Crowdstrike reported a 75% increase in cloud environment intrusions from 2022 to 2023 (source). IBM’s cost of data breach report shows that the global average cost of a data breach in 2024 is USD 4.88M, a 10% increase over last year and the highest total ever. Cyber attacks would scale much faster with the help of artificial intelligence. If organizations are not prepared, the consequences will be dire.
There are many security frameworks that can help organizations enable security and safety for their applications and users. In this blog post, we will discuss NIST CSF, one of the most used security frameworks that helps organizations understand and prevent cybersecurity risks. We will cover the key enhancements in NIST CSF 2.0 briefly, explain the primary components of CSF in detail, and show the best practices for maintaining NIST CSF in the cloud.
The NIST Cybersecurity Framework is designed to help private sector organizations evaluate and enhance their capacity to prevent, detect, and respond to cyber-attacks. The framework is meant to supplement an organization’s current risk management and cybersecurity procedures.
We can call it an add-on to an organization’s existing information/cyber security posture. The framework offers recommendations based on best practices and industry standards. It assists businesses of all sizes, from startups to major corporations, in determining the best course of action for enhancing cyber-security and cyber resilience and evaluating the present level of their cyber-security processes. In February 2024, NIST introduced NIST CSF v2.0 with several upgrades.
CSF 1.1 has 5 functions, 23 categories, and 108 subcategories. The CSF 2.0 has 6 functions, 22 categories, and 106 subcategories. CSF 2.0 is an extension of CSF 1.1 that includes several category realignments and the addition of the ‘Govern’ function.
Here are key enhancements in NIST CSF 2.0:
The images shows the newly added ‘Govern’ function.
There are three primary components of CSF 2.0:
We will cover each component pf CSF 2.0 in detail.
There are six core functions within NIST CSF 2.0.
Govern: This function involves cybersecurity risk management strategy, expectations, and policies.
Category | Key points | Security Enhancements |
---|---|---|
Organizational Context | Involves recognizing the unique aspects of the organization, its mission, goals, operational environment, regulatory requirements, and risk appetite, that influence how it manages cybersecurity risks It includes understanding Business Needs and Drivers - Tailoring the Framework - Risk Management - Resource Allocation - Communication - Continuous Improvement - Mission and Objectives - Stakeholder Expectations - Legal, Regulatory, and Contractual Requirements - Threat Landscape |
Strategic Alignment Asset Protection Clear Direction Accountability and Responsibility |
Risk Management Strategy | Risk management processes are established, managed, and agreed to by organizational stakeholders. Understanding and articulating risk tolerance is essential for making informed decisions about which risks to mitigate, accept, transfer, or avoid. It includes - Identifying Risks - Assessing Risks - Developing Risk Treatment Plans - Risk Acceptance - Continuous Monitoring |
Prioritization Informed Decision-Making Proactive Risk Mitigation Adaptability |
Roles, Responsibilities, and Authorities | Ensure clear accountability, define actions, and empower stakeholders for effective cybersecurity management. Establishment and Communication Leadership Accountability Clear Assignment Use of RACI Matrix Comprehensive Coverage Alignment with Organizational Structure Regular Review and Update Board and Executive Involvement Cross-functional Collaboration Empowerment and Authority |
Clear Accountability Effective Decision-Making Improved Communication and Coordination Reduced Risk of Human Error |
Policy | Policies establish guidelines and standards to ensure consistent cybersecurity practices across the organization. The below process is part of the policy lifecycle. Policy Development and Implementation Communication of Policies Policy Enforcement Regular Review and Update Alignment with Organizational Context Integration with Enterprise Risk Management Supply Chain Considerations Compliance and Regulatory Alignment Documentation and Accessibility |
Clear Expectations Consistent Practices Risk Management Accountability |
Oversight | Keeping a close eye on all aspects of cybersecurity Continuous Monitoring and Evaluation Performance Measurement Feedback and Improvement Governance Integration Stakeholder Communication |
Maintaining Effectiveness Promoting Accountability Driving Continuous Improvement Demonstrating Commitment |
Cybersecurity Supply Chain Risk Management | Program and Strategy Identifying and Assessing Suppliers and Third-Party Partners Understanding Supply Chain Dependencies Risk Management Integration Supplier Prioritization Contractual Security Requirements Due Diligence Continuous Monitoring Incident Planning and Response Post-Relationship Risk Management Managing Supply Chain Risks Communicating and Collaborating with Suppliers |
Reduces Risk Exposure Protects Critical Assets Strengthens Resilience Fosters Trust |
Identify: This function involves identifying assets, vulnerabilities, and threats within an organization’s environment.
