New Guidance for Securing Cloud Environments

Cloud computing is poised to drive organizations' digital strategies over the coming years. According to Gartner, more than 85% of organizations will embrace a "cloud-first principle" by 2025. The same proportion said they'll look to cloud technologies to deliver on their business goals going forward.

Along the way, they'll need to consider the challenges of securing the cloud. Asset visibility, data protection, and other security functions become more complex when organizations don't own an environment's underlying physical infrastructure. Attackers know that organizations are struggling to navigate these complexities on their own. This explains why external cloud assets were more prevalent than on-premises resources in both incidents and breaches for 2021, as Verizon found in its Data Breach Investigations Report (DBIR).

Security Best Practices in the Cloud

Organizations don't need to go it alone in their cloud security efforts. In fact, they can use a familiar set of best practices to create secure cloud environments.

Working with an army of global adopters and cybersecurity experts, the CIS Critical Security Controls (CIS Controls) team has created a cloud security companion guide to help organizations secure their cloud-based assets. The CIS Controls v8 Cloud Companion Guide explains how to map and implement relevant CIS Safeguards in a cloud environment using consensus-developed best practices.

Cloud Challenge: Sharing the Responsibility

One of the main challenges in applying best practices to cloud environments is that these systems operate under assumed security responsibilities that differ from those of traditional on-premises environments. There is often a shared security responsibility between the user and the cloud provider. In the Guide, we identify who is responsible for the cloud security tasks outlined in the Safeguards. These duties are specific to the four most common cloud service models:

  • IaaS (Infrastructure as a Service)
  • PaaS (Platform as a Service)
  • SaaS (Software as a Service)
  • FaaS (Function as a Service)

Throughout this Guide, we consider the unique mission and business requirements found in cloud environments. We also examine unique risks (vulnerabilities, threats, consequences, and security responsibilities) to cloud environments. These risks drive the priority of enterprise security requirements (e.g., availability, integrity, and confidentiality of data).

Using the CIS Controls v8 Cloud Companion Guide, the consumer will have the tools they need to tailor the CIS Controls in the context of a specific IT/OT cloud environment. It’s an essential starting point for those who wish to conduct a security improvement assessment and create a corresponding map for the road ahead.

Securing the Connected World

Advancements in cloud technologies have brought people together in new and exciting ways. The key to creating secure cloud environments comes from the community, too – specifically, bringing experts together to create consensus-developed resources like the CIS Controls companion guides.

We are deeply grateful for the volunteers who helped develop the CIS Controls v8 Cloud Companion Guide. We hope our resources help your enterprise bolster its defenses.