Security perspective: compliance and assurance - An Overview of the AWS Cloud Adoption Framework

Also available on Audible, Kindle, and as an eBook.

Security perspective: compliance and assurance

The security perspective helps you achieve the confidentiality, integrity, and availability of your data and cloud workloads. It comprises nine capabilities shown in the following figure. Common stakeholders include CISO, CCO, internal audit leaders, and security architects and engineers.

A diagram depicting the AWS CAF Security perspective capabilities.

AWS CAF Security perspective capabilities

  • Security governance – Develop, maintain, and effectively communicate security roles, responsibilities, accountabilities, policies, processes, and procedures. Ensuring clear lines of accountability is critical to the effectiveness of your security program. Understanding your assets, security risks, and compliance requirements that apply to your industry and/or organization will help you prioritize your security efforts. Providing ongoing direction and advice will help accelerate your transformation by allowing your teams to move faster.

    Understand your responsibility for security in the cloud. Inventory, categorize, and prioritize relevant stakeholders, assets, and information exchanges. Identify laws, rules, regulations, and standards/frameworks that apply to your industry and/or organization. Perform an annual risk assessment on your organization. Risk assessments can assist in determining the likelihood and impact of identified risks and/or vulnerabilities affecting your organization. Allocate sufficient resources to identified security roles and responsibilities. Develop security policies, processes, procedures, and controls in line with your compliance requirements and organizational risk tolerance; continuously update based on evolving risks and requirements.

  • Security assurance – Continuously monitor, evaluate, manage, and improve the effectiveness of your security and privacy programs. Your organization, and the customers you serve, need trust and confidence that the controls that you have implemented will enable you to meet regulatory requirements, and effectively and efficiently manage security and privacy risks in line with your business objectives and risk tolerance.

    Document controls into a comprehensive control framework, and establish demonstrable security and privacy controls that meet those objectives. Review the audit reports, compliance certifications, or attestations that your cloud vendor has obtained to help you understand the controls they have in place, how those controls have been validated, and that controls in your extended IT environment are operating effectively.

    Continuously monitor and evaluate your environment to verify the operating effectiveness of your controls, and demonstrate compliance with regulations and industry standards. Review security policies, processes, procedures, controls, and records, and interview key personnel as required.

  • Identity and access management – Manage identities and permissions at scale. You can create identities in AWS or connect your identity source, and then grant users the necessary permissions, so they can sign-in, access, provision, or orchestrate AWS resources and integrated applications. Effective identity and access management helps validate that the right people and machines have access to the right resources under the right conditions.

    The AWS Well Architected Framework describes relevant concepts, design principles, and architectural best practices to manage identities. These include: relying on a centralized identity provider; leveraging user groups and attributes for fine-grained access at scale and temporary credentials; and using strong sign-in mechanisms, such as multi-factor authentication (MFA). To control access by human and machine identities to AWS and your workloads, set permissions to specific service actions on specific resources under specific conditions; use the principle of least privilege, set permissions boundaries, and use service control policies so the right entities can access the right resources as your environment and user base grow; grant permissions based on attributes (ABAC) so your policies can scale; and continuously validate that your policies provide the protection that you need.

  • Threat detection – Understand and identify potential security misconfigurations, threats, or unexpected behaviors. A better understanding of security threats will enable you to prioritize protective controls. Effective threat detection will allow you to respond to threats faster and learn from security events. Agree on tactical, operational, and strategic intelligence goals and overall methodology. Mine relevant data sources, process and analyze data, and disseminate and operationalize insights.

    Deploy monitoring ubiquitously within the environment to collect essential information and at ad hoc locations to track specific types of transactions. Correlate monitoring data from multiple event sources, including network traffic, operating systems, applications, databases, and endpoint devices to provide a robust security posture and enhance visibility. Consider leveraging deception technology (for example, honeypots) to gain understanding of unauthorized user behavior patterns.

  • Vulnerability management – Continuously identify, classify, remediate, and mitigate security vulnerabilities. Vulnerabilities may also be introduced with changes to existing systems or with addition of new systems. Regularly scan for vulnerabilities to help protect against new threats. Employ vulnerability scanners and endpoint agents to associate systems with known vulnerabilities. Prioritize remediation actions based on the vulnerability risk. Apply remediation actions and report to relevant stakeholders. Leverage red teaming and penetration testing to identify vulnerabilities in your system architecture; seek prior authorization from your cloud provider as required.

  • Infrastructure protection – Validate that systems and services within your workload are protected against unintended and unauthorized access and potential vulnerabilities. Protecting your infrastructure from unintended and unauthorized access and potential vulnerabilities will help you elevate your security posture in the cloud. Leverage defense in depth to layer a series of defensive mechanisms aimed at protecting your data and systems.

    Create network layers and place workloads with no requirements for internet access in private subnets. Use security groups, network access control lists, and network firewalls to control traffic. Apply Zero Trust to your systems and data in accordance with their value. Leverage virtual private cloud (VPC) endpoints for private connection to cloud resources. Inspect and filter your traffic at each layer; for example, via a web application firewall and/or a network firewall. Use hardened operating system images and physically secure any hybrid cloud infrastructure on-premises and at the edge.

  • Data protection – Maintain visibility and control over data, and how it is accessed and used in your organization. Protecting your data from unintended and unauthorized access, and potential vulnerabilities, is one of the key objectives of your security program. In order to help you determine appropriate protection and retention controls, classify your data based on criticality and sensitivity (for example, personally identifiable information). Define data protection controls and lifecycle management policies. Encrypt all data at rest and in transit, and store sensitive data in separate accounts. Leverage machine learning to automatically discover, classify, and protect sensitive data.

  • Application security – Detect and address security vulnerabilities during the software development process. You can save time, effort, and cost when you find and remediate security flaws during the coding phase of an application, and have confidence in your security posture as you launch into production. Scan and patch for vulnerabilities in your code and dependencies to help protect against new threats. Minimize the need for human intervention by automating security-related tasks across your development and operations processes and tools. Use static code analysis tools to identify common security issues.

  • Incident response – Reduce potential harm by effectively responding to security incidents. Quick, effective, and consistent responses to security incidents will help you reduce potential harm. Educate your security operations and incident response teams about cloud technologies and how your organization intends to use them. Develop runbooks and create a library of incident response mechanisms. Include key stakeholders to better understand the impact of your choices on the broader organization.

    Simulate security events and practice your incident response through table-top exercises and game days. Iterate on the outcome of your simulation to improve the scale of your response posture, reduce time to value, and further reduce risk. Conduct post-incident analyses to learn from security incidents by leveraging a standardized mechanism to identify and resolve root causes.