The Department of Defense has released a playbook designed to help software development managers, mission owners and developers improve the cybersecurity of applications hosted in cloud environments.
The Cloud Security Playbook, cleared for public release on Feb. 26, seeks to address the most common cloud security vulnerabilities and threats and intends to help mission owners hosting software in the cloud quickly achieve an Authorization to Operate, or ATO.
The document comes in two volumes. The first volume aims to prepare organizations for using a cloud and intends to enable users to understand key concepts, such as the shared responsibility model, the impact level and the requirement of a DOD provisional authorization or ATO for cloud services.
Preparing Organizations for Cloud Adoption
The playbook suggests several actions to prepare an organization for using a cloud, such as setting up a cloud governance team, developing a cloud migration strategy and establishing a budget to implement the cloud migration strategy.
Other measures outlined in the document are developing organizational policies on cloud usage, creating a cloud exit strategy, defining the roles and responsibilities of those who will have cloud access and training the workforce on cloud security.
Implementing Secure Identity, Credential & Access Management
The document calls for the implementation of identity, credential and access management, or ICAM.
Recommended actions under this section include implementing and enforcing the principle of least privilege, or PoLP; implementing PoLP for each cloud resource; requiring phishing-resistant multifactor authentication; using context-based access control policies and review policies prior to deployment and periodically after deployment to identify potential gaps; and considering requiring administrators to access cloud resources using privileged access workstations.
The initial volume also covers other key plays, such as establishing secure network access, deploying with infrastructure as code, using a cloud-native application protection platform, employing defensive cyberspace operations and deploying user and entity behavior analytics.
Cloud Security Playbook Volume 2
The playbook’s second volume addresses ways to secure containers and microservices, defend DevSecOps pipelines, mitigate third-party risks and ensure the security of artificial intelligence systems and application programming interfaces.
To defend DevSecOps pipelines, recommended actions include adopting a zero-trust approach, using encryption with a FIPS 140-2 approved algorithm, minimizing the use of long-term credentials, implementing endpoint detection and response tools and integrating security testing into the pipeline.
