Optimizing cloud governance on AWS: Integrating the NIST Cybersecurity Framework, AWS Cloud Adoption Framework, and AWS Well-Architected
Your approach to security governance, risk management, and compliance can be an enabler of digital transformation and business agility. As more organizations progress in their digital transformation journey—empowered by cloud computing—security organizations and processes cannot simply participate; they must lead that transformation.
Today, many customers establish a security foundation using technology-agnostic risk management frameworks—such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)—to understand their organization’s current capabilities, set goals, and develop a plan to improve and maintain security posture. However, you still need the right model to optimize security outcomes in the cloud. To help you adapt your security program for the cloud, AWS developed two tools: the AWS Cloud Adoption Framework (CAF) and the AWS Well-Architected Framework. By complementing your risk-based foundation with the AWS CAF, you can integrate your organizational business drivers at scale as you move to the cloud; and, when you’re ready to implement specific workloads, you can use the AWS Well-Architected Framework to design, measure, and improve your technical implementation.
Through this post, we will explore the value and use of the NIST CSF as a framework to establish your security objectives, assess your organization’s current capabilities, and develop a plan to improve and maintain your desired security posture. We will then look at how to use the AWS CAF to help you begin your digital transformation journey in the AWS Cloud with strategies around organizational practices and governance at scale that align to your business drivers. Next, we will cover how the AWS Well-Architected Framework can enable security best practices at the workload level. And lastly, we will bring everything together to demonstrate how these frameworks are mutually supportive. Figure 1, below, shows how using these three complementary frameworks can optimize your security outcomes. While they can be used independently, each builds upon the other to strengthen and mature your cloud environment and organizational security program.
Figure 1: Using the AWS Cloud Adoption Framework (CAF) and AWS Well-Architected Framework to help meet NIST Cybersecurity Framework (CSF) objectives and achieve a target profile
As shown in Figure 1, this process involves the following steps:
- Establish your organization’s cybersecurity governance and desired security outcomes with the NIST CSF, using the Core Functions and Implementation Tiers to create your Target Profile.
- Prepare for cloud migration and implement a scalable foundation using AWS CAF to map those capabilities in the cloud.
- Measure and improve your security architecture and operational practices with AWS Well-Architected and select the AWS services to support your security needs.
As you work to organize and optimize security on AWS, it is important to understand that security is a shared responsibility between you and AWS, as described in our shared responsibility model. This shared model can reduce your security burden and help you attain your risk-based security goals.
NIST CSF – Establish your security governance and desired security outcomes
Ideally, your organization is already using a framework for your organizational security program, but if not, you can consider using the NIST CSF, an internationally recognized risk management framework intended for use by any organization, regardless of sector or size. The CSF provides a simple and effective method for understanding and communicating security risk across your organization. Its technology and industry-agnostic approach allows for an outcome-based common taxonomy that you can use across your business, from the board level to your technical teams. We continue to see accelerating adoption of the CSF across industries and countries, and its principles are becoming standardized approaches, as we see in the latest ISO 27103:2018 and draft ISO 27101 standards.
The NIST CSF consists of three elements—Core, Tiers, and Profiles. The Core includes five continuous functions—Identify, Protect, Detect, Respond, and Recover—which you can map to other standards or control requirements as required by your business. The Tiers characterize an organization’s aptitude and maturity for managing the CSF functions and controls, and the Profiles are intended to convey the organization’s “as is” and “to be” security postures. Together, these three elements are designed to enable your organization to prioritize and address security risks consistent with your business and mission needs. See our whitepaper Aligning to the NIST CSF in the AWS Cloud to understand how AWS services and resources can integrate with your existing program.
The organizational context: Using the AWS Cloud Adoption Framework – Prepare your organization for the cloud
Cloud computing introduces a significant shift in how technology is procured, accessed, used, and managed. To operationalize and optimize your security program for the cloud, your organization needs to understand the new paradigm, update skills, adapt existing processes, and introduce new processes. The AWS Cloud Adoption Framework (CAF) helps organizations plan for a successful cloud migration—not just the technical aspects of a single application lift-and-shift, but with the intent to establish an organizational foundation that facilitates deploying, operating, and securing workloads at scale. This may include establishing a DevSecOps culture and processes, training staff and incorporating new paradigms into assignments and work, building shared cloud infrastructure and management service environments, implementing central governance and logging, and other aspects that will integrate with individual applications and use cases. Each organization’s path will be different, so it’s important to plan ahead and connect your business goals and desired security outcomes to the right processes and technologies.
