The First Steps of Establishing Your Cloud Security Strategy

When you're working with Controls v8 and the CIS Controls Cloud Companion Guide, you need to lay a foundation on which you can build your unique cloud security efforts. Toward that end, you can tailor the Controls in the context of a specific Information Technology/Operational Technology (IT/OT) map. 

To help you make an impact at the beginning of your cloud security journey, we recommend you focus on two Controls in particular: CIS Control 3 – Data Protection and CIS Control 16 – Application Security.

Cloud Data Security with CIS Control 3

The purpose of CIS Control 3 is to help you create processes for protecting your data in the cloud. Consumers don't always know that they're responsible for cloud data security, which means they might not have adequate controls in place. For instance, without proper visibility, cloud consumers might be unaware that they're leaking their data for weeks, months, or even years. 

CIS Control 3 walks you through how to close this gap by identifying, classifying, securely handling, retaining, and disposing of your cloud-based data, as shown in the screenshot below.

A screenshot of CIS Control 3: Data Protection. (Source: CIS Controls v8)

Cloud Application Security with CIS Control 16

In addition to protecting your cloud-based data, you need to manage your cloud application security in accordance with CIS Control 16. Your responsibility in this area applies to applications developed by your in-house teams and acquired from external product vendors.

To prevent, detect, and remediate vulnerabilities in your cloud-based applications, you need a comprehensive program that brings together people, processes, and technology. Continuous Vulnerability Management, as discussed in CIS Control 7, sits at the heart of this program. You can then expand your security efforts by using supply chain risk management for externally acquired software and a secure software development life cycle (SDLC) for applications produced in house.

Hardening Your Cloud-Based Assets with MFA, Lack of Public Access

With CIS Controls 3 and 16 as your foundation, you can build upon your progress by hardening your accounts and workloads in the cloud with the security recommendations of the CIS Benchmarks, which map back to the Controls.

Want to learn more about the CIS Benchmarks? Check out our video below.

 

Using the CIS Amazon Web Services Foundations Benchmark v3.0.0 as an example, here are two recommendations you can implement to protect your data in the cloud.

Set up MFA for the 'Root' User Account

The 'root' user account is the most privileged user in your AWS account. In the event of a compromise, a cyber threat actor (CTA) could use your 'root' user account to access sensitive data stored in your AWS environment.

To address this threat, you need to safeguard your 'root' user account. You can do so by implementing Recommendation 1.5, which advises you to set up multi-factor authentication (MFA) using a dedicated device that's managed by your company. Do not use a personal device to protect your 'root' user account with MFA, as this could increase the risk of account lockout if the device owner leaves the company, changes their number, or loses their device.

Block Public Access on Your S3 Buckets

Amazon Simple Storage Service (S3) enables you to store objects in your AWS environment using a web interface. The issue is that not everyone configures their S3 buckets securely. By default, S3 buckets don't allow public access upon their creation. However, an Identity and Access Management (IAM) principal with sufficient permissions could enable public access to your S3 buckets. In doing so, they could inadvertently expose your buckets and their respective objects.

You can mitigate this risk by implementing Recommendation 2.1.4. This guideline consists of ensuring that you've configured S3 buckets to "Block public access" in both your individual bucket settings and in your AWS account settings. That way, you'll block the public from accessing any of your S3 buckets and its contained objects connected to your AWS account. 

Streamlining Your Use of Cloud Security Best Practices

The Controls and Benchmarks recommendations discussed above will help you take the first steps in implementing your cloud security strategy. From here, you can save time securely configuring your technologies using the CIS Hardened Images®, virtual machine images (VMIs) that are pre-hardened to the security recommendations of the Benchmarks.

Ready to begin the next stage of your cloud security journey? Spin up a Hardened Image.

Featured

  • minimalist geometric grid pattern of blue, gray, and white squares and rectangles

    Windows Server 2025 Now Generally Available

    Microsoft has announced the general availability of Windows Server 2025. The release will enable organizations to deploy applications on-premises, in hybrid setups, or fully in the cloud, the company said.

  • cloud icon connected to a data network with an alert symbol (a triangle with an exclamation mark) overlaying the cloud

    U.S. Department of Commerce Proposes Reporting Requirements for AI, Cloud Providers

    The United States Department of Commerce is proposing a new reporting requirement for AI developers and cloud providers. This proposed rule from the department's Bureau of Industry and Security (BIS) aims to enhance national security by establishing reporting requirements for the development of advanced AI models and computing clusters.

  • A top-down view of a person walking through a maze with walls made of glowing blue Wi-Fi symbols on dark pathways

    Navigating New E-Rate Rules for WiFi Hotspots

    Beginning in funding year 2025, WiFi hotspots will be eligible for E-rate Category One discounts. Here's what you need to know about your school's eligibility, funding caps, tracking requirements, and more.

  • stylized illustration of diverse students holding laptops, smartphones, and sitting at computers

    Student Device Access Skews Along Income, Racial Lines

    A recent study on the "digital divide" among high school students shows improving device access, but persistent barriers for historically underprivileged populations.