Aligning to the NIST Cybersecurity Framework in Google Cloud
As defined by the U.S. Patriot Act of 2001, critical infrastructure includes “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
In response to this Executive Order, the Cybersecurity Enhancement Act of 2014 (CEA) identified the National Institute of Standards and Technology (NIST) as the leader in facilitating and supporting the development of cybersecurity risk frameworks. The NIST would formalized the Cybersecurity Framework (CSF) – a consistent, iterative approach for identifying, assessing, and managing cybersecurity risk.
The NIST Cybersecurity Framework provides a standard mechanism for organizations to
- Describe their current cybersecurity posture.
- Describe their target state for cybersecurity.
- Identify and prioritize a continuous, repeatable process for reaching the target cybersecurity state.
- Assess progress toward the target state.
- Communicate cybersecurity risks to internal and external stakeholders
NIST Cybersecurity Framework: Functions
NIST generalizes cybersecurity activities into five core functions: Identify, Protect, Detect, Respond, and Recover. These functions help guide organizations in mapping out the management of cybersecurity risks. Organizations should perform these functions concurrently, continuously, and regularly to establish an operational culture for dynamically addressing cybersecurity risks.
| Identify | Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. Functions include Asset Management, Governance, Business Environment, Risk Assessment, and Risk Management Strategy |
| Protect | Develop and implement appropriate safeguards to ensure the delivery of critical services. Functions include Identity & Access Management Control, Awareness & Training, Data Security, Maintenance, Protective Technologies, Information Protection Processes & Procedures. |
| Detect | Detect and implement appropriate activities to identify the occurrence of a cybersecurity event. Functions include Anomalies & Events, Security Continuous Monitoring, and Detection Processes |
| Respond | Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. Functions include Response Planning, Communications, Analysis, Mitigation, and Improvements. |
| Recover | Develop and implement appropriate activities to maintain resilience plans and restore any capabilities or services that were impacted due to a cybersecurity incident. Functions include Recovery Planning, Improvements, and Communications. |
NIST Cybersecurity Framework: Categories
Each NIST CSF function spans multiple categories, which outline the components of the function. These categories cover the cybersecurity risk management areas that organizations should implement. When adopting new technology, including Google Cloud, organizations should leverage products and services that meet the requirements for each of the following categories:
| IDENTIFY | PROTECT | DETECT | RESPOND | RECOVER |
|---|---|---|---|---|
| Asset Management | Identity and Access Control | Anomalies and Events | Response Planning | Recovery Planning |
| Business Environment | Awareness and Training | Security Continuous Monitoring | Communications | Improvements |
| Governance | Data Security | Detection Processes | Analysis | Communications |
| Risk Assessment | Information Protection Processes & Procedures | Mitigation | ||
| Risk Management Strategy | Maintenance | Improvements | ||
| Supply Chain Risk Management | Protective Technology |
Subcategories
Further detailing cybersecurity implementation considerations, each category of the NIST CSF has subcategory items that define the risks that should be assessed for each topic. Selecting technologies and cloud service providers that can meet these subcategoryy needs is key to effectively leveraging the NIST CSF. Each subcategory and related Google Cloud products, methodologyies, and services that can help meet these requirements will be outlined in the next section.
Implementing NIST CSF on Google Cloud
This section outlines each category and subcategories subcategory of the NIST Cybersecurity Framework. Corresponding to each NIST CSF category and subcategory, recommendations on meeting and implementing these requirements in Google Cloud are mapped accordingly. Organizations can leverage some or all of the suggested components to define, enforce, and manage cloud security and compliance.
Identify
Asset Management
- Physical devices and systems within the organization are inventoried
- Cloud Identity
- Google Admin Console
- Cloud Resource Manager: Cloud Asset Inventory
- Forseti Security: Asset Inventory
- Cloud Security Command Center (CSCC)
- Software platforms and applications within the organization are inventoried
- Cloud Resource Manager: Cloud Asset Inventory
- Forseti Security: Asset Inventory
- Cloud Security Command Center (CSCC)
- Cloud Data Catalog
- Cloud Private Catalog
- Organizational communication and data flows are mapped
- Cloud Resource Manager
- Cloud Identity & Access Management
- External information systems are cataloged
- Identity Platform
- Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.
