Cloud service providers (CSPs) have changed the way organizations of all sizes architect and deploy their IT environments. CSPs now make it possible for organizations to rapidly implement new technologies with greater levels of ease and scalability.
As with any new opportunity, leveraging cloud technology also introduces new forms of risk. Industry standards give organizations guidance for creating policies and plans and for managing their cloud environments. Organizations that do not use industry standards to harden their environments leave themselves open to cyber-attacks and misconfiguration.
Cloud environments evolve and change, and CSPs are constantly adding new functional services that come with unique configuration and security tools to manage them. However, organizations cannot be solely dependent on the CSP for security.
One of the most effective ways for organizations to secure their public cloud accounts is to use the CIS Foundations Benchmarks. Learn more about them and learn which new cloud security resources will be coming soon from CIS.
The CIS Foundations Benchmarks are a part of the family of cybersecurity standards managed by the Center for Internet Security (CIS). CIS Benchmarks are consensus-based, vendor-agnostic secure configuration guidelines for the most commonly used systems and technologies.
There are more than 100 free CIS Benchmarks PDFs covering 25+ vendor product families such as operating systems, servers, cloud providers, mobile devices, desktop software, and network devices. The CIS Foundations Benchmarks provide guidance for public cloud environments at the account level.
The CIS Foundations Benchmarks cover:
CIS Benchmarks are consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia. The CIS Foundations Benchmarks are intended for system and application administrators, security specialists, auditors, help desk, platform deployment, and/or DevOps personnel who plan to develop, deploy, assess, or secure solutions in the cloud. They are available at no cost to download in PDF format.
While all CIS Foundations Benchmarks are tailored to their respective CSPs, the document contents all have common features and are organized with a similar structure. At a minimum, they provide prescriptive guidance specific to Identity and Access Management (IAM), logging and monitoring, and networking.
Take IAM as an example. In all CIS Foundations Benchmarks, there is at least one recommendation regarding multi-factor authentication (MFA). The configuration recommendations vary across the platforms, but the intent is the same. In each CIS Foundations Benchmark recommendation, you’ll find the following sections:
While the recommendations are specific to the services and tools of each platform, users can trust that all CIS Foundations Benchmarks provide prescriptive guidance to secure account-level elements of public cloud platforms.
The CIS Foundations Benchmarks are part of a portfolio of globally recognized resources provided by CIS to help organizations secure their operations in public cloud environments. In addition, the CIS Controls Cloud Companion Guide can help CSP customers fulfill their part of the model for shared security responsibility in the cloud:
The CIS Controls Cloud Companion Guide provides guidance on how to apply the security best practices found in the CIS Controls to the four main “as-a-service” cloud environments. Additional steps needed in any cloud environment are explained, based on the individual service models.
CIS Hardened Images are pre-configured virtual machine images hardened in accordance with the security recommendations of CIS Benchmarks. CIS Hardened Images are updated on a monthly basis to ensure that the latest security configurations are in place and that the images are patched for vulnerabilities.