In 2020, the shift to a global remote workforce demonstrated just how difficult securing a cloud environment can be. Now organizations face the challenge of securing hybrid environments. To address these challenges, many companies migrate to the cloud and leverage cloud service providers (CSPs) such as Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Oracle Cloud. These public cloud providers offer cost-effective, scalable cloud computing solutions.
Among the many benefits of operating on the public cloud, users share the security responsibilities with the CSP. Typically, the CSP is responsible for the physical security of the cloud infrastructure, while the customer is responsible for securing the services and/or applications they use. The division of these responsibilities is known as the shared responsibility model for cloud security.
Shared Responsibility Model Characteristics
Based on the type of cloud environment required by an organization, the delineation of security responsibilities will differ. Responsibilities vary according to the four main types of cloud environments:
Infrastructure as a Service (IaaS)
Software as a Service (SaaS)
Platform as a Service (PaaS)
Function as a Service (FaaS)
Ultimately, however, the protection of an organization’s data lies with the organization itself. That’s where the Center for Internet Security (CIS) can help. CIS strives to make the connected world a safer place by developing, validating, and promoting best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats. Our vision is to lead the global community to secure our ever-changing connected world. Part of that is providing organizations with resources that help them meet their portion of the shared responsibility model for cloud security.
Cloud Security Resources Available from CIS
CIS works with a global community to develop three main security best practices that can help cloud consumers meet the shared responsibility model:
CIS Controls
A prioritized set of 20 actions that collectively form a defense-in-depth set of best practices. The CIS Controls are practical and prescriptive actions that organizations should take to prevent common cyber-attacks.
The CIS Controls Cloud Companion Guide is a free resource that can help users apply the CIS Controls in the cloud. Notably, the guide maps the CIS Controls to the four main types of cloud environments.
CIS Benchmarks
The CIS Benchmarks are configuration guidelines for technologies, operating systems, containers, and more. There are more than 100 CIS Benchmarks covering 25+ vendor product families.
In particular, the CIS Foundations Benchmarks provide prescriptive guidance for configuring, deploying, and securing services in public cloud environments. This resource can assist cloud users with the shared responsibility model, notably identity and access management. A free CIS Foundations Benchmark is available for the following cloud environments:
Amazon Web Services (AWS)
Microsoft Azure
Google Cloud Platform (GCP)
Oracle Cloud Infrastructure
Alibaba Cloud
IBM Cloud
CIS Hardened Images
Lastly, CIS Hardened Images are virtual machine images for operating systems, containers, and applications. They’re pre-configured to CIS Benchmark recommendations. Backed by a global community of cybersecurity experts and built from the base image provided by CSPs, CIS Hardened Images integrate seamlessly into an organization’s security procedures. Because they run in an IaaS environment, CIS Hardened Images can help with the host infrastructure part of the shared responsibility model.
What’s more, CIS updates and patches these Hardened Images on a monthly basis to ensure the latest security configurations are in place. Every CIS Hardened Image includes a CIS-CAT Pro report showing conformance to the CIS Benchmark. It also includes an exception report showing configurations that cannot be applied in the cloud.
CIS Hardened Images are available on four major CSP marketplaces:
AWS Marketplace including AWS GovCloud (US) region
Microsoft Azure Marketplace including Azure Government
Google Cloud Platform Marketplace
Oracle Cloud Marketplace
CIS Shared Responsibility Model Resource
The shared responsibility model for cloud security provides clarity on security expectations for public cloud users. However, an understanding of the expectation is just the first step. Users must act on these responsibilities by creating policies and procedures for their portion of cloud security. In order to do this, cloud consumers should use cloud security tools and resources that directly address the needs of their cloud environment.
In sum, whether they’re used together or individually, CIS Controls, CIS Benchmarks, and CIS Hardened Images provide organizations operating in the cloud prescriptive guidance to secure their environments. They also help organizations conform to the shared responsibility model with ease. In this guide, we provide a deep dive into the shared responsibility model for cloud security, the division of user and CSP responsibilities, and how CIS resources help meet those responsibilities.