[CSS-CLOUD] [EXTERNAL] Cloud computing cybersecurity considerations

Liao, Jason C (US 333F) jason.c.liao at jpl.nasa.gov
Tue Sep 16 08:33:10 EDT 2025


NIST 800-53 is used as the FedRAMP security guideline.

note:
https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final

pdf:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

-Jason

On Sep 16, 2025, at 5:21 AM, Barkley, Erik J (US 3970) via CSS-CLOUD <css-cloud at mailman.ccsds.org> wrote:

Hello Holger,

Below is the summary of cloud computing cybersecurity considerations produced by AI (Gemini).

Best regards
-Erik


Adopting cloud computing requires a strong focus on cybersecurity due to unique risks and a shared responsibility model. Key considerations include understanding who's responsible for what, managing identity and access, and ensuring compliance with data regulations.
________________________________
The Shared Responsibility Model 🤝
The most critical cybersecurity consideration for cloud adoption is understanding the shared responsibility model. This framework clarifies the division of security tasks between the cloud service provider (CSP) and the customer.

  *   Cloud Service Provider (CSP) Responsibility ("Security of the Cloud"): The CSP is responsible for securing the underlying infrastructure. This includes the physical security of data centers, hardware, networking, and the virtualization layer. They handle tasks like patching the host operating system and managing the cloud platform's physical and environmental security.
  *   Customer Responsibility ("Security in the Cloud"): You, the customer, are always responsible for the security of your data, applications, and configurations within the cloud environment. This is where most security failures occur. Your responsibilities include managing user access, protecting your data with encryption, and properly configuring services. The exact division of labor changes with the cloud service model (IaaS, PaaS, or SaaS). For example, with Infrastructure as a Service (IaaS), you're responsible for the operating system and applications, while with Software as a Service (SaaS), you're mainly responsible for user access and data management.

________________________________
Core Cybersecurity Considerations 🛡️
Once you understand the shared responsibility model, you must address several core cybersecurity areas:
Identity and Access Management (IAM) 🧑‍💻
IAM is the cornerstone of cloud security. It's about ensuring that the right people have the right access to the right resources at the right time.

  *   Principle of Least Privilege: Grant users only the permissions they absolutely need to do their job, and nothing more. This minimizes the potential damage from a compromised account.
  *   Multi-Factor Authentication (MFA): Implement MFA for all accounts, especially for administrators. This adds a critical second layer of defense beyond a password.
  *   Centralized Management: Use a unified IAM solution to manage identities and access across all your cloud services and applications. This prevents fragmentation and the creation of "shadow IT" where unmanaged services can introduce vulnerabilities.

________________________________
Data Privacy and Compliance 📝
Moving data to the cloud introduces complex legal and regulatory considerations.

  *   Data Sovereignty: Understand where your data is stored and if it's subject to the laws of that country or region.
  *   Regulatory Compliance: Ensure your cloud security practices comply with relevant industry and regional regulations, such as GDPR (General Data Protection Regulation) for EU data or HIPAA (Health Insurance Portability and Accountability Act) for protected health information.
  *   Encryption: Encrypt data both in transit (as it moves between networks) and at rest (while it's stored) to protect it from unauthorized access. The customer is typically responsible for managing the encryption keys.

________________________________
Configuration Management and Monitoring 📊
Cloud misconfigurations are a leading cause of data breaches.

  *   Secure Configuration: Implement policies and automated tools to ensure all your cloud resources are configured securely from the start. This includes things like properly setting up firewall rules and storage bucket permissions.
  *   Continuous Monitoring: Regularly monitor your cloud environment for security threats, suspicious activity, and policy violations. Use automated tools to detect and respond to misconfigurations or unauthorized access in real time.
  *   Threat Intelligence: Use a combination of internal logs and external threat intelligence to proactively identify and respond to potential risks, such as an insider threat or a new zero-day vulnerability.



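The least-privilege, MFA, storage-bucket-permission and encryption-in-transit points in the quoted summary, turned into one automated configuration check, as an added example that is not part of the original thread. It assumes AWS-style JSON policy documents and the `aws:MultiFactorAuthPresent` / `aws:SecureTransport` condition keys as the concrete instance; both policy documents are constructed samples.

```python
import json

# Constructed sample: an AWS-style identity policy whose first statement
# violates least privilege and skips the MFA condition (example input only).
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-logs/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})

# Constructed sample: a bucket policy that grants read access to everyone
# without requiring TLS.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-logs/*"},
    ],
})

def _as_list(v):
    # Policy fields may be a single string or a list; normalise to a list.
    return v if isinstance(v, list) else [v]

def lint_policy(doc, require_mfa=False):
    """Return (statement_index, finding) pairs for Allow statements that
    breach least privilege, expose a bucket publicly, or skip MFA/TLS."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(doc).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        bools = stmt.get("Condition", {}).get("Bool", {})
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "wildcard action violates least privilege"))
        if "*" in resources:
            findings.append((i, "wildcard resource violates least privilege"))
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append((i, "public principal: bucket is world-readable"))
            if bools.get("aws:SecureTransport") != "true":
                findings.append((i, "public grant does not require TLS (encryption in transit)"))
        if require_mfa and bools.get("aws:MultiFactorAuthPresent") != "true":
            findings.append((i, "statement allows access without MFA"))
    return findings
```

Run `lint_policy` over every identity and bucket policy exported from the account; an empty list for each document is the pass condition.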