The First Steps of Establishing Your Cloud Security Strategy

When you're working with Controls v8 and the CIS Controls Cloud Companion Guide, you need to lay a foundation on which you can build your unique cloud security efforts. Toward that end, you can tailor the Controls in the context of a specific Information Technology/Operational Technology (IT/OT) map. 

To help you make an impact at the beginning of your cloud security journey, we recommend you focus on two Controls in particular: CIS Control 3 – Data Protection and CIS Control 16 – Application Security.

Cloud Data Security with CIS Control 3

The purpose of CIS Control 3 is to help you create processes for protecting your data in the cloud. Consumers don't always know that they're responsible for cloud data security, which means they might not have adequate controls in place. For instance, without proper visibility, cloud consumers might be unaware that they're leaking their data for weeks, months, or even years. 

CIS Control 3 walks you through how to close this gap by identifying, classifying, securely handling, retaining, and disposing of your cloud-based data, as shown in the screenshot below.

A screenshot of CIS Control 3: Data Protection. (Source: CIS Controls v8)

Cloud Application Security with CIS Control 16

In addition to protecting your cloud-based data, you need to manage your cloud application security in accordance with CIS Control 16. Your responsibility in this area applies to applications developed by your in-house teams and acquired from external product vendors.

To prevent, detect, and remediate vulnerabilities in your cloud-based applications, you need a comprehensive program that brings together people, processes, and technology. Continuous Vulnerability Management, as discussed in CIS Control 7, sits at the heart of this program. You can then expand your security efforts by using supply chain risk management for externally acquired software and a secure software development life cycle (SDLC) for applications produced in house.

Hardening Your Cloud-Based Assets with MFA, Lack of Public Access

With CIS Controls 3 and 16 as your foundation, you can build upon your progress by hardening your accounts and workloads in the cloud with the security recommendations of the CIS Benchmarks, which map back to the Controls.

Want to learn more about the CIS Benchmarks? Check out our video below.

 

Using the CIS Amazon Web Services Foundations Benchmark v3.0.0 as an example, here are two recommendations you can implement to protect your data in the cloud.

Set up MFA for the 'Root' User Account

The 'root' user account is the most privileged user in your AWS account. In the event of a compromise, a cyber threat actor (CTA) could use your 'root' user account to access sensitive data stored in your AWS environment.

To address this threat, you need to safeguard your 'root' user account. You can do so by implementing Recommendation 1.5, which advises you to set up multi-factor authentication (MFA) using a dedicated device that's managed by your company. Do not use a personal device to protect your 'root' user account with MFA, as this could increase the risk of account lockout if the device owner leaves the company, changes their number, or loses their device.

Block Public Access on Your S3 Buckets

Amazon Simple Storage Service (S3) enables you to store objects in your AWS environment using a web interface. The issue is that not everyone configures their S3 buckets securely. By default, S3 buckets don't allow public access upon their creation. However, an Identity and Access Management (IAM) principal with sufficient permissions could enable public access to your S3 buckets. In doing so, they could inadvertently expose your buckets and their respective objects.

You can mitigate this risk by implementing Recommendation 2.1.4. This guideline consists of ensuring that you've configured S3 buckets to "Block public access" in both your individual bucket settings and in your AWS account settings. That way, you'll block the public from accessing any of your S3 buckets and its contained objects connected to your AWS account. 

Streamlining Your Use of Cloud Security Best Practices

The Controls and Benchmarks recommendations discussed above will help you take the first steps in implementing your cloud security strategy. From here, you can save time securely configuring your technologies using the CIS Hardened Images®, virtual machine images (VMIs) that are pre-hardened to the security recommendations of the Benchmarks.

Ready to begin the next stage of your cloud security journey? Spin up a Hardened Image.

Featured

  • futuristic crystal ball with holographic data projections

    Call for Opinions: 2025 Predictions for Education IT

    How will the technology landscape in education change in the coming year? We're inviting our readership to weigh in with their predictions, wishes, or worries for 2025.

  • stylized illustration of a global AI treaty signing, featuring diverse human figures seated around a round table

    First Global Treaty to Regulate AI Signed

    The United States, United Kingdom, European Union, and several other countries have signed "The Framework Convention on Artificial Intelligence, Human Rights, Democracy, and the Rule of Law," the world's first legally binding treaty aimed at regulating the use of artificial intelligence (AI).

  • human figures interacting with a tablet, surrounded by floating geometric maintenance icons and faint outlines of campus elements

    Miami-Dade County Public Schools Rolls Out Facilitron Facility Management Platform

    Miami-Dade County Public Schools (MDCPS) has announced a partnership with facility management systems provider Facilitron. MDCPS has about 350,000 students across 400 campuses and is the 19th Florida school district to use Facilitron’s platform.

  • close-up of a video game controller

    Verizon Launches Free Scholastic High School Esports League

    Through its Verizon Innovative Learning HQ suite of free learning content and resources, Verizon has launched its first-ever scholastic high school esports league. The league opened for registration on Aug. 8 and will run from Sept. 23 to Dec. 13.