Tackling Audits and Cloud Security Efficiently and at Scale

The State of Minnesota is tasked with managing vast amounts of data. As a state entity, Minnesota needs to ensure the data it manages is protected with the proper cybersecurity controls in place. This is a common requirement; states across the U.S. are regularly audited to ensure compliance with the controls they’ve implemented. Implementing a secure baseline to prepare for audits can be a challenging task, which becomes more complex as organizations move data and infrastructure to the cloud.

Compliance and auditing challenges

Preparing for audits and security scanning was a major challenge for State of Minnesota Security Architects Lisa Ulrich and Terry Seiple. Their team needed a configuration security baseline that would help them pass compliance audits.
Ulrich and Seiple’s team initially took a manual and ad hoc approach to developing their baselines. “Initially, when we were writing our standards…it ended up being problematic to do compliance audits and scans. And it came to fruition one day when I was speaking with our vulnerability management team that they were using the [CIS] Benchmarks.”

The manual approach to configuration security had made it difficult for their team to track configuration settings and monitor for security and compliance. By leveraging the CIS Benchmarks configuration guidelines, they could align with a trusted, consensus-developed security baseline. The CIS Benchmarks also help the Security Architects demonstrate compliance when preparing for audits.

A solution for baseline security

The team discovered they needed a faster and easier way to assess compliance with the controls they had implemented, visualize the results to identify non-compliant systems, and quickly remediate any issues they discovered.

They determined the best way to meet this challenge was to become a CIS SecureSuite Member. As a member, the state was able to quickly and easily deploy the CIS Benchmarks as its baseline security standard.

“Due to the portability of the standards and how they align with NIST, it sets us up well for configuration success,” adds Seiple. “Since we switched over to a standardized CIS Benchmark, it’s easy for us to give the auditor the data and say yeah, we’re using CIS and these devices are going to be compliant with that because we implement the CIS Benchmarks through group policy.”

Along with deploying CIS Benchmarks through group policy across the state’s IT infrastructure, Seiple and the team are also leveraging their SecureSuite Membership to verify compliance with the Benchmark recommendations using CIS-CAT Pro.

This tool quickly compares the configuration of a system against the CIS Benchmark recommendations and reports how well the system conforms to each recommendation.

This combination of easy deployment of, and quick evaluation against, the standards has made the team’s job much easier in the face of an audit or security scan.

“If we fall in alignment with these configuration standards, it just clearly makes sense that it could really lighten the workload on the team of the State of Minnesota,” explains Seiple.

The State of Minnesota operates at roughly 80% on-premises and 20% cloud infrastructure. Multiple agencies within the state rely on the cloud, making it important to keep their cloud infrastructure just as secure as their on-premises environments.

For the state’s cloud environment, Seiple’s team leverages the CIS Amazon Web Services Foundations Benchmark to harden against baseline cybersecurity vulnerabilities. CIS Foundations Benchmarks are available for multiple cloud service providers and offer a strong starting point for securely configuring cloud accounts and services.

Community-driven consensus

Ulrich and Seiple don’t just apply the CIS Benchmarks best practices to their environments; they help develop them, too. The CIS Benchmarks are developed through a unique community consensus process that incorporates guidance from experts around the world. Ulrich and Seiple participate in the Microsoft Windows, Amazon Web Services (AWS), and Internet Explorer communities, where they help develop security best practices and recommendations. “To be able to read in the communities and see what others have done [is] very helpful,” explains Ulrich.

Volunteers participate in cybersecurity discussions on CIS WorkBench, an open community platform for developing security best practices. CIS WorkBench also features additional forums and content for CIS SecureSuite Members.

A huge security value with CIS

CIS SecureSuite Membership helps the State of Minnesota bring systems into compliance using a secure baseline. From implementing and auditing against CIS Benchmarks, to hardening cloud environments, to the security community they’ve discovered, the duo is very pleased with CIS SecureSuite Membership. “I’m really impressed [by] the value you get with CIS,” says Seiple. “It’s huge.”