Avoid Cloud Misconfigurations with CIS Hardened Images

Organizations with cloud workloads need to protect themselves against a variety of risks. While most organizations focus on security against hackers, breaches resulting from simple misconfigurations can be just as damaging.

The 2020 Verizon Data Breach Investigation Report (DBIR) found that misconfigurations are on the rise. The report states that errors are now just as common as social breaches and occur more frequently than malware. In fact, it found that errors were the cause of 22% of breaches.

To further illustrate the challenge, Gartner Group predicts that over the next five years, “at least 99% of cloud security failures will be the customer’s fault.” Many of these are errors resulting from misconfigurations.

While misconfigurations can result from any number of factors, breaches resulting from misconfigurations usually occur when a server or storage bucket is left unsecured. Costly breaches have occurred at well-known companies due to the misconfiguration of a single security setting. This seemingly small error can give intruders access to hundreds of thousands of confidential records.

Steering Clear of Configuration Drift

Another frequently overlooked threat is configuration drift. This can be very common in cloud environments, where new versions of software are constantly being pushed out. Configuration drift occurs when the actual state of the environment does not align with the logged state or test environment. This is common among DevOps teams because of the necessary agility for their production. Although common, these minor differences in environments can cause software rollouts to fail, or existing systems to cease functioning, often at the worst possible time. Critical functions such as disaster recovery require that backup environments support ongoing business processes, but a misconfigured environment or environment configured without logging changes, can mean a complete business shutdown.

How to Avoid Misconfiguration

So what can an IT professional do to help prevent costly mistakes resulting from misconfigurations and configuration drift? A thorough review of permission controls, ongoing configuration audits, and appropriate logging should be part of any program. But this can be very time-consuming and costly if not done properly.

Pre-configured virtual machine images are a cost-effective, easily implemented solution that can help avoid misconfigurations. A hardened virtual image of an operating system, application, or other piece of software is by definition more secure than a standard image. This is especially true if it’s already hardened to recognized security standards and updated regularly. Deploying industry recognized pre-configured virtual machine images is one of the best ways to ensure that cloud infrastructure remains stable when leveraging public cloud service providers (CSPs).

CIS Hardened Images Help Prevent Misconfiguration

CIS Hardened Images are pre-configured virtual machine (VM) images that conform to the CIS Benchmarks, a globally-recognized security standard managed by the Center for Internet Security (CIS). CIS Hardened Images offer security to protect against malware, insuffi­cient authorization, and remote intrusion.

By using a CIS Hardened Image, an organization can trust that their operating systems have secure configurations, and that CIS updates every image regularly. New versions of CIS Hardened Images are made available any time there is a major or minor update to the corresponding CIS Benchmark itself.

To increase the efficiency of configuration audits, every CIS Hardened Image includes a CIS-CAT Pro report showing conformance to the CIS Benchmark, as well as an exception report showing configurations that cannot be applied in the cloud. This provides you with a comprehensive list of every configuration included in the CIS Hardened Image. A README text file accompanies this report as well as exceptions necessary for that CIS Hardened Image to run in the cloud.

There are more than 30 unique CIS Hardened Images available on Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Oracle Cloud Marketplaces.

Meeting the Shared Security Responsibility

The shared responsibility model describes the shared responsibilities between the cloud service provider and the cloud consumers. Rather than leaving the responsibility and trust solely in the CSP’s hands, the model outlines what security actions an organization is responsible for and what security actions the CSP should manage.

CIS Hardened Images help organizations to meet a portion of their obligations under the shared responsibility model. These hardened VMs help cloud consumers secure their operating systems, applications, and web servers. CIS Hardened Images also help cloud consumers avoid misconfigurations by securely pre-configuring the images and providing a detailed report on those configurations within the image.

Avoid Misconfigurations and Costly Mistakes

With high chances of user error, limited security resources, and constantly evolving computing environments, commercial and public organizations working in the cloud need practical, real-world solutions that are both affordable and reliable.

CIS Hardened Images can help IT professionals around the globe avoid misconfigurations and configuration drift.