×
Why CIS Solutions Join CIS Resources
CIS WorkBench Sign-in CIS WorkBench Sign In CIS Hardened Images CIS Hardened Images Support CIS Support


Why CIS

Who We Are

CIS is an independent, nonprofit organization with a mission to create confidence in the connected world



About Us Leadership Principles Testimonials

Solutions

secure your organization
Secure Your Organization


secure specific platforms
Secure Specific Platforms


cis securesuite CIS SecureSuite® Learn More      Apply Now  
u s state local tribal and territorial governments
U.S. State, Local, Tribal & Territorial Governments


View All Products & Services  

Join CIS

Get Involved

Join CIS as a member, partner, or volunteer - or explore our career opportunities



CIS SecureSuite® Membership Multi-State ISAC (MS-ISAC®) Elections Infrastructure ISAC (EI-ISAC®) CIS CyberMarket® Vendors CIS Communities Careers

Resources

resources
Resources


learn
Learn


filter by topic
Filter by Topic


View All Resources  
CIS Logo Show Search Expand Menu

How to Meet the Shared Responsibility Model with CIS

In 2020, the shift to a global remote workforce demonstrated just how difficult securing a cloud environment can be. Now organizations face the challenge of securing hybrid environments. To address these challenges, many companies migrate to the cloud and leverage cloud service providers (CSPs) such as Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Oracle Cloud. These public cloud providers offer cost-effective, scalable cloud computing solutions.

Among the many benefits of operating on the public cloud, users share the security responsibilities with the CSP. Typically, the CSP is responsible for the physical security of the cloud infrastructure, while the customer is responsible for securing the services and/or applications they use. The division of these responsibilities is known as the shared responsibility model for cloud security.

Shared Responsibility Model Characteristics

Based on the type of cloud environment required by an organization, the delineation of security responsibilities will differ. Responsibilities vary according to the four main types of cloud environments:

  • Infrastructure as a Service (IaaS)
  • Software as a Service (SaaS)
  • Platform as a Service (PaaS)
  • Function as a Service (FaaS)

cloud-security-shared-responsibility-model-center-for-internet-security

Ultimately however, the protection of an organization’s data lies with the organization itself. That's where the Center for Internet Security (CIS) can help. CIS strives to make the connected world a safer place by developing, validating, and promoting best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats. Thus, our vision is to lead the global community to secure our ever-changing connected world. A portion of that is providing organizations with resources that can help them meet their part of the shared responsibility model for cloud security.

Cloud Security Resources Available from CIS

CIS works with a global community to develop three main security best practices that can help cloud consumers meet the shared responsibility model:

CIS Controls

A prioritized set of 20 actions that collectively form a defense-in-depth set of best practices. The CIS Controls are practical and prescriptive actions that organizations should take to prevent common cyber-attacks.

The CIS Controls Cloud Companion Guide is a free resource that can help users apply the CIS Controls in the cloud. Notably, the guide maps the CIS Controls to the four main types of cloud environments.

CIS Benchmarks

The CIS Benchmarks are configuration guidelines for technologies, operating systems, containers, and more. There are more than 100 CIS Benchmarks covering 25+ vendor product families.

In particular, the CIS Foundations Benchmarks provide prescriptive guidance for configuring, deploying, and securing services in public cloud environments. This resource can assist cloud users with the shared responsibility model, notably identity and access management. A free CIS Foundations Benchmark is available for the following cloud environments:

CIS Hardened Images

Lastly, CIS Hardened Images are virtual machine images for operating systems, containers, and applications. They're pre-configured to CIS Benchmark recommendations. Backed by a global community of cybersecurity experts and built off of the base image provided by CSPs, CIS Hardened Images seamlessly integrate into an organization’s security procedures. Because they're an IaaS environment, CIS Hardened Images can help with the host infrastructure part of the shared responsibility model.

What's more, CIS updates and patches these Hardened Images on a monthly basis to ensure the latest security configurations are in place. Every CIS Hardened Image includes a CIS-CAT Pro report showing conformance to the CIS Benchmark. It also includes an exception report showing configurations that cannot be applied in the cloud.

CIS Hardened Images are available on four major CSP marketplaces:

View all CIS Hardened Images

CIS Shared Responsibility Model Resource

The shared responsibility model for cloud security provides clarity on security expectations for public cloud users. However, an understanding of the expectation is just the first step. Users must act on these responsibilities by creating policies and procedures for their portion of cloud security. In order to do this, cloud consumers should use cloud security tools and resources that directly address the needs of their cloud environment.

In sum, whether they're used together or individually, CIS Controls, CIS Benchmarks, and CIS Hardened Images provide organizations operating in the cloud prescriptive guidance to secure their environments. They also help organizations conform to the shared responsibility model with ease. In this guide, we provide a deep dive into the shared responsibility model for cloud security, the division of user and CSP responsibilities, and how CIS resources help meet those responsibilities.