Organizations have increased their public cloud usage, as the benefits are obvious (elasticity, a pay-as-you-go subscription model, etc.). While adoption across cloud layers (IaaS, PaaS, SaaS) varies between organizations, one thing is certain: IaaS usage is the most prevalent. Organizations end up shifting to the cloud in a hurry, most likely with a “lift and shift” approach. As a result, applications, services and assets that were earlier sitting behind corporate firewalls are now exposed via the cloud.
Most vulnerability solutions simply provide a vulnerability assessment report for organizational assets (virtual machines / containers) in the public cloud. However, this leaves a large gap unaddressed, as misconfigurations are the single biggest cause of data breaches in the cloud. These data breaches exposed more than 33 billion records and cost close to $5 trillion in 2018 and 2019. Common causes of misconfiguration include:
- Not understanding the shared responsibility model – Most cloud providers operate under a shared responsibility model when it comes to security. However, most business users think that the cloud provider is solely responsible for all security aspects.
- Ease of (mis-)configuration – Cloud services are designed for rapid deployment and usage. However, this results in default settings creeping directly into production.
- Ease of making temporary deviations – This is similar to the point above, but the key difference is that any deviation from the blueprint can persist and have devastating effects.
Also, as organizations tend to spread their eggs across multiple baskets, DevSecOps teams struggle to keep up with multiple cloud providers. Typical misconfigurations include:
- SSH/RDP ports open to the internet
- Cloud storage folders openly accessible via internet
- Weak password policy for cloud users
- Missing rotation policy for API keys/tokens
Traditional vulnerability solutions do not take a holistic approach when it comes to the cloud. They tend to focus on vulnerability management and leave you in the dark when it comes to security posture management for the cloud. Security benchmarks from the Center for Internet Security (CIS) are the gold standard for cloud security posture management (CSPM). CIS benchmarks are configuration baselines and best practices for securely configuring a system. Each guidance recommendation references one or more CIS controls, which were developed to help organizations improve their cyber defense capabilities. CIS controls map to many established standards and regulatory frameworks, including the NIST Cybersecurity Framework (CSF), NIST SP 800-53, the ISO 27000 series, PCI DSS, HIPAA and others. CIS benchmarks define two profile levels:
- Level 1 recommends essential basic security requirements that can be configured on any system and should cause little or no interruption of service or reduced functionality.
- Level 2 recommends security settings for environments requiring greater security, which could result in some reduced functionality.
For cloud providers, the benchmark recommendations cover areas such as:
- Identity and Access Management
- Logging
- Monitoring
- Networking
- Compute / Virtual machine services
- Database services
It is worth noting that CIS Security Benchmarks provide well-defined, unbiased, consensus-based industry best practices to help organizations assess and improve their security.
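As an added illustration (not ThreatWorx code and not a CIS artifact), the misconfigurations listed earlier expressed as benchmark-style checks over a constructed inventory, each finding reported as (check_id, resource, detail). The inventory record shapes, the sample date and the thresholds (14-character minimum password length, reuse prevention of 24 passwords, 90-day key rotation) are assumptions made for this example; confirm thresholds against the benchmark version you adopt.

```python
from datetime import date, timedelta

# Constructed sample inventory for this example; record shapes are an assumption here, not a provider's API.
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "rules": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
        {"id": "sg-admin", "rules": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
                                     {"cidr": "10.0.0.0/8", "from_port": 3389, "to_port": 3389}]},
        {"id": "sg-any", "rules": [{"cidr": "::/0", "from_port": 0, "to_port": 65535}]},
    ],
    "buckets": [{"name": "public-assets", "public": True}, {"name": "backups", "public": False}],
    "password_policy": {"min_length": 8, "reuse_prevention": 3},
    "access_keys": [{"user": "ci-bot", "created": date(2024, 1, 1)},
                    {"user": "alice", "created": date(2024, 7, 1)}],
}
SAMPLE_DATE = date(2024, 9, 1)  # fixed "today" so the run is reproducible
ANY_CIDRS = {"0.0.0.0/0", "::/0"}       # IPv4 and IPv6 "whole internet"
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
# Thresholds in the spirit of CIS cloud benchmarks (assumed here; confirm against the version you adopt)
PASSWORD_BASELINE = {"min_length": 14, "reuse_prevention": 24}
MAX_KEY_AGE = timedelta(days=90)

def open_admin_ports(groups):
    """Ingress rules exposing SSH or RDP to the whole internet (port ranges included)."""
    findings = []
    for g in groups:
        for r in g["rules"]:
            if r["cidr"] in ANY_CIDRS:
                for port, name in ADMIN_PORTS.items():
                    if r["from_port"] <= port <= r["to_port"]:
                        findings.append(("open_admin_port", g["id"], f"{name} from {r['cidr']}"))
    return findings

def public_buckets(buckets):  # storage readable by anyone on the internet
    return [("public_bucket", b["name"], "publicly readable") for b in buckets if b["public"]]

def weak_password_policy(policy):
    """Password policy settings that fall below the baseline."""
    return [("weak_password_policy", "account", f"{k} {policy[k]} < {v}")
            for k, v in PASSWORD_BASELINE.items() if policy[k] < v]

def stale_access_keys(keys, today):
    """API keys older than the rotation window."""
    return [("stale_access_key", k["user"], f"{(today - k['created']).days} days old")
            for k in keys if today - k["created"] > MAX_KEY_AGE]

def assess(inventory, today):  # run every check; findings are (check_id, resource, detail)
    return (open_admin_ports(inventory["security_groups"]) + public_buckets(inventory["buckets"])
            + weak_password_policy(inventory["password_policy"])
            + stale_access_keys(inventory["access_keys"], today))
```

On the sample inventory, `assess(INVENTORY, SAMPLE_DATE)` reports seven findings; note that the wide-open `sg-any` rule is caught even though it names no admin port explicitly, which a naive equality check on port numbers would miss.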
ThreatWorx supports CIS Security Benchmarks for the major public cloud providers (Azure, AWS, Google Cloud Platform) as well as Docker. Periodic assessments help ensure ongoing compliance and flag any deviations.