The Center for Internet Security provides consensus-based, vendor-agnostic configuration standards for the cloud. Known as CIS Foundations Benchmarks, these best practices were developed to help organizations secure public cloud environments at the account level.
Security leaders and cloud engineering teams can use the CIS benchmarks for cloud security in a couple of ways. First, referencing independent standards of best practice security controls and configuration settings can aid in defining internal requirements for secure cloud deployments. This is imperative when defining and ratifying policies and standards that all business units and IT operations teams are expected to adhere to in their own cloud accounts and subscriptions. Second, the benchmarks can help organizations develop a continuous monitoring and reporting strategy for cloud control plane and asset compliance.
How implementation improves security
Public cloud customers can experience both immediate and lasting benefits from implementing CIS benchmarks for cloud security. Short-term payoffs include an improved security posture and a reduced amount of vulnerabilities in common cloud asset categories, such as VMs and other workloads. Implementing the framework can also scale down the immediate attack surface tied to exposed and potentially misconfigured cloud control plane services.
Long-term benefits include an improved security posture overall within an organization's cloud environment, as well as enhanced monitoring and reporting on configuration. This enables the development of more accurate metrics and reporting on vulnerabilities, thus driving improvements in both security and operational efficiency.
Many question whether the CIS cloud security framework should be considered an advanced end goal or more of a security starting point. In many ways, the answer is both. CIS benchmarks are created with two tiers of recommendations. Level 1 recommendations are intended to provide immediate security benefits. They are relatively practical, simple to implement and rarely inhibit or break cloud service or asset functionality in any way. Level 1 benchmark items should be the starting point for all organizations and are widely considered baseline best practices that can be enabled quickly and easily by almost anyone.
Level 2 items, however, provide stronger security capabilities and a more layered defense-in-depth posture. CIS cloud security controls at this level may lead some services or assets to perform poorly or even break in some scenarios. Organizations subject to stringent security requirements may regard Level 2 CIS benchmark items as short-term goals, but most will pursue them as part of a longer-range strategy.
Scope of CIS Foundations for public cloud
Currently, CIS benchmarks are available to download for each of the following public cloud environments:
- Alibaba Cloud
- Google Cloud Platform
- Google Workspace
- IBM Cloud
- Microsoft Azure
- Oracle Cloud Infrastructure
Though CIS benchmarks for one given platform may vary from those of other platforms, there are notable commonalities. All CIS benchmarks for the public cloud have similar suggested categories of control, ranging from VM workload security to storage and data security settings to privileged access control.
CIS cloud security control recommendations
Among the most universal and actionable recommendations from CIS are the following:
- Create secure cloud workloads that adhere to industry best practices and hardening standards. Store and monitor these new images.
- Enable cloud control plane logging via tools such as AWS CloudTrail or Google Cloud's operations suite (formerly Stackdriver) to provide visibility into all API calls made within a cloud service account. Additionally, cloud-native monitoring and alerting should be configured and enabled.
- Enable strong authentication to any cloud administration interfaces, including the web portal or command line. Implement least privilege identity policies for different cloud operations roles.
- Enable encryption and other data protection measures for cloud storage services.
- Secure cloud-native network access controls to minimize access and enable network flow data to monitor network behavior.
How the CIS cloud security framework can improve
Large cloud service environments are evolving at an increasingly rapid pace. Though CIS Foundations Benchmarks cover the core fundamentals of cloud security controls and configuration, more frequent updates to the consensus-based guidelines would help better serve organizations by providing the most current guidance.
Additionally, aligning the benchmarks with industry attack models and frameworks, such as Mitre ATT&CK for cloud, would help educate stakeholders on which controls can protect them in real-world cloud attack scenarios.