AWS Public Sector Blog

Protecting transportation agencies in the era of cybersecurity

Transportation agencies are increasing their focus on cybersecurity prevention due to persistent threats. Federal agencies recently outlined four actions that can help transportation agencies with their cybersecurity posture.

Learn how transportation agencies can use Amazon Web Services (AWS) to support these four cybersecurity best practices and position their organizations against cyber threats.

1. Develop network segmentation policies and controls

AWS offers vetted solutions and architectural guidance to solve a wide variety of business challenges. One of the existing solutions is Workload Isolation Boundary, which enables organizations to create and manage isolated environments. This approach reduces the scope of impact due to cybersecurity events and eases compliance complexity by providing mechanisms to isolate access and resources.

Workloads often have distinct security profiles that require separate control policies and mechanisms. The resources and data that make up a workload are separated from other environments and workloads with defined isolation boundaries. An identity and access management (IAM) isolation boundary reduces the risk of an update impacting a different workload, simplifies cost management, and allows application teams to operate within a bounded environment.

AWS Control Tower enables organizations to set up and govern a secure, multi-account AWS environment in under 30 minutes. It automates the setup of security tools with built-in governance. AWS Control Tower automates configuration of AWS Organizations, which offers policy-based management for multiple AWS accounts; AWS CloudTrail, which helps enable governance, compliance, and operational and risk auditing of AWS accounts; and AWS IAM Identity Center (successor to AWS Single Sign-On), which helps securely create or connect workforce identities and manage their access centrally across AWS accounts and applications. IAM Identity Center is the recommended approach for workforce authentication and authorization on AWS for organizations of any size and type.

Figure 1. How AWS Control Tower supports an organization’s AWS environment. AWS Control Tower simplifies AWS experiences by orchestrating multiple AWS services while maintaining the security and compliance needs of your organization.

2. Create access control measures

AWS Identity and Access Management (IAM) enables organizations to securely manage identities and access to AWS services and resources. Customers can centrally manage fine-grained permissions and analyze access to refine permissions across their environment. Users are granted access to only the services, resources, and information that they need to perform tasks. Each user can also be assigned unique security credentials, access keys, and multi-factor authentication devices. Organizations can integrate IAM policies and permissions with directories that they already manage, including Microsoft Active Directory, AWS Directory Service, or an OpenID Connect provider. AWS identity and networking services provide core Zero Trust building blocks as standard features that can be applied to both new and existing workloads.

Implementing controls on isolated resource environments can provide cloud customers with the autonomy to build workloads to meet their business objectives while supporting compliance with standards and regulations. Controls can be either preventative or detective. Other controls include generating and using encryption keys with AWS CloudHSM, which helps customers manage single-tenant hardware security modules (HSMs) on AWS. Encryption keys can also be used to digitally sign and protect data. Customers can also use AWS Key Management Service (AWS KMS) to create, manage, and control cryptographic keys across their applications and AWS services.

Figure 2. AWS Identity and Access Management supports fine-grained permissions across AWS services and resources.

Data security is measured not by the number of people who are fingerprinted but by the ability to eliminate access to data altogether. The AWS Nitro System virtual compute instances operate on a locked-down security model that prohibits all administrative access, including that of Amazon employees, eliminating the possibility of human error and tampering. This restricts access to managed resources (virtual devices, services, virtual private clouds, etc.) to only authorized customer personnel. These technical controls, featured in the FBI CJIS Security Policy, can be seamlessly implemented in transportation solutions built on AWS.

3. Implement continuous monitoring and detection policies and procedures

Amazon GuardDuty is a threat detection service that automatically and continuously monitors workloads for malicious activity. It exposes threats quickly using anomaly detection, machine learning (ML), behavioral modeling, and threat intelligence feeds. GuardDuty delivers detailed security findings for visibility and remediation, which can then be acted on using tools like AWS Security Hub or Automated Security Response on AWS.

AWS Security Hub automates and aggregates security alerts from both AWS services and partner products in a standardized format. Other AWS security posture tools include identification of vulnerabilities, sensitive data classifications, and resource configuration issues. All security findings are normalized before they are ingested into Security Hub, reducing time-consuming and resource-intensive processes. Security Hub has out-of-the-box integrations with ticketing, chat, security information and event management (SIEM), security orchestration automation and response (SOAR), threat investigation, governance risk and compliance (GRC), and incident management tools to provide users with a complete security operations workflow.

Similar to the Workload Isolation Boundary solution, customers can use the Automated Security Response on AWS solution. The solution is an add-on that works with Security Hub and provides predefined response and remediation actions based on industry compliance standards and best practices for security threats. It includes a portfolio of predefined security response and remediation actions, or playbooks. Customers can choose the individual playbooks they want to deploy.
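To make the normalized-findings and playbook idea concrete, here is an added example that is not part of the original post and not the Automated Security Response solution's own code: it takes findings in the AWS Security Finding Format (ASFF) that Security Hub ingests and routes each one to a playbook, an analyst, or nowhere. The findings, account IDs, ARNs, finding types and playbook names are constructed placeholders.

```python
import json

# Constructed sample ASFF findings (IDs, ARNs and Types are made-up placeholders).
SAMPLE_FINDINGS = json.loads("""[
 {"Id": "finding-0001",
  "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
  "Types": ["TTPs/Command and Control/EXAMPLE-C2Activity"],
  "Severity": {"Label": "HIGH", "Normalized": 70},
  "Resources": [{"Type": "AwsEc2Instance",
                 "Id": "arn:aws:ec2:us-east-1:111111111111:instance/i-0example"}],
  "Workflow": {"Status": "NEW"}},
 {"Id": "finding-0002",
  "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
  "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
  "Severity": {"Label": "MEDIUM", "Normalized": 40},
  "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}],
  "Workflow": {"Status": "NEW"}},
 {"Id": "finding-0003",
  "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
  "Types": ["TTPs/Initial Access/EXAMPLE-BruteForce"],
  "Severity": {"Label": "LOW", "Normalized": 20},
  "Resources": [{"Type": "AwsEc2Instance",
                 "Id": "arn:aws:ec2:us-east-1:111111111111:instance/i-1example"}],
  "Workflow": {"Status": "RESOLVED"}}
]""")

# Hypothetical playbook catalogue: (minimum normalized severity, resource type, playbook).
# Playbook names are illustrative, not the solution's own identifiers.
PLAYBOOKS = [
    (70, "AwsEc2Instance", "isolate-instance"),
    (40, "AwsS3Bucket", "block-public-access"),
]


def route_finding(finding: dict) -> dict:
    """Decide what to do with one ASFF finding: skip, run a playbook, or notify an analyst."""
    if finding.get("Workflow", {}).get("Status") != "NEW":
        return {"id": finding["Id"], "action": "skip", "reason": "already handled"}
    sev = finding.get("Severity", {}).get("Normalized", 0)  # ASFF normalizes severity to 0-100
    for res in finding.get("Resources", []):
        for min_sev, rtype, playbook in PLAYBOOKS:
            if sev >= min_sev and res["Type"] == rtype:
                return {"id": finding["Id"], "action": "playbook",
                        "playbook": playbook, "target": res["Id"]}
    # Nothing matched a deployed playbook: hand it to a person rather than acting blindly.
    return {"id": finding["Id"], "action": "notify", "severity": sev}


def triage(findings: list) -> list:
    return [route_finding(f) for f in findings]
```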

Figure 3. AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation.

4. Apply security patches and updates

AWS Systems Manager is the operations hub for AWS applications and resources. It provides a secure end-to-end management solution for hybrid cloud environments that enables secure operations at scale. A capability of AWS Systems Manager is Patch Manager, which automates the process of patching managed nodes with both security-related updates and other types of updates. Patch Manager can also automatically process the installation of security-related updates for both the operating system and applications.

Figure 4. AWS Systems Manager is a secure end-to-end management solution for resources on AWS and in multi-cloud and hybrid environments.

Learn more about AWS for transportation authorities

AWS is committed to supporting transportation agencies and entities as they develop cybersecurity and resiliency strategies to support the nation’s critical infrastructure. Transportation agencies and authorities around the world, including airport and aircraft operators, use AWS to secure their operations while innovating for constituent service improvements.

To learn more about how AWS can support your organization in meeting cybersecurity best practices, including how to set up a more detailed security architecture, start a conversation with the AWS for Airports team.


Tyler Subasic

Tyler Subasic is the US airport lead for Amazon Web Services (AWS). He is focused on cloud services that support airport modernization and resiliency. Prior to working at AWS, Tyler led airport affairs for Amazon Air, where he increased network destinations by 400% and led selection criteria and negotiation for four nine-figure projects. Tyler has also been a senior consultant supporting Hartsfield-Jackson Atlanta International Airport, a quality control lead for nuclear construction, and is a licensed professional engineer.