AWS Security Blog
Introducing the Ransomware Risk Management on AWS Whitepaper
May 10, 2022: The Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF) whitepaper has been archived, so we have updated the link in this blog post accordingly.
AWS recently released the Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF) whitepaper. This whitepaper aligns the National Institute of Standards and Technology (NIST) recommendations for security controls that are related to ransomware risk management, for workloads built on AWS. The whitepaper maps the technical capabilities to AWS services and implementation guidance. While this whitepaper is primarily focused on managing the risks associated with ransomware, the security controls and AWS services outlined are consistent with general security best practices.
The National Cybersecurity Center of Excellence (NCCoE) at NIST has published Practice Guides (NIST 1800-11, 1800-25, and 1800-26) to demonstrate how organizations can develop and implement security controls to combat the data integrity challenges posed by ransomware and other destructive events. Each of the Practice Guides include a detailed set of goals that are designed to help organizations establish the ability to identify, protect, detect, respond, and recover from ransomware events.
The Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF) whitepaper helps AWS customers confidently meet the goals of the Practice Guides the following categories:
Identify and protect
- Identify systems, users, data, applications, and entities on the network.
- Identify vulnerabilities in enterprise components and clients.
- Create a baseline for the integrity and activity of enterprise systems in preparation for an unexpected event.
- Create backups of enterprise data in advance of an unexpected event.
- Protect these backups and other potentially important data against alteration.
- Manage enterprise health by assessing machine posture.
Detect and respond
- Detect malicious and suspicious activity generated on the network by users, or from applications that could indicate a data integrity event.
- Mitigate and contain the effects of events that can cause a loss of data integrity.
- Monitor the integrity of the enterprise for detection of events and after-the-fact analysis.
- Use logging and reporting features to speed response time for data integrity events.
- Analyze data integrity events for the scope of their impact on the network, enterprise devices, and enterprise data.
- Analyze data integrity events to inform and improve the enterprise’s defenses against future attacks.
- Restore data to its last known good configuration.
- Identify the correct backup version (free of malicious code and data for data restoration).
- Identify altered data, as well as the date and time of alteration.
- Determine the identity/identities of those who altered data.
To achieve the above goals, the Practice Guides outline a set of technical capabilities that should be established, and provide a mapping between the generic application term and the security controls that the capability provides.
AWS services can be mapped to theses technical capabilities as outlined in the Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF) whitepaper. AWS offers a comprehensive set of services that customers can implement to establish the necessary technical capabilities to manage the risks associated with ransomware. By following the mapping in the whitepaper, AWS customers can identify which services, features, and functionality can help their organization identify, protect, detect, respond, and from ransomware events. If you’d like additional information about cloud security at AWS, please contact us.
If you have feedback about this post, submit comments in the Comments section below.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.