
Cloud Security Perspectives and Insights

Comparing the Top 20 Security Controls from CIS to DevSecOps

David B. Cross
SVP SaaS Security

Continuing this blog series on DevSecOps, I have a contributing guest author, Patrick McLaughlin. Patrick is a SaaS Security Architect in the Oracle SaaS Cloud Security engineering group and helps drive the transformation of DevSecOps in Oracle SaaS.

What are the Top 20 Security Controls?

The Center for Internet Security (CIS) is a non-profit organization best known for its 20 Critical Security Controls. For IT security professionals, these controls represent best practices for implementing a secure IT system and environment, and they are the basis on which auditors look for evidence of security controls. CIS also publishes configuration benchmarks for operating systems, databases, cloud environments, and so on. If you are interested in those, you can read an Oracle Cloud Infrastructure blog on CIS benchmarks. DevSecOps ‘sandwiches’ security between software development and operations (and maintenance), so this blog examines the relationship between the CIS critical security controls and DevSecOps.

The 20 controls are grouped into three types: Basic, Foundational, and Organizational (see Figure 1). CIS also defines three Implementation Groups that indicate which sub-controls an organization should implement, depending on its size, resources, and data sensitivity:

1. Implementation Group 1: an organization with limited resources where data sensitivity is low
2. Implementation Group 2: an organization whose security teams manage sensitive data such as customer information
3. Implementation Group 3: a global organization with dedicated security teams and the financial resources to match

Each control has sub-controls, with their own titles and detailed descriptions. The sub-controls are also mapped to the closest NIST Cybersecurity Framework (CSF) function: Identify, Protect, Detect, Respond, and Recover. (For more about those, see my earlier blog relating to NIST CSF and DevSecOps.)

Figure 1. CIS Basic, foundational and organizational controls 

Organizational Controls (17-20) are Unique

Controls 17-20, the Organizational controls, differ from the other controls because they focus on people and processes rather than technology. As noted in the CIS Controls document:

“All of these topics are a critical, foundational part of any cyber defense program, but they are different in character than CIS Controls 1-16. While they have many technical elements, these are less focused on technical controls and more focused on people and processes. They are pervasive in that they must be considered across the entire enterprise, and across all of CIS Controls 1-16.”

Because controls 17-20 apply across all the other controls, relating them to DevSecOps stages is more challenging, but it also allows a broader interpretation of their descriptions.

In the rest of this blog, we consider all 20 controls and their sub-controls. Oracle SaaS Cloud Security (SCS) applies all 20 controls because every one of them is relevant to a SaaS cloud environment.

Using CIS Controls with DevSecOps

In the DevSecOps diagram below, Development stages are shown on the left, and Operations on the right. Security is shown in grey in two ways:

1. Next to all development and operations stages on the inside.
2. As a wrap-around to all stages on the outside.

For each CIS sub-control, there is a sub-control description, which provides great context when we associate a sub-control with a DevSecOps stage. In addition, the CIS document maps each CIS sub-control to a National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) functional area, which helped with the mapping below. For example:

  • Sub-controls that map to the CSF Identify function are also a good match for the DevSecOps Plan stage.
  • Sub-controls that map to the CSF Protect function are also a good match for the DevSecOps Deploy or Operate stage.
  • Sub-controls that map to the CSF Detect function are also a good match for the DevSecOps Monitor stage.

This table shows the mapping that we completed between DevSecOps stages and CIS controls and sub-controls.

Columns: DevSecOps Stage | CIS Control | Sub-Control Titles

Plan

CIS Control 1: Inventory and Control of Hardware Assets

1.1 Utilize an Active Discovery Tool
1.2 Use a Passive Asset Discovery Tool
1.3 Use DHCP Logging to Update Asset Inventory
1.4 Maintain Detailed Asset Inventory
1.5 Maintain Asset Inventory Information

CIS Control 2: Inventory and Control of Software Assets

2.1 Maintain Inventory of Authorized Software
2.2 Ensure Software Is Supported by Vendor
2.3 Utilize Software Inventory Tools
2.4 Track Software Inventory Information
2.5 Integrate Software and Hardware Asset Inventories
2.6 Address Unapproved Software

CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

5.1 Establish Secure Configurations

CIS Control 9:
Limitation and Control of Network Ports, Protocols, and Services

9.1 Associate Active Ports, Services, and Protocols to Asset Inventory

CIS Control 11:
Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

11.1 Maintain Standard Security Configurations for Network Devices
11.2 Document Traffic Configuration Rules

CIS Control 12: Boundary Defense

12.1 Maintain an Inventory of Network Boundaries

CIS Control 13: Data Protection

13.1 Maintain an Inventory of Sensitive Information

CIS Control 14:
Controlled Access Based on the Need to Know

14.4 Encrypt All Sensitive Information in Transit
14.8 Encrypt Sensitive Information at Rest
14.9 Enforce Detail Logging for Access or Changes to Sensitive Data

CIS Control 15: Wireless Access Control

15.1 Maintain an Inventory of Authorized Wireless Access Points

CIS Control 16:
Account Monitoring and Control

16.1 Maintain an Inventory of Authentication Systems
16.6 Maintain an Inventory of Accounts

CIS Control 18: Application Software Security

18.1 Establish Secure Coding Practices
18.3 Verify That Acquired Software Is Still Supported
18.4 Only Use Up-to-Date and Trusted Third-Party Components
18.5 Use only Standardized and Extensively Reviewed Encryption Algorithms
18.6 Ensure Software Development Personnel Are Trained in Secure Coding
18.8 Establish a Process to Accept and Address Reports of Software Vulnerabilities
18.9 Separate Production and Non-Production Systems

CIS Control 17: Implement a Security Awareness and Training Program

17.1 Perform a Skills Gap Analysis
17.2 Deliver Training to Fill the Skills Gap
17.3 Implement a Security Awareness Program
17.4 Update Awareness Content Frequently
17.5 Train Workforce on Secure Authentication
17.6 Train Workforce on Identifying Social Engineering Attacks
17.7 Train Workforce on Sensitive Data Handling
17.8 Train Workforce on Causes of Unintentional Data Exposure
17.9 Train Workforce Members on Identifying and Reporting Incidents

CIS Control 19:
Incident Response and Management

19.1 Document Incident Response Procedures
19.2 Assign Job Titles and Duties for Incident Response
19.3 Designate Management Personnel to Support Incident Handling
19.4 Devise Organization-wide Standards for Reporting Incidents
19.5 Maintain Contact Information For Reporting Security Incidents
19.6 Publish Information Regarding Reporting Computer Anomalies and Incidents
19.7 Conduct Periodic Incident Scenario Sessions for Personnel
19.8 Create Incident Scoring and Prioritization Schema

CIS Control 20:
Penetration Tests and Red Team Exercises

20.1 Establish a Penetration Testing Program
20.5 Create a Test Bed for Elements Not Typically Tested in Production
20.7 Ensure Results From Penetration Test Are Documented Using Open, Machine-Readable Standards

Code

CIS Control 18: Application Software Security

18.7 Apply Static and Dynamic Code Analysis Tools
(Oracle uses OSSA for this, see more below this table.)

Build

CIS Control 18: Application Software Security

18.7 Apply Static and Dynamic Code Analysis Tools  (Oracle uses OSSA for this, see more below this table.)

Test

CIS Control 14:
Controlled Access Based on the Need to Know

14.5 Utilize an Active Discovery Tool to Identify Sensitive Data

CIS Control 18: Application Software Security

18.2 Ensure That Explicit Error Checking Is Performed for All In-House Developed Software

Release

CIS Control 18: Application Software Security

18.11 Use Standard Hardening Configuration Templates for Databases

Deploy

CIS Control 2: Inventory and Control of Software Assets

2.7 Utilize Application Whitelisting
2.8 Implement Application Whitelisting of Libraries
2.9 Implement Application Whitelisting of Scripts
2.10 Physically or Logically Segregate High Risk Applications

CIS Control 3: Continuous Vulnerability Management

3.3 Protect Dedicated Assessment Accounts
3.4 Deploy Automated Operating System Patch Management Tools
3.5 Deploy Automated Software Patch Management Tools

CIS Control 12: Boundary Defense

12.7 Deploy Network-Based Intrusion Prevention Systems
12.8 Deploy NetFlow Collection on Networking Boundary Devices
12.9 Deploy Application Layer Filtering Proxy Server

CIS Control 18: Application Software Security

18.10 Deploy Web Application Firewalls

Operate

CIS Control 1: Inventory and Control of Hardware Assets

1.7 Deploy Port Level Access Control
1.8 Utilize Client Certificates to Authenticate Hardware Assets

CIS Control 4: Controlled Use of Administrative Privileges

4.2 Change Default Passwords
4.3 Ensure the Use of Dedicated Administrative Accounts
4.4 Use Unique Passwords
4.5 Use Multi-Factor Authentication for All Administrative Access
4.6 Use Dedicated Workstations For All Administrative Tasks
4.7 Limit Access to Scripting Tools

CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

5.2 Maintain Secure Images
5.3 Securely Store Master Images
5.4 Deploy System Configuration Management Tools

CIS Control 7: Email and Web Browser Protections

7.1 Ensure Use of Only Fully Supported Browsers and Email Clients
7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins
7.3 Limit Use of Scripting Languages in Web Browsers and Email Clients
7.4 Maintain and Enforce Network-Based URL Filters
7.5 Subscribe to URL-Categorization Service
7.7 Use of DNS Filtering Services
7.8 Implement DMARC and Enable Receiver-Side Verification
7.9 Block Unnecessary File Types
7.10 Sandbox All Email Attachments

CIS Control 8: Malware Defenses

8.1 Utilize Centrally Managed Anti-Malware Software
8.2 Ensure Anti-Malware Software and Signatures Are Updated
8.5 Configure Devices to Not Auto-Run Content

CIS Control 9:
Limitation and Control of Network Ports, Protocols, and Services

9.2 Ensure Only Approved Ports, Protocols, and Services Are Running
9.4 Apply Host-Based Firewalls or Port-Filtering
9.5 Implement Application Firewalls

CIS Control 10:
Data Recovery Capabilities

10.1 Ensure Regular Automated Backups
10.2 Perform Complete System Backups
10.3 Test Data on Backup Media
10.4 Protect Backups
10.5 Ensure All Backups Have at Least One Offline Backup Destination

CIS Control 11:
Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

11.4 Install the Latest Stable Version of Any Security-Related Updates on All Network Devices
11.5 Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
11.6 Use Dedicated Workstations for All Network Administrative Tasks
11.7 Manage Network Infrastructure Through a Dedicated Network

CIS Control 12: Boundary Defense

12.1 Maintain an Inventory of Network Boundaries
12.3 Deny Communications With Known Malicious IP Addresses 
12.4 Deny Communication Over Unauthorized Ports
12.11 Require All Remote Logins to Use Multi-Factor Authentication
12.12 Manage All Devices Remotely Logging Into Internal Network

CIS Control 13: Data Protection

13.2 Remove Sensitive Data or Systems Not Regularly Accessed by Organization
13.4 Only Allow Access to Authorized Cloud Storage or Email Providers
13.6 Encrypt Mobile Device Data
13.7 Manage USB Devices
13.8 Manage System’s External Removable Media’s Read/Write Configurations
13.9 Encrypt Data on USB Storage Devices

CIS Control 14:
Controlled Access Based on the Need to Know

14.1 Segment the Network Based on Sensitivity
14.2 Enable Firewall Filtering Between VLANs (could also be mapped to Plan)
14.3 Disable Workstation-to-Workstation Communication
14.4 Encrypt All Sensitive Information in Transit (also mapped under Plan)
14.6 Protect Information Through Access Control Lists
14.7 Enforce Access Control to Data Through Automated Tools
14.8 Encrypt Sensitive Information at Rest (also mapped under Plan)

CIS Control 15: Wireless Access Control

15.4 Disable Wireless Access on Devices if Not Required
15.5 Limit Wireless Access on Client Devices
15.6 Disable Peer-to-Peer Wireless Network Capabilities on Wireless Clients
15.7 Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
15.8 Use Wireless Authentication Protocols That Require Mutual, Multi-Factor Authentication
15.9 Disable Wireless Peripheral Access to Devices
15.10 Create Separate Wireless Network for Personal and Untrusted Devices

CIS Control 16:
Account Monitoring and Control

16.2 Configure Centralized Point of Authentication
16.3 Require Multi-Factor Authentication
16.4 Encrypt or Hash All Authentication Credentials
16.5 Encrypt Transmittal of Username and Authentication Credentials
16.7 Establish Process for Revoking Access
16.8 Disable Any Unassociated Accounts
16.9 Disable Dormant Accounts
16.10 Ensure All Accounts Have An Expiration Date
16.11 Lock Workstation Sessions After Inactivity

CIS Control 20:
Penetration Tests and Red Team Exercises

20.2 Conduct Regular External and Internal Penetration Tests
20.3 Perform Periodic Red Team Exercises
20.4 Include Tests for Presence of Unprotected System Information and Artifacts
20.6 Use Vulnerability Scanning and Penetration Testing Tools in Concert

Monitor

CIS Control 1: Inventory and Control of Hardware Assets

1.6 Address Unauthorized Assets

CIS Control 2: Inventory and Control of Software Assets

2.6 Address Unapproved Software

CIS Control 3: Continuous Vulnerability Management

3.1 Run Automated Vulnerability Scanning Tools
3.2 Perform Authenticated Vulnerability Scanning
3.6 Compare Back-to-Back Vulnerability Scans
3.7 Utilize a Risk-Rating Process

CIS Control 4: Controlled Use of Administrative Privileges

4.1 Maintain Inventory of Administrative Accounts
4.8 Log and Alert on Changes to Administrative Group Membership
4.9 Log and Alert on Unsuccessful Administrative Account Login

CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

5.5 Implement Automated Configuration Monitoring Systems

CIS Control 6:
Maintenance, Monitoring and Analysis of Audit Logs

6.1 Utilize Three Synchronized Time Sources
6.2 Activate Audit Logging
6.3 Enable Detailed Logging
6.4 Ensure Adequate Storage for Logs
6.5 Central Log Management
6.6 Deploy SIEM or Log Analytic Tools
6.7 Regularly Review Logs
6.8 Regularly Tune SIEM

CIS Control 7: Email and Web Browser Protections

7.6 Log All URL Requests 

CIS Control 8: Malware Defenses

8.3 Enable Operating System Anti-Exploitation Features / Deploy Anti-Exploit Technologies
8.4 Configure Anti-Malware Scanning of Removable Media
8.6 Centralize Anti-Malware Logging
8.7 Enable DNS Query Logging
8.8 Enable Command-Line Audit Logging

CIS Control 9:
Limitation and Control of Network Ports, Protocols, and Services

9.3 Perform Regular Automated Port Scans

CIS Control 11:
Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

11.3 Use Automated Tools to Verify Standard Device Configurations and Detect Changes

CIS Control 12: Boundary Defense

12.2 Scan for Unauthorized Connections Across Trusted Network Boundaries
12.5 Configure Monitoring Systems to Record Network Packets
12.6 Deploy Network-Based IDS Sensors
12.10 Decrypt Network Traffic at Proxy

CIS Control 13: Data Protection

13.3 Monitor and Block Unauthorized Network Traffic
13.5 Monitor and Detect Any Unauthorized Use of Encryption

CIS Control 14:
Controlled Access Based on the Need to Know

14.5 Utilize an Active Discovery Tool to Identify Sensitive Data (also mapped under Test)
14.9 Enforce Detail Logging for Access or Changes to Sensitive Data (also mapped under Plan)

CIS Control 15: Wireless Access Control

15.2 Detect Wireless Access Points Connected to the Wired Network
15.3 Use a Wireless Intrusion Detection System

CIS Control 16:
Account Monitoring and Control

16.12 Monitor Attempts to Access Deactivated Accounts
16.13 Alert on Account Login Behavior Deviation

CIS Control 20:
Penetration Tests and Red Team Exercises

20.8 Control and Monitor Accounts Associated With Penetration Testing

Table 1: Mapping of CIS Sub-Controls to DevSecOps Stages

Our Observations When Mapping the CIS Top 20 to DevSecOps

Table 1 shows that the focus of the CIS top 20 (like the NIST CSF) is mostly on the operations part of the DevSecOps software-service lifecycle. There are some sub-controls for the Plan stage, and only one (18.7) relates to the Code and Build stages of DevSecOps. At Oracle, for those stages, we use Oracle Software Security Assurance (OSSA), and the Corporate Security Solution Assurance Process (CSSAP) for security architecture review.

Given that the CIS sub-control activities outlined in the operational stages (Deploy, Operate, and Monitor) require very specialized skillsets, it does not make sense for each software development and delivery team to perform those activities. Instead, a dedicated security team can do these activities, allowing development and delivery teams to concentrate on delivering highly secure software. This follows the organizational structure we had in place before DevSecOps. 

This centralized security team and their activities map to the outer grey area that surrounds DevSecOps in Figure 2. The inner grey area represents security activities (such as secure coding) that are performed by development teams and by operations staff. 

The tools used by the centralized security team must integrate with the tools used by development teams so that two-way communication is smooth, natural, and frequent enough to support and take advantage of frequent software releases. The Plan stage is particularly important because it ensures that the development team is going to use a secure architecture and that the centralized security team can provide feedback during each new planning and development cycle.

Many of the CIS controls are relevant to more than one DevSecOps stage. For example, we chose to map a simple sub-control such as 14.4 Encrypt All Sensitive Information in Transit to the Plan and Operate stages of DevSecOps, but it is also relevant to the Test, Release, Deploy, and Monitor stages.
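The two observations above (that the mapping leans heavily toward Deploy, Operate and Monitor, and that some sub-controls such as 14.4 legitimately land in more than one stage) are easy to check once Table 1 is in machine-readable form. The following is an added example, not code from the original post, from Oracle or from CIS. It transcribes Table 1 by sub-control number (CIS Controls v7.1 numbering) and then computes entries per stage, the sub-controls mapped to more than one stage, and whether any of the 20 controls is missing from the mapping. The compact "control:sub,sub-sub" notation and the function names are this example's own conventions; the stage names are those used in the blog's DevSecOps figure.

```python
"""Table 1 (CIS v7.1 sub-controls -> DevSecOps stages) as data, with coverage checks.

Added example, not code from the original post, Oracle or CIS. The IDs below are
transcribed from Table 1; the "control:subs" shorthand is this example's own and
is expanded by _expand().
"""
from __future__ import annotations

from collections import defaultdict

# Stages the blog treats as operational (see "Our Observations" above).
OPS_STAGES = ("Deploy", "Operate", "Monitor")

# Each value is a list of "control:subs" tokens; subs are comma-separated numbers
# or inclusive ranges, e.g. "18:1,3-6,8,9" means 18.1, 18.3, 18.4, 18.5, 18.6, 18.8, 18.9.
TABLE_1 = {
    "Plan": "1:1-5 2:1-6 5:1 9:1 11:1-2 12:1 13:1 14:4,8,9 15:1 16:1,6 "
            "17:1-9 18:1,3-6,8,9 19:1-8 20:1,5,7",
    "Code": "18:7",
    "Build": "18:7",
    "Test": "14:5 18:2",
    "Release": "18:11",
    "Deploy": "2:7-10 3:3-5 12:7-9 18:10",
    "Operate": "1:7,8 4:2-7 5:2-4 7:1-5,7-10 8:1,2,5 9:2,4,5 10:1-5 11:4-7 "
               "12:1,3,4,11,12 13:2,4,6-9 14:1-4,6-8 15:4-10 16:2-5,7-11 20:2,3,4,6",
    "Monitor": "1:6 2:6 3:1,2,6,7 4:1,8,9 5:5 6:1-8 7:6 8:3,4,6-8 9:3 11:3 "
               "12:2,5,6,10 13:3,5 14:5,9 15:2,3 16:12,13 20:8",
}


def _expand(spec: str) -> list[str]:
    """Turn "18:1,3-6" into ["18.1", "18.3", "18.4", "18.5", "18.6"]."""
    ids: list[str] = []
    for token in spec.split():
        control, subs = token.split(":")
        for part in subs.split(","):
            lo, _, hi = part.partition("-")
            ids.extend(f"{control}.{n}" for n in range(int(lo), int(hi or lo) + 1))
    return ids


def mapping() -> dict[str, list[str]]:
    """Stage -> list of sub-control IDs, in table order."""
    return {stage: _expand(spec) for stage, spec in TABLE_1.items()}


def stage_counts() -> dict[str, int]:
    """Number of table entries per DevSecOps stage."""
    return {stage: len(ids) for stage, ids in mapping().items()}


def stages_for(sub_control: str) -> list[str]:
    """Every stage a sub-control is mapped to, e.g. stages_for("14.4") -> ["Plan", "Operate"]."""
    return [stage for stage, ids in mapping().items() if sub_control in ids]


def multi_stage() -> dict[str, list[str]]:
    """Sub-controls the table places in more than one stage (the "also mapped" notes)."""
    seen: dict[str, list[str]] = defaultdict(list)
    for stage, ids in mapping().items():
        for sub_control in ids:
            seen[sub_control].append(stage)
    return {sc: stages for sc, stages in seen.items() if len(stages) > 1}


def coverage() -> dict[str, object]:
    """Distinct sub-controls mapped, and any of the 20 controls absent from the table."""
    distinct = {sc for ids in mapping().values() for sc in ids}
    covered = {int(sc.split(".")[0]) for sc in distinct}
    return {
        "distinct": len(distinct),
        "missing_controls": sorted(set(range(1, 21)) - covered),
    }


def ops_share() -> float:
    """Fraction of table entries that fall in Deploy, Operate or Monitor."""
    counts = stage_counts()
    return sum(counts[s] for s in OPS_STAGES) / sum(counts.values())


if __name__ == "__main__":
    print("entries per stage:", stage_counts())
    print("mapped to more than one stage:", multi_stage())
    print("coverage:", coverage())
    print(f"share of entries in operations stages: {ops_share():.0%}")
```

Run as written, the script reports 171 distinct sub-controls (the full v7.1 set), seven sub-controls mapped to two stages each (2.6, 12.1, 14.4, 14.5, 14.8, 14.9 and 18.7), and about 69% of table entries in the three operations stages, which is the basis for the observation above. If you adapt the table to your own organization, keep `coverage()["missing_controls"]` empty before relying on the mapping as audit evidence, and review `multi_stage()` so that each shared sub-control has a clear owner in every stage it appears in.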

Conclusions

In Oracle SaaS Cloud Security, we have found that the CIS top 20 controls, like the NIST CSF, provide valuable guidance when building out a DevSecOps framework. The guidance from the CIS controls and their sub-controls holds whether software is developed using the traditional waterfall model or using more Agile methods with frequent releases. Our customers have more trust and confidence in SaaS security when they know that we use industry security frameworks such as CIS with which they too are familiar.

For more information about building secure software, you can refer to the CWE/SANS Top 25 Most Dangerous Software Errors and the OWASP Top 10. If you are moving from traditional software development to developing and delivering software systems using DevSecOps, you need to adapt your existing security team to align with an Agile delivery model in which software is delivered more frequently in smaller increments.

As a footnote: If you are a consumer of a cloud service, you may be interested to know that CIS also provides a guidance document that discusses how the top 20 critical security controls apply to cloud services (infrastructure, platform, and function as a service). It is written from the cloud service consumer or customer perspective, and not from a cloud provider perspective.