- Cloud Resource Manager
- Cloud Identity & Access Management
- Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
- Cloud Identity & Access Management
- Cloud Identity
- Google Admin Console
Business Environment
- The organization’s role in the supply chain is identified and communicated
- Google Cloud Adoption Framework
- Professional Services: Transformation Advisory
- Professional Services: Change Management Advisory
- The organization’s place in critical infrastructure and its industry sector is identified and communicated
- Google Cloud Adoption Framework
- Professional Services: Transformation Advisory
- Professional Services: Change Management Advisory
- Priorities for organizational mission, objectives, and activities are established and communicated
- Google Cloud Adoption Framework
- Professional Services: Transformation Advisory
- Professional Services: Change Management Advisory
- Dependencies and critical functions for the delivery of essential services are established
- Google Cloud Services Overview
- Google Cloud Services Overview
Governance
- Organizational cybersecurity policy is established and communicated
- Cloud Security Command Center (CSCC)
- Forseti Security
- Cloud Identity & Access Management
- Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
- Cloud Identity & Access Management
- Identity Platform
- Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
- Google’s Security & Trust Center
- Governance and risk management processes address cybersecurity risks
- Professional Services: Cloud Discover Security
- Policy Intelligence
Risk Assessment
- Asset vulnerabilities are identified and documented
- Cloud Security Scanner
- Container Registry Vulnerability Scanner: Container Analysis
- Cloud Armor
- Phishing Protection
- Cyber threat intelligence is received from information sharing forums and sources
- Forseti Security
- Cloud Security Command Center (CSCC)
- Threats, both internal and external, are identified and documented
- G Suite Security Center
- Cloud Operations Suite
- Cloud Security Command Center (CSCC)
- Potential business impacts and likelihoods are identified
- Cloud Security Command Center (CSCC)
- G Suite Security Assessment
- Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
- Forseti Security
- Cloud Security Command Center (CSCC)
Risk Management
- Risk management processes are established, managed, and agreed to by organizational stakeholders
- Google Cloud Adoption Framework
- Forseti Security
- Cloud Security Command Center (CSCC)
- The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis
- Forseti Security
- Cloud Security Command Center (CSCC)
- G Suite Security Center
- Policy Intelligence
Supply Chain Risk Management
- Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
- Must be implemented by the organization
- Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
- Identity Platform
- Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
- Must be implemented by the organization
- Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluation to confirm they are meeting their contractual obligations.
- Must be implemented by the organization
- Response and recovery planning and testing are conducted with suppliers and third-party providers
- Must be implemented by the organization
Protect
Identity Management Authentication and Access Control
- Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes
- Cloud Identity & Access Management
- Cloud Identity
- Google Admin Console
- Physical access to assets is managed and protected
- Cloud Identity & Access Management
- VPC Service Controls
- Cloud Identity Aware Proxy
- Forseti Security
- Remote access is managed
- Cloud Identity Aware Proxy
- Cloud VPN
- Context-Aware Access
- Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
- Cloud Identity & Access Management
- Identity Platform
- Network integrity is protected (e.g., network segregation, network segmentation)
- Cloud VPC
- Cloud Resource Manager
- Identities are proofed and bound to credentials and asserted in interactions
- Cloud Identity
- Google Admin Console
- Identity Platform
- Users, devices, and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
- Cloud Identity & Access Management
- Cloud Identity
- Google Admin Console
- Identity Platform
Awareness and Training
- All users are informed and trained
- Google Cloud Training
- Privileged users understand their roles and responsibilities
- Cloud Identity & Access Management
- Cloud Identity
- Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
- Identity Platform
- Senior executives understand their roles and responsibilities
- Google Cloud Adoption Framework
- Professional Services: Transformation Advisory
- Professional Services: Change Management Advisory
- Physical and cybersecurity personnel understand their roles and responsibilities
- Cloud Identity & Access Management
- Cloud Identity
Data Security
- Data-at-rest is protected
- Google Encryption at Rest
- Cloud Key Management Service
- Customer Supplied Encryption Keys (CSEKs)
- Cloud HSM
- Data-in-transit is protected
- Google Encryption in Transit
