CISA, NIST issue cloud security guidance

The Cybersecurity and Infrastructure Security Agency has issued finalized core guidance for the Trusted Internet Connection program, and the National Institute of Standards and Technology published its guide on access controls for infrastructure-as-a-service, platform-as-a-service and software-as-a-service models — as well as inter- and intra-cloud operations.

After reviewing nearly 500 comments and questions on the latest version of the Trusted Internet Connection program, the Cybersecurity and Infrastructure Security Agency updated core guidance for the TIC 3.0 Program Guidebook, Reference Architecture and Security Capabilities Catalog. The updates support newer technologies and architectural and security concepts that “reflect the growing number of cybersecurity threats and adoption of cloud-based services,” CISA said in its response to comments.

The guidance offers more clarity on the relationship between TIC 3.0, zero trust networking and trust zones established by the program. The comments also provided CISA with new insight into how to develop use cases to apply to a broader set of agencies and better leverage service provider capabilities.

According to the agency, much of the feedback it received fell into five categories: proposing additional use cases for the program, questions about how TIC interacted with other agency programs like EINSTEIN and Continuous Diagnostics and Mitigation, questions around how much support CISA plans to provide agencies, requests for additional detail in the Program Guidebook and Reference Architecture documents and requests for more information around the development, schedule and authority of use cases.

Commenters were also seeking additional capabilities at the operating system and application levels, encrypting data at rest and in transit, logging, and clarification on whether any capabilities from TIC 2.0 were still applicable. Another set of documents — including the Use Case Handbook, Overlay Handbook, Traditional TIC Use Cases and Branch Office Use Cases — will be refreshed later this summer.

The moves put CISA one step closer to completing an overhaul of a program that started out as an effort to cut down on the number of trusted internet access points used by federal agencies, but has since transformed into a set of network security standards for a more distributed architecture, accounting for the widespread adoption of cloud computing and an increasingly remote government workforce.

These days, “an agency’s assets, data, and components are commonly located in areas beyond their network boundary – on remote devices, at cloud data centers, with external partners,” the new security capabilities catalog notes — not strictly on-premises at federal facilities.

Those trends were already in play before the novel coronavirus hit U.S. shores this year, and the resulting move to telework in the wake of the pandemic has added a sense of urgency. In April, CISA released emergency interim TIC guidance to help federal managers deal with the sudden shift, but that was more an effort to triage the problem and expires at the end of this year.

Meanwhile, the National Institute of Standards and Technology on July 31 issued final guidance on access controls for infrastructure-as-a-service, platform-as-a-service and software-as-a-service models as well as inter- and intra-cloud operations. For IaaS models, the guidance addresses access controls related to the network, hypervisor, virtual machines and application programming interfaces. The PaaS guidance covers protecting middleware and memory data, instituting access policies for microservices and dealing with replicated data. In SaaS systems, NIST describes access control issues related to data ownership, confidentiality, privilege management, replicas of data, multitenancy, attribute and role management, access control policy management and APIs.