Making Security Happen

By: Adam Montville

Our mission here at CIS is pretty clear: Lead communities to shepherd security best practices and continuously develop world-class security solutions supporting those practices. I generally like to think of this as working to “make security happen”. In support of this mission we have two important announcements to make today.

First, we have released the first-ever benchmark for your Amazon Web Services accounts, “CIS Amazon Web Services Foundations Benchmark v1.0.0” (here). This benchmark covers the bases for basic AWS services, such as Identity and Access Management, AWS Config, CloudTrail, CloudWatch, Simple Notification Service, and Simple Storage Service. Using our well-known and respected consensus process, we have worked with Amazon and other organizations steeped in AWS services and technology to bring this benchmark to release (the folks over at Amazon have some more goodies for you as well – take a look here). The recommendations embodied in this benchmark do not come directly from CIS, but from a community of security-conscious, AWS-knowledgeable folks who want to share their work with the rest of the world.

The AWS Foundations benchmark covers the following topic areas, which form, well, the foundation for AWS benchmarks to come (hint: take a look at our AWS 3-Tier Web Architecture Benchmark draft here). More specifically, these sections are:

  • Identity and Access Management
  • Data Protection and Resiliency
  • Audit and Logging
  • Networking

The AWS Foundations benchmark follows the standard CIS profile scheme. Recommendations in the Level 1 profile can be thought of as those which provide a clear security benefit without adversely impacting the technology. Recommendations in the Level 2 profile can be thought of as those which provide a defense-in-depth measure of security or take a more stringent view of security, and which may adversely impact the utility of the technology. I like to think of it like this: Level 1 covers the environments you might consider “unclassified” in your enterprise, and Level 2 covers those of your environments you might consider “classified”.

The second important announcement we have to make is that the release of our AWS Foundations benchmark marks a turning point in the way CIS provides its benchmarks to the world. Historically, CIS benchmarks embodied in PDF form have been restricted in their use. Consequently, good folks were not permitted to create any derivatives of the benchmark, even if that derivative was open source. This all changes now, beginning with AWS Foundations. From this point forward, CIS benchmarks will be released in PDF format under Creative Commons licensing—specifically, the Attribution-NonCommercial-ShareAlike 4.0 International license (full legalese here).

What does this mean? Quite a bit, actually. First and foremost, you’ll now be able to take a freely available benchmark and remix, build upon, or transform it for non-commercial use and say it’s based on a CIS benchmark. Before you run out and do this, however, note that there are some caveats. Any derivative work you create that alters the information in the original work is expressly NOT a CIS benchmark. On the other hand, if your derivative work represents the full benchmark and only the benchmark (essentially a translation from PDF form into some other form), you can, and should, state that it’s a CIS benchmark. In both cases, attribution is required, so you’ll need to give credit where it is due. In neither case is your derivative considered a CIS Certified solution; certification comes with membership, and then only after subjecting your derivative to our certification process.

At this point maybe you’re wondering what this means for all the rest of the benchmarks in our stable—all those we’ve previously published. We have a plan. Benchmarks published from this point forward will be subject to the Creative Commons license as noted above. The first priority will be given to those benchmarks we are already planning to turn out this year (see our projects in flight here). Second priority will be given to the rest. Of course, if a benchmark you need is not already published under Creative Commons, contact us to let us know—we’ll do what we can to prioritize your request. Our goal is to have all of the latest benchmarks across our benchmark lines updated to Creative Commons licensing before the end of this year (if not much sooner).

2016 is a pivotal year for CIS. We have a bold goal to make security happen not just for our members, but for non-members as much as possible. The release of our AWS Foundations benchmark with Creative Commons licensing marks this turning point. Keep an eye out for other exciting news later in the year!