Thinking about Cloud Security Baselines

Greg
2 min readFeb 4, 2024

--

What are Cloud Security Baselines

A process and approach to use industry benchmarks and best practices for the technical cloud infrastructure configuration in your organisation so that you can work collaboratively with engineering teams to:

  1. Set and agree to what good looks like
  2. Measure and track where you are in reaching your target state
  3. As a means to have informed discussions about what needs to be prioritised next

Alone compliance frameworks like CIS Benchmarks have their place and describe a pragmatic state for service configurations that do not require additional commercial tooling. The drawback with them is they don’t have the context about your organisation, environments and specifics about how services are used.

This is where CSB’s can help describe the configuration that meets the business needs and risk appetite. Security is never perfect, to have perfect security would be hugely expensive and slow the business down in delivering value to its customers.

As is often the case with security “it depends” and tradeoffs for acceptable risk have to be found.

Getting started

A spreadsheet works fine when you have a small number of areas to consider, but when you want to scale that up to cover more services, more checks and best practices it quickly becomes unwieldy and difficult to maintain as the technology and best practices evolve.

This is where I have started to look at tooling to improve the technical controls of your cloud infrastructure and implement and maintain Cloud Security Baselines.

I have already looked at the tooling for CSPM, which is now consolidated into CNAPP as Gartner terms them.

CNAPP offers more than the initial goals of Cloud Security Baselines and brings in capabilities for real-time threat detection and response, reducing over-permissioned IAM roles (CIEM) and vulnerability management. These platforms are usually licenced in a way that means you may invest a lot, but not get a full return for a while.

Tooling that could help

--

--

Greg
Greg

Written by Greg

Security addict, 17+ years in industry making systems more secure and finding those that aren’t

No responses yet