The First Steps of Establishing Your Cloud Security Strategy

When you're working with Controls v8 and the CIS Controls Cloud Companion Guide, you need to lay a foundation on which you can build your unique cloud security efforts. Toward that end, you can tailor the Controls in the context of a specific Information Technology/Operational Technology (IT/OT) map. 

To help you make an impact at the beginning of your cloud security journey, we recommend you focus on two Controls in particular: CIS Control 3 – Data Protection and CIS Control 16 – Application Security.

Cloud Data Security with CIS Control 3

The purpose of CIS Control 3 is to help you create processes for protecting your data in the cloud. Consumers don't always know that they're responsible for cloud data security, which means they might not have adequate controls in place. For instance, without proper visibility, cloud consumers might be unaware that they're leaking their data for weeks, months, or even years. 

CIS Control 3 walks you through how to close this gap by identifying, classifying, securely handling, retaining, and disposing of your cloud-based data, as shown in the screenshot below.

A screenshot of CIS Control 3: Data Protection. (Source: CIS Controls v8)

Cloud Application Security with CIS Control 16

In addition to protecting your cloud-based data, you need to manage your cloud application security in accordance with CIS Control 16. Your responsibility in this area applies to applications developed by your in-house teams and acquired from external product vendors.

To prevent, detect, and remediate vulnerabilities in your cloud-based applications, you need a comprehensive program that brings together people, processes, and technology. Continuous Vulnerability Management, as discussed in CIS Control 7, sits at the heart of this program. You can then expand your security efforts by using supply chain risk management for externally acquired software and a secure software development life cycle (SDLC) for applications produced in house.

Hardening Your Cloud-Based Assets with MFA, Lack of Public Access

With CIS Controls 3 and 16 as your foundation, you can build upon your progress by hardening your accounts and workloads in the cloud with the security recommendations of the CIS Benchmarks, which map back to the Controls.

Want to learn more about the CIS Benchmarks? Check out our video below.

 

Using the CIS Amazon Web Services Foundations Benchmark v3.0.0 as an example, here are two recommendations you can implement to protect your data in the cloud.

Set up MFA for the 'Root' User Account

The 'root' user account is the most privileged user in your AWS account. In the event of a compromise, a cyber threat actor (CTA) could use your 'root' user account to access sensitive data stored in your AWS environment.

To address this threat, you need to safeguard your 'root' user account. You can do so by implementing Recommendation 1.5, which advises you to set up multi-factor authentication (MFA) using a dedicated device that's managed by your company. Do not use a personal device to protect your 'root' user account with MFA, as this could increase the risk of account lockout if the device owner leaves the company, changes their number, or loses their device.

Block Public Access on Your S3 Buckets

Amazon Simple Storage Service (S3) enables you to store objects in your AWS environment using a web interface. The issue is that not everyone configures their S3 buckets securely. By default, S3 buckets don't allow public access upon their creation. However, an Identity and Access Management (IAM) principal with sufficient permissions could enable public access to your S3 buckets. In doing so, they could inadvertently expose your buckets and their respective objects.

You can mitigate this risk by implementing Recommendation 2.1.4. This guideline consists of ensuring that you've configured S3 buckets to "Block public access" in both your individual bucket settings and in your AWS account settings. That way, you'll block the public from accessing any of your S3 buckets and its contained objects connected to your AWS account. 

Streamlining Your Use of Cloud Security Best Practices

The Controls and Benchmarks recommendations discussed above will help you take the first steps in implementing your cloud security strategy. From here, you can save time securely configuring your technologies using the CIS Hardened Images®, virtual machine images (VMIs) that are pre-hardened to the security recommendations of the Benchmarks.

Ready to begin the next stage of your cloud security journey? Spin up a Hardened Image.

Featured

  • Abstract geometric pattern with interconnected nodes and lines

    Microsoft 365 Copilot Updates Offer Expanded AI Capabilities, Collaboration Tools

    Microsoft has announced updates to its Microsoft 365 Copilot AI assistant, including expanded AI capabilities in individual apps, the ability to create autonomous agents, and a new AI-powered collaboration workspace.

  • An open book with text transforming into smooth lines represents reading ease

    Fluency Innovator Grants to Award Free Subscriptions to WordFlight Literacy Intervention Solution

    The call for applications is now open for Foundations in Learning's Fall 2024 Fluency Innovator Grants program. Teachers and administrators from schools and districts serving grades 3-8 may apply to receive a free subscription to WordFlight, a literacy assessment and intervention solution for students with deficits in reading fluency and comprehension, for the Fall 2024 semester.

  • AI-themed background with sparse circuit lines and minimal geometric shapes

    Microsoft to Introduce AI Agent Building Tools in Copilot Studio

    In November, Microsoft plans to roll out a public preview of a new feature within Copilot Studio, allowing users to create autonomous AI "agents" designed to handle routine tasks.

  • landscape photo with an AI rubber stamp on top

    California AI Watermarking Bill Supported by OpenAI

    OpenAI, creator of ChatGPT, is backing a California bill that would require tech companies to label AI-generated content in the form of a digital "watermark." The proposed legislation, known as the "California Digital Content Provenance Standards" (AB 3211), aims to ensure transparency in digital media by identifying content created through artificial intelligence. This requirement would apply to a broad range of AI-generated material, from harmless memes to deepfakes that could be used to spread misinformation about political candidates.