What the NIST Framework Misses About Cloud Security

Written by

The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a valuable tool that works to improve IT measurements and standards, like how to adequately protect data. As organizations adopt increasingly complex multi-cloud and hybrid cloud environments to support long-term remote working strategies, there are critical cloud security issues that the NIST Cybersecurity Framework overlooks.

Unfortunately, a shocking number of organizations – from small businesses to large government organizations – have a false sense of security because they meet NIST standards; they simply don’t realize that despite the many benefits NIST provides, they have gaping cloud security issues within their networks. 

Log files and audit reports

Many organizations would be surprised to learn there is no NIST standard that stipulates log files should be kept longer than 30 days. This is an extremely short timeframe when you consider the wealth of information present in logs. This lack of retention creates a major reporting challenge for organizations, especially large enterprises.

Given it takes more than four months on average to detect a data breach, the current 30 day limit simply doesn’t cut it. Extended audit log retention ensures IT teams have the forensic data they need to investigate potential root-causes of security incidents. This ability is also a crucial step in remaining compliant with data privacy regulations such as GDPR.   

Shared responsibility

There is much confusion regarding who is responsible for security in the cloud, especially in enterprises using multi-cloud or hybrid cloud environments.

High-level cloud platforms like SaaS require a slew of IT-driven security responsibilities. In PaaS and SaaS solutions, identity and access management is a shared responsibility that requires an effective implementation plan that includes configuration of an identity provider, configuration of administrative services, establishing and configuration of user identities, and implementation of service access controls. 

With the progression of digital transformation initiatives and increased WFH efforts, more organizations are migrating business applications to cloud-hosted environments. While the shared responsibility model clearly dictates the security obligations of a cloud provider and its users to ensure accountability, there are gaps in visibility and security monitoring applications that need to be addressed.

As more companies chose the cloud to take advantage of cost savings and improved business functionality, it is more important than ever businesses close these gaps to achieve peak security.

Tenant delegation

NIST implies the scoping of least privilege access, but does not specify tenant delegation, or “virtual tenants.” Virtual tenants isolate areas of the overall environment and keep admins from messing with areas they don’t belong. They let admins control their ‘virtual’ areas, helping protect resources and data in M365. 

Understandably, a lack of tenant delegation creates major security challenges when PII and intellectual property are concerned. As such, organizations – especially large, distributed ones – should consider adopting tools that support the segmentation of access to specific business units to increase overall security efforts.

Admin roles and rules

There are roughly 75 attributes of Microsoft Application Administrator, but hardly anyone – neither the folks at Microsoft nor enterprise IT – knows what they mean. If a user is granted access to the role of Application Administrator, it is virtually impossible to know exactly what type of access that user has, introducing unnecessary security risks. 

While IT staffers have certain functions they need to do as part of their job, such as creating new user accounts and changing passwords, these functions don’t easily fit into a particular role; they’re more fluid. This fluidity makes traditional security approaches, such as role-based access control (RBAC), less impactful. 

Bonus: Functional Access Control (FAC)

Where RBAC is an approach to least privilege access, Functional Access Control (FAC) is a way to actually achieve it.

The NIST-endorsed FAC approach offers a more granular approach to designating what functions an IT admin can do. This an enables organizations to right-size access for specific users, which in turn improves security efforts.

Research indicates nearly two-thirds of organizations see security as the biggest challenge for cloud adoption, which makes the NIST Cybersecurity Framework a valuable tool for IT leaders looking to adequately protect data.

The Framework is great to keep in mind, so as long as organizations understand that following recommended standards does not provide full coverage from potential security incidents.

What’s hot on Infosecurity Magazine?