Cybersecurity Snapshot: NSA Picks Top Cloud Security Practices, while CNCF Looks at How Cloud Native Can Facilitate AI Adoption
2024-3-22 21:0:0 Author: www.tenable.com(查看原文) 阅读量:5 收藏

NSA Picks Top Cloud Security Practices

Check out the NSA’s 10 key best practices for securing cloud environments. Plus, learn how cloud native computing could help streamline your AI deployments. Meanwhile, don’t miss the latest about cyberthreats against water treatment plants and critical infrastructure in general. And much more!

Dive into six things that are top of mind for the week ending March 22.

1 - Ten best practices for beefing up cloud security

Looking for advice on boosting the security of your cloud environment? Check out the U.S. National Security Agency’s new “Top Ten Cloud Security Mitigation Strategies” for improving an organization’s cloud security posture.

“As organizations shift their data to the cloud for ease of processing, storing, and sharing, they must take precautions to maintain parity with on-premises security and mitigate additional cloud-specific threats,” reads the NSA document.

Ten best practices for beefing up cloud security

Here are the 10 best practices:

  • Understand your cloud service providers’ shared responsibility model, so that you know which security tasks fall on your shoulders and which ones are handled by your CSPs.
  • Adopt secure practices for identity and access management (IAM), such as using multi-factor authentication and properly managing temporary credentials.
  • Employ secure cloud key-management practices.
  • Implement network micro-segmentation and end-to-end encryption.
  • Protect cloud data via, for example, enforcing least privilege; creating immutable backups; and using object versioning.
  • Secure continuous integration and continuous delivery (CI/CD) pipelines with, for example, strong IAM, log audits and secrets management.
  • Use infrastructure-as-code to automate deployment of cloud resources.
  • Prevent security gaps in hybrid and multi-cloud environments by, for example, using vendor-agnostic tools to manage and monitor multiple environments from a single location.
  • Ensure that your managed service providers (MSPs) employ strong security standards and practices.
  • Monitor and analyze cloud logs to detect anomalous events and potential compromises.

2 – CNCF: How cloud native can support AI deployments

While organizations have gone ga-ga over artificial intelligence’s potential to revolutionize their operations, it’s no secret that AI systems need lots of computing power to work their magic. This can be a roadblock for organizations otherwise eager to deploy AI and machine learning tools.

If your business is grappling with this issue, you might want to check out a new white paper published this week by the Cloud Native Computing Foundation which looks at how cloud native (CN) computing could help facilitate the adoption of AI and ML systems.

“While CN technologies readily support certain aspects of AI/ML workloads, challenges and gaps remain, presenting opportunities to innovate and better accommodate,” reads the document titled “Cloud Native Artificial Intelligence.”

CNCF: How cloud native can support AI deployments

The paper provides an overview of AI and ML techniques; explains what CN technologies offer; discusses existing technical challenges in areas such as data preparation, model training and user experience; and looks at ways to overcome these gaps. 

“The paper will equip engineers and business personnel with the knowledge to understand the changing Cloud Native Artificial Intelligence (CNAI) ecosystem and its opportunities,” the document reads.

For more information about AI’s computing power needs:

3 – Biden administration sounds alarm on water plant cyberattacks

Highlighting the U.S. government’s concern with the cybersecurity of water and wastewater treatment plants, the White House invited representatives from all 50 states to discuss the issue. 

The virtual meeting, held this week, focused on outlining gaps in cyber defenses; fostering collaboration between federal, state and water-plant leaders; and triggering immediate action.

“Disabling cyberattacks are striking water and wastewater systems throughout the United States,” reads the meeting-invitation letter sent to all 50 governors by the White House.

Biden administration sounds alarm on water plant cyberattacks

Although water treatment plants offer a critical service, they tend to have weak cybersecurity, due to lack of resources and technical knowhow, according to the letter, penned by Environmental Protection Agency Administrator Michael Regan and by Jake Sullivan, Assistant to the President for National Security Affairs.

“In many cases, even basic cybersecurity precautions – such as resetting default passwords or updating software to address known vulnerabilities – are not in place,” Regan and Sullivan wrote.

For more information about protecting water and wastewater systems from cyberattacks, check out these Tenable resources:

VIDEO

Marty Edwards, Tenable Deputy CTO for OT and IoT, testifies during congressional hearing “Securing Operational Technology: A Deep Dive into the Water Sector”

4 - Critical infrastructure leaders warned about Volt Typhoon

Cybersecurity agencies from the U.S. and other countries want critical infrastructure leaders to take concrete steps to protect their organizations from Volt Typhoon, a hacking group backed by the Chinese government.

