The Center for Internet Security (CIS) is a nonprofit entity whose mission is to ‘identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.’ It draws on the expertise of cybersecurity and IT professionals from government, business, and academia around the world. To develop its standards and best practices, including the CIS Benchmarks, CIS Controls, and Hardened Images, it follows a consensus decision-making model.
CIS Benchmarks
CIS benchmarks are configuration baselines and best practices for securely configuring a system. Each of the guidance recommendations references one or more CIS controls that were developed to help organizations improve their cyberdefense capabilities. CIS controls map to many established standards and regulatory frameworks, including the NIST Cybersecurity Framework (CSF) and NIST SP 800-53, the ISO 27000 series of standards, PCI DSS, HIPAA, and others.
CIS benchmarks provide two levels of security settings:
- Level 1 recommends essential basic security requirements that can be configured on any system and should cause little or no interruption of service or reduced functionality.
- Level 2 recommends security settings for environments requiring greater security that could result in some reduced functionality.
In Microsoft Azure, the following CIS benchmarks can be adopted and tracked:
- CIS Microsoft Azure Foundations Benchmark v2.0.0
- CIS Azure Compute Microsoft Windows Server 2022 Benchmark v1.0.0
- CIS Distribution Independent Linux Benchmark v2.0.0
- CIS Microsoft SQL Server 2022 Benchmark v1.0.0
In addition, for Microsoft 365 the following benchmark is available:
- CIS Microsoft 365 Foundations Benchmark v2.0.0
CIS Hardened VM Images in Azure
CIS Hardened Images are virtual machine images that have been pre-configured to a CIS Benchmark profile, either Level 1 or Level 2. Hardening reduces the attack surface of a system by removing or restricting the weaknesses that unauthorized access, denial of service, and other cyberattacks rely on.
Please note that the Marketplace offering states that “this image has been hardened by CIS and is configured with the majority of the recommendations included in the free PDF version of the corresponding CIS Benchmark”. “Majority” is not “all”: the remaining recommendations still have to be applied, and a deployed image should be assessed against the full benchmark rather than assumed compliant.
The pricing for CIS Hardened Images is currently $0.02 per hour over and above the standard Azure VM cost.
Monitoring of CIS Compliance
Microsoft Azure Policy
Azure’s built-in CIS Microsoft Azure Foundations Benchmark v1.4.0 Regulatory Compliance initiative will be assigned to the Azure subscription to monitor compliance with the CIS controls. Note that this initiative tracks benchmark version 1.4.0, which is older than the v2.0.0 benchmark listed above, so the set of controls it evaluates differs from the current benchmark.
Each control is associated with one or more Azure Policy definitions. These policies help to assess compliance with the control, but there is often no one-to-one or complete match between a control and its policies. Compliance in Azure Policy therefore refers only to the policy definitions themselves and does not guarantee that every requirement of a control is met.
In addition, the compliance standard includes controls that are not addressed by any Azure Policy definition at all, so compliance in Azure Policy is only a partial view of overall compliance status, and the associations between compliance domains, controls, and Azure Policy definitions change over time. The Azure Foundations initiative also assesses the configuration of Azure resources, not the operating system inside the virtual machines, which is why the official CIS Hardened Images are recommended alongside it for the Windows Server, Linux, and SQL Server benchmarks listed above.
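The partial-view problem above has a practical consequence for reporting: the policy state that Azure returns (for example from `az policy state list -o json` after the initiative has been assigned with `az policy assignment create --policy-set-definition ...`) is per policy definition and per resource, so a script has to roll it up to control level and say explicitly which controls it could not assess. The following Python is an added example, not code from the page or from CIS or Microsoft; the control-to-definition mapping and the policy state records are constructed for illustration (the definition names and resource IDs are invented, only the `resourceId`, `policyDefinitionName` and `complianceState` field names are real).

```python
"""Roll up Azure Policy's per-definition compliance into per-CIS-control status.

Azure Policy reports compliance per policy definition, not per CIS control.
A control may map to several definitions, and some controls map to none, so a
reporting script has to join policy state with the control-to-definition
mapping and say explicitly which controls are not assessed at all.
"""
import json

# Constructed, illustrative control -> definition mapping (NOT the real content
# of the built-in initiative; the definition names here are made up).
CONTROL_TO_DEFINITIONS = {
    "1.1": ["mfa-for-privileged-accounts", "mfa-for-non-privileged-accounts"],
    "3.1": ["storage-secure-transfer-required"],
    "4.1.1": ["sql-auditing-enabled"],
    "8.2": [],  # no automated definition: this control needs a manual check
}

# Constructed sample shaped like `az policy state list -o json` output.
# resourceId / policyDefinitionName / complianceState are real field names;
# the records themselves are invented for this example.
SAMPLE_STATES_JSON = """[
 {"resourceId": "/subscriptions/0000/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1",
  "policyDefinitionName": "storage-secure-transfer-required", "complianceState": "Compliant"},
 {"resourceId": "/subscriptions/0000/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa2",
  "policyDefinitionName": "storage-secure-transfer-required", "complianceState": "NonCompliant"},
 {"resourceId": "/subscriptions/0000",
  "policyDefinitionName": "mfa-for-privileged-accounts", "complianceState": "Compliant"},
 {"resourceId": "/subscriptions/0000",
  "policyDefinitionName": "mfa-for-non-privileged-accounts", "complianceState": "Exempt"}
]"""

# Severity order used when collapsing many resource states into one definition state.
_RANK = {"Compliant": 0, "Unknown": 1, "NonCompliant": 2}


def parse_states(json_text):
    """Parse CLI-style JSON into a list of policy state records."""
    return json.loads(json_text)


def summarize_definitions(states):
    """One status per policy definition: the worst state seen across its resources.
    Exempt resources are not findings, so they count as Compliant; any state we
    do not recognise (Conflict, NotStarted, ...) is treated as Unknown."""
    status = {}
    for rec in states:
        name = rec["policyDefinitionName"]
        state = rec["complianceState"]
        if state == "Exempt":
            state = "Compliant"
        elif state not in _RANK:
            state = "Unknown"
        if name not in status or _RANK[state] > _RANK[status[name]]:
            status[name] = state
    return status


def rollup_controls(mapping, definition_status):
    """Map each CIS control to compliant / noncompliant / incomplete / not assessed.
    'incomplete' means a mapped definition has no Compliant verdict yet (missing
    from the policy state, or Unknown), so the control cannot be called met."""
    result = {}
    for control, definitions in mapping.items():
        if not definitions:
            result[control] = "not assessed"
            continue
        verdicts = [definition_status.get(d) for d in definitions]
        if "NonCompliant" in verdicts:
            result[control] = "noncompliant"
        elif all(v == "Compliant" for v in verdicts):
            result[control] = "compliant"
        else:
            result[control] = "incomplete"
    return result


def noncompliant_resources(mapping, states, control):
    """Resource IDs that make the given control noncompliant, for remediation."""
    wanted = set(mapping.get(control, []))
    return sorted({r["resourceId"] for r in states
                   if r["policyDefinitionName"] in wanted
                   and r["complianceState"] == "NonCompliant"})


def unassessed_controls(mapping):
    """Controls with no policy definition at all: the manual-check list."""
    return sorted(c for c, defs in mapping.items() if not defs)


if __name__ == "__main__":
    states = parse_states(SAMPLE_STATES_JSON)
    per_def = summarize_definitions(states)
    for control, verdict in rollup_controls(CONTROL_TO_DEFINITIONS, per_def).items():
        print(f"CIS {control}: {verdict}")
        for rid in noncompliant_resources(CONTROL_TO_DEFINITIONS, states, control):
            print(f"    noncompliant: {rid}")
    print("Manual checks required:", ", ".join(unassessed_controls(CONTROL_TO_DEFINITIONS)))
```

The design point is the four-way verdict: a control is only reported as compliant when every mapped definition is compliant, a definition that has not been evaluated yet makes the control "incomplete" rather than silently passing, and controls with no definition at all are surfaced as a manual-check list instead of disappearing from the report. Feeding real `az policy state list` output into `parse_states` and the real control mapping from the initiative definition into `rollup_controls` turns this into a per-control view that the Azure Policy compliance blade does not give directly.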