Privacy conscious cloud migrations: mapping the AWS Cloud Adoption Framework to the NIST Privacy Framework

This post will help you make privacy-conscious cloud migration decisions by mapping the National Institute of Standards and Technology (NIST) Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management (NIST Privacy Framework) to the AWS Cloud Adoption Framework (AWS CAF).

AWS Professional Services created the AWS CAF to help organizations successfully migrate to the cloud. The CAF’s guidance and best practices provide a comprehensive approach to cloud computing across your organization. For those already in the cloud, AWS offers our recently updated AWS Well-Architected Framework (AWS WAF), which provides a way for you to consistently measure your cloud architectures against best practices and identify areas for improvement. A forthcoming AWS blog will highlight how the AWS CAF, AWS WAF, and NIST’s globally-recognized Cybersecurity Framework (NIST CSF) are complementary tools in building a cloud security program. For example, the Well-Architected Security pillar is comprised of five best practices (Identity and Access Management, Detection, Infrastructure Protection, Data Protection, and Incident Response) that may also be adopted to address the management of your privacy risks. You can also use the AWS Well-Architected Tool in the AWS Console to review the state of your workloads. The tool will then provide a plan on how to architect for the cloud using established best practices.

While you have an opportunity to raise the security bar when moving your organization to the cloud, you also need to consider how best to protect privacy in the cloud. Depending on your organization’s cloud maturity, cloud adoption might require fundamental changes across your organization. These possible changes are detailed in An Overview of the AWS Cloud Adoption Framework. The AWS CAF helps you create an actionable, enterprise-wide cloud migration plan for your organization. Similarly, the NIST Privacy Framework is a voluntary and customizable tool that encourages cross-organizational coordination in managing privacy risks by creating equivalence between privacy risks and other risks within your organization. The NIST Privacy Framework, used in conjunction with the AWS CAF, should make it easier for you to move your privacy practices to the cloud.

In particular, the NIST Privacy Framework—which is agnostic to law and technology—helps you manage your organization’s privacy risks by:

  1. Considering privacy when designing and deploying systems, products, and services;
  2. Communicating your privacy practices within your organization and to your external stakeholders; and
  3. Encouraging enterprise-wide collaboration.

The following is a high-level overview of the two frameworks and a table mapping their similar attributes to aid you in your journey.

A familiar structure

The NIST Privacy Framework is modeled after NIST’s CSF, first released in 2014, so the two frameworks can be used in tandem when managing cybersecurity and privacy risks in preparation for your cloud migration journey. Similar to the NIST CSF, the three primary components of the NIST Privacy Framework are the Core, Profile, and Implementation Tiers. The NIST Privacy Framework Core, which is different from the NIST CSF Core, contains five functions each designated by a P to distinguish it from CSF functions.

  • Identify-P: Develop the organizational understanding to manage privacy risk for individuals arising from data processing.
  • Govern-P: Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.
  • Control-P: Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
  • Communicate-P: Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.
  • Protect-P: Develop and implement appropriate data processing safeguards.

Note: You can learn more about NIST CSF and AWS by reading AWS’s NIST Cybersecurity Framework (CSF), Aligning to the NIST CSF in the AWS Cloud.

AWS Cloud Adoption Framework

Using the AWS CAF in tandem with the NIST Privacy Framework will help your organization make better privacy-conscious decisions about how to manage data in the cloud during migration. Both frameworks encourage you to evaluate the current state, identify a target state, and then make changes to support your privacy risk management program as you begin or complete your cloud migration. Similar to the five functions of the NIST Privacy Framework, AWS CAF is divided into six business and technical focus areas or perspectives.

AWS CAF business perspectives

  1. Business perspective: Helps you move from separate strategies for business and IT to a business model that integrates IT strategy.
  2. Governance perspective: Provides guidance on identifying and implementing best practices for IT governance, and on supporting business processes with technology.
  3. People perspective: Assists human resources (HR) and personnel management prepare their teams for cloud adoption by updating staff skills and organizational processes to include cloud-based competencies.

AWS CAF technical perspectives

  1. Platform perspective: Helps you design, implement, and optimize the architecture of AWS technology based on business goals and objectives.
  2. Operations perspective: Helps you to run, use, operate, and recover IT workloads to levels that meet the requirements of your business stakeholders.
  3. Security perspective: Helps you structure the selection and implementation of controls.

