DevOps and cloud computing have become inseparable. But while the cloud began primarily as a development and test environment, without strict security and availability requirements, it has evolved into a mature platform for running production workloads. Devastating supply chain attacks such as SolarWinds and Kaseya have also taught us all that development environments need to be secured too.
To practice DevOps today, you need the cloud, and to avoid disasters you need to keep it secure. The Center for Internet Security (CIS) is a research organization that has developed a series of "benchmarks", essentially guidelines for securing the configuration of computer systems. There are CIS benchmarks for all major public clouds.
Every DevOps professional needs to be familiar with these benchmarks and ensure that they apply at least their basic recommendations in development, test, and production environments.
What are CIS benchmarks?
CIS benchmarks include best practices that can help ensure a secure system configuration. CIS benchmarks are created using a unique consensus-based process that includes cybersecurity experts and subject matter experts from locations around the world.
They were created by a diverse pool of volunteer stakeholders and include experts from academia and government, members of private communities, various companies and relevant industries.
How does the process work?
- The initial benchmark development process defines the scope of the benchmark and leads to discussion.
- Next, volunteers create and test the working draft process.
- On the CIS WorkBench community website, contributors can open threads to continue the discussion until consensus is reached on the proposed recommendations and working drafts.
- Once all contributors have reached consensus, the final benchmark is published and posted online.
There are currently over 100 CIS benchmarks covering more than 25 vendor product families. You can download these benchmarks free of charge in PDF format.
Each CIS benchmark contains configuration recommendations that are divided into two levels:
- Level 1 includes basic configurations that are easier to implement and have the least impact on business functions.
- Level 2 is intended for a high security environment. Recommendations at this level require more coordination and planning to implement with minimal business disruption.
CIS benchmark categories best suited for cloud environments
- Operating system hardening: covers security configurations of core operating systems such as Microsoft Windows, Linux and Apple OS X. This includes best-practice guidelines for restricting local and remote access, user profiles, driver installation protocols, and configuration of Internet browsers.
- Server software: covers the security configurations of common server software such as Microsoft Windows Server, SQL Server, VMware, Docker and Kubernetes. These benchmarks include recommendations for configuring Kubernetes PKI certificates, API server settings, server management controls, vNetwork policies, and storage limits.
- Cloud provider security: supports secure configurations for Amazon Web Services (AWS), Microsoft Azure, Google, IBM, and other public clouds. It contains guidance on the configuration of identity and access management (IAM), system logging, network configuration, compliance management, backups, autoscaling and more.
- Mobile devices: covers mobile operating systems such as iOS and Android and focuses on developer options and settings, operating system privacy configuration, browser settings, application permissions and more.
Strengthening cloud security with CIS benchmarks
Cloud Service Providers (CSPs) have changed the way companies of all sizes design and deploy their IT environments. However, the use of cloud technology also brings with it new risks. The CIS benchmarks provide guidance to organizations in setting policies, planning, and managing secure cloud environments.
CIS has published Foundation benchmarks for all major public cloud environments, including AWS, Azure, Google Cloud Platform, Oracle Cloud Infrastructure, IBM Cloud and Alibaba Cloud.
Users include system and application administrators, security professionals, auditors, help desks, and DevOps staff who want to develop, deploy, evaluate, or secure cloud solutions or platforms.
The CIS Foundations benchmarks are tailored to specific CSPs, but the documents share a common structure. Each benchmark provides at least baseline guidelines on identity and access management (IAM), logging, monitoring, and networking.
Obtaining the CIS benchmarks
You can download the AWS CIS Benchmark for free from the CIS website, which also provides easy access to all the other benchmarks in PDF format.
Universal recommendations from all cloud CIS benchmarks
- Create secure cloud workloads that adhere to industry best practices, store your tested, compliant images, and monitor them to prevent tampering.
- Enable logging of the cloud control plane via tools such as AWS CloudTrail or Google Cloud Operations Suite. Keep track of all API calls in your cloud service account.
- Configure and enable cloud-native monitoring and notification tools for your workloads.
- Enable strong authentication for all cloud management interfaces, including web portals and the command line.
- Implement a least-privilege identity strategy for the various cloud operational roles.
- Enable encryption and other data protection measures for cloud storage services.
- Secure cloud-native network access to minimize exposure and ensure that all network activity is monitored.
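The recommendations above are the kind of thing an automated benchmark scanner evaluates. The following script is an added example, not code from the article or from CIS: it runs four simplified CIS-style checks (control-plane logging, MFA, storage encryption and exposure, and unrestricted ingress to administrative ports) against a constructed account snapshot. The snapshot layout, the resource names and the check identifiers (LOG-1, IAM-1, ...) are invented for the example; a real tool would fill the snapshot from the provider's API and map each check to the benchmark's own numbering.

```python
"""Evaluate a handful of CIS Foundations-style checks against a cloud
account snapshot.  The snapshot format, resource names and check ids are
constructed for this example; a real implementation would populate the
snapshot from the provider's API (trail, IAM, storage and firewall listings)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Finding:
    check_id: str   # constructed id, not an official CIS recommendation number
    title: str
    resource: str
    passed: bool


# --- Constructed sample snapshot (not real account data) --------------------
SAMPLE_SNAPSHOT = {
    "cloudtrail": [
        {"name": "org-trail", "multi_region": True, "log_validation": True},
        {"name": "dev-trail", "multi_region": False, "log_validation": False},
    ],
    "iam": {"root_mfa_enabled": False, "users": [
        {"name": "alice", "console_access": True, "mfa": True},
        {"name": "bob", "console_access": True, "mfa": False},
        {"name": "ci-bot", "console_access": False, "mfa": False},
    ]},
    "storage": [
        {"name": "prod-data", "encrypted": True, "public": False},
        {"name": "static-site", "encrypted": False, "public": True},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "port": 443}]},
        {"id": "sg-mgmt", "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},
    ],
}


def check_control_plane_logging(snap) -> list[Finding]:
    """Logging: at least one trail must capture every region and validate its
    log files; otherwise API calls made in other regions go unrecorded."""
    ok = any(t["multi_region"] and t["log_validation"] for t in snap["cloudtrail"])
    return [Finding("LOG-1", "Multi-region trail with log file validation", "account", ok)]


def check_mfa(snap) -> list[Finding]:
    """Strong authentication: the root account and every console user need MFA."""
    out = [Finding("IAM-1", "Root account MFA", "root", snap["iam"]["root_mfa_enabled"])]
    for u in snap["iam"]["users"]:
        if u["console_access"]:  # API-only identities are covered by other controls
            out.append(Finding("IAM-2", "Console user MFA", u["name"], u["mfa"]))
    return out


def check_storage(snap) -> list[Finding]:
    """Data protection: storage must be encrypted at rest and not public."""
    out = []
    for b in snap["storage"]:
        out.append(Finding("STO-1", "Storage encrypted at rest", b["name"], b["encrypted"]))
        out.append(Finding("STO-2", "Storage not publicly accessible", b["name"], not b["public"]))
    return out


def check_network(snap) -> list[Finding]:
    """Network: management ports (SSH, RDP) must not be reachable from anywhere."""
    out = []
    for sg in snap["security_groups"]:
        open_mgmt = any(r["cidr"] == "0.0.0.0/0" and r["port"] in (22, 3389) for r in sg["ingress"])
        out.append(Finding("NET-1", "No unrestricted ingress to admin ports", sg["id"], not open_mgmt))
    return out


CHECKS = [check_control_plane_logging, check_mfa, check_storage, check_network]


def evaluate(snap) -> list[Finding]:
    """Run every check and return all findings, passing and failing."""
    findings: list[Finding] = []
    for check in CHECKS:
        findings.extend(check(snap))
    return findings


def failures(snap) -> list[str]:
    """Return one human-readable line per failing finding."""
    return [f"{f.check_id} {f.resource}: {f.title}" for f in evaluate(snap) if not f.passed]


if __name__ == "__main__":
    for line in failures(SAMPLE_SNAPSHOT):
        print("FAIL", line)
```

On the constructed snapshot the logging check passes (org-trail covers all regions), while the root account, user bob, the static-site bucket and the sg-mgmt group each produce a failing finding. Each check is a small pure function over the snapshot, which is what makes it easy to run the same rules in CI against an IaC plan and on a schedule against the live account.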
Take configuration drift into account
CIS benchmarks are great, but they are not enough. Manually configuring every element of a public cloud benchmark (typically hundreds of pages) is impossible even for the most seasoned DevOps professional. However, there are automated tools, some free and open source, some commercial, that can configure your cloud according to the benchmarks.
It is even more important to consider configuration drift. The cloud is a very dynamic environment, and what you configure today may be gone tomorrow. To stay secure, make sure that you:
- Take control of all the processes to create new cloud workloads and services, and make sure they enforce security standards.
- Use cloud-native tools like Infrastructure-as-Code (IaC) to automate secure configurations – just like anything else.
- Use a configuration monitoring solution, such as a Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP) or Cloud Access Security Broker (CASB) product, that can automatically scan for and verify secure configurations.
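Drift detection is the second half of what a CSPM-style scanner does: instead of asking "is this setting compliant?", it asks "does what is running still match what was declared?". The script below is an added example, not code from the article or from any CSPM product. It compares a desired state, as an IaC tool would record it, against an observed state from a later scan, and reports resources that were modified out of band, resources that exist but were never declared, and declared resources that are missing. Both state documents and all resource ids are constructed for the example.

```python
"""Detect configuration drift between the state declared in IaC and the
state observed in the cloud.  Both documents below are constructed for this
example; in practice the desired state comes from the IaC plan or state file
and the observed state from the provider's API or a CSPM export."""
from __future__ import annotations

# Constructed desired state, keyed by resource id as IaC would record it.
DESIRED = {
    "sg-mgmt":   {"type": "security_group", "ingress_cidrs": ["10.0.0.0/8"], "port": 22},
    "prod-data": {"type": "bucket", "encrypted": True, "public": False},
    "org-trail": {"type": "trail", "multi_region": True, "log_validation": True},
}

# Constructed observed state, as a scan a day later might report it.
OBSERVED = {
    "sg-mgmt":   {"type": "security_group", "ingress_cidrs": ["10.0.0.0/8", "0.0.0.0/0"], "port": 22},
    "prod-data": {"type": "bucket", "encrypted": True, "public": False},
    "org-trail": {"type": "trail", "multi_region": False, "log_validation": True},
    "tmp-debug": {"type": "bucket", "encrypted": False, "public": True},  # created by hand, never declared
}


def diff_resource(rid: str, desired: dict, observed: dict) -> list[str]:
    """Return one message per declared attribute whose observed value differs."""
    msgs = []
    for key, want in desired.items():
        got = observed.get(key)
        if got != want:
            msgs.append(f"{rid}.{key}: declared {want!r}, observed {got!r}")
    return msgs


def detect_drift(desired: dict, observed: dict) -> dict[str, list[str]]:
    """Classify drift into modified attributes, unmanaged resources (present but
    not declared) and missing resources (declared but not present)."""
    report: dict[str, list[str]] = {"modified": [], "unmanaged": [], "missing": []}
    for rid, spec in desired.items():
        if rid not in observed:
            report["missing"].append(rid)
        else:
            report["modified"].extend(diff_resource(rid, spec, observed[rid]))
    for rid in observed:
        if rid not in desired:
            report["unmanaged"].append(rid)
    return report


if __name__ == "__main__":
    for kind, items in detect_drift(DESIRED, OBSERVED).items():
        for item in items:
            print(f"{kind.upper():9} {item}")
```

On the constructed data the report flags the extra 0.0.0.0/0 ingress on sg-mgmt and the trail that is no longer multi-region as modifications, and tmp-debug as an unmanaged resource. Treating "unmanaged" as a finding in its own right is the point of the first bullet above: anything that can be created outside the controlled process is something the benchmark checks will never see declared.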
All of this will help you get one step closer to hardening your DevOps cloud.