Privacy conscious cloud migrations: mapping the AWS Cloud Adoption Framework to the NIST Privacy Framework

This post will help you make privacy-conscious cloud migration decisions by mapping the National Institute of Standards and Technology (NIST) Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management (NIST Privacy Framework) to the AWS Cloud Adoption Framework (AWS CAF).

AWS Professional Services created the AWS CAF to help organizations successfully migrate to the cloud. The CAF’s guidance and best practices provide a comprehensive approach to cloud computing across your organization. For those already in the cloud, AWS offers our recently updated AWS Well-Architected Framework (AWS WAF), which provides a way for you to consistently measure your cloud architectures against best practices and identify areas for improvement. A forthcoming AWS blog will highlight how the AWS CAF, AWS WAF, and NIST’s globally-recognized Cybersecurity Framework (NIST CSF) are complementary tools in building a cloud security program. For example, the Well-Architected Security pillar is comprised of five best practices (Identity and Access Management, Detection, Infrastructure Protection, Data Protection, and Incident Response) that may also be adopted to address the management of your privacy risks. You can also use the AWS Well-Architected Tool in the AWS Console to review the state of your workloads. The tool will then provide a plan on how to architect for the cloud using established best practices.

While you have an opportunity to raise the security bar when moving your organization to the cloud, you also need to consider how best to protect privacy in the cloud. Depending on your organization’s cloud maturity, cloud adoption might require fundamental changes across your organization. These possible changes are detailed in An Overview of the AWS Cloud Adoption Framework. The AWS CAF helps you create an actionable, enterprise-wide cloud migration plan for your organization. Similarly, the NIST Privacy Framework is a voluntary and customizable tool that encourages cross-organizational coordination in managing privacy risks by creating equivalence between privacy risks and other risks within your organization. The NIST Privacy Framework, used in conjunction with the AWS CAF, should make it easier for you to move your privacy practices to the cloud.

In particular, the NIST Privacy Framework—which is agnostic to law and technology—helps you manage your organization’s privacy risks by:

1. Considering privacy when designing and deploying systems, products, and services;
2. Communicating your privacy practices within your organization and to your external stakeholders; and
3. Encouraging enterprise-wide collaboration.

The following is a high-level overview of the two frameworks and a table mapping their similar attributes to aid you in your journey.

A familiar structure

The NIST Privacy Framework is modeled after NIST’s CSF, first released in 2014, so the two frameworks can be used in tandem when managing cybersecurity and privacy risks in preparation for your cloud migration journey. Similar to the NIST CSF, the three primary components of the NIST Privacy Framework are the Core, Profile, and Implementation Tiers. The NIST Privacy Framework Core, which is different from the NIST CSF Core, contains five functions each designated by a P to distinguish it from CSF functions.

• Identify-P: Develop the organizational understanding to manage privacy risk for individuals arising from data processing.
• Govern-P: Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.
• Control-P: Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
• Communicate-P: Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.
• Protect-P: Develop and implement appropriate data processing safeguards.

Note: You can learn more about NIST CSF and AWS by reading AWS’s NIST Cybersecurity Framework (CSF), Aligning to the NIST CSF in the AWS Cloud.

AWS Cloud Adoption Framework

Using the AWS CAF in tandem with the NIST Privacy Framework will help your organization make better privacy-conscious decisions about how to manage data in the cloud during migration. Both frameworks encourage you to evaluate the current state, identify a target state, and then make changes to support your privacy risk management program as you begin or complete your cloud migration. Similar to the five functions of the NIST Privacy Framework, AWS CAF is divided into six business and technical focus areas or perspectives.

AWS CAF business perspectives

1. Business perspective: Helps you move from separate strategies for business and IT to a business model that integrates IT strategy.
2. Governance perspective: Provides guidance on identifying and implementing best practices for IT governance, and on supporting business processes with technology.
3. People perspective: Assists human resources (HR) and personnel management prepare their teams for cloud adoption by updating staff skills and organizational processes to include cloud-based competencies.

AWS CAF technical perspectives

4. Platform perspective: Helps you design, implement, and optimize the architecture of AWS technology based on business goals and objectives.
5. Operations perspective: Helps you to run, use, operate, and recover IT workloads to levels that meet the requirements of your business stakeholders.
6. Security perspective: Helps you structure the selection and implementation of controls.

Aligning the NIST Privacy Framework to the AWS Cloud Adoption Framework

The following tables map the five functions of the NIST Privacy Framework and their categories, to the six perspectives of AWS CAF and their capabilities. We encourage all organizations moving to the cloud to establish a privacy risk management strategy that supports your business objectives. Your approach may be based on the NIST Privacy Framework, or another framework. You might even choose to create your own approach that combines attributes from different frameworks and standards, if that best serves your data protection and privacy needs.

NIST Identify-P categories and AWS CAF Business perspective capabilities

NIST Govern-P (GV-P) categories and AWS CAF People perspective capabilities

NIST Communicate-P (CM-P) categories and AWS CAF People perspective capabilities

NIST Govern-P (GV-P) categories and AWS CAF Governance perspective capabilities

NIST Control-P (CT-P) categories and AWS CAF Platform perspective capabilities

NIST Protect-P (PR-P) categories and AWS CAF Security perspective capabilities

NIST Control-P (CT-P) categories and AWS CAF Operations perspective capabilities

Conclusion

NIST’s Privacy Framework is a useful companion to the CAF, but whether you choose NIST’s framework or another framework or approach, we recommend having a privacy risk management strategy as you migrate to the cloud.

Learn more about AWS Privacy, Cloud Adoption Framework, and Well-Architected Framework

• AWS Data Privacy
• AWS Data Privacy FAQ
• The AWS Cloud Adoption Framework: Creating an Action Plan
• Webinar: How to Manage Organizational Change and Cultural Impact During a Cloud Transformation
• Announcing the New Version of the Well-Architected Framework

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.