CSF functions and elections - Digital Transformation and IT Modernization for Elections in AWS

CSF functions and elections

Identify

One category of the Identify function is conducting security risk assessments. An example for this function is the Risk Assessment 1 (ID.RA-1) subcategory, where asset vulnerabilities are identified and documented. There are a few AWS services that you can use to perform this activity, such as AWS Systems Manager, AWS IAM Access Analyzer, AWS Trusted Advisor, Amazon Inspector, and Amazon Macie.

Election officials and elections technology partners should also incorporate privacy by design concepts with their applications and infrastructure. In addition to general security risks, it is important to identify specific privacy compliance requirements and risks to personal data in their systems, applications, and networks and implement appropriate mitigations.

AWS Trusted Advisor

AWS Trusted Advisor is a tool that provides real-time guidance to help you provision your resources following AWS best practices in five categories: Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits.

Summary of AWS Trusted Advisor

Amazon Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

Amazon Macie

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.

Macie automates the discovery of sensitive data at scale and lowers the cost of protecting your data. It automatically provides an inventory of Amazon S3 buckets, including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with AWS accounts outside those you have defined in AWS Organizations. Macie then applies machine learning and pattern matching techniques to the buckets you select to identify sensitive data, such as personally identifiable information (PII), and alert you to it. Macie’s alerts, or findings, can be searched and filtered in the AWS Management Console and sent to Amazon CloudWatch Events for integration with existing workflow or event management systems, or combined with AWS services such as AWS Step Functions to take automated remediation actions.

Summary of Amazon Macie

AWS also has a couple of engagement offerings that help customers identify not only vulnerabilities an attacker could exploit, but also risks to the application’s availability if demand is higher than expected or a natural or man-made disaster occurs.

Security and resiliency-focused Well-Architected review

The AWS Well-Architected Framework was developed to help cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications.

Based on five pillars (operational excellence, security, reliability, performance efficiency, and cost optimization), the framework provides a consistent approach for customers and APN partners to evaluate architectures, and implement designs that will scale over time.

A security and resiliency-focused Well-Architected Review is an engagement where an AWS solutions architect or AWS partner will coordinate with you to assess a single elections application hosted in AWS and provide a report on the adherence to AWS best practices as outlined in the framework. The report identifies strengths and opportunities to improve with recommendations. This report can be used by you, an APN Partner, or AWS professional services as a guide to implement changes in the environment to tighten security and improve resiliency. Contact your account manager to request a review. For more information, refer to AWS Well-Architected.

AWS Infrastructure event management

AWS Infrastructure Event Management is a structured program available to Enterprise Support customers (and Business Support customers, for an additional fee) that helps you plan for large-scale events such as product or application launches, marketing events, or elections. With Infrastructure Event Management, you get strategic planning assistance before your event, as well as real-time support during the moments that matter most for your business. Contact your account manager to request this offering.

Summary of AWS Infrastructure event management

AWS has the largest network of security partners who can serve as advisors or technology providers to meet the individual needs of each customer and across each of the five CSF functions. You can search through our partners by visiting the AWS Marketplace.

Protect

Protecting your elections infrastructure from unauthorized access is paramount. This includes access control, data security, and information protection processes and procedures. It is essential that the appropriate identity management, physical and data security, and Distributed Denial of Service (DDoS) protection services are incorporated into your cybersecurity and privacy risk management strategies. These services should be operated in accordance with well-documented data protection policies, processes, and procedures. A few examples are worth highlighting here, drawing on the shared responsibility model and AWS services.

Identity and Access Management (IAM) and authentication

There are several CSF subcategories in this area that IAM and other AWS identity and authentication services can assist with. These include, to name a few:

  • PR.AC-1 – Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes

  • PR.AC-4 – Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties

  • PR.AC-7 – Users, devices, and other assets are authenticated (for example, single-factor or multi-factor) commensurate with the risk of the transaction

For more information, refer to AWS Identity and Access Management, Amazon Cognito, AWS Single Sign-On, and AWS Certificate Manager.

Physical security

One subcategory here is Access Control 2 (PR.AC-2), which requires that physical access to assets be managed and protected. In AWS, the physical assets that comprise our infrastructure and services are the responsibility of AWS. For an application that wholly resides in AWS, this is an expensive and complex burden that has been lifted from the customer.

The customer would only retain responsibility for any physical assets they own outside of AWS such as desktops and laptops that may connect to the application hosted in AWS. For more information about our data center and physical security, visit the Our Data Centers webpage.

Data security

Another example from this function is Data Security 1 (PR.DS-1), which requires that data at rest be protected. Here, the customer is responsible for determining the level of protection required and for employing the appropriate AWS or third-party service to meet that requirement. AWS offers several encryption options, such as client-side encryption, a few different server-side encryption options depending on the AWS storage services used, and key management services that are FIPS 140-2 Level 2 (AWS KMS) or Level 3 (AWS CloudHSM) validated. For more information about encryption services and options, refer to AWS Cryptography and PKI Documentation.

Perimeter security

AWS offers several services for boundary protection to build a defense-in-depth strategy at each layer of the customer’s application. This supports several CSF subcategories such as PR.AC-5 (Network integrity is protected).

AWS Shield

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.

All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge. AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your website or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.

AWS Shield Advanced

For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced. In addition to the network and transport layer protections that come with Standard, AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall. AWS Shield Advanced also gives you 24x7 access to the AWS DDoS Response Team (DRT) and protection against DDoS related spikes in your Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 charges.

In support of the 2020 US elections, we offered a tailored offering of our AWS Shield Advanced service specifically to elections customers at a discounted price and reducing the annual commitment to just two months.

AWS Web Application Firewall (AWS WAF)

AWS WAF helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources.

AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define. You can get started quickly using Managed Rules for AWS WAF, a pre-configured set of rules managed by AWS or AWS Marketplace Sellers. The Managed Rules for AWS WAF address issues like the OWASP Top 10 security risks. These rules are regularly updated as new issues emerge. AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of security rules.

Summary of AWS WAF

AWS Network Firewall

AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs). The service can be set up with just a few clicks and scales automatically with your network traffic, so you don't have to worry about deploying and managing any infrastructure. AWS Network Firewall’s flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious activity. You can also import rules you’ve already written in common open-source rule formats, as well as enable integrations with managed intelligence feeds sourced by AWS partners. AWS Network Firewall works together with AWS Firewall Manager so you can build policies based on AWS Network Firewall rules and then centrally apply those policies across your VPCs and accounts.

AWS Network Firewall includes features that provide protections from common network threats. AWS Network Firewall’s stateful firewall can incorporate context from traffic flows, like tracking connections and protocol identification, to enforce policies such as preventing your VPCs from accessing domains using an unauthorized protocol. AWS Network Firewall’s intrusion prevention system (IPS) provides active traffic flow inspection so you can identify and block vulnerability exploits using signature-based detection. AWS Network Firewall also offers web filtering that can stop traffic to known bad URLs and monitor fully qualified domain names.

Summary of AWS Network Firewall

Amazon VPC

The Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications. You can easily customize the network configuration of your Amazon VPC. For example, you can create a public-facing subnet for your web servers that have access to the internet. You can also place your backend systems, such as databases or application servers, in a private-facing subnet with no internet access.

Access Control Lists (ACLs)

An ACL is an optional layer of security for your VPC that acts as a stateless firewall for controlling traffic in and out of one or more subnets. You can set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.

Security groups

A security group acts as a virtual stateful firewall for your Amazon EC2 instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign security groups to the instance. Security groups act at the instance elastic network interface level, not the subnet level. Therefore, each instance elastic network interface in a subnet in your VPC can be assigned to a different set of security groups. For more information, refer to Control traffic to resources using security groups.
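The stateless-versus-stateful distinction in the two preceding sections has a practical consequence that is easy to miss: a network ACL judges each packet on its own, so it needs an explicit outbound rule for the ephemeral return ports, whereas a security group tracks the connection and allows the reply automatically. The following added example (not code from AWS or from this whitepaper) models both evaluation behaviours for a single HTTPS exchange. The rule shapes, rule numbers, the port 50000 client port and the 1024-65535 ephemeral range are constructed for illustration; the model reproduces ascending rule-number evaluation for the NACL and allow-only rules with connection tracking for the security group.

```python
"""Added example: toy model of stateless (network ACL) vs stateful (security group)
traffic evaluation. Assumptions: rules, ports and flows below are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" or "outbound" relative to the instance/subnet
    protocol: str    # "tcp" or "udp"
    dst_port: int
    src_port: int


@dataclass(frozen=True)
class Rule:
    number: int      # evaluation order for NACLs; ignored by security groups
    protocol: str
    port_from: int
    port_to: int
    action: str      # "allow" or "deny" (security groups only use "allow")

    def matches(self, pkt: Packet) -> bool:
        return self.protocol == pkt.protocol and self.port_from <= pkt.dst_port <= self.port_to


@dataclass
class NetworkAcl:
    """Stateless: every packet is evaluated on its own, in rule-number order."""
    inbound: list
    outbound: list

    def allows(self, pkt: Packet) -> bool:
        rules = self.inbound if pkt.direction == "inbound" else self.outbound
        for rule in sorted(rules, key=lambda r: r.number):
            if rule.matches(pkt):
                return rule.action == "allow"
        return False  # implicit final deny


@dataclass
class SecurityGroup:
    """Stateful: a reply to a previously allowed connection is allowed automatically."""
    inbound: list
    outbound: list
    _tracked: set = field(default_factory=set)

    def allows(self, pkt: Packet) -> bool:
        # A reply reverses the direction and swaps the ports; consult the tracking table first.
        reply_key = ("outbound" if pkt.direction == "inbound" else "inbound",
                     pkt.protocol, pkt.src_port, pkt.dst_port)
        if reply_key in self._tracked:
            return True
        rules = self.inbound if pkt.direction == "inbound" else self.outbound
        if any(r.matches(pkt) for r in rules):
            self._tracked.add((pkt.direction, pkt.protocol, pkt.dst_port, pkt.src_port))
            return True
        return False


def https_exchange(fw) -> tuple:
    """Client on ephemeral port 50000 connects to the instance on 443; the server replies.
    Returns (request_allowed, reply_allowed)."""
    request = Packet("inbound", "tcp", dst_port=443, src_port=50000)
    reply = Packet("outbound", "tcp", dst_port=50000, src_port=443)
    return fw.allows(request), fw.allows(reply)


# Constructed configurations used for the comparison.
SG_HTTPS_ONLY = SecurityGroup(inbound=[Rule(0, "tcp", 443, 443, "allow")], outbound=[])

# NACL that allows inbound 443 but has no outbound rule for the ephemeral return ports.
NACL_MISSING_RETURN = NetworkAcl(inbound=[Rule(100, "tcp", 443, 443, "allow")], outbound=[])

# Same NACL with the outbound ephemeral-port rule added.
NACL_WITH_RETURN = NetworkAcl(inbound=[Rule(100, "tcp", 443, 443, "allow")],
                              outbound=[Rule(100, "tcp", 1024, 65535, "allow")])

# Lower-numbered deny wins over the later allow; the reply is still judged independently.
NACL_DENY_FIRST = NetworkAcl(inbound=[Rule(50, "tcp", 443, 443, "deny"),
                                      Rule(100, "tcp", 443, 443, "allow")],
                             outbound=[Rule(100, "tcp", 1024, 65535, "allow")])

if __name__ == "__main__":
    for name, fw in [("security group", SG_HTTPS_ONLY), ("NACL missing return rule", NACL_MISSING_RETURN),
                     ("NACL with return rule", NACL_WITH_RETURN), ("NACL deny first", NACL_DENY_FIRST)]:
        print(f"{name}: request/reply allowed = {https_exchange(fw)}")
```

The security group passes the reply with no outbound rule at all, while the NACL without the ephemeral-port rule accepts the request and silently drops the reply; the deny-first case shows that a NACL denial of the request does not stop the reply direction from being evaluated on its own rules.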

Detect

Recent industry reporting indicates that the average time to detect a data breach for a US organization is 186 days. This means that a data breach that occurs 6 months prior to the election may not even be detected until after the election, when it’s too late to respond and save the integrity of the election. The Detect function covers the ability to discover a cybersecurity event (anomalies and events) through security continuous monitoring. This is a critical CSF function where AWS has been building advanced capabilities for customers through a number of new services over the past few years. You can improve your alignment with several CSF subcategories using these services, such as DE.AE-1 through -5 and DE.CM-1 through -5, -7, and -8.

The CSF Detect activities generally provide for building a baseline of known good configurations and behavior. Event data is collected and analyzed from multiple sources, and vulnerability scans are performed—all to detect anomalies and unauthorized changes.

Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. With the cloud, the collection and aggregation of account and network activities is simplified, but it can be time-consuming for security teams to continuously analyze event log data for potential threats. With GuardDuty, you have an intelligent and cost-effective option for continuous threat detection in the AWS Cloud.

The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs. With a few clicks in the AWS Management Console, GuardDuty can be enabled with no software or hardware to deploy or maintain. By integrating with AWS Security Hub and Amazon CloudWatch Events, GuardDuty alerts are actionable, easy to aggregate across multiple accounts, and straightforward to push into existing event management and workflow systems.

Summary of Amazon GuardDuty

AWS CloudTrail

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.

CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. Also, you can use CloudTrail to detect unusual activity in your AWS accounts. These capabilities help simplify operational analysis and troubleshooting.
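The paragraph above says CloudTrail can be used to detect unusual activity but does not show what a detection looks like. The following added example (not code from AWS or from this whitepaper) runs four defender-side checks over a constructed trail file: root account usage, failed console logins, a security group opened to 0.0.0.0/0, and tampering with the trail itself. The four records are constructed samples in the CloudTrail record layout (eventName, eventSource, userIdentity, sourceIPAddress, requestParameters, responseElements), the account ID, group ID and IP addresses are placeholders, and load_records assumes the "Records" list that CloudTrail writes to each delivered file.

```python
"""Added example: simple detections over CloudTrail records.
Assumptions: the records in SAMPLE_TRAIL are constructed, not real events."""
import json

# Constructed sample trail file contents (placeholder account, IPs and group ID).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2020-10-01T12:00:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.08", "eventTime": "2020-10-01T12:05:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "clerk"},
     "sourceIPAddress": "203.0.113.9",
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    {"eventVersion": "1.08", "eventTime": "2020-10-01T12:10:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "admin"},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"groupId": "sg-0123456789abcdef0",
                           "ipPermissions": {"items": [
                               {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventVersion": "1.08", "eventTime": "2020-10-01T12:15:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "admin"},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"}},
]})


def load_records(trail_file_text: str) -> list:
    """CloudTrail delivers JSON files whose top-level key is 'Records'."""
    return json.loads(trail_file_text)["Records"]


def detect_root_activity(rec):
    # Any use of the root credentials is worth an alert; it should be vanishingly rare.
    if rec.get("userIdentity", {}).get("type") == "Root":
        return "root-account-activity"


def detect_failed_console_login(rec):
    if (rec.get("eventName") == "ConsoleLogin"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
        return "console-login-failure"


def detect_open_ingress(rec):
    # A security group rule that admits the whole internet.
    if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    perms = rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return "security-group-open-to-internet"


def detect_logging_tampering(rec):
    # Turning the trail off is a classic step before other unwanted activity.
    if (rec.get("eventSource") == "cloudtrail.amazonaws.com"
            and rec.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"}):
        return "cloudtrail-logging-tampered"


DETECTIONS = (detect_root_activity, detect_failed_console_login,
              detect_open_ingress, detect_logging_tampering)


def run_detections(records) -> list:
    """Return (eventTime, eventName, sourceIPAddress, alert) for every detection hit."""
    alerts = []
    for rec in records:
        for detect in DETECTIONS:
            alert = detect(rec)
            if alert:
                alerts.append((rec["eventTime"], rec["eventName"], rec["sourceIPAddress"], alert))
    return alerts


if __name__ == "__main__":
    for alert in run_detections(load_records(SAMPLE_TRAIL)):
        print(alert)
```

In production these checks would run as the trail files land (for example, from an S3 event notification) or as CloudWatch metric filters on the CloudTrail log group; the point of the pure-Python form is that each detection is a small, testable function over one record.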

Summary of AWS CloudTrail

Amazon CloudWatch

Amazon CloudWatch is a monitoring and observability service built for DevOps engineers, security teams, site reliability engineers (SREs), and IT managers. CloudWatch provides you with data and actionable insights to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, providing you with a unified view of AWS resources, applications, and services that run on AWS and on-premises servers. You can use CloudWatch to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.

Summary of Amazon CloudWatch

AWS Trusted Advisor

AWS Trusted Advisor is an online tool that provides you real-time guidance to help you provision your resources following AWS best practices, including security and fault tolerance.

Summary of AWS Trusted Advisor

AWS Config

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With AWS Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.

Summary of AWS Config

AWS Security Hub

AWS Security Hub gives you a comprehensive view of your high-priority security alerts and security posture across your AWS accounts. There are a range of powerful security tools at your disposal, from firewalls and endpoint protection to vulnerability and compliance scanners. But this often leaves your team switching back-and-forth between these tools to deal with hundreds, and sometimes thousands, of security alerts every day.

With Security Hub, you have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from APN Partner solutions.

AWS Security Hub continuously monitors your environment using automated security checks based on the AWS best practices and industry standards that your organization follows. You can also take action on these security findings by investigating them in Amazon Detective or by using Amazon CloudWatch Event rules to send the findings to ticketing, chat, Security Information and Event Management (SIEM), Security Orchestration Automation and Response (SOAR), and incident management tools or to custom remediation playbooks. Get started with AWS Security Hub in just a few clicks in the Management Console and once enabled, Security Hub will begin aggregating and prioritizing findings and conducting security checks.

Summary of AWS Security Hub

Amazon Detective

Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to conduct faster and more efficient security investigations.

AWS security services like Amazon GuardDuty, Amazon Macie, and AWS Security Hub, as well as partner security products, can be used to identify potential security issues, or findings. These services are really helpful in alerting you when something is wrong and pointing out where to go to fix it.

But sometimes there might be a security finding where you need to dig a lot deeper and analyze more information to isolate the root cause and take action. Determining the root cause of security findings can be a complex process that often involves collecting and combining logs from many separate data sources, using extract, transform, and load (ETL) tools or custom scripting to organize the data, and then security analysts having to analyze the data and conduct lengthy investigations.

Amazon Detective simplifies this process by enabling your security teams to easily investigate and quickly get to the root cause of a finding. Amazon Detective can analyze trillions of events from multiple data sources such as Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and Amazon GuardDuty, and automatically creates a unified, interactive view of your resources, users, and the interactions between them over time. With this unified view, you can visualize all the details and context in one place to identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause.

Summary of Amazon Detective

Respond

Outages and attacks happen fast, and the time between detecting a suspicious activity or event and responding to it is critical. Even with a well-trained staff that is able to monitor and respond to every detected event, they cannot respond at the speed of cyber. Humans need work-breaks, and even when following the same procedures, have different levels of knowledge, experience, and judgment resulting in inconsistent results. We are not the best tool for rote procedures where there is an expectation of consistency and reliability for every action. This is where computers are ideal, and automation is key to speed and consistency.

The same industry report mentioned in the Detect section of this document found that the average time for US organizations to contain a breach is 51 days. Our government elections customers and elections technology partners have expressed that this is unacceptable. In the Respond function, there are a few CSF subcategories where AWS can elevate an elections technology solution, such as RS.RP-1 (response plan is executed during or after an incident), which would include RS.MI-1/2 (incidents are contained and incidents are mitigated). Some of these AWS services include the following.

Amazon EventBridge

Amazon EventBridge is a serverless event bus that makes it easy to connect applications together using data from your own applications, integrated software as a service (SaaS) applications, and AWS services. EventBridge delivers a stream of real-time data from event sources, such as Zendesk, Datadog, or PagerDuty, and routes that data to targets like AWS Lambda. You can set up routing rules to determine where to send your data to build application architectures that react in real time to all of your data sources.

Summary of Amazon EventBridge

AWS Lambda

AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume. With Lambda, you can run code for virtually any type of application or backend service—all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. The critical capability here for security response is that you can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.

If or when a detection service like Amazon GuardDuty detects a threat and logs it as an Amazon CloudWatch Event, you can have a Lambda function triggered to take action. For example, if GuardDuty logs an event where one of your EC2 instances is communicating with a known malicious botnet command and control (C2) server, Lambda can trigger and block that suspicious activity at the AWS Web Application Firewall (AWS WAF) service, in the EC2 security group, and in other third-party partner solutions, log the changes, and notify staff by email and SMS text message, all within seconds to minutes and without any human intervention.
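The C2 scenario in the paragraph above, as an added example that is not AWS code and not part of this whitepaper: a Lambda-style handler that receives a GuardDuty finding through an EventBridge/CloudWatch Events rule, checks severity and finding family, and then issues the block, quarantine and notification steps. The finding in SAMPLE_EVENT is constructed; its field paths (detail.type, detail.severity, detail.resource.instanceDetails.instanceId, detail.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4) follow the published GuardDuty finding format as assumed here, not a captured event. The RecordingActions class is a stand-in for the real clients (WAF IP set update, security group swap, SNS notification) so the decision logic runs offline; the severity threshold and finding-type prefixes are choices for this example, not AWS defaults.

```python
"""Added example: automated response to a GuardDuty finding in a Lambda-shaped handler.
Assumptions: SAMPLE_EVENT is constructed; RecordingActions stands in for AWS API clients."""
import ipaddress

# Finding families this handler is willing to act on (example policy, not an AWS default).
BLOCKABLE_PREFIXES = ("Backdoor:EC2/C&CActivity", "Trojan:EC2/", "CryptoCurrency:EC2/")
MIN_SEVERITY = 7.0  # GuardDuty "High" severity band starts at 7.0

# Addresses that must never be pushed into an internet-facing block list.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


class RecordingActions:
    """Stand-in for the remediation clients; records what a real client would be asked to do."""
    def __init__(self):
        self.calls = []

    def block_ip_in_waf(self, cidr):           # in practice: wafv2 update_ip_set
        self.calls.append(("waf_block", cidr))

    def quarantine_instance(self, instance_id):  # in practice: swap to an isolation security group
        self.calls.append(("quarantine", instance_id))

    def notify(self, message):                 # in practice: SNS publish to email/SMS subscribers
        self.calls.append(("notify", message))


def is_blockable_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def remote_ip_from_finding(detail: dict):
    try:
        return detail["service"]["action"]["networkConnectionAction"]["remoteIpDetails"]["ipAddressV4"]
    except KeyError:
        return None


def handler(event, context=None, actions=None) -> dict:
    """Lambda-shaped entry point; returns a summary of what was done."""
    actions = actions if actions is not None else RecordingActions()
    detail = event.get("detail", {})
    finding_type = detail.get("type", "")
    severity = float(detail.get("severity", 0))

    # Gate on severity and finding family so a low-severity recon finding cannot trigger blocks.
    if severity < MIN_SEVERITY or not finding_type.startswith(BLOCKABLE_PREFIXES):
        return {"action": "ignored", "type": finding_type, "severity": severity}

    instance_id = detail.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    remote_ip = remote_ip_from_finding(detail)
    taken = []
    if remote_ip and is_blockable_ip(remote_ip):
        actions.block_ip_in_waf(f"{remote_ip}/32")
        taken.append("waf_block")
    if instance_id:
        actions.quarantine_instance(instance_id)
        taken.append("quarantine")
    actions.notify(f"{finding_type} (severity {severity}): instance {instance_id}, remote {remote_ip}")
    taken.append("notify")
    return {"action": "remediated", "type": finding_type, "severity": severity,
            "instance_id": instance_id, "remote_ip": remote_ip, "taken": taken}


# Constructed sample event (placeholder instance ID and documentation-range IP), not a real finding.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "Backdoor:EC2/C&CActivity.B", "severity": 8,
               "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
               "service": {"action": {"networkConnectionAction": {
                   "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}}}}

if __name__ == "__main__":
    recorder = RecordingActions()
    print(handler(SAMPLE_EVENT, actions=recorder))
    for call in recorder.calls:
        print(call)
```

Two design choices matter for a real deployment: the handler refuses to act below a severity threshold and outside an allow-list of finding families, because an over-eager responder is itself an availability risk on election day, and it never places a private or link-local address in a block list, since those can appear in findings and would cut off legitimate internal traffic.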

Summary of AWS Lambda

AWS Config

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With AWS Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.

Summary of AWS Config

AWS Auto Scaling

AWS Auto Scaling monitors your applications and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost. Using AWS Auto Scaling, it’s easy to set up application scaling for multiple resources across multiple services in minutes.

The service provides a simple, powerful user interface that lets you build scaling plans for resources including Amazon EC2 instances and Spot Fleets, Amazon ECS tasks, Amazon DynamoDB tables and indexes, and Amazon Aurora Replicas. AWS Auto Scaling makes scaling simple with recommendations that allow you to optimize performance, costs, or balance between them.

An Auto Scaling group also enables you to use Amazon EC2 Auto Scaling features such as health check replacements to quickly identify when a server has failed and automatically replace it. When combined with one of the Elastic Load Balancing (ELB) services, the affected server’s communications are shifted to other healthy servers until the replacement EC2 instance is brought online and checks in as healthy.

Summary of AWS Auto Scaling

Recover

There is only a small window of time leading up to an election day, and the day itself, where the entire purpose of election systems exists. Every delay in recovering from an event and restoring the system functionality equals voters not registered, ballots not delivered, or votes not cast and can risk the entire democratic process.

There is only one CSF subcategory in the Recover Function where technology and automation can take the lead to reduce downtime and minimize the impact, and that is RC.RP-1 (Recovery plan is executed during or after a cybersecurity incident). The other subcategories are more manual and require people to lead the effort.

AWS brings the ability to build resilient architectures that are self-healing and that shift risk mitigation to the front of an event. The foundation for this is the AWS global infrastructure with 24 geographic Regions and 77 Availability Zones. For more information, refer to Regions and Availability Zones.

Region

For AWS, a Region is a physical location around the world where we cluster data centers. We group data centers within a Region into logical fault isolation zones called an Availability Zone. Each AWS Region consists of multiple, isolated, and physically separate Availability Zones within a geographic area.

Unlike other cloud providers, who often define a Region as a single data center, the multiple Availability Zone design of every AWS Region offers you many advantages. Each Availability Zone has independent power, cooling, and physical security and is connected by redundant, ultra-low-latency networks. AWS customers who are focused on high availability can design their applications to run in multiple Availability Zones to achieve even greater fault-tolerance and resiliency. AWS infrastructure Regions meet the highest levels of security, compliance, and data protection.

Availability Zone

An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. Availability Zones give customers the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center.

All Availability Zones in an AWS Region are interconnected with high-bandwidth, low-latency networking, over fully redundant, dedicated metro fiber providing high-throughput, low-latency networking between Availability Zones. All traffic between Availability Zones is encrypted. The network performance is sufficient (<2ms latency) to accomplish synchronous replication between Availability Zones.

Availability Zones make it easy to partition applications for high availability. If an application is partitioned across Availability Zones, companies are better isolated and protected from issues such as power outages, lightning strikes, tornadoes, earthquakes, and more. Availability Zones are physically separated by a meaningful distance, many kilometers, from any other Availability Zone although all are within 100 km (60 miles) of each other.

So, what does this mean for elections technology solution providers or election officials? Traditionally, applications are built on a single server or server stack (a standard three-tier web application would include a database server, an application server, and a web server), all housed in a single data center. If the data center had an outage due to any number of environmental events (for example, loss of power due to a tornado), or if one of the servers failed, the application would be offline and customers would go unserved until everything could be restored. Recovery could take hours, days, or even weeks to either rebuild a physical server and restore data from backups in an alternate data center, or to repair any facility damage to the current data center and restore utilities (for example, power, HVAC, or internet connectivity). This is simply unacceptable for the elections mission.

If you move to AWS and refactor applications to decouple application processes and data, you can build an elections technology solution that would span multiple physical data centers within a specified geographic Region. This solution would replicate data synchronously, and be able to automatically respond to events so that there is no business impact. This would allow elections technology providers and elections officials to shift from a reactive disaster recovery risk model to a proactive resiliency risk model. This doesn’t mean that risk can be reduced to zero. But much of the residual risk could be mitigated on the front end (before an event) rather than on the backend (after an event). Even so, we still recommend that a disaster recovery (DR) plan and capabilities be in place, which AWS can provide.