Using CIS benchmarks to set expectations in a DevOps environment
In the old world there was often a divide between developers, security and operations working in their own silos. This is not an effective approach that can result in a wall of confusion.
By embracing DevSecOps we can break down barriers between engineering, security and privacy teams; GoCardless is leveraging the Centre for Internet Security(CIS) benchmarks to build a shared understanding and approach with the teams.
Why did we adopt CIS benchmarks? 📚
The CIS benchmarks are guides on best practices for the secure configuration of a target system that are not reliant upon 3rd party commercial solutions. AWS, Google, Microsoft and IBM as cloud providers assess their services against the CIS benchmarks. The CIS benchmarks cover a broad range of service and products including OS hardening, databases, switches, firewalls and security appliances.
They are developed through a consensus-based process by security practitioners and subject matter experts around the world. “CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by the government, business, industry, and academia” — CIS Benchmarks FAQ.
Through collaboration between the security and engineering teams to tailor the CIS benchmarks to our environment we have built a shared understanding of the current security baseline and our target state.
How do they fit into the wider context for DevSecOps? 🤝
Improving our understanding of the security posture across the company allows us to identify gaps in our security controls and configuration, while demonstrating our maturity to merchants and regulators. This is enabling us to build for new geos and technologies safely.
Demonstrating our security and privacy controls is particularly important for larger enterprise merchants that require a higher bar in their due diligence. The work we have done to set our security baselines and how we maintain them alongside our certifications enables us to efficiently respond to merchants’ due diligence.
Benchmarking gives us the confidence that new services and devices are set up securely from the start; having a secure baseline then protects us against basic attacks, which in turn increases the cost for more sophisticated attackers. This enables us to focus on more difficult security problems, whilst raising the overall security bar and makes us better equipped to handle our merchants’ funds and data without compromising our ethical, regulatory and contractual obligations.
How are they helping us? 🙌
Privacy and Security are a small part of the engineering function with a broad remit. Getting the basics of security right has a huge benefit before you go deep on particular areas.
Through collaboration with our engineering teams we have agreed a consistent approach to securing services and gained buy-in from the engineering teams, rather than controls being imposed upon them.
By establishing agreed baselines we have been able to measure and demonstrate our security posture to manage the risks in our services and maintain compliance.
For example:
- ISO27001 — Security compliance
- FCA and other financial regulators around the globe
- SOC II — Security compliance as we implement it
- Our enterprise risk management
The Utopia project led by the Core Infrastructure team is providing a consistent way of defining services. Through the use of CIS benchmarks in the build of Utopia we have gained confidence in the building blocks for teams so that they can self-serve knowing that guard rails are already implemented for security and privacy.
To help us on our journey, we are using Prisma Cloud from PaloAlto to measure our Cloud Security Posture across our cloud environments. This is enabling our SecOps team to track deviations in configuration and take early action with engineering teams.
Impact and what next ✈️
Now that we have defined what good looks like, the owners of each service will not be blocked on the need to speak to Security & Privacy when working on new projects, as they can follow the standards that we have prepared.
All engineering teams have access to the GoCardless customised CIS benchmarks and tools to monitor. We are using Prisma Cloud to automatically assess the service configurations against our guidelines and provide engineering teams with advice on how to reach our security baselines and real time visibility.
Enabling engineers to self-serve is helping us keep our velocity and quality high, while ensuring that security is an essential part of our production pipeline, increasing GeeCees’ overall security skills and knowledge.
Using a standardised approach has increased our visibility of our security posture and has allowed us to demonstrate to auditors and other stakeholders how we apply security. We will further improve this information in order to allow more teams to use this, for example for answering security questions from prospective merchants.
We are continually investing in building tuned checks against the CIS benchmarks and taking account of new developments in the products and services that we use to improve our overall security posture. We have adopted the MITRE ATT&CK framework to help us assess our detection capabilities and the continuous monitoring of our cloud services is one element within our overall capability set.
We’d love to hear about what your thoughts are on our approach to using CIS benchmarks. You can get in touch with us via Twitter, Instagram or LinkedIn.
We are hiring across our engineering and product teams, you can see all of our open roles here: https://gocardless.com/about/jobs/
Article by Greg Smith and Niko Nikolov
