A guide: How to apply the NIST Cybersecurity Framework to AWS implementations
If public cloud services are in your IT mix, the NIST Cybersecurity Framework (CSF) is a great way to evaluate security needs and develop a robust security strategy. The NIST CSF identifies five key cybersecurity functions - “Identify,” “Protect,” “Detect,” “Respond,” and “Recover” - to organise recommended security controls into actionable work streams. AWS users can use the CSF to plan security strategies and investments for optimal protection and coverage.
To get you started, let’s look at the five top-level CSF functions and identify some of the unique issues you’ll face when applying them to your public cloud implementation. Visibility (or the lack of it) is a common theme for each area, and it’s a problem that needs to be addressed.
Here are the five CSF functions (descriptive quotes directly from NIST):
"Develop the organisational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.” - NIST
Understanding your specific cloud implementation is, of course, necessary before you can plan and implement an effective security strategy. It’s tougher than you might think: the cloud is far harder to get your arms around than a captive data centre (where servers can be physically counted and institutional controls are more mature).
Clouds are completely virtual, they change incredibly fast, and relationships between cloud entities can be very tough to see and visualise. If you can’t see the core elements of your cloud, you can’t identify what needs to be done to secure them. What is needed is a platform that can clarify your cloud so you can visualise exactly what’s going on.
"Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services." - NIST
Choosing security tools and services to protect your infrastructure is a familiar task. But the cloud’s different: recent data breaches attributed to S3 configuration errors show how easily things can go wrong. Need to share some data with a third party? A quick and easy bucket permissions change gets it done instantly - but it can also instantly create a huge vulnerability.
Continuous automation is the answer and should be one of the most powerful capabilities of your platform. Monitoring the security posture of thousands of ephemeral cloud entities is a task well beyond human reach - so your platform should do it for you.
"Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event." - NIST
The final three CSF functions change the focus from “planning and preparing” to “responding.” NIST’s “detect” function includes controls for improving coverage, reducing time-to-detection, and assessing event severity.
If you’re familiar with AWS CloudTrail, you know you have plenty of data about your cloud’s operations. A lack of data isn’t the problem - but making sense of what you have is another matter. By automatically analysing AWS CloudTrail data to eliminate spurious alerts, you can zero in on the incidents that really matter - quickly and decisively.
"Develop and implement the appropriate activities to take action regarding a detected cybersecurity event." – NIST
Responding to a cybersecurity incident is a bit like organising a battlefield counterattack. It’s chaotic, stressful and confusing - and if you don’t understand your adversary’s original attack, your odds of success are low. On AWS, understanding incidents is a challenge: you’ll have plenty of data (AWS logs everything) but analysing that data to understand the attack takes skill and time.
You need a platform that excels at correlating data from across AWS to clarify the who, what and how of every incident. That way, you’ll have a clear map to guide your response, develop mitigation strategies, assess impacts and provide definitive updates to technical and non-technical stakeholders.
"Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event." - NIST
The last CSF function deals with two imperatives: restoring systems to normal (yours and any third-party systems affected by the attack) and integrating what you’ve learned back into your security framework. Your platform must have the ability to deliver a complete and accurate picture of the attack pays dividends. Without it, recovery efforts are likely to be incomplete and coordination with other affected parties will be a challenge.
Organise and guide cloud security efforts
Applying NIST’s CSF framework to your AWS implementation is great way to organise and guide your cloud cybersecurity efforts. Use it to identify gaps, organise your teams and guide security investments with an eye on the unique demands of AWS. Having a platform that has the ability to capitalise on the extensive data available from AWS will go a long way towards meeting the goals set out in the NIST CSF.