By: Eric Goldstein, Executive Assistant Director for Cybersecurity
A new item has been added to the menu of Trusted Internet Connections (TIC) guidance: draft use case covering cloud services. Building upon the Cloud Security Technical Reference Architecture (TRA) required by President Biden’s Cybersecurity Executive Order, this use case provides architectural guidance on different aspects of cloud services. With the appetite for cloud guidance growing, this new CISA resource will help federal agencies effectively leverage applicable aspects of the Cloud Security TRA and work to achieve a mandate in the EO for secure cloud services.
USE CASES BACKGROUND
Under the Office of Management and Budget’s (OMB) Memorandum M-19-26, the modernized TIC 3.0 initiative is required to produce use cases to support agencies as they design and implement secure, flexible network architectures. Having already produced the Traditional TIC Use Case, Branch Office Use Case, and Remote User Use Case, the Cloud Use Case serves as the final product in this series.
CLOUD USE CASE: EXPLAINED
The Cloud Use Case provides network and multi-boundary security for agencies that operate in cloud environments. While this use case provides common security guidance for cloud operations, it also highlights unique considerations for Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), and Email-as-a-Service (EaaS) deployments. Like previous use cases, the Cloud Use Case outlines security patterns, applicable security capabilities, and telemetry requirements specific to this particular use case. However, this guidance also incorporates cloud-specific considerations, such as the shared services model and cloud security posture management principles outlined in the Cloud Security TRA. Another unique aspect of this use case is that it was written from the vantage point of cloud-hosted services, as opposed to from the vantage point of the client accessing these services.
To ensure this new guidance is as accurate and comprehensive as possible, CISA invites the public to review and provide comment from 16 June until 22 July. Agencies, industry, academia, and other interested members of the public should submit their feedback to firstname.lastname@example.org. At the close of the public comment period, CISA will assess all feedback and publish a finalized version.