SlideShare a Scribd company logo

Aligning to the NIST Cybersecurity Framework in the AWS Cloud - SEC204 - Chicago AWS Summit

Amazon Web Services
Amazon Web Services

The NIST Cybersecurity Framework (CSF) is endorsed by government and industry as a recommended baseline for use by any organization, regardless of sector or size, to implement risk-management best practices and achieve desired security outcomes. In this session, we discuss how organizations can use AWS to align to the CSF by providing a detailed breakout of AWS services and associated customer responsibilities (security in the cloud) and AWS responsibilities (security of the cloud).

1 of 25
Download to read offline
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Aligning to the NIST Cybersecurity Framework in the AWS cloud Tim Anderson Sr. technical industry specialist AWS Security S E C 2 0 4
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Agenda What is the NIST Cybersecurity Framework (CSF)? Why use the NIST CSF? AWS responsibilities: AWS alignment with the NIST CSF Customer responsibilities: Use of AWS services to align to the NIST CSF
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. What is the NIST CSF?
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T What is the NIST Cybersecurity Framework? 4 • A voluntary framework composed of best practices to help organizations of any size and in any sector improve the cybersecurity, risk management, and resilience of their systems • Common taxonomy to align an organization’s business drivers and security considerations specific to its use of technology • Uses existing standards to scale across borders, evolve with technological advances and business requirements, and provide economies of scale • Originally intended for critical infrastructure, but applicable across all organization types
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Why was the NIST CSF created? 5 Executive Order Presidential Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” charges NIST in Feb. 2013 Legislation Cybersecurity Enhancement Act of 2014 reinforced the legitimacy and authority of the CSF by codifying its development and voluntary adoption into law In February 2014, the National Institute of Standards and Technology (NIST) published the “Framework for Improving Critical Infrastructure Cybersecurity” (or CSF), a voluntary framework to help organizations of any size and sector improve the cybersecurity, risk management, and resilience of their systems. Originally intended for critical infrastructure, but broader applicability across all organization types. Executive Order Presidential EO 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” mandates the use of CSF for all federal IT
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T What is considered critical infrastructure? 7 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. 1. Chemical 2. Commercial Facilities 3. Communications 4. Critical Manufacturing 5. Dams 6. Defense Industrial Base 7. Emergency Services 8. Energy 9. Financial Services 10. Food and Agriculture 11. Government Facilities 12. Healthcare and Public Health 13. Information Technology 14. Nuclear Reactors, Materials, and Waste 15. Transportation Systems 16. Water and Wastewater Systems
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T What is the NIST Cybersecurity Framework? The CSF offers a simple yet effective, risk-based, outcome-focused framework consisting of three elements—Core, Tiers, and Profiles. • The Core represents a set of cybersecurity practices, outcomes, and technical, operational, and managerial security controls (referred to as Informative References) that support the five risk management functions Core • Tiers characterize an organization’s aptitude for managing cybersecurity risk Tiers • Profiles are intended to convey the organization’s “as is” and “desired” risk posture Profiles Identify Protect Detect Respond Recover Tier 4- Adaptive Tier 3- Repeat- able Tier 2- Risk Informed Tier 1- Partial Current Target These three elements enable organizations to prioritize and address cybersecurity risks consistent with their business and mission needs.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Identify Protect Detect Respond Recover Asset management Business environment Governance Risk Assessment Risk Assessment Strategy Supply Chain Risk Management Access Control Awareness and Training Data Security Information Protection Processes and Procedures Maintenance Protective Technology Anomalies and Events Security Continuous Monitoring Detection Processes Response Planning Communications Analysis Mitigation Improvements Recovery Planning Improvements Communications Subcategories (108 outcome-based security activities) NIST CSF | Core 23 Categories
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T NIST CSF | Core Function— overarching organization of cybersecurity life cycle management Category—desired security outcome Subcategory—risk- based security activity (i.e., controls) Informative references—standards mapping
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T NIST CSF | Core
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Why use the NIST Cybersecurity Framework? Common taxonomy around risk management No cost Risk-based, outcome-focused Leverages existing accreditations, standards, and controls Flexible and adaptive Relevant to techs and execs Sector agnostic Health Care Commercial Sector Federal Agencies States Italy, Japan, Israel, Uruguay Financial Services
