© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Security | Aligning to the NIST Cybersecurity Framework in the AWS Cloud
• What is the NIST Cybersecurity Framework (CSF)?
• Why Use the NIST CSF?
• AWS Responsibilities: AWS Services Alignment with the NIST CSF
• Customer Responsibilities: Use of AWS Services to Align to the NIST CSF
What is the NIST CSF?
What is the NIST Cybersecurity Framework?
• A voluntary framework composed of best practices to help organizations of any size and in any sector improve the cybersecurity, risk management, and resilience of their systems
• A common taxonomy to align an organization’s business drivers with the security considerations specific to its use of technology
• Uses existing standards to scale across borders, evolve with technological advances and business requirements, and provide economies of scale
• Originally intended for critical infrastructure but applicable across all organization types
Why was the NIST CSF created?
Executive Order: Presidential Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” (February 2013), charged NIST with developing the framework.
In February 2014, the National Institute of Standards and Technology (NIST) published the “Framework for Improving Critical Infrastructure Cybersecurity” (the CSF), a voluntary framework to help organizations of any size and sector improve the cybersecurity, risk management, and resilience of their systems. Originally intended for critical infrastructure, it has broader applicability across all organization types.
Legislation: The Cybersecurity Enhancement Act of 2014 reinforced the legitimacy and authority of the CSF by codifying its development and voluntary adoption into law.
Executive Order: Presidential EO 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” mandates the use of the CSF for all Federal IT.
Who is NIST?
• The National Institute of Standards and Technology is a non-regulatory federal agency within the Department of Commerce
• Conducts research, tests products/services, and develops standards, among other functions
• NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems
  • NIST 800 series (800-53 security and privacy controls, 800-37 risk management framework, 800-61 incident handling, 800-145 cloud computing definition)
  • FIPS (140-2 encryption, 199 security categorization)
• NIST and its standards are recognized worldwide
What is considered critical infrastructure?
In the U.S., 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof:
1. Chemical
2. Commercial Facilities
3. Communications
4. Critical Manufacturing
5. Dams
6. Defense Industrial Base
7. Emergency Services
8. Energy
9. Financial Services
10. Food and Agriculture
11. Government Facilities
12. Healthcare and Public Health
13. Information Technology
14. Nuclear Reactors, Materials, and Waste
15. Transportation Systems
16. Water and Wastewater Systems
What is the NIST Cybersecurity Framework?
The CSF offers a simple-yet-effective risk-based, outcome-focused framework consisting of three elements – Core, Tiers, and Profiles:
• Core: a set of cybersecurity practices, outcomes, and technical, operational, and managerial security controls (referred to as Informative References) that support the five risk management functions: Identify, Protect, Detect, Respond, Recover.
• Tiers: characterize an organization’s aptitude for managing cybersecurity risk, from Tier 1 (Partial) through Tier 2 (Risk Informed) and Tier 3 (Repeatable) to Tier 4 (Adaptive).
• Profiles: convey the organization’s “as is” (Current) and “desired” (Target) risk posture.
These three elements enable organizations to prioritize and address cybersecurity risks consistent with their business and mission needs.
Different lexicon, same security objective
NIST’s “Identify” function regarding “Risk Management Strategy” mapped to 9 different regulatory requirements… each proposal modifies language and definitions, requiring firms to comply with largely the same but distinct requirements. Opportunities to streamline so focus is not on compliance but security.
- Financial Services Sector Coordinating Council
NIST CSF: Core
5 functions, 23 categories, and 108 subcategories (outcome-based security activities):
• Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management
• Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
• Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
• Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
• Recover: Recovery Planning; Improvements; Communications
NIST CSF | Core
• Function: overarching organization of cybersecurity lifecycle management
• Category: desired security outcome
• Subcategory: risk-based security activity (i.e., controls)
• Informative references: standards mapping
Why Use the NIST Cybersecurity Framework?
