Unpacking the Cloud Security Best Practices from CISA and the NSA

Originally published by Tenable.

Written by Zan Liffick.

Recent cloud security guidance from CISA and the NSA offers a wealth of recommendations to help organizations reduce risk. This blog highlights key takeaways, provides further insights from CIS, and explores how utilizing cloud security posture management (CSPM) and cloud-native application protection program (CNAPP) solutions/services can help.

The cloud security best practices from CISA and the NSA

The five cloud security best practices documents CISA and the NSA published in March are meant to help organizations adopt stronger security measures in cloud-first, multi-cloud or hybrid environments. These cybersecurity information sheets (CSIs) offer many specific measures to reduce risk overall, covering some of the most critical attack vectors impacting cloud computing services.

What’s this all about?

Each CSI focuses on a specific cloud service or suite of services, first identifying the threat and then the MITRE ATT&CK tactics and techniques used by threat actors. Then the documents provide detailed guidance on how to help reduce the risk of threat actors finding an opening. The best practices align with recommendations that other organizations touch on, such as the Center for Internet Security (CIS) Cloud Foundations benchmarks. The CSIs emphasize concepts such as least privilege, limiting attack surface area and centralizing logs for auditing purposes, as well as the use of tools like key management services (KMS), multi-factor authentication (MFA), and modern encryption protocols.

Each CSI will be summarized below, along with useful information that organizations looking to secure a cloud presence can use today.

Use Secure Cloud Identity and Access Management Practices

The identity and access management (IAM) document details best practices for access controls. These are essential to all security programs but are particularly important when developing a public cloud computing environment.

The document highlights MITRE tactics and techniques that attackers use to gain access to any environment, but cloud environments with public-facing access are an easier target. Threat actors can use phishing techniques and target accounts that don’t have active MFA. The document outlines key risk considerations once the actor is in the door, and how elements such as least privilege and separation of duties for access controls can help.

This document speaks to critical controls that other organizations, such as CIS, have also spoken to with its Cloud Foundations benchmarks. In doing so, it lends more authority to the benchmark content. Within the Cloud Foundations content, CIS includes many recommendations on controls to help secure access in cloud environments; some examples of these access control recommendations are:

• Amazon Web Services Foundations: Ensure MFA is enabled for the ‘root’ user account.
• Microsoft Azure Foundations: Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults.
• Google Cloud Platform Foundations: Ensure That Service Account Has No Admin Privileges.

Use Secure Cloud Key Management Practices

Next, CISA and NSA cover encryption methodologies, including how to best maintain secure keys and address secrets management. There are definitely tie-ins to the IAM controls with regards to how services accounts authenticate and what those accounts can do when they gain access. Coupled with a well-planned IAM strategy, utilizing KMS in a cloud service provider (CSP) is critical for smooth and secure infrastructure and operations.

This document features several important items to consider when setting up a KMS strategy. While the IAM and KMS functions may vary across CSPs, many of these considerations are universal. As such, they will also be found in corresponding CIS benchmark recommendations. This guidance can be found in recommendations on protecting keys (access controls), key/secret rotation and logging/monitoring key usage.

The document also explains where a KMS fits into the most popular cloud service models (ie: infrastructure as a service, platform as a service, or software as a service) and how MITRE classifies the tactics/techniques that attackers use to gain access or operate once they’re inside. Here are some examples of key management recommendations in the CIS Cloud Foundations benchmarks:

• Amazon Web Services Foundations: Ensure that encryption-at-rest is enabled for RDS Instances. Note: this recommendation includes using AWS KMS keys for encryption purposes.
• Microsoft Azure Foundations: Ensure the Key Vault is Recoverable.
• Google Cloud Platform Foundations: Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days.

Implement Network Segmentation and Encryption in Cloud Environments

Segmentation has become a hot topic in recent years. This is due to the introduction of micro-segmentation in data centers. In addition, network security experts have highlighted the need for a “deny by default” firewall strategy. The network segmentation and encryption implementation document addresses those concepts, but also talks about encryption-in-transit as the best way to secure data moving across the network or internet when that transit is necessary. After all, not only should you prevent attackers from accessing an environment, but also ensure that even if they get in , they won’t be able to see anything important.

