
Aligning to the NIST Cybersecurity Framework in the AWS Cloud

The NIST Cybersecurity Framework (CSF) is recognized as the de facto guide for best practices in cybersecurity and risk management for organizations of any size and in any sector or location. In this session, learn how to implement AWS services to align to the 108 outcome-based security activities in the NIST CSF. We discuss the AWS whitepaper and customer workbook at a high level, which map many AWS services that customers can use to align to the NIST CSF, including IAM, AWS CloudTrail, Amazon CloudWatch, Amazon GuardDuty, Amazon Macie, Amazon EC2, Amazon Cognito, AWS SSO, and VPC Flow Logs. (Note: This is not a technical deep dive.)


  1. PUBLIC SECTOR SUMMIT, Washington, D.C.
  2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Aligning to the NIST Cybersecurity Framework in the AWS Cloud (Session 319028). Speakers: Min Hyun, Global Lead, Growth Strategies, AWS Security Assurance; Michael South, Americas Regional Leader, Security and Compliance, AWS Worldwide Public Sector.
  3. Agenda:
     • What is the NIST Cybersecurity Framework (CSF)?
     • Why use the NIST CSF?
     • AWS responsibilities: AWS services alignment with the NIST CSF
     • Customer responsibilities: use of AWS services to align to the NIST CSF
  4. (Section divider; no slide text.)
  5. What is the NIST Cybersecurity Framework?
     • A voluntary framework comprised of best practices to help organizations of any size and in any sector improve the cybersecurity, risk management, and resilience of their systems
     • A common taxonomy to align an organization’s business drivers and security considerations specific to its use of technology
     • Uses existing standards to scale across borders, evolve with technological advances and business requirements, and provide economies of scale
     • Originally intended for critical infrastructure, but applicable across all organization types
  6. What is considered critical infrastructure? In the US, 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the US that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof: (1) Chemical, (2) Commercial Facilities, (3) Communications, (4) Critical Manufacturing, (5) Dams, (6) Defense Industrial Base, (7) Emergency Services, (8) Energy, (9) Financial Services, (10) Food and Agriculture, (11) Government Facilities, (12) Healthcare and Public Health, (13) Information Technology, (14) Nuclear Reactors, Materials, and Waste, (15) Transportation Systems, (16) Water and Wastewater Systems.
  7. What is the NIST Cybersecurity Framework? Origins:
     • Executive Order: Presidential Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” charges NIST in February 2013.
     • Publication: In February 2014, the National Institute of Standards and Technology (NIST) published the “Framework for Improving Critical Infrastructure Cybersecurity” (the CSF), a voluntary framework to help organizations of any size and sector improve the cybersecurity, risk management, and resilience of their systems. Originally intended for critical infrastructure, it has broader applicability across all organization types.
     • Legislation: The Cybersecurity Enhancement Act of 2014 reinforced the legitimacy and authority of the CSF by codifying it and its voluntary adoption into law.
     • Executive Order: Presidential EO 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” mandates the use of the CSF for all Federal IT.
  8. What is the NIST Cybersecurity Framework? The CSF offers a simple-yet-effective risk-based, outcome-focused framework consisting of three elements: Core, Tiers, and Profiles.
     • Core: a set of cybersecurity practices, outcomes, and technical, operational, and managerial security controls (referred to as Informative References) that support the five risk management functions: Identify, Protect, Detect, Respond, Recover.
     • Tiers: characterize an organization’s aptitude for managing cybersecurity risk: Tier 1 Partial, Tier 2 Risk Informed, Tier 3 Repeatable, Tier 4 Adaptive.
     • Profiles: convey the organization’s “as is” (Current) and “desired” (Target) risk posture.
     These three elements enable organizations to prioritize and address cybersecurity risks consistent with their business and mission needs.
  9. NIST CSF | Core: 5 Functions, 23 Categories, and 108 Subcategories (outcome-based security activities).
     • Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management
     • Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
     • Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
     • Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
     • Recover: Recovery Planning; Improvements; Communications
  10. NIST CSF | Core hierarchy:
     • Function: overarching organization of cybersecurity lifecycle management
     • Category: desired security outcome
     • Subcategory: risk-based security activity (i.e., controls)
     • Informative References: standards mapping
  11. NIST CSF | Core (diagram slide; no further text).
  12. Why use the NIST Cybersecurity Framework?
     • Common taxonomy around risk management
     • No cost
     • Risk-based, outcome-focused
     • Leverages existing accreditations, standards, and controls
     • Flexible and adaptive
     • Relevant to techs and execs
     • Sector agnostic: adopted in healthcare, the commercial sector, financial services, Federal agencies, states, and internationally (Italy, Japan, Israel, Uruguay)
  13. Why use the NIST Cybersecurity Framework? According to Gartner, the CSF is used by approximately 30 percent of US private sector organizations and is projected to reach 50 percent by 2020. As of the release of this report, all 16 US critical infrastructure sectors use the CSF, and over 20 states have implemented it, with support from the NGA/NASCIO. Since Fiscal Year 2016, US federal agency Federal Information Security Modernization Act (FISMA) metrics have been organized around the CSF, and now reference it as a “standard for managing and reducing cybersecurity risks.”
  14. Internationalization of the NIST CSF:
     • ISO/IEC 27103:2018, Cybersecurity and ISO and IEC Standards (February 2018; final): a technical report on implementing a cybersecurity framework leveraging existing standards; promotes the same concepts and best practices reflected in the NIST CSF.
     • ISO 27101 (draft): cybersecurity framework development guidelines; concepts include the five functions (Identify, Protect, Detect, Respond, Recover) and foundational activities that crosswalk to existing standards, accreditations, and frameworks.
  15. Aligning to the NIST CSF in the AWS Cloud. AWS accomplishes two objectives with the whitepaper:
     • Security of the cloud: provides a third-party attestation that AWS infrastructure and services conform to NIST CSF risk-management practices based on FedRAMP and ISO 27001 accreditations, assuring customers that their data is protected across AWS.
     • Security in the cloud: maps the NIST CSF to AWS Cloud offerings that customers can use to align to the NIST CSF. We provide a detailed breakout of AWS services and associated customer and AWS responsibilities to facilitate alignment to the NIST CSF.
  16. AWS Services Alignment with the CSF. As validated by our third-party assessor, the services that maintain an accreditation under FedRAMP Moderate and/or ISO 27001/27101/27017 align with the CSF. The validation:
     • Validated the NIST CSF Citations mapping to NIST SP 800-53 security control requirements
     • Reviewed the AWS services that have undergone the FedRAMP Moderate and ISO 9001 / 27001 / 27017 / 27018 accreditations that meet the citation or control requirement
     • During the service validation, identified additional citations that may have available scoped services that meet the requirement
     • All services recommended for inclusion were validated as in scope for the AWS FedRAMP Moderate and ISO attestations (marked with *italics in the workbook)
     When deploying AWS solutions, organizations can have the assurance that AWS services uphold risk management best practices defined in the CSF and can leverage these solutions for their own alignment to the CSF.
  17. Aligning to the NIST CSF in the AWS Cloud. How to use this resource:
     • Executive level: summary of AWS and customer responsibilities to align to each of the five functions in the CSF (Identify, Protect, Detect, Respond, Recover); third-party attestation
     • Technical level: detailed mapping of AWS services and resources (beyond FedRAMP and ISO 27001); customer responsibilities; AWS responsibilities
  18. (Section divider; no slide text.)
  19. NIST CSF: Identify. Categories: Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), Risk Management Strategy (ID.RM), Supply Chain Risk Management (ID.SC). Diagram elements: Inventory, Lambda Function, Event (event-based), Enterprise Agreement.
  20. NIST CSF: Protect. Categories: Identity Management, Authentication and Access Control (PR.AC), Awareness and Training (PR.AT), Data Security (PR.DS), Information Protection Processes and Procedures (PR.IP), Maintenance (PR.MA), Protective Technology (PR.PT). Diagram elements: AWS STS, MFA token, Role, Permissions.
  21. Protect in AWS Architecture (diagram): AWS Cloud > AWS Region > VPC spanning Availability Zone A and Availability Zone B. Each Availability Zone contains a Public Subnet (Web Servers in an Auto Scaling group), an App Subnet (App Servers in an Auto Scaling group), and a DB Subnet (DB Primary in one zone, DB Secondary in the other).
  22. NIST CSF: Detect. Categories: Anomalies and Events (DE.AE), Security Continuous Monitoring (DE.CM), Detection Processes (DE.DP). Diagram elements: Flow logs, Lambda Function, Event (event-based).
  23. NIST CSF: Respond. Categories: Response Planning (RS.RP), Communications (RS.CO), Analysis (RS.AN), Mitigation (RS.MI), Improvements (RS.IM). Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. AWS service configurations and Security Automation are updated/improved. Diagram elements: Filtering rule, ACL, Subnet Rule.
  24. Automate with integrated services (diagram): Event (event-based) → Lambda Function → Filtering rule, alongside other AWS and Partner Services.
  25. NIST CSF: Recover. Categories: Recovery Planning (RC.RP), Improvements (RC.IM), Communications (RC.CO). Organizational recovery activities are improved by incorporating lessons learned from current and previous detection/response activities. AWS service configurations and Security Automation are updated/improved.
  26. Thank you! Min Hyun, hyunmin@amazon.com; Michael South, mlsouth@amazon.com.
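Slides 22 and 24 describe the Detect pipeline only as diagram labels (Flow logs → Event → Lambda Function → Filtering rule). The following is an added example, written for this page and not code from the AWS whitepaper or workbook, of what the Lambda step in that pipeline could look like for the DE.AE (Anomalies and Events) and DE.CM (Security Continuous Monitoring) categories: it receives a CloudWatch Logs subscription event carrying VPC Flow Log records in the default v2 format, parses them, and flags any source whose rejected connection attempts hit many distinct destination ports on one host. The flow log lines, account ID, interface ID, addresses and the `min_ports` threshold are all constructed for the example; a real deployment would hand the returned findings to a notification or response workflow rather than just return them.

```python
import base64
import gzip
import json
from collections import defaultdict

# Constructed sample VPC Flow Log records (default v2 format, 14 space-separated
# fields). Account ID, interface ID and IP addresses are made up for this example.
SAMPLE_FLOW_LOGS = [
    "2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 41000 22 6 1 40 1560000000 1560000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 41001 23 6 1 40 1560000000 1560000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 41002 3389 6 1 40 1560000000 1560000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 41003 445 6 1 40 1560000000 1560000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 41004 8080 6 1 40 1560000000 1560000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.15 52000 443 6 12 6400 1560000000 1560000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.15 52001 443 6 1 40 1560000000 1560000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1560000000 1560000060 - NODATA",
]

# Field order of the default VPC Flow Log format (version 2).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]


def parse_record(line):
    """Parse one default-format flow log line; return None for malformed or no-flow records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # NODATA / SKIPDATA records describe no flow
    return rec


def find_rejected_port_sweeps(lines, min_ports=5):
    """Flag (src, dst) pairs whose REJECTed attempts touched at least min_ports distinct ports."""
    ports_by_pair = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT":
            ports_by_pair[(rec["srcaddr"], rec["dstaddr"])].add(rec["dstport"])
    findings = []
    for (src, dst), ports in sorted(ports_by_pair.items()):
        if len(ports) >= min_ports:
            findings.append({"srcaddr": src, "dstaddr": dst,
                             "rejected_ports": sorted(ports, key=int)})
    return findings


def build_subscription_event(lines):
    """Construct a CloudWatch Logs subscription-filter event (base64 of gzipped JSON) for offline use."""
    payload = {
        "messageType": "DATA_MESSAGE",
        "logGroup": "/vpc/flow-logs",            # hypothetical log group name
        "logStream": "eni-0a1b2c3d-all",         # hypothetical stream name
        "logEvents": [{"id": str(i), "timestamp": 1560000000000 + i, "message": m}
                      for i, m in enumerate(lines)],
    }
    raw = gzip.compress(json.dumps(payload).encode())
    return {"awslogs": {"data": base64.b64encode(raw).decode()}}


def lambda_handler(event, context=None):
    """Lambda entry point: decode the subscription payload, run detection, return findings."""
    data = json.loads(gzip.decompress(base64.b64decode(event["awslogs"]["data"])))
    lines = [e["message"] for e in data.get("logEvents", [])]
    findings = find_rejected_port_sweeps(lines)
    # In a deployed pipeline this is where findings would be published (e.g. to a
    # topic or ticketing workflow) so a response step can act on them.
    return {"records": len(lines), "findings": findings}


if __name__ == "__main__":
    print(json.dumps(lambda_handler(build_subscription_event(SAMPLE_FLOW_LOGS)), indent=2))
```

Running the block offline reports one finding for 198.51.100.23 against 10.0.1.15 (five distinct rejected ports) and nothing for 203.0.113.7, whose single rejected attempt stays below the threshold. Tune `min_ports` and the aggregation window to the traffic profile of the monitored subnet; the value here is arbitrary and would produce noise on a busy internet-facing interface.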
