Balancing cloud security with performance and availability
Your business can’t realize the many benefits of cloud computing without ensuring performance and availability in its cloud environments.
Let’s look at some examples.
- Scalability: To scale your business’s cloud computing services, you need those services to be available and to perform according to your business’s requirements. Otherwise, your business might miss out on opportunities or end up paying for resources it doesn’t use.
- Disaster recovery: In the event of a disaster, you might need to recover from backups based in the cloud. Poor availability might render those backups inaccessible, while poor performance might limit your ability to recover fully. As a result, your business might lose access to data, intellectual property, and other critical assets.
- Innovation: Cloud service providers (CSPs) are constantly upgrading their platforms with new technology such as artificial intelligence and machine learning. Without performance and availability, however, you might not be able to experiment with these new technologies early enough to seize a competitive advantage.
The Center for Internet Security (CIS) understands how much you value performance and availability in your business’s cloud environments. It also recognizes that cloud security resources mean little if they don’t work for you and your business’s priorities, including cloud performance and availability.
To help support your business in the cloud, CIS tested its CIS Hardened Images with Azure Monitor Agent and Azure Update Manager. This blog will discuss the importance of testing CIS Hardened Images with popular cloud services, share examples of issues tested for, explain what this testing means for your business, and look to the future of testing CIS Hardened Images.
Lay a secure foundation in the cloud
CIS Hardened Images are virtual machine (VM) images of Windows, Linux, and macOS operating systems that are pre-hardened to the CIS Benchmarks. Every CIS Hardened Image includes a report illustrating the extent to which the image conforms to its corresponding Benchmark. With this information, you can plan out your efforts to secure your operating systems in the cloud.
CIS conducted compatibility testing of its CIS Hardened Images for two reasons. First, both Azure Monitor Agent and Azure Update Manager address foundational aspects of how your business uses virtual images. The former assists you in evaluating and remediating performance and availability issues in Microsoft Azure, while the latter supports you in updating your Azure virtual machine images. Second, current customers asked CIS to test its CIS Hardened Images for compatibility with these services, and it decided to help.
Here are some of the results of this testing.
Azure Monitor Agent
CIS focused its initial testing on CIS Hardened Images for Linux. The Azure team made some slight modifications to Azure Monitor Agent during the testing process. Some of these tweaks addressed compatibility issues with various Linux distributions. Others fixed file/directory ownership and network setup issues that affected compliance with the Benchmarks following the installation of Azure Monitor Agent. There were no issues of degraded functionality involving Azure Monitor Agent.
At the end of its testing period, CIS validated Azure Monitor Agent for successful deployment and functionality (end-to-end data flow for all data types) on all CIS Hardened Images for Linux. Simultaneously, the Azure team integrated CIS Hardened Images into its pre-release validation process, which means it’ll re-validate new versions of Azure Monitor Agent with CIS Hardened Images for Linux.
Azure Update Manager
During its compatibility testing with Azure Update Manager, CIS found this service needs a shell to implement updates as well as gather and send information. CIS therefore removed its recommendation “Ensure default user shell timeout is 900 seconds or less” in CIS Hardened Images for Linux.
You can manually configure this recommendation using the remediation instructions in the CIS Benchmark PDF, but this will inhibit the functionality of Azure Update Manager on CIS Hardened Images for Linux. Additionally, you can review this Knowledge Base article for more information.
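To see which side of this trade-off a given Linux image is on, the script below reports whether a shell idle timeout is configured and whether it falls within the 900-second limit. It is an added example, not CIS or Microsoft code; it assumes the timeout is set through bash's TMOUT variable in profile scripts, and the function name and file paths are illustrative.

```shell
#!/bin/sh
# Added example, not CIS or Microsoft code. Assumption: the shell timeout is
# expressed through bash's TMOUT variable in profile scripts.

# tmout_status FILE...  prints one of:
#   unset            no TMOUT assignment found
#   compliant:N      last assignment is 1..900 seconds
#   noncompliant:N   last assignment is 0 (no timeout) or above 900
# Simplification: the last assignment in argument order wins; readonly
# semantics and conditional blocks are not modelled.
tmout_status() {
    last=""
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(awk '{
                sub(/#.*/, "")                      # drop comments
                while (match($0, /(^|[ \t;])TMOUT="?[0-9]+/)) {
                    s = substr($0, RSTART, RLENGTH)
                    gsub(/[^0-9]/, "", s)           # keep the digits only
                    val = s
                    $0 = substr($0, RSTART + RLENGTH)
                }
            } END { if (val != "") print val }' "$f")
        if [ -n "$v" ]; then last=$v; fi
    done
    if [ -z "$last" ]; then
        echo "unset"
    elif [ "$last" -ge 1 ] && [ "$last" -le 900 ]; then
        echo "compliant:$last"
    else
        echo "noncompliant:$last"
    fi
}

# Constructed sample: a profile.d script that applies the recommendation.
demo=$(mktemp -d)
printf 'readonly TMOUT=900 ; export TMOUT\n' > "$demo/tmout.sh"
echo "sample image: $(tmout_status "$demo/tmout.sh")"
rm -rf "$demo"

# On a real host (paths are assumptions, adjust per distribution):
#   tmout_status /etc/profile /etc/profile.d/*.sh /etc/bashrc /etc/bash.bashrc
```

A result of `compliant:N` on a CIS Hardened Image for Linux means the recommendation has been applied manually, which is the state the paragraph above says will inhibit Azure Update Manager.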
CIS eyes the future of compatibility testing
Going forward, CIS will continue to test its CIS Hardened Images for compatibility with services and applications based upon feedback from its customers. While it can’t test everything or always make changes, it will document any issues it finds, communicate them to customers, and explain the setting’s impact. Please reach out to CIS about any services for which you might have encountered compatibility issues when using CIS Hardened Images.
Ready to balance security and functionality in your cloud environments?