CIS Hardened Images: Reconciling Cloud Security and Services

Cloud computing carries many benefits for your business...as long as you're able to ensure the performance and availability of your cloud environments.

Let's take the following three cloud computing benefits as examples.

  • Rapidly scale cloud services: In the absence of performance and availability, you can't reliably scale your cloud computing services to fit your needs. This means that your organization could miss out on taking advantage of certain resources, or it might need to pay for resources it no longer needs for a period of time.
  • Faster disaster recovery of cloud services: Poor availability in the cloud means that you can't count on having cloud-based backups available in the event of a disaster. Even if they are available, poor performance might render those backups incomplete, potentially costing your organization due to lost data, intellectual property, etc.
  • Access to innovative technology: In the absence of performance and availability, you can't use the cloud to adequately experiment with new technology such as artificial intelligence and machine learning. This can give you an inaccurate picture of how new technologies work, causing you to lose out by not innovating now.

At the Center for Internet Security® (CIS®), we understand the importance of performance and availability for your cloud environments. We also understand that cloud security is one of your priorities but that you need security in the cloud to work for you. Whatever cloud security resources you're using must be compatible with the services you use to power your environments.

I get it. That's why I'm pleased to announce that CIS Hardened Images® have been tested with two popular cloud services: Azure Monitor Agent and Azure Update Manager. In this blog, I'll explain the importance of this testing, provide some examples of the issues we tested for, explore what compatibility with these services means for you, and briefly discuss the future of CIS Hardened Images testing.

Make Sure Your Cloud Security Essentials Are Covered

The CIS Hardened Images are virtual machine images that are pre-hardened to the security recommendations of the CIS Benchmarks™. Every CIS Hardened Image comes with a CIS-CAT® Pro assessment report. This enables you to see how well the image conforms to the corresponding CIS Benchmark so that you can make an informed decision about securing your operating systems in the cloud.

We decided to pursue compatibility testing for our CIS Hardened Images for two main reasons. First, the cloud services we selected perform essential functions related to your use of virtual images.

  • Azure Monitor Agent is a service that helps you evaluate and remediate issues affecting the availability and performance of your applications and services in Microsoft Azure.
  • Azure Update Manager enables you to monitor, manage, schedule, and implement updates for your Azure virtual machines.

This leads to the second reason: customers like you have requested that CIS review the compatibility of CIS Hardened Images with these services. We've seen your requests about Azure Monitor Agent and Azure Update Manager, and we want to help, so we began testing the compatibility of CIS Hardened Images with these services.

Let's take a look at the results of our testing with each of the two services discussed above.

Azure Monitor Agent

Our initial testing focused on CIS Hardened Images for Linux. Overall, the testing process went smoothly. The Azure team made a few tweaks to Azure Monitor Agent throughout the investigation with CIS to account for the differences across various Linux distributions. Even so, there weren't any issues where the Azure Monitor Agent functionality was degraded when installed on a CIS machine.

The changes the Azure team did make to Azure Monitor Agent were to fix cases where the installed agent left the system out of compliance with CIS Benchmark settings. Primarily, these involved file and directory ownership and permissions (too permissive) and the network configuration of one Azure Monitor Agent sub-component, which was listening on all interfaces rather than only on loopback.
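Those two regression classes are easy to check for yourself after installing any agent on a hardened image. The following POSIX shell script is an added example, not CIS or Microsoft code: `check_listeners` flags listening sockets not bound to loopback from `ss -Hlntu` output, and `check_perms` flags files under an install directory that are world-writable or not owned by the expected user. The sample `ss` lines and the `AGENT_DIR` placeholder are constructed for illustration; the real install path of Azure Monitor Agent is not stated on this page.

```shell
#!/bin/sh
# Added example, not CIS or Microsoft code: post-install audit for the two
# regression classes the text describes. The sample `ss` output below and the
# AGENT_DIR placeholder are constructed for illustration.

# Flag listening sockets not bound to loopback.
# Reads `ss -Hlntu` output on stdin (field 5 is Local Address:Port).
# Prints one line per offending socket; returns 1 if any were found.
check_listeners() {
    bad=0
    while read -r netid state rq sq laddr peer rest; do
        [ -n "$netid" ] || continue
        case "$laddr" in
            127.*:*|"[::1]:"*) ;;   # loopback: acceptable
            *) echo "non-loopback listener: $netid $laddr"; bad=1 ;;
        esac
    done
    return $bad
}

# Flag files/directories under $1 that are world-writable or not owned by $2
# (default root; a numeric uid is also accepted). Returns 1 if any were found.
check_perms() {
    dir=$1; owner=${2:-root}
    found=$(find "$dir" \( -perm -0002 -o ! -user "$owner" \) -print)
    if [ -n "$found" ]; then
        printf 'lax ownership/permissions:\n%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample of `ss -Hlntu` output: two loopback listeners (fine) and
# two bound to all interfaces (findings). Ports are arbitrary.
SAMPLE_SS='tcp LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:12345 0.0.0.0:*
tcp LISTEN 0 128 [::1]:631 [::]:*
udp UNCONN 0 0 *:68 *:*'

printf '%s\n' "$SAMPLE_SS" | check_listeners
echo "sample listener check exit status: $?"

# Live use on a host (AGENT_DIR is a placeholder, not the agent's real path):
#   ss -Hlntu | check_listeners
#   AGENT_DIR=${AGENT_DIR:-/opt/example-agent}; check_perms "$AGENT_DIR" root
```

Run both checks before and after installing the agent and diff the output; a new non-loopback listener or a new world-writable path is exactly the kind of finding CIS-CAT Pro would report against the Benchmark.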

With this testing period over, Azure Monitor Agent is now validated for successful deployment and overall functionality (end-to-end data flow for all data types) on all CIS Linux Hardened Images.

What's more, the Azure team has integrated CIS Hardened Images into the pre-release validation process for continual re-validation whenever a new Azure Monitor Agent version becomes available. This guards against functionality regressions in the agent, helping you maintain the performance and availability of these pre-hardened virtual machine images for Linux going forward.

Azure Update Manager

In testing for compatibility with Azure Update Manager, we found that this service requires a shell to execute the updates, gather instance information, and send information back to Azure from the omsagent. That conflicts with the recommendation "Ensure default user shell timeout is 900 seconds or less," which terminates shells that sit idle for longer than the timeout. To accommodate Azure Update Manager in the CIS Linux Hardened Images, we removed the hardening for that recommendation.

If you need the timeout, you can apply the recommendation manually by following the remediation instructions in the CIS Benchmark PDF, but doing so will prevent Azure Update Manager from working with that CIS Linux Hardened Image. You can also review our Knowledge Base article for more information.
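To see which state an image is actually in, the following POSIX shell script is an added example (not CIS's own audit or remediation content). It reads the usual shell startup files (`profile`, `bashrc`, `bash.bashrc`, `profile.d/*.sh`) under a directory you pass, so it can be pointed at `/etc` on a host or at a scratch copy, and it can write or remove the three-line drop-in the recommendation calls for. The drop-in file name `99-tmout.sh` is an assumption, not the Benchmark's own name. Exit status 1 means the timeout is absent (the shipped, Azure Update Manager-compatible state), 2 means it is present but weaker than the recommendation, and 0 means it meets the recommendation.

```shell
#!/bin/sh
# Added example, not CIS or Microsoft code. Audits and toggles the "default
# user shell timeout" setting (TMOUT) in the shell startup files under a
# directory. The drop-in file name 99-tmout.sh is an assumption.

# tmout_status DIR
#   0: TMOUT set to 1..900, readonly and exported (meets the recommendation)
#   1: TMOUT not set (shipped image state; Azure Update Manager keeps working)
#   2: TMOUT set but too large, not readonly, or not exported
tmout_status() {
    dir=$1
    files=$(ls "$dir/profile" "$dir/bashrc" "$dir/bash.bashrc" "$dir"/profile.d/*.sh 2>/dev/null || true)
    all=$(for f in $files; do cat "$f"; done)
    # The last assignment wins, approximating the order the shell reads them.
    val=$(printf '%s\n' "$all" \
        | sed -nE 's/^[[:space:]]*(readonly[[:space:]]+|export[[:space:]]+)?TMOUT=([0-9]+).*/\2/p' \
        | tail -n 1)
    if [ -z "$val" ]; then
        echo "TMOUT not set"
        return 1
    fi
    if [ "$val" -eq 0 ] || [ "$val" -gt 900 ]; then
        echo "TMOUT=$val exceeds 900 seconds"
        return 2
    fi
    if ! printf '%s\n' "$all" | grep -Eq '^[[:space:]]*readonly[[:space:]]+TMOUT'; then
        echo "TMOUT=$val but not readonly (a user could unset it)"
        return 2
    fi
    if ! printf '%s\n' "$all" | grep -Eq '^[[:space:]]*export[[:space:]]+TMOUT'; then
        echo "TMOUT=$val but not exported"
        return 2
    fi
    echo "TMOUT=$val, readonly, exported"
    return 0
}

# apply_tmout DIR [SECONDS]: write the three-line drop-in the Benchmark
# remediation describes. Re-applying this on a CIS Linux Hardened Image will
# break Azure Update Manager, as the text above warns.
apply_tmout() {
    dir=$1; secs=${2:-900}
    mkdir -p "$dir/profile.d"
    printf 'TMOUT=%s\nreadonly TMOUT\nexport TMOUT\n' "$secs" > "$dir/profile.d/99-tmout.sh"
}

# remove_tmout DIR: return to the shipped, Update Manager-compatible state.
remove_tmout() {
    rm -f "$1/profile.d/99-tmout.sh"
}

# Demonstration on a scratch directory, not /etc. To audit a host: tmout_status /etc
demo=$(mktemp -d)
tmout_status "$demo"           # TMOUT not set
apply_tmout "$demo" 900
tmout_status "$demo"           # meets the recommendation
apply_tmout "$demo" 3600
tmout_status "$demo"           # exceeds 900 seconds
rm -rf "$demo"
```

Run `tmout_status /etc` on a CIS Linux Hardened Image you intend to manage with Azure Update Manager: exit status 1 is the expected result, and any other result means someone has re-applied the timeout and the service will break.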

As of this writing, Azure Update Manager supports 35 CIS Hardened Images. Several more are in progress, according to Microsoft.

Our Plans for Future Compatibility Testing

We will continue to test some of the most requested services and applications to help you balance security and functionality going forward. We can't always make changes, nor can we test everything; if a recommendation that causes a conflict brings significant security value, we won't change the configuration. Even then, it helps to identify where the issue is so that we can document it, communicate it to you, and explain the impact of the setting.

With this in mind, we encourage you to give us feedback on services you're using with CIS Hardened Images that may have compatibility issues. This work is driven entirely by user requests. We're willing to listen and to try to help.

About the Author

Mia LaVada is a product manager for the CIS Benchmarks and Cloud products at the Center for Internet Security (CIS). She has been with CIS since June 2019. As a strong believer in the power of community, LaVada regularly works with CIS Members to help ensure CIS addresses the needs of the global cybersecurity community. She's also particularly passionate about finding solutions to further secure the ever-changing cloud ecosystem.