Foundational Cloud Security with CIS Benchmarks
Cloud service providers (CSPs) have changed the way organizations of all sizes architect and deploy their IT environments. CSPs now make it possible for organizations to rapidly implement new technologies with greater levels of ease and scalability.
As with any new opportunity, leveraging cloud technology also introduces new forms of risk. Industry standards provide organizations guidance to create policies, plans, and to manage their cloud environments. Organizations that do not use industry standards to harden their environments leave themselves open to cyber-attacks and misconfiguration.
Cloud environments evolve and change, and CSPs are constantly adding new functional services that come with unique configuration and security tools to manage them. However, organizations cannot be solely dependent on the CSP for security.
One of the most effective ways for organizations to secure their public cloud accounts is to use the CIS Foundations Benchmarks. Learn more about them and learn which new cloud security resources will be coming soon from CIS.
CIS Foundations Benchmarks Overview
The CIS Foundations Benchmarks are a part of the family of cybersecurity standards managed by the Center for Internet Security (CIS). CIS Benchmarks are consensus-based, vendor-agnostic secure configuration guidelines for the most commonly used systems and technologies.
There are more than 100 free CIS Benchmarks PDFs covering 25+ vendor product families such as operating systems, servers, cloud providers, mobile devices, desktop software, and network devices. The CIS Foundations Benchmarks provide guidance for public cloud environments at the account level.
The CIS Foundations Benchmarks cover:
- Amazon Web Services
- Microsoft Azure
- Google Cloud Computing Platform
- Oracle Cloud Infrastructure
- IBM Cloud
- Alibaba Cloud - Coming Soon
CIS Benchmarks are consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia. The CIS Foundations Benchmarks are intended for system and application administrators, security specialists, auditors, help desk, platform deployment, and/or DevOps personnel who plan to develop, deploy, assess, or secure solutions in the cloud. They are available at no cost to download in PDF format.
How CIS Foundations Benchmarks Work
While all CIS Foundations Benchmarks are tailored to their respective CSPs, the document contents all have common features and are organized with a similar structure. At a minimum, they provide prescriptive guidance specific to Identity and Access Management (IAM), logging and monitoring, and networking.
Take IAM as an example. In all CIS Foundations Benchmarks, there is at least one recommendation regarding multi-factor authentication (MFA). The configuration recommendations vary across the platforms, but the intent is the same. In each CIS Foundations Benchmark recommendation, you'll find the following sections:
- Profile Applicability – Identifies whether the recommendation relates to a Level 1 (standard security), or Level 2 (higher security) profile
- Description – An easy-to-understand explanation of the recommendation and why it’s important
- Audit – A detailed description of how to evaluate the status of the recommendation in its current configuration
- Remediation – Step-by-step guidance on how to successfully implement the recommendation
- References – Links to supporting documentation
- Additional Information – Further explanation, if necessary
- CIS Controls – Maps the recommendation to the specific CIS Control
While the recommendations are specific to the services and tools of each platform, users can trust that all CIS Foundations Benchmarks provide prescriptive guidance to secure account-level elements of public cloud platforms.
Shared Cloud Security Responsibility Resources
The CIS Foundations Benchmarks are part of a portfolio of globally-recognized resources provided by CIS to help organizations secure their operations in public cloud environments. In addition, the CIS Controls Cloud Companion Guide can help CSP customers fulfill their part of the model for shared security responsibility in the cloud:
- Shared Responsibility Model describes the shared responsibilities between the cloud provider, the users, and the IT organization. Rather than leaving the responsibility and trust solely in the CSP’s hands, the model outlines what security actions an organization is responsible for and what security actions the CSP should manage.
- The CIS Controls Cloud Companion Guide provides guidance on how to apply the security best practices found in the CIS Controls to the four main “as-a-service” cloud environments. Additional steps needed in any cloud environment are explained, based on the individual service models.
- CIS Hardened Images are pre-configured virtual machine images hardened in accordance to the security recommendations of CIS Benchmarks. CIS Hardened Images are updated on a monthly basis to ensure the latest security configurations are in place and patched for vulnerabilities.
Coming Soon – Product and Service-Level CIS Benchmarks for the Cloud
The CIS Foundations Benchmarks are not intended to cover all of a CSP’s services. They are a starting point to configure your public cloud account. CIS product and service-level Benchmarks for the cloud are in development to provide more prescriptive configuration guidance in the cloud.
CIS currently offers service-based CIS Benchmarks to cover Kubernetes end user computing and Azure services. Kubernetes service Benchmarks include Amazon Elastic Kubernetes (EKS),Google Kubernetes Service (GKE) and Oracle Cloud Infrastructure Kubernetes (OKE). CIS plans to release CIS Benchmarks for Azure Kubernetes Service, and Red Hat OpenShift Kubernetes in the coming months.
Additionally, CIS plans to introduce product-level coverage for multiple CSP services. We're pleased to announce the CIS AWS End User Compute Services Benchmark as the first example of that. This CIS Benchmark covers AWS products including: Amazon WorkSpaces, Amazon WorkDocs, Amazon AppStream 2.0, and Amazon WorkLink. This Benchmark builds on the CIS Foundations Benchmark with an emphasis on the security settings when utilizing end user computing. We will continue to release product-level CIS Benchmarks across the CSPs, while continuing to expand the CIS Foundations Benchmarks.
Keep an eye out for more service-based CIS Benchmarks for additional guidance on public cloud services.
Become Part of the CIS Benchmarks Communities
CIS Foundations Benchmarks are created using a consensus review process leveraging the expertise of subject matter experts from around the world. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.
Since public cloud environments evolve rapidly, the CIS Foundations Benchmarks require constant maintenance. We work with CSPs, CSP consumers and cybersecurity experts to gain insights and collect the most up-to-date information. Please consider joining one of our Communities and participating in the development of these resources.