
CISA Lays Out Security Rules for Zero Trust Clouds

9 Sep 2021 11:38am, by

If you’re a former Beltway Bandit (guilty) or other Federal government IT worker you know all about jumping through regulatory hoops to get your job done. Sometimes, it’s a real pain in the neck, but other times the Feds come up with really useful guidance. That appears to be the case with the Cybersecurity and Infrastructure Security Agency (CISA) and its Cloud Security Technical Reference Architecture (TRA) and Zero Trust Maturity Model drafts.

These documents lay out guidelines for a security world in which the traditional network perimeter is riddled with holes. Firewalls are still fine in their place, but if you rely on them as your main line of defense today, you’re asking for trouble. Just ask, for example, Colonial Pipeline.

Therefore, we must implement data protection measures built around cloud security and zero trust. The cloud document lays out guidance for agencies’ secure migration to the cloud by explaining considerations for shared services, cloud migration, and cloud security posture management. Its suggestions, though, are handy for more than just Federal contractors.

To produce these documents, CISA partnered with the United States Digital Service (USDS) and the Federal Risk and Authorization Management Program (FedRAMP). It’s not really a government project unless you have at least three agencies working together — and hopefully not at cross purposes.

The cloud document covers recommended approaches to cloud migration and data protection. It also covers Cloud Security Posture Management (CSPM) and enumerates related security tools for monitoring, development, integration, risk assessment, and incident response in cloud environments.

The CISA’s Zero Trust Maturity Model helps agencies develop their zero trust strategies and implementation plans. Its goal is to “prevent unauthorized access to data and services coupled with making the access control enforcement as granular as possible.” In other words, zero trust shifts from a location-centric model to a more data-centric approach for fine-grained security.
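To make the location-centric versus data-centric distinction concrete, here is an added example in Python; it is not part of this article or of CISA’s documents. It assumes a toy policy: the role table, the resource sensitivities, the 10.0.0.0/8 internal range and the three sample requests are all constructed for the illustration. It runs the same requests through a perimeter-style check (trusted if the source address is inside the network) and through a per-request zero trust decision that looks at identity, entitlement, device posture and the sensitivity of the data, and ignores network location entirely.

```python
import ipaddress
from dataclasses import dataclass

# Assumed internal address range for the perimeter model; any value would do here.
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt, carrying the signals a zero trust policy point evaluates."""
    subject: str          # authenticated identity
    source_ip: str        # where the request comes from (only the perimeter model cares)
    mfa: bool             # did the session complete multi-factor authentication
    device_managed: bool  # is the device enrolled in management
    device_patched: bool  # does the device meet the patch baseline
    resource: str
    action: str           # "read" or "write"


# Constructed, data-centric policy: entitlements and assurance requirements are
# attached to each resource, not to a network segment.
RESOURCES = {
    "payroll-db": {"sensitivity": "high", "read": {"hr", "finance"}, "write": {"finance"}},
    "wiki":       {"sensitivity": "low",  "read": {"hr", "finance", "eng"}, "write": {"eng"}},
}
ROLES = {"alice": {"finance"}, "bob": {"eng"}, "mallory": set()}


def perimeter_decision(req: AccessRequest) -> bool:
    """Location-centric model: a request from inside the network is trusted, full stop."""
    return ipaddress.ip_address(req.source_ip) in CORPORATE_NET


def zero_trust_decision(req: AccessRequest) -> tuple[bool, str]:
    """Per-request decision from identity, entitlement, device posture and the
    sensitivity of the data being touched. Network location is deliberately absent."""
    res = RESOURCES.get(req.resource)
    if res is None:
        return False, "unknown resource"
    if not ROLES.get(req.subject, set()) & res.get(req.action, set()):
        return False, "identity not entitled to this action"
    if not req.device_managed:
        return False, "unmanaged device"
    if res["sensitivity"] == "high":
        # High-sensitivity data demands stronger assurance on every single request.
        if not req.mfa:
            return False, "MFA required for high-sensitivity resource"
        if not req.device_patched:
            return False, "device posture below baseline"
    return True, "allowed"


def evaluate(req: AccessRequest) -> tuple[bool, bool]:
    """Return (perimeter verdict, zero trust verdict) for side-by-side comparison."""
    return perimeter_decision(req), zero_trust_decision(req)[0]


# Constructed sample requests.
INSIDER_UNMANAGED = AccessRequest("mallory", "10.20.30.40", False, False, False, "payroll-db", "read")
REMOTE_FINANCE = AccessRequest("alice", "203.0.113.7", True, True, True, "payroll-db", "read")
ENGINEER_WIKI = AccessRequest("bob", "10.1.2.3", False, True, True, "wiki", "write")

if __name__ == "__main__":
    for name, req in [("insider on unmanaged host", INSIDER_UNMANAGED),
                      ("remote finance user, MFA + managed device", REMOTE_FINANCE),
                      ("engineer editing wiki", ENGINEER_WIKI)]:
        perim, (zt, why) = perimeter_decision(req), zero_trust_decision(req)
        print(f"{name:42} perimeter={perim!s:5} zero_trust={zt!s:5} ({why})")
```

The first request is the Colonial Pipeline lesson in miniature: an unentitled account on an unmanaged host inside the network is waved through by the perimeter model and refused by the per-request check. The second shows the flip side, a legitimate finance user working remotely who the perimeter would block but whom zero trust admits because the identity, MFA and device posture all check out. Only the third request, a low-sensitivity write by an entitled engineer, gets the same answer from both models.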

While securing the cloud is difficult, it’s a solvable problem. We have the tools. We know what we need to do. Zero trust is another matter. Moving to zero trust is non-trivial. “Fundamentally,” the CISA states, “it requires a change in an organization’s philosophy and culture around cybersecurity. The path to zero trust is a journey that will take years to implement.”

You can help lay out the path to both. Both of these documents are now open to public comment. Eric Goldstein, the CISA’s Executive Assistant Director of Cybersecurity, explained, “We are now requesting public comment to ensure our recommended cloud technology modernization and zero trust efforts, respectively, enable the best visibility, flexibility, and security.”

The public comment period has begun and is scheduled to conclude on Friday, Oct. 1, 2021. You can submit your comments and feedback via e-mail to [email protected]. Following the comment period, CISA will work with stakeholders to assess the feedback and produce new versions of these guidance documents.

Feature image: Fragmentary decree of King Neferkauhor