CSF functions and elections
Identify
One category of the Identify function is conducting security risk assessments. An example for this function is the Risk Assessment 1 (ID.RA-1) subcategory, where asset vulnerabilities are identified and documented. There are a few AWS services that you can use to perform this activity, such as AWS Systems Manager, AWS IAM Access Analyzer, AWS Trusted Advisor, Amazon Inspector, and Amazon Macie.
Election officials and elections technology partners should also incorporate privacy by design concepts with their applications and infrastructure. In addition to general security risks, it is important to identify specific privacy compliance requirements and risks to personal data in their systems, applications, and networks and implement appropriate mitigations.
AWS Trusted Advisor
Amazon Inspector
Amazon Macie
Macie automates the discovery of sensitive data at scale and lowers the cost of protecting your data. It automatically provides an inventory of Amazon S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with AWS accounts outside those you have defined in AWS Organizations. Then, Macie applies machine learning and pattern matching techniques to the buckets you select to identify and alert you to sensitive data, such as personally identifiable information (PII). Macie’s alerts, or findings, can be searched and filtered in the AWS Management Console and sent to Amazon CloudWatch Events for easy integration with existing workflow or event management systems, or to be used in combination with AWS services, such as AWS Step Functions to take automated remediation actions.
AWS also offers two engagement offerings that help customers identify vulnerabilities, not only from attackers, but also risks to the application's availability if demand is higher than expected or a natural or man-made disaster occurs.
Security and resiliency-focused Well-Architected review
The AWS Well-Architected Framework was developed to help cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications.
Based on five pillars (operational excellence, security, reliability, performance efficiency, and cost optimization), the framework provides a consistent approach for customers and APN partners to evaluate architectures, and implement designs that will scale over time.
A security and resiliency-focused Well-Architected Review is an engagement where an AWS solutions architect or AWS partner will coordinate with you to assess a single elections application hosted in AWS and provide a report on the adherence to AWS best practices as outlined in the framework. The report identifies strengths and opportunities to improve with recommendations. This report can be used by you, an APN Partner, or AWS professional services as a guide to implement changes in the environment to tighten security and improve resiliency. Contact your account manager to request a review. For more information, refer to AWS Well-Architected.
AWS Infrastructure event management
A structured program available to Enterprise Support customers (and Business Support customers, for an additional fee) that helps you plan for large-scale events such as product or application launches, marketing events, or elections. With Infrastructure Event Management
AWS has the largest network of security partners who can serve as advisors or technology providers to meet the individual needs of each customer and across each of the five CSF functions. You can search through our partners by visiting the AWS Marketplace.
Protect
Protecting your elections infrastructure from unauthorized access is paramount. This includes access control, data security, and information protection processes and procedures. It is essential that the appropriate identity management, physical and data security, and Distributed Denial of Service (DDoS) protection services are incorporated into your cybersecurity and privacy risk management strategies. These services should be operated in accordance with well-documented data protection policies, processes, and procedures. There are a few examples that would be beneficial to highlight here, leveraging the shared responsibility model and AWS services.
Identity and Access Management (IAM) and authentication
There are several CSF subcategories in this area that IAM and other AWS identity and authentication services can assist with. These include, to name a few:
- PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes
- PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
- PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction
For more information, refer to AWS Identity and Access Management.
Physical security
The first is Access Control 2 (PR.AC-2) which requires that physical access to assets be managed and protected. In AWS, physical assets that comprise our infrastructure and services are the responsibility of AWS. For an application that wholly resides in AWS, this can be an expensive and complex burden that has been lifted from the customer.
The customer would only retain responsibility for any physical assets they own outside of AWS, such as desktops and laptops that may connect to the application hosted in AWS. For more information about our data center and physical security, visit the Our Data Centers page.
Data security
Another example from this function is Data Security 1 (PR.DS-1), which requires that data at rest be protected. Here, the customer is responsible for determining the level of protection required and for employing the appropriate AWS or third-party service to meet that requirement. AWS offers several encryption options, such as client-side encryption, a few different server-side encryption options depending on the AWS storage services used, and key management services that are FIPS 140-2 Level 2 (AWS KMS) or Level 3 (AWS CloudHSM) validated. For more information about encryption services and options, refer to AWS Cryptography and PKI Documentation.
Perimeter security
AWS offers several services for boundary protection to build a defense-in-depth strategy at each layer of the customer’s application. This supports several CSF subcategories such as PR.AC-5 (Network integrity is protected).
AWS Shield
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.
All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge. AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your website or applications. When you use AWS Shield Standard with Amazon CloudFront
AWS Shield Advanced
For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced.
In support of the 2020 US elections, we offered a tailored version of our AWS Shield Advanced service specifically to elections customers at a discounted price and with the annual commitment reduced to just two months.
AWS Web Application Firewall (AWS WAF)
AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define. You can get started quickly using Managed Rules for AWS WAF, a pre-configured set of rules managed by AWS or AWS Marketplace Sellers. The Managed Rules for AWS WAF address issues like the OWASP Top 10 security risks. These rules are regularly updated as new issues emerge. AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of security rules.
AWS Network Firewall
AWS Network Firewall
you don't have to worry about deploying and managing any infrastructure. AWS Network Firewall's flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious activity. You can also import rules you've already written in common open-source rule formats, as well as enable integrations with managed intelligence feeds sourced by AWS partners. AWS Network Firewall works together with AWS Firewall Manager so you can build policies based on AWS Network Firewall rules and then centrally apply those policies across your VPCs and accounts.
AWS Network Firewall includes features that provide protections from common network threats. AWS Network Firewall’s stateful firewall can incorporate context from traffic flows, like tracking connections and protocol identification, to enforce policies such as preventing your VPCs from accessing domains using an unauthorized protocol. AWS Network Firewall’s intrusion prevention system (IPS) provides active traffic flow inspection so you can identify and block vulnerability exploits using signature-based detection. AWS Network Firewall also offers web filtering that can stop traffic to known bad URLs and monitor fully qualified domain names.
Amazon VPC
The Amazon Virtual Private Cloud
Access Control Lists (ACLs)
A network ACL is an optional layer of security for your VPC that acts as a stateless firewall for controlling traffic in and out of one or more subnets. Because it is stateless, return traffic must be explicitly allowed by a rule as well. You can set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
Security groups
A security group acts as a virtual stateful firewall for your Amazon EC2 instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign security groups to the instance. Security groups act at the instance elastic network interface level, not the subnet level. Therefore, each instance elastic network interface in a subnet in your VPC can be assigned to a different set of security groups. For more information, refer to Control traffic to resources using security groups.
Detect
Recent industry reporting
The CSF Detect activities generally provide for building a baseline of known good configurations and behavior. Event data is collected and analyzed from multiple sources, and vulnerability scans are performed—all to detect anomalies and unauthorized changes.
Amazon GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. With the cloud, the collection and aggregation of account and network activities is simplified, but it can be time-consuming for security teams to continuously analyze event log data for potential threats. With GuardDuty, you have an intelligent and cost-effective option for continuous threat detection in the AWS Cloud.
The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs. With a few clicks in the AWS Management Console, GuardDuty can be enabled with no software or hardware to deploy or maintain. By integrating with AWS Security Hub and Amazon CloudWatch Events, GuardDuty alerts are actionable, easy to aggregate across multiple accounts, and straightforward to push into existing event management and workflow systems.
AWS CloudTrail
CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. Also, you can use CloudTrail to detect unusual activity in your AWS accounts. These capabilities help simplify operational analysis and troubleshooting.
Amazon CloudWatch
AWS Trusted Advisor
AWS Trusted Advisor is an online tool that provides real-time guidance to help you provision your resources following AWS best practices, including security and fault tolerance.
AWS Config
This is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
AWS Security Hub
With Security Hub, you have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from APN Partner solutions.
AWS Security Hub continuously monitors your environment using automated security checks based on the AWS best practices and industry standards that your organization follows. You can also take action on these security findings by investigating them in Amazon Detective, or by using Amazon CloudWatch Event rules to send the findings to ticketing, chat, Security Information and Event Management (SIEM), Security Orchestration Automation and Response (SOAR), and incident management tools, or to custom remediation playbooks. Get started with AWS Security Hub in just a few clicks in the Management Console; once enabled, Security Hub begins aggregating and prioritizing findings and conducting security checks.
Amazon Detective
This service makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective
AWS security services like Amazon GuardDuty, Amazon Macie, and AWS Security Hub, as well as partner security products, can be used to identify potential security issues, or findings. These services are really helpful in alerting you when something is wrong and pointing out where to go to fix it.
But sometimes there might be a security finding where you need to dig a lot deeper and analyze more information to isolate the root cause and take action. Determining the root cause of security findings can be a complex process that often involves collecting and combining logs from many separate data sources, using extract, transform, and load (ETL) tools or custom scripting to organize the data, and then security analysts having to analyze the data and conduct lengthy investigations.
Amazon Detective simplifies this process by enabling your security teams to easily investigate and quickly get to the root cause of a finding. Amazon Detective can analyze trillions of events from multiple data sources such as Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and Amazon GuardDuty, and automatically creates a unified, interactive view of your resources, users, and the interactions between them over time. With this unified view, you can visualize all the details and context in one place to identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause.
Respond
Outages and attacks happen fast, and the time between detecting a suspicious activity or event and responding to it is critical. Even a well-trained staff that is able to monitor and respond to every detected event cannot respond at the speed of an automated attack. Humans need work breaks, and even when following the same procedures they have different levels of knowledge, experience, and judgment, which produces inconsistent results. We are not the best tool for rote procedures where consistency and reliability are expected for every action. This is where computers are ideal, and automation is key to speed and consistency.
The same industry report mentioned in the Detect section of this document found that the average time for US organizations to contain a breach is 51 days. Our government elections customers and elections technology partners have expressed that this is unacceptable. In the Respond function, there are a few CSF subcategories where AWS can elevate an elections technology solution, such as RS.RP-1 (response plan is executed during or after an incident), which would include RS.MI-1/2 (incidents are contained and incidents are mitigated). Some of these AWS services include the following.
Amazon EventBridge
AWS Lambda
When a detection service like Amazon GuardDuty detects a threat and logs it as an Amazon CloudWatch Event, you can have a Lambda function triggered to take some action. For example, if GuardDuty logs an event where one of your EC2 instances is communicating with a known malicious botnet command and control (C2) server, then Lambda can trigger and block that suspicious activity at the AWS Web Application Firewall (AWS WAF) service, in the EC2 security group, and in other third-party partner solutions, log the changes, and notify staff via email and SMS text messages, all within seconds to minutes and without any human intervention.
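The containment flow described above, as an added example that is not code from the AWS paper: an EventBridge-triggered Lambda handler that parses a GuardDuty finding, adds the remote IP to a WAF IP set, moves the affected instance into a quarantine security group, and notifies staff through SNS. The IP set, security group, and topic identifiers are placeholders read from environment variables, and the sample event is constructed; the boto3 clients are injected so the decision logic can be exercised without AWS credentials.

```python
"""GuardDuty finding -> automated containment (added example; placeholder resource ids)."""
import ipaddress
import json
import os

# Placeholder resource identifiers; set these as Lambda environment variables in practice.
IP_SET_NAME = os.environ.get("WAF_IP_SET_NAME", "placeholder-blocklist")
IP_SET_ID = os.environ.get("WAF_IP_SET_ID", "placeholder-ip-set-id")
QUARANTINE_SG_ID = os.environ.get("QUARANTINE_SG_ID", "sg-placeholder")
ALERT_TOPIC_ARN = os.environ.get("ALERT_TOPIC_ARN", "arn:aws:sns:us-east-1:123456789012:placeholder")

# Only high-severity EC2 findings of types we have a playbook for are auto-contained.
CONTAINED_TYPE_PREFIXES = ("Backdoor:EC2/", "Trojan:EC2/", "CryptoCurrency:EC2/")
MIN_SEVERITY = 7.0  # GuardDuty scores 7.0-8.9 as High

# Constructed sample EventBridge event carrying a GuardDuty finding (not a real indicator).
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Backdoor:EC2/C&CActivity.B",
        "severity": 8.0,
        "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"action": {"networkConnectionAction": {
            "remoteIpDetails": {"ipAddressV4": "203.0.113.10"}}}},
    },
}

def remote_ip(finding):
    """Return the validated remote IPv4 address from the finding, or None if absent/malformed."""
    action = finding.get("service", {}).get("action", {})
    ip = action.get("networkConnectionAction", {}).get("remoteIpDetails", {}).get("ipAddressV4")
    try:
        return str(ipaddress.IPv4Address(ip)) if ip else None
    except ValueError:
        return None  # never push unvalidated strings from a finding into a WAF rule

def should_contain(finding):
    """Containment decision: severity threshold and a known EC2 finding type."""
    return (finding.get("severity", 0) >= MIN_SEVERITY
            and finding.get("type", "").startswith(CONTAINED_TYPE_PREFIXES))

def plan_actions(event):
    """Pure decision step: returns the containment plan or None. Easy to unit-test offline."""
    if event.get("detail-type") != "GuardDuty Finding":
        return None
    finding = event["detail"]
    if not should_contain(finding):
        return None
    ip = remote_ip(finding)
    return {"instance_id": finding["resource"]["instanceDetails"]["instanceId"],
            "block_cidr": f"{ip}/32" if ip else None,
            "finding_type": finding["type"], "severity": finding["severity"]}

def handler(event, context, wafv2=None, ec2=None, sns=None):
    """Lambda entry point; clients default to boto3 but can be injected for testing."""
    if wafv2 is None or ec2 is None or sns is None:
        import boto3  # imported lazily so the decision logic runs without boto3 installed
        wafv2, ec2, sns = boto3.client("wafv2"), boto3.client("ec2"), boto3.client("sns")
    plan = plan_actions(event)
    if plan is None:
        return {"contained": False}
    if plan["block_cidr"]:
        # WAF IP sets use optimistic locking: read the current set, then write back with its LockToken.
        cur = wafv2.get_ip_set(Name=IP_SET_NAME, Scope="REGIONAL", Id=IP_SET_ID)
        addrs = sorted(set(cur["IPSet"]["Addresses"]) | {plan["block_cidr"]})
        wafv2.update_ip_set(Name=IP_SET_NAME, Scope="REGIONAL", Id=IP_SET_ID,
                            Addresses=addrs, LockToken=cur["LockToken"])
    # Replace the instance's security groups with a quarantine group that has no rules.
    ec2.modify_instance_attribute(InstanceId=plan["instance_id"], Groups=[QUARANTINE_SG_ID])
    sns.publish(TopicArn=ALERT_TOPIC_ARN, Subject="GuardDuty auto-containment", Message=json.dumps(plan))
    return {"contained": True, **plan}
```

The Lambda execution role needs only wafv2:GetIPSet, wafv2:UpdateIPSet, ec2:ModifyInstanceAttribute, and sns:Publish on the specific resources, keeping the responder itself least-privileged.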
AWS Config
AWS Auto Scaling
The service provides a simple, powerful user interface that lets you build scaling plans for resources including Amazon EC2
An Auto Scaling group also enables you to use Amazon EC2 Auto Scaling features such as health check replacements to quickly identify when a server has failed and automatically replace it. When combined with one of the Elastic Load Balancing
Recover
There is only a small window of time leading up to an election day, and the day itself, where the entire purpose of election systems exists. Every delay in recovering from an event and restoring the system functionality equals voters not registered, ballots not delivered, or votes not cast and can risk the entire democratic process.
There is only one CSF subcategory in the Recover Function where technology and automation can take the lead to reduce downtime and minimize the impact, and that is RC.RP-1 (Recovery plan is executed during or after a cybersecurity incident). The other subcategories are more manual and require people to lead the effort.
AWS brings the ability to build resilient architectures that are self-healing and that shift risk mitigation to the front of an event. The foundation for this is the AWS global infrastructure with 24 geographic Regions and 77 Availability Zones. For more information, refer to Regions and Availability Zones.
Region
For AWS, a Region is a physical location around the world where we cluster data centers. We group data centers within a Region into logical fault isolation zones called an Availability Zone. Each AWS Region consists of multiple, isolated, and physically separate Availability Zones within a geographic area.
Unlike other cloud providers, who often define a Region as a single data center, the multiple Availability Zone design of every AWS Region offers you many advantages. Each Availability Zone has independent power, cooling, and physical security and is connected by redundant, ultra-low-latency networks. AWS customers who are focused on high availability can design their applications to run in multiple Availability Zones to achieve even greater fault-tolerance and resiliency. AWS infrastructure Regions meet the highest levels of security, compliance, and data protection.
Availability Zone
An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. Availability Zones give customers the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center.
All Availability Zones in an AWS Region are interconnected with high-bandwidth, low-latency networking over fully redundant, dedicated metro fiber, providing high-throughput, low-latency networking between Availability Zones. All traffic between Availability Zones is encrypted. The network performance is sufficient (<2ms latency) to accomplish synchronous replication between Availability Zones.
Availability Zones make it easy to partition applications for high availability. If an application is partitioned across Availability Zones, companies are better isolated and protected from issues such as power outages, lightning strikes, tornadoes, earthquakes, and more. Availability Zones are physically separated by a meaningful distance, many kilometers, from any other Availability Zone although all are within 100 km (60 miles) of each other.
So, what does this mean for elections technology solution providers or election officials? Traditionally, applications are built on a single server or server stack (a standard three-tier web application would include a database server, an application server, and a web server), all housed in a single data center. If the data center had an outage due to any number of environmental events (for example, loss of power due to a tornado), or if one of the servers failed, the application would be offline and customers would go unserved until everything could be restored. Recovery could take hours, days, or even weeks to either rebuild a physical server and restore data from backups in an alternate data center, or to repair any facility damage to the current data center and restore utilities (for example, power, HVAC, or internet connectivity). This is simply unacceptable to the elections mission.
If you move to AWS and refactor applications to decouple application processes and data, you can build an elections technology solution that would span multiple physical data centers within a specified geographic Region. This solution would replicate data synchronously, and be able to automatically respond to events so that there is no business impact. This would allow elections technology providers and elections officials to shift from a reactive disaster recovery risk model to a proactive resiliency risk model. This doesn’t mean that risk can be reduced to zero. But much of the residual risk could be mitigated on the front end (before an event) rather than on the backend (after an event). Even so, we still recommend that a disaster recovery (DR) plan and capabilities be in place, which AWS can provide.