS, Azure, and GCP), NIST SP 800-207, and AWS Foundational Security Best Practices.
Cloud Standards
CIS Benchmarks
The Center for Internet Security is a community-driven nonprofit promoting globally recognized best practices for securing IT systems and data. CIS is a global community of IT professionals who continuously evolve these standards and provide products and services to proactively safeguard against emerging threats. Through a global, collaborative effort, CIS has developed world-class standards in the form of the CIS Controls and CIS Benchmarks, along with specialized technology tools to help security practitioners implement and manage their cyber defenses.
NIST SP 800-207
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. The Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.
NIST SP 800-207 is focused on implementing a zero-trust architecture (ZTA), its logical components, possible deployment scenarios, and threats. It also presents a general road map for organizations wishing to migrate to a zero-trust design approach and discusses relevant federal policies that may impact or influence a zero-trust architecture.
AWS Security Foundational Best Practices
The AWS Foundational Security Best Practices standard is a set of controls developed by AWS’s experience implementing security best practices across a wide variety of AWS government and commercial accounts. The standard allows agencies to continuously evaluate AWS accounts and resources to pinpoint areas of deviation from best practices, along with actionable and prescriptive guidance on how to remediate each finding across multiple AWS services. Each control is assigned a category and priority that reflects the applicable security finding. Using this standard improves and maintains an organization’s security posture for its AWS accounts and resources.
Azure Security Benchmark Documentation
The Azure Security Benchmark was developed by Microsoft, based upon experience securing Azure environments for both government and commercial clients. It includes a collection of high-impact security recommendations in the form of Security Controls and Service Baselines. The Security Controls are recommendations that are generally applicable across multiple Azure tenant and Azure services.
Each recommendation identifies a list of stakeholders that are typically involved in planning, approval, or implementation of the benchmark. The Service Baselines apply the controls to individual Azure services to provide recommendations on that service’s security configuration. Agencies can use these to help secure their Azure subscriptions and services.
Google Cloud Security Best Practices Center
Google Cloud Security Best Practices Center provides specific, informed guidance on helping secure Google Cloud deployments and describes recommended configurations, architectures, suggested settings, and other operational advice. There is a layered approach provided by: Google Cloud Security Foundations Blueprint Guide, Best Practices for Enterprise Organizations, and a Catalogue of Security and Compliance Reference Architectures. Together, these form the basis for an enterprise approach to GCP security best practices
Meeting These Standards
The large cloud service providers (CSPs) have developed many of the cloud security best practices that are needed for security-related automated remediation, which is required to move towards a Zero Trust approach as mandated by the Biden Administration. These solutions have not achieved broad awareness in government leadership. Specific requirements addressed include logging and retention of logs, multifactor authentication (MFA), and data encryption.
These provide baseline standards to start from, including hundreds of configuration guidelines to safeguard cloud environments against today’s evolving cyber threats. The Office of Management and Budget (OMB) has released multiple memorandums highlighting cybersecurity improvements required and deadlines for achieving them. Leveraging solutions developed by the CSPs can mean achieving these goals and improving cloud network security in months rather than years.
For example, OBM M-21-31 relates specifically to agency logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency. Many agencies are seeing they are not logging nearly as many events as they should be, in some cases they should be logging 10 times the current number.
OBM M-22-09 provides specific goals and deadlines for implementing zero trust. The goals are organized using the zero trust maturity model developed by the Cybersecurity and Infrastructure Security Agency (CISA). CISA’s zero trust model describes five complementary areas of effort (Identity, Devices, Networks, Applications and Workloads, and Data), with three themes that cut across these areas (Visibility and Analytics, Automation and Orchestration, and Governance).
Within each pillar, the maturity model provides agencies with specific examples of a traditional, advanced, and optimal zero trust architecture. OMB is requiring that agencies achieve these specific zero trust security goals by the end of the Fiscal Year (FY) 2024.
Standards Drive Compliance
Using these cloud standards is the way to increase cloud network security and meet President Biden’s Cybersecurity Directives and policy mandates and move towards a ZTA. STS helps clients implement cloud-centric automation solutions that establish governance guardrails and enforce usage standards across multiple cloud environments. These solutions automate IT operations processes, freeing humans for higher-value tasks such as identifying the most serious threats.
For critical standards compliance issues, automation can also remediate the non-compliant findings by bringing cloud resources back into a desired state configuration. This delivers significant security improvements through automated monitoring, reporting, and remediation of compliance issues.
We Can Help
STS uses a standardized implementation approach that uses three operational phases that fully integrate cloud-native monitoring and remediation within existing agency systems, tools, and organizations. If you're interested in talking with our team about implementation (or just want to talk to an expert about cloud security), you can contact us and submit any questions.