Cloud Hardening: Security Configuration Best Practices For Fast and Effective

by Douglas Bernardini

Cloud service providers (CSPs) have changed the way organizations of all sizes architect and deploy their IT environments. CSPs now make it possible for organizations to rapidly implement new technologies with greater levels of ease and scalability.

As with any new opportunity, leveraging cloud technology also introduces new forms of risk. Industry standards provide organizations guidance to create policies, plans, and to manage their cloud environments. Organizations that do not use industry standards to harden their environments leave themselves open to cyber-attacks and misconfiguration.

Cloud environments evolve and change, and CSPs are constantly adding new functional services that come with unique configuration and security tools to manage them. However, organizations cannot be solely dependent on the CSP for security.

One of the most effective ways for organizations to secure their public cloud accounts is to use the CIS Foundations Benchmarks. Learn more about them and learn which new cloud security resources will be coming soon from CIS.


CIS Foundations Benchmarks Overview

The CIS Foundations Benchmarks are a part of the family of cybersecurity standards managed by the Center for Internet Security (CIS). CIS Benchmarks are consensus-based, vendor-agnostic secure configuration guidelines for the most commonly used systems and technologies.

There are more than 100 free CIS Benchmarks PDFs covering 25+ vendor product families such as operating systems, servers, cloud providers, mobile devices, desktop software, and network devices. The CIS Foundations Benchmarks provide guidance for public cloud environments at the account level.

The CIS Foundations Benchmarks cover:

  • Amazon Web Services see pdf
  • Microsoft Azure see pdf
  • Google Cloud Computing Platform see pdf 
  • Oracle Cloud Infrastructure
  • IBM Cloud
  • Alibaba Cloud

CIS Benchmarks are consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia. The CIS Foundations Benchmarks are intended for system and application administrators, security specialists, auditors, help desk, platform deployment, and/or DevOps personnel who plan to develop, deploy, assess, or secure solutions in the cloud. They are available at no cost to download in PDF format.


How CIS Foundations Benchmarks Work

While all CIS Foundations Benchmarks are tailored to their respective CSPs, the document contents all have common features and are organized with a similar structure. At a minimum, they provide prescriptive guidance specific to Identity and Access Management (IAM), logging and monitoring, and networking.

Take IAM as an example. In all CIS Foundations Benchmarks, there is at least one recommendation regarding multi-factor authentication (MFA). The configuration recommendations vary across the platforms, but the intent is the same. In each CIS Foundations Benchmark recommendation, you’ll find the following sections:

  • Profile Applicability – Identifies whether the recommendation relates to a Level 1 (standard security), or Level 2 (higher security) profile
  • Description – An easy-to-understand explanation of the recommendation and why it’s important
  • Audit – A detailed description of how to evaluate the status of the recommendation in its current configuration
  • Remediation – Step-by-step guidance on how to successfully implement the recommendation
  • References – Links to supporting documentation
  • Additional Information – Further explanation, if necessary
  • CIS Controls – Maps the recommendation to the specific CIS Control

While the recommendations are specific to the services and tools of each platform, users can trust that all CIS Foundations Benchmarks provide prescriptive guidance to secure account-level elements of public cloud platforms.


Shared Cloud Security Responsibility Resources

The CIS Foundations Benchmarks are part of a portfolio of globally-recognized resources provided by CIS to help organizations secure their operations in public cloud environments. In addition, the CIS Controls Cloud Companion Guide can help CSP customers fulfill their part of the model for shared security responsibility in the cloud:

  • Shared Responsibility Model describes the shared responsibilities between the cloud provider, the users, and the IT organization. Rather than leaving the responsibility and trust solely in the CSP’s hands, the model outlines what security actions an organization is responsible for and what security actions the CSP should manage.

The CIS Controls Cloud Companion Guide provides guidance on how to apply the security best practices found in the CIS Controls to the four main “as-a-service” cloud environments. Additional steps needed in any cloud environment are explained, based on the individual service models.

CIS Hardened Images are pre-configured virtual machine images hardened in accordance to the security recommendations of CIS Benchmarks. CIS Hardened Images are updated on a monthly basis to ensure the latest security configurations are in place and patched for vulnerabilities.