CIS Benchmarks from the Center of Internet Security (CIS) sets the global standards for implementing security with best practices for securing IT systems and data against any cyberattacks. Robust security starts with the process of hardening the infrastructure before doing any monitoring. CIS provides many well-defined methods and practices to help organizations assess and improve their security. You can directly download the benchmarks here https://www.cisecurity.org/cis-benchmarks/ as per your organisation’s need and follow the guidelines to implement effective security measures.
Does only CIS Benchmark ensure flawless security for your infrastructure?
Well, the answer is no. Simply implementing all the CIS benchmarks is not enough. You should also need to do custom hardening benchmarks along with the CIS benchmarks. Nowadays, all major public cloud service providers support CIS benchmarks in their security and auditing services.
How CIS benchmark covers AWS?
Security hub in AWS supports the standard of the CIS AWS Foundation benchmark. Security hub performs a list of security checks as per the CIS standard guidelines and evaluates the security in an automated way. But still, there are some security checks that are not supported in Security hub. More info on https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis-checks-not-supported.html. AWS Security Hub has satisfied the requirements of CIS Security Software Certification and has been awarded CIS Security Software Certification for the following CIS Benchmarks:
- CIS Benchmark for CIS Amazon Web Services Foundations Benchmark, v1.2.0, Level 1
- CIS Benchmark for CIS Amazon Web Services Foundations Benchmark, v1.2.0, Level 2
CIS Benchmark in Kubernetes
CIS Benchmark provides consensus-driven security guidelines for the Kubernetes Server Software. What do we mean by consensus-driven here? Yes, here the CIS benchmark community plays a vital role because consensus-driven is a group of people creating something and agreeing among themselves. They keep on enhancing the standards and document them in detail. Anyone who knows Kubernetes could say that security is the major challenge with such microservices architecture implementations. So, it is an absolute necessity to configure Kubernetes with a strong security posture. Hence CIS benchmark has a set of standards and guidelines to support that. In the market, there are already a huge number of open source tools available like Kube-bench for running Kubernetes CIS Benchmark tests. Before you do the security implementations, you need to understand an important concept called the Shared responsibility model. Kubernetes on the cloud solves yet another major challenge of installing and managing the Kubernetes control plane components. With this shared responsibility model, the cloud provider takes care of managing the Kubernetes control plane components and you should take care of the rest like managing the data, configuring the cluster as per your need, and underlying OS in the worker nodes, their kubelets and AMI configuration. You as a customer, don’t have access to the control plane and don’t have to worry about the hardening of the control plane as they will be taken care of by the provider. In addition to that, it is worth mentioning that the CIS Benchmark is tied to a specific Kubernetes release. It is important to note that like the OS distributions like Linux, the Kubernetes benchmarks are not updated frequently. When you set up the cluster, there are always two major components the master node and the worker nodes. Cloud providers like AWS, for example, have a managed service called EKS (Elastic Kubernetes Service) through which the master node that contains the major control plane components can be managed by it. The Kubelet and the Kube proxy in the worker nodes the resource quotas, and the identity and access control policies to and from the worker nodes should be managed by the customer.
Conclusion
Hence, this concludes the high-level overview of the CIS Benchmark for implementing robust security in various platforms. As mentioned in this blog earlier, it is important to make use of the global security standards but should not completely rely on them. You have to have your customised hardening practice for strengthening the security as we tend to go over the internet most of the time and always keep in mind the risk involved with our data being exposed.