The First Steps of Establishing Your Cloud Security Strategy

When you're working with Controls v8 and the CIS Controls Cloud Companion Guide, you need to lay a foundation on which you can build your unique cloud security efforts. Toward that end, you can tailor the Controls in the context of a specific Information Technology/Operational Technology (IT/OT) map. 

To help you make an impact at the beginning of your cloud security journey, we recommend you focus on two Controls in particular: CIS Control 3 – Data Protection and CIS Control 16 – Application Security.

Cloud Data Security with CIS Control 3

The purpose of CIS Control 3 is to help you create processes for protecting your data in the cloud. Consumers don't always know that they're responsible for cloud data security, which means they might not have adequate controls in place. For instance, without proper visibility, cloud consumers might be unaware that they're leaking their data for weeks, months, or even years. 

CIS Control 3 walks you through how to close this gap by identifying, classifying, securely handling, retaining, and disposing of your cloud-based data, as shown in the screenshot below.

A screenshot of CIS Control 3: Data Protection. (Source: CIS Controls v8)

Cloud Application Security with CIS Control 16

In addition to protecting your cloud-based data, you need to manage your cloud application security in accordance with CIS Control 16. Your responsibility in this area applies to applications developed by your in-house teams and acquired from external product vendors.

To prevent, detect, and remediate vulnerabilities in your cloud-based applications, you need a comprehensive program that brings together people, processes, and technology. Continuous Vulnerability Management, as discussed in CIS Control 7, sits at the heart of this program. You can then expand your security efforts by using supply chain risk management for externally acquired software and a secure software development life cycle (SDLC) for applications produced in house.

Hardening Your Cloud-Based Assets with MFA, Lack of Public Access

With CIS Controls 3 and 16 as your foundation, you can build upon your progress by hardening your accounts and workloads in the cloud with the security recommendations of the CIS Benchmarks, which map back to the Controls.

Want to learn more about the CIS Benchmarks? Check out our video below.

 

Using the CIS Amazon Web Services Foundations Benchmark v3.0.0 as an example, here are two recommendations you can implement to protect your data in the cloud.

Set up MFA for the 'Root' User Account

The 'root' user account is the most privileged user in your AWS account. In the event of a compromise, a cyber threat actor (CTA) could use your 'root' user account to access sensitive data stored in your AWS environment.

To address this threat, you need to safeguard your 'root' user account. You can do so by implementing Recommendation 1.5, which advises you to set up multi-factor authentication (MFA) using a dedicated device that's managed by your company. Do not use a personal device to protect your 'root' user account with MFA, as this could increase the risk of account lockout if the device owner leaves the company, changes their number, or loses their device.

Block Public Access on Your S3 Buckets

Amazon Simple Storage Service (S3) enables you to store objects in your AWS environment using a web interface. The issue is that not everyone configures their S3 buckets securely. By default, S3 buckets don't allow public access upon their creation. However, an Identity and Access Management (IAM) principal with sufficient permissions could enable public access to your S3 buckets. In doing so, they could inadvertently expose your buckets and their respective objects.

You can mitigate this risk by implementing Recommendation 2.1.4. This guideline consists of ensuring that you've configured S3 buckets to "Block public access" in both your individual bucket settings and in your AWS account settings. That way, you'll block the public from accessing any of your S3 buckets and its contained objects connected to your AWS account. 

Streamlining Your Use of Cloud Security Best Practices

The Controls and Benchmarks recommendations discussed above will help you take the first steps in implementing your cloud security strategy. From here, you can save time securely configuring your technologies using the CIS Hardened Images®, virtual machine images (VMIs) that are pre-hardened to the security recommendations of the Benchmarks.

Ready to begin the next stage of your cloud security journey? Spin up a Hardened Image.

Featured

  • glowing digital human brain composed of abstract lines and nodes, connected to STEM icons, including a DNA strand, a cogwheel, a circuit board, and mathematical formulas

    OpenAI Launches 'Reasoning' AI Model Optimized for STEM

    OpenAI has launched o1, a new family of AI models that are optimized for "reasoning-heavy" tasks like math, coding and science.

  • landscape photo with an AI rubber stamp on top

    California AI Watermarking Bill Supported by OpenAI

    OpenAI, creator of ChatGPT, is backing a California bill that would require tech companies to label AI-generated content in the form of a digital "watermark." The proposed legislation, known as the "California Digital Content Provenance Standards" (AB 3211), aims to ensure transparency in digital media by identifying content created through artificial intelligence. This requirement would apply to a broad range of AI-generated material, from harmless memes to deepfakes that could be used to spread misinformation about political candidates.

  • clock with gears and digital circuits inside

    Report Estimates Cost of AI at Nearly $300K Per Minute

    A report from cloud-based data/BI specialist Domo provides a staggering estimate of the minute-by-minute impact of today's generative AI boom.

  • glowing lines connecting colorful nodes on a deep blue and black gradient background

    Juniper Intros AI-Native Networking and Security Management Platform

    Juniper Networks has launched a new solution that integrates security and networking management under a unified cloud and artificial intelligence engine.