In the joint fact sheet “PRC State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders,” published this week, the agencies urge leaders of critical infrastructure organizations to take specific steps immediately, including:

  • Apply detection and hardening best practices
  • Involve representatives from across the business, including executive leaders, in developing comprehensive cybersecurity plans
  • Conduct regular tabletop exercises
  • Implement stringent vendor-risk management processes to reduce third-party risk
  • Align cybersecurity measures among IT, OT, cloud, supply chain and business teams

“The authoring agencies urge leaders to recognize cyber risk as a core business risk. This recognition is both necessary for good governance and fundamental to national security,” the fact sheet reads.

Critical infrastructure leaders warned about Volt Typhoon

The guidance, jointly issued by cyber agencies from the U.S., Australia, Canada, the U.K. and New Zealand, comes about a month after these same agencies published a joint advisory about Volt Typhoon aimed at IT and OT security teams.

That joint advisory, titled “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” warned that Volt Typhoon has quietly infiltrated the IT and OT environments of multiple critical infrastructure organizations, and could strike at a moment’s notice.

5 - CSA unpacks, contrasts and compares AI safety and AI security

If you’re involved with ensuring your organization uses AI both securely and responsibly, you might find interesting a new blog published this week by the Cloud Security Alliance that delves into how AI security and AI safety intersect and diverge.

AI security refers to the protection of AI systems from cyberattacks, while AI safety encompasses issues like ethics and fairness.

CSA unpacks, contrasts and compares AI safety and AI security


"While AI safety and AI security have distinct priorities and areas of focus, they are inextricably linked and must be addressed in tandem to create responsible, trustworthy and secure AI systems,” reads the article, titled “AI Safety vs. AI Security: Navigating the Commonality and Differences." 

AI security topics addressed include:

  • data privacy, availability and integrity
  • model security and integrity
  • system availability

Among the AI safety issues addressed are:

  • Lack of transparency
  • System bias
  • Facial recognition misidentification

“Effective AI governance and risk management strategies should encompass both domains throughout the entire AI lifecycle, from design and development to deployment and monitoring,” reads the article.

For more information about AI security and AI safety:

VIDEO

Building Safe and Reliable Autonomous Systems (Stanford University)

6 - McKinsey: Four steps to manage GenAI risks

As the generative AI train keeps gathering speed and enterprises everywhere rush to adopt this technology, it’s imperative to properly manage its risks.

If your organization is looking for guidance, check out the most recent advice dispensed by McKinsey in its article “Implementing generative AI with speed and safety.

Specifically, the management consulting firm recommends that enterprises take these four steps:

  • Grasp and respond to inbound risks such as security threats; third-party risk; malicious use; and intellectual property infringement.
  • List the cases for using generative AI and identify potential risks, such as bias in a customer-service chatbot, and outline mitigation and governance strategies.
  • Adapt and expand existing governance by creating a cross-functional generative AI steering group; crafting responsible AI guidelines and policies; and cultivating staff AI skills.
  • Develop an operating model for how four critical roles will interact throughout the generative AI lifecycle: designers, engineers, governors and end users.

For more information about managing generative AI risks:

Juan Perez

Juan Perez

Juan has been writing about IT since the mid-1990s, first as a reporter and editor, and now as a content marketer. He spent the bulk of his journalism career at International Data Group’s IDG News Service, a tech news wire service where he held various positions over the years, including Senior Editor and News Editor. His content marketing journey began at Qualys, with stops at Moogsoft and JFrog. As a content marketer, he's helped plan, write and edit the whole gamut of content assets, including blog posts, case studies, e-books, product briefs and white papers, while supporting a wide variety of teams, including product marketing, demand generation, corporate communications, and events.

Related Articles

  • Cloud
  • Cybersecurity Snapshot
  • Exposure Management
  • Federal
  • Government
  • Internet of Things
  • OT Security

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Thank You

Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Thank You

Thank you for your interest in Tenable.io. A representative will be in touch soon.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Thank You

Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Thank You

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

Request a demo of Tenable Security Center

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

* Field is required

Request a demo of Tenable OT Security

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

Request a demo of Tenable Identity Exposure

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

Request a Demo of Tenable Cloud Security

Exceptional unified cloud security awaits you!

We’ll show you exactly how Tenable Cloud Security helps you deliver multi-cloud asset discovery, prioritized risk assessments and automated compliance/audit reports.

See
Tenable One
In Action

Exposure management for the modern attack surface.

See Tenable Attack Surface Management In Action

Know the exposure of every asset on any platform.

Thank You

Thank you for your interest in Tenable Attack Surface Management. A representative will be in touch soon.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Learn How Tenable Helps Achieve SLCGP Cybersecurity Plan Requirements

Tenable solutions help fulfill all SLCGP requirements. Connect with a Tenable representative to learn more.


文章来源: https://www.tenable.com/blog/cybersecurity-snapshot-nsa-picks-top-cloud-security-practices-while-cncf-looks-at-how-cloud
如有侵权请联系:admin#unsafe.sh