TechTarget.com/searchsecurity

https://www.techtarget.com/searchsecurity/tip/How-to-use-CIS-benchmarks-to-improve-public-cloud-security

How to use CIS benchmarks to improve public cloud security

By Dave Shackleford

The Center for Internet Security provides consensus-based, vendor-agnostic configuration standards for the cloud. Known as CIS Foundations Benchmarks, these best practices were developed to help organizations secure public cloud environments at the account level.

Security leaders and cloud engineering teams can use the CIS benchmarks for cloud security in a couple of ways. First, referencing independent standards of best practice security controls and configuration settings can aid in defining internal requirements for secure cloud deployments. This is imperative when defining and ratifying policies and standards that all business units and IT operations teams are expected to adhere to in their own cloud accounts and subscriptions. Second, the benchmarks can help organizations develop a continuous monitoring and reporting strategy for cloud control plane and asset compliance.

How implementation improves security

Public cloud customers can experience both immediate and lasting benefits from implementing CIS benchmarks for cloud security. Short-term payoffs include an improved security posture and a reduced number of vulnerabilities in common cloud asset categories, such as VMs and other workloads. Implementing the framework can also scale down the immediate attack surface tied to exposed and potentially misconfigured cloud control plane services.

Long-term benefits include an improved security posture overall within an organization's cloud environment, as well as enhanced monitoring and reporting on configuration. This enables the development of more accurate metrics and reporting on vulnerabilities, thus driving improvements in both security and operational efficiency.

Many question whether the CIS cloud security framework should be considered an advanced end goal or more of a security starting point. In many ways, the answer is both. CIS benchmarks are created with two tiers of recommendations. Level 1 recommendations are intended to provide immediate security benefits. They are relatively practical, simple to implement and rarely inhibit or break cloud service or asset functionality in any way. Level 1 benchmark items should be the starting point for all organizations and are widely considered baseline best practices that can be enabled quickly and easily by almost anyone.

Level 2 items, however, provide stronger security capabilities and a more layered defense-in-depth posture. CIS cloud security controls at this level may lead some services or assets to perform poorly or even break in some scenarios. Organizations subject to stringent security requirements may regard Level 2 CIS benchmark items as short-term goals, but most will pursue them as part of a longer-range strategy.

Scope of CIS Foundations for public cloud

Currently, CIS benchmarks are available to download for each of the following public cloud environments:

Though CIS benchmarks for one given platform may vary from those of other platforms, there are notable commonalities. All CIS benchmarks for the public cloud have similar suggested categories of control, ranging from VM workload security to storage and data security settings to privileged access control.

CIS cloud security control recommendations

Among the most universal and actionable recommendations from CIS are the following:

How the CIS cloud security framework can improve

Large cloud service environments are evolving at an increasingly rapid pace. Though CIS Foundations Benchmarks cover the core fundamentals of cloud security controls and configuration, more frequent updates to the consensus-based guidelines would help better serve organizations by providing the most current guidance.

Additionally, aligning the benchmarks with industry attack models and frameworks, such as MITRE ATT&CK for cloud, would help educate stakeholders on which controls can protect them in real-world cloud attack scenarios.

06 May 2021
