AWS Public Sector Blog

Elevating cloud security to address regulatory requirements for security and disaster recovery

Organizations that operate in multiple European Union (EU) states must navigate and comply with a combination of EU and member states’ laws and regulations, all of which may have various technical requirements. For example, the EU adopted the Directive on Security of Network and Information Systems (the NIS Directive) in 2016 to provide member states legal measures to improve cybersecurity for collective benefit. All EU Member States have implemented the NIS Directive through local regulations and laws. You can use the European Commission’s NIS website to get an updated summary on its implementation and some of its key rules.

In this blog post, learn how Amazon Web Services (AWS) can support customers’ efforts in building their security environment to better address regulatory requirements through some core security objectives. You learn how you can build a foundation of security objectives practices that can be adapted to meet a dynamic policy environment and support the missions of national computer security incident response teams (CSIRT), operators of essential services (OES), digital service providers (DSP), and other identified sector organizations. This post covers information technology/operational technology (IT/OT) security operations areas like continuous monitoring, incident response, and disaster recovery. Plus, find additional links to resources for further deep dives and recommended next steps at the end of this post.

Please note that this blog post is a survey of some common security measures customers can take. Taking these measures alone may not suffice to meet the requirement of any particular regulation. Customers should seek out their own expert guidance on how to comply with any specific laws or regulations based on their own use case.

How AWS can enable national CSIRTs, OESs, and DSPs

Security is our top priority at AWS, and we build our infrastructure and services to meet the most stringent security and compliance requirements around the globe. You can benefit from our efforts with the ability to inherit security controls from the infrastructure you use, and employ AWS services and features to implement additional security controls within your environment to meet your specific objectives. AWS aligns or complies with several European compliance standards and provides services that you can use to help build a compliant application. You can review AWS compliance programs here.

This benefit extends to CSIRTs, OESs, DSPs, and as we demonstrated throughout the COVID-19 pandemic, AWS also provides these organizations with agility and scale for mission critical applications that have to adapt to unexpected market demands and the shift to a mobile and distributed workforce. The shift of organizations to the AWS Cloud was key to establish availability in business continuity planning. Many organizations found that their traditional on-premises application architectures and perimeter security models were not sufficient to support such a drastic change in government and business operations, which slowed their transition to new models to restore or scale services.

Each organization’s business, security, and compliance objectives and requirements are unique, so it is important to be cognizant of how the operational changes onset by the pandemic may affect your organization’s requirements. The good news is that AWS helps organizations around the globe meet similar requirements, and you can begin to plan for how to meet your national cybersecurity requirements using AWS. I’ll provide a few example services—delivered by AWS and our partners—that you can consider to help meet common security requirements.

Continuous monitoring

It is important for organizations to continuously monitor their environment for new threats, and detect unauthorized configuration changes and security events. Read on for a few AWS services that can be employed to meet this objective.

AWS Security Hub provides you with a single place that aggregates, organizes, and prioritizes security alerts and/or findings from other AWS security services and third-party partner solutions.

Figure 1. The AWS Security Hub framework, which includes Amazon GuardDuty, Amazon Macie, Amazon Inspector, AWS Firewall Manager, IAM Access Analyzer, and integrated partner solutions, continuously aggregates and prioritizes emerging trends and possible issues to conduct automated security checks.

Figure 1. The AWS Security Hub framework, which includes Amazon GuardDuty, Amazon Macie, Amazon Inspector, AWS Firewall Manager, IAM Access Analyzer, and integrated partner solutions, continuously aggregates and prioritizes emerging trends and possible issues to conduct automated security checks.

When enabled, it displays findings from multiple AWS services, such as Amazon GuardDuty, an intelligent threat detection service; Amazon Inspector, an automated security assessment service; and, Amazon Macie, a service that employs machine learning to detect, classify, and protect sensitive data stored in Amazon Simple Storage Service (Amazon S3). Sensitive data types include personal identifiable information (PII) such as names, addresses, and credit card numbers. It allows you to define your own custom sensitive data types so you can discover and protect what’s unique to your mission.

Security Hub enables you to monitor your security environment and compliance posture, giving you insight into the gaps and risks according to your defined requirements. Most importantly, you can also take action in response to these findings, including investigation.

For compliance monitoring, you can run automated, continuous security checks based on industry standards such as the Center for Internet Security (CIS) AWS Foundations Benchmark and Payment Card Industry Data Security Standard (PCI DSS). These reviews provide a security score and identify specific accounts and resources that require your attention.

Figure 2 depicts an example of the CIS-Monitoring dashboard:

 Figure 2. An example dashboard featuring the CIS AWS Foundations Benchmark. It displays a security score, and also features (not pictured) 48 fully automated, nearly continuous decks, with findings displayed on the main dashboard for quick access, and best practices information to help mitigate gaps to be in compliance.

 Figure 2. An example dashboard featuring the CIS AWS Foundations Benchmark. It displays a security score, and also features (not pictured) 48 fully automated, nearly continuous decks, with findings displayed on the main dashboard for quick access, and best practices information to help mitigate gaps to be in compliance.

