How to Evaluate and Enforce NIST Cybersecurity Framework (CSF) Security Compliance Standard in Cloud Environment

The National Institute of Standards and Technology Cyber Security Framework (NIST CSF) outlines leading business policies and technological requirements for managing risk. The framework consists of five concurrent and continuous functions: Identify, Protect, Detect, Respond, and Recover. This guide specifically focuses on key technological CSF requirements for four of the functions and explains how they map into controls within a cloud computing environment. Arm yourself with the information you need to ensure that your cloud compliance platform is equipped with the appropriate tools to align with NIST CSF.

The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is designed as a foundational protocol for companies to follow to ensure an organization’s infrastructure is secure. Complying with NIST guidelines could also help achieve compliance with other regulations, such as HIPAA, FISMA, or SOX.

Read on this article to get a handy checklist of requirements that can be used to evaluate security solutions to protect your cloud computing environment based on the NIST Cyber Security Framework (CSF). Serverless architectures are inherently more secure, but there are nuances that organizations need to mitigate to ensure both security and compliance. Read on this article to learn:

• The drivers for NIST compliance
• NIST cloud security framework
• 6 critical capabilities of a cloud compliance solution
• A checklist of requirements to evaluate cloud security vendors that assess your adherence to NIST CSF controls
• NIST CSF controls and recommended actions to ensure compliance
• New factors that make continuous compliance for NIST CSF an imperative

Content Summary

Drivers for NIST 800-53 compliance
The shared responsibility model in the cloud
Cloud challenges faced when ensuring compliance
Why you need an automated solution today
NIST cloud security framework
NIST CSF controls
6 critical capabilities of a cloud compliance solution
Compliance solution selection checklist

Discover:

• New factors that make continuous compliance for NIST Cybersecurity Framework (CSF) an imperative
• NIST CSF controls and recommended actions to ensure compliance
• Six critical capabilities your organization should demand from a cloud compliance solution
• Checklist of requirements to evaluate cloud security vendors that assess your adherence to NIST CSF controls

Arm yourself with the information you need to ensure that your cloud compliance platform is equipped with the appropriate tools to align with NIST CSF.

Drivers for NIST 800-53 compliance

Overview

NIST Special Publication 800-53 (Revision 4) provides a catalog of security controls for U.S. federal information systems. Most U.S. federal information systems must implement their security and privacy controls based on this framework.

Federal Information Systems must go through an assessment and authorization process to ensure sufficient protection of confidentiality, integrity, and availability of information and information systems, based on the security category and impact level of the system (low, moderate, or high), and a risk determination.

Most U.S. federal information systems must specify their security and privacy controls based on NIST 800-53 framework. Each agency is responsible for implementing the minimum security requirements as outlined by NIST. Agencies that run federal information systems, are periodically assessed to determine their compliance level and results are presented to Congress. Poor compliance results can lead to heavy penalties and reputation damages.

NIST 800-53 Upcoming Changes

NIST Special Publication 800-53 (Revision 5) — draft version was released in August 2017 with the Final Public draft expected to be released by the end of Q1 2019. Revision 5 on NIST 800-53 introduces some significant changes:

• It incorporates the cybersecurity framework that allows integration with different risk and security approaches. For example, by using the NIST Cybersecurity Framework (CSF) appropriate language, it will now make the security and privacy control more outcome-based by changing the structure of the control.
• It provides a consolidated view of the privacy and security controls catalog.
• It includes new state-of-the-practice controls based on threat intelligence and empirical attack data.

While NIST CSF was primarily written by the National Institute of Standards and Technology (NIST), the same organization behind NIST 800-53, there are several differences between them. The CSF Framework is concise, voluntary, and builds on existing frameworks such as COBIT.

The CSF Framework is more high-level compared to NIST 800-53. It focuses on how to access and prioritize security functions, and references existing documents like NIST 800-53, COBIT 5, and ISO 27001.

The shared responsibility model in the cloud

Security in the public cloud is built on the shared responsibility model. The cloud provider manages the infrastructure, including the network, data storage, system resources, data centers, physical security, reliability, and supporting hardware and software.

AWS is solely responsible for configuring and managing the security of the cloud. AWS manages the security of the cloud and the customer is responsible for the security in the cloud. AWS inherited controls cover about 30% of the required controls for NIST CSF that are in the purview of the cloud provider.

The remaining controls are the responsibility of the customer which include the guest operating systems, deployed applications, and select networking resources (firewalls).

NIST CSF Specific Shared Responsibility

While some of the NIST CSF controls are handled natively by AWS, the responsibility for other controls is shared between AWS and the customer, while still others are the sole responsibility of the customer. The portion of shared controls that the customer is responsible for, and controls related to applications you implement on top of the AWS infrastructure, must be separately assessed and authorized by the customer.

Compliance teams can use the NIST Cybersecurity Framework (CSF) whitepaper to assess their AWS environment against the NIST CSF and improve the security measures for their cloud infrastructure.

While using third-party tools is not mandatory, an automated platform that can help assess the cloud infrastructure and monitor for NIST CSF or NIST 800-53 compliance, is critical. This is the only way to continuously monitor and ensure that rigorous standards are met because we live in the cloud era, where new instances and cloud assets are being spun up and down every second.

Cloud challenges faced when ensuring compliance

Design and implementation of technical security and privacy controls in the cloud present the unique challenges listed below:

Lack of visibility

According to a recent study of information security professionals, lack of visibility into infrastructure security is the biggest cloud management challenge. Per the latest 2018 Cloud Security Report based on a survey conducted of 400,000 Information Security professionals on LinkedIn, the top three security control challenges SOCs are struggling with are visibility into infrastructure security (43%), compliance (38%) and setting consistent security policies across cloud and on-premises environments (35%). Companies need tools that provide security visualization, management, and enforcement of compliance and security best practices.

