The document discusses how public cloud services align with the NIST Cybersecurity Framework (CSF). It provides an overview of the CSF functions and an example of how they apply to end user computing security on AWS. It also discusses adjacent security frameworks like CIS benchmarks and how automation and processes tie into lifecycle management. Cloud adoption frameworks like CAF and WAF are summarized in relation to their alignment with CSF and security best practices.

1. NIST Cybersecurity Framework (CSF) on the
Public Cloud

2. Topics
• Introduction
• ExampleWorkload: End User Computing
• What can go wrong? Ransomware Incident Response in End User Computing
• End User Computing Security Best Practices
• Modernizing Security Controls
• NIST Cybersecurity Framework
• Adjacent Frameworks
• Public Cloud Services alignment to NIST Cybersecurity Framework

3. Introduction

4. Public Cloud Revenue – has/is forecasted to increaseYoY

5. Users andVulnerable Software – Still a Challenge
Verizon 2021 Data Breach Investigations Report
https://www.verizon.com/business/resources/reports/2021-data-breach-investigations-report.pdfx

6. CustomerWorkload Personas – Growth inVariety
• Migrated
• Server Based
• Migrated & Optimized
• Blends of Server and Service Based
• Serverless/Native
• Service Based
• Orchestrated
• ECS, EKS, K8s
• Inherited
• Wildcard!
• Hybrid
• Wildcard!

7. Service Categories – Also Growth inVariety
• Analytics
• Application Integration
• AR &VR
• AWS Cost Management
• Blockchain
• Business Applications
• Compute
• Customer Engagement
• Database
• Developer Tools
• End User Computing
• GameTech
• Internet ofThings
• Machine Learning
• Management & Governance
• Media Services
• Migration &Transfer
• Mobile
• Networking & Content Delivery
• QuantumTechnologies
• Robotics
• Satellite
• Security, Identity, & Compliance
• Storage

8. The Scenario

9. Shared Responsibility Model

10. End User Computing Sample Deployment

11. What’s missing?
• Ingress Security Group toWorkspace
• Egress Security Group fromWorkspace to (Internet)
• Security Groups to/from other Services (AWS and On Premises)
• Security of the Workspace Environment
• Security of supporting servers (Active Directory)
• Security of other network-accessible resources (Web Servers)
• User Permissions (Non-Local Admin, Local Admin, Global Admin)
• Access of the Workspace (PKI Cert, PKI PIV, Network, MFA)
• The rest of the AWSAccount?The rest of the AWSAccount! (Services, APIs)

12. End User Computing Sample Deployment

13. What could go wrong?
• Ingress Security Group toWorkspace
• Egress Security Group fromWorkspace to (Internet)
• Security Groups to/from other Services (AWS and On Premises)
• Security of the Workspace Environment
• Security of supporting servers (Active Directory)
• Security of other network-accessible resources (Web Servers)
• User Permissions (Non-Local Admin, Local Admin, Global Admin)
• Access of the Workspace (PKI Cert, PKI PIV, Network, MFA)
• The rest of the AWSAccount?The rest of the AWSAccount! (Services, APIs)

14. The Approach

15. Overview
• Through the lens of the NIST Cybersecurity Framework we will look at frameworks developed
by, and services available onAWS.
• Cloud Services, such as those offered by AWS either/both play a supporting role in your security
posture, supporting both non-AWS resources andAWS resources alike but secure configuration
of AWS resources can also play a role in supporting your security posture.
• The NIST Cybersecurity Framework provides a policy framework of computer security guidance
for how private sector organizations in the United States can assess and improve their ability to
prevent, detect, and respond to cyber attacks.

16. The Cybersecurity Framework
Core
Desired cybersecurity outcomes organized in a hierarchy
and aligned to more detailed guidance and controls
Profiles
Alignment of an organization’s requirements and
objectives, risk appetite and resources using the desired
outcomes of the Framework Core
ImplementationTiers
A qualitative measure of organizational cybersecurity risk
management practices

17. The Cybersecurity Framework - Functions
• Identify
• Develop an organizational understanding to manage cybersecurity risk to systems, people, assets,
data, and capabilities.
• Protect
• Develop and implement appropriate safeguards to ensure delivery of critical services.
• Detect
• Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
• Respond
• Develop and implement appropriate activities to take action regarding a detected cybersecurity
incident.
• Recover
• Develop and implement appropriate activities to maintain plans for resilience and to restore any
capabilities or services that were impaired due to a cybersecurity incident.