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Why use the NIST Cybersecurity Framework? According to Gartner, the CSF is used by approximately 30 percent of U.S. private sector organizations and projected to reach 50 percent by 2020. As of the release of this report, all 16 U.S. critical infrastructure sectors use the CSF and over 20 states have implemented it. Since fiscal year 2016, U.S. federal agency Federal Information Security Modernization Act (FISMA) metrics have been organized around the CSF and now reference it as a “standard for managing and reducing cybersecurity risks.” Over 20 states have implemented the CSF, and it has been supported by the NGA/NASCIO.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Internationalization of the NIST CSF ISO/IEC 27103:2018— Cybersecurity and ISO and IEC Standards (Feb. 2018) - Technical report on implementing a cybersecurity framework leveraging existing standards - Promotes the same concepts and best practices reflected in the NIST CSF FINAL ISO 27103 DRAFT ISO 27101— Cybersecurity framework development guidelines - Concepts include five functions (Identify, Protect, Detect, Respond, Recover) and foundational activities that crosswalk to existing standards, accreditations and frameworks DRAFT ISO 27101
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Aligning to the NIST CSF in the AWS cloud AWS accomplishes two objectives with the whitepaper: Security of the cloud—Provides a third-party attestation that AWS infrastructure and services conform to NIST CSF risk- management practices, assuring customers that their data is protected across AWS. Security in the cloud—Maps the NIST CSF to AWS cloud offerings that customers can use to align to the NIST. We provide a detailed breakout of AWS services and associated customer and AWS responsibilities to facilitate alignment to the NIST CSF.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS services alignment with the CSF • As validated by our third-party assessor, the services that maintain an accreditation under FedRAMP Moderate and/or ISO 27001/27101/27017 align with the CSF. ✓ Validated the NIST CSF Citations mapping to NIST SP 800-53 security control requirements ✓ Reviewed the AWS services that have undergone the FedRAMP Moderate and ISO 9001/27001/27017/27018 accreditations that meet the citation or control requirement ✓ During the service validation, identified additional citations that may have available scoped services that meet the requirement ✓ All services recommended for inclusion were validated as in scope to the AWS FedRAMP Moderate and ISO attestations—marked with *italics in workbook When deploying AWS solutions, organizations can have the assurance that AWS services uphold risk management best practices defined in the CSF and can leverage these solutions for their own alignment to the CSF.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Aligning to the NIST CSF in the AWS cloud How to use the whitepaper: 1. Executive level • Summary of AWS and customer responsibilities to align to each of the five functions in the CSF (Identify, Protect, Detect, Respond, Recover) • Third-party attestation 2. Technical level • Detailed mapping of AWS services and resources (beyond FedRAMP and ISO 27001) • Customer responsibilities • AWS responsibilities
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Asset Management (ID.AM) Business Environment (ID.BE) Governance (ID.GV) Risk Assessment (ID.RA) Risk Management Strategy (ID.RM) Supply Chain Risk Management (ID.SC) Inventory Lambda Function Event (event-based) Lambda Function Event (event-based) Enterprise Agreement NIST CSF | Identify
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T NIST CSF | Protect Identity Management, Authentication, and Access Control (PR.AC) Awareness and Training (PR.AT) Data Security (PR.DS) Information Protection Processes and Procedures (PR.IP) Maintenance (PR.MA) Protective Technology (PR.PT) AWS Security Token Service (AWS STS) MFA token Role Permissions
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Auto Scaling group Public Subnet Public Subnet Auto Scaling group Protect in AWS Architecture AWS Cloud AWS Region VPC Availability Zone A Availability Zone B App Subnet App Subnet DB Subnet DB Subnet DB Primary DB Secondary Web Servers Web Servers App Servers App Servers
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T NIST CSF | Detect Anomalies and Events (DE.AE) Security Continuous Monitoring (DE.CM) Detection Processes (DE.DP) Flow logs Lambda Function Event (event-based)
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Response Planning (RS.RP) Communications (RS.CO) Analysis (RS.AN) Mitigation (RS.MI) Improvements (RS.IM) Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. AWS service configurations and security automation are updated/ improved. NIST CSF | Respond Filtering rule ACL Subnet Rule
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Event (event- based) Lambda Function Filtering rule Other AWS & Partner Services Automate with integrated services
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T NIST CSF | Recover Recovery Planning (RC.RP) Improvements (RC.IM) Communications (RC.CO) Organizational recover activities are improved by incorporating lessons learned from current and previous detection/response activities. AWS service configurations and security automation are updated/ improved.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Thank you! S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Tim Anderson Sr. technical industry specialist AWS Security tdander@amazon.com

