DevOps and cloud computing have become inseparable. But while the cloud started as primarily a dev/test environment — without stringent security and availability requirements — it has evolved into a mature platform for running production workloads. Moreover, devastating supply chain attacks like SolarWinds and Kaseya taught us all that development environments must also be secure.
Today, to practice DevOps, you require the cloud, and to avoid catastrophe you must ensure its security. The Center for Internet Security (CIS) is a research body that developed a series of “benchmarks,” essentially guidebooks to secure the configuration of computing systems. There are CIS benchmarks for all major public clouds.
Every DevOps professional must be familiar with these benchmarks, and ensure they are applying at least their basic recommendations across dev, test and production environments.
CIS Benchmarks include best practices that can help secure system configuration. CIS Benchmarks are created using a unique consensus-based process that includes cybersecurity professionals and subject matter experts from locations worldwide.
The benchmarks are created by a diverse pool of volunteer stakeholders, including experts from academia and government, private community members, various businesses and relevant industries.
There are currently over 100 CIS benchmarks for more than 25 vendor product families. You can download these benchmarks for free in PDF format.
Each CIS benchmark contains configuration recommendations divided into two levels:
Cloud service providers (CSPs) have changed the way organizations of all sizes design and deploy their IT environments. However, the use of cloud technology also introduces new risks. The CIS Benchmarks provide guidance for organizations to establish policies, plan and manage secure cloud environments.
CIS has released Foundation Benchmarks for all major public cloud environments, including AWS, Azure, Google Cloud Platform, Oracle Cloud Infrastructure, IBM Cloud and Alibaba Cloud.
Users include systems and application administrators, security professionals, auditors, help desks, and DevOps personnel who want to develop, deploy, evaluate, or secure cloud solutions or platforms.
CIS Foundations benchmarks are tailored to specific CSPs, but the documents all share common features. At a minimum, each benchmark provides prescriptive guidance regarding identity and access management (IAM), logging, monitoring and networking.
Obtaining the CIS benchmarks
You can download the AWS CIS Benchmark for free. The CIS website provides easy access to all other benchmarks, which you can download in PDF format.
Universal recommendations from all cloud CIS benchmarks
CIS benchmarks are great, but they are not enough. Trying to manually configure every item of a public cloud benchmark (which typically covers hundreds of pages) is infeasible for even the most seasoned DevOps professional. However, there are automated tools, some free and open source, some part of commercial solutions, which can automatically configure your cloud according to the benchmarks.
It is even more important to consider configuration drift. The cloud is a very dynamic environment, and what you configure today will be gone tomorrow. To stay secure, ensure you:
All of this information helps as you move one step closer towards hardening the DevOps cloud.
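The configuration drift problem described above, as an added example that is not from the original article or from CIS: a small Python checker that evaluates a configuration snapshot against a few checks in the four areas every Foundations benchmark covers (IAM, logging, monitoring, networking) and reports which checks passed in a known-good baseline but fail now. The snapshot layout, field names and check names are assumptions made for illustration and are not quoted from any benchmark.

```python
# Added example: snapshot layout, field names and check names are assumptions,
# not CIS text. Real snapshots would come from your provider's APIs.
import copy
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389}  # SSH and RDP

def open_admin_ingress(rules):
    """Return ingress rules that expose an admin port to any address."""
    exposed = []
    for rule in rules:
        anywhere = ip_network(rule["cidr"]).prefixlen == 0  # 0.0.0.0/0 or ::/0
        ports = range(rule["from_port"], rule["to_port"] + 1)
        if anywhere and any(p in ports for p in ADMIN_PORTS):
            exposed.append(rule)
    return exposed

# One or two checks per area the benchmarks share: IAM, logging, monitoring, networking.
CHECKS = {
    "iam.root_mfa": lambda s: s["iam"]["root_mfa_enabled"],
    "iam.no_root_access_keys": lambda s: not s["iam"]["root_access_keys"],
    "logging.audit_trail_all_regions": lambda s: s["logging"]["audit_trail_all_regions"],
    "monitoring.alert_on_iam_policy_change":
        lambda s: "iam_policy_change" in s["monitoring"]["alerts"],
    "networking.no_open_admin_ports":
        lambda s: not open_admin_ingress(s["networking"]["ingress"]),
}

def evaluate(snapshot):
    """Map each check name to True (compliant) or False."""
    return {name: bool(check(snapshot)) for name, check in CHECKS.items()}

def drift(baseline, current):
    """Checks that passed in the baseline but fail now."""
    before, after = evaluate(baseline), evaluate(current)
    return sorted(n for n in CHECKS if before[n] and not after[n])

# Constructed sample data: a compliant baseline, then two later changes.
BASELINE = {
    "iam": {"root_mfa_enabled": True, "root_access_keys": []},
    "logging": {"audit_trail_all_regions": True},
    "monitoring": {"alerts": ["iam_policy_change", "root_login"]},
    "networking": {"ingress": [{"cidr": "10.0.0.0/8", "from_port": 22, "to_port": 22}]},
}
CURRENT = copy.deepcopy(BASELINE)
CURRENT["networking"]["ingress"].append({"cidr": "0.0.0.0/0", "from_port": 20, "to_port": 25})
CURRENT["monitoring"]["alerts"].remove("iam_policy_change")

if __name__ == "__main__":
    print(drift(BASELINE, CURRENT))
```

Run on a schedule against fresh snapshots, a non-empty result from `drift` is the signal to alert on or remediate; the port-range rule in the sample shows why a check must test ranges rather than exact port matches.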