Press Release | March 7, 2024

NSA Releases Top Ten Cloud Security Mitigation Strategies

FORT MEADE, Md. – The National Security Agency (NSA) is releasing “Top Ten Cloud Security Mitigation Strategies” to inform cloud customers about important security practices as they shift their data to cloud environments. The report is a compilation of ten Cybersecurity Information Sheets (CSIs), each on a different strategy. The Cybersecurity and Infrastructure Security Agency (CISA) joins NSA as a partner on six of the ten strategies.
The ten strategies are covered in the following reports:

  1. Uphold the cloud shared responsibility model

  2. Use secure cloud identity and access management practices (Joint with CISA)

  3. Use secure cloud key management practices (Joint with CISA)

  4. Implement network segmentation and encryption in cloud environments (Joint with CISA)

  5. Secure data in the cloud (Joint with CISA)

  6. Defending continuous integration/continuous delivery environments (Joint with CISA)

  7. Enforce secure automated deployment practices through infrastructure as code

  8. Account for complexities introduced by hybrid cloud and multi-cloud environments

  9. Mitigate risks from managed service providers in cloud environments (Joint with CISA)

  10. Manage cloud logs for effective threat hunting

“Using the cloud can make IT more efficient and more secure, but only if it is implemented right,” said Rob Joyce, NSA’s Director of Cybersecurity. “Unfortunately, the aggregation of critical data makes cloud services an attractive target for adversaries. This series provides foundational advice every cloud customer should follow to ensure they don’t become a victim.”

The CSI for each strategy includes an executive summary providing background information and details about threat models. Additionally, each CSI concludes with best practices and additional guidance.
Read the summary report here.

Visit our full library for more cybersecurity information and technical guidance.

NSA Media Relations