The Center for Internet Security’s Critical Security Controls have become an industry-standard set of controls for securing the enterprise. Now on version 8, the original 20 controls are down to 18, with several sub-controls added.

The first six basic controls can prevent 85 percent of the most common cyber attacks, and even though the controls have been developed with traditional data centers and processes in mind, there is no reason they can’t be adapted to DevOps practices.

DevOps and CIS Security

A quick review of the basic controls will provide some ideas of where they fit DevOps practices and where they don’t align with them. Control 1 and Control 2 are about inventories: inventory and control of enterprise and software assets.

Infrastructure in a cloud environment becomes virtualized infrastructure – containers and repositories, virtual machines, lambda functions, microservices, APIs, etc. The principle still stands, however, that knowing what underlying infrastructure is authorized in your environment and detecting unauthorized deployments is critical.

In a highly dynamic cloud system with ephemeral servers being deployed and destroyed constantly, it’s even more important to know whether what is being deployed should be deployed and whether it is authorized to be in your environment. Consider your current controls and how you monitor your runtime environment. How do you know what is running is authorized to be running and is running approved apps and services?

If you don’t have an answer for those questions, review your architectural diagrams and CI/CD pipeline and think about tools at your disposal to get a better view of your “hardware” assets. Those may be native to your cloud environment, third-party solutions and/or an inventory management process you put in place. There is an additional advantage to tracking and ensuring the assets in your environment are authorized.
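
One way to answer "is what is running authorized, and is it running approved software?" is to reconcile a runtime snapshot against an inventory maintained by the CI/CD pipeline. The following is an added example, not code from the original article; the asset names, digests, registry host and field names are constructed assumptions, and a real snapshot would come from your cloud provider, a third-party tool or your own inventory process.

```python
"""Reconcile a runtime snapshot against a pipeline-maintained approved inventory."""
from dataclasses import dataclass

# Constructed sample data (assumption): asset name -> image digests that the
# CI/CD pipeline has approved for that asset.
APPROVED = {
    "payments-api": {"sha256:aaa111", "sha256:aaa222"},
    "web-frontend": {"sha256:bbb111"},
}

# Constructed runtime snapshot (assumption): what is actually running right now.
RUNNING = [
    {"asset": "payments-api", "image": "registry.example/payments@sha256:aaa222"},
    {"asset": "web-frontend", "image": "registry.example/web@sha256:ccc999"},
    {"asset": "debug-shell", "image": "registry.example/tools@sha256:ddd000"},
    {"asset": "payments-api", "image": "registry.example/payments:latest"},
]


@dataclass(frozen=True)
class Finding:
    asset: str
    image: str
    status: str


def classify(workload, approved):
    """Return a Finding for one running workload."""
    asset, image = workload["asset"], workload["image"]
    if asset not in approved:
        # Control 1: the asset itself is not in the authorized inventory.
        status = "unauthorized-asset"
    elif "@" not in image:
        # A mutable tag cannot be matched to a specific approved build.
        status = "unpinned-image"
    elif image.rsplit("@", 1)[1] not in approved[asset]:
        # Control 2: known asset, but running software nobody approved.
        status = "unapproved-software"
    else:
        status = "authorized"
    return Finding(asset, image, status)


def reconcile(running, approved):
    """Classify every workload and return only those needing follow-up."""
    findings = [classify(w, approved) for w in running]
    return [f for f in findings if f.status != "authorized"]


if __name__ == "__main__":
    for f in reconcile(RUNNING, APPROVED):
        print(f"{f.status:20} {f.asset:14} {f.image}")
```

Because ephemeral workloads appear and disappear constantly, a check like this is most useful when run on every deployment event or on a short schedule rather than as a periodic audit.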