5 key principles for stress-free CIS Benchmarks compliance

Securing tech and IT infrastructures has become a top priority for both CIOs and CISOs. Driven by regulatory pressure, internal requirements, or simply the will to structure their security approach, organizations are increasingly relying on recognized benchmarks. Serving as a guide to best practices for securing a system ‒ from browsers to databases to entire operating systems ‒ benchmarks contain specific parameters that can be applied to reduce risks.

Covering categories like authentication and logging, network or cloud services, the Center for Internet Security (CIS) Benchmarks have become the universal language of security standards. As a not-for-profit organization, CIS publishes these widely recognized secure configuration guides, which have even been incorporated into some NIST or ANSSI (French National Cybersecurity Agency) standards.

Compliance and audits shouldn’t weigh down the teams maintaining operational conditions

Implementing benchmarks without any particular method or the right tool can soon turn into a headache. As any ops team will tell you, just thinking about taking this on is enough to make them break into a cold sweat. And they are not exaggerating… taking on this colossal project often means:

  • Managing heterogeneous infrastructures requiring multiple benchmarks (Linux, Windows and its various versions, etc.)
  • Working through 300 to 500 control points for each benchmark
  • Going through thousands of machines manually, while trying to get your head around all those exceptions
  • Prioritizing a massive flow of non-compliance issues reported simultaneously by tools like CIS-CAT, which can quickly become overwhelming: scans run across large numbers of systems generate huge reports, and sorting through them to identify what really matters is time-consuming.

In the meantime, teams have to maintain operational conditions without risking downtime. Compliance then becomes another burden, and your team ends up seeing benchmarks as a constraint rather than a catalyst for progress. All too often, teams implement these benchmarks and trigger an avalanche of support tickets. They spend hours in meetings to justify those compliance drifts, rather than strengthening security.

Ensuring CIS Benchmarks compliance starts with the right implementation method

The strategy you choose to implement benchmarks will determine which tool your team will use and whether your infrastructure will ultimately be compliant. So, before you start configuring CIS Benchmarks, you need a methodology in place to make sure the process remains manageable. 

We have put together five key principles to ensure a personalized and controlled CIS Benchmarks implementation. These principles are the foundation of a new solution coming soon in Rudder: our Policy and benchmark compliance solution. Be ready to deploy CIS Benchmarks iteratively for RHEL 9, with flexibility and granularity. And no worries: it won’t clash with your methodology, it will support it.

Figure (CIS compliance dashboard): Policy and benchmark compliance dashboard, giving a clear overview of results, category by category. Some categories are enabled (e.g., Services, Host Based Firewall), others partially enabled (e.g., Logging and Auditing), and the rest are disabled.

1. Adapt to your specific infrastructure

Security policies must be specific to a group of similar machines with the same life cycles, uses, criticality, OS, update constraints, and so on.

Applying the same rules to critical servers and machines with very different uses is risky and often counterproductive. 

2. Always start with an overview in Audit

Be cautious when rolling out your CIS Benchmarks, and always implement policies in Audit mode first. Audit mode allows you to evaluate your policies first without making any changes, and to fine-tune them without putting your operational teams at risk.

This way, you can assess the impact of the changes before applying corrections in production.

3. No Big Bang: progress iteratively, tackle one category at a time and scale up gradually

Thinking of deploying 400 control points at once? Not a good idea. It is much better to start on a small group of test machines and then work through them category by category: authentication, permissions, network services, and so on. This allows you to isolate and identify the effects of each rule, and apply changes without any overall impact if a problem occurs. The focus here is on prioritizing according to the infrastructure: firewall management will be critical in an exposed network area, and logs will take precedence on machines that process sensitive data. The other rules can wait.

Once validated on the test machines, the rules can be gradually rolled out to other groups of machines.

4. Document your decisions to stay in control

Everyone’s infrastructure is different. Each team has its own way of working. But to ensure compliance remains aligned with your operational reality, it is essential to document your decisions as the CIS Benchmark is deployed. 

This documentation is essential for tracking what has been applied, adjusted, or disabled and why. It allows you to evaluate whether a given security policy is effective for your infrastructure while keeping a clear record of your decisions. 

5. Allow exceptions: security should adapt to business needs

Compliance does not have to mean being inflexible. It is normal to have to disable or adapt some policies for operational reasons. These exceptions aren’t unusual: they are to be expected, and often they’re indispensable for your systems to do their job. So, there is no need for them to cause your ops teams any worries.

In our upcoming solution, exception management is traceable, documented, and most importantly, not an obstacle. You only need to disable the security policies you want to exclude, by overriding either their activation or their mode (Audit or Enforce) at group or even machine level.

Figure (CIS benchmark exception handling): Exception management for a web server, where web services must remain enabled. The policy is therefore disabled only for this node; it remains active for the other nodes.

What’s next for CIS benchmark compliance? Moving towards automation

You now have the key principles, it is time to put them into action. You can, of course, continue to use your current tools to automate production; many of our users already do this with Rudder’s configuration management solution.

But to move faster and in a more controlled way, we chose to dedicate a brand-new solution to this very challenge: Policy and benchmark compliance.