18. An Excerpt from the Framework Core
5 Functions 23 Categories 108 Subcategories 6 Informative References

19. ImplementationTiers
1 2 3 4
Partial Risk Informed Repeatable Adaptive
Risk
Management
Process
The functionality and repeatability of cybersecurity risk
management
Integrated Risk
Management
Program
The extent to which cybersecurity is considered in
broader risk management decisions
External
Participation
The degree to which the organization:
• monitors and manages supply chain risk
• benefits my sharing or receiving information from
outside parties

20. CIS Controls & Benchmarks
• Controls
• Similar, though more prescriptive than NIST CSF
• Can be mapped to CSF
• Benchmarks
• Prescriptive steps to apply controls to specific technologies
• AWS
• Workspaces
• Windows/Linux
• Other Services

21. CIS Benchmark End User Computing Example

22. CloudWorkload Lifecycle Management Framework
• Workload
• Architecture
• Monitoring
• Automation
• Processes

23. Workload + Architecture Drives Service Selection
• Virtual Machines
• AMI
• Patching
• Multi-threaded/Multi-task
• Hours to Months
• PerVM/Per Hour
• Functions/Services
• Code
• Versioning
• Single-threaded/Single-task
• Microseconds to Seconds
• Per Memory/Second/Per Request
• Containers
• Container File
• Versioning
• Multi-threaded/Single-task
• Minutes to Days
• PerVM/Per Hour

24. Integration

25. Automation + Processes Drives Lifecycle Management Selection
• Organizations
• Cross-AccountAsset Management + Governance
• ControlTower
• Account vending/default standardization
• Service Catalog
• Workload platform vending/default standardization
• CloudFormation
• IaC
• Ephemeral Compute + API Managed Data/Control Plane for PersistenceTiers
• Hands off/Lights out

26. Processes
• Patching
• Backup/RestoreTesting
• FailoverTesting (AZ)
• Credential Rotation/CredentialAudit
• Event ResponseTesting
• Incident ResponseTesting
• PerformanceTesting
• Performance/Cost Review
• Vulnerability/PenetrationTesting

27. Cloud Adoption Framework (CAF)
https://docs.aws.amazon.com/whitepapers/latest/overview-aws-cloud-adoption-framework/accelerating-business-outcomes.html

28. Cloud Adoption Framework (CAF)
• Perspectives
• Business
• Value Realization
• People
• Roles & Readiness
• Governance
• Prioritization & Control
• Platform
• Applications & Infrastructure
• Security
• Risk & Compliance
• Operations
• Manage & Scale

29. Cloud Adoption Framework (CAF) - Capabilities
https://docs.aws.amazon.com/whitepapers/latest/overview-aws-cloud-adoption-framework/foundational-capabilities.html

30. Cloud Adoption Framework (CAF) – Capabilities - Security
https://docs.aws.amazon.com/whitepapers/latest/overview-aws-cloud-adoption-framework/security-perspective.html

31. CAF – Security Perspective
• Directive
• Account Ownership and contact information
• Change and asset management
• Least privilege access
• Preventive
• Identity and access
• Infrastructure protection
• Data protection
• Detective
• Logging and monitoring
• Asset inventory
• Change detection
• Responsive
• Vulnerabilities
• Privilege escalation
• DDoS attack

32. Well Architected Framework (WAF)
• General
• Event-Triggered
• Workload-Focused
• General Design Principals
• Pillars
• Design Principals
• Best Practices
• Lenses

33. WAF – Pillars
• Operational Excellence
• Security
• Reliability
• Performance Efficiency
• Cost Optimization
• Sustainability – New!

34. WAF – Lenses
• High Performance Computing (HPC)
• Serverless
• Internet ofThings (IOT)
• Financial Services Industry (FinServ)
• FoundationalTechnical Review (FTR)
• SaaS
• Streaming Media
• Machine Learning
• SAP
• DataAnalytics
• Games Industry
• Hybrid Networking
• Management and Governance –Well Aligned!

