Many organizations are migrating their workloads to the cloud. But there are challenges along the way. Specifically, security leaders are concerned about their ability to protect their cloud-based data using secure configurations.

Tripwire found this out when it partnered with Dimensional Research to survey 310 professionals who held IT security responsibilities for their organizations’ public cloud environments across more than a dozen different sectors. In that study, 37% of respondents told Tripwire that their risk management capabilities in the cloud were somewhat lacking compared to the same resources used for other parts of their organizations’ infrastructure. More than three-quarters (76%) of survey participants said it was difficult to maintain secure configurations in the cloud, a finding which illuminates why 93% of leaders said they were worried that human error could cause their employers to accidentally expose their cloud-based data.

These survey results raise an important question: how are organizations supposed to maintain secure configurations in the cloud?

The CIS Foundations Benchmarks as a Starting Point

Organizations can begin by turning to the Center for Internet Security (CIS). This community-driven group has created a series of benchmarks consisting of best practices that organizations can use to stay secure. Some of those benchmarks pertain to OSes like Windows and Linux, while others relate to applications.

The CIS benchmarks that concern us today are those that provide prescriptive guidance for configuring the security options of organizations’ AWS, Azure and Google accounts. Those best practices are designed to help organizations not open themselves up to certain risks from the moment they set up their cloud accounts. As such, the benchmarks do not get into how organizations can secure their individual cloud-based workloads and services.

The cloud benchmarks vary depending on the provider. But there are a few shared elements between them. These are (Read more...)