Aligning to the NIST Cybersecurity Framework in the AWS Cloud - GRC203-R - AWS re:Inforce 2019

The NIST Cybersecurity Framework (CSF) is recognized as the de facto guide for best practices in cybersecurity and risk-management for organizations of any size and in any sector or location. In this session, learn how to implement AWS services to align to the 108 outcome-based security activities in the NIST CSF. We discuss the AWS whitepaper and customer workbook, which cover the many AWS services customers can use to align to the NIST CSF, including IAM, AWS CloudTrail, Amazon CloudWatch, Amazon GuardDuty, Amazon Macie, Amazon EC2, Amazon Cognito, AWS SSO, VPC Flow Logs.

  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Aligning to the NIST Cybersecurity Framework in the AWS Cloud (GRC203-R). Min Hyun, Global Lead, Growth Strategies, AWS Security; Michael South, Americas Regional Leader, Public Sector Security and Compliance, AWS
  2. Related repeats: Wednesday, June 26, GRC203-R1: Aligning to the NIST Cybersecurity Framework in the AWS Cloud, 11:00 AM – 12:00 PM | Level 0, Hall B2, Red
  3. Agenda: What is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)? Why use the NIST CSF? AWS responsibilities: AWS services alignment with the NIST CSF. Customer responsibilities: use of AWS services to align to the NIST CSF
  5. What is the NIST CSF?
     • It is a voluntary framework composed of best practices to help organizations of any size and in any sector improve the cybersecurity, risk management, and resilience of their systems
     • It has a common taxonomy to align an organization’s business drivers and security considerations that are specific to its use of technology
     • It uses existing standards to scale across borders, evolve with technological advances and business requirements, and provide economies of scale
     • It was originally intended for critical infrastructure but is applicable across all organization types
  6. What is considered critical infrastructure? “There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the US that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” —Department of Homeland Security
     1. Chemical
     2. Commercial facilities
     3. Communications
     4. Critical manufacturing
     5. Dams
     6. Defense industrial bases
     7. Emergency services
     8. Energy
     9. Financial services
     10. Food and agriculture
     11. Government facilities
     12. Healthcare and public health
     13. Information technology
     14. Nuclear reactors, materials, and waste
     15. Transportation systems
     16. Water and wastewater systems
  7. What is the NIST CSF? In February 2014, NIST published the “Framework for Improving Critical Infrastructure Cybersecurity” (or CSF), a voluntary framework to help organizations of any size and sector improve the cybersecurity, risk management, and resilience of their systems. It was originally intended for critical infrastructure, but it has broader applicability across all organization types.
     • Executive order: Presidential Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” charges NIST in February 2013
     • Legislation: the Cybersecurity Enhancement Act of 2014 reinforced the legitimacy and authority of the CSF by codifying it and its voluntary adoption into law
     • Executive order: Presidential Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” mandates the use of the CSF for all federal IT
  8. What is the NIST CSF? The CSF offers a simple, yet effective risk-based, outcome-focused framework consisting of three elements: core, tiers, and profiles. These three elements enable organizations to prioritize and address cybersecurity risks consistent with their business and mission needs.
     • Core (Identify, Protect, Detect, Respond, Recover): the core represents a set of cybersecurity practices, outcomes, and technical, operational, and managerial security controls (referred to as informative references) that support the five risk management functions
     • Tiers (Tier 1: Partial; Tier 2: Risk informed; Tier 3: Repeatable; Tier 4: Adaptive): tiers characterize an organization’s aptitude for managing cybersecurity risk
     • Profiles (Current, Target): profiles are intended to convey the organization’s as-is and desired risk postures
  9. Financial services sector: Target profile. NIST’s “Identify” function regarding “Risk Management Strategy” mapped to 9 different regulatory requirements. “…each proposal modifies language and definitions, requiring firms to comply with largely the same but distinct requirements. Opportunities to streamline so focus is not on compliance but security.” —Financial Services Sector Coordinating Council
  10. NIST CSF: Core. Five functions, 23 categories, and 108 subcategories (outcome-based security activities)
     • Identify: Asset management; Business environment; Governance; Risk assessment; Risk management strategy; Supply chain risk management
     • Protect: Access control; Awareness and training; Data security; Information protection processes and procedures; Maintenance; Protective technology
     • Detect: Anomalies and events; Security continuous monitoring; Detection processes
     • Respond: Response planning; Communications; Analysis; Mitigation; Improvements
     • Recover: Recovery planning; Improvements; Communications
  11. NIST CSF: Core
     • Function: overarching organization of cybersecurity lifecycle management
     • Category: desired security outcome
     • Subcategory: risk-based security activity (i.e., controls)
     • Informative references: standards mapping
  12. NIST CSF: Core
  13. Why use the NIST CSF?
     • Common taxonomy around risk management
     • No cost
     • Risk-based, outcome-focused
     • Leverages existing accreditations, standards, and controls
     • Flexible and adaptive
     • Relevant to techs and execs
     • Sector agnostic: healthcare, commercial sector, federal agencies, states, financial services; adopted internationally in Italy, Japan, Israel, and Uruguay
  14. Why use the NIST CSF?
     • According to Gartner, the CSF is used by approximately 30 percent of US private sector organizations and is projected to reach 50 percent by 2020
     • As of the release of this report, all 16 US critical infrastructure sectors use the CSF, and over 20 states have implemented it
     • Since FY 2017, US federal agency Federal Information Security Modernization Act (FISMA) metrics are organized around the CSF and now reference it as a “standard for managing and reducing cybersecurity risks”
     • Over 20 states have implemented the CSF, and it has been supported by the NGA/NASCIO
  15. Internationalization of the NIST CSF
     • ISO/IEC 27103:2018, Cybersecurity and ISO and IEC standards (February 2018), FINAL: a technical report on implementing a cybersecurity framework leveraging existing standards; promotes the same concepts and best practices reflected in the NIST CSF
     • ISO 27101, Cybersecurity framework development guidelines, DRAFT: concepts include five functions (identify, protect, detect, respond, recover) and foundational activities that crosswalk to existing standards, accreditations, and frameworks
  16. Aligning to the NIST CSF in the AWS Cloud. AWS accomplishes two objectives with the whitepaper:
     • Security of the cloud: provides a third-party attestation that AWS infrastructure and services conform to NIST CSF risk management practices based on FedRAMP and ISO 27001 accreditations, assuring customers that their data is protected across AWS
     • Security in the cloud: maps the NIST CSF to AWS Cloud offerings that customers can use to align to the NIST CSF; provides a detailed breakdown of AWS services and the associated customer and AWS responsibilities to facilitate alignment to the NIST CSF
  17. AWS services alignment with the CSF. When deploying AWS solutions, organizations can have the assurance that AWS services uphold risk management best practices defined in the CSF and can leverage these solutions for their own alignment to the CSF. As validated by our third-party assessor, the services that maintain an accreditation under FedRAMP moderate and/or ISO 27001, ISO 27101, and ISO 27017 align with the CSF.
     • Validated the NIST CSF citations mapping to NIST SP 800-53 security control requirements
     • Reviewed the AWS services that have undergone the FedRAMP moderate and ISO 9001/27001/27017/27018 accreditations that meet the citation or control requirement
     • During the service validation, identified additional citations that may have available scoped services that meet the requirement
     • All services recommended for inclusion were validated as in scope to the AWS FedRAMP moderate and ISO attestations (marked in italics in the workbook)
  18. Aligning to the NIST CSF in the AWS Cloud. How to use this resource:
     • Executive level: summary of AWS and customer responsibilities to align to each of the five functions in the CSF (identify, protect, detect, respond, and recover); third-party attestation
     • Technical level: detailed mapping of AWS services and resources (beyond FedRAMP and ISO 27001); customer responsibilities; AWS responsibilities
  20. NIST CSF: Identify. Categories: Asset management (ID.AM); Business environment (ID.BE); Governance (ID.GV); Risk assessment (ID.RA); Risk management strategy (ID.RM); Supply chain risk management (ID.SC). Diagram labels: Inventory; Lambda function; Event (event-based); Enterprise agreement
  21. NIST CSF: Protect. Categories: Identity management, authentication, and access control (PR.AC); Awareness and training (PR.AT); Data security (PR.DS); Information protection processes and procedures (PR.IP); Maintenance (PR.MA); Protective technology (PR.PT). Diagram labels: AWS STS; MFA token; Role; Permissions
  22. Protect in AWS architecture. Diagram labels: AWS Cloud; AWS Region; VPC; Availability zone A and Availability zone B, each with a public subnet (web servers in an Auto Scaling group), an application subnet (app servers in an Auto Scaling group), and a database subnet (database primary in one zone, database secondary in the other)
  23. NIST CSF: Detect. Categories: Anomalies and events (DE.AE); Security continuous monitoring (DE.CM); Detection processes (DE.DP). Diagram labels: Flow logs; Lambda function; Event (event-based)
  24. NIST CSF: Respond. Categories: Response planning (RS.RP); Communications (RS.CO); Analysis (RS.AN); Mitigation (RS.MI); Improvements (RS.IM). Organizational response activities are improved by incorporating lessons learned from current and previous detection and response activities; AWS service configurations and security automation are updated and improved. Diagram labels: Filtering rule; ACL; Subnet; Rule
  25. Automate with integrated services. Diagram labels: Event (event-based); AWS Lambda function; Filtering rule; Other AWS and partner services
  26. NIST CSF: Recover. Categories: Recovery planning (RC.RP); Improvements (RC.IM); Communications (RC.CO). Organizational recovery activities are improved by incorporating lessons learned from current and previous detection and response activities; AWS service configurations and security automation are updated and improved
  27. Thank you! Min Hyun, hyunmin@amazon.com; Michael South, mlsouth@amazon.com
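Slides 23 to 25 sketch the customer-side Detect and Respond pattern (VPC Flow Logs feeding an event-driven Lambda function that adjusts a filtering rule) only as diagram labels. The following is an added example, not code from the deck or from AWS, of what the body of such a Lambda could do: parse default-format flow log records, flag a source address that has been rejected on many distinct destination ports (an anomalies-and-events style rule for DE.AE), and turn each hit into the parameters of a network ACL deny entry (the mitigation step, RS.MI). The log lines, account ID, network interface ID and ACL ID are all constructed; the threshold `min_ports` and the rule-number allocation are the example's own choices; and the dictionary is shaped after the EC2 CreateNetworkAclEntry API as an assumption, so the AWS call itself is never made here.

```python
"""Added example (not AWS's code): flow-log anomaly detection feeding a
network ACL deny rule, in the shape of the Detect/Respond automation the
slides sketch. Sample data is constructed; no AWS API is called."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field order of the default (version 2) VPC Flow Log record format.
FLOW_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status")


@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str  # "ACCEPT" or "REJECT"


def parse_flow_log(line: str) -> Optional[FlowRecord]:
    """Parse one default-format flow log line.

    NODATA / SKIPDATA records carry '-' in the traffic fields, so they are
    dropped before any int() conversion is attempted.
    """
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        return None
    rec = dict(zip(FLOW_FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]),
                      int(rec["dstport"]), int(rec["protocol"]), rec["action"])


def find_port_sweeps(lines: List[str], min_ports: int = 5) -> Dict[str, List[int]]:
    """Anomaly rule (DE.AE): sources whose packets were REJECTed on at least
    min_ports distinct destination ports. Returns {srcaddr: sorted ports}."""
    rejected_ports = defaultdict(set)
    for line in lines:
        rec = parse_flow_log(line)
        if rec is not None and rec.action == "REJECT":
            rejected_ports[rec.srcaddr].add(rec.dstport)
    return {src: sorted(ports) for src, ports in rejected_ports.items()
            if len(ports) >= min_ports}


def nacl_deny_entry(src_ip: str, nacl_id: str, rule_number: int) -> dict:
    """Mitigation (RS.MI): parameters for an inbound deny-all rule for one /32.
    Shaped after EC2 CreateNetworkAclEntry (assumption; verify against the
    boto3 docs). NACL rules are evaluated lowest number first, so the deny
    must be numbered below the subnet's allow rules to take effect."""
    return {"NetworkAclId": nacl_id, "RuleNumber": rule_number, "Protocol": "-1",
            "RuleAction": "deny", "Egress": False, "CidrBlock": f"{src_ip}/32"}


def respond_to_flow_logs(lines: List[str], nacl_id: str,
                         first_rule: int = 100, min_ports: int = 5) -> List[dict]:
    """What a Lambda handler body would do: detect, then emit one deny entry
    per offending source, with rule numbers allocated from first_rule."""
    sweeps = find_port_sweeps(lines, min_ports)
    return [nacl_deny_entry(src, nacl_id, first_rule + i)
            for i, src in enumerate(sorted(sweeps))]


# Constructed sample records: account ID, ENI and addresses are placeholders.
ENI = "eni-0123456789abcdef0"
SAMPLE_LINES = [
    f"2 123456789012 {ENI} 198.51.100.7 10.0.1.10 40001 22 6 1 40 1560000000 1560000060 REJECT OK",
    f"2 123456789012 {ENI} 198.51.100.7 10.0.1.10 40002 23 6 1 40 1560000000 1560000060 REJECT OK",
    f"2 123456789012 {ENI} 198.51.100.7 10.0.1.10 40003 80 6 1 40 1560000000 1560000060 REJECT OK",
    f"2 123456789012 {ENI} 198.51.100.7 10.0.1.10 40004 443 6 1 40 1560000000 1560000060 REJECT OK",
    f"2 123456789012 {ENI} 198.51.100.7 10.0.1.10 40005 3389 6 1 40 1560000000 1560000060 REJECT OK",
    f"2 123456789012 {ENI} 198.51.100.7 10.0.1.10 40006 8080 6 1 40 1560000000 1560000060 REJECT OK",
    f"2 123456789012 {ENI} 203.0.113.9 10.0.1.10 51000 22 6 1 40 1560000000 1560000060 REJECT OK",
    f"2 123456789012 {ENI} 203.0.113.9 10.0.1.10 51001 3389 6 1 40 1560000000 1560000060 REJECT OK",
    f"2 123456789012 {ENI} 10.0.2.5 10.0.1.10 52000 443 6 20 4249 1560000000 1560000060 ACCEPT OK",
    f"2 123456789012 {ENI} - - - - - - - 1560000000 1560000060 - NODATA",
]

if __name__ == "__main__":
    for entry in respond_to_flow_logs(SAMPLE_LINES, "acl-0123456789abcdef0"):
        print(entry)
```

In a real deployment the event source would be the flow log delivery (for example via CloudWatch Logs subscription) rather than a list literal, and the deny entries would be applied with the EC2 API; the threshold deliberately leaves the two-port source alone so that a single retry does not earn a block. Network ACLs are stateless and per subnet, so the same record of what was blocked and why belongs in the response log the RS.IM and RC.IM slides call for.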
