Secure cloud products and services with new CIS Benchmarks
The cloud continues to expand with new products and services constantly introduced by cloud service providers (CSPs). The Center for Internet Security (CIS) responded with more resources to help secure these capabilities in the cloud. The Beginner’s Guide to Secure Cloud Configurations describes how users can secure public cloud accounts, products, services, and more.
New guidance from the CIS Benchmarks community
CIS called upon its network of volunteers to expand their guidance for the public cloud. This effort resulted in CIS Benchmarks specific to cloud CSP products and services.
Rather than create a CIS Benchmark for every individual service, CIS focused its resources and followed the lead of the CSPs by grouping services by CSP product. Each CSP offers dozens of products, each of which groups cloud services by the function they provide.
Three levels of CIS cloud Benchmarks
The guide presents the three CIS Benchmark categories applicable to the cloud:
- CIS Foundations Benchmarks
- Cloud product-level CIS Benchmarks
- Standalone cloud service CIS Benchmarks
Each Benchmark level provides an additional layer of security, starting with the CIS Foundations Benchmarks and ending with securing virtual machines via CIS Hardened Images.
- CIS Foundations Benchmarks provide an account-level starting point for configuring securely in the public cloud. These resources cover identity and access management, logging and monitoring, networking, etc. Foundational guidance is available for AWS, Azure, Google Cloud Platform, Oracle Cloud, IBM Cloud, and Alibaba Cloud.
- Cloud Product-Level CIS Benchmarks provide CSP product and service configuration guidance and include areas such as compute, databases, storage, and containers. These CIS Benchmarks allow the user to choose the applicable cloud services and configure them according to their environment. The product-level CIS Benchmarks complement the CIS Foundations Benchmarks by providing an additional layer of security built into the cloud services used within the cloud account.
- Standalone Cloud Service CIS Benchmarks are specific to a CSP service that requires more extensive configuration guidance. In these cases, the product-level CIS Benchmark will have a section for the service and will point to the standalone CIS Benchmark for the service.
CIS AWS End User Compute and Kubernetes Benchmarks
The first release of a cloud product-level CIS Benchmark is the CIS AWS End User Compute Services Benchmark. This includes configuration recommendations for Amazon WorkSpaces, Amazon WorkDocs, Amazon AppStream 2.0, and Amazon WorkLink. The user can choose the applicable services and configure them according to what’s running in their environment.
In some cases, the configuration needed for a service warrants a CIS Benchmark specific to that one cloud service. In this scenario, the product-level CIS Benchmark still includes a section for the cloud service, but points to a separate CIS Benchmark for it. An example of a standalone cloud service CIS Benchmark is the family of CIS Kubernetes Benchmarks.
CIS currently offers multiple CIS Benchmarks for Kubernetes:
- Alibaba Cloud Container Service For Kubernetes (ACK)
- Amazon Elastic Kubernetes (EKS)
- Azure Kubernetes Service (AKS)
- Google Kubernetes Service (GKE)
- Kubernetes & Kubernetes V1.20
- Oracle Cloud Infrastructure Kubernetes (OKE)
- Red Hat OpenShift Kubernetes & Red Hat OpenShift Kubernetes v4
Secure configurations with CIS Hardened Images
A virtual image is a snapshot of a virtual machine (VM) that provides the same functionality as a physical computer. Virtual images reside on the cloud and enable users to cost-effectively perform routine computing operations without investing in local hardware and software.
Hardening is a process of limiting potential weaknesses that make systems vulnerable to cyber-attacks. More secure than a standard image, hardened virtual images reduce system vulnerabilities to help protect against malware, insufficient authorization, and remote intrusion.
Securely pre-configured CIS Hardened Images help organizations secure their operating systems in the cloud. CIS Hardened Images meet the requirements of the CIS Benchmarks, and are available on four major cloud computing marketplaces: AWS, Azure, Google Cloud Platform, and Oracle Cloud.
Additional layers of cloud security
CIS works directly with the CSPs to identify the top used cloud products and services on each platform. We then use that information to inform the development plan for future CIS Benchmarks.
All CIS Benchmarks recommendations reference other guidelines and additional resources. With these cloud guides, CIS demonstrates the relationship between the CIS Benchmarks and the CSP documentation. The intention is to inform the user of the guidance available from the CSP, for security and otherwise. This documentation helps the user recognize which responsibilities the CSP holds, and which it assists with, when running the service.
The rapid pace of cloud expansion means that many more products and services are soon to come. CIS is working closely with the CSPs to stay ahead of developments. By doing so, we plan to bring timely and effective guidance at no cost to the global user community.