NSA addresses challenges of hybrid cloud, multi-cloud environments in new cybersecurity information sheet

The U.S. National Security Agency (NSA) released a cybersecurity information sheet this week focusing on challenges associated with implementing hybrid cloud and multi-cloud environments, offering solutions to address the heightened complexity. The document highlights the complexities introduced by these environments.

“A hybrid cloud is an environment that uses both private cloud and public cloud offerings for its infrastructure. The private cloud, often referred to as an on-premises (on-prem) solution, is an infrastructure provisioned for use by a single company, whereas the public cloud is provisioned for general use by many organizations,” the NSA wrote in its information sheet titled ‘Account for Complexities Introduced by Hybrid Cloud and Multi-Cloud Environments.’ “A multi-cloud environment, on the other hand, provisions multiple offerings from different cloud service providers. Organizations often find themselves using one or both of these solutions when deploying their infrastructures to the cloud.”

Identifying that no two cloud environments are alike, the NSA document outlined that public cloud options tend to differ vastly, not only from private cloud infrastructures but also from each other as well, often resulting in knowledge and skill gaps in the deployment and management process. “Multi-cloud environments may also lead to operational siloes, where single teams or individuals maintain just one environment, causing configuration discrepancies between environments that may lead to exploitable security gaps.”

It detailed that standardizing cloud operations will resolve some operational complexities. Vendor-agnostic infrastructure as code (IaC) solutions can be used to deploy hybrid cloud and multi-cloud infrastructures from a centralized location. Unified management solutions are also available to provide cloud administrators the ability to manage and monitor infrastructure resources from a central location.

Furthermore, administrators should familiarize themselves with the cloud offerings in their environment to avoid gaps in skill sets. Cloud training should be ongoing to maintain a good security posture. 

In hybrid cloud and multi-cloud environments, there are sometimes multiple data flows between the environments. A Zero Trust approach should be taken by minimizing the flows between environments, only allowing paths as defined by organizational policies, and verifying all identities involved before allowing connection attempts. A misconfigured network can lead to data breaches across multiple cloud tenants and potentially a customer’s on-prem environment as well. All network communications should use Commercial National Security Algorithm (CNSA) Suite-approved algorithms.

The NSA also recognizes that identity and access management differs across cloud vendors and is a challenge in hybrid cloud and multi-cloud environments. Maintaining user identities in separate environments or maintaining secure interoperation between providers, while also maintaining the principle of least privilege, can be demanding.

It also detailed that logging and monitoring are essential tasks for proactively tracking cyber threats and should be enabled for all environments in use. However, threat hunting and keeping track of user activity in hybrid cloud and multi-cloud environments can become difficult. This is due to lack of the skills or resources required to maintain constant visibility into multiple environments at once, especially when monitoring activity between cloud environments.

Cloud providers have their own methods of disaster recovery for internal systems that may impact the recovery objective for organizations. Multi-cloud solutions are often used to circumvent issues that may arise in disaster recovery by allowing organizations to quickly spin up backups stored in a different cloud environment. When using multi-cloud solutions for disaster recovery efforts of cloud assets, avoid vendor lock-in and have redundancy across multiple cloud environments. 

Though this approach may require additional training to ensure service usage is understood across different environments, it helps ensure data is not lost if an outage or destructive event affects a cloud service provider (CSP). Disaster recovery implementations should be regularly tested to ensure recovery expectations can be met if a real disaster occurs. 

The NSA document identified that ensuring compliance standards are met can be difficult in hybrid cloud and multi-cloud environments. Policy as code, an IaC model, can be used to codify security and compliance best practices across cloud accounts. Using a cloud-agnostic policy as a code solution will allow policies to be created as part of the existing cloud deployment operations for organizations to ensure all environments remain compliant.

The information sheet called upon organizations to consider implementing various best practices to ensure cloud environments remain protected, including the use of infrastructure as code to deploy infrastructure resources from a centralized location; ensure training is ongoing for all cloud environments in use to avoid gaps in skill sets;  minimize data flows between environments to paths necessary for day-to-day business operations; ensure CNSA Suite-approved algorithms are used; and follow NSA and NIST guidelines to determine the best IAM solution to meet organizational needs.

It also suggested defining access control policies uniformly to ensure user access is consistent across all environments; using a centralized solution to aggregate logs and facilitate active monitoring and threat hunting; avoiding vendor lock-in and enabling redundancy across multiple environments to ease disaster recovery efforts for cloud assets and resources; and codifying security and compliance best practices through policy as code.

Last month, the NSA issued a document urging CSPs to prioritize security for maintaining robust business models and safeguarding cloud infrastructure. Organizations must understand the importance of logging, effective management, storage, and analysis of logs. Security logs play a vital role in threat hunting, security incident investigations, and compliance adherence.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.