How to Meet the Shared Responsibility Model with CIS
In 2020, the shift to a global remote workforce demonstrated just how difficult securing a cloud environment can be. Now organizations face the challenge of securing hybrid environments. To address these challenges, many companies migrate to the cloud and leverage cloud service providers (CSPs) such as Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Oracle Cloud. These public cloud providers offer cost-effective, scalable cloud computing solutions.
Among the many benefits of operating on the public cloud, users share the security responsibilities with the CSP. Typically, the CSP is responsible for the physical security of the cloud infrastructure, while the customer is responsible for securing the services and/or applications they use. The division of these responsibilities is known as the shared responsibility model for cloud security.
Shared Responsibility Model Characteristics
Based on the type of cloud environment required by an organization, the delineation of security responsibilities will differ. Responsibilities vary according to the four main types of cloud environments:
- Infrastructure as a Service (IaaS)
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Function as a Service (FaaS)
Ultimately however, the protection of an organization’s data lies with the organization itself. That’s where the Center for Internet Security (CIS) can help. CIS strives to make the connected world a safer place by developing, validating, and promoting best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats. Thus, our vision is to lead the global community to secure our ever-changing connected world. A portion of that is providing organizations with resources that can help them meet their part of the shared responsibility model for cloud security.
Cloud Security Resources Available from CIS
CIS works with a global community to develop three main security best practices that can help cloud consumers meet the shared responsibility model:
A prioritized set of 20 actions that collectively form a defense-in-depth set of best practices. The CIS Controls are practical and prescriptive actions that organizations should take to prevent common cyber-attacks.
The CIS Controls Cloud Companion Guide is a free resource that can help users apply the CIS Controls in the cloud. Notably, the guide maps the CIS Controls to the four main types of cloud environments.
The CIS Benchmarks are configuration guidelines for technologies, operating systems, containers, and more. There are more than 100 CIS Benchmarks covering 25+ vendor product families.
In particular, the CIS Foundations Benchmarks provide prescriptive guidance for configuring, deploying, and securing services in public cloud environments. This resource can assist cloud users with the shared responsibility model, notably identity and access management. A free CIS Foundations Benchmark is available for the following cloud environments:
- Amazon Web Services (AWS)
- Microsoft Azure
- Google Cloud Platform (GCP)
- Oracle Cloud Infrastructure
- Alibaba Cloud
- IBM Cloud
CIS Hardened Images
Lastly, CIS Hardened Images are virtual machine images for operating systems, containers, and applications. They’re pre-configured to CIS Benchmark recommendations. Backed by a global community of cybersecurity experts and built off of the base image provided by CSPs, CIS Hardened Images seamlessly integrate into an organization’s security procedures. Because they’re an IaaS environment, CIS Hardened Images can help with the host infrastructure part of the shared responsibility model.
What’s more, CIS updates and patches these Hardened Images on a monthly basis to ensure the latest security configurations are in place. Every CIS Hardened Image includes a CIS-CAT Pro report showing conformance to the CIS Benchmark. It also includes an exception report showing configurations that cannot be applied in the cloud.
CIS Hardened Images are available on four major CSP marketplaces:
- AWS Marketplace including AWS GovCloud (US) region
- Microsoft Azure Marketplace including Azure Government
- Google Cloud Platform Marketplace
- Oracle Cloud Marketplace
CIS Shared Responsibility Model Resource
The shared responsibility model for cloud security provides clarity on security expectations for public cloud users. However, an understanding of the expectation is just the first step. Users must act on these responsibilities by creating policies and procedures for their portion of cloud security. In order to do this, cloud consumers should use cloud security tools and resources that directly address the needs of their cloud environment.
In sum, whether they’re used together or individually, CIS Controls, CIS Benchmarks, and CIS Hardened Images provide organizations operating in the cloud prescriptive guidance to secure their environments. They also help organizations conform to the shared responsibility model with ease. In this guide, we provide a deep dive into the shared responsibility model for cloud security, the division of user and CSP responsibilities, and how CIS resources help meet those responsibilities.