Ensuring your organization follows best practices to hold hackers at bay and knowing you are not accountable if things go really, really wrong are two powerful reasons why managers implement security standards. But which standard matters when architecting your cloud security posture? This article provides the answer by looking at the CIS, ISO, MITRE, and CSA standards and frameworks.
ISO 27001 & Cloud Security Architecture
The ISO 27001 international standard family (Figure 1) has been present in IT security for longer than most of us. Based on the British BS-7799 standard from the mid-90s, the first iteration of ISO 27001 dates back to 2005. The standard defines how to establish and manage an information security management system (ISMS). The term “system” does not refer to technical solutions per se, instead relating to an organizational capability to manage information security, which might require software. It is probably the most relevant standard for cloud security since many corporate customers, CIOs, CISOs, or boards of directors insist on the certification.
ISO 27001 has two crucial parts: First, its main section elaborates on the ISMS. Second, Appendix A lists the controls companies must implement and manage with their ISMS. It covers organizational aspects, such as HR topics, a need for policy documents, and technical features and capabilities. Examples of the latter are asset inventories or necessities for cryptography.
The ISO 27002 document “Information security controls” elaborates more on how companies can implement the controls from ISO 27001 Appendix A. The ISO 27017 document “Code of practice for information security controls based on ISO/IEC 27002 for cloud services” can be helpful for cloud security architects. It details the controls in the cloud context, differentiating between cloud providers’ responsibilities and the ones of their customers.
The shared responsibility of provider and customer is a fundamental cloud security principle (Figure 2):
- Cloud providers must follow the ISO 27001 standard for their organizational procedures and setup, technical infrastructure, and all software components they run. All prominent vendors have such certificates.
- When cloud customers want an ISO 27001 certification, they must configure their cloud environment and resources in conformance with the ISO 27001 standard. Also, their customer-side processes and organization must adhere to the standard’s requirements.
- Cloud providers offer compliance reports to their customers if the latter aim for an ISO 27001 certification. The providers assess the compliance of customer components and their cloud configuration. However, these reports cover only parts of ISO 27001, namely what a cloud platform can validate automatically. They cannot capture and assess process- or organization-related requirements.
The NIST Cybersecurity Framework (CSF)
The US National Institute of Standards and Technology publishes the NIST Cybersecurity Framework. Its purpose is to assess the security posture of US agencies, organizations, and companies. It overlaps partially with the ISO 27001 norm but with one significant difference: ISO relies on external audits, whereas NIST is built around self-assessments.
The NIST framework has three main elements. The first is the Framework Core, a list of activities, outcomes, or controls organized along five functions: identify, protect, detect, respond, and recover. The framework divides the functions further into categories and subcategories such as “PR.DS-5: Protections against data leaks are implemented” or “DE.DP-3: Processes are tested.”
The second CSF element, Framework Tiers, formalizes the sophistication of an organization’s cybersecurity risk management -- essential for any organization but not the main focus when architecting the cloud security tooling landscape.
The third element, Framework Profiles, helps security architects define their roadmap. NIST distinguishes between current profiles and target profiles. Current profiles describe the status quo; target profiles define what a concrete organization should have in place based on its risk appetite. Closing the gap between the current and the target profile is the work of security architects in the years to come.
NIST and ISO directly impact the work of cloud security architects. Both list security capabilities potentially relevant for an organization’s security architecture. NIST comes with more freedom to incorporate company needs, though this is a workshop-intense task. In addition, both standards formulate additional requirements, for example, about change processes, which can impact an IT department’s tooling for running workloads and developing applications in the cloud.
The CSA Guideline
The Cloud Security Alliance (CSA) publishes its influential “Enterprise Architecture Reference Guide,” which builds on existing standards, such as ISO 27002, PCI DSS, or COBIT. It comprehensively lists security-relevant capabilities that IT security organizations, IT departments, and other company units, such as HR or legal and compliance, might need. This is helpful for companies preferring a broad view without having to consult too many standards.
The CSA’s approach to combining and reinterpreting existing standards for public clouds rather than coming up with totally new controls and requirements has a reassuring message: today’s security frameworks are mature. The cloud does not create chaos for security capabilities, though the technical implementation might require new technology.
The Center for Internet Security (CIS) Benchmarks
CIS publishes benchmarks for many standard software solutions and services, from operating systems, browsers, and databases to cloud vendors, such as Microsoft Azure, Amazon AWS, and Google Cloud Platform. CIS benchmarks differ entirely from ISO, NIST, and CSA. They are low-level technical configuration benchmarks that do not incorporate organizational, procedural aspects, or necessary tooling beyond the single product or cloud. They provide implementation and verification details for essential cloud services of a particular platform, be it AWS, GCP, or Azure. The CIS rule names reflect this focus, for example, “5.1 Ensure that Cloud Storage bucket is not anonymously or publicly accessible (GCP)” or “6.1 Ensure that RDP access is restricted from the internet (Azure).” The cloud providers provide ready-to-use rule sets, as Figure 3 illustrates for Azure.
CIS benchmarks protect companies from severe, easy-to-prevent misconfigurations. They are not cloud security architecture designs, frameworks, or methodologies. They also don’t cover multi-cloud topics, security challenges when combining cloud services (e.g., VMs, serverless cloud functions, database cloud services) with solutions, or security tooling in general (e.g., for vulnerability scanning or preventing data loss). So, security architects have to understand and enforce the CIS benchmarks, but they cannot rely on them for crafting their cloud security architectures.
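To make the low-level, product-specific nature of CIS rules concrete, here is an added example (not code from the article, from CIS, or from any cloud provider) implementing checks in the spirit of the two rules quoted above: a GCS bucket exposed to allUsers/allAuthenticatedUsers, and an Azure NSG rule admitting RDP from the internet. The input layouts (GCS IAM policy bindings, Azure securityRules properties) and the sample configurations are assumptions constructed for the example.

```python
# Added example, not code from the article or from CIS: two checks in the spirit
# of the CIS rules quoted above, run on constructed sample configurations.
# Assumed input shapes: the bucket policy follows the GCS IAM policy JSON
# (bindings -> role/members); the NSG rule follows the Azure securityRules
# properties layout. Both samples are constructed, not captured from a tenant.

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}   # anonymous / any Google account

def public_bucket_bindings(policy):
    """CIS GCP 5.1 style: return (role, member) pairs that grant access to
    anonymous or all-authenticated principals. Empty list means the check passes."""
    return [(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])
            if m in PUBLIC_PRINCIPALS]

def _port_spec_covers(spec, port):
    """True if an NSG port spec ('*', '3389' or '3000-4000') includes port."""
    if spec == "*":
        return True
    if not spec:
        return False
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def nsg_rule_exposes_rdp(rule):
    """CIS Azure 6.1 style: True if an inbound Allow rule admits TCP/3389 from
    the internet (source '*', 'Internet' or '0.0.0.0/0')."""
    p = rule["properties"]
    if p.get("direction") != "Inbound" or p.get("access") != "Allow":
        return False
    if p.get("protocol", "*").upper() not in ("TCP", "*"):
        return False
    sources = p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix", "")]
    if not any(s in ("*", "Internet", "0.0.0.0/0") for s in sources):
        return False
    ports = p.get("destinationPortRanges") or [p.get("destinationPortRange", "")]
    return any(_port_spec_covers(s, 3389) for s in ports)

SAMPLE_BUCKET_POLICY = {"bindings": [                          # constructed
    {"role": "roles/storage.admin", "members": ["user:ops@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
]}
SAMPLE_NSG_RULE = {"name": "allow-mgmt", "properties": {       # constructed
    "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
    "sourceAddressPrefix": "Internet", "destinationPortRange": "3000-4000"}}

if __name__ == "__main__":
    print("public bucket bindings:", public_bucket_bindings(SAMPLE_BUCKET_POLICY))
    print("NSG rule exposes RDP:", nsg_rule_exposes_rdp(SAMPLE_NSG_RULE))
```

Note that the RDP check flags the wide port range 3000-4000 even though 3389 is never spelled out, which is the kind of indirect exposure a benchmark scanner must catch.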
MITRE ATT&CK Framework
The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework compiles today’s widespread hacking techniques. It organizes them based on cyber-attack phases (which ATT&CK calls tactics), for example, reconnaissance (attackers collect information about potential targets and their infrastructure), initial access, lateral movement, exfiltration, and impact. Plus, the framework links typical attack techniques to known attacker groups.
The ATT&CK framework helps ethical hackers simulate typical attacks. It also supports security operations centers in setting up rules to detect common and advanced attacks. Rather than implementing these rules themselves, companies can subscribe to advanced cloud security services, such as Microsoft Defender or Amazon GuardDuty. That is only one reason the ATT&CK framework has a limited impact on cloud security architecture. The other reason is that analyzing and prioritizing the most recent attacks in detail as input for designing a cloud security architecture is too time-consuming for most companies to be a risk-adequate approach.
NIST CSF, ISO, CIS, CSA, and ATT&CK are some of today’s most widespread security standards. All have different aims and, therefore, complement each other. So, cloud security architects should aim to implement two or three of them rather than trying to determine the “best.”
The CIS benchmarks help eradicate the most significant security flaws within days or weeks. ISO, CSA, and NIST help establish organizational structures and identify missing essential technical security capabilities. Such projects need at least some months, and NIST CSF takes a little longer than ISO due to more tailoring needs. Finally, high-risk organizations, for example in the high-tech sector, military, or governments, might also look at the ATT&CK framework to better understand potential attack techniques and design specific detection and defense mechanisms. It is a resource- and time-consuming undertaking most companies prefer to avoid.