- Assets are formally managed throughout removal, transfers, and disposition
- Cloud Resource Manager
- Cloud Private Catalog
- Cloud Data Catalog
- Adequate capacity to ensure availability is maintained
- GCP Quotas
- Autoscaling
- Protections against data leaks are implemented
- Cloud Data Loss Prevention
- Phishing Protection
- Access Approval API
- VPC Service Controls
- Integrity checking mechanisms are used to verify software, firmware, and information integrity
- Titan Security Key
- Shielded VMs
- reCAPTCHA Enterprise
- Binary Authorization
- The development and testing environment(s) are separate from the production environment
- GKE Sandbox
- Cloud Resource Manager
- Integrity checking mechanisms are used to verify hardware integrity
- Titan Security Key
- Shielded VMs
Information Protection Processes and Procedures
- A baseline configuration for information technology/industrial control systems is created and maintained incorporating security principles (e.g., the concept of most minor functionality)
- Forseti Security
- Cloud Security Command Center (CSCC)
- Policy Intelligence
- Cloud Deployment Manager
- A System Development Life Cycle to manage systems is implemented
- Cloud Deployment Manager
- Binary Authorization
- Configuration change control processes are in place
- Access Approval API
- Binary Authorization
- Backups of information are conducted, maintained, and tested
- Google Cloud Storage
- Policy and regulations regarding the physical operating environment for organizational assets are met
- Must be implemented by the organization
- Data is destroyed according to policy
- Google Cloud Data Deletion
- Protection processes are improved
- Policy Intelligence
- Cloud Security Command Center (CSCC)
- G Suite Security Assessment
- The effectiveness of protection technologies is shared
- Forseti Security
- Cloud Security Command Center (CSCC)
- Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
- Incident Response Management
- Response and recovery plans are tested
- Incident Response Management
- Google Cloud Disaster Recovery Planning Guide
- Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
- Cloud Identity & Access Management
- Cloud Operations Suite
- A vulnerability management plan is developed and implemented
- Forseti Security
- Cloud Operations Suite
- Cloud Security Command Center (CSCC)
Maintenance
- Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
- Cloud Identity & Access Management
- Cloud Identity
- Google Admin
- Console
- Cloud Operations Suite
- Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
- Identity Platform
- Cloud Identity Aware Proxy
- VPC Service Controls
- Cloud VPC
- Cloud Operations Suite
Protective technology
- Audit/log records are determined, documented, implemented, and reviewed per policy
- Cloud Operations Suite
- Forseti Security
- Cloud Security Command Center (CSCC)
- Removable media is protected, and its use restricted according to policy
- Cloud Identity & Access Management
- The principle of most minor functionality is incorporated by configuring systems to provide only essential capabilities
- Cloud Identity & Access Management
- Communications and control networks are protected
- Cloud VPC
- VPC Service Controls
- Cloud VPN
- Cloud Armor
- Mechanisms (e.g., failsafe, load balancing, hot-swap) are implemented to achieve resilience requirements in every day and adverse situations
- Global, Regional, Zonal Resources
- Google Cloud Load Balancing
- Cloud CDN
- Autoscaling
- Google Deployment Manager
Detect
Anomalies and Events
- A baseline of network operations and expected data flows for users and systems is established and managed
- Cloud VPC
- Traffic Director
- VPC Service Controls
- Detected events are analyzed to understand attack targets and methods
- Cloud Armor
- G Suite Phishing & Malware Protection
- Network Telemetry
- Incident Response Management
- Cloud Operations Suite
- Cloud Security Scanner
- Container Registry Vulnerability Scanner: Container Analysis
- Event data is collected and correlated from multiple sources and sensors
- Cloud Operations Suite
- Cloud Security Command Center (CSCC)
- G Suite Security Center
- The impact of events is determined
- Cloud Security Command Center (CSCC)
- G Suite Security Center
- Incident alert thresholds are established
- Incident Response Management
- Cloud Operations Suite
Security Continuous Monitoring
- The network is monitored to detect potential cybersecurity events
- Network Telemetry
- Cloud Armor
- VPC Service Controls
- Traffic Director
- The physical environment is monitored to detect potential cybersecurity events
- Cloud Operations Suite
- G Suite Security Center
- Cloud Security Command Center (CSCC)
- Personnel activity is monitored to detect potential cybersecurity events
- Cloud Operations Suite
- Malicious code is detected
- Cloud Security Scanner
- Container Registry Vulnerability Scanner: Container Analysis
- Unauthorized mobile code is detected
- Android Enterprise
- Cloud Security Scanner
- Container Registry Vulnerability Scanner: Container Analysis
- External service provider activity is monitored to detect potential cybersecurity events
