NIST CSF 2.0 - shipping forecast, security complexities in the cloud.

In recent years, the shift to the cloud has become a strategic initiative as organisations seek to stay competitive and foster innovation. This move is driven by the potential to reduce technical debt, lower operational costs, improve scalability, and enhance collaboration. Prominent companies like Netflix and Adobe are just a few that have publicly acknowledged the significant benefits gained from this transition. However, moving to cloud-based systems is not without its challenges, particularly for cyber security. The high-profile breaches at Capital One, involving 106 million user records, illustrate the potential risks involved.

Utilising the updated NIST CSF 2.0 framework, this discussion aims to delineate the primary differences between on-premises and cloud systems, as a guide toward a secure transition. The new framework notably introduces a governance function, highlighting the critical need for comprehensive policies, procedures, and processes tailored to manage and monitor the regulatory, legal, and operational risks associated with cyber security.

On-premises systems provide organisations with complete control over their assets, allowing direct implementation of corporate governance mechanisms. In contrast, cloud systems require a more nuanced approach due to a reliance on Service Level Agreements (SLAs) to ensure that service offerings align with corporate security and compliance needs. Given the cloud’s scalability and elasticity, governance frameworks need to be adapted to dynamic configurations and services. Additionally, the potential international location of cloud infrastructure raises complex regulatory and compliance issues, particularly when handling sensitive or regulated information across multiple jurisdictions.

In the cloud, there are no traditional network perimeters, so robust identity verification is critical. This involves additional checks for the user, typically managed through Multi-Factor Authentication (MFA) that combines something the user knows, is, and has. This approach significantly mitigates risks associated with compromised credentials or brute force attacks. However, such stringent authentication before access to every resource would degrade user experience. To support robust identity verification, the federation strategy Single Sign-On (SSO) is employed to streamline authentication, which can be applied across multiple cloud platforms without compromising security.

In the cloud, encryption is a critical control for safeguarding data confidentiality, whether the data is at rest, in motion, or in use. With encryption, another consideration is secure key management. This process includes key generation, distribution, storage, rotation and timely revocation to prevent unauthorised access. There is also an added complexity from the shared responsibility model. In this setting, infrastructure encryption keys are typically managed by the CSP, with the end-user organisations retaining responsibility for application and data layer keys.

Detection of potential security incidents in cloud environments also differs markedly from on-premises settings. While on-premises systems allow for customised security monitoring and control, cloud deployments rely on collaborative efforts with CSPs to manage infrastructure logs and monitor for signs of security events. The scalable nature of the cloud requires detection mechanisms which can accommodate transient resources and ephemeral data flows, with a focus on identity-related events due to the absence of a defined network perimeter.
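As an added example (not part of the original article), the sketch below keys detection on the identity rather than on a host or address, so alerts still correlate when sign-ins land on short-lived resources. The event fields, thresholds and sample sign-ins are constructed assumptions, not any CSP's log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events; field names are hypothetical.
EVENTS = [
    {"time": "2024-05-01T09:00:00", "identity": "alice", "outcome": "success", "mfa": True,  "resource": "vm-a1"},
    {"time": "2024-05-01T09:00:00", "identity": "carol", "outcome": "failure", "mfa": False, "resource": "vm-c1"},
    {"time": "2024-05-01T09:01:00", "identity": "bob",   "outcome": "failure", "mfa": False, "resource": "fn-17"},
    {"time": "2024-05-01T09:01:30", "identity": "bob",   "outcome": "failure", "mfa": False, "resource": "fn-18"},
    {"time": "2024-05-01T09:02:00", "identity": "bob",   "outcome": "failure", "mfa": False, "resource": "fn-19"},
    {"time": "2024-05-01T09:03:00", "identity": "bob",   "outcome": "success", "mfa": False, "resource": "fn-20"},
    {"time": "2024-05-01T09:10:00", "identity": "carol", "outcome": "failure", "mfa": False, "resource": "vm-c2"},
    {"time": "2024-05-01T09:20:00", "identity": "carol", "outcome": "failure", "mfa": False, "resource": "vm-c3"},
    {"time": "2024-05-01T09:30:00", "identity": "dave",  "outcome": "success", "mfa": False, "resource": "vm-d1"},
]

WINDOW = timedelta(minutes=5)   # assumed look-back window
MAX_FAILURES = 3                # assumed failure threshold


def detect(events, window=WINDOW, max_failures=MAX_FAILURES):
    """Return (time, identity, rule) alerts, correlated per identity."""
    alerts = []
    failures = defaultdict(deque)  # identity -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        who = ev["identity"]
        recent = failures[who]
        # Drop failures that have aged out of the window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if ev["outcome"] == "failure":
            recent.append(ts)
            if len(recent) == max_failures:  # alert once, when the threshold is reached
                alerts.append((ev["time"], who, "repeated-failures"))
        else:
            if not ev["mfa"]:
                alerts.append((ev["time"], who, "success-without-mfa"))
            if len(recent) >= max_failures:
                alerts.append((ev["time"], who, "success-after-failures"))
            recent.clear()
    return alerts
```

In the sample, bob's failures hit three different ephemeral resources and are still correlated, while carol's widely spaced failures age out of the window and raise nothing.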

Responding to and recovering from cyber incidents in the cloud involves orchestrated efforts with CSPs, as these will be reliant on their tools and capabilities. The recovery process, in particular, depends heavily on the services provided by the CSP. These will include data backups and system restoration, which are integral to meeting defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

Transitioning to the cloud is not merely about leveraging new technologies; it also requires understanding and navigating the complexities of cloud cyber security. With careful planning, robust security measures, and a clear understanding of the differences and structures provided by established frameworks like the NIST CSF 2.0, organisations can mitigate potential pain points and fully capitalise on the benefits of cloud computing.