Recommended

Aligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWS
Amazon Web Services
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
Maganathin Veeraragaloo
 
Kubernetes on AWS with Amazon EKS
Kubernetes on AWS with Amazon EKSKubernetes on AWS with Amazon EKS
Kubernetes on AWS with Amazon EKS
Amazon Web Services
 
Microsoft Azure Security Overview
Microsoft Azure Security OverviewMicrosoft Azure Security Overview
Microsoft Azure Security Overview
Alert Logic
 
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
Amazon Web Services
 
Multi cloud security architecture
Multi cloud security architecture Multi cloud security architecture
Multi cloud security architecture
Maganathin Veeraragaloo
 
AWS Cloud Adoption Framework and Workshops
AWS Cloud Adoption Framework and WorkshopsAWS Cloud Adoption Framework and Workshops
AWS Cloud Adoption Framework and Workshops
Tom Laszewski
 
AWS Cloud Adoption Framework
AWS Cloud Adoption Framework AWS Cloud Adoption Framework
AWS Cloud Adoption Framework
Amazon Web Services
 

Recommended

Aligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWS
Amazon Web Services
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
Maganathin Veeraragaloo
 
Kubernetes on AWS with Amazon EKS
Kubernetes on AWS with Amazon EKSKubernetes on AWS with Amazon EKS
Kubernetes on AWS with Amazon EKS
Amazon Web Services
 
Microsoft Azure Security Overview
Microsoft Azure Security OverviewMicrosoft Azure Security Overview
Microsoft Azure Security Overview
Alert Logic
 
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
Amazon Web Services
 
Multi cloud security architecture
Multi cloud security architecture Multi cloud security architecture
Multi cloud security architecture
Maganathin Veeraragaloo
 
AWS Cloud Adoption Framework and Workshops
AWS Cloud Adoption Framework and WorkshopsAWS Cloud Adoption Framework and Workshops
AWS Cloud Adoption Framework and Workshops
Tom Laszewski
 
AWS Cloud Adoption Framework
AWS Cloud Adoption Framework AWS Cloud Adoption Framework
AWS Cloud Adoption Framework
Amazon Web Services
 
How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...
How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...
How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...
Amazon Web Services
 
Assessing Your Company's Cloud Readiness
Assessing Your Company's Cloud ReadinessAssessing Your Company's Cloud Readiness
Assessing Your Company's Cloud Readiness
Amazon Web Services
 
Cloud migration strategies
Cloud migration strategiesCloud migration strategies
Cloud migration strategiesSogetiLabs
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
AWS Technical Essentials Day
AWS Technical Essentials DayAWS Technical Essentials Day
AWS Technical Essentials Day
Amazon Web Services
 
Building Your Cloud Strategy
Building Your Cloud StrategyBuilding Your Cloud Strategy
Building Your Cloud Strategy
Amazon Web Services
 
[Azure Governance] Lesson 4 : Azure Policy
[Azure Governance] Lesson 4 : Azure Policy[Azure Governance] Lesson 4 : Azure Policy
[Azure Governance] Lesson 4 : Azure Policy
☁ Hicham KADIRI ☁
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to Hero
Kasun Rajapakse
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security Overview
Allen Brokken
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Amazon Web Services
 
(ISM305) Framework: Create Cloud Strategy & Accelerate Results
(ISM305) Framework: Create Cloud Strategy & Accelerate Results(ISM305) Framework: Create Cloud Strategy & Accelerate Results
(ISM305) Framework: Create Cloud Strategy & Accelerate Results
Amazon Web Services
 