Aligning the NIST Privacy Framework to the AWS Cloud Adoption Framework

The following tables map the five functions of the NIST Privacy Framework and their categories, to the six perspectives of AWS CAF and their capabilities. We encourage all organizations moving to the cloud to establish a privacy risk management strategy that supports your business objectives. Your approach may be based on the NIST Privacy Framework, or another framework. You might even choose to create your own approach that combines attributes from different frameworks and standards, if that best serves your data protection and privacy needs.

NIST Identify-P categories and AWS CAF Business perspective capabilities

NIST Privacy Framework AWS CAF
Inventory and mapping (ID.IM-P)
Data processing by systems, products, or services is understood and informs the management of privacy risks.Business environment (ID.BE-P)
The organization’s mission, objectives, stakeholders, and activities are understood and prioritized. This information is used to inform privacy roles, responsibilities, and risk management decisions.Risk assessment (ID.RA-P)
The organization understands the privacy risks to individuals and how such privacy risks may create follow-on impacts on organizational operations, including mission, functions, other risk management priorities (e.g., compliance, financial), reputation, workforce, and culture.

Data processing ecosystem risk management (ID.DE-P)
The organization’s priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions associated with managing privacy risk and third parties within the data processing ecosystem.

IT finance
Addresses your capacity to plan, allocate, and manage the budget for IT expenses with the use-based cost model of cloud services.IT strategy
Helps you take advantage of cloud-based IT approach to deliver value and end-user adoption.Benefits realization
Assists you to measure the benefits of your IT investments using methods for a cloud-based IT operating model.

Business risk management
Helps you estimate the potential business impact of preventable, strategic, and/or external risks.

NIST Govern-P (GV-P) categories and AWS CAF People perspective capabilities

NIST Privacy Framework AWS CAF
Governance policies, processes, and procedures (GV.PO-P)
The policies, processes, and procedures to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of privacy risk.Risk management strategy (GV.RM-P)
The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.Awareness and training (GV.AT-P)
The organization’s workforce and third parties engaged in data processing are provided privacy awareness education and are trained to perform their privacy-related duties and responsibilities consistent with related policies, processes, procedures, and agreements and organizational privacy values.

Monitoring and review (GV.MT-P)
The policies, processes, and procedures for ongoing review of the organization’s privacy posture are understood and inform the management of privacy risk.

Incentive management
Helps you implement a compensation program that will attract and retain the personnel required to operate a cloud-based IT model.Training management
Provides guidance on how to develop or acquire training for your employees so they can perform their roles in a cloud environment.

NIST Communicate-P (CM-P) categories and AWS CAF People perspective capabilities

NIST Privacy Framework AWS CAF
Communication policies, processes, and procedures (CM.PO-P)
Policies, processes, and procedures are maintained and used to increase transparency of the organization’s data processing practices (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment) and associated privacy risks.Data processing awareness (CM.AW-P)
Individuals and organizations have reliable knowledge about data processing practices and associated privacy risks, and effective mechanisms are used and maintained to increase predictability consistent with the organization’s risk strategy to protect individuals’ privacy.
Resource management
Helps you understand and forecast new personnel needs for a cloud-based model.Career management
Assists you to identify, acquire, and retain the skills needed for your cloud migration and ongoing operating model.Organizational change management
Helps you manage the impact of business, structural, and cultural changes caused by cloud adoption.

NIST Govern-P (GV-P) categories and AWS CAF Governance perspective capabilities

NIST Privacy Framework AWS CAF
Governance policies, processes, and procedures (GV.PO-P)
The policies, processes, and procedures to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of privacy risk.Risk management strategy (GV.RM-P)
The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.Awareness and training (GV.AT-P)
The organization’s workforce and third parties engaged in data processing are provided privacy awareness education and are trained to perform their privacy-related duties and responsibilities consistent with related policies, processes, procedures, and agreements and organizational privacy values.

Monitoring and review (GV.MT-P)
The policies, processes, and procedures for ongoing review of the organization’s privacy posture are understood and inform the management of privacy risk.

Portfolio management
Provides a mechanism to manage it based on desired business outcomes. It can help to determine cloud-eligibility for workloads when prioritizing which services to move to the cloud.Program and project management
Helps you manage technology projects using methodologies that take advantage of the agility and cost management benefits inherent to cloud services.Business performance measurement
Assists you measure the impact of the cloud on business objectives.

License management
Defines methods to procure, distribute, and manage the licenses needed for IT systems, services, and software.

