Unlike traditional IT security, cloud security has no well-defined perimeter to protect. The cloud-native architecture includes many dynamic elements, microservices, containers, serverless functions, etc., and platforms like Kubernetes, Docker, etc., whose security posture determines the overall cloud security.
In complex and fluid cloud environments, visibility is limited, and IT oversight is much less than in on-premises data centers. This allows attackers to make inroads and evade detection for weeks and months—the average threat dwell-times in the cloud of 200 days or more. In a recent study, 81% of respondents cited a lack of centralized visibility as a barrier to cloud security, governance, and compliance.
Cloud security has a shared responsibility model. Enterprise customers are responsible for keeping their cloud assets secure. According to Gartner, through 2023, 99% of cloud security failures will be the customers’ fault, often due to misconfigurations. In extremely programmable cloud environments, misconfigurations have been a leading cause of breaches costing U.S enterprises $5 trillion year-over-year. While the cloud fast-tracks business growth, inadequate management of cloud security posture takes a direct toll on ROI.
Benefits of managing the cloud security posture
Most cloud security controls focus on mitigating external threats and malicious insiders. However, mismanagement of configurations, incident handling, and lack of visibility is equally, if not more, serious threats in the cloud. An IDC study found every 8 in 10 companies in the United States experienced a data breach due to cloud misconfigurations. For example, in November 2020, an incorrectly configured S3 bucket leaked at least 10 million files exposing sensitive information of travelers and travel agents, which is one among many other high-profile data leaks plaguing the corporate sector in recent years.
Enterprises must proactively manage security posture to minimize unintentional threat vectors from going undetected for weeks, months, or until a breach.
Managing cloud security posture involves continuously monitoring risks in the cloud by implementing cloud security best practices from governance bodies such as the Center for Internet Security (CIS). Compliance with the CIS benchmarks for your service provider uncovers hidden threats, providing unified visibility in the public cloud, hybrid, and multi-cloud environments.
An IDC study found every 8 in 10 companies in the United States experienced a data breach due to cloud misconfigurations.
CIS Benchmarks for Managing Cloud Security Posture
The CIS benchmarks provide security recommendations for various cloud service providers to help organizations improve their cloud security and compliance posture. For all cloud service providers, CIS benchmarks provide security best practice recommendations in certain essential areas:
- Identity and access management
- Storage
- Logging and monitoring
- Networking
A deeper dive into the CIS benchmarks for the big three CSPs are provided below.
- Amazon Web Services (AWS)
AWS provides native security tools and features in five main areas:
- Infrastructure security tools ensure the network elements and access to the infrastructure are secure. This includes DDoS mitigation technologies and encryption of data traffic in AWS global and regional networks.
- Inventory and configuration management tools for:
- Creating and decommissioning AWS resources;
- Identifying AWS resources and managing changes to those resources over time;
- Creating standard, preconfigured, hardened virtual machines for Elastic container EC2 instances.
- Data encryption tools to encrypt data at rest; flexible key management options; dedicated, hardware-based cryptographic key storage; and encrypted message queues for the transmission of sensitive data.
- Identity and access control tools define and enforce user access policies across AWS services through AWS Identity and Access Management, AWS Directory Service, and AWS Single Sign-On.
- Monitoring and logging tools include AWS CloudTrail, Amazon CloudWatch, and Amazon GuardDuty to give organizations visibility into their AWS environments to identify issues before they impact the business and reduce their security risk.
The CIS benchmarks for AWS aim to help configure many of these AWS services more securely. AWS CIS benchmark provides guidelines for configuring the security options of:
- Identity and access management secure configuration recommendations for AWS Identity and Access Management (IAM)
- AWS CIS Logging Benchmark for AWS Config and AWS CloudTrail configurations
- AWS CIS Monitoring Benchmark for AWS CloudWatch configurations
- AWS CIS Networking Benchmark for AWS VPC and AWS Simple Notification Service (SNS) configurations
- AWS CIS Storage Benchmark for Simple Storage Service (S3) configurations
- Microsoft Azure
The CIS Benchmark for Azure has nine sections with a total of 111 controls or recommendations for improving cloud security posture in the Azure environment. The nine sections are briefly covered here:
Section 1: Identity and Access Management
This section provides security recommendations for configuring identity and access management (IAM) policies on an Azure Subscription. IAM policies are fundamental for securing an Azure Cloud Platform environment and for improving the security posture.
Section 2: Microsoft Defender for Cloud
The security recommendations in this section are for setting various security policies on an Azure Subscription. A security policy defines the set of controls that are recommended for resources within the specified Azure subscription. These recommendations do not actually enforce security settings by themselves but produce an alert in case of a security violation is found, which needs to be remedied.
Section 3: Storage Accounts
An Azure storage account provides a unique namespace to store and access Azure Storage data objects.
The security recommendations in this section are to set storage account policies on an Azure Subscription.
Section 4: Database Services
This section covers security recommendations to follow to set general database services policies on an Azure Subscription. Subsections will address specific database types such as the Azure SQL Server and SQL databases.
Section 5: Logging and Monitoring
The security recommendations in this section are for configuring logging and monitoring policies on an Azure Subscription, such as diagnostics alerts activity log alerts.
Section 6: Networking
This section covers security recommendations for configuring networking policies on an Azure subscription for securely accessing the network and various services.
Section 7: Virtual Machines
The security recommendations for configuring policies for the virtual machine are covered in this section.
Section 8: Other Security Configurations
This section covers security recommendations to follow in order to set general security and operational controls on an Azure Subscription.
Section 9: AppService
This section covers security recommendations for Azure App Service, for example, authentication configuration, Web App redirection of all HTTP traffic to HTTPS, etc.
- Google Cloud Platform (GCP)
The CIS benchmark for GCP includes infrastructure-as-a-service and platform-as-a-service in the Google Cloud. The recommendations span identity and access management, logging and monitoring, networking, storage, databases, and virtual machines. The GCP CIS benchmarks added a new section around Google Kubernetes Engine (GKE). GCP CIS Benchmark is spread across seven sections.
The section on Identity and Access Management includes security recommendations for configuring access controls like multifactor authentication, implementing security keys, separation of duties. Logging and monitoring security recommendations cover Cloud audit logging and log metric filters. The networking section cover recommendations around securing network and service access. The remaining recommendations are organized in sections on virtual machines, storage, cloud SQL databases, and GCP BigQuery datasets.
Managing cloud security posture involves continuously monitoring risks in the cloud by implementing cloud security best practices from governance bodies such as the Center for Internet Security (CIS).
Conclusion
Compliance with the CIS security best practices (the benchmarks) is an essential step towards managing cloud security posture. Automation plays a key role in implementing these recommendations as manual processes are both time-consuming and error-prone. You can leverage third-party solutions to scan your cloud assets to identify and alert non-compliance to these standards and avoid the costly consequences of misconfigurations.