NIST Cybersecurity Framework and Your Cloud
October 25, 2019
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is currently one of the most popular standards for small to medium sized companies with an emphasis on cloud computing. Introduced in 2014 and updated in 2018, CSF offers an alternative to the NIST 800-53 standard. NIST 800-53 was developed in 2005 as an implementation of the Federal Information Security Modernization Act of 2002 (FISMA) which was passed due to the demand for greater protection from cyber threats after 9/11. It was a complicated standard and intended for non-military governmental systems. It became quite popular with private sector businesses however, as it was high quality and quite complete in its coverage. Still, it was focused largely on on-premise infrastructure and had some requirements that brought little value outside of a government setting. Responding to the need for a modern set of guidance for private sector businesses, CSF was created.
CSF is not a regulatory standard, but rather a voluntary guidance framework. There is no way to become “certified” as complying with it. Some companies such as Amazon have used independent auditors to validate that their services “align” with the framework, but even this is based on certification for other standards such as ISO and FedRAMP. With CSF, passing audit is not the goal, but rather it focuses on quality risk analysis and is outcome driven. That is not to say it is not useful in matters of regulation. It was proposed (but did not pass) in an amendment to define “reasonable security procedures and practices” in California’s new CCPA law. This follows a long legacy of legislatures using NIST standards as a measuring stick for legal compliance. The message seems clear that a security program built around NIST CSF will provide a strong legal argument for due diligence under several laws and will generally be a useful stepping stone toward implementing other industry standards.
It is easy to see its usefulness, and you might wonder what is actually involved with implementing it. The framework divides into 5 areas: Identify, Protect, Detect, Respond, Recover. If you have been working in the Information Security Incident Response field for very long these should strike you as a familiar variation on the theme of SANS PICERL or NIST 800-61. This choice emphasizes the framework’s pragmatic approach to security. The framework further is divided into three components: Core, Tiers, and Profiles. The Core is a set of activities or outcomes that form the heart of CSF alignment. This is the list of things you must do. Tiers defines the rigor, or maturity, of the various parts of the program. Of the things you do, how well do you do them? If you are familiar with the Capability Maturity Model (CMM) these will again be familiar territory. The final component, Profiles, is where the framework shows off its flexibility. Profiles are where you can use a formalized process to align your business objectives, risk appetite, and budget and resource constraints with implementation of the framework. Not all companies face the same threats. Some push hard for innovation and its accompanying risks, while others try to support customers with tried and true services that have rock solid security. Developing an appropriate profile for your company is one of the most important steps in implementing the framework. As the framework is voluntary, there are no wrong choices. Companies may implement as much or as little of the framework as fits their needs, but using a formalized profile will help executives feel comfortable that their decisions are based on sound reasoning rather than simply focusing on easy wins.
Lacework is an excellent partner through every step of this process. Lacework has trained experts on CSF and has implemented powerful tools to apply these security principles to the cloud. For example, one of the major challenges to cloud implementations is the lack of visibility. With constantly changing virtual systems it can be difficult to determine what types of interactions between systems or internet resources represent normal business operations and what may present a problem. Lacework uses sophisticated threat intelligence and machine learning with its close integration with cloud services, such as CloudTrail, to analyze and surface the most significant events. This supports many aspects of the Detect and Respond portions of the framework.
Lacework also uses its substantial experience with cloud services to detect common misconfigurations, such as those that have recently made headlines. This supports the Protect aspect. Lacework also has one of the easiest automated deployments in the industry. This allows Lacework to keep pace with the sometimes volatile inventories of cloud environments. This is essential to implement the Identify portion of the framework. Finally Lacework has powerful tools that allow you to take immediate action based on alerts, supporting the Respond and Recover portion of the framework.
You may notice that the above descriptions do not eliminate the need for quality security professionals. No security program can run itself, but Lacework through powerful tools and award winning support can enable your security professionals to get the most out of their abilities and resources as they build a complete program based on the CSF.