© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

AWS Security | Aligning to the NIST Cybersecurity Framework in the AWS Cloud




• What is the NIST Cybersecurity Framework (CSF)?

• Why Use the NIST CSF?

• AWS Responsibilities: AWS Services Alignment with the NIST CSF

• Customer Responsibilities: Use of AWS Services to Align to the NIST CSF


What is the NIST CSF?


What is the NIST Cybersecurity Framework?


• A voluntary framework comprised of best practices to help organizations of any size and in any sector improve the cybersecurity, risk management, and resilience of their systems.

• Common taxonomy to align organization’s business drivers and security considerations specific to its use of technology

• Uses existing standards to scale across borders, evolve with technological advances and business requirements, and provide economies of scale

• Originally intended for critical infrastructure but applicable across all organization types


Why was the NIST CSF created?


Executive Order: Presidential Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” charged NIST with developing the framework in February 2013.

Legislation: The Cybersecurity Enhancement Act of 2014 reinforced the legitimacy and authority of the CSF by codifying its development and voluntary adoption into law.

In February 2014, the National Institute of Standards and Technology (NIST) published the “Framework for Improving Critical Infrastructure Cybersecurity” (or CSF), a voluntary framework to help organizations of any size and sector improve the cybersecurity, risk management, and resilience of their systems. Originally intended for critical infrastructure, it has broader applicability across all organization types.

Executive Order: Presidential EO 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” mandates the use of the CSF for all Federal IT.


Who is NIST?


• The National Institute of Standards and Technology is a non-regulatory federal agency within the Department of Commerce

• Conducts research, tests products/services, develops standards, among other functions

• NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems

• NIST 800 series (800-53 security and privacy controls, 800-37 risk management framework, 800-61 incident handling, 800-145 cloud computing definition)

• FIPS (140-2 encryption, 199 security categorization)

• NIST and its standards are recognized worldwide


What is considered critical infrastructure?


In the U.S., there are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

1. Chemical
2. Commercial Facilities
3. Communications
4. Critical Manufacturing
5. Dams
6. Defense Industrial Base
7. Emergency Services
8. Energy
9. Financial Services
10. Food and Agriculture
11. Government Facilities
12. Healthcare and Public Health
13. Information Technology
14. Nuclear Reactors, Materials, and Waste
15. Transportation Systems
16. Water and Wastewater Systems


What is the NIST Cybersecurity Framework?

The CSF offers a simple-yet-effective risk-based, outcome-focused framework consisting of three elements: Core, Tiers, and Profiles.

• Core: represents a set of cybersecurity practices, outcomes, and technical, operational, and managerial security controls (referred to as Informative References) that support the five risk management functions: Identify, Protect, Detect, Respond, Recover.

• Tiers: characterize an organization’s aptitude for managing cybersecurity risk, from Tier 1 (Partial) through Tier 2 (Risk Informed) and Tier 3 (Repeatable) to Tier 4 (Adaptive).

• Profiles: intended to convey the organization’s “as is” (Current) and “desired” (Target) risk posture.

These three elements enable organizations to prioritize and address cybersecurity risks consistent with their business and mission needs.


“NIST’s ‘Identify’ function regarding ‘Risk Management Strategy’ mapped to 9 different regulatory requirements… each proposal modifies language and definitions, requiring firms to comply with largely the same but distinct requirements. Opportunities to streamline so focus is not on compliance but security.”

- Financial Services Sector Coordinating Council

Different lexicon, same security objective.


NIST CSF Core: five functions, 23 categories, and 108 subcategories (outcome-based security activities).

Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management

Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology

Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes

Respond: Response Planning; Communications; Analysis; Mitigation; Improvements

Recover: Recovery Planning; Improvements; Communications


NIST CSF | Core

Function - overarching organization of cybersecurity lifecycle management

Category - desired security outcome

Subcategory - risk-based security activity (i.e., controls)

Informative References - standards mapping



Why Use the NIST Cybersecurity Framework?

• Common taxonomy around risk management

• No cost

• Risk-based, outcome-focused

• Leverages existing accreditations, standards, and controls

• Flexible and adaptive

• Relevant to techs and execs

• Sector agnostic: adopted in Health Care, the Commercial sector, Federal Agencies, States, Financial Services, and internationally (Italy, Japan, Israel, Uruguay)


Internationalization of the NIST CSF

ISO/IEC 27103:2018 - Cybersecurity and ISO and IEC Standards (Feb 2018)

- Guidance for implementing a cybersecurity framework leveraging existing standards

- Promotes the same concepts and best practices reflected in the NIST CSF

DRAFT ISO 27101 - Cybersecurity framework development guidelines

- Identifies concepts for creating and implementing a cybersecurity framework

- Construct includes five functions (Identify, Protect, Detect, Respond, Recover) and foundational activities that crosswalk to existing standards, accreditations and frameworks


Aligning to the NIST CSF in the AWS Cloud

AWS accomplishes two objectives with the whitepaper:

Security of the cloud - Provides a third-party attestation that AWS infrastructure and services conform to NIST CSF risk-management practices, assuring customers that their data is protected across AWS.

Security in the cloud - Maps the NIST CSF to AWS Cloud offerings that customers can use to align to the NIST CSF. We provide a detailed breakout of AWS services and associated customer and AWS responsibilities to facilitate alignment to the NIST CSF.


AWS Services Alignment with the CSF

As validated by our third-party assessor, the services that maintain an accreditation under FedRAMP Moderate and/or ISO 27001/27101/27017 align with the CSF.

✓ Validated the NIST CSF mapping to NIST SP 800-53 security control requirements

✓ Reviewed the AWS services that have undergone the FedRAMP Moderate and ISO 9001 / 27001 / 27017 / 27018 accreditations that meet the control requirements

✓ All services recommended for inclusion were validated as in scope for the AWS FedRAMP Moderate and ISO attestations (marked with italics in the customer workbook, Appendix A of the whitepaper)

When deploying AWS solutions, organizations can have the confidence that:

• AWS services uphold risk management best practices defined in the CSF

• Customers can leverage these solutions for their own alignment to the CSF

Aligning to the NIST CSF in the AWS Cloud


NIST CSF: Identify

Categories: Asset Management (ID.AM); Business Environment (ID.BE); Governance (ID.GV); Risk Assessment (ID.RA); Risk Management Strategy (ID.RM); Supply Chain Risk Management (ID.SC)

[Diagram of AWS services mapped to Identify; recoverable labels: Inventory, Lambda Function Event (event-based, shown twice), Enterprise Agreement]


NIST CSF: Protect

Categories: Identity Management, Authentication and Access Control (PR.AC); Awareness and Training (PR.AT); Data Security (PR.DS); Information Protection Processes and Procedures (PR.IP); Maintenance (PR.MA); Protective Technology (PR.PT)

[Diagram of AWS services mapped to Protect; recoverable labels: AWS STS, MFA token, Role, Permissions]


Protect in AWS Architecture

[Diagram: AWS Cloud > AWS Region > VPC spanning Availability Zone A and Availability Zone B; each zone has a Public Subnet with Web Servers in an Auto Scaling group, an App Subnet with App Servers in an Auto Scaling group, and a DB Subnet (DB Primary in one zone, DB Secondary in the other)]


NIST CSF: Detect

Categories: Anomalies and Events (DE.AE); Security Continuous Monitoring (DE.CM); Detection Processes (DE.DP)

[Diagram of AWS services mapped to Detect; recoverable labels: Flow logs, Lambda Function Event (event-based)]


NIST CSF: Respond

Categories: Response Planning (RS.RP); Communications (RS.CO); Analysis (RS.AN); Mitigation (RS.MI); Improvements (RS.IM)

Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. AWS service configurations and Security Automation are updated/improved.

[Diagram of AWS services mapped to Respond; recoverable labels: Filtering rule, ACL, Subnet Rule]


Automate with integrated services

[Diagram: an Event (event-based) invokes a Lambda Function, which updates a Filtering rule; Other AWS & Partner Services integrate with the same flow]
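The Detect-to-Respond loop the Detect, Respond and automation slides sketch (flow logs feeding an event-based Lambda function that tightens an ACL rule), as an added example that is not part of the deck or AWS's own code. The flow-log records, the ACL id and the existing rule numbers are constructed, and the hypothetical handler only builds the arguments a real function would pass to boto3's create_network_acl_entry rather than calling AWS.

```python
"""Detect -> Respond automation for the slides' flow-log -> Lambda -> network ACL
pattern. Added example, not AWS code; assumes the default VPC Flow Log format."""
from collections import defaultdict
# Constructed sample in default VPC Flow Log (v2) field order (see FIELDS below);
# 203.0.113.10 probes three ports and is REJECTed each time.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51234 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51235 23 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51236 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40001 443 6 20 5000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - 0 0 1700000000 1700000060 - NODATA
"""
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow_log(text):
    """Parse default-format records; drop NODATA/SKIPDATA records and short lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS) and parts[-1] == "OK":
            records.append(dict(zip(FIELDS, parts)))
    return records

def detect_port_scanners(records, min_rejected_ports=3):
    """DE.AE: sources whose REJECTed flows hit >= N distinct destination ports."""
    rejected = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            rejected[rec["srcaddr"]].add(rec["dstport"])
    return sorted(s for s, p in rejected.items() if len(p) >= min_rejected_ports)

def choose_rule_number(existing, step=10):
    """NACL rules apply in ascending order, so a deny must sit below every allow."""
    lowest = min(existing, default=step + 1)
    if lowest - step < 1:
        raise ValueError("no free rule number below existing rules")
    return lowest - step

def build_deny_entry(acl_id, src_ip, rule_number):
    """RS.MI: kwargs for boto3 ec2.create_network_acl_entry (not invoked here)."""
    return {"NetworkAclId": acl_id, "RuleNumber": rule_number, "Protocol": "-1",
            "RuleAction": "deny", "Egress": False, "CidrBlock": f"{src_ip}/32"}

def handler(flow_log_text, acl_id, existing_rules):
    # Lambda-style entry point: detect, then emit one inbound deny entry per offender.
    entries, used = [], list(existing_rules)
    for src in detect_port_scanners(parse_flow_log(flow_log_text)):
        used.append(choose_rule_number(used))
        entries.append(build_deny_entry(acl_id, src, used[-1]))
    return entries
```

The rule-number check is the part worth keeping in any real deployment: a deny placed above an existing allow never fires, so the function refuses rather than silently producing a no-op rule.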


NIST CSF: Recover

Categories: Recovery Planning (RC.RP); Improvements (RC.IM); Communications (RC.CO)

Organizational recovery activities are improved by incorporating lessons learned from current and previous detection/response activities. AWS service configurations and Security Automation are updated/improved.


Thank you!