The Department of Homeland Security (DHS) released volume one of its draft Cloud Interface Reference Architecture for the National Cybersecurity Protection System (NCPS) on December 12, aimed at enabling greater cloud adoption while keeping security concerns at the forefront.
The draft architecture would augment the traditional logs generated by EINSTEIN sensors at Trusted Internet Connections (TIC) access points by treating cloud network flow logs as the equivalent record for connections to cloud service providers. Agencies would be responsible for pushing those logs to DHS, which would store them regionally using its Cloud Log Aggregation Warehouse (CLAW) architecture. The model would allow DHS to access the data directly in the cloud, rather than requiring agencies to pull the data back to on-premises infrastructure before sending it to DHS.
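To make the "flow logs as sensor equivalents" idea concrete, here is an added example (not from the DHS guidance or any DHS tool) that normalizes cloud flow-log records into sensor-style connection summaries before they would be pushed to a central store. It assumes the agency exports the default AWS VPC flow log format (version 2, 14 fields); the draft guidance does not define a schema, so `FIELDS`, `Connection` and the sample records are all assumptions constructed for illustration. The part a practitioner cares about is the handling of records that carry no connection data: `NODATA` means the interface saw no traffic, while `SKIPDATA` means the collector dropped records, which is a visibility gap worth reporting alongside the connections themselves.

```python
"""
Normalize AWS VPC flow-log records into sensor-style connection summaries
and flag collection gaps before the records are pushed to a central store.
Example code added here; not from the DHS guidance or any DHS tool.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Default AWS VPC flow log (version 2) field order.  Assumption: this is the
# format the agency exports; the draft guidance does not define a schema.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed sample records (not real traffic): one accepted HTTPS flow,
# two rejected SSH attempts from the same source, a NODATA window, a
# SKIPDATA window, and one truncated line.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 203.0.113.10 49321 443 6 15 6210 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 51235 22 6 3 180 1700000005 1700000065 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000060 1700000120 - NODATA
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000060 1700000120 - SKIPDATA
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 203.0.113.10 49322 443 6
"""


@dataclass(frozen=True)
class Connection:
    """Sensor-style view of one flow: endpoints, service, and whether it was allowed."""
    src: str
    dst: str
    dst_port: int
    protocol: int
    action: str
    byte_count: int
    start: int
    end: int


@dataclass
class Summary:
    connections: List[Connection] = field(default_factory=list)
    skipped_windows: List[Tuple[int, int]] = field(default_factory=list)  # SKIPDATA gaps
    malformed: int = 0


def split_record(line: str) -> Dict[str, str]:
    """Split one space-separated record; reject lines with the wrong field count."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def to_connection(rec: Dict[str, str]) -> Connection:
    """Convert an OK record (all fields populated) into a Connection."""
    return Connection(
        src=rec["srcaddr"], dst=rec["dstaddr"],
        dst_port=int(rec["dstport"]), protocol=int(rec["protocol"]),
        action=rec["action"], byte_count=int(rec["bytes"]),
        start=int(rec["start"]), end=int(rec["end"]),
    )


def normalize(log_text: str) -> Summary:
    """Turn raw flow-log text into connections plus a record of collection gaps."""
    summary = Summary()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = split_record(line)
        except ValueError:
            summary.malformed += 1
            continue
        status = rec["log_status"]
        if status == "OK":
            summary.connections.append(to_connection(rec))
        elif status == "SKIPDATA":
            # The collector dropped records for this window: a visibility gap
            # that should be reported, not silently ignored.
            summary.skipped_windows.append((int(rec["start"]), int(rec["end"])))
        # NODATA: the interface carried no traffic in the window; nothing to record.
    return summary


def rejected_by_target(summary: Summary) -> Counter:
    """Count rejected flows per (destination, port), a basic blocked-probe view."""
    return Counter((c.dst, c.dst_port)
                   for c in summary.connections if c.action == "REJECT")


if __name__ == "__main__":
    s = normalize(SAMPLE_LOG)
    print(f"{len(s.connections)} connections, {s.malformed} malformed, "
          f"gaps: {s.skipped_windows}")
    print(rejected_by_target(s).most_common())
```

The `Connection` shape is deliberately minimal (endpoints, service, action, volume, time window) because that is roughly what a network sensor records; any richer CLAW schema would replace it without changing the gap handling.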
“As agencies move their IT infrastructure to the cloud, some of their network traffic no longer traverses traditional NCPS sensors, and security information about that traffic is no longer captured by NCPS,” the guidance notes. “The NCPS program is evolving to ensure that security information about cloud-based traffic can be captured and analyzed and DHS analysts can continue to provide situational awareness and support to the agencies.”
The release of the guidance was coordinated with the release of new guidance on TIC, as the two complement each other. Feedback on both initiatives is due by January 31.
Although DHS set avoiding additional cost as a constraint for the reference architecture, the guidance notes that agencies will have more steps to complete for NCPS compliance in the cloud. In the traditional NCPS architecture, agencies share responsibility only for the placement of the EINSTEIN sensor; in the cloud model, the burden of procuring, configuring, and reporting would fall on the agency and the cloud service provider, while DHS would focus on intrusion-related activities.
“Under IaaS, PaaS, and SaaS deployment models the agency and CSP responsibilities greatly increase as they utilize CSP offerings and their own supplemental services to satisfy NCPS capabilities,” the guidance notes.
The guidance also shows that cloud information sharing is not yet fully functional: protections for platform-as-a-service and software-as-a-service are designated as future offerings.
Looking toward the future, DHS notes that this part of the guidance is intended as a vendor-neutral overview of the changes to NCPS to accommodate cloud, while future guidance will provide details for specific cloud service providers. The draft guidance requires network flow logs to start with, but notes that other types of logs, such as transaction and security event logs, may become data sources in the future.