3 CIS Resources to Help You Drive Your Cloud Cybersecurity
In a previous blog post, we discussed how security and compliance are two of the biggest factors for why cloud migrations fail. Specifically, you and your cloud service provider commonly have different security and compliance goals that you need to navigate.
In the process of moving to the cloud, you need a security-first cloud migration strategy that considers both your security and compliance requirements upfront. In this blog post, we’ll discuss how you can use resources from the Center for Internet Security® (CIS®) to create such an approach.
Security Choices in the Cloud
To create a cloud security program, you have two main options to consider. As your first option, you can choose to manage the security of your workloads yourself. The advantage of choosing this route is that you will implement a custom fit to your organization and the needs of your business. However, you might not have knowledge of cloud security best practices, in-house expertise, or the desire to spend significant resources towards cloud security management. Cloud security is complex, requiring different technical skill sets and tooling than on-premises security programs.
Alternatively, you can buy pre-configured or managed services to create a comprehensive cloud security program. In doing so, you'll get to use a partner or product as a force multiplier that will enable you to safely operate in the cloud without incurring unnecessary technical debt and expense. This option can be especially helpful if you're in the beginning stages of wanting to keep your cloud secure.
Neither of the two options discussed above is better than the other. It's about identifying your organization's needs and selecting a method that works best for you to achieve them.
Getting Started with CIS Resources in the Cloud
At CIS, our mission is to make the connected world a safer place. We have numerous tools and resources that can help organizations of every size make their cloud migration journey simpler and more secure. Let's go over them below.
The CIS Critical Security Controls® (CIS Controls®)
The CIS Controls consist of prescriptive, prioritized, and simplified security best practices that you can use to strengthen your cybersecurity posture across your environments, including in the cloud. The CIS Controls v8 Cloud Companion Guide provides context around how each Control applies not only to the cloud but also to individual service models, what your responsibility looks like for a Control within applicable service models, and what products, tools, and threat information (if any) you need to consider. In that way, you can plan your implementation efforts to maximize your time, effort, and efficacy.
The CIS Benchmarks™
The CIS Benchmarks are consensus-developed secure configuration guidelines that you can use to harden your systems, from operating systems (OSes) to cloud platforms, across 25+ vendor product families. Their security recommendations don't just map back to the Controls; they are also referenced by several industry frameworks and regulations such as PCI DSS and HIPAA.
In the context of the cloud, the Benchmarks have several resources to help. These are the Foundations Benchmarks, the Compute Benchmarks, and the CIS Build Kits and CIS Configuration Assessment Tool (CIS-CAT)®.
The CIS Foundations Benchmarks
The CIS Foundations Benchmarks are designed to help you create foundational security in the cloud by focusing on three essential areas: identity and access management (IAM), logging and monitoring, and networking. They consist of 50-60 security recommendations so that you can get started in the cloud and quickly set up essential security policies on a specific cloud service provider (CSP) platform.
Each CIS Foundations Benchmark is organized into sections that tell you exactly which CSP services it covers. Some recommendations apply to every account and are essential to your security. As an example, our CIS AWS Foundations Benchmark includes the recommendation "Ensure MFA is enabled on the root account," which you implement through AWS IAM. Other sections depend on whether you consume a given service. If you don't use Amazon EC2, for instance, you can disregard the EC2 recommendations.
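The root-MFA recommendation quoted above is audited in the Benchmark by reading the IAM account summary and inspecting the AccountMFAEnabled counter. As an added example (not code from the CIS post, from CIS-CAT, or from any CIS product), here is a small evaluator that applies that check, plus the sibling "no root access keys" recommendation from the same Benchmark (read from AccountAccessKeysPresent), to a summary map. The summary dicts are constructed samples in the shape IAM returns; the optional live fetch through boto3 is an assumption about the caller's environment and is not needed to run the evaluator.

```python
"""
Added example: offline evaluator for two CIS AWS Foundations recommendations
driven by the IAM account summary (the same data `aws iam get-account-summary`
prints). Not CIS code; the sample summaries below are constructed.
"""
from dataclasses import dataclass
from typing import Mapping


@dataclass(frozen=True)
class Finding:
    recommendation: str
    status: str  # "PASS" or "FAIL"
    detail: str


def evaluate_root_mfa(summary: Mapping[str, int]) -> Finding:
    """CIS AWS Foundations: "Ensure MFA is enabled on the root account".

    IAM reports AccountMFAEnabled as 1 when a virtual or hardware MFA device
    is attached to the root user and 0 otherwise. A missing key is treated as
    a failure: an absent control must never be reported as PASS.
    """
    rec = "Ensure MFA is enabled on the root account"
    value = summary.get("AccountMFAEnabled")
    if value == 1:
        return Finding(rec, "PASS", "root user has an MFA device attached")
    if value is None:
        return Finding(rec, "FAIL", "AccountMFAEnabled not present in summary")
    return Finding(rec, "FAIL", f"AccountMFAEnabled={value}")


def evaluate_root_access_keys(summary: Mapping[str, int]) -> Finding:
    """CIS AWS Foundations: no access keys should exist for the root user.

    AccountAccessKeysPresent is 1 when the root user has at least one access
    key (active or inactive) and 0 otherwise. Missing key is again a FAIL.
    """
    rec = "Ensure no root user access keys exist"
    value = summary.get("AccountAccessKeysPresent")
    if value == 0:
        return Finding(rec, "PASS", "no root access keys present")
    if value is None:
        return Finding(rec, "FAIL", "AccountAccessKeysPresent not present in summary")
    return Finding(rec, "FAIL", f"AccountAccessKeysPresent={value}")


def evaluate_account(summary: Mapping[str, int]) -> list[Finding]:
    """Run every evaluator in this module and return the findings in order."""
    return [evaluate_root_mfa(summary), evaluate_root_access_keys(summary)]


def is_compliant(summary: Mapping[str, int]) -> bool:
    """True only when every evaluated recommendation passes."""
    return all(f.status == "PASS" for f in evaluate_account(summary))


def fetch_account_summary():
    """Live path (assumption: boto3 installed and AWS credentials configured).

    Calls IAM GetAccountSummary and returns its SummaryMap so the same
    evaluators can run against a real account. Imported lazily so the
    offline evaluator carries no dependency.
    """
    import boto3
    return boto3.client("iam").get_account_summary()["SummaryMap"]


# Constructed sample summaries (not real accounts), trimmed to the keys read here.
SAMPLE_HARDENED = {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0}
SAMPLE_WEAK = {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1}

if __name__ == "__main__":
    for name, summary in (("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK)):
        for f in evaluate_account(summary):
            print(f"{name:9} {f.status:4} {f.recommendation}: {f.detail}")
        print(f"{name:9} compliant={is_compliant(summary)}")
```

The fail-closed handling of a missing key is deliberate: a summary that lacks the field (for example because a restricted role could not read it) should surface as a finding to investigate, not as a silent pass.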
The CIS Cloud Service Category Benchmarks
The Foundations Benchmarks' 50-60 recommendations intentionally make it easy for you to create foundational security on a CSP platform. From there, you can take additional steps to holistically secure your cloud environment using the CIS Cloud Service Category Benchmarks, such as the CIS AWS Compute Services Benchmark. These resources tell you which security recommendations to implement if you're using specific services that are beyond the scope of the Foundations Benchmarks. In that way, you can securely configure your use of compute, database, storage, and other services in a CSP.
CIS Build Kits and CIS-CAT
The Benchmarks, including the Foundations Benchmarks and Cloud Service Category Benchmarks, are available in Word, Excel, and PDF formats. However, with CIS-CAT, you can move more quickly from policy to implementation and automate the assessment of your systems' configurations against the Benchmarks. You can also customize and rapidly apply the Benchmark recommendations to remediate your systems using the CIS Build Kits, which are available as Group Policy Objects and Bash shell scripts.
CIS Hardened Images®
You're ultimately responsible for the security of a guest operating system (OS) on virtual machine images in the cloud. This can be difficult to do. As mentioned previously, the CIS Benchmarks are documents that point the way to system hardening, but without additional resources, you'll need to manually implement the 200-300 security recommendations in the cloud one by one.
Fortunately, CIS Hardened Images can help! These virtual machine images are pre-configured to the security recommendations of the CIS Benchmarks. In that sense, you can spin up a pre-hardened OS without having to spend time and money on manual hardening.
Digging into the Details of Cloud Cybersecurity
The CIS Controls, CIS Benchmarks, and CIS Hardened Images can all help you secure the cloud in the ways we discussed above. In a future blog post, we'll dive deeper and discuss how you might begin using these resources once you've migrated to the cloud. In the process, you'll better understand the security impact of your individual implementation actions.
About the Authors
Don Freeley
VP of IT Services
Don Freeley is a technologist with more than 25 years of experience leading architecture, engineering, and IT organizations. As Vice President of Information Technology Services, he is responsible for the delivery of innovative, reliable, and secure computing environments that support and enhance CIS’s global mission.
In addition to managing daily technology operations, Freeley provides strategic leadership for a fast-growing company globally recognized as a leader in cybersecurity. Prior to joining CIS in 2023, he led IT, Architecture, and Engineering organizations at global companies, helping public and private sector organizations deploy and use technology securely at scale.
Freeley holds a Bachelor of Science in Computer Science from the University of Massachusetts.
Mia LaVada
Product Manager, CIS Benchmarks and the Cloud
Mia LaVada is a product manager for the CIS Benchmarks and Cloud products at the Center for Internet Security (CIS). She has been with CIS since June 2019. As a strong believer in the power of community, LaVada regularly works with CIS Members to help ensure CIS addresses the needs of the global cybersecurity community. She’s also particularly passionate about finding solutions to further secure the ever-changing cloud ecosystem.
Charity Otwell
Director of the CIS Critical Security Controls (CIS Controls)
Charity Otwell is the Director of the CIS Critical Security Controls. She has nearly 20 years of experience in the financial services industry and has built and led various programs such as Business Continuity, Disaster Recovery, Technology Governance, and Enterprise Architecture in a highly regulated environment. Before coming to CIS, Otwell was a GRC champion and practitioner with a focus on risk assessment, process optimization, process engineering, and best practice adoption for a top-50 bank within the United States. She also helped manage the relationship with federal regulators and the management of federal regulatory exams. She completed undergraduate and graduate studies in Birmingham, AL and holds multiple industry