- Cloud Operations Suite
- Identity Platform
- Monitoring for unauthorized personnel, connections, devices, and software is performed
- Cloud Operations Suite
- Cloud Security Command Center (CSCC)
- Cloud Identity
- Google Admin Console
- Identity Platform
- Vulnerability scans are performed
- Cloud Armor
- Container Registry Vulnerability Scanner: Container Analysis
- Cloud Security Scanner
Detection Processes
- Roles and responsibilities for detection are well defined to ensure accountability
- Cloud Identity & Access Management
- Cloud Identity
- Google Admin Console
- Identity Platform
- Detection activities comply with all applicable requirements
- Cloud Operations Suite
- G Suite Security Center
- Cloud Security Command Center (CSCC)
- Detection processes are tested
- Google’s Security & Trust Center
- Event detection information is communicated
- Event Threat Detection
- Cloud Security Command Center (CSCC)
- Cloud Pub/Sub
- G Suite Security Center
- Cloud Functions
- Detection processes are continuously improved
- Policy Intelligence
- Cloud Security Command Center (CSCC)
Respond
Response Planning
- A response plan is executed during or after an incident
- Incident Response Management
- G Suite Security Center
- Cloud Security Command Center (CSCC)
Communications
- Personnel know their roles and order of operations when a response is needed
- Cloud Identity & Access Management
- Cloud Identity
- Google Admin Console
- Identity Platform
- Incidents are reported consistent with established criteria
- Incident Response Management
- Cloud Operations Suite
- Information is shared consistently with response plans
- Log Exports
- Coordination with stakeholders occurs consistently with response plans
- Incident Response Management
- Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
- Identity Platform
- Incident Response Management
- Cloud Identity & Access Management
Analysis
- Notifications from detection systems are investigated
- Cloud Security Command Center (CSCC)
- G Suite Security Center
- Cloud Operations Suite
- The impact of the incident is understood
- G Suite Security Center
- Incident Response Management
- Cloud Security Command Center (CSCC)
- Forensics are performed
- Cloud Security Command Center (CSCC)
- Log Exports
- BigQuery
- Incidents are categorized consistently with response plans
- Incident Response Management
- Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g., internal testing, security bulletins, or security researchers)
- Cloud Security Command Center (CSCC)
- G Suite Security Center
- Event Threat Detection
- Forseti Security
Mitigation
- Incidents are contained
- Incident Response Management
- Event Threat Detection
- Incidents are mitigated
- Cloud Security Scanner
- Cloud Armor
- Container Registry Vulnerability Scanner: Container Analysis
- Phishing Protection
- Newly identified vulnerabilities are mitigated or documented as accepted risks
- Cloud Security Command Center (CSCC)
- G Suite Security Center
- Cloud Security Scanner
- Cloud Armor
- Container Registry Vulnerability Scanner: Container Analysis
- Phishing Protection
Improvements
- Response plans incorporate lessons learned
- Incident Response Management
- Event Threat Detection
- Response strategies are updated
- Cloud Security Command Center (CSCC)
- Forseti Security
- G Suite Security Center
Recover
Recovery Planning
- A recovery plan is executed during or after a cybersecurity incident
- Google Cloud Disaster Recovery Planning Guide
- Global, Regional, Zonal Resources
- Google Cloud Load Balancing
- Cloud CDN
- Autoscaling
- Google Deployment Manager
- Incident Response Management
Improvements
- A recovery plan is executed during or after a cybersecurity incident
- Google Cloud Disaster Recovery Planning Guide
- Global, Regional, Zonal Resources
- Google Cloud Load Balancing
- Cloud CDN
- Autoscaling
- Incident Response Management
- Google Deployment Manager
- Recovery strategies are updated
- Google Cloud Disaster Recovery Planning Guide
- Global, Regional, Zonal Resources
- Incident Response Management
- Google Deployment Manager
Communications
- Public relations are managed
- Contact Center AI
- Reputation is repaired after an incident
- Must be implemented by the organization
- Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
- Incident Response Management
- Contact Center AI
- Google Cloud Status Dashboard
Conclusion
Having Google Cloud aligned with the NIST CSF enables customers to improve their cloud security posture with appropriate risk management and industry-compliant cloud services. Encryption Consulting, a leading cyber-security firm, offers various GCP and NIST-related cybersecurity Cconsulting Services catering to its customers. Encryption Consulting will conduct a risk and security control maturity assessment based on the outlined standards. Encryption Consulting helps customers get familiar with NIST CSF and GCP security tools & documentation and assists them in conducting a meaningful and quantifiable cybersecurity assessment while keeping the organization’s business goals intact.
