
NSA releases top 10 tips to manage your cloud migration securely
Organizations are increasingly migrating to cloud environments to increase efficiency and flexibility in processing, storing, and sharing information. However, that efficiency comes with risk: Cloud environments are increasingly being targeted by malicious cyber actors, according to the National Security Agency (NSA).
That’s why the NSA released a list of its Top 10 Cloud Security Mitigation Strategies earlier this year. Each of the 10 strategies links to a brief report describing best practices on the topic. The strategies are intended to help organizations ensure their cloud environments are securely configured and monitored to mitigate cloud-specific threats.
The NSA’s top 10 cloud security strategies
1. Uphold the cloud shared responsibility model
Don’t assume that your cloud service provider is doing all the heavy lifting on cybersecurity. Cloud service providers operate on a shared responsibility model, and the division of responsibilities differs greatly by service model: infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS).
It’s essential to read and understand your service provider documentation and best practice guides to ensure that you’re both holding your providers accountable and holding up your end of the security responsibilities.
2. Use secure cloud identity and access management practices
Phishing techniques, exposed credentials, or weak authentication can allow cyberattackers in the door. That’s why strict identity and access policies are critical.
Your policies should include multifactor authentication, properly managed temporary credentials, and separation of duties. In general, you should give users the lowest level of privileges necessary for their role. Ensure that your employees understand the risks of improper identity and access management.
3. Use secure cloud key management practices
Be aware of how your cloud service provider handles key management. Some options rely on the cloud vendor for fully delegated server-side encryption, whereas others use a client-side encryption model.
It’s important that you understand your roles and responsibilities within your provider agreement, as well as the risks and benefits of each option.
4. Implement network segmentation and encryption in cloud environments
Secure your network using Zero Trust security practices, a model that relies on continuous verification rather than implicit trust in any one entity.
Zero Trust strategies include:
- Tying identity information to all network requests
- Using end-to-end encryption
- Implementing microsegmentation
Microsegmentation, in particular, is key. Only give users access to the resources that they need for their role. That way, even if malicious cyber actors gain access to your cloud tenant, their access will be limited.
5. Secure data in the cloud
Protect your organization from the risks of data theft and ransom by:
- Selecting appropriate cloud storage
- Preventing exposure over public IPs
- Enforcing least privilege
- Using object versioning
- Creating immutable backups with recovery plans
- Enabling encryption
- Regularly reviewing data security measures
Also, consider enabling “soft delete” functionality so important data isn’t accidentally — or maliciously — deleted.
6. Defending continuous integration/continuous delivery (CI/CD) environments
Software development and operations processes, including continuous integration/continuous delivery (CI/CD) environments, make attractive targets to malicious cyber actors who could introduce malicious code, steal trade secrets, or perpetrate denial of service attacks.
Secure your CI/CD pipeline by implementing robust identity and access management practices, ensuring your tools are up-to-date, auditing your logs, using security scanning, and properly managing secrets.
7. Enforce secure automated deployment practices through infrastructure as code (IaC)
Reduce the risk of human error during infrastructure deployment by using infrastructure as code (IaC) to automate it. This allows you to quickly see any unauthorized changes. Cloud service providers offer built-in IaC services, or you can use open source or commercial tools.
Additionally, automate your security policy compliance using IaC instead of using manual processes. This is known as policy as code.
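A minimal sketch of policy as code, added here as an illustration and not taken from the NSA reports or any provider's tooling: it checks declared storage resources against the data protections listed under strategy 5 and the least-privilege rule from strategy 2. The resource schema, field names, and the 7-day soft-delete minimum are assumptions made for the example.

```python
# Added example: policy as code over a constructed, vendor-neutral IaC document.
# Field names and the retention threshold are hypothetical, not a provider schema.
MIN_SOFT_DELETE_DAYS = 7  # assumed organizational minimum

def _no_wildcards(res):
    # Fail closed: a grant missing its principal or action is treated as "*".
    return not any("*" in str(g.get(k, "*"))
                   for g in res.get("grants", []) for k in ("principal", "action"))

# (rule id, predicate that must hold); a missing field fails the rule.
RULES = [
    ("no-public-exposure", lambda r: r.get("public_access") is False),
    ("encryption", lambda r: r.get("encryption", {}).get("enabled") is True),
    ("versioning", lambda r: r.get("versioning") is True),
    ("soft-delete", lambda r: r.get("soft_delete_days", 0) >= MIN_SOFT_DELETE_DAYS),
    ("immutable-backup", lambda r: r.get("backup", {}).get("immutable") is True),
    ("least-privilege", _no_wildcards),
]

def evaluate(resources):
    """Return sorted (resource name, rule id) pairs for every failed rule."""
    findings = []
    for res in resources:
        if res.get("type") != "object_storage":
            continue
        findings += [(res["name"], rid) for rid, check in RULES if not check(res)]
    return sorted(findings)

# Constructed sample declarations: one compliant, one not.
SAMPLE = [
    {"type": "object_storage", "name": "backups", "public_access": False,
     "encryption": {"enabled": True}, "versioning": True, "soft_delete_days": 30,
     "backup": {"immutable": True},
     "grants": [{"principal": "role/backup-writer", "action": "object:put"}]},
    {"type": "object_storage", "name": "exports", "public_access": True,
     "encryption": {"enabled": True}, "soft_delete_days": 0,
     "backup": {"immutable": True},
     "grants": [{"principal": "*", "action": "object:get"}]},
]

if __name__ == "__main__":
    for name, rule in evaluate(SAMPLE):
        print(f"FAIL {name}: {rule}")
```

Run as a pipeline gate, a non-empty result from `evaluate` would block the deployment before the misconfigured resource is created.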
8. Account for complexities introduced by hybrid cloud and multi-cloud environments
Hybrid cloud and multi-cloud environments can involve complex situations, including skill gaps between users across different environments and compatibility issues. Use vendor-agnostic tools to standardize your operations across environments, aggregate logs, provide consistency in user access, and monitor security in one place.
9. Mitigate risks from managed service providers in cloud environments
Using a managed service provider (MSP) can simplify technical support and maintenance, but may also provide another avenue for vulnerability. Research your prospective MSP’s security standards and practices before selecting a provider to safeguard your cloud environment.
The MSP’s services should be integrated with your own security and incident response systems to ensure timely, accurate risk mitigation.
10. Manage cloud logs for effective threat hunting
Since cloud systems involve a great number of users accessing data, it's essential to use a platform with thorough log keeping to track user activity within the cloud. These logs are important both for record keeping and for hunting down any abnormal activity within the system.
Cloud environments usually include logging software, but the default logging configurations vary greatly from program to program. Set up your tracking to detect unusual numbers of access attempts, system anomalies, and unusual network patterns. This helps ensure timely identification and removal of potential threats.
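One way to detect an unusual number of access attempts, shown as an added example rather than anything from the NSA guidance or a specific logging product: a sliding-window count of denied requests per principal. The log line format, the 5-minute window, and the threshold of 5 are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window
THRESHOLD = 5                  # assumed: denied attempts per principal per window

def parse(line):
    """Parse 'timestamp principal source_ip action result' (constructed format)."""
    ts, principal, ip, action, result = line.split()
    return datetime.fromisoformat(ts), principal, ip, action, result

def bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each principal to the time its denied attempts first hit the threshold."""
    recent = defaultdict(deque)  # principal -> timestamps of recent denials
    alerts = {}
    for ts, principal, _ip, _action, result in sorted(map(parse, lines)):
        if result != "DENIED":
            continue
        q = recent[principal]
        q.append(ts)
        while ts - q[0] > window:  # drop denials that fell out of the window
            q.popleft()
        if len(q) >= threshold and principal not in alerts:
            alerts[principal] = ts
    return alerts

# Constructed sample log: svc-deploy is denied 5 times in under 3 minutes,
# alice is denied 5 times spread over 80 minutes, bob is allowed.
SAMPLE = """\
2024-05-01T10:00:05+00:00 alice 198.51.100.7 console.login DENIED
2024-05-01T10:00:10+00:00 svc-deploy 203.0.113.9 storage.get DENIED
2024-05-01T10:00:40+00:00 svc-deploy 203.0.113.9 storage.get DENIED
2024-05-01T10:01:10+00:00 svc-deploy 203.0.113.9 storage.list DENIED
2024-05-01T10:01:30+00:00 bob 198.51.100.20 storage.get ALLOWED
2024-05-01T10:02:00+00:00 svc-deploy 203.0.113.9 keys.read DENIED
2024-05-01T10:02:45+00:00 svc-deploy 203.0.113.9 keys.read DENIED
2024-05-01T10:20:00+00:00 alice 198.51.100.7 console.login DENIED
2024-05-01T10:40:00+00:00 alice 198.51.100.7 console.login DENIED
2024-05-01T11:00:00+00:00 alice 198.51.100.7 console.login DENIED
2024-05-01T11:20:00+00:00 alice 198.51.100.7 console.login DENIED
""".splitlines()

if __name__ == "__main__":
    for who, when in bursts(SAMPLE).items():
        print(f"ALERT {who}: {THRESHOLD} denied attempts within {WINDOW} at {when}")
```

The same total of five denials produces an alert for `svc-deploy` but not for `alice`, because the count is taken over a window instead of the whole log.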
Conclusion
As more companies embrace cloud platforms, more potential threats will inevitably arise. Unsecured or misconfigured systems make the easiest targets. To maintain a safe cloud environment, companies are strongly urged to follow these 10 guidelines.