IDENTIFY > PROTECT > DETECT > RESPOND > RECOVER.
These are the five core functions of the NIST Cybersecurity Framework (CSF). At PTP, we use the Framework as a vehicle to discuss a layered approach to security with our growing base of Amazon Web Services (AWS) customers, because, as mature organizations know, there is no silver bullet for protecting data.

As an AWS Advanced Consulting Partner, we engage with our customers across the spectrum of cloud design, migration, operations and security. With new, innovative and impactful services being released by AWS weekly, we are also educating our customers on the technical solutions and business benefits these services offer. Layered across every one of those conversations is the question of whether the right level of security has been designed and deployed to meet the customer's needs. Enter the NIST Cybersecurity Framework as the foundation for that discussion.

Earlier this year, AWS released this White Paper to provide guidance on aligning the NIST Cybersecurity Framework with the AWS Cloud. As AWS customers are intimately aware, the AWS Shared Responsibility Model divides responsibility between AWS and the customer: AWS is responsible for security of the cloud, and the customer for security in the cloud. The white paper covers AWS' side, security of the cloud, and its alignment with the most widely accepted cybersecurity framework in our industry. In an excerpt from the white paper AWS states, "When deploying AWS solutions, organizations can have the assurance that AWS services uphold risk management best practices defined in the CSF and can leverage these solutions for their own alignment to the CSF."

Our role at PTP is threefold: help our customers adopt a technology platform that accelerates their business in AWS, work from an accepted framework (NIST) for applying data security practices, and use our PeakPlus services to fill the gap between the security AWS provides of the cloud and our customers' own ability to secure their users' access to the cloud and their data in the cloud.

Adopt and Follow an Accepted Security Framework
The security team at PTP favors the NIST Cybersecurity Framework as we assess environments, discuss technologies for hardening, and review processes and solutions for ongoing security and risk monitoring. The Framework contains five major functions for consideration: Identify, Protect, Detect, Respond and Recover. Without turning this piece into NIST Framework training, the takeaway is that reducing the risk from a breach comes from implementing processes and systems for each function: identifying critical and sensitive data and its whereabouts, applying protection policies and technologies commensurate with the business risk and budget, having the discipline (previous PTP blog here on the subject) to continually monitor for potential threats, and, when a breach is identified, having the procedures in place to contain and eradicate it and recover from the attack. If you are in the AWS cloud or considering the move, AWS has a helpful white paper mapping its cloud infrastructure to NIST. Check it out here.

The AWS Cloud is the Gartner Leader, Fast-Growing, and Secure
Recent announcements on earnings and growth from AWS showed continued impressive growth driven by adoption. AWS announced 37% growth in its cloud business, with second-quarter revenue up to $8.38B. A key customer, Slack, a communications provider, announced a commitment to spend at least $250M on AWS over the next 5 years. Similarly, Lyft committed to spending $300M on AWS in the next 3 years, and Pinterest committed to spending $750M on AWS in the next 6 years. This growth speaks to the usability and speed to market that AWS offers: companies that wish to turn Information Technology into a differentiator can advance application development faster by eliminating the effort of deploying and managing datacenters and infrastructure. Growth figures say nothing directly about the security of the IaaS and PaaS that AWS provides, but adoption by such public brands reflects the due diligence those companies performed to confirm that appropriate protections are in place. On June 25th and 26th AWS hosted its inaugural re:Inforce security conference in Boston, MA. The incredibly well-attended event featured leading security personnel from AWS and its customers discussing the measures AWS takes to protect the platform and the tools it provides users to aid in data protection. Highlights of the event can be found here.

Your Business, AWS and PTP in the AWS Shared Responsibility Model
AWS has done a great job outlining the cooperative effort between its responsibility for the cloud infrastructure and its customers' responsibility for what runs on it, in what it calls the Shared Responsibility Model. AWS accepts responsibility for the fundamental security "OF" the cloud; the customer is responsible for the security of their data "IN" the cloud. As outlined above with regard to NIST, the need for policies, procedures, tools and security expertise does not go away in the cloud; the needs are simply different. Misconfigurations can occur, poor policies can still be deployed, data may be left unencrypted, data segmentation can be inadequate, too many administrators can be granted, and much more. Security in the cloud still requires a layered approach. The "Customer" functions in the graphic above show the elements that require alignment with a security framework such as NIST for proper security and oversight.
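Three of the customer-side failure modes listed above (data left unencrypted, inadequate segmentation, too many administrators) can be checked mechanically. The following is an added example, not code from the original post or from PTP's platform: it audits a constructed, simplified account inventory shaped loosely like IAM and S3 API responses (the field names `DefaultEncryption`, `PublicAccessBlock`, `Policies` and the threshold `MAX_ADMINS` are assumptions for illustration, and nothing here calls AWS).

```python
"""Offline audit of a constructed AWS-style account inventory for three of the
misconfiguration classes named in the text: unencrypted buckets, buckets exposed
to the public (a segmentation failure), and too many admin-equivalent users.

Assumptions: the dict shapes below are simplified approximations of IAM and S3
API output, not real responses; MAX_ADMINS is an illustrative policy value.
"""
from __future__ import annotations
from typing import Any

MAX_ADMINS = 2  # assumption: an illustrative ceiling on admin-equivalent users


def _as_list(value: Any) -> list:
    """IAM policy fields may be a single string/dict or a list; normalise."""
    return value if isinstance(value, list) else [value]


def is_admin_policy(policy: dict) -> bool:
    """True if any Allow statement grants every action ("*") on every resource ("*")."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen privilege
        actions = set(_as_list(stmt.get("Action", [])))
        resources = set(_as_list(stmt.get("Resource", [])))
        if "*" in actions and "*" in resources:
            return True
    return False


def find_admins(users: list[dict]) -> list[str]:
    """Names of users holding at least one admin-equivalent policy."""
    return [u["UserName"] for u in users
            if any(is_admin_policy(p) for p in u.get("Policies", []))]


def audit_bucket(bucket: dict) -> list[str]:
    """Findings for one bucket: missing default encryption, incomplete public access block."""
    findings = []
    if not bucket.get("DefaultEncryption"):
        findings.append(f"{bucket['Name']}: no default encryption")
    pab = bucket.get("PublicAccessBlock", {})
    if not all(pab.get(flag) for flag in ("BlockPublicAcls", "BlockPublicPolicy")):
        findings.append(f"{bucket['Name']}: public access block incomplete")
    return findings


def audit_account(account: dict) -> list[str]:
    """Run every check over the inventory and return human-readable findings."""
    findings = []
    for bucket in account.get("Buckets", []):
        findings.extend(audit_bucket(bucket))
    admins = find_admins(account.get("Users", []))
    if len(admins) > MAX_ADMINS:
        findings.append(
            f"too many admins ({len(admins)} > {MAX_ADMINS}): {', '.join(admins)}")
    return findings


# Constructed sample data: a deliberately mixed account for the checks above.
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READ_ONLY = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow",
                            "Action": ["s3:GetObject", "s3:ListBucket"],
                            "Resource": "arn:aws:s3:::app-data/*"}]}
SAMPLE_ACCOUNT = {
    "Buckets": [
        {"Name": "app-data", "DefaultEncryption": "aws:kms",
         "PublicAccessBlock": {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                               "IgnorePublicAcls": True, "RestrictPublicBuckets": True}},
        {"Name": "legacy-exports", "DefaultEncryption": None,
         "PublicAccessBlock": {"BlockPublicAcls": True, "BlockPublicPolicy": False}},
    ],
    "Users": [
        {"UserName": "alice", "Policies": [ADMIN]},
        {"UserName": "bob", "Policies": [ADMIN]},
        # single-statement form (dict, not list) with a list-valued Resource
        {"UserName": "carol", "Policies": [{"Statement": {"Effect": "Allow",
                                                          "Action": "*",
                                                          "Resource": ["*"]}}]},
        {"UserName": "svc-reporting", "Policies": [READ_ONLY]},
    ],
}

if __name__ == "__main__":
    for finding in audit_account(SAMPLE_ACCOUNT):
        print(finding)
```

Against real accounts the same checks would be fed from `GetBucketEncryption`, `GetPublicAccessBlock` and the IAM policy documents rather than inline dicts, and the admin rule would need to consider group and role memberships too; the point of the example is that each of the text's "it can still go wrong" items is a concrete, testable condition.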

Our Mission at PTP – Enable Secure and Compliant Use of the AWS Cloud
Our services provide oversight of data inside the AWS cloud. We provide insight, reporting and analysis of cloud configurations; alignment of those configurations with security and compliance frameworks such as NIST and HIPAA; vulnerability scanning at the OS and application levels; and 24x7 monitoring for security threats, which are analyzed by the PTP Security Operations Center (SOC). Recognizing that the cloud environment is dynamic and ever-changing, we deliver these services on an ongoing basis as an extension of our customers' governance, escalating issues that require remediation each month. The tools in our platform, along with our expert staff, are delivered at a low recurring monthly cost, providing lower risk, the information needed for compliance, the cost optimization the CFO cares about, and the discipline to execute on our mission every day of every year. Embrace the cloud, make your Information Technology a differentiator for your business, and ensure you have security oversight that matches your level of risk.