How the CIS Foundations Benchmarks Are Key to Your Cloud Security

Many organizations are migrating their workloads to the cloud. But there are challenges along the way. Specifically, security leaders are concerned about their ability to protect their cloud-based data using secure configurations.

Tripwire found this out when it partnered with Dimensional Research to survey 310 professionals who held IT security responsibilities for their organizations’ public cloud environments across more than a dozen different sectors. In that study, 37% of respondents told Tripwire that their risk management capabilities in the cloud were somewhat lacking compared to the same resources used for other parts of their organizations’ infrastructure. More than three-quarters (76%) of survey participants said it was difficult to maintain secure configurations in the cloud, a finding which illuminates why 93% of leaders said they were worried that human error could cause their employers to accidentally expose their cloud-based data.

These survey results raise an important question: how are organizations supposed to maintain secure configurations in the cloud?

The CIS Foundations Benchmarks as a Starting Point

Organizations can begin by turning to the Center for Internet Security (CIS). This community-driven group has created a series of benchmarks consisting of best practices that organizations can use to stay secure. Some of those benchmarks pertain to OSes like Windows and Linux, while others relate to applications.

The CIS benchmarks that concern us today are those that provide prescriptive guidance for configuring the security options of organizations’ AWS, Azure and Google accounts. Those best practices are designed to help organizations not open themselves up to certain risks from the moment they set up their cloud accounts. As such, the benchmarks do not get into how organizations can secure their individual cloud-based workloads and services.

The cloud benchmarks vary depending on the provider. But there are a few shared elements between them. These are as follows:

Identity and Access Management

Identity and Access Management (IAM) is about making sure that the right people are able to log in with the right privilege levels. As such, organizations can use IAM to determine that there aren’t problematic settings through which unprivileged users can access privileged information.

Steve Tipton, ISC senior sales engineer for Tripwire, explains that IAM is so important today given the increasing complexity of organizations’ IT networks:

In this continually evolving technological world, organizations have more data to protect in a variety of places such as on-premises, the cloud, mobile devices, legacy applications, etc. The normal boundaries that were used to protect data are disappearing rapidly. This has created massive challenges for organizations that want to control data access in a connected and distributed environment.

It’s therefore important that organizations work to implement IAM for the cloud. Towards that end, they can use CIS Critical Security Control (CSC) 16 to maintain an inventory of all accounts with the help of an authentication system. This measure will ensure that organizations know about all of the users that they need to secure. Additionally, they need to make sure that they have an automated process for revoking system access when an employee’s role changes in the organization of when they no longer work at the organization. Such a process should involve disabling user accounts but not deleting them so as to preserve audit trails.

Logging and Monitoring

Organizations need to have access to the details of when a critical system change occur and/or when something goes wrong with their cloud infrastructure. Absent that information, organizations won’t have the visibility into their cloud environments that they need in order to investigate potential attacks and root out potential intrusions before they balloon into security incidents. That’s why organizations need access to their system logs.

To achieve this level of visibility, organizations can use CIS Control 6 to ensure that local logging is operational on all cloud systems and network devices, activate settings for collecting detail logs on their protected systems and make sure that they have adequate storage place to house their logs. They also need a way to manage these logs so that they can gain insight into critical events while reducing unnecessary noise.

Networking

Finally, organizations need to determine that malicious actors can’t achieve anonymous access into their cloud infrastructure. At issue is the threat of data exfiltration. Nefarious individuals could infiltrate an organization’s network, move laterally to sensitive systems and send its sensitive information back to a server under their control. Such activity would undermine organization’s cloud data security and threaten both their compliance efforts and reputation.

Acknowledging that reality, organizations can harden their cloud security using CIS CSC 14. This security measure recommends that organizations use access control lists to enforce the principle of least privilege. It also specifies how organizations can use automated controls to enforce access controls concerning their cloud-based data.

Strengthening Cloud Security with Tripwire

Tripwire can help organizations to configure their cloud accounts correctly using the CIS Controls identified above as well as other security measures. More information is available here.