Aligning to the NIST Cybersecurity Framework in the AWS Cloud

Start Here

Get in touch with a
TriCore Solutions specialist

Blog | Jun 1, 2017

AWS/ Cloud Services Whitepaper: Aligning to the NIST Cybersecurity Framework in the AWS Cloud

On May 9, 2017, AWS released its latest whitepaper called "Aligning to the NIST Cybersecurity Framework in the AWS Cloud." We've put together a few highlights from the report and, as far as AWS/ Cloud Services goes, what you don't know might just surprise you. Here are five tips that we've gleaned from this report.

NIST in AWS.png

NIST means the National Institute of Standards and Technology. Globally, AWS has seen an increase in the use by governments, employment sectors, and other organizations of the NIST Cybersecurity Framework as the baseline for improving the risk management and system resilience. Originally intended for adoption by the critical infrastructure sector, both government and industry recommend use of the framework for any size organization in any industry.

NIST-a.jpg

What the whitepaper does. The whitepaper evaluates AWS offerings that public and private consumers may use to align with the NIST Cybersecurity Framework (CSF). The report is clear that there are no warranties of purpose and that users must come to their own conclusions about which AWS cloud security services are suitable to improve their own cybersecurity systems.

Core Functions. The whitepaper breaks down each of the five core management functions listed below into their sub-parts. The breakdowns are as follows:

  • Identify - Asset management, business environment, governance, risk assessment, risk assessment strategy.
  • Protect - Access control, awareness and training, data security, information protection/processes and procedures, maintenance, protective technology
  • Detect - Anomalies and events, security continuous monitoring, detection processes
  • Respond - Response planning, communications, analysis, mitigation, improvements
  • Recovery - Recovery planning, improvements, communications

Risk Management Functions. The whitepaper identifies AWS services that users may find helpful to align with the CSF in order to maintain "security in the cloud". Assessing each of the AWS services that helps with these core functions is outside the scope of this post. The following paragraph, however, provides an example of the kinds of information on AWS services that you will find in the full whitepaper under each of the five core management functions.

The following paragraph takes apart the Identify function to show the AWS services that help organizations align with CSF. 

Core Function: Identify. Identifying and managing an organization's cybersecurity systems requires knowing what IT assets the organization has. IT assets range from hardware like switches, servers, and firewalls to applications, operating systems, and other software used on the system. IT asset inventories are not only required for business reasons, like reports and knowing when to make system upgrades. Inventory is also often required to comply with regulations. AWS has several features that make IT resource inventory accurate and easy:

AWS Features Alignment to the NIST Cybersecurity Framework
Account Activity Page Provides a summary of details on usage by service and by region, including spending on IT resources at any point in time;
Amazon Glacier Vault Inventory Glacier can show all inventory resources;
AWS CloudHSM Provides hardware security modules (HSM) for encryption key storage;
AWS Management Console Shows all IT inventory running in AWS, by service, which includes actual run rate and costs;
AWS Config Shows all IT resources, currently existing and deleted assets; it helps determine whether your system complies with various rules; shows configuration details for each resource;
AWS Storage Gateway for Application Programming Interfaces (API) Manage resources through audit of inventory and data according to APIs, tools, and scripts.
Amazon EC2 Resource Tagging Applies search labels to computer resources which allows the business units to associate IT resources with expenditures on those resources.

If you would like to learn more about how AWS services can help you align with the Core Functions under CSF, download the full report from the AWS news release.

While many organizations see a move to the cloud as a key component to their digital transformation strategy, less than 20 percent of professionals surveyed said their organization is using the public cloud. Gartner predicts the worldwide public cloud services market will grow 18 percent in 2017 to $246.8B, up from $209.2B in 2016 – indicating increased public cloud use in the coming months. While the benefits of digital transformation are widely known – innovation, increased profits, rapid go-to-market, competitive advantage, increased customer satisfaction – there are still barriers to entry, halting many companies as they continue on their digital journey.

We know it’s a challenge to overcome these barriers, so TriCore Solutions dug a little deeper into the strategies supporting digital transformation to find out just how much progress has been made.

Get the Digital Transformation Survey Report

Looking for a snapshot of our digital transformation findings? Discover the who’s who of cloud adoption, digital transformation roadblocks and how to go from action to execution.

CLICK HERE TO VIEW THE INFOGRAPHIC