CIS FOUNDATIONS BENCHMARK FOR AWS SECURITY

Adam Montville, Center for Internet Security (CIS)
Tim Sandage, Amazon Web Services (AWS)
Tim Prendergast, CEO Evident.io

March 30, 2016

Copyright © 2015 evident.io



Page 2

WEBINAR LOGISTICS

• Question? To submit a question for the Q&A, click on the Questions button

• Vote: To cast your vote for a poll question, click on the Votes button

• Additional Content: To download other relevant content, click the Attachments button

• Tell us how we did: To provide a rating and feedback or comments, click the Ratings button

• Tell a Friend: To share today’s webinar with a co-worker or colleague, click the Share button

• Want the slides? To download the slides from today’s webinar, go to blog.evident.io. The download link for the slides can be found in the blog post “CIS Foundations Benchmark for AWS Security” published March 14, 2016.

For more content on AWS security and compliance best practices check out our blog at blog.evident.io

Page 3

TODAY’S SPEAKERS:

Adam Montville is the Sr. Director for Security Controls and Automation at The Center for Internet Security (CIS), leading the teams working to define security configuration benchmarks and designing and implementing CIS’ security automation tools.

Tim Sandage is a Senior Risk & Compliance Strategist for Amazon Web Services (AWS) who is responsible for global strategic alignment of AWS cloud computing services with current and future compliance capabilities as well as external consulting with AWS customers, public policy organizations, and standard bodies across the globe.

CEO Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating, and securing services in AWS, he set out to make security approachable and repeatable for companies of all sizes. Tim also led technology teams at Adobe, Ingenuity, Ticketmaster, and McAfee. Follow Tim on Twitter @Auxome.

Page 4

WHO IS CIS?

• 750+ members worldwide

• Security program support

− MS-ISAC (SLTT support)
− Security Controls and Automation
− CIS Critical Security Controls

• Start secure, stay secure

Page 5

CIS SUPPORTS SECURITY PROGRAMS

• SOC + Incident Response

• CIS Critical Security Controls

• Consensus benchmark development process

• Reduce guesswork

• Automation support

Page 6

WHAT IS A “BENCHMARK”?

• Security configuration guide

• Consensus-based development process

• Best Current Practice + Best Leading Practice

• 433K+ downloads last year

Page 7

WHY DID AWS WORK WITH CIS TO PRODUCE THE BENCHMARK?

• Increase Customer Security

• Leading Practice Guidelines

• Supports various Security Standards

• Repeatable & Verifiable

• Auditability

Page 8

SCOPE OF THE FOUNDATIONS BENCHMARK

• Identity & Access Management (IAM)

• Logging

• Monitoring

• Networking

Page 9

INTENT OF THE CIS FOUNDATION BENCHMARK

• Repeatable

• Verifiable

• Reliable

• Auditable

Page 10

CHALLENGES OVERCOME BUILDING OUT THE BENCHMARK

• Scope of Services

• Architecture neutral

• Leading Practice focused

• Global Security Framework alignment

Page 11

USE CASES FOR LEVERAGING THE BENCHMARK

Leading Practice Security Config:

• AWS Identity and Access Management (IAM)

• AWS Config

• AWS CloudTrail

• AWS CloudWatch

• AWS Simple Notification Service (SNS)

• AWS Simple Storage Service (S3)

• AWS VPC (Default)

Page 12

SECURITY BY DESIGN – AUTOMATION APPROACHES

• Build security in every layer

• Think parallel

• Plan for Breach

• Don't fear constraints

• Treat infrastructure as code

Page 13

PARTNER INTEGRATION WITHIN SBD

• Evident.io

• Splunk

• Allgress

• Center for Internet Security

• Veris Group LLC

Page 14

FUTURE AWS CIS BENCHMARKS

• 3-Tier Web Architecture

• AWS Data Containers

• Additional broad architectures

Page 15

WHO SHOULD USE THE BENCHMARK - HOW AND WHEN?

• AWS Customers

• AWS Partners

• AWS System Integrators

• AWS Consultants

• AWS Auditors

Page 16

LEVERAGING THE BENCHMARK TO BE MORE SECURE

• Everyone should target the benchmark

• There are no silver bullets!

• It’s a framework – treat it as such

• If you don’t believe, you won’t succeed

• Security is about the journey, not the destination!

Page 17

OPERATIONAL BENEFITS

• Clearer goals for Security

• Measurable results (binary!)

• Faster failure, faster success

• DevOps can speak the benchmark

• Security becomes part of the product lifecycle! (Yay)

Page 18

AUTOMATING IS THE KEY TO SUCCESS

• Continuous Monitoring is required (and achievable)

• Without automation, elastic and dynamic environments will outrun security

• If you can automate detection, you can automate response!

Page 19

MEASURING YOUR SECURITY MATURITY

• Complete gap analysis

• Select a cross-functional team to implement

• Establish the audit cycle

• Begin automation work on relevant areas

• Identify your current security posture, then track drift and progress over time.

Page 20

LEVERAGING FOR COMPLIANCE

• Compliance is based on Frameworks, too

• Relevant industry teams are watching CIS

• CIS controls lead to satisfaction of other framework controls. Ex: CIS AWS 1.2 through 1.7 supports NIST 800-53 r4 IA-5(1)

• The smaller, step-sized security moves create greater success

Page 21

COMMUNICATING SUCCESS TO PARTNERS, CUSTOMERS, INVESTORS

• Demonstrate your capacity for security

• Evangelize your success

• Iterate the benchmark (and participate!)

• Take to the blogs!

Page 22

STAY ENGAGED TO ENSURE YOUR CONTINUED SUCCESS

• Join the CIS

• Seek out the working group members

• Don’t just run it once – it must be part of your DNA

• Engage on Twitter, Blogs, and discussion groups with us

• See you at some meetups!

Page 23

Q & A - ANY QUESTIONS?

Page 24

THANKS FOR ATTENDING!