• Common taxonomy around risk management
• No cost
• Risk-based, outcome-focused
• Leverages existing accreditations, standards, and controls
• Flexible and adaptive
• Relevant to techs and execs
• Sector agnostic: used in health care, the commercial sector, federal agencies, states, financial services, and internationally (Italy, Japan, Israel, Uruguay)
Internationalization of the NIST CSF
ISO/IEC 27103:2018 – Cybersecurity and ISO and IEC Standards (Feb 2018)
- Guidance for implementing a cybersecurity framework leveraging existing standards
- Promotes the same concepts and best practices reflected in the NIST CSF
DRAFT ISO 27101 – Cybersecurity framework development guidelines
- Identifies concepts for creating and implementing a cybersecurity framework
- Construct includes five functions (Identify, Protect, Detect, Respond, Recover) and foundational activities that crosswalk to existing standards, accreditations and frameworks
Aligning to the NIST CSF in the AWS Cloud
AWS accomplishes two objectives with the whitepaper:
• Security of the cloud: Provides a third-party attestation that AWS infrastructure and services conform to NIST CSF risk-management practices, assuring customers that their data is protected across AWS.
• Security in the cloud: Maps the NIST CSF to AWS Cloud offerings that customers can use to align to the NIST CSF. We provide a detailed breakout of AWS services and associated customer and AWS responsibilities to facilitate alignment to the NIST CSF.
AWS Services Alignment with the CSF
As validated by our third-party assessor, the services that maintain an accreditation under FedRAMP Moderate and/or ISO 27001/27101/27017 align with the CSF.
✓ Validated the NIST CSF mapping to NIST SP 800-53 security control requirements
✓ Reviewed the AWS services that have undergone the FedRAMP Moderate and ISO 9001 / 27001 / 27017 / 27018 accreditations that meet the control requirements
✓ All services recommended for inclusion were validated as in scope for the AWS FedRAMP Moderate and ISO attestations (marked with *italics in the customer workbook, Appendix A of the whitepaper)
When deploying AWS solutions, organizations can have the confidence that:
• AWS services uphold risk management best practices defined in the CSF
• Customers can leverage these solutions for their own alignment to the CSF
Aligning to the NIST CSF in the AWS Cloud
NIST CSF: Identify
• Asset Management (ID.AM)
• Business Environment (ID.BE)
• Governance (ID.GV)
• Risk Assessment (ID.RA)
• Risk Management Strategy (ID.RM)
• Supply Chain Risk Management (ID.SC)
[Figure: AWS building blocks shown for Identify – Inventory, event-based Lambda Functions, and Enterprise Agreement]
NIST CSF: Protect
• Identity Management, Authentication and Access Control (PR.AC)
• Awareness and Training (PR.AT)
• Data Security (PR.DS)
• Information Protection Processes and Procedures (PR.IP)
• Maintenance (PR.MA)
• Protective Technology (PR.PT)
[Figure: AWS building blocks shown for Protect – AWS STS, MFA token, Role, Permissions]
Protect in AWS Architecture
[Figure: AWS Cloud > AWS Region > VPC spanning Availability Zone A and Availability Zone B. Each zone has a Public Subnet (Web Servers), an App Subnet (App Servers), and a DB Subnet (DB Primary in Zone A, DB Secondary in Zone B); the Web and App tiers each run in an Auto Scaling group across both zones.]
NIST CSF: Detect
• Anomalies and Events (DE.AE)
• Security Continuous Monitoring (DE.CM)
• Detection Processes (DE.DP)
[Figure: AWS building blocks shown for Detect – Flow logs feeding an event-based Lambda Function]
NIST CSF: Respond
• Response Planning (RS.RP)
• Communications (RS.CO)
• Analysis (RS.AN)
• Mitigation (RS.MI)
• Improvements (RS.IM)
Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. AWS service configurations and Security Automation are updated/improved.
[Figure: AWS building blocks shown for Respond – Filtering rule, ACL, Subnet, Rule]
Automate with integrated services
[Figure: Event (event-based) triggers a Lambda Function, which updates a Filtering rule; other AWS & Partner Services integrate into the same flow]
NIST CSF: Recover
• Recovery Planning (RC.RP)
• Improvements (RC.IM)
• Communications (RC.CO)
Organizational recovery activities are improved by incorporating lessons learned from current and previous detection/response activities. AWS service configurations and Security Automation are updated/improved.
Thank you!