As the federal government continues to work out its strategy for secure cloud platform implementations, the Cybersecurity and Infrastructure Security Agency (CISA) is asking for public comment on the latest version of its draft Cloud Use Case, which covers services such as IaaS, PaaS, and SaaS.
The draft Trusted Internet Connections (TIC) 3.0 Cloud Use Case, released Thursday, is a large, detailed document that lays out proposed methods for federal agencies to use cloud platforms securely. It builds on the Cloud Security Technical Reference Architecture (TRA) that was mandated by President Biden's 2021 executive order on cybersecurity. The guidance covers a wide range of potential use cases for agencies, and seeks to apply some of the same principles used in traditional network and multi-boundary environments to securing cloud deployments.
“The IaaS, PaaS, and SaaS guidance in the Cloud Use Case focuses on the scenario in which an agency has one or more cloud deployments in its enterprise. Traditionally, agency users would have accessed cloud deployments either directly from an agency campus or by establishing a secure connection (e.g., VPN) to an agency campus, and using that channel to access the cloud deployment,” the draft guidance says.
The conceptual architecture laid out in the document comprises seven separate trust zones, each of which is assigned a trust level of low, medium, or high depending on the specific agency's risk tolerance and use cases. The trust zones are agency campus, cloud service provider, remote user, external partner, agency service, external entity, and web. The guidance relies on the shared responsibility model, which divides responsibility for securing the various portions of a deployment between the cloud service provider (CSP) and the agency itself.
“Inherent in this model is that the responsibility for securing a SaaS offering relies heavily upon the service provider. On the other hand, with IaaS, most responsibility falls on the agency, some responsibility resides with the CSP, and other responsibilities are shared. While the shared responsibility shows three distinct service models, as cloud offerings mature, there is no clean line between offerings and the delineation between each service model is blurred,” the guidance says.
“Additionally, each CSP may define this shared security relationship differently. Agencies must clearly identify and understand the delineation of responsibilities between themselves and their CSPs for deploying security capabilities. This can become more complex when agencies are utilizing services from multiple CSPs.”
Enterprises have been using multiple cloud platforms for large parts of their computing and infrastructure needs for many years and have seen cost savings and efficiency gains as a result. But things work differently in Washington, where everything is tightly regulated and budgets are squeezed and monitored to the nth degree. Many federal agencies already use cloud services, and the proposed guidance is meant to give them a common set of methods to rely on when putting together a strategy for securing those deployments.
“While this use case provides common security guidance for cloud operations, it also highlights unique considerations for Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), and Email-as-a-Service (EaaS) deployments. Like previous use cases, the Cloud Use Case outlines security patterns, applicable security capabilities, and telemetry requirements specific to this particular use case,” said Eric Goldstein, executive assistant director of CISA.
“However, this guidance also incorporates cloud-specific considerations, such as the shared services model and cloud security posture management principles outlined in the Cloud Security TRA. Another unique aspect of this use case is that it was written from the vantage point of cloud-hosted services, as opposed to from the vantage point of the client accessing these services.”
Public comment on the TIC 3.0 guidance is open until July 22.