One of the most time-consuming and painstaking aspects of cybersecurity, both on-prem and in the cloud, is configuration management.
Configuration management is critical because many products come with default settings that do not provide adequate security. One area of particular concern is the operating system, especially when considering cybersecurity in the cloud.
Every agency has various operating systems running on the servers and endpoint devices scattered across the enterprise. IT teams typically struggle to manage the dozens or hundreds of configurations needed to promote secure operations. And it can be hard to know whether the chosen configuration is the best and most appropriate one. That’s why it’s important to use trusted, industry-recognized best practices in your configuration management program.
“Industry-recognized standards and best practices are a core foundation of a strong configuration management program.” said Mia LaVada, Product Owner of CIS Benchmarks and Cloud at the Center for Internet Security (CIS). CIS is a nonprofit organization that promotes globally-recognized best practices for securing IT.
Standards are the starting point. From there, you’ll need an implementation plan to configure your environments to those standards. “If you’re manually configuring to a standard, it can be time consuming,” LaVada said.
Secure From the Start
One way to make configuration management in the cloud more manageable is to use a hardened image. A hardened image is a virtual machine image in which the settings are customized to create a more secure state than the default, out-of-the-box system.
As a pre-configured virtual machine image, the CIS Hardened Image offers a streamlined way to implement all those security configurations reliably and at one time. “The CIS Benchmarks settings are built into the image, so all you have to do is deploy the virtual machine,” LaVada said.
A hardened image goes a long way toward lightening the load on the IT team and ensuring a consistent approach to OS security.
“If someone is using a Microsoft Windows Server operating system, for example, there are more than 300 unique settings within that operating system that need to be configured in a certain way to be considered hardened to CIS Benchmarks standards,” LaVada said.
How It Works
CIS delivers Hardened Images for most Microsoft Windows Server operating systems, several flavors of Linux, and Apple macOS. CIS Hardened Images are available on four public cloud marketplaces: Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Oracle Cloud Platform.
For organizations and industries that want to achieve compliance with Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) standards, CIS offers several CIS Benchmarks and CIS Hardened Images for Windows and Linux mapped to STIG standards.
Billed at 2 cents per compute hour, the Hardened Images can be implemented across a wide or narrow range of users, depending on the organizational need, on a self-service basis.
“An agency might start out using CIS Hardened Images for a specific project – they’re building a piece of software or a program and they want to ensure that the operating systems are secured to the CIS standard,” LaVada said.
“When they see that CIS Hardened Images help save time, they may then roll them out to other groups within the organization, or across the agency.” she said.
CIS Hardened Images are built to CIS Benchmarks standards developed by over 12,000 experts across the globe – cybersecurity experts in academia, government, and the commercial sector – and each Image includes a report from CIS’s configuration assessment tool, CIS-CAT Pro.
“Once that image is hardened, our Solution Architects scan the image and supply an HTML report to show how well that image conforms to the CIS Benchmark standard,” LaVada said. “If you need to provide that information for an audit, or to comply with internal policy, this is a very clean, tangible way of doing that.”
What’s the best way to put Hardened Images to work? It helps to be a part of a community that has an eye toward keeping configurations current, since configuration guidelines change over time, as do systems themselves.
State and local governments can get free membership into the CIS SecureSuite, which gives them access to the CIS-CAT Pro tool, among other resources, to scan their Hardened Images for ongoing compliance and configuration management.
“CIS SecureSuite Members can use CIS-CAT Pro if anything changes after they spin up the image and they want to scan again – or if they have an internal policy that calls for continuous monitoring of the configuration of that system,” LaVada said.
It’s also important to keep current on patching. Even in a hardened image, IT teams will want to track vendor updates and apply required remediations. Here, too, CIS offers support, in the form of applying monthly updates according to the vendor’s updates to its Hardened Images. With a CIS Hardened Image based on internationally-recognized CIS Benchmarks, an agency can reduce the personnel effort needed to configure systems, while ensuring a higher degree of consistency in their deployments. In this way, agencies can better mitigate against threats such as malware and remote intrusion, with systems that are continuously aligned to the most current security guidelines.
This post originally appeared on October 7, 2022.