Figure 3 includes examples of preconfigured rules for CIS standards:

Figure 3. Post-it notes with four CIS Benchmark examples for security standards: 1) Avoid the use of the “root” account; 2) Make sure AWS CloudTrail is enabled on all regions; 3) Make sure no security groups allow ingress from to port 22; 4) Make sure AWS Identity and Access Management (IAM) policies that allow full “*.*” administrative privleges are not created. There are 45+ pre-configured rules for CIS.

You can send findings to Security Hub or forward them to your preferred Security Information and Event Management (SIEM) solution. AWS Partner solutions can push your findings to Security Hub automatically in a standardized format to help make it easier for you to interpret your data. Check out the list of over 40 third-party products integrated with Security Hub. Review the Partner Integration Guide for advice on how to share findings with Security Hub and partner options.

AWS IAM Access Analyzer provides capabilities to identify resources shared with an external entity so you can spot potential security risks. You can also use AWS Firewall Manager, a security management service that allows you to centrally configure and manage firewall rules across your environment.

Create a business continuity and disaster recovery plan

Disaster recovery is another objective of many regulatory frameworks and a priority for many organizations, especially given the uncertainty of natural disasters and cybersecurity threats such as ransomware.

Migrating workloads to the cloud is a good first step to addressing the challenge, since on-premise data center failures, server corruptions, and cyber-attacks can disrupt operational continuity and lead to data and revenue loss. Actually, you can migrate any workload – applications, websites, databases, storage, physical, or virtual servers—and even entire data centers from an on-premises environment, hosting facility, or other public cloud to AWS. During your migration, you can leverage AWS’s years of experience to build organizational, operational, and technical capabilities, so that you can gain business benefits faster.

To be prepared for failure, natural disaster, and security events, an organization should have a backup strategy for its workload data that runs periodically or is continuous. The backup should also offer a way to restore the data to the point in time in which it was taken. Backup with point-in-time recovery is available through the following AWS services and resources: Amazon Elastic Block Store (Amazon EBS) snapshot, Amazon DynamoDB backup, Amazon Relational Database Service (Amazon RDS) snapshot, Amazon Aurora DB snapshot,  Amazon Elastic File System (Amazon EFS) backup (when using AWS Backup), Amazon Redshift snapshot, and Amazon Neptune snapshot. For example, with Amazon S3, you can use Amazon S3 Cross-Region Replication (CRR) to asynchronously copy objects to an S3 bucket in the disaster recovery region continuously, while providing versioning for the stored objects so that you can choose your restoration point.

One cost-effective and automated option for Amazon Elastic Compute Cloud (Amazon EC2) is CloudEndure Disaster Recovery, which continuously replicates operating systems, system state configurations, databases, applications, and more into a low-cost staging area in a target AWS account and preferred Region. In the case of a disaster, you can push CloudEndure Disaster Recovery to automatically launch thousands of your machines in their fully provisioned state in minutes. In addition to using CloudEndure to protect your AWS workloads, you can also use it to protect your on-premises workloads, where they are replicated and ready to deploy in AWS in the event of an on-premises failure.

Figure 4. The CloudEndure framework.

Figure 4. The CloudEndure framework.

You can read in greater detail about disaster recovery options in the cloud in this AWS whitepaper, “Disaster recovery options in the cloud.”

There is one note to emphasize that relates to the data that needs to be processed on premises with low latency. If you need to run essential services with sensitive data that you need to store and process locally, one hybrid cloud solution available to you is AWS Outposts. With Outposts, you can control where your workloads run and where your data resides, while using local operational tooling for things like monitoring and stability. It also allows low-friction movement of workloads between public cloud and the edge, and vice versa. The service offers the same hardware infrastructure, services, APIs, management, and operations on premises as in the cloud, which enables a consistent user experience across your hybrid cloud. Check out recent announcements on AWS Outposts from re: Invent 2020 to learn more.

Summary and next steps

AWS provides organizations from small businesses to large government enterprises to national CSIRTs the ability protect, detect, respond, and recover from a myriad of operational and security events. You can use AWS and partner services to help meet your industry regulations and compliance requirements. In addition, to understand the fundamentals of responding to security incidents within the cloud environment, consider reading the “AWS Security Incident Response Guide.” The whitepaper reviews how to prepare for detecting and responding to security incidents, explores the controls and capabilities at your disposal, provides topical examples, and outlines remediation methods that leverage automation to improve response speed.

To help customers plan their cloud adoption in a programmatic way, we offer the AWS Cloud Adoption Framework (CAF) which provides guidance and best practices to build a cloud foundation for agility and scale. You can learn about technology needs and the different perspectives on requirements like people, business, governance, platform, security, and operations. And at the workload level, our AWS Well-Architected guidance describes the key concepts, design principles, and architectural best practices for designing and running workloads in the cloud. It is based on five pillars–operational excellence, security, reliability, performance efficiency, and cost optimization–that help customers maximize their benefit of building and operating in AWS.

Learn more about our commitments to protect EU customer data.

Subscribe to the AWS Public Sector Blog newsletter to get the latest in AWS tools, solutions, and innovations from the public sector delivered to your inbox, or contact us.