Governance Strategies & Tools for Cloud Formation
Governance Strategies & Tools for Cloud Formation Governance Strategies & Tools for Cloud Formation
Governance Strategies & Tools for Cloud Formation
Amazon Web Services
 
AWS Security Checklist
AWS Security ChecklistAWS Security Checklist
AWS Security Checklist
Amazon Web Services
 
Introduction to Incident Response on AWS
Introduction to Incident Response on AWSIntroduction to Incident Response on AWS
Introduction to Incident Response on AWS
Amazon Web Services
 
AWS Business Essentials Day
AWS Business Essentials DayAWS Business Essentials Day
AWS Business Essentials Day
Amazon Web Services
 
An Introduction to the AWS Well Architected Framework - Webinar
An Introduction to the AWS Well Architected Framework - WebinarAn Introduction to the AWS Well Architected Framework - Webinar
An Introduction to the AWS Well Architected Framework - Webinar
Amazon Web Services
 
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
Amazon Web Services Korea
 
Power of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure securityPower of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure security
Bruno Capuano
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
AWS User Group Bengaluru
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security Solution
Prime Infoserv
 
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019 AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
Amazon Web Services
 
How to Enhance Your Application Security Strategy with F5 on AWS
How to Enhance Your Application Security Strategy with F5 on AWS How to Enhance Your Application Security Strategy with F5 on AWS
How to Enhance Your Application Security Strategy with F5 on AWS
Amazon Web Services
 

More Related Content

What's hot

How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...
How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...
How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...
Amazon Web Services
 
Assessing Your Company's Cloud Readiness
Assessing Your Company's Cloud ReadinessAssessing Your Company's Cloud Readiness
Assessing Your Company's Cloud Readiness
Amazon Web Services
 
Cloud migration strategies
Cloud migration strategiesCloud migration strategies
Cloud migration strategiesSogetiLabs
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
AWS Technical Essentials Day
AWS Technical Essentials DayAWS Technical Essentials Day
AWS Technical Essentials Day
Amazon Web Services
 
Building Your Cloud Strategy
Building Your Cloud StrategyBuilding Your Cloud Strategy
Building Your Cloud Strategy
Amazon Web Services
 
[Azure Governance] Lesson 4 : Azure Policy
[Azure Governance] Lesson 4 : Azure Policy[Azure Governance] Lesson 4 : Azure Policy
[Azure Governance] Lesson 4 : Azure Policy
☁ Hicham KADIRI ☁
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to Hero
Kasun Rajapakse
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security Overview
Allen Brokken
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Amazon Web Services
 
(ISM305) Framework: Create Cloud Strategy & Accelerate Results
(ISM305) Framework: Create Cloud Strategy & Accelerate Results(ISM305) Framework: Create Cloud Strategy & Accelerate Results
(ISM305) Framework: Create Cloud Strategy & Accelerate Results
Amazon Web Services
 
Governance Strategies & Tools for Cloud Formation
Governance Strategies & Tools for Cloud Formation Governance Strategies & Tools for Cloud Formation
Governance Strategies & Tools for Cloud Formation
Amazon Web Services
 
AWS Security Checklist
AWS Security ChecklistAWS Security Checklist
AWS Security Checklist
Amazon Web Services
 
Introduction to Incident Response on AWS
Introduction to Incident Response on AWSIntroduction to Incident Response on AWS
Introduction to Incident Response on AWS
Amazon Web Services
 
AWS Business Essentials Day
AWS Business Essentials DayAWS Business Essentials Day
AWS Business Essentials Day
Amazon Web Services
 
An Introduction to the AWS Well Architected Framework - Webinar
An Introduction to the AWS Well Architected Framework - WebinarAn Introduction to the AWS Well Architected Framework - Webinar
An Introduction to the AWS Well Architected Framework - Webinar
Amazon Web Services
 
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
Amazon Web Services Korea
 
Power of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure securityPower of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure security
Bruno Capuano
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
AWS User Group Bengaluru
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security Solution
Prime Infoserv
 

What's hot (20)

How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...
How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...
How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...
 