The document explains recommendations for encrypted communication channels using transport layer security (TLS) 1.2 or greater for application protocols; an IPsec virtual private network (VPN) rather than TLS-based VPNs; and even private connectivity directly to the CSP. Traffic between services, to/from external parties, or between a user and a service should all be encrypted and as isolated as possible. Private access points are available for many common services used in the major CSPs, and role-based access control (RBAC) or attribute-based access control (ABAC) can be used to limit what that access can do in the environment.

The network segmentation sections outline the importance of network and workload isolation: it helps prevent lateral movement if an attacker gains access to one system or service. The document effectively explains the differences between micro- and macro-segmentation; why macro is considered the minimum necessary; and how micro-segmentation is the ideal that organizations should try to reach. This guidance has been expanded in recent years and the examples given help bridge the gap between the data center and cloud environment.

This document also offers additional links for guidance on the zero trust security model and network infrastructure security in general. The zero trust model fits well into a public cloud or hybrid cloud architecture considering the nature of what most organizations wish to do in those environments.

The document’s guidance can be found across the CIS Foundations benchmarks as well, such as recommending TLS access using version 1.2 or higher; denying specific traffic for security groups; and setting an explicit default deny firewall policy. It also has sections on networking specifically in each benchmark that address firewall rules for the respective CSP. Examples of CIS recommendations that cover these topics include:

• Amazon Web Services Foundations: Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports.
• Microsoft Azure Foundations: Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server.
• Google Cloud Platform Foundations: Ensure That the Default Network Does Not Exist in a Project.

Secure Data in the Cloud

The cloud storage document briefly covers the commonly available types of cloud storage: file/folder (smb/nfs/etc), object (like AWS Simple Storage Service [S3]), and block (mostly used by compute resources or other services provided by the CSP). A common theme is encryption and access control. The document mentions both encryption in-transit and at-rest, with recommendations for TLS 1.2 or higher on data in-transit and using a KMS for data at-rest. And again, the document highlights access controls using RBAC or ABAC.

Considering this is data storage, an extra layer of security with data access is also recommended: some form of data loss prevention (DLP). DLP systems are often used in on-premises data centers. DLP systems are commonly used in healthcare, even though they’re not necessarily required for compliance with the Health Insurance Portability and Accountability Act (HIPAA). Other industries with heavy use of personal health information (PHI) and personally identifiable information (PII) also use DLP systems. An important part of DLP functionality is auditing for exposure; and since the most prominent cloud computing breaches were related in some way to cloud data storage configuration, this extra layer is very important.

As with the other documents, many of the recommendations here are also included in CIS benchmarks, specifically calling out encryption at-rest and in-transit as well as proper access controls on storage accounts. In fact, for AWS S3 buckets, the general recommendation in the CIS Amazon Web Services Foundations Benchmark is to enable the functionality to block public access. For more information, read the AWS documentation. The recommendation below lines up with this specifically:

• Amazon Web Services Foundations: Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'.

For additional Azure and Google Cloud Platform examples with regards to data encryption and security, see the recommendations below:

• Microsoft Azure Foundations: Ensure Storage for Critical Data are Encrypted with Customer Managed Keys.
• Google Cloud Platform Foundations: Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible.

Mitigate Risks from Managed Service Providers in Cloud Environments

And finally, since some organizations hire external contractors or managed service providers to help with the transition and continual administration of cloud environments, the document about risk mitigation from managed service providers highlights this third-party risk. MITRE even documents the Trusted Relationship as a technique used by malicious actors to gain access with the purpose of establishing administrative control to a particular tenant environment.

Auditing and access control measures can go a long way to mitigating some risks associated with third-party involvement. While measures like MFA can help, access controls and monitoring are more effective when a third party is involved in deployments or administrative tasks. The topic then comes back to having appropriate IAM policies in place to protect the environment and the end users consuming the cloud services.

---

About the Author

After spending over two decades working in various systems, network and security engineering roles, and later specializing in cloud computing, Zan Liffick joined the Tenable Research Audits and Compliance team in 2022 as a Senior Research Engineer. Zan also sits on several CIS cloud security working groups and actively contributes to new benchmarks.