CIS Benchmarks: DevOps Guide to Hardening the Cloud

DevOps and cloud computing have become inseparable. But while the cloud started as primarily a dev/test environment — without stringent security and availability requirements — it has evolved into a mature platform for running production workloads. Moreover, devastating supply chain attacks like SolarWinds and Kaseya taught us all that development environments must also be secure. 

Today, to practice DevOps, you require the cloud, and to avoid catastrophe you must ensure its security. The Center for Internet Security (CIS) is a research body that developed a series of “benchmarks,” essentially guidebooks to secure the configuration of computing systems. There are CIS benchmarks for all major public clouds. 

Every DevOps professional must be familiar with these benchmarks, and ensure they are applying at least their basic recommendations across dev, test and production environments.

What are CIS Benchmarks?

CIS Benchmarks include best practices that can help secure system configuration. CIS Benchmarks are created using a unique consensus-based process that includes cybersecurity professionals and subject matter experts from locations worldwide. 

This diverse pool of volunteer stakeholders includes experts from academia and government, private community members, and practitioners from various businesses and relevant industries. 

How does the process work?

  • The process begins by defining the scope of the benchmark and opening it for discussion.
  • Next, volunteers write and test working drafts.
  • The CIS WorkBench community website lets contributors establish discussion threads to continue the dialogue, until a consensus on the proposed recommendations and the working drafts is achieved.
  • Once all collaborators reach a consensus, they publish the final benchmark and release it online.

There are currently over 100 CIS benchmarks for more than 25 vendor product families. You can download these benchmarks for free in PDF format.

Each CIS benchmark contains configuration recommendations divided into two levels:

  • Level 1 covers basic configurations that are easier to implement and have the least impact on business functions.
  • Level 2 is intended for a high-security environment. Recommendations at this level require more coordination and planning to implement with minimal disruption to the business.

CIS benchmark categories most applicable to cloud environments

  • Operating system hardening—covers security configurations of core operating systems such as Microsoft Windows, Linux, and Apple OS X. This includes best practice guidelines for restricting local and remote access, user profiles, driver installation protocols and configuring Internet browsers.
  • Server software—covers the security configurations of popular server software such as Microsoft Windows Server, SQL Server, VMware, Docker and Kubernetes. These benchmarks include recommendations for configuring Kubernetes PKI certificates, API server settings, server management controls, vNetwork policies and storage limits.
  • Cloud provider security—supports secure configurations of Amazon Web Services (AWS), Microsoft Azure, Google, IBM and other public clouds. It includes guidance on configuring identity and access (IAM), system logging protocols, network configuration, compliance management, securing auto-scaling and more.
  • Mobile devices—covers mobile operating systems such as iOS and Android, and focuses on developer options and settings, operating system privacy configuration, browser settings, application permissions and more.

Hardening cloud security with CIS Benchmarks

Cloud service providers (CSPs) have changed the way organizations of all sizes design and deploy their IT environments. However, the use of cloud technology also introduces new risks. The CIS Benchmarks provide guidance for organizations to establish policies, plan and manage secure cloud environments.

CIS has released Foundation Benchmarks for all major public cloud environments, including AWS, Azure, Google Cloud Platform, Oracle Cloud Infrastructure, IBM Cloud and Alibaba Cloud. 

Users include systems and application administrators, security professionals, auditors, help desks, and DevOps personnel who want to develop, deploy, evaluate, or secure cloud solutions or platforms.

CIS Foundations benchmarks are tailored to specific CSPs, but the documents all share common features. At a minimum, each benchmark provides prescriptive guidance regarding identity and access management (IAM), logging, monitoring and networking.

Obtaining the CIS benchmarks

You can download the AWS CIS Benchmark free of charge from the CIS website, which also provides easy access to all other benchmarks in PDF format.

Universal recommendations from all cloud CIS benchmarks

  • Create secure cloud workloads that comply with industry best practices, save your tested, compliant images and monitor them to avoid tampering.
  • Enable cloud control plane logging through tools, such as AWS CloudTrail or Google Cloud Operations Suite. Keep track of all API calls made in your cloud service account.
  • Configure and enable cloud-native monitoring and alerting tools for your workloads.
  • Enable strong authentication for all cloud management interfaces, including web portals and the command line.
  • Implement a least-privileged identity strategy for various cloud operations roles.
  • Enable encryption and other data protection measures for cloud storage services.
  • Restrict cloud-native network access to the minimum required, and ensure all network activity is monitored.
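The recommendations above, and the Level 1 / Level 2 split described earlier, are easiest to reason about when expressed as checks run against an inventory of the account. The following Python script is an added example (not from the article and not CIS's own tooling): it evaluates a handful of CIS-style checks (root MFA, console-user MFA, password policy, control-plane logging, storage encryption, public storage, and open admin ports) against a constructed configuration snapshot. The snapshot layout, the check identifiers (`X-1.1` and so on) and the thresholds are assumptions made for illustration; real recommendation numbers and audit procedures come from the published benchmark PDF.

```python
"""Evaluate CIS-style cloud account checks against a constructed configuration snapshot.

Added example, not from the article or from CIS. The snapshot shape, the
check identifiers and the thresholds are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Constructed snapshot: the shape mimics what an inventory job might collect
# from an account through the provider's APIs. All values are made up.
SAMPLE_SNAPSHOT: Dict[str, Any] = {
    "root_account": {"mfa_enabled": False, "access_keys": 0},
    "iam_users": [
        {"name": "alice", "mfa_enabled": True, "console_access": True},
        {"name": "deploy-bot", "mfa_enabled": False, "console_access": False},
        {"name": "bob", "mfa_enabled": False, "console_access": True},
    ],
    "password_policy": {"min_length": 8, "require_symbols": True},
    "cloudtrail": {
        "trails": [{"name": "main", "is_multi_region": True, "log_file_validation": False}]
    },
    "s3_buckets": [
        {"name": "app-logs", "default_encryption": True, "public": False},
        {"name": "static-site", "default_encryption": False, "public": True},
    ],
    "security_groups": [
        {"id": "sg-1", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-2", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    ],
}


@dataclass(frozen=True)
class Check:
    check_id: str   # hypothetical identifier, not a real CIS recommendation number
    title: str
    level: int      # 1 = basic, 2 = high-security, mirroring the benchmark's two levels
    evaluate: Callable[[Dict[str, Any]], List[str]]  # returns names of failing resources


@dataclass(frozen=True)
class Finding:
    check_id: str
    level: int
    failing: List[str]


def check_root_mfa(snap: Dict[str, Any]) -> List[str]:
    return [] if snap["root_account"]["mfa_enabled"] else ["root"]


def check_console_user_mfa(snap: Dict[str, Any]) -> List[str]:
    # Only users with console access are in scope; API-only identities are not.
    return [u["name"] for u in snap["iam_users"] if u["console_access"] and not u["mfa_enabled"]]


def check_password_length(snap: Dict[str, Any]) -> List[str]:
    return [] if snap["password_policy"]["min_length"] >= 14 else ["password_policy"]


def check_trail(snap: Dict[str, Any]) -> List[str]:
    # Control-plane logging: at least one multi-region trail with log file validation.
    trails = snap["cloudtrail"]["trails"]
    if any(t["is_multi_region"] and t["log_file_validation"] for t in trails):
        return []
    return [t["name"] for t in trails] or ["no-trail"]


def check_bucket_encryption(snap: Dict[str, Any]) -> List[str]:
    return [b["name"] for b in snap["s3_buckets"] if not b["default_encryption"]]


def check_public_buckets(snap: Dict[str, Any]) -> List[str]:
    return [b["name"] for b in snap["s3_buckets"] if b["public"]]


def check_open_admin_ports(snap: Dict[str, Any]) -> List[str]:
    # SSH/RDP reachable from anywhere is the classic network-hardening failure.
    return [sg["id"] for sg in snap["security_groups"]
            if any(r["port"] in (22, 3389) and r["cidr"] == "0.0.0.0/0" for r in sg["ingress"])]


CHECKS: List[Check] = [
    Check("X-1.1", "Root account has MFA enabled", 1, check_root_mfa),
    Check("X-1.2", "Console users have MFA enabled", 1, check_console_user_mfa),
    Check("X-1.3", "Password policy requires at least 14 characters", 1, check_password_length),
    Check("X-2.1", "A multi-region trail with log file validation exists", 1, check_trail),
    Check("X-2.2", "Storage buckets have default encryption", 2, check_bucket_encryption),
    Check("X-2.3", "No storage bucket is publicly accessible", 1, check_public_buckets),
    Check("X-3.1", "No security group allows 22/3389 from 0.0.0.0/0", 1, check_open_admin_ports),
]


def run_checks(snap: Dict[str, Any], max_level: int = 2) -> List[Finding]:
    """Run every check up to max_level and return one Finding per failing check."""
    findings = []
    for check in CHECKS:
        if check.level > max_level:
            continue
        failing = check.evaluate(snap)
        if failing:
            findings.append(Finding(check.check_id, check.level, failing))
    return findings


if __name__ == "__main__":
    for f in run_checks(SAMPLE_SNAPSHOT, max_level=1):
        print(f"FAIL L{f.level} {f.check_id}: {', '.join(f.failing)}")
```

Running with `max_level=1` gives the quick Level 1 pass the article calls the basic recommendations; raising it to 2 adds the higher-impact checks. In practice the snapshot would be produced by an inventory job (or replaced by a CSPM tool), and each check would carry the real recommendation number and remediation text from the benchmark.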

Consider configuration drift

CIS benchmarks are valuable, but they are not enough on their own. Trying to manually configure every item of a public cloud benchmark (which typically covers hundreds of pages) is infeasible for even the most seasoned DevOps professional. However, there are automated tools, some free and open-source, some part of commercial solutions, which can automatically configure your cloud according to the benchmarks.

It is even more important to consider configuration drift. The cloud is a very dynamic environment, and what you configure today will be gone tomorrow. To ensure you stay secure, ensure you:

  • Gain control over all processes to create new cloud workloads and services, and ensure they enforce security standards.
  • Use cloud-native tools like infrastructure-as-code (IaC) to automate secure configurations — just as you do with everything else.
  • Put a configuration monitoring solution in place, such as cloud security posture management (CSPM), cloud workload protection platform (CWPP), or cloud access security broker (CASB), which can automatically scan and verify secure configurations.

All of this information helps as you move one step closer towards hardening the DevOps cloud.

Gilad David Maayan

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.