Assessing Your Company's Cloud Readiness
Assessing Your Company's Cloud ReadinessAssessing Your Company's Cloud Readiness
Assessing Your Company's Cloud Readiness
 
Cloud migration strategies
Cloud migration strategiesCloud migration strategies
Cloud migration strategies
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
AWS Technical Essentials Day
AWS Technical Essentials DayAWS Technical Essentials Day
AWS Technical Essentials Day
 
Building Your Cloud Strategy
Building Your Cloud StrategyBuilding Your Cloud Strategy
Building Your Cloud Strategy
 
[Azure Governance] Lesson 4 : Azure Policy
[Azure Governance] Lesson 4 : Azure Policy[Azure Governance] Lesson 4 : Azure Policy
[Azure Governance] Lesson 4 : Azure Policy
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to Hero
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security Overview
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
 
(ISM305) Framework: Create Cloud Strategy & Accelerate Results
(ISM305) Framework: Create Cloud Strategy & Accelerate Results(ISM305) Framework: Create Cloud Strategy & Accelerate Results
(ISM305) Framework: Create Cloud Strategy & Accelerate Results
 
Governance Strategies & Tools for Cloud Formation
Governance Strategies & Tools for Cloud Formation Governance Strategies & Tools for Cloud Formation
Governance Strategies & Tools for Cloud Formation
 
AWS Security Checklist
AWS Security ChecklistAWS Security Checklist
AWS Security Checklist
 
Introduction to Incident Response on AWS
Introduction to Incident Response on AWSIntroduction to Incident Response on AWS
Introduction to Incident Response on AWS
 
AWS Business Essentials Day
AWS Business Essentials DayAWS Business Essentials Day
AWS Business Essentials Day
 
An Introduction to the AWS Well Architected Framework - Webinar
An Introduction to the AWS Well Architected Framework - WebinarAn Introduction to the AWS Well Architected Framework - Webinar
An Introduction to the AWS Well Architected Framework - Webinar
 
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
 
Power of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure securityPower of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure security
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security Solution
 

Similar to Aligning to the NIST Cybersecurity Framework in the AWS Cloud - SEC204 - Chicago AWS Summit

AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019 AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
Amazon Web Services
 
How to Enhance Your Application Security Strategy with F5 on AWS
How to Enhance Your Application Security Strategy with F5 on AWS How to Enhance Your Application Security Strategy with F5 on AWS
How to Enhance Your Application Security Strategy with F5 on AWS
Amazon Web Services
 
Elevate_your_security_with_the_cloud
Elevate_your_security_with_the_cloudElevate_your_security_with_the_cloud
Elevate_your_security_with_the_cloud
Amazon Web Services
 
Generational shiftsRedefining Customer Experience And The Way To Insure
Generational shiftsRedefining Customer Experience And The Way To InsureGenerational shiftsRedefining Customer Experience And The Way To Insure
Generational shiftsRedefining Customer Experience And The Way To Insure
Amazon Web Services
 
Carry security with you to the cloud - DEM14-SR - New York AWS Summit
Carry security with you to the cloud - DEM14-SR - New York AWS SummitCarry security with you to the cloud - DEM14-SR - New York AWS Summit
Carry security with you to the cloud - DEM14-SR - New York AWS Summit
Amazon Web Services
 
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
Amazon Web Services
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelines
Srishti Ahuja
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelines
Srishti Ahuja
 
Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...
Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...
Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...
Amazon Web Services
 
Safeguarding the integrity of your code for fast, secure deployments - SVC301...
Safeguarding the integrity of your code for fast, secure deployments - SVC301...Safeguarding the integrity of your code for fast, secure deployments - SVC301...
Safeguarding the integrity of your code for fast, secure deployments - SVC301...
Amazon Web Services
 
Security in the cloud
Security in the cloudSecurity in the cloud
Security in the cloud
Reham Maher El-Safarini
 
AWS Security Week: Why Your Customers Care About Compliance
AWS Security Week: Why Your Customers Care About ComplianceAWS Security Week: Why Your Customers Care About Compliance
AWS Security Week: Why Your Customers Care About Compliance
Amazon Web Services
 
Get ahead of cloud network security trends and practices in 2020
Get ahead of cloud network security trends and practices in 2020Get ahead of cloud network security trends and practices in 2020
Get ahead of cloud network security trends and practices in 2020
Cynthia Hsieh
 