Category | Key points | Security Enhancements |
---|---|---|
Asset Management | The company inventories all software components and data used in its service. This includes identifying which data is sensitive and requires additional protection measures. - Asset Identification - Asset Classification - Asset Ownership and Responsibility - Asset Inventory Maintenance - Data Flow Mapping |
Targeted Protection Risk Prioritization Improved Incident Response Compliance Efficient Resource Management |
Risk Assessment | Conduct regular risk assessments to identify cybersecurity threats specific to the SaaS model, such as data breaches or unauthorized access to customer data. - Risk Identification - Risk Analysis - Risk Prioritization - Risk Communication - Continuous Risk Monitoring |
Informed Decision-Making Proactive Risk Mitigation Efficient Resource Allocation Improved Communication Adaptability |
Improvement | Continuous improvement is required to streamline the security tasks - Iterative Assessments - Feedback Loops - Adaptability |
Protect: The Protect function focuses on securing assets and limiting the impact of a potential cybersecurity event.
Category | Key points | Security Enhancements |
---|---|---|
Identity Management, Authentication, and Access Control | Identity Management - User Provisioning - Role-Based Access Control (RBAC) - Lifecycle Management Authentication - Multi-Factor Authentication (MFA) - Single Sign-On (SSO) Access Control - Access Control Lists (ACLs) - Policy Enforcement |
Prevents Unauthorized Access Limits Damage from Breaches Enforces Accountability Facilitates Compliance |
Awareness and Training | Security Awareness Programs Security Training Phishing Simulations Role-Based Training Continuous Learning |
Reduces Human Error Empowers Employees Strengthens Security Culture Supports Compliance |
Data Security | Encrypt sensitive customer data both in transit and at rest. Ensure that encryption keys are securely managed Data Classification Data Encryption Access Controls Data Masking and Tokenization Data Backup and Recovery Data Retention and Disposal Data Loss Prevention (DLP) |
Confidentiality Integrity Availability Compliance |
Platform Security | Secure Configuration Vulnerability Management Malware Defenses Secure Coding Practices Data Protection at Rest and in Transit |
Reduced Attack Surface Timely Vulnerability Management Proactive Malware Defense Secure Software Development Data Protection |
Technology Infrastructure Resilience | Data Backup Recovery Planning Redundancy Resilient Design Physical Protection |
Minimizes Downtime Protects Data Ensures Business Continuity |
Detect: The Detect function monitors and detects cybersecurity events.
Category | Key points | Security Enhancements |
---|---|---|
Continuous Monitoring | Real-Time Monitoring Alerting and Notifications Security Information and Event Management (SIEM) Anomaly Detection Vulnerability Scanning Threat Intelligence Change Detection |
Early Threat Detection Improved Incident Response Enhanced Situational Awareness Compliance |
Adverse Event Analysis | Event Correlation Impact and Scope Assessment Root Cause Analysis Incident Declaration Threat Intelligence Integration Information Sharing |
Accurate Incident Identification Targeted Response Proactive Risk Mitigation Improved Situational Awareness Collaboration and Information Sharing |
Respond: The Respond function involves responding to detected cybersecurity events.
Category | Key points | Security Enhancements |
---|---|---|
Incident Management | Incident Response Plan Incident Triage and Analysis Containment and Eradication Recovery Lessons Learned Communication |
Minimizes Impact Facilitates Recovery Improves Security Posture Maintains Stakeholder Confidence |
Incident Analysis | Comprehensive Investigation Root Cause Identification Impact Assessment Evidence Preservation Threat Actor Profiling Communication and Collaboration |
Effective Containment and Eradication Informed Decision-Making Improved Security Posture Proactive Threat Detection Legal and Compliance Support |
Incident Response Reporting and Communication | Internal Reporting External Reporting Stakeholder Communication Public Communication Lessons Learned Post-Incident Activities |
Facilitates Timely Response Minimizes Damage Enhances Collaboration Supports Compliance Promotes Continuous Improvement |
Incident Mitigation | Containment Strategies Eradication Activity Monitoring Protective Technology Coordination and Communication |
Limits Impact Enables Faster Recovery Improves Security Posture Demonstrates Preparedness |
Recover: The Recovery function involves restoring systems and assets affected by a cybersecurity event.
Category | Key points | Security Enhancements |
---|---|---|
Incident Recovery Plan Execution | Plan Activation Resource Coordination Prioritization System Restoration Testing and Validation Communication Plan Review and Improvement |
Minimizes Downtime Ensures Business Continuity Protects Data Facilitates Continuous Improvement |
Incident Recovery Communication | Internal Communication External Communication Stakeholder Updates Lessons Learned |
Facilitates Coordinated Response Minimizes Disruption Maintains Trust and Confidence Supports Continuous Improvement |
The NIST CSF implementation tiers are designed to help organizations understand the maturity of their cybersecurity risk management programs. The tiers range from 1 to 4, with each tier representing a different level of cybersecurity maturity:
The third primary component of NIST CSF is profiles. We create current and target profiles. The profile can be of the whole organization, any product, or any business unit where we want to improve the security posture. To create a profile, we need to understand the business requirements, sync with various teams, perform gap analysis, and create a detailed plan on how to fix the gaps identified and reach the target profile. There are multiple milestones to reach the target stage.
Know your cloud service provider’s security measures: The first step towards maintaining NIST CSF compliance in the cloud is understanding your cloud service provider’s security measures and the service alignment with the NIST CSF framework. All major cloud service providers have stringent security controls in place, but it is important to familiarize yourself with them and ensure they align with the NIST CSF framework.
