What are CIS Benchmarks in Cloud Security?


The CIS Benchmarks are a set of prescriptive configuration recommendations for hardening an organization’s technologies against cyberattacks. Created in 2000 as a nonprofit organization, the Center for Internet Security (CIS) maintains over 100 CIS Benchmarks, covering more than 25 vendor product families.

CIS Benchmarks are created and maintained by a consensus-driven, global community

This free resource was created via consensus and is maintained through a global community of more than 12,000 security professionals, technology vendors, and academics. Used by governments, businesses, research institutions, and academic institutions, the CIS Benchmark community identifies the need for a new or updated benchmark. Experts collectively create, vet, and test their recommendations until consensus is reached, and the final benchmark is then published.

As the program sponsor, the Center for Internet Security is known for its creation of CIS Controls, which is a comprehensive guide of 20 safeguards and countermeasures for effective cyber defense. The CIS Benchmarks map to these controls, and the community refers to them when creating new or updated configuration recommendations.

What technologies do CIS Benchmarks cover?

CIS Benchmarks offer a set of best practices as a starting point for creating new product or service deployment plans or verifying that current deployments are configured to maximum security.

CIS Benchmarks are grouped into 8 categories of IT technology:

  • Cloud providers
  • Desktop software
  • DevSecOps tools
  • Mobile devices
  • Multi-function print devices
  • Network devices
  • Operating systems
  • Server software

Within each category are specific guidelines for current products or vendors. For example, Cloud Providers covers Alibaba, AWS, Google Cloud, Google Workspace, IBM Cloud, Microsoft 365, Microsoft Azure, Microsoft Dynamics 365, and Oracle Cloud. And, for AWS, benchmarks are available for the latest versions, including AWS Compute Services, Amazon Web Services Foundations, AWS End User Compute Services, and Amazon Web Services Three-tier Web Architecture.

How are CIS Benchmarks recommendations organized?

CIS Benchmarks and their recommendations are organized into 7 areas across 3 levels.

Benchmark levels

The CIS assigns a profile level to each CIS Benchmark guideline, allowing organizations to choose a profile based on their unique security or compliance requirements.

Level 1 includes basic security recommendations for configuring IT systems. They are straightforward and avoid impacting business functionality or uptime.

Level 2 is intended for highly sensitive data where security is a priority. These recommendations call for professional expertise and focused security planning to attain higher-level security with minimal disruptions to operations. The Level 2 profile supports regulatory compliance as well.

Level 3 includes the Security Technical Implementation Guide (STIG) baselines from the Defense Information Systems Agency (DISA), as well as Level 1 and Level 2 recommendations. CIS Benchmarks specify a Level 3 STIG profile to support compliance with US government requirements.

Benchmark recommendations

Each vendor or product benchmark includes 7 recommendation areas detailing specific guidelines.

  • Profile Applicability designates whether the recommendation is Level 1, 2, or 3 STIG.
  • A description explains the recommendation and its importance.
  • Audit recommendations provide details on how to evaluate the status of the recommendation in its current configuration.
  • Remediation offers step-by-step guidance on how to implement the recommendation.
  • References offer links to supporting documentation.
  • Additional Information may be provided.
  • CIS Controls shows how the recommendations map to specific CIS Controls.

Every benchmark follows this format, making implementation straightforward and standardized.

Why would an organization adopt CIS Benchmarks?

Adopting CIS Benchmarks provides significant benefits at no cost. The benchmarks are created, vetted, and approved by consensus within an international committee of experts, which also decides which new or updated benchmarks are needed. Their recommendations provide best practices that organizations can use as a starting point or for further education when choosing technologies, purchasing cloud services, or configuring IT resources. The benchmark repository provides up-to-date, step-by-step instructions for the major IT systems, which can be used internally or when vetting third-party IT support or cloud services. Lastly, because the CIS Benchmarks align with major security and data privacy frameworks like NIST, HIPAA, and PCI DSS, they provide a foundation that supports regulatory compliance.

How are CIS Benchmarks used?

CIS Benchmarks are packaged as configuration guidebooks. Organizations use their guidance to create policies and procedure manuals, as well as plan and manage their IT systems and secure cloud environments. Foundationally, the benchmarks provide best practices specific to Identity and Access Management (IAM), logging and monitoring, and networking.

DevOps teams can implement CIS Benchmarks by hand and stay apprised of version releases. Alternatively, CIS offers free and paid tools that automate CIS Benchmark configuration maintenance and compliance checking. These tools scan IT systems and alert when current configurations don’t meet CIS Benchmark recommendations.
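The recommendation format described above (Profile Applicability, Description, Audit, Remediation) maps naturally onto code, and the scanning tools just mentioned work the same way: each recommendation carries an audit check and a remediation text, and a scan runs every check in the chosen profile against a configuration snapshot. The following added example (not CIS's or any vendor's code) shows that structure in Python. The recommendations, their `EX-n` identifiers, and the account snapshots are constructed for illustration and are not CIS benchmark text or numbering; it also assumes, as is CIS practice, that a Level 2 profile includes the Level 1 recommendations.

```python
"""Benchmark-style configuration audit, modelled on the CIS recommendation
format (profile level, description, audit, remediation).

Added example: the recommendations, identifiers and snapshots below are
constructed for illustration and are not CIS text."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Recommendation:
    rec_id: str                     # constructed id, not a CIS number
    title: str
    level: int                      # Profile Applicability: 1 or 2
    description: str
    audit: Callable[[dict], bool]   # True when the snapshot is compliant
    remediation: str


def _no_public_buckets(cfg: dict) -> bool:
    return not any(b["public"] for b in cfg["s3_buckets"].values())


RECOMMENDATIONS: List[Recommendation] = [
    Recommendation("EX-1", "Enable MFA for the root account", 1,
                   "The root account has unrestricted access; MFA adds a second factor.",
                   lambda cfg: cfg["root_mfa_enabled"],
                   "Register an MFA device on the root account."),
    Recommendation("EX-2", "Require a minimum password length of 14", 1,
                   "Short passwords are cheap to guess offline.",
                   lambda cfg: cfg["password_policy"]["min_length"] >= 14,
                   "Set the account password policy minimum length to 14."),
    Recommendation("EX-3", "Enable log file integrity validation", 2,
                   "Validation detects tampering with delivered audit logs.",
                   lambda cfg: cfg["cloudtrail_log_validation"],
                   "Turn on log file validation for every trail."),
    Recommendation("EX-4", "Block public access to storage buckets", 1,
                   "Public buckets leak data outside the account boundary.",
                   _no_public_buckets,
                   "Remove public grants and enable the public-access block."),
    Recommendation("EX-5", "Enable audit logging in all regions", 1,
                   "Without a trail there is no record of API activity.",
                   lambda cfg: cfg["cloudtrail_enabled"],
                   "Create a multi-region trail."),
]

# Constructed snapshot of a cloud account, as a scanner might collect it.
SAMPLE_CONFIG = {
    "root_mfa_enabled": False,
    "password_policy": {"min_length": 8},
    "cloudtrail_enabled": True,
    "cloudtrail_log_validation": False,
    "s3_buckets": {"logs": {"public": False}, "assets": {"public": True}},
}

# The same account after every remediation above has been applied.
HARDENED_CONFIG = {
    "root_mfa_enabled": True,
    "password_policy": {"min_length": 14},
    "cloudtrail_enabled": True,
    "cloudtrail_log_validation": True,
    "s3_buckets": {"logs": {"public": False}, "assets": {"public": False}},
}


def audit(cfg: dict, profile_level: int) -> Dict[str, bool]:
    """Run every recommendation in the profile (levels <= profile_level)."""
    return {r.rec_id: bool(r.audit(cfg))
            for r in RECOMMENDATIONS if r.level <= profile_level}


def findings(cfg: dict, profile_level: int) -> List[Tuple[str, str, str]]:
    """Failing recommendations with their remediation text, in benchmark order."""
    results = audit(cfg, profile_level)
    return [(r.rec_id, r.title, r.remediation)
            for r in RECOMMENDATIONS if results.get(r.rec_id) is False]


def score(cfg: dict, profile_level: int) -> float:
    """Fraction of in-profile recommendations that pass."""
    results = audit(cfg, profile_level)
    return sum(results.values()) / len(results) if results else 1.0


def report(cfg: dict, profile_level: int) -> str:
    """Human-readable scan output: score plus one line per failed check."""
    lines = [f"Profile: Level {profile_level}  score={score(cfg, profile_level):.0%}"]
    for rec_id, title, remediation in findings(cfg, profile_level):
        lines.append(f"FAIL {rec_id} {title}")
        lines.append(f"     remediation: {remediation}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG, 2))
    print(report(HARDENED_CONFIG, 2))
```

Selecting Level 1 runs only the low-disruption checks, so the same snapshot scores differently per profile; that is exactly the choice the "Profile Applicability" field gives an organization. A real scanner replaces the static snapshot with live API queries, but the recommendation records and the pass/fail logic stay the same shape.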

CIS Benchmarks provide access to expert best practices for configuring IT technologies

With a global community of over 12,000 security professionals, the CIS Benchmarks provide prescriptive guidance for configuring IT technologies most securely. This free resource enables education and decision-making based on consensus-driven, vetted best practices that organizations of every size can access.

Modern Cloud-native security starts with Panoptica

Cisco’s Emerging Technologies and Incubation (ET&I) team is paving the way with “DevOps-friendly” cloud-native security solutions that fundamentally simplify conventional offerings. Built from the ground up to meet the needs of mission-critical modern applications, our Panoptica solution simplifies cloud-native application security, making it easy to embed into the software development lifecycle. Panoptica protects the full application stack from code to runtime by scanning for security vulnerabilities in the cloud infrastructure, microservices (Containers or Serverless), the software bill of materials, and the interconnecting APIs. And best of all, it integrates with the tools that your application development and SecOps teams are already using.