Authority to Operate on AWS: Compliance as Code
Authority to Operate on AWS: Compliance as CodeAuthority to Operate on AWS: Compliance as Code
Authority to Operate on AWS: Compliance as Code
Amazon Web Services
 
Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019
Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019 Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019
Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019
Amazon Web Services
 
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Amazon Web Services
 
AWS PROTECTED - Why This Matters to Australia.
AWS PROTECTED - Why This Matters to Australia.AWS PROTECTED - Why This Matters to Australia.
AWS PROTECTED - Why This Matters to Australia.
Amazon Web Services
 
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...
Amazon Web Services
 
Cloud-Based Innovation and Information Security - Choose Both
Cloud-Based Innovation and Information Security - Choose Both Cloud-Based Innovation and Information Security - Choose Both
Cloud-Based Innovation and Information Security - Choose Both Amazon Web Services
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
James Strong
 

Similar to Aligning to the NIST Cybersecurity Framework in the AWS Cloud - SEC204 - Chicago AWS Summit (20)

AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019 AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
 
How to Enhance Your Application Security Strategy with F5 on AWS
How to Enhance Your Application Security Strategy with F5 on AWS How to Enhance Your Application Security Strategy with F5 on AWS
How to Enhance Your Application Security Strategy with F5 on AWS
 
Elevate_your_security_with_the_cloud
Elevate_your_security_with_the_cloudElevate_your_security_with_the_cloud
Elevate_your_security_with_the_cloud
 
Generational shiftsRedefining Customer Experience And The Way To Insure
Generational shiftsRedefining Customer Experience And The Way To InsureGenerational shiftsRedefining Customer Experience And The Way To Insure
Generational shiftsRedefining Customer Experience And The Way To Insure
 
Carry security with you to the cloud - DEM14-SR - New York AWS Summit
Carry security with you to the cloud - DEM14-SR - New York AWS SummitCarry security with you to the cloud - DEM14-SR - New York AWS Summit
Carry security with you to the cloud - DEM14-SR - New York AWS Summit
 
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelines
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelines
 
Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...
Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...
Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...
 
Safeguarding the integrity of your code for fast, secure deployments - SVC301...
Safeguarding the integrity of your code for fast, secure deployments - SVC301...Safeguarding the integrity of your code for fast, secure deployments - SVC301...
Safeguarding the integrity of your code for fast, secure deployments - SVC301...
 
Security in the cloud
Security in the cloudSecurity in the cloud
Security in the cloud
 
AWS Security Week: Why Your Customers Care About Compliance
AWS Security Week: Why Your Customers Care About ComplianceAWS Security Week: Why Your Customers Care About Compliance
AWS Security Week: Why Your Customers Care About Compliance
 
Get ahead of cloud network security trends and practices in 2020
Get ahead of cloud network security trends and practices in 2020Get ahead of cloud network security trends and practices in 2020
Get ahead of cloud network security trends and practices in 2020
 
Authority to Operate on AWS: Compliance as Code
Authority to Operate on AWS: Compliance as CodeAuthority to Operate on AWS: Compliance as Code
Authority to Operate on AWS: Compliance as Code
 
Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019
Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019 Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019
Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019
 
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
 
AWS PROTECTED - Why This Matters to Australia.
AWS PROTECTED - Why This Matters to Australia.AWS PROTECTED - Why This Matters to Australia.
AWS PROTECTED - Why This Matters to Australia.
 
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...
 
Cloud-Based Innovation and Information Security - Choose Both
Cloud-Based Innovation and Information Security - Choose Both Cloud-Based Innovation and Information Security - Choose Both
Cloud-Based Innovation and Information Security - Choose Both
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
Amazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
Amazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
Amazon Web Services
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
Amazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
Amazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
Amazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Aligning to the NIST Cybersecurity Framework in the AWS Cloud - SEC204 - Chicago AWS Summit

