DevOps and cloud computing have become inseparable. Although the cloud started out as a development and test environment, without stringent security and availability requirements, it has grown into a mature platform for running production workloads. Devastating supply chain attacks like SolarWinds and Kaseya have also taught us all that development environments must be secured as well.
Today, to practice DevOps, you need the cloud, and to avoid disaster, you need to keep it secure. The Center for Internet Security (CIS) is a research organization that has developed a series of "benchmarks", essentially guides for securing the configuration of computer systems. There are CIS Benchmarks for all major public clouds.
Every DevOps professional should be familiar with these benchmarks and ensure that at least their basic recommendations are applied in development, test, and production environments.
What are CIS benchmarks?
CIS Benchmarks are collections of best practices for securing system configuration. They are created through a consensus-based process that brings together cybersecurity professionals and subject matter experts from around the world.
The volunteer stakeholders who write them are a diverse group: experts from academia and government, members of the security community, and representatives of the businesses and industries that use the products.
How does the process work?
- The initial development phase defines the scope of the benchmark and opens the discussion.
- Volunteers then create and test the working drafts.
- On the CIS WorkBench community website, contributors open discussion threads to continue the dialogue until consensus on the proposed recommendations and the draft is reached.
- Once the contributors have reached consensus, the final benchmark is published online.
There are currently over 100 CIS Benchmarks covering more than 25 vendor product families. You can download them for free in PDF format.
Each CIS benchmark contains configuration recommendations divided into two levels:
- Level 1 covers basic configurations that are easier to implement and have the least impact on business functions.
- Level 2 is intended for high-security environments. Recommendations at this level require more coordination and planning to implement with minimal disruption to the business.
CIS Benchmark categories most applicable to cloud environments
- Operating system hardening: covers security configurations of base operating systems such as Microsoft Windows, Linux, and Apple OS X. This includes best-practice guidance for restricting local and remote access, user profiles, driver installation protocols, and the configuration of Internet browsers.
- Server software: covers security configurations for popular server software such as Microsoft Windows Server, SQL Server, VMware, Docker, and Kubernetes. These benchmarks include recommendations for configuring Kubernetes PKI certificates, API server settings, server management controls, network policies, and storage limits.
- Cloud provider security: covers secure configurations of Amazon Web Services (AWS), Microsoft Azure, Google, IBM, and other public clouds. It includes guidance on Identity and Access Management (IAM) configuration, system logging, network configuration, compliance management, secure auto scaling, and more.
- Mobile devices: covers mobile operating systems such as iOS and Android, focusing on developer options and settings, operating system privacy configuration, browser settings, app permissions, and more.
Strengthening Cloud Security with CIS Benchmarks
Cloud Service Providers (CSPs) have changed the way organizations of all sizes design and deploy their IT environments. However, cloud technology also introduces new risks. CIS Benchmarks give organizations guidance for establishing policies and for planning and managing secure cloud environments.
CIS has published Foundation Benchmarks for all major public cloud environments including AWS, Azure, Google Cloud Platform, Oracle Cloud Infrastructure, IBM Cloud, and Alibaba Cloud.
Their users include systems and application administrators, security professionals, auditors, help desk staff, and DevOps personnel who want to develop, deploy, evaluate, or secure cloud solutions or platforms.
CIS Foundations Benchmarks are tailored to specific CSPs, but the documents share common characteristics. At a minimum, each provides prescriptive guidance for Identity and Access Management (IAM), logging, monitoring, and networking.
Obtaining CIS benchmarks
The AWS CIS Benchmark can be downloaded for free from the CIS website, which also offers easy access to all the other benchmarks in PDF format.
Universal recommendations of all CIS cloud benchmarks
- To create secure cloud workloads that meet industry best practices, save your tested and compliant images, and monitor them to prevent tampering.
- Activate cloud control plane logging through tools such as AWS CloudTrail or Google Cloud Operations Suite, and keep track of all API calls made in your cloud service account.
- Configure and enable cloud-native monitoring and alerting tools for your workloads.
- Activate strong authentication for all cloud management interfaces, including web portals and the command line.
- Enforce a least-privilege identity strategy for the various cloud operations roles.
- Activate encryption and other data protection measures for cloud storage services.
- Secure cloud-native network access to minimize exposure and ensure all network activity is monitored.
Take into account the configuration drift
CIS's benchmarks are excellent, but they are not enough. Trying to manually configure every element of a public cloud benchmark (which typically spans hundreds of pages) is impossible, even for the most seasoned DevOps professional. However, there are automated tools, some free and open source and some part of commercial solutions, that can configure your cloud according to the benchmarks.
It is even more important to consider configuration drift. The cloud is a very dynamic environment, and what you set up today will be gone tomorrow. To stay secure, make sure you:
- Take control of all the processes that create new workloads and cloud services, and make sure they adhere to security standards.
- Use cloud-native tools such as infrastructure as code (IaC) to automate secure configurations, just as you do with everything else.
- Set up a configuration monitoring solution, such as Cloud Security Posture Management (CSPM), a Cloud Workload Protection Platform (CWPP), or a Cloud Access Security Broker (CASB), that can automatically analyze and verify secure configurations.
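As an added example (not code from the original article or from CIS), the following Python script shows how a CSPM-style job can turn the universal recommendations above (control plane logging, strong authentication, storage encryption, restricted network access) into repeatable checks, so that configuration drift appears as new findings each time the account snapshot is re-evaluated. The snapshot and its field names are constructed for illustration and are not a real provider's API schema.

```python
from dataclasses import dataclass

# Constructed snapshot of an account's configuration, in the shape a CSPM tool would collect.
# Field names are assumptions for illustration, not a real provider API schema.
ACCOUNT_SNAPSHOT = {
    "cloudtrail": {"enabled": True, "multi_region": False, "log_validation": True},
    "iam_users": [
        {"name": "root", "mfa_enabled": False, "console_access": True},
        {"name": "deploy-bot", "mfa_enabled": True, "console_access": False},
    ],
    "storage_buckets": [
        {"name": "app-artifacts", "default_encryption": True, "public": False},
        {"name": "ci-logs", "default_encryption": False, "public": True},
    ],
    "security_groups": [
        {"name": "web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"name": "admin", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    ],
}

@dataclass(frozen=True)
class Finding:
    control: str    # the universal recommendation the drift violates
    resource: str
    detail: str

def check_snapshot(snapshot):
    """Return the list of drift findings; an empty list means the account still matches the baseline."""
    findings = []
    trail = snapshot["cloudtrail"]
    if not (trail["enabled"] and trail["multi_region"] and trail["log_validation"]):
        findings.append(Finding("control-plane logging", "cloudtrail",
                                "trail must be enabled in all regions with log file validation"))
    for user in snapshot["iam_users"]:
        if user["console_access"] and not user["mfa_enabled"]:
            findings.append(Finding("strong authentication", user["name"], "console access without MFA"))
    for bucket in snapshot["storage_buckets"]:
        if not bucket["default_encryption"]:
            findings.append(Finding("storage encryption", bucket["name"], "default encryption disabled"))
        if bucket["public"]:
            findings.append(Finding("network access", bucket["name"], "bucket is publicly readable"))
    for group in snapshot["security_groups"]:
        for rule in group["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in (22, 3389):
                findings.append(Finding("network access", group["name"],
                                        f"management port {rule['port']} open to 0.0.0.0/0"))
    return findings

if __name__ == "__main__":
    for finding in check_snapshot(ACCOUNT_SNAPSHOT):
        print(f"[{finding.control}] {finding.resource}: {finding.detail}")
```

Running this on every fresh snapshot (for example from a scheduled pipeline job) makes drift visible as soon as a change breaks one of the baseline controls, rather than at the next manual audit.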
All of this information helps you take one step closer to strengthening the DevOps cloud.