by Bharat Mistry
With one month to go until the GDPR compliance deadline, there are many organisations still struggling to get the right security processes and controls in place. A new global poll of senior legal officers from KPMG found that over half of (54%) feel their businesses is not prepared for the new privacy laws. Yet it doesn’t have to be this way. The biggest challenge with regulations like GDPR has been interpretation not only for the organisation but also for the certifying body. In the case of GDPR these are written in legal terms as opposed to technological ones, making it challenging to know what exactly needs to be done in order to be compliant. Proven frameworks such as NIST 800-53 can support a solid information security programme to help appease regulators.
At the Amazon Web Services (AWS) Public Sector Summit in Brussel this week I told attendees how Trend Micro and AWS can help simplify the adoption and automation of these NIST controls to ease compliance headaches.
NIST to the rescue
It’s true that GDPR compliance can seem like a daunting task for security managers. Article 32 of the GDPR states that organisations must ensure “the ongoing confidentiality, integrity, availability and resilience of processing systems and services”, as well as being able to restore availability and access to personal data quickly after an incident. They also need a system to regularly test and evaluate the effectiveness of these tools.
This is where NIST can help. It’s 800-53 publication provides a catalogue of high impact controls supporting the development of secure and resilient information systems which store, process, or transmit data. Originally intended for US federal government agencies, it provides a good template for any organisation looking for help with GDPR compliance. It includes areas like access controls, audit and accountability, configuration management, authentication, systems & comms protection, and system & information integrity.
A shared responsibility
The shared responsibility model puts the responsibility of managing data privacy and usage squarely in the domain of the customers
But once you’ve found 800-53, how do you apply it to your cloud infrastructure? Unfortunately, too many IT security managers still don’t understand the concept of shared responsibility in the public cloud. AWS is pretty upfront about this: it takes care of “security of the cloud” — the hardware, software, networking, and other infrastructure components that run its cloud services. But it expects customers to handle “security in the cloud” — that is, data, applications, runtime and middleware: covering things like access controls, network security and data encryption.
What this means in practice is that you’ll need to supplement the built-in AWS controls with a trusted third-party security product in order to meet the requirements of NIST 800-53, and ultimately the GDPR. This is where Deep Security comes in. Trend Micro’s flagship datacentre security platform has been designed to integrate neatly with all the major cloud provider platforms, all from a single, centrally managed host-based tool.
On top of your AWS Identity and Access Management (IAM), CloudTrail, Amazon SNS, CloudWatch, Amazon VPC and other built-in tools, Deep Security offers:
Management and visibility: Of EC2 resources from a single console featuring integrated threat information, via the Deep Security Manager.
File controls: Thanks to Anti-Malware, Integrity Monitoring, Log Inspection, and Application Control. These capabilities help you spot and block new threats, monitor files for changes and inspect logs for unusual activity.
Network controls: Via intrusion detection and prevention, and firewall capabilities. This adds layer 7 visibility and inspection, and additional stateful controls to enhance security groups and NACLs.
That’s not all. For organisations that want to fast-track their NIST compliance efforts, there’s the AWS + Trend Micro Enterprise Accelerator: a quick-start framework that uses AWS CloudFormation to automate much of the hard work via plug-and-play templates.
Securing your cloud environment can be a complicated business, no organisation is perfect and there’s always a chance you could be compromised by an attack. But the GDPR regulators will be looking for a consistent, best practice approach to show you have the best interests of your customers at heart. That means NIST 800-53, and with the AWS + Trend Micro Enterprise Accelerator, you get maximum return from minimum effort.