Use encryption for data protection: Encryption is a key component of data protection and a crucial aspect of NIST CSF compliance. Make sure all sensitive data stored or transmitted on your cloud infrastructure is encrypted using approved algorithms. This includes data at rest as well as data in transit.
Implement access controls: Controlling access to resources within your cloud environment is vital for maintaining NIST CSF compliance. Utilize Identity and Access Management (IAM) tools provided by your cloud service provider to manage user permissions and privileges effectively.
Regularly monitor your cloud environment: Monitoring your cloud infrastructure regularly helps detect any potential vulnerabilities or suspicious activities that could compromise your organization’s security posture. Set up alerts to track any unusual activity or changes made within your environment.
Conduct regular risk assessments: Conducting regular risk assessments allows you to identify potential risks within your environment and take steps to mitigate them before they turn into serious threats. This practice also aligns with one of the core functions of the NIST CSF - Identity.
Implement multi-factor authentication (MFA): MFA adds an extra layer of security to user authentication by requiring additional verification methods, such as a one-time password or biometric scan. This helps prevent unauthorized access and is recommended by the NIST CSF framework.
Keep your cloud infrastructure up-to-date: Regularly updating your cloud infrastructure and applications is crucial for maintaining NIST CSF-2.0 compliance. By doing this, the likelihood of a cyberattack is decreased by ensuring that any known vulnerabilities are patched.
Following these best practices will help organizations maintain NIST CSF compliance in their cloud environment and ensure the security of their critical assets and information. It is also important to note that maintaining compliance is an ongoing process, and regular audits should be conducted to identify any gaps or areas for improvement. By staying vigilant and following these practices, businesses can strengthen their security posture and protect themselves from potential cyber threats in the cloud.
When using the public cloud, there are multiple native services available that can help us align with the NIST CSF and improve the overall security posture. The table below maps the cloud services with the primary functions of NIST primary functions. Below is a list of various native services supported by various cloud providers at the time we were writing the blog.
CSF Function | AWS | GCP | Azure |
---|---|---|---|
Govern | AWS Identity and Access Management (IAM) AWS Organizations AWS CloudTrail AWS Config AWS Artifact AWS Compliance Center |
Security Command Center Policy Intelligence Cloud deployment manager Supply chain (GKE Security posture) Policy Compliance(GKE Security posture) |
Azure Policy Azure Blueprints Azure Compliance Manager Azure Security Center Azure Monitor Azure Governance Visualizer (AzGovViz) Microsoft Compliance Score |
Identify | AWS Config AWS CloudTrail Amazon Inspector AWS Risk and Compliance Program: AWS Cloud Adoption Framework (CAF) |
Cloud identity and access management Cloud asset inventory Security command center GKE security posture |
Azure Security Center Azure Active Directory (Azure AD) Azure Policy Azure Blueprints Azure Advisor |
Protect | AWS Identity and Access Management (IAM) Amazon Virtual Private Cloud (VPC) AWS Key Management Service (KMS) AWS Shield AWS WAF Amazon GuardDuty AWS Certificate Manager AWS CloudTrail AWS Config |
Cloud identity and access management Vpc service controls Shielded VM’s Security Command Center Policy Intelligence Cloud deployment manager Access approval API |
Azure Active Directory (Azure AD) Azure Information Protection Azure Security Center Azure Firewall Azure Key Vault Azure Multi-Factor Authentication (MFA) Azure Virtual Network |
Detect | Amazon GuardDuty AWS CloudTrail Amazon Macie AWS Network Firewall Amazon CloudWatch AWS Config |
Security Command Center Event threat detection Cloud logging and cloud monitoring GKE Security posture |
Azure Security Center Azure Sentinel Azure Monitor Microsoft Defender for Cloud (formerly Azure Security Center) |
Respond | AWS Lambda Amazon Simple Notification Service (SNS) AWS CloudWatch AWS Step Functions AWS Security Hub Amazon Detective |
Security Command Center Event threat detection Cloud functions and pub/sub Cloud logging and cloud monitoring |
Azure Security Center Azure Sentinel Azure Monitor Microsoft Defender for Endpoint Azure Logic Apps |
Recover | AWS Backup Amazon S3 Glacier AWS CloudFormation Amazon Route 53 AWS Elastic Beanstalk AWS CloudEndure Disaster Recovery |
Google cloud storage Persistent disk storage Cloud SQL backups Cloud KMS Google Kubernetes Engine(GKE) backups Disaster recovery planning guide |
Azure Backup Azure Site Recovery Azure Storage |
NIST CSF-2.0 is an impressive framework that covers all aspects of cybersecurity, its redesigned structure now involves and focuses on topics that were taken lightly in the past by organizations like open source compliance management. It is the cherry on top of current best practices which can guide organizations to streamline their cybersecurity posture.
I hope you found this blog post informative and engaging. I’d love to hear your thoughts on this post. Let’s connect and start a conversation on LinkedIn. Looking for help with securing your infrastructure or want to outsource DevSecOps to the experts? Learn why so many startups & enterprises consider us as one of the best DevSecOps consulting & services companies.