The shift to a global remote workforce is demonstrating just how difficult cloud security can be. This is especially true for organizations that host their infrastructure on-premises.
To address these challenges, many companies are migrating to the cloud, leveraging cloud service providers (CSPs) such as Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Oracle Cloud. These public cloud providers offer cost-effective, scalable cloud computing solutions.
One of the many benefits of being on the public cloud is that users share the security responsibilities with the CSP. Typically, the CSP is responsible for the physical security of the cloud infrastructure, while the customer is responsible for securing the services and/or applications they use. The division of these responsibilities is known as the shared responsibility model for cloud security.
Shared Responsibility Model Characteristics
Based on the type of cloud environment required by an organization, the delineation of security responsibilities will differ. Responsibilities vary according to the four main types of cloud environments:
- Infrastructure as a Service (IaaS)
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Function as a Service (FaaS)
Ultimately, however, the protection of an organization’s data lies with the organization itself. And that’s where the Center for Internet Security (CIS) can help. CIS strives to make the connected world a safer place by developing, validating, and promoting best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats. Our vision is to lead the global community to secure our ever-changing connected world.
Cloud Security Resources Available from CIS
CIS works with a global community to develop security best practices, including:
CIS Controls – These are a prioritized set of 20 actions that collectively form a defense-in-depth set of best practices. The CIS Controls are practical and prescriptive actions that organizations should take to prevent common cyber-attacks.
The CIS Controls Cloud Companion Guide is a free resource that can help users apply the CIS Controls in the cloud. The guide maps the CIS Controls to the four main types of cloud environments.
CIS Benchmarks – These are configuration guidelines for technologies, operating systems, containers, and more. There are more than 100 CIS Benchmarks covering 25+ vendor product families.
The CIS Foundations Benchmarks, in particular, provide prescriptive guidance for configuring, deploying, and securing services in public cloud environments. A free CIS Foundations Benchmark is available for the following cloud environments:
- CIS Amazon Web Services (AWS) Foundations Benchmark
- CIS Azure Foundations Benchmark
- CIS Google Cloud Platform (GCP) Foundations Benchmark
- CIS Oracle Cloud Infrastructure Foundations Benchmark
CIS Hardened Images – These are virtual machine images for operating systems, containers, and applications. They’re pre-configured to CIS Benchmark recommendations. Backed by a global community of cybersecurity experts and built off of the base image provided by CSPs, CIS Hardened Images seamlessly integrate into an organization’s security procedures.
CIS updates these Hardened Images on a monthly basis to ensure the latest security configurations are in place, and that they are patched for vulnerabilities. Every CIS Hardened Image includes a CIS-CAT Pro report showing conformance to the CIS Benchmark, as well as an exception report showing configurations that cannot be applied in the cloud or CSP environment.
CIS Hardened Images are available on four major CSP marketplaces:
- AWS Marketplace including AWS GovCloud (US) region and AWS for the Intelligence Community
- Microsoft Azure Marketplace including Azure Government
- Google Cloud Platform Marketplace built on Google’s Shielded VMs
- Oracle Cloud Marketplace
Shared Security Model Resource
The shared responsibility model for cloud security provides clarity on security expectations for public cloud users. However, an understanding of the expectation is just the first step. Users must act on these responsibilities by creating policies and procedures for their portion of cloud security. In order to do this, cloud consumers should use cloud security tools and resources that directly address the needs of their cloud environment.
Used together or individually, CIS Controls, CIS Benchmarks, and CIS Hardened Images give organizations moving to the cloud prescriptive guidance for navigating the migration. They also help organizations conform to the shared responsibility model with ease, transforming the virtual workplace into a secure “new norm.” In this white paper, we provide a deep dive into the shared responsibility model for cloud security, the division of user and CSP responsibilities, and how CIS resources help meet those responsibilities.