NIST Control-P (CT-P) categories and AWS CAF Platform perspective capabilities

NIST Privacy Framework AWS CAF
Data processing policies, processes, and procedures (CT.PO-P)
Policies, processes, and procedures are maintained and used to manage data processing (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment) consistent with the organization’s risk strategy to protect individuals’ privacy.Data processing management (CT.DM-P)
Data are managed consistent with the organization’s risk strategy to protect individuals’ privacy, increase manageability, and enable the implementation of privacy principles (e.g., individual participation, data quality, data minimization).Disassociated processing (CT.DP-P)
Data processing solutions increase disassociability consistent with the organization’s risk strategy to protect individuals’ privacy and enable implementation of privacy principles (e.g., data minimization).
Systems and solution architecture
Assists you to define and describe the system design and your architectural standards.Compute, network, storage, and database provisioning
Helps you develop new processes for provisioning infrastructure in a cloud environment. Provisioning shifts from an operational focus aligning supply with demand, to an architectural focus aligning services with requirements.Application development
Addresses your ability to support business goals with new or updated applications, and helps implement new skills and processes for software development that take advantage of the agility gained by cloud computing.

NIST Protect-P (PR-P) categories and AWS CAF Security perspective capabilities

NIST Privacy Framework AWS CAF
Data protection, policies, processes, and procedures (PR.PO-P)
Security and privacy policies (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment), processes, and procedures are maintained and used to manage the protection of data.Identity management, authentication, and access control (PR.AC-P)
Access to data and devices is limited to authorized individuals, processes, and devices, and is managed consistent with the assessed risk of unauthorized access.Data security (PR.DS-P)
Data are managed consistent with the organization’s risk strategy to protect individuals’ privacy and maintain data confidentiality, integrity, and availability.

Maintenance (PR.MA-P)
System maintenance and repairs are performed in a way that’s consistent with policies, processes, and procedures.

Protective technology (PR.PT-P)
Technical security solutions are managed to ensure the security and resilience of systems, products, and services and associated data, consistent with related policies, processes, procedures, and agreements.

Identity and access management
Helps you integrate AWS into your identity management lifecycle, and sources of authentication and authorization.Detective control
Provides guidance to help identify potential security incidents within your AWS environment.Infrastructure security
Helps you implement control methodologies necessary to comply with best practices as well as meet industry or regulatory obligations.

Data protection
Helps you to implement appropriate safeguards that protect data in transit and at rest.

Incident response
Assists you define and execute a response to security incidents.

NIST Control-P (CT-P) categories and AWS CAF Operations perspective capabilities

NIST Privacy Framework AWS CAF
Data processing policies, processes, and procedures (CT.PO-P)
Policies, processes, and procedures are maintained and used to manage data processing (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment) consistent with the organization’s risk strategy to protect individuals’ privacy.Data processing management (CT.DM-P)
Data are managed consistent with the organization’s risk strategy to protect individuals’ privacy, increase manageability, and enable the implementation of privacy principles (e.g., individual participation, data quality, data minimization).Disassociated processing (CT.DP-P)
Data processing solutions increase disassociability consistent with the organization’s risk strategy to protect individuals’ privacy and enable implementation of privacy principles (e.g., data minimization).
Service monitoring
Focuses on detecting and responding to IT operations health indicators, to meet your service level agreements and operating level agreements.Application performance monitoring
Provides you with new approaches for monitoring application performance in a cloud environment to ensure that application health meets defined requirements.Resource inventory management
Helps you manage virtual IT assets to provide services that are both high performing and cost efficient.

Release management and change management
Assists your teams adopt software development best practices such as automation and Continuous Integration/Continuous Delivery (CI/CD) techniques, increasing the pace of your innovations.

Reporting and analytics
Helps you monitor the health of cloud assets and provide insights to help you reach the desired level of performance.

Business continuity and disaster recovery (BC/DR)
Helps you implement processes to keep your business running during a catastrophic event.

IT service catalog
Helps you to offer cloud services to the business using a model that can help to improve efficiency of providing IT services as well as the productivity of consuming them.

Conclusion

NIST’s Privacy Framework is a useful companion to the CAF, but whether you choose NIST’s framework or another framework or approach, we recommend having a privacy risk management strategy as you migrate to the cloud.

Learn more about AWS Privacy, Cloud Adoption Framework, and Well-Architected Framework

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Author

Mark Becker

As the Senior Privacy Lead, Mark works across AWS to provide privacy solutions and guidance to help customers navigate global privacy challenges. Before joining AWS, he worked on privacy and civil liberties issues at the U.S. Department of Homeland Security. Mark is a Certified Information Privacy Professional who has authored book chapters and articles on privacy and telecommunications law.