Ever-changing cloud technology

Existing security solutions are not designed to support dynamic cloud infrastructure that is rapidly changing.

Knowledge gap

One of the cloud computing challenges is the lack of specific cloud security knowledge in the DevOps/Compliance teams. This knowledge gap makes it even more difficult to develop enterprise-wide guidelines and best practices with detailed technical recommendations.

Large amounts of data

Existing security and compliance tools are focused on analyzing large volumes of data and generating text-heavy reports. These tools cannot visualize configuration/activity data, and cannot support real-time monitoring of compliance and security requirements.

Remediation challenges

Complex cloud architectures make it difficult to identify known issues immediately upon discovery and perform the necessary remediation actions all from a single platform.

Why you need an automated solution today

Data security and compliance is a never-ending task. The dynamic nature of the cloud environment combined with growing cloud footprints that organizations maintain today makes this task even harder. As things change within a cloud’s infrastructure, it becomes difficult to keep track of whether you are still compliant with current standards and policies. Using traditional tools and performing compliance assessments once or twice a year is no longer enough. Once an organization has established the security controls required for regulatory compliance, it should enforce continuous auditing and testing to validate and prove that compliance is maintained.

This guide contains a handy checklist of requirements that can be used to evaluate security solutions to protect your cloud computing environment based on the NIST Cybersecurity Framework (CSF).

NIST cybersecurity framework

The NIST CSF outlines the set of business policies and technological requirements for managing risk. It consists of five concurrent and continuous functions: Identify, Protect, Detect, Respond, and Recover. This guide specifically focuses on key technological CSF requirements for four of the functions and explains how they map into controls within a cloud computing environment.

Most of the NIST CSF controls can be categorized as being either procedural or technical controls. Procedural controls are usually policies, procedures, and process-related. Technical controls typically relate to the configuration of your cloud environment and should be implemented and assessed using cloud security tools.

NIST CSF controls

If your organization is running workloads in the cloud, the platform natively provides controls that can help you ensure compliance requirements. For example, AWS provides compliance checks for 30% of NIST CSF controls. Yet by using the Compliance Engine from CloudGuard Dome9, customers can automate an additional 25% of NIST CSF requirements.

6 critical capabilities of a cloud compliance solution

Customers looking for a cloud compliance solution should look for the following 6 must-have capabilities that will simplify their compliance journey in the cloud:

Visibility into all of your cloud assets

Changes in cloud environments occur every minute, which can significantly impact cloud security posture. Since 2011, the cost of non-compliance has increased by 45%, now coming out to $14.82 million2. Without proper visibility, teams lack insight into their cloud compliance posture. IT teams should leverage tools that provide comprehensive visibility into their NIST CSF, and NIST 800-53 compliance status across all cloud regions and accounts. This tool should visualize the infrastructure as well as collect and report on all cloud assets via a “single pane of glass” for comprehensive visibility of your cloud environment.

Automated and continuous compliance monitoring

As development scales up in the cloud and across multiple accounts, manual control monitoring within production environments becomes increasingly time-consuming and can lead to configuration and compliance drift. This inefficiency can be costly and slow down product innovation and time-to-market. Once an organization has established the security controls required for regulatory compliance, it should enforce continuous audit monitoring to validate and report on any issues or incidents. In fact, according to Ponemon, automated compliance technologies saved the average organization $1.43 million a year3. Compliance teams should monitor their infrastructure on an ongoing basis and assess whether their cloud security configuration is compliant with NIST standards.

Instant alert notification

Alerts and notifications should be generated based on continuous scanning of the cloud infrastructure and be easily investigated. Flexibility and customization are key attributes along with various notification options (email, SNS, Slack, etc.) to ensure the SOC team can appropriately respond.

Automatic Remediation

Leveraging auto-remediation capabilities enables you to instantly mitigate risk, helping to maintain a robust security posture, and limiting human error as you scale. The sharp rise in the number of recent S3 bucket leaks (FedEx, Honda) and attacks (etc DDOS attack) in the news has led to a large scale financial and reputation damage. The only reliable way to consistently accelerate time-to-misconfiguration detection and time-to-resolution in a cloud environment are through automation. Attacks can happen for a multitude of reasons, but the delay in time-to-resolution largely occurs due to the inefficiencies in SOC workflows today. After well-defined and mature policies are in place for your organization, customers should implement automatic remediation of critical workflows as best practice. For example, the SOC team can add tags to S3 buckets and subsequently enable automatic remediation of misconfigurations (for example: remove public-facing permissions on the bucket, delete bucket). Or if common vulnerabilities and exposures (CVE) for a missing update are detected, an automatic trigger to invoke Lambda functions to update the instance can be established.

Verification of Backup and Recovery Configurations

The FBI recommends backing up your most sensitive information regularly. It is also recommended by the FBI to verify the integrity and security of those backups. The best way to protect backups is to maintain these separately from the production environment since ransomware can corrupt backup copies. Snapshots and replication are vulnerable to time-delayed ransomware attacks and should be continuously monitored. For more info, see FBI Report.

Validation of Vendor Solution Compliance

Several third-party cloud security and compliance automation tools claim their platforms are secure. For companies, as their customer data and workloads grow, they need to validate that the security platform itself is compliant with regulatory standards. When choosing a security and compliance solution provider, be sure the vendor meets rigorous security, privacy, and compliance standards.

Compliance solution selection checklist

Customers use this checklist to evaluate cloud security and compliance tools for your NIST 800-53 and CSF compliance needs.

Source: Leader in Cyber Security Solutions | Check Point Software