NSA tackles hybrid cloud, multi-cloud challenges in cybersecurity guide



The U.S. National Security Agency (NSA) released a cybersecurity information sheet addressing challenges of hybrid cloud and multi-cloud environments. The document emphasizes the complexities introduced by these environments and offers solutions to address them. Key points include the use of vendor-agnostic infrastructure as code solutions, unified management solutions, ongoing cloud training, implementing a Zero Trust approach, using CNSA Suite-approved algorithms for network communications, and maintaining compliance standards. The NSA also highlights the importance of disaster recovery, identity and access management, logging and monitoring, and policy as code to ensure cloud environments remain protected.

Full Article:

The U.S. National Security Agency (NSA) released a cybersecurity information sheet this week focusing on challenges associated with implementing hybrid cloud and multi-cloud environments, offering solutions to address the heightened complexity. The document highlights the complexities introduced by these environments. “A hybrid cloud is an environment that uses both private cloud and public cloud offerings for its infrastructure. The private cloud, often referred to as an on-premises (on-prem) solution, is an infrastructure provisioned for use by a single company, whereas the public cloud is provisioned for general use by many organizations,” the NSA wrote in its information sheet titled ‘Account for Complexities Introduced by Hybrid Cloud and Multi-Cloud Environments.’

Noting that no two cloud environments are alike, the NSA document outlined that public cloud options tend to differ vastly, not only from private cloud infrastructures but also from each other, often resulting in knowledge and skill gaps in the deployment and management process. “Multi-cloud environments may also lead to operational siloes, where single teams or individuals maintain just one environment, causing configuration discrepancies between environments that may lead to exploitable security gaps.”

It detailed that standardizing cloud operations will resolve some operational complexities. Vendor-agnostic infrastructure as code (IaC) solutions can be used to deploy hybrid cloud and multi-cloud infrastructures from a centralized location. Unified management solutions are also available to provide cloud administrators the ability to manage and monitor infrastructure resources from a central location. Furthermore, administrators should familiarize themselves with the cloud offerings in their environment to avoid gaps in skill sets. Cloud training should be ongoing to maintain a good security posture.

In hybrid cloud and multi-cloud environments, there are sometimes multiple data flows between the environments. A Zero Trust approach should be taken by minimizing the flows between environments, only allowing paths as defined by organizational policies, and verifying all identities involved before allowing connection attempts. All network communications should use Commercial National Security Algorithm (CNSA) Suite-approved algorithms.
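As an added illustration (not code from the NSA information sheet), the sketch below expresses the flow guidance as a default-deny policy check over an inventory of cross-environment flows. The environment names, the `ALLOWED_PATHS` policy and the sample flows are hypothetical, and the cipher-suite list is an assumption based on the CNSA 1.0 TLS profile in RFC 9151.

```python
from dataclasses import dataclass

# Assumption: TLS cipher suites from the CNSA 1.0 TLS profile (RFC 9151);
# confirm against current NSA guidance before relying on this list.
CNSA_TLS_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}

# Hypothetical organizational policy: the only permitted (source, destination, port) paths.
ALLOWED_PATHS = {
    ("onprem/app", "cloud-a/db", 5432),
    ("cloud-a/api", "cloud-b/queue", 443),
    ("cloud-b/web", "onprem/ldap", 636),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    identity_verified: bool  # e.g. mutual TLS or workload identity was checked
    tls_suite: str           # empty string means the flow is not encrypted

def review_flow(flow):
    """Return the policy violations for one flow; an empty list means it may proceed."""
    findings = []
    if (flow.src, flow.dst, flow.port) not in ALLOWED_PATHS:
        findings.append("path not defined by policy")
    if not flow.identity_verified:
        findings.append("identity not verified")
    if flow.tls_suite not in CNSA_TLS_SUITES:
        findings.append("cipher suite not CNSA-approved")
    return findings

def review_inventory(flows):
    """Map each violating flow to its findings (default deny: unknown paths are flagged)."""
    report = {f"{f.src}->{f.dst}:{f.port}": review_flow(f) for f in flows}
    return {name: findings for name, findings in report.items() if findings}

def unused_paths(flows):
    """Allowed paths with no observed flow: candidates for removal to minimize flows."""
    seen = {(f.src, f.dst, f.port) for f in flows}
    return sorted(ALLOWED_PATHS - seen)

# Constructed sample inventory, for illustration only.
SAMPLE_FLOWS = [
    Flow("onprem/app", "cloud-a/db", 5432, True, "TLS_AES_256_GCM_SHA384"),
    Flow("cloud-a/api", "cloud-b/queue", 443, True, "TLS_AES_128_GCM_SHA256"),
    Flow("cloud-b/batch", "onprem/files", 445, False, ""),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_FLOWS).items():
        print(name, findings)
    print("unused allowed paths:", unused_paths(SAMPLE_FLOWS))
```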

The NSA also recognizes that identity and access management differs across cloud vendors and is a challenge in hybrid cloud and multi-cloud environments. Maintaining user identities in separate environments or maintaining secure interoperation between providers, while also maintaining the principle of least privilege, can be demanding. It also detailed that logging and monitoring are essential tasks for proactively tracking cyber threats and should be enabled for all environments in use.
