CIS Controls™ Cloud Companion Guide and Public Call for IoT Companion Guide

Working with an army of global adopters and cybersecurity experts, the CIS Controls team created a cloud security companion guide to help secure cloud environments. This guide helps organizations break down and map the applicable CIS Controls and their implementation in cloud environments using consensus-developed best practices.

Cloud Challenge: Sharing the Responsibility

One of the main challenges in applying best practices to cloud environments is tied to the fact that these systems operate under different assumed security responsibilities than traditional on-premises environments. There is often a shared security responsibility between the user and the cloud provider. In this guide, we identify who is responsible for cloud security tasks outlined in the controls that are specific to the service models:

  • IaaS (Infrastructure as a Service)
  • PaaS (Platform as a Service)
  • SaaS (Software as a Service)
  • FaaS (Function as a Service)

Throughout this document, we take into consideration the unique mission and business requirements found in cloud environments. The guide also examines unique risks (vulnerabilities, threats, consequences, and security responsibilities) to cloud environments. These risks drive the priority of enterprise security requirements (e.g., availability, integrity, and confidentiality of data).

Using this guide, the consumer should be able to tailor the CIS Controls in the context of a specific IT/OT cloud environment. It’s an essential starting point for those who wish to conduct a security improvement assessment and roadmap. Track your progress with a downloadable spreadsheet.

Download the CIS Controls Cloud Security Companion Guide

Developing the Internet of Things (IoT) Security Companion Guide

Just like the CIS Controls, the companion guides are developed by a community consensus process. Up next, the team is developing a companion guide to help implement the CIS Controls in IoT environments. Enterprise IoT security presents unique and complex challenges for security professionals. IoT devices have become embedded into organizations around the world and often can’t be secured via standard enterprise security methods, such as endpoint agents. Yet for ease of use, IoT devices are often connected to the same networks employees use day in and day out, and may also be directly internet connected. Such devices include smart speakers, security cameras, door locks, window sensors, thermostats, headsets, watches, and more.

We need your help to develop this guide! Join the discussion and help us determine best practices for securing IoT environments. To participate, log in to CIS WorkBench and navigate to our CIS Controls IoT Community, where you’ll find helpful documentation and be able to join discussion forums on each sub-control. CIS WorkBench is a collaboration and development platform where you’ll see comments provided by the members of the CIS Controls communities.

Visit CIS WorkBench

We look forward to everyone’s feedback by February 28, 2019. Once again, thank you for your support, for your participation, and for being part of our cybersecurity community.

Securing the Connected World

Advancements in cloud and IoT technologies have brought people together in new and exciting ways. The solution to securing these environments comes from the community, too – working together to create consensus-developed resources like the CIS Controls companion guides. We are deeply grateful for the volunteers who helped develop the CIS Controls Cloud Companion Guide and those who will help develop the IoT Companion Guide. We hope these resources help your organization bolster its defenses.