How CloudCheckr Optimizes for Security With CIS
CloudCheckr provides comprehensive cloud management for organizations including service providers, public sector agencies, and modern, large enterprises. Their services help those working in the cloud operate securely and efficiently. CloudCheckr also helps clients meet 35 regulatory compliance frameworks such as PCI DSS, NIST, and HIPAA. Optimizing millions of compute hours every year isn’t simple – so how do they manage to secure it all? It starts with the baseline.
Implementing secure baselines
CloudCheckr helps secure thousands of users across the globe using CIS (Center for Internet Security, Inc.) Benchmarks. CIS Benchmarks are industry-standard configuration guidelines that safeguard systems against today’s evolving cyber threats. They are developed by a global community of cybersecurity experts through CIS WorkBench, a community platform and hub for CIS resources. All CIS Benchmarks are available for free in PDF format.
Using the CIS Benchmarks for configuration helped CloudCheckr provide better cybersecurity for their clients. “CIS did most of the initial, tedious, and time-consuming work of distilling dozens of compliance frameworks into actionable goals,” says Travis Rehl, Director of Product at CloudCheckr.
“CloudCheckr then built sophisticated value-added compliance tools to help achieve those goals,” says Rehl. “And without CIS Benchmarks, it would’ve taken much longer to bring our system to market.”
“Not only do we use CIS Benchmarks externally,” says Rehl. “We use them internally.” The CloudCheckr security team relies on the CIS Benchmarks (more than 100 benchmarks covering 25+ vendor product families) to support compliance with standards including PCI DSS, FedRAMP, HIPAA, SOX and FISMA, and uses CIS Benchmarks and tools on its ongoing path to compliance. “We use CIS Benchmarks, both Level 1 and Level 2, internally with our own security team,” describes Rehl. “We also use other CIS tools to allow us to move faster in adopting new compliance regulations.”
Automation and reporting
With CIS-CAT Pro Assessor, CloudCheckr automates its assessments of target systems against the CIS Benchmarks. “Here’s what you’re doing, here’s what you should be doing, and then here’s CloudCheckr's contribution with how to fix it,” explains Rehl. CIS-CAT Pro helps CloudCheckr’s team identify and remediate gaps in endpoint security.
Once target machines are assessed, CIS-CAT Pro Dashboard reporting demonstrates compliance with the CIS Benchmarks. For clients, CloudCheckr is able to produce customized reports showing how systems are hardened according to CIS Benchmark baselines. Rehl says that “CIS is a large portion of how we show specific benchmark configuration audits and describe them to the end-user.”
CIS-CAT Pro Assessor offers remote assessment functionality, allowing CloudCheckr to scan target machines from anywhere. CIS-CAT Pro is part of CIS SecureSuite Membership. CIS SecureSuite Members enjoy additional benefits including Build Kits for quickly implementing CIS Benchmark recommendations. Members can also use CIS WorkBench to develop custom configuration policy.
Securing the cloud
When it comes to optimizing cloud environments, CloudCheckr knows that security has to be implemented from the start. That’s why they recommend CIS Hardened Images. CIS Hardened Images are virtual machine and container images that are preconfigured according to the CIS Benchmark for their operating system. “We take the images of the base software and we apply the configuration settings so that it’s already hardened when it gets to the cloud,” says Kathleen Patentreger, Senior Vice President of CIS Benchmarks. Each CIS Hardened Image comes with a report detailing every CIS Benchmark recommendation applied to the image, as well as any exceptions that could not be applied.
CIS Hardened Images, the gold standard
What’s the primary benefit of CIS Hardened Images? “When you are deploying a large system on the cloud, dozens or hundreds of servers that all have to be manipulated and managed, you want to have a gold standard to start from,” says Rehl. “The CIS Hardened Image is the gold standard you start from.” Because the images are based on the consensus-developed CIS Benchmarks, they provide vendor-agnostic security for cloud environments.
CIS Hardened Images are as flexible and scalable as any cloud machine. And they’re simple to use, too. “I can automate and deploy it en masse to multiple regions,” Rehl explains. “It makes it very easy to manage across the total cloud landscape.” CIS Hardened Images are available on AWS, Microsoft Azure, and Google Cloud Platform. CIS Hardened Images are also available on cloud regions specific to government and intelligence community organizations.
There’s no doubt that cloud environments are under attack. CloudCheckr is helping to secure cloud environments across the globe by leveraging the consensus-developed CIS Benchmark configurations and the CIS resources that help implement them. By using CIS-CAT Pro and CIS Hardened Images, an organization is able to demonstrate conformance to CIS Benchmark guidelines. While starting from a secure configuration is a must, there is no guarantee that a hardened configuration will stay that way: every later change, whether an ad-hoc edit, a package update or a new deployment, can move a system away from its baseline. Continuous security assessment, change monitoring and alerting, delivered by CloudCheckr, help keep a hardened configuration compliant over time. CloudCheckr’s clients – from startups to Fortune 500 companies – reap the benefits. Organizations can enjoy the speed and cost-savings of CloudCheckr’s expertise in cloud management while benefiting from the industry-leading recommendations and configurations published by CIS.
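The two ideas this page rests on are the benchmark assessment (what a system is doing, what it should be doing, how to fix it) and the need to keep checking after deployment, because a hardened baseline drifts. The following is an added example, not code from CIS-CAT Pro, CloudCheckr or any CIS Benchmark: it evaluates an sshd_config against three illustrative checks with Level 1 / Level 2 tags, produces the actual/expected/fix report, and then diffs a baseline run against a later run to surface drift. The check IDs, titles, levels, thresholds and the OpenSSH defaults are assumptions modelled on the kind of SSH recommendations found in CIS Linux benchmarks, not quotations from any benchmark version; both configuration files are constructed. It also handles two sshd parsing rules that a naive audit gets wrong: sshd keeps the first value of a repeated keyword, and settings after a `Match` line are conditional rather than global. A production assessor would read the daemon's effective configuration (for example the output of `sshd -T`) rather than parse the file.

```python
# Added example: benchmark-style sshd_config assessment with drift detection.
# Not CIS-CAT Pro or CloudCheckr code; IDs, levels and thresholds are illustrative.
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Check:
    id: str                    # illustrative, not a real CIS recommendation number
    title: str
    level: int                 # mirrors CIS Level 1 / Level 2 profiles
    keyword: str               # sshd_config keyword (sshd matches it case-insensitively)
    ok: Callable[[str], bool]  # predicate over the effective value
    default: str               # assumed OpenSSH default when the keyword is absent
    remediation: str

CHECKS: List[Check] = [
    Check("SSH-01", "Root login over SSH disabled", 1, "PermitRootLogin",
          lambda v: v == "no", "prohibit-password", "Set 'PermitRootLogin no'"),
    Check("SSH-02", "MaxAuthTries is 4 or less", 1, "MaxAuthTries",
          lambda v: int(v) <= 4, "6", "Set 'MaxAuthTries 4'"),
    Check("SSH-03", "X11 forwarding disabled", 2, "X11Forwarding",
          lambda v: v == "no", "no", "Set 'X11Forwarding no'"),
]

@dataclass(frozen=True)
class Finding:
    check_id: str
    status: str      # "PASS" or "FAIL"
    actual: str      # effective value, explicit or default
    explicit: bool   # keyword present in the file?
    remediation: str

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Global effective settings (lower-cased keyword -> value). sshd keeps the FIRST
    value of a repeated keyword, and lines after 'Match' are conditional, not global."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+|\s*=\s*", line, maxsplit=1)  # 'Key Value' or 'Key=Value'
        key = parts[0].lower()
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective

def assess(text: str, checks: List[Check] = CHECKS, level: int = 2) -> List[Finding]:
    """Evaluate every check at or below the requested profile level."""
    cfg = parse_sshd_config(text)
    findings = []
    for c in checks:
        if c.level > level:
            continue
        key = c.keyword.lower()
        actual = cfg.get(key, c.default)
        try:
            passed = c.ok(actual)
        except ValueError:  # e.g. non-numeric MaxAuthTries counts as a failure
            passed = False
        findings.append(Finding(c.id, "PASS" if passed else "FAIL", actual, key in cfg, c.remediation))
    return findings

def report(findings: List[Finding]) -> str:
    """Per check: what you are doing, what you should be doing, how to fix it."""
    titles = {c.id: c.title for c in CHECKS}
    rows = []
    for f in findings:
        fix = f"; fix: {f.remediation}" if f.status == "FAIL" else ""
        rows.append(f"{f.check_id} {f.status} {titles[f.check_id]}: actual={f.actual} "
                    f"({'explicit' if f.explicit else 'default'}){fix}")
    return "\n".join(rows)

def drift(baseline: List[Finding], current: List[Finding]) -> List[str]:
    """IDs that passed at baseline (e.g. a freshly deployed hardened image) but fail now."""
    base = {f.check_id: f.status for f in baseline}
    return [f.check_id for f in current if base.get(f.check_id) == "PASS" and f.status == "FAIL"]

# Constructed sample inputs, not captured from any real host.
HARDENED_CONF = """\
PermitRootLogin no
MaxAuthTries 4
X11Forwarding no
"""
DRIFTED_CONF = """\
PermitRootLogin yes
X11Forwarding yes
# sshd ignores this repeat: the first PermitRootLogin above wins
PermitRootLogin no
Match User deploy
    MaxAuthTries 2
"""

if __name__ == "__main__":
    base, now = assess(HARDENED_CONF), assess(DRIFTED_CONF)
    print(report(now))
    print("drifted:", drift(base, now))
```

Running the block reports all three checks failing on the drifted file, including SSH-01, which a last-wins parser would have passed because of the second `PermitRootLogin no`, and SSH-02, which fails because the only `MaxAuthTries` sits under a `Match` block and the global value falls back to the assumed default of 6. Passing `level=1` to `assess` drops the Level 2 check, which is how a Level 1 versus Level 2 profile assessment differs in practice.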