CISA Releases New Proposed Cloud Security Guidance
As the federal government continues to work out its strategy for secure cloud platform implementations, the Cybersecurity and Infrastructure Security Agency is asking for public comment on the latest version of its draft use case for services such as IaaS, PaaS, and SaaS.
The draft Trusted Internet Connections 3.0 guidance, released Thursday, is a huge, detailed document that lays out proposed methods for federal agencies to use cloud platforms securely. It builds on the Cloud Security Technical Reference Architecture that was part of President Biden’s executive order on cybersecurity from 2021. The guidance covers a wide range of potential use cases for agencies and seeks to apply some of the same principles used in traditional network and multi-boundary environments to help secure cloud deployments.
“The IaaS, PaaS, and SaaS guidance in the Cloud Use Case focuses on the scenario in which an agency has one or more cloud deployments in its enterprise. Traditionally, agency users would have accessed cloud deployments either directly from an agency campus or by establishing a secure connection (e.g., VPN) to an agency campus, and using that channel to access the cloud deployment,” the draft guidance says.
The conceptual architecture laid out in the document comprises seven separate trust zones, which should be assigned various levels of trust, from low, to medium, to high, depending on the specific agency’s risk tolerance and use cases. The trust zones include agency campus, cloud service provider, remote user, external partner, agency service, external entity, and web. The guidance relies on a shared security model, which divides responsibility for securing various portions of a deployment between the CSPs and the agency itself.