You have probably seen the term CIS benchmarks when searching for cloud security compliance on the Internet. The CIS benchmarks are recognised as one of the market's most popular cloud security best practices and standards. Still, what are CIS benchmarks, and does your cloud infrastructure need to comply with them? This blog post gives an overview of the CIS benchmarks and how they can be used for cloud infrastructure security and compliance.
A CIS benchmark is a set of configuration baselines and security best-practice recommendations published by the Center for Internet Security (CIS), a non-profit, community-driven organisation, to help organisations configure their systems securely against evolving security threats. The benchmarks cover more than 100 configuration guidelines across more than 30 vendors and are designed as a key component of an organisation's comprehensive cybersecurity program.
Each recommendation in a benchmark references the CIS Controls, a prioritised set of actions to mitigate the most prevalent cyber-attacks against systems. The CIS Controls map to many established cybersecurity standards and regulatory frameworks, such as ISO 27000, PCI-DSS, and HIPAA. Each benchmark is developed for a specific system by the CIS community of security experts and undergoes two phases of consensus review before approval.
The CIS benchmarks consist of two profiles that can be implemented in the systems:
- Level 1 provides essential security-focused best practices that can be applied with minimal interruption to, or effect on, the systems.
- Level 2 extends the Level 1 profile with enhanced security requirements for critical environments; these may affect the system in some way, e.g. in cost or performance.
Each guideline is assigned a profile, and organisations decide which profile to implement to meet their own security objectives.
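To make the profile structure concrete, here is an added example (not code from CIS or Mitigant) that evaluates a small, constructed set of benchmark-style recommendations against a constructed account configuration; the recommendation titles, the configuration keys and the remediation text are illustrative assumptions, not real benchmark items. It shows how choosing Level 2 runs the Level 1 checks as well, and how an assessment report pairs each failed check with its remediation step.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Recommendation:
    title: str                       # constructed, benchmark-style wording
    level: int                       # 1 = Level 1 profile, 2 = Level 2 profile
    check: Callable[[dict], bool]    # True when the configuration passes
    remediation: str                 # step reported when the check fails


# Constructed recommendations; real benchmarks have many more, with their own numbering.
RECOMMENDATIONS = [
    Recommendation("Root account has MFA enabled", 1,
                   lambda c: c["root_mfa_enabled"],
                   "Enable an MFA device on the root account."),
    Recommendation("Audit logging is enabled in all regions", 1,
                   lambda c: c["audit_log_all_regions"],
                   "Create a multi-region audit trail."),
    Recommendation("Audit logs are encrypted with a customer-managed key", 2,
                   lambda c: c["audit_log_cmk_encrypted"],
                   "Encrypt trail log files with a customer-managed key."),
    Recommendation("Audit log file integrity validation is enabled", 2,
                   lambda c: c["audit_log_validation"],
                   "Turn on log file integrity validation for the trail."),
]


def assess(config: dict, profile: int) -> dict:
    """Evaluate every recommendation in the chosen profile.

    Level 2 extends Level 1, so a Level 2 assessment also runs all Level 1
    checks.  The report lists passed titles and a remediation step per failure.
    """
    if profile not in (1, 2):
        raise ValueError("profile must be 1 or 2")
    selected = [r for r in RECOMMENDATIONS if r.level <= profile]
    passed = [r.title for r in selected if r.check(config)]
    failed = {r.title: r.remediation for r in selected if not r.check(config)}
    return {"profile": profile, "checked": len(selected),
            "passed": passed, "failed": failed}


# Constructed account state: Level 1 items in place, Level 2 items not yet.
SAMPLE_CONFIG = {
    "root_mfa_enabled": True,
    "audit_log_all_regions": True,
    "audit_log_cmk_encrypted": False,
    "audit_log_validation": False,
}

if __name__ == "__main__":
    for level in (1, 2):
        print(assess(SAMPLE_CONFIG, level))
```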
CIS Benchmark for Cloud Infrastructure Security
The CIS has published benchmarks for many cloud providers and their supporting cloud services, such as Amazon Web Services and Microsoft Azure. As cloud customers, organisations can implement and maintain the CIS benchmarks to establish secure baseline configurations for their cloud infrastructure by selecting the guidelines and implementation profiles in the benchmark that suit their requirements.
Organisations can also use CIS Hardened Images, virtual machine images securely configured according to the CIS benchmarks, to provide secure, on-demand, scalable computing environments in their cloud infrastructure. The images are available in the cloud provider marketplaces, so organisations can run a virtual machine from them without having to configure it themselves to comply with the CIS benchmarks.
Implementing CIS benchmarks for cloud infrastructure brings organisations several benefits:
- CIS benchmarks are recognised security standards for securing systems against cyberattacks. Following their security best practices and secure configuration baselines, tested and proven by security experts, keeps the cloud infrastructure secure.
- By complying with the CIS benchmarks, organisations can demonstrate to their customers that their systems are secure and that they have fulfilled their part of the shared responsibility model with the cloud providers.
- Many recommendations in the benchmarks map to other established cloud security standards and best practices on the market, which helps organisations achieve other compliance goals if needed.
How Mitigant Can Help With CIS Benchmarks Compliance
Mitigant CSPM provides continuous compliance functionality that allows organisations to achieve, continuously monitor, and maintain cloud security compliance for their cloud infrastructure. It supports many of the market's cloud security best practices and standards, such as CIS benchmarks, PCI-DSS, and HIPAA, which are applied simultaneously and automatically to the cloud infrastructure. After each security assessment, comprehensive reports are generated that provide a high-level analysis of the cloud infrastructure and recommended remediation steps for misconfigured cloud resources. Organisations can remediate the identified issues by following the assessment reports to ensure their cloud infrastructure is secure and compliant.
Muhammad Ihsan Haikal Sukmana
Chief Product Officer & Co-Founder @Mitigant.