  • 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Aligning to the NIST Cybersecurity Framework in the AWS cloud Tim Anderson Sr. technical industry specialist AWS Security S E C 2 0 4
  • 2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Agenda What is the NIST Cybersecurity Framework (CSF)? Why use the NIST CSF? AWS responsibilities: AWS alignment with the NIST CSF Customer responsibilities: Use of AWS services to align to the NIST CSF
  • 3. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. What is the NIST CSF?
  • 4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T What is the NIST Cybersecurity Framework? 4 • A voluntary framework composed of best practices to help organizations of any size and in any sector improve the cybersecurity, risk management, and resilience of their systems • Common taxonomy to align an organization’s business drivers and security considerations specific to its use of technology • Uses existing standards to scale across borders, evolve with technological advances and business requirements, and provide economies of scale • Originally intended for critical infrastructure, but applicable across all organization types
  • 5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Why was the NIST CSF created? 5 Executive Order Presidential Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” charges NIST in Feb. 2013 Legislation Cybersecurity Enhancement Act of 2014 reinforced the legitimacy and authority of the CSF by codifying its development and voluntary adoption into law In February 2014, the National Institute of Standards and Technology (NIST) published the “Framework for Improving Critical Infrastructure Cybersecurity” (or CSF), a voluntary framework to help organizations of any size and sector improve the cybersecurity, risk management, and resilience of their systems. Originally intended for critical infrastructure, but broader applicability across all organization types. Executive Order Presidential EO 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” mandates the use of CSF for all federal IT
  • 6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T What is considered critical infrastructure? 7 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. 1. Chemical 2. Commercial Facilities 3. Communications 4. Critical Manufacturing 5. Dams 6. Defense Industrial Base 7. Emergency Services 8. Energy 9. Financial Services 10. Food and Agriculture 11. Government Facilities 12. Healthcare and Public Health 13. Information Technology 14. Nuclear Reactors, Materials, and Waste 15. Transportation Systems 16. Water and Wastewater Systems
  • 7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T What is the NIST Cybersecurity Framework? The CSF offers a simple yet effective, risk-based, outcome-focused framework consisting of three elements—Core, Tiers, and Profiles. • The Core represents a set of cybersecurity practices, outcomes, and technical, operational, and managerial security controls (referred to as Informative References) that support the five risk management functions Core • Tiers characterize an organization’s aptitude for managing cybersecurity risk Tiers • Profiles are intended to convey the organization’s “as is” and “desired” risk posture Profiles Identify Protect Detect Respond Recover Tier 4- Adaptive Tier 3- Repeat- able Tier 2- Risk Informed Tier 1- Partial Current Target These three elements enable organizations to prioritize and address cybersecurity risks consistent with their business and mission needs.
  • 8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Identify Protect Detect Respond Recover Asset management Business environment Governance Risk Assessment Risk Assessment Strategy Supply Chain Risk Management Access Control Awareness and Training Data Security Information Protection Processes and Procedures Maintenance Protective Technology Anomalies and Events Security Continuous Monitoring Detection Processes Response Planning Communications Analysis Mitigation Improvements Recovery Planning Improvements Communications Subcategories (108 outcome-based security activities) NIST CSF | Core 23 Categories
  • 9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T NIST CSF | Core Function— overarching organization of cybersecurity life cycle management Category—desired security outcome Subcategory—risk- based security activity (i.e., controls) Informative references—standards mapping
  • 10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T NIST CSF | Core
  • 11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Why use the NIST Cybersecurity Framework? Common taxonomy around risk management No cost Risk-based, outcome-focused Leverages existing accreditations, standards, and controls Flexible and adaptive Relevant to techs and execs Sector agnostic Health Care Commercial Sector Federal Agencies States Italy, Japan, Israel, Uruguay Financial Services
  • 12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Why use the NIST Cybersecurity Framework? According to Gartner, the CSF is used by approximately 30 percent of U.S. private sector organizations and projected to reach 50 percent by 2020. As of the release of this report, all 16 U.S. critical infrastructure sectors use the CSF and over 20 states have implemented it. Since fiscal year 2016, U.S. federal agency Federal Information Security Modernization Act (FISMA) metrics have been organized around the CSF and now reference it as a “standard for managing and reducing cybersecurity risks.” Over 20 states have implemented the CSF, and it has been supported by the NGA/NASCIO.
