CISA provides agencies with long-awaited cloud security guidance

The Cybersecurity and Infrastructure Security Agency has released new guidance for applying modern network security practices across multiple cloud computing scenarios. It’s another evolution in a years-long effort to make it easier for agencies to securely adopt cloud services.

CISA published the  draft Trusted Internet Connections (TIC) 3.0 Cloud Use Case on Thursday. CISA is accepting comments on the draft document through July 22 before it works toward publishing a final version.

In a blog post, CISA Executive Assistant Director for Cybersecurity Eric Goldstein wrote that the use case builds upon last May’s cybersecurity executive order and CISA’s Cloud Security Technical Reference Architecture. An initial version of the “TRA” was published last fall.

“With the appetite for cloud guidance growing, this new CISA resource will help federal agencies effectively leverage applicable aspects of the Cloud Security TRA and work to achieve a mandate in the EO for secure cloud services,” Goldstein wrote.

The cloud use case has been highly anticipated since the White House Office of Management and Budget rescinded previous TIC policy and directed CISA to update the TIC initiative nearly three years ago.

The September 2019 memorandum from then-Deputy Director for Management Margaret Weichert identified previous requirements for agencies to flow traffic through a physical TIC access point as “an obstacle to the adoption of cloud-based infrastructure.”

Her memo directed CISA to publish TIC use cases to identify alternative security controls for scenarios when traffic is not required to flow through a TIC access point. The cloud use case is the final product to drop in the TIC 3.0 series. CISA has already published the Traditional TIC Use Case, Branch Office Use Case, and Remote User Use Case.

Ross Nodurft, former head of OMB’s cyber team and executive director of tech industry group Alliance for Digital Innovation, welcomed the new CISA guidance, calling it a “policy release valve” for agencies looking at cloud security architectures beyond the old TIC access points.

“It’s been a very long time coming,” Nodurft said. “And I’m frankly, I know a lot of the agencies have been asking for it, because it provides a bunch of different iterations of what architectures could and should look like.”

The document covers security considerations across Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), and Email-as-a-Service (EaaS) deployments.

“This guidance also incorporates cloud-specific considerations, such as the shared services model and cloud security posture management principles outlined in the Cloud Security TRA,” Goldstein wrote in his blog. “Another unique aspect of this use case is that it was written from the vantage point of cloud-hosted services, as opposed to from the vantage point of the client accessing these services.”

It further breaks the guidance down into different “security patterns,” such as when an agency campus network connects with a cloud service provider versus when a remote user connects to cloud resources.

The idea is to give agencies more clarity on how they can securely adopt cloud services, especially after last May’s executive order directed agencies to “accelerate the move to secure cloud services.” OMB has also directed agencies to start adopting zero trust architectures by, in part, leveraging the security features in cloud services.

“While this use case can be leveraged as agencies move towards Zero Trust Architectures, implementation of zero trust requires additional controls, additional rigor of applying security capabilities, and measures beyond those detailed in this use case,” the use case document states.

Nodurft said another important advancement in the cloud use case is the discussion around telemetry, or network data collected to detect cyber threats. TIC access points have traditionally collected telemetry data.

The guidance states that agencies should track access to “all agency data and applications in the cloud and analyze all access events for suspicious behaviors,” while noting that many cloud service providers have capabilities in place for logging, monitoring and analysis of telemetry data.

“We want to start talking to the agencies about what type of telemetry data we can capture, given the security tools and security capabilities you guys are employing in your security architectures,” Nodurft said. “And then what does that look like from a centralized log aggregation repository? Are we are we going to really finally be able to have a centralized view from CISA and are agencies going to be able to then use that same telemetry information to look at their own security networks in a new way?”