
Cloud Compliance in NIST | CloudCheckr 2017

NIST Compliance: A Quick Reference Guide for the Public Cloud

WHITEPAPER

Abstract

This document describes guidelines and recommendations for managing security and privacy in public cloud computing environments as enforced by the National Institute of Standards and Technology (NIST). The most common concerns and questions raised by CTOs and CIOs about public cloud computing are tied to security and compliance. Management is often unsure whether the public cloud can provide the same level of security and protection as an in-house hosted solution, and is also frequently skeptical that cloud computing services can fulfill the NIST, HIPAA, or Sarbanes-Oxley standards required for their industry. This paper addresses these specific questions from the perspective of NIST/FISMA compliance, and provides best practices and recommendations for keeping your public cloud environment secure.

An overview of NIST

The National Institute of Standards and Technology (NIST) is a United States non-regulatory government agency and measurement laboratory, whose main mission is to promote innovation and economic competitiveness among US-based organizations in the science and technology industries. NIST programs include many different fields, such as nanoscale technology, neutron research, material and physical measurement, engineering and information technology.

NIST has an important role in the IT world in the United States, since it produces standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Management Act (FISMA). NIST, however, does not only protect information and information systems for those federal agencies: NIST guidelines are also leveraged by many other business entities that want to protect data and IT services with the help of its expert policies and recommendations.

NIST also generates Federal Information Processing Standards (FIPS), publicly announced standards developed for use in computer systems by non-military government agencies and government contractors, in accordance with FISMA. FIPS are reviewed and approved by the Secretary of Commerce, and federal agencies must fully comply with FIPS in order to conduct their business. One such standard is FIPS 140-2, which describes encryption measures needed to protect data at rest or in motion for all types of applications.

NIST Compliance in a Nutshell

NIST guidelines are based on specifications and advice from various security documents and publications, or on best practices already utilized and adopted by many organizations and their IT/security experts worldwide. Those guidelines are reviewed by IT professionals before adoption, and are grouped in NIST Frameworks. One widely adopted and very important framework is the NIST Cybersecurity Framework, which includes the special publications numbered in the 800 series, each explaining a different security topic:

• NIST SP 800-53 deals with recommended and required security control mechanisms for your IT systems

• NIST SP 800-137 helps with continuous reporting and monitoring in an IT environment

• NIST SP 800-37 is a document that serves as a guide for the security life cycle

• NIST SP 800-171 is for protecting classified information in non-federal IT systems

NIST SP 800-171 is one of the newest publications, currently listed as a final public draft, and is actually a subset of NIST SP 800-53, with an emphasis on storing sensitive data in non-federal environments.

Who Must Comply?

The FISMA law was enacted in 2002. It applies to all federal agencies within the US government. FISMA also applies to all state agencies that administer federal programs, such as those involved in insurance, healthcare, and education. Throughout the years, FISMA has been expanded into the private sector as well; so any private entity with a contractual relationship with the US government—whether to provide or lease services and products, or to receive money from grant programs—must comply with FISMA.

Even if your company doesn’t have any interaction with the US federal government, you can choose to follow NIST guidelines; doing so will protect your data and IT environment, making them more secure and reliable. Furthermore, by following NIST guidelines, you will perform well in any internal or external IT audit process, if and when required.

NIST/FISMA in the Cloud

Providers of cloud computing services demonstrate they are FISMA compliant by following the NIST standards for security, undergoing an independent third-party security assessment (which is conducted on a yearly basis), and obtaining a Provisional Authority to Operate (P-ATO), which federal agencies may require when they want to operate their IT services inside a public cloud environment. FISMA compliance also benefits non-government customers of public cloud providers, since they can utilize cloud services that follow NIST guidelines, and indicate that they are secure and reliable in protecting information outside of their premises.

In order to create standards for certification and to ease the authorization process for the use of public cloud providers by federal agencies, the US government established the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for public cloud computing. Whenever a cloud provider states that it is compatible with NIST and FISMA, it has also been cleared by FedRAMP for government use.

Why It Matters

Even if your company doesn’t have any interaction with the US government, you can choose to follow NIST guidelines to proactively protect your cloud, while ensuring a good security posture if (or when) you conduct an IT audit.

NIST in AWS Cloud

Amazon Web Services (AWS), along with its entire infrastructure, has been verified by third-party authorities against the latest, fourth revision of the NIST 800-53 standard. It has received the required FedRAMP clearance for all of its regions in the US, both the public ones (East and West AWS regions) and GovCloud. Launching services in NIST-approved AWS regions doesn’t mean that these cloud-hosted applications or services are, by default, NIST compliant. There is a line at which AWS responsibility ends, and where the customer must take care to secure its own AWS environment. Note the following three responsibility models:

Shared Responsibility: The customer provides the configuration of its environment, and is responsible for the security of provisioned resources, while AWS provides security for the underlying infrastructure.

Customer-Only Responsibility: The customer is completely responsible for services deployed on AWS, such as guest operating systems in EC2 instances, deployed applications in those instances, and networking inside its deployment (Virtual Private Cloud setup with its “main” subnet, all smaller subnets, and network access rights inside that networking environment, such as firewalls or routing rules).

AWS-Only Responsibility: Amazon has sole responsibility to manage data centers and their physical security, as well as the hardware provisioned in those data centers, such as servers, storage and network devices, and the software running on top of that hardware, such as the virtualization hypervisors on which customers provision their services. This also includes AWS managed services, such as the AWS Relational Database Service (RDS), where the customer uses database software deployed and secured by AWS itself.

NIST 800-53 Standardized Architecture on the AWS Cloud

Shared resources controlled by the customer have to be separately assessed and audited by third-party organizations in order to achieve NIST compliance. To support customers with the implementation of NIST 800-53, AWS has published documentation on how to configure systems so they are compliant with this standard, and has defined a standardized architecture that customers can follow.

The standardized AWS NIST 800-53 architecture references three VPC networks: management (used to access all the resources, and typically where customers deploy their security applications for monitoring and logging), development (optional, used for testing software before it goes into production) and production (where the most critical business applications are located). The three VPCs use VPC peering, with access lists to segment network traffic and permissions, while inside every VPC all services are deployed in at least two different availability zones for redundancy and fault tolerance.

The production VPC is organized in three sections, one public and two private. The public section is a demilitarized zone (DMZ), which allows external access from the internet, and is where customers should put their internet-facing services, such as load balancers or proxies, which will handle external access requests. The two private subnets are divided by usage: one subnet hosts the application EC2 instances, which receive requests from the DMZ, while the other hosts Amazon RDS for storing relational data. Between these three tiers, access is controlled using network ACLs or security groups, allowing traffic only on specific ports. For example, application servers can only reach the RDS subnets by sending TCP packets to allowed database ports (e.g.: 3309 for MySQL and 1433 for Microsoft SQL Server).
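A check of the tier segmentation just described, written as an added example (not CloudCheckr or AWS code): it evaluates a constructed set of security-group ingress rules against the rule that traffic may only flow internet to DMZ, DMZ to application tier, and application tier to database tier on database ports. The tier CIDRs are assumptions; the allowed database ports use MySQL's default 3306 and SQL Server's 1433.

```python
# Added example (not CloudCheckr or AWS code): checks constructed security-group
# ingress rules against the tiering described above. Tier CIDRs are assumptions;
# 3306 is MySQL's default port and 1433 is SQL Server's.
from ipaddress import ip_network

TIERS = {  # assumed subnet CIDRs (constructed)
    "dmz": ip_network("10.0.0.0/24"),
    "app": ip_network("10.0.1.0/24"),
    "db": ip_network("10.0.2.0/24"),
}
ALLOWED_DB_PORTS = {3306, 1433}
ANYWHERE = ip_network("0.0.0.0/0")
# Which sources may originate traffic into each tier: internet -> DMZ -> app -> db.
ALLOWED_SOURCES = {"dmz": {"internet"}, "app": {"dmz"}, "db": {"app"}}


def classify_source(cidr):
    """Map a rule's source CIDR to a tier name, 'internet', or 'unknown'."""
    net = ip_network(cidr)
    if net == ANYWHERE:
        return "internet"
    for name, tier_net in TIERS.items():
        if net.subnet_of(tier_net):
            return name
    return "unknown"

def audit_ingress(tier, rules):
    """Return findings for one tier's ingress rules (empty list means compliant)."""
    findings = []
    for r in rules:
        src = classify_source(r["cidr"])
        if src not in ALLOWED_SOURCES[tier]:
            findings.append(f"{tier}: ingress from {r['cidr']} ({src}) is not permitted")
        if tier == "db":  # database tier may expose only the allowed database ports
            extra = set(range(r["from_port"], r["to_port"] + 1)) - ALLOWED_DB_PORTS
            if extra:
                findings.append(f"db: {len(extra)} non-database port(s) open from {r['cidr']}")
    return findings

def audit_all(snapshot):
    return [f for tier, rules in snapshot.items() for f in audit_ingress(tier, rules)]

# Constructed snapshot: DMZ and app tiers are correct; the db tier has a second
# rule open to the internet on every port, which yields two findings.
SNAPSHOT = {
    "dmz": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}],
    "app": [{"cidr": "10.0.0.0/24", "from_port": 8080, "to_port": 8080}],
    "db": [{"cidr": "10.0.1.0/24", "from_port": 3306, "to_port": 3306},
           {"cidr": "0.0.0.0/0", "from_port": 0, "to_port": 65535}],
}

if __name__ == "__main__":
    print("\n".join(audit_all(SNAPSHOT)) or "no findings")
```

The same functions can be fed the rules returned by a real `describe-security-groups` call once the CIDR fields are mapped onto the `cidr`/`from_port`/`to_port` keys used here.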

Auditing AWS from a NIST Perspective

After the initial deployment per NIST guidelines, NIST 800-53 also emphasizes some important AWS managed services that will help you continuously monitor and audit your cloud computing environment and stay compliant with NIST standards:

• Identity and Access Management - For access control management in the AWS cloud

• CloudTrail - Serves as a log and monitoring tool for all AWS API calls in your cloud

• CloudWatch - Provides a real-time monitoring service, with alarms and metrics tracking

• Config - An inventory service, used to track all configuration changes

Best Practices and Advice

NIST 800-53 is a thorough document with many recommendations and advice for how to configure your AWS environment so it is NIST compliant (and, more importantly, completely secure). Any IT professional concerned with securing their public cloud should consult these guidelines; however, here are some key recommendations:

Account Management

Define users and appropriate groups utilizing the rule of least privilege. Protect their accounts with strong passwords and password rotation, and, if applicable, enforce two-factor authentication. API keys should also be rotated on a regular basis. Establish regular checks to see whether the assigned permissions match written security policies. Also, a change access management policy should be in place for when access is granted or revoked for any user.

Continuous Monitoring

CloudTrail is disabled by default, so before using AWS services it is important to enable CloudTrail and configure a separate, protected S3 bucket for storing CloudTrail logs. A policy should be in place to regularly check the written logs, and log rotation should be enforced using AWS Glacier and S3 bucket policies in order to preserve old logs. Access to the S3 bucket containing CloudTrail logs should be available only to a select group of users, granted through separate identity and access management (IAM) rights.

Configuration Change Control

In order to track configuration changes, AWS customers should use AWS Config in combination with CloudWatch alarms. When configured, the Config tool can notify users of any changes in the cloud environment, and serve as an inventory service where users store all the revisions of their provisioned services. Config is an excellent resource for compliance auditing and security analysis. It is also useful for troubleshooting, because its history allows users to see which changes were made that potentially led to issues in an environment.

System Monitoring

To monitor all systems and services in real time, AWS customers should use CloudWatch. It is one of the most crucial AWS services. Prior to the start of metrics collection, alarms and notifications should be configured according to the thresholds of the specific environment. Access to CloudWatch should be delegated to specific IAM users or groups, and should be audited on a regular basis.
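The Account Management and Continuous Monitoring recommendations above, turned into posture checks as an added example (not CloudCheckr or AWS code): it flags console users without MFA, access keys older than a rotation window, a missing or non-multi-region trail, disabled log file validation, and a CloudTrail log bucket that is public. The 90-day rotation window, the fixed clock, and the snapshot shape are assumptions, so the script runs offline without calling AWS.

```python
# Added example (not CloudCheckr or AWS code): posture checks for the Account
# Management and Continuous Monitoring recommendations above, run over a
# constructed account snapshot instead of live AWS API calls. The 90-day key
# rotation window and the fixed clock are assumptions.
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE = timedelta(days=90)
NOW = datetime(2017, 6, 1, tzinfo=timezone.utc)  # fixed clock keeps results stable

def check_users(users, now=NOW):
    """Flag console users without MFA and active access keys older than the policy allows."""
    findings = []
    for u in users:
        if u["console_access"] and not u["mfa_enabled"]:
            findings.append(f"user {u['name']}: console access without MFA")
        for key in u["access_keys"]:
            age = now - key["created"]
            if key["active"] and age > KEY_MAX_AGE:
                findings.append(f"user {u['name']}: access key {key['id']} is {age.days} days old")
    return findings

def check_trails(trails, buckets):
    """A trail must exist, cover all regions, validate log files and use a non-public bucket."""
    if not trails:
        return ["no CloudTrail trail configured (CloudTrail is off by default)"]
    findings = []
    for t in trails:
        if not t["multi_region"]:
            findings.append(f"trail {t['name']}: not multi-region")
        if not t["log_file_validation"]:
            findings.append(f"trail {t['name']}: log file validation disabled")
        # An unknown bucket is treated as a finding: the log store must be verified.
        if buckets.get(t["bucket"], {}).get("public", True):
            findings.append(f"trail {t['name']}: log bucket {t['bucket']} is public or unknown")
    return findings

def audit(snapshot):
    return check_users(snapshot["users"]) + check_trails(snapshot["trails"], snapshot["buckets"])

# Constructed snapshot: alice is compliant; bob lacks MFA and has a 200-day-old
# key; the single trail skips log validation and writes to a public bucket.
SNAPSHOT = {
    "users": [
        {"name": "alice", "console_access": True, "mfa_enabled": True,
         "access_keys": [{"id": "KEY-EXAMPLE-1", "active": True, "created": NOW - timedelta(days=10)}]},
        {"name": "bob", "console_access": True, "mfa_enabled": False,
         "access_keys": [{"id": "KEY-EXAMPLE-2", "active": True, "created": NOW - timedelta(days=200)}]},
    ],
    "trails": [{"name": "main", "multi_region": True, "log_file_validation": False, "bucket": "audit-logs"}],
    "buckets": {"audit-logs": {"public": True}},
}

if __name__ == "__main__":
    print("\n".join(audit(SNAPSHOT)) or "no findings")
```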

CloudCheckr Support for NIST Audits and Accountability

The previous section gave an outline for securing and hardening an AWS environment based on NIST recommendations. The complete list from the NIST 800-53 and 800-171 special publications is quite long, and configuring an entire environment to be compliant with NIST can be an extensive task, even for experienced AWS professionals. Staying compliant is also not easy when considering the frequent changes in provisioned applications and services. In these situations, companies can seek assistance from compliance partners and their security products.

A viable compliance solution from AWS Marketplace is CloudCheckr, a unified cost and security automation platform that gives you visibility, insight, and automation for your AWS environment. CloudCheckr’s Security & Compliance module has been verified by the Allgress Regulatory Product Mapping Tool as an appropriate solution for implementing PCI, FISMA, and NIST compliance. Allgress (an AWS Configuration partner) designed this tool specifically for customers deployed within AWS who want to reduce the complexity, increase the speed, and shorten the time frame of achieving required compliance with NIST, FISMA, HIPAA, or other standards. CloudCheckr provides comprehensive support for AWS audit services (CloudTrail, Config, IAM and others), as well as real-time monitoring with more than 400 prepackaged security best-practice checks and alerts.

About CloudCheckr

The CloudCheckr cloud management platform unifies cost, security, and inventory management with visibility and intelligence to mitigate security risks, optimize costs, and increase operational efficiencies across cloud infrastructure. With continuous monitoring, 400 best practice checks, and built-in automation, CloudCheckr enables IT, Security, and Finance teams to manage their AWS environments with confidence. Government organizations and Global 2000 enterprises trust CloudCheckr to unify their native AWS data and deliver the most robust cloud management platform in today’s marketplace.