Cloud service providers (CSPs) have changed the way organizations of all sizes architect and deploy their IT environments. CSPs now make it possible for organizations to rapidly implement new technologies with greater levels of ease and scalability.
As with any new opportunity, leveraging cloud technology also introduces new forms of risk. Industry standards give organizations guidance for creating policies and plans and for managing their cloud environments. Organizations that do not use industry standards to harden their environments leave themselves open to cyber-attacks and misconfiguration.
Cloud environments evolve and change, and CSPs are constantly adding new functional services that come with unique configuration and security tools to manage them. However, organizations cannot be solely dependent on the CSP for security.
One of the most effective ways for organizations to secure their public cloud accounts is to use the CIS Foundations Benchmarks. Learn more about them and learn which new cloud security resources will be coming soon from CIS.
The CIS Foundations Benchmarks are a part of the family of cybersecurity standards managed by the Center for Internet Security (CIS). CIS Benchmarks are consensus-based, vendor-agnostic secure configuration guidelines for the most commonly used systems and technologies.
Take a closer look at the community consensus development process behind the CIS Benchmarks below.
There are more than 100 free CIS Benchmarks PDFs covering 25+ vendor product families such as operating systems, servers, cloud providers, mobile devices, desktop software, and network devices. The CIS Foundations Benchmarks provide guidance for public cloud environments at the account level.
The CIS Foundations Benchmarks cover:
CIS Benchmarks are consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia. The CIS Foundations Benchmarks are intended for system and application administrators, security specialists, auditors, help desk, platform deployment, and/or DevOps personnel who plan to develop, deploy, assess, or secure solutions in the cloud. They are available at no cost to download in PDF format.
While all CIS Foundations Benchmarks are tailored to their respective CSPs, the document contents all have common features and are organized with a similar structure. At a minimum, they provide prescriptive guidance specific to Identity and Access Management (IAM), logging and monitoring, and networking.
Take IAM as an example. In all CIS Foundations Benchmarks, there is at least one recommendation regarding multi-factor authentication (MFA). The configuration recommendations vary across the platforms, but the intent is the same. In each CIS Foundations Benchmark recommendation, you’ll find the following sections:
While the recommendations are specific to the services and tools of each platform, users can trust that all CIS Foundations Benchmarks provide prescriptive guidance to secure account-level elements of public cloud platforms.
The CIS Foundations Benchmarks are part of a portfolio of globally recognized resources provided by CIS to help organizations secure their operations in public cloud environments. In addition, the CIS Controls Cloud Companion Guide can help CSP customers fulfill their part of the model for shared security responsibility in the cloud:
The CIS Foundations Benchmarks are not intended to cover all of a CSP’s services. They are a starting point to configure your public cloud account. CIS product and service-level Benchmarks for the cloud are in development to provide more prescriptive configuration guidance in the cloud.
CIS currently offers service-based CIS Benchmarks to cover Kubernetes, end user computing, and Azure services. Kubernetes service Benchmarks include Amazon Elastic Kubernetes (EKS), Google Kubernetes Service (GKE), and Oracle Cloud Infrastructure Kubernetes (OKE). CIS plans to release CIS Benchmarks for Azure Kubernetes Service and Red Hat OpenShift Kubernetes in the coming months.
Additionally, CIS plans to introduce product-level coverage for multiple CSP services. We’re pleased to announce the CIS AWS End User Compute Services Benchmark as the first example of that. This CIS Benchmark covers AWS products including Amazon WorkSpaces, Amazon WorkDocs, Amazon AppStream 2.0, and Amazon WorkLink. It builds on the CIS Foundations Benchmark, with an emphasis on the security settings that apply when using end user computing. We will continue to release product-level CIS Benchmarks across the CSPs while continuing to expand the CIS Foundations Benchmarks.
Keep an eye out for more service-based CIS Benchmarks for additional guidance on public cloud services.
CIS Foundations Benchmarks are created using a consensus review process leveraging the expertise of subject matter experts from around the world. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.
Since public cloud environments evolve rapidly, the CIS Foundations Benchmarks require constant maintenance. We work with CSPs, CSP consumers and cybersecurity experts to gain insights and collect the most up-to-date information. Please consider joining one of our Communities and participating in the development of these resources.