35. WAF – General Design Principals
• Stop guessing your capacity needs
• Test systems at production scale
• Automate to make architectural experimentation easier
• Allow for evolutionary architectures
• Drive architectures using data
• Improve through game days

36. WAF – Game Days
• Prepare
• Is the process/are the processes to be tested during the game day well defined? Is access in place? Has
training been performed?
• Define
• Workload, Personnel, Scenario, Environment, Schedule
• Execute
• Start, Middle, End
• Analyze
• Debrief, Examine, Document, Root Cause Analysis (RCA), Correction of Error (CoE)

37. WAF – Security Pillar
• Design Principles
• Implement a strong identity foundation
• Enable traceability
• Apply security at all layers
• Automate security best practices
• Protect data in transit and at rest
• Keep people away from data
• Prepare for security events
• Best Practices
• Identity and Access Management
• Detection
• Infrastructure Protection
• Data Protection
• Incident Response

38. Let’s tie it all together…
https://aws.amazon.com/blogs/security/optimizing-cloud-governance-on-aws-integrating-the-nist-cybersecurity-framework-aws-
cloud-adoption-framework-and-aws-well-architected/

39. Identify

40. Identify
• Everything on the previous slides 

41. Identify
• Audit Manager
• Cost Management Services (Individual Services)
• Certificate Manager (Public + Private)
• Firewall Manager (WAF + Security Groups)
• Directory Service + Identity and Access Management (+ Services with their own Policies)
• AccessAdvisor,Access Analyzer,Organization Activity
• Inspector
• Key Management Service + Secrets Manager
• Macie
• Premium Support +Trusted Advisor + Personal Health Dashboard
• Systems Manager
• Security Hub + Config + Config Rules
• Tags

42. Identify – Organizations
• Tag policies
• Artifact
• Backup
• CloudFormation StackSets
• CloudTrail
• Config
• Directory Service
• Firewall Manager
• Resource Access Manager
• Service Catalog
• Single Sign-On
• Systems Manager

43. Protect/Detect

44. Protect
• VPC: Security Groups (Stateful Firewall) + NACLs (Stateless Firewall), Network Firewall, DNS
Firewall,Gateway Load Balancer
• WAF: Layer 7WAF
• Shield + AutoScaling + ELB + Cloud Front: DoS/DDoS Protection
• VPC:VGW (Point to Point and IPSECConnectivity) + Peering (VPC toVPC Connectivity) +
Endpoints (Private Connectivity to AWS Services), ClientVPN (Client toVPC Connectivity)
• IAM + Directory Service + SSO: Standalone and Federated AAA
• KMS: FIPS 140-2 Certified cryptographic module with integration to various AWS services,
provides expiration and ability to provide self-generated cryptographic material
• ACM: Public and Private PKI Certificate Authority
• Secure Credential Storage: Secrets Manager, Systems Manager
• Nitro Enclaves

45. Protect
• AWS Auto Scaling: EC2, Dynamo,Aurora Autoscaling
• Code Commit/ECS (Image Scanning)/Signer: Secure Application and Artifact Repository +
dedicated account
• Code Deploy/Systems Manager: “Hands off” OS and configuration management + application
deployment
• EC2: Systems Manager (OS and above patching + auditing), Amazon Linux 2 Live Patching
• AWS Backup: EC2, RDS, EFS, Dynamo Backups + dedicated account
• Workspaces: Secure Bastion
• CloudFormation + OpsWorks + Elastic Beanstalk: “Hands off” infrastructure management
• S3/Glacier: File based storage with AAA, versioning, secure delete + policy based retention
• Host Based Security

46. Detect

47. Detect
• Guard Duty
• Config: Point in time snapshots of configuration items, Exportable as JSON to
idempotent storage
• VPC: Flow Logs (NetFlow) + Port Mirroring
• CloudWatch Logs: OS and above log management
• CloudTrail: AuditTrail, Exportable as JSON to idempotent storage
• Cloudfront, ALB andWAF: All log (CloudFront and ALB in S3,WAF in Kinesis)
• S3/Glacier: File based storage with AAA, versioning, secure delete + policy based
retention + dedicated account

48. Respond/Recover

49. Respond
• Detective
• Disk Snapshots
• Don’t forget to remove from retention policy
• Automated withThreatResponse,GRR
• Memory Snapshots
• Automated withThreatResponse,GRR,Volatility, Rekall
• Logs
• Don’t forget to remove from retention policy
• Query and Correlate with Athena
• Measure

50. Recover
• Block Access (WAF, Security Group, ACL, IAM)
• Revert to Known Good State (Snapshots,Versioning)
• Identify/Correct Root Cause (Logs!)
• Rotate Credentials (people and things)
• Measure

51. Conclusion
• Iterate introduction of your security controls – some in the short term is better than none in the
long term.
• Detective Controls are just as important as Preventative Controls, they play a significant
response in incident detection and response.
• Whether your workload is onAWS or not,AWS services can be used to supplement your controls.
• There is no lack of frameworks – pick and choose from them to make a framework that works
best for your organization’s needs.

52. ThankYou!