As shown in Figure 2, the AWS CAF comprises six perspectives that you can use for planning and strategic considerations, based on common principles that apply to most organizations. Three perspectives—Business, People, and Governance—focus on the organization, while technical aspects are considered in the Platform, Security, and Operations perspectives. As we have seen with the NIST CSF, all of these perspectives influence the management of security risks and help you achieve your security outcomes. Using the AWS CAF, you can structure your security program to meet your desired outcomes with the agility, scale, speed, and innovation that come with AWS. The Security Perspective of the AWS CAF helps customers operationalize their security goals through its four principles: Directive, Preventive, Detective, and Responsive. Similar to the NIST CSF Identify function, the Directive principle provides guidance to help you understand your environment and data in the cloud. Preventive provides guidance to help you operate selected security controls in AWS; Detective provides a means to analyze the environment and alert on anomalies and risks; and Responsive looks to mitigate detected risks, with an emphasis on automation.
The AWS CAF Security Perspective comprises 5 core and 5 augmenting security epics—or themes—as depicted in Figure 3. Consistent with the principles of the NIST CSF, an organization’s foundational capabilities focus on identifying, applying, and scaling security best practices at the program and organizational levels to support business outcomes. The security epics begin with identity and access management as the backbone of a secure cloud deployment.
Secure and resilient system architecture: Using AWS Well-Architected Framework to measure and improve your workload architecture
The AWS Well-Architected Framework helps you understand considerations and key decision points for building systems on AWS—it is a framework for guiding and evaluating your workload architectures. By using AWS Well-Architected, you will learn architectural best practices for designing and operating reliable, secure, efficient, and cost-effective systems in the cloud. It provides a way for you to consistently measure your architectures against best practices and identify areas for improvement. The process for reviewing an architecture is a constructive conversation about architectural decisions, and having AWS Well-Architected systems increases the likelihood of business success.
To assist customers in documenting and measuring their workloads, we offer the AWS Well-Architected Tool (see Figure 5)—a questionnaire available on the AWS Management Console that helps you answer, “Am I well-architected?” AWS Well-Architected focuses on the workload level—your infrastructure, systems, data, and processes—by examining five core pillars: Operational Excellence, Security, Reliability, Performance Efficiency, and Cost Optimization.
You can use AWS Well-Architected for designing, evaluating, and continuously improving your architectures. After preparing, planning, and scaling for cloud migration using the Cloud Adoption Framework, AWS Well-Architected can inform how you secure specific workloads in line with the security outcomes (and Target Profile) applied from the NIST CSF.
Putting it all together
Using the NIST CSF, AWS CAF, and AWS Well-Architected, you can tailor your approach to incorporate security management best practices for your cloud journey. These three frameworks offer related but distinct lenses on how to approach security for your organization, connecting business goals and outcomes to your security program.
Using the NIST CSF, you can develop an organizational understanding of managing security risks. Using the AWS CAF, you can plan your cloud security approach, map activities to security controls operating in the cloud, and scale them throughout the organization. This will help you build out your architecture. You can then use AWS Well-Architected to consistently measure your workloads against best practices and identify areas for improvement.
The intent of this blog post is to demonstrate how the AWS Cloud Adoption Framework (CAF) and AWS Well-Architected can help you align with and meet the NIST Cybersecurity Framework (CSF) objectives, and provide an understanding that they are mutually supportive.
Below are a few recommendations to help you take advantage of this new understanding and guide you through the different frameworks that can help you meet your security and compliance objectives:
- Download and review:
- Aligning to the NIST Cybersecurity Framework in the AWS Cloud white paper and associated workbook
- AWS Cloud Adoption Framework, specifically the Security Perspective
- AWS Well-Architected Framework, specifically the Security and Reliability pillars
- AWS Service documentation for those services you are using or consider using
- Use the AWS Well-Architected Tool to perform a self-assessment of your alignment to AWS best practices. If you have questions about the results from your Well-Architected review and:
- you do not have a support plan and are not assigned an AWS account executive, leverage the free AWS Forums.
- you have Basic, Developer, or Business Support, and you have an assigned AWS account executive, request a meeting with a solutions architect to discuss.
- you have Enterprise Support, contact your AWS account executive and technical account manager (TAM) to request a meeting to discuss.
- If you’re not an existing customer, start your journey on AWS by reaching out to us here.
- If you’re looking for migration support, look into AWS Professional Services offerings and AWS consulting partners that can assist with implementing the AWS CAF and the AWS Well-Architected Framework as part of your cloud migration or optimization strategy.
- If you’re new to AWS, there are many online and in-person training and certification options provided by AWS and our partners.