Serverless

Control Categories that apply to serverless FaaS 4 next meeting!


    Posted Mar 10, 2022 11:17:00 AM
    Hi,

    I'm posting here the control categories that apply to serverless FaaS from NIST, as sent by our co-chair, Aradhna.
    Please have a look, share your feedback and let's discuss further on our working group call next Thursday the 17th of March.

    Based on the Control Categories Table in NIST 800-53:

    TABLE 1: SECURITY AND PRIVACY CONTROL FAMILIES 

    The Control Categories that apply to Serverless FaaS may be:

    AC, AT, AU, CA, CM, IA, RA, SA, SC, SI

    For each of these control categories there are detailed control descriptions in NIST 800-53.
    We should map the detailed controls that are relevant to Serverless FaaS.
    Below is an example template that we can tweak as per the need to capture the mappings.
    Implementation details can be expanded as much as we like and provide more context.

    Mapping of NIST 900-53 R5 controls to Serverless FaaS

    | Sr. No | Control Category | Sub controls | Description of control | Implementation details and comments for Serverless |
    |--------|------------------|--------------|------------------------|----------------------------------------------------|
    | 1 | AC | AC-1 | Policy and Procedures | Enterprises must define standards and policies requiring access controls in FaaS. Typically these standards will drive the implementation of controls |
    | 2 | AC | AC-2 | Account Management | Define and document the types of accounts allowed and specifically prohibited for use within the FaaS |

    Next call:

    Thursday, 17 March 2022.
    Time: 09:00 a.m. PST / 12:00 p.m. EST / 17:00 GMT / 18:00 CET
    URL:  https://zoom.us/j/98681420926  (Meeting ID: 986 8142 0926)

    Kind regards,
    Marina

     



    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------