  • 13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Internationalization of the NIST CSF ISO/IEC 27103:2018— Cybersecurity and ISO and IEC Standards (Feb. 2018) - Technical report on implementing a cybersecurity framework leveraging existing standards - Promotes the same concepts and best practices reflected in the NIST CSF FINAL ISO 27103 DRAFT ISO 27101— Cybersecurity framework development guidelines - Concepts include five functions (Identify, Protect, Detect, Respond, Recover) and foundational activities that crosswalk to existing standards, accreditations and frameworks DRAFT ISO 27101
  • 14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Aligning to the NIST CSF in the AWS cloud AWS accomplishes two objectives with the whitepaper: Security of the cloud—Provides a third-party attestation that AWS infrastructure and services conform to NIST CSF risk- management practices, assuring customers that their data is protected across AWS. Security in the cloud—Maps the NIST CSF to AWS cloud offerings that customers can use to align to the NIST. We provide a detailed breakout of AWS services and associated customer and AWS responsibilities to facilitate alignment to the NIST CSF.
  • 15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS services alignment with the CSF • As validated by our third-party assessor, the services that maintain an accreditation under FedRAMP Moderate and/or ISO 27001/27101/27017 align with the CSF. ✓ Validated the NIST CSF Citations mapping to NIST SP 800-53 security control requirements ✓ Reviewed the AWS services that have undergone the FedRAMP Moderate and ISO 9001/27001/27017/27018 accreditations that meet the citation or control requirement ✓ During the service validation, identified additional citations that may have available scoped services that meet the requirement ✓ All services recommended for inclusion were validated as in scope to the AWS FedRAMP Moderate and ISO attestations—marked with *italics in workbook When deploying AWS solutions, organizations can have the assurance that AWS services uphold risk management best practices defined in the CSF and can leverage these solutions for their own alignment to the CSF.
  • 16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Aligning to the NIST CSF in the AWS cloud How to use the whitepaper: 1. Executive level • Summary of AWS and customer responsibilities to align to each of the five functions in the CSF (Identify, Protect, Detect, Respond, Recover) • Third-party attestation 2. Technical level • Detailed mapping of AWS services and resources (beyond FedRAMP and ISO 27001) • Customer responsibilities • AWS responsibilities
  • 17. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Asset Management (ID.AM) Business Environment (ID.BE) Governance (ID.GV) Risk Assessment (ID.RA) Risk Management Strategy (ID.RM) Supply Chain Risk Management (ID.SC) Inventory Lambda Function Event (event-based) Lambda Function Event (event-based) Enterprise Agreement NIST CSF | Identify
  • 19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T NIST CSF | Protect Identity Management, Authentication, and Access Control (PR.AC) Awareness and Training (PR.AT) Data Security (PR.DS) Information Protection Processes and Procedures (PR.IP) Maintenance (PR.MA) Protective Technology (PR.PT) AWS Security Token Service (AWS STS) MFA token Role Permissions
  • 20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Auto Scaling group Public Subnet Public Subnet Auto Scaling group Protect in AWS Architecture AWS Cloud AWS Region VPC Availability Zone A Availability Zone B App Subnet App Subnet DB Subnet DB Subnet DB Primary DB Secondary Web Servers Web Servers App Servers App Servers
  • 21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T NIST CSF | Detect Anomalies and Events (DE.AE) Security Continuous Monitoring (DE.CM) Detection Processes (DE.DP) Flow logs Lambda Function Event (event-based)
  • 22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Response Planning (RS.RP) Communications (RS.CO) Analysis (RS.AN) Mitigation (RS.MI) Improvements (RS.IM) Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. AWS service configurations and security automation are updated/ improved. NIST CSF | Respond Filtering rule ACL Subnet Rule
  • 23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Event (event- based) Lambda Function Filtering rule Other AWS & Partner Services Automate with integrated services
  • 24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T NIST CSF | Recover Recovery Planning (RC.RP) Improvements (RC.IM) Communications (RC.CO) Organizational recover activities are improved by incorporating lessons learned from current and previous detection/response activities. AWS service configurations and security automation are updated/ improved.
  • 25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Thank you! S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Tim Anderson Sr. technical industry specialist AWS Security tdander@amazon.com