How to use the NIST framework to secure your cloud
Using cloud services such as AWS, Azure and Google Cloud together with the NIST Cybersecurity Framework can improve your cloud security posture. Here's how the framework works best for the cloud.
A lot of security practitioners are familiar with the NIST Cybersecurity Framework. Reputable security practitioners benefit from it since it provides a universal language that normalizes all discussions. Efforts can be made by any organization to improve their security posture using the CSF. This streamlines security management, and allows for better sharing of information.
The framework was initially criticized for being insufficiently specific about cloud environments when it was released in 2014. There has been increased documentation provided by cloud providers aimed at clarifying any ambiguities in the NIST framework. As part of their commitment to ensuring cloud security, cloud providers have taken it a step further and aligned their products to the NIST framework for cloud security.
Every cloud provider communicates this in a different way. The following sections will discuss some of the specific artifacts created and published by cloud service providers in detail and how they can be used to follow the NIST Framework for cloud security initiatives.
AWS Cloud support for NIST CSF
"Aligning to the NIST Cybersecurity Framework in the AWS Cloud" provides a comprehensive overview of the features built into AWS, corresponding to each of the five CSF domains. Each of the five CSF domains - Identify, Protect, Detect, Respond and Recover - as well as AWS's corresponding features and functions are described in the document.
AWS includes, among other features, its Simple Notification Service, the S3 access logs, the database logs, CloudTrail, CloudWatch and other detection features within the Detect section of the CSF domain. AWS collects threat intelligence feeds through its other services and then analyzes the log information using machine learning and artificial intelligence. Customers can also integrate their SIEM systems with it.
In addition, the white paper addresses other topics associated with the CSF. This includes independent certification from Kratos SecureInfo stating that AWS "demonstrates its adherence to the NIST CSF" through FedRAMP and ISO controls. The report provides a roadmap of AWS features in the context of the CSF.
Microsoft Azure Cloud support for NIST CSF
Microsoft published a set of documents corresponding to each of the NIST CSF domains for its Azure platform. The document "Microsoft Azure Enables NIST CSF Compliance: Recover Function" outlines specific guidance regarding how to use the Azure platform to perform data recovery. The Azure report, presented in a more narrative format compared to AWS, outlines various features that align with the Recover section of the CSF domain.
There are also areas in Microsoft's documentation where customers must take responsibility together with the service provider, including areas with a call to action. Microsoft provides NIST and other standard specifications for its products. Also included is an independent attestation confirming Azure's alignment with NIST standards.
Google Cloud support for NIST CSF
A Google document entitled "NIST Cybersecurity Framework & Cloud" explains how the NIST CSF framework aligns with Google's products. Google maps each of the five CSF domains with their own products and briefly explains what they each offer. The report presents the products available to satisfy compliance for each CSF domain ID. Each product's benefits for each domain are outlined in brief bullet points, along with links to each product's URLs. For instance, under the Identify domain, the document notes that Forseti Security - captures and stores information about your GCP (Google Cloud Platform) resources using the Cloud Asset API.
Coalfire, a security advisor, provides Google third-party attestation that Google "implemented all NIST SP 800-171 controls but noted three deviations.".
Other cloud providers' support for NIST CSF
Both Oracle Cloud and IBM Cloud have documentation regarding implementing the NIST framework for cloud security. What the CSF is and how it should be integrated into a risk management program are outlined by IBM. It also discusses its products and services that assess an organization's security posture and how it maps the NIST CSF framework to the cloud.
According to Oracle's documentation, its cloud products and services are aligned with the NIST CSF.
How are these all valuable?
Various ways! It can, for example, be a factor in your security team's risk mitigation discussions. Also, it may be used to help select controls for addressing issues arising from threat modeling analysis, as well as to identify compensating controls when other issues are detected.
You need a trusted partner to help you with your NIST CSF and other compliance roadmaps, and make your journey to an improved cybersecurity posture as smooth as possible. Contact us for cybersecurity assessment and compliance services.