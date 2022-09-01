Cloud service providers (CSPs) have changed the way organizations of all sizes architect and deploy their IT environments. CSPs now make it possible for organizations to rapidly implement new technologies with greater levels of ease and scalability.

As with any new opportunity, leveraging cloud technology also introduces new forms of risk. Industry standards provide organizations guidance to create policies and plans as well as to manage their cloud environments. Organizations that do not use industry standards to harden their environments leave themselves open to cyber attacks and misconfigurations.

Cloud environments evolve and change, and CSPs are constantly adding new functional services that come with unique configuration and security tools to manage them. However, organizations cannot be solely dependent on the CSP for security. The Shared Responsibility Model requires that organizations ensure security "in" the cloud by in the very least protecting their data.

CIS Foundations Benchmarks overview

One of the most effective ways for organizations to secure their public cloud accounts is to use the CIS Foundations Benchmarks. They are part of the CIS Benchmarks, which are consensus-based, vendor-agnostic secure configuration guidelines developed by the Center for Internet Security (CIS).

The CIS Foundations Benchmarks provide guidance for public cloud environments at the account level. Their recommendations cover Identity and Access Management (IAM), logging and monitoring, and networking for the following platforms:

Each recommendation in a CIS Foundations Benchmark includes the following components:

Profile Applicability – Identifies whether the recommendation relates to a Level 1 (standard security), or Level 2 (higher security) profile Description – An easy-to-understand explanation of the recommendation and why it’s important Audit – A detailed description of how to evaluate the status of the recommendation in its current configuration Remediation – Step-by-step guidance on how to successfully implement the recommendation References – Links to supporting documentation Additional Information – Further explanation, if necessary CIS Critical Security Controls – Maps the recommendation to the specific Control

Shared cloud security responsibility resources

The CIS Foundations Benchmarks are part of a portfolio of globally-recognized resources provided by CIS to help organizations secure their operations in public cloud environments. Here are some additional offerings for achieving security in the cloud:

The CIS Controls Cloud Companion Guide provides guidance on how to apply the security best practices found in the CIS Critical Security Controls to the four main “as-a-service” cloud environments. Additional steps needed in any cloud environment are explained based on the individual service models.

CIS Hardened Images are pre-configured virtual machine images hardened in accordance to the security recommendations of CIS Benchmarks. CIS Hardened Images are updated on a monthly basis to ensure the latest security configurations are in place and patched for vulnerabilities.

Become Part of the CIS Benchmarks Communities

CIS Foundations Benchmarks are created using a consensus review process leveraging the expertise of subject matter experts from around the world. Consensus participants provide perspectives from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.

Since public cloud environments evolve rapidly, the CIS Foundations Benchmarks require constant maintenance. We work with CSPs, CSP consumers, and cybersecurity experts to gain insights and collect the most up-to-date information. Please consider joining one of our Communities and participating in the development of these resources.