DevOps Teams can meet NIST compliance standards with automation
Cloud Advocate

NIST's definition of cloud computing (SP 800-145) describes three service models:

  1. Software as a service (SaaS)
  2. Platform as a service (PaaS)
  3. Infrastructure as a service (IaaS)

And four deployment models:

  1. Private
  2. Community
  3. Public
  4. Hybrid

Who has to comply?
In an ideal world, everyone. You might read that and think: “chill Big Brother,” but NIST isn’t about controlling you, it’s about giving you control over your cloud environments. Think of using NIST like following a fitness plan with the goal of doing 100 push-ups. The more you follow the plan, the more likely you’ll reach your goal. But if you decide to starfish in bed the entire time instead, your chances of doing 100 push-ups diminish.

It’s no secret that there is a significant knowledge gap between organizations when it comes to securing high-value assets, often because many laws and regulations tell you to be secure but fail to tell you how to be secure. NIST aims to close that gap by providing detailed, actionable guidance, regardless of industry or organization size. That’s why many companies have voluntarily started leveraging NIST guidelines and standards to implement, manage, operate, monitor, and improve their security programs and strengthen their defensive posture.

Thanks to the Federal Information Security Modernization Act of 2014 (FISMA), US federal agencies and their contractors are required to implement “effective information security programs” that include risk management, security governance, security evaluation and testing, and incident response capabilities. And how do you think they go about doing that? You guessed it: by following NIST standards.

NIST in action
Since NIST guidance is a framework rather than a law, one cannot accurately say a breach occurred because an organization didn’t follow NIST. But if you look at the causes of recent breaches, you’ll recognize how applying NIST guidance could have led to a better outcome. Here are some recent breaches that could’ve used a little help from NIST:

Facebook: Oops, I did it again
Let’s start with the latest Facebook data breach. This one resulted in the phone numbers and email addresses of 533 million users being exposed and posted on a popular hacker forum. Facebook responded that it was no big deal because the data had been scraped back in 2019, which is actually more concerning.

In light of the fact that this breach actually happened two years ago, NCF elements #4 and #5 (Respond and Recover) come to mind. Facebook claims they “found and fixed” the issue in August 2019, but since then they’ve experienced similar email/phone number exposures in September and December 2019 and early 2020. Facebook also did a poor job on the recovery front, as the scraped data went on to be exposed nearly two years later.

Estee Lauder: Not so beautiful breach
The cosmetics giant exposed more than 440 million records due to an unsecured database. And when we say unsecured, we mean there was no authentication in place at all: anyone who found the database could read it. Estee Lauder needs to go back to NCF element #1 (Identify), take inventory of which systems hold sensitive data and need protection, and then work toward a more secure and protected infrastructure.

U.S. Cellular: Customer service blunder
In January 2021, hackers targeted retail employees of the fourth-largest wireless carrier in the US. Through an undisclosed method, the attackers tricked employees into downloading malicious software, which gave them remote access to the company’s customer relationship management (CRM) software and to company devices containing records for nearly 5 million customers. The silver lining of this breach is that U.S. Cellular detected it just two days after the attack (NCF element #3, Detect, working as intended). While we may think breaches take place on servers, this event shows that the human attack vector needs to be secured as well. This is where NCF element #2 (Protect) comes into play: security isn’t just about configurations, it’s also about educating employees on the signs of a potential scam.

Why does this matter to you?
It’s your responsibility to ensure that the applications you build, the servers you deploy, and the services you utilize are built and configured to protect your business from security breaches. Meeting compliance is part of that, because the goals of compliance laws and regulations are similar to yours: making sure everything is safe. Adhering to the NIST CSF and other evaluations based on the NCCP also enables a strong DevOps or DevSecOps culture, which, as we discussed here (shameless promotion plug), benefits you.