Call for participation: Help the CIS Controls Secure Mobile and Cloud Environments

We are at a fascinating point in the evolution of cyber defense. To help organizations understand the cyber threat we have seen the emergence of threat information feeds, reports, tools, alert services, standards, and threat sharing frameworks. Business complexity is growing, dependencies are expanding, users are becoming more mobile, and the threats are evolving.

Defending mobile and cloud environments

Developing mobile and cloud technologies introduce technological and societal benefits. It also means that data and applications are distributed across multiple locations, many of which are not within the organization’s infrastructure. With all these threats, how can we get on track with a roadmap of fundamentals and guidance to measure and improve mobile and cloud security? Which defensive steps have the greatest value?

The CIS Controls started as a grassroots activity over a decade ago to help organizations focus on the most fundamental and valuable cybersecurity actions. The CIS Controls are downloaded by thousands each year to help secure systems and data. Now, we’re bringing the trusted security of the CIS Controls to mobile and cloud environments with the CIS Controls Mobile Companion Guide and CIS Controls Cloud Companion Guide. These guides will break down and map the applicable CIS Controls and their implementation in mobile and cloud environments.

Security in the cloud: a shared responsibility

One of the main challenges in applying best practices to cloud environments is tied to the fact that these systems operate under different assumed security responsibilities than traditional on-premises computers. There is a shared security responsibility between the user and the cloud provider. Who is responsible for specific security tasks can depend on the specific cloud environment:

  • IaaS (Infrastructure as a Service) – A vendor provides users access to computing resources such as servers, storage and networking. Organizations use their own platforms and applications within a service provider’s infrastructure.
  • PaaS (Platform as a Service) – Provides users with a cloud environment in which they can develop, manage and deliver applications. In addition to storage and other computing resources, users are able to use a suite of prebuilt tools to develop, customize and test their own applications.
  • SaaS (Software as a Service) – Provides users with access to a vendor’s cloud-based software. Users do not install applications on their local devices. Instead, the applications reside on a remote cloud network accessed through the web or an API. Through the application, users can store and analyze data and collaborate on projects.
  • FaaS (Function as a Service) – A category of cloud computing services that provides a platform allowing customers to develop, run, and manage application functionalities without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app.

Mobile devices take security on the go

There are also unique security challenges to mobile environments, especially when devices owned by employees are granted access to organizational data and resources. Mobile is no longer a “nice to have” option offered by some businesses. Improperly managing mobile access to enterprise data can lead to shadow IT, where users are accessing sensitive data with an insecure device without the proper policies in place. Employees will download mobile apps to this same device, which may try to read enterprise data. Additionally, mobile devices are by their very nature constantly on the go, connecting to potentially insecure Bluetooth and WiFi networks, and they can be easily lost.

For the mobile companion guide, our community will focus on how to apply the CIS Controls security recommendations to Google Android and Apple iOS environments. Factors such as “Who owns the data?” and “Who owns the device?” all affect how the device can be secured, and against what threats. This means that various ways of managing how organizations purchase, provision, and provide devices to employees will need to be covered, such as Bring Your Own Device (BYOD) and Corporately-Owned, Personally-Enabled (COPE). The community will analyze the systems which help administer and monitor mobile devices, such as Enterprise Mobility Management, Mobile Device Management, and Mobile Threat Defense.

A community approach

At CIS, we believe in community-driven, consensus-developed resources that help every organization improve its cyber defenses. That’s why we’re creating the CIS Controls Mobile Companion Guide and CIS Controls Cloud Companion Guide. In these documents, we’ll provide guidance on how to apply the security best practices found in CIS Controls Version 7 to any mobile or cloud environment from the user perspective.

We’re excited to produce these guides, but we need your help. Are you an IT security expert or cloud technology super-user? Join our communities on CIS WorkBench. For each top-level CIS Control, we’ll discuss of how to interpret and apply the security recommendations in mobile and cloud environments. We’ll also examine any unique considerations or differences in applying the CIS Control to these systems as compared to more traditional IT environments.

To get involved, join CIS WorkBench – our free community collaboration platform. Once you’ve registered, search for the CIS Controls cloud or mobile community (or click on the links below) to start contributing to the discussion.

CIS Controls Cloud Companion Guide Community

CIS Controls Mobile Companion Guide Community