The First Steps of Establishing Your Cloud Security Strategy

When you're working with Controls v8 and the CIS Controls Cloud Companion Guide, you need to lay a foundation on which you can build your unique cloud security efforts. Toward that end, you can tailor the Controls in the context of a specific Information Technology/Operational Technology (IT/OT) map. 

To help you make an impact at the beginning of your cloud security journey, we recommend you focus on two Controls in particular: CIS Control 3 – Data Protection and CIS Control 16 – Application Security.

Cloud Data Security with CIS Control 3

The purpose of CIS Control 3 is to help you create processes for protecting your data in the cloud. Consumers don't always know that they're responsible for cloud data security, which means they might not have adequate controls in place. For instance, without proper visibility, cloud consumers might be unaware that they're leaking their data for weeks, months, or even years. 

CIS Control 3 walks you through how to close this gap by identifying, classifying, securely handling, retaining, and disposing of your cloud-based data, as shown in the screenshot below.

A screenshot of CIS Control 3: Data Protection. (Source: CIS Controls v8)

Cloud Application Security with CIS Control 16

In addition to protecting your cloud-based data, you need to manage your cloud application security in accordance with CIS Control 16. Your responsibility in this area applies to applications developed by your in-house teams and acquired from external product vendors.

To prevent, detect, and remediate vulnerabilities in your cloud-based applications, you need a comprehensive program that brings together people, processes, and technology. Continuous Vulnerability Management, as discussed in CIS Control 7, sits at the heart of this program. You can then expand your security efforts by using supply chain risk management for externally acquired software and a secure software development life cycle (SDLC) for applications produced in house.

Hardening Your Cloud-Based Assets with MFA, Lack of Public Access

With CIS Controls 3 and 16 as your foundation, you can build upon your progress by hardening your accounts and workloads in the cloud with the security recommendations of the CIS Benchmarks, which map back to the Controls.

Want to learn more about the CIS Benchmarks? Check out our video below.

 

Using the CIS Amazon Web Services Foundations Benchmark v3.0.0 as an example, here are two recommendations you can implement to protect your data in the cloud.

Set up MFA for the 'Root' User Account

The 'root' user account is the most privileged user in your AWS account. In the event of a compromise, a cyber threat actor (CTA) could use your 'root' user account to access sensitive data stored in your AWS environment.

To address this threat, you need to safeguard your 'root' user account. You can do so by implementing Recommendation 1.5, which advises you to set up multi-factor authentication (MFA) using a dedicated device that's managed by your company. Do not use a personal device to protect your 'root' user account with MFA, as this could increase the risk of account lockout if the device owner leaves the company, changes their number, or loses their device.

Block Public Access on Your S3 Buckets

Amazon Simple Storage Service (S3) enables you to store objects in your AWS environment using a web interface. The issue is that not everyone configures their S3 buckets securely. By default, S3 buckets don't allow public access upon their creation. However, an Identity and Access Management (IAM) principal with sufficient permissions could enable public access to your S3 buckets. In doing so, they could inadvertently expose your buckets and their respective objects.

You can mitigate this risk by implementing Recommendation 2.1.4. This guideline consists of ensuring that you've configured S3 buckets to "Block public access" in both your individual bucket settings and in your AWS account settings. That way, you'll block the public from accessing any of your S3 buckets and its contained objects connected to your AWS account. 

Streamlining Your Use of Cloud Security Best Practices

The Controls and Benchmarks recommendations discussed above will help you take the first steps in implementing your cloud security strategy. From here, you can save time securely configuring your technologies using the CIS Hardened Images®, virtual machine images (VMIs) that are pre-hardened to the security recommendations of the Benchmarks.

Ready to begin the next stage of your cloud security journey? Spin up a Hardened Image.

Featured

  • Two digital hands made of interconnected lines and nodes shaking hands firmly against a minimal technological background

    IBM to Acquire AI and Data Solutions Provider DataStax

    IBM has announced the planned acquisition AI and data solutions provider DataStax, in a move aimed at enhancing its watsonx portfolio and advancing generative artificial intelligence (AI) capabilities for enterprises.

  • teacher and children working with a LEGO Education Science kit

    LEGO Education Debuts Science Kits for Hands-on Learning

    LEGO Education has announced a new learning solution to engage students in hands-on science learning. Available in three kits by grade band, LEGO Education Science provides 120-plus standards-aligned science lessons, teacher materials, and select LEGO bricks and hardware.

  • Rebind platform

    Grant Program to Give Free Access to AI-Powered Reading Platform

    E-reading publishing company Rebind has announced a new "Classics in the Classroom" grant program for United States high school and college educators, providing free access to the company's AI-powered reading platform for the Fall 2025 term.

  • DreamBox Math

    Discovery Education Announces Accessibility Enhancements for DreamBox Math

    Discovery Education has updated DreamBox Math, an online math program for K–8 students to supplement core instruction, to improve accessibility for K–5 students, according to a news release. DreamBox Math provides personalized instruction by adapting to individual learners’ responses and providing an engaging, dynamic learning environment.