Guidelines vs. Certifications: Understanding CIS, SOC, ISO, and PCI DSS in AWS Environments

In the rapidly evolving landscape of cybersecurity and compliance, a common challenge for organisations is deciphering the myriad of standards and frameworks available. The confusion often extends to how these standards apply within cloud environments, particularly Amazon Web Services (AWS). A frequent misconception among customers is that AWS is "certified" against the CIS (Center for Internet Security) Benchmarks. No such certification exists, because the CIS Benchmarks are not a certification scheme at all.

The CIS Benchmarks are detailed, technical configuration baselines for specific technologies (operating systems, databases, container platforms, and the AWS account itself via the CIS AWS Foundations Benchmark). AWS offers robust security and compliance capabilities, but because a benchmark prescribes settings for an individual system, there is no blanket certification to point to. Consequently, while AWS managed services can satisfy most recommendations in a given benchmark, a managed service may not expose every setting the benchmark asks you to change, so it may not fully adhere to all of them. This matters for customers whose policy mandates complete application of a CIS benchmark.

For such customers, self-managed options on AWS (for example, running your own EC2 instances, optionally from the CIS Hardened Images available in AWS Marketplace) are often the more suitable solution. These give you the control and customisation needed to apply a benchmark in full, at the cost of taking on the operational burden the managed service would otherwise carry. Understanding this distinction helps in making informed decisions about which AWS services to use in alignment with specific compliance and security needs.

In this context, we will explore and compare a few key cybersecurity and compliance frameworks: CIS Benchmarks, SOC (System and Organization Controls), ISO (International Organization for Standardization) standards, and PCI DSS (Payment Card Industry Data Security Standard). Each plays a distinct role in the broader spectrum of cybersecurity, and grasping their differences is key to implementing effective and compliant solutions.

CIS (Center for Internet Security) Benchmarks:

  • Focus: Provide detailed, technical guidelines for the secure configuration of various technology systems, including operating systems, middleware, and software applications.
  • Nature: Configuration standards for hardening systems against cyber threats.
  • Usage: Widely used by IT professionals for ensuring the security of technology systems.
  • Evaluation: Does not involve a formal certification process. Organisations typically use CIS Benchmarks for internal assessments and to guide their hardening, often with automated scanners (CIS-CAT, AWS Security Hub, or AWS Config rules) that score each recommendation as pass or fail.

SOC (System and Organization Controls):

  • Focus: Primarily focused on the controls and processes within an organisation, especially as they relate to handling and securing data.
  • Nature: Different types of SOC reports (e.g., SOC 1, SOC 2, SOC 3), each serving different purposes. For example, SOC 2 is focused on the security, availability, processing integrity, confidentiality, and privacy of a system.
  • Usage: Often used by service organisations to demonstrate their commitment to security and data integrity to clients and stakeholders.
  • Evaluation: Involves an examination by an independent CPA (Certified Public Accountant) firm under AICPA attestation standards. The result is an attestation report (not a certificate) that can be shared with customers and stakeholders; SOC 1 and SOC 2 reports are typically shared under NDA, while SOC 3 is a general-use summary.

ISO Standards (e.g., ISO 27001):

  • Focus: Provide a framework for managing an organisation’s information security management system (ISMS).
  • Nature: ISO 27001 is a comprehensive standard that includes requirements for establishing, implementing, maintaining, and continually improving an ISMS.
  • Usage: Adopted by organisations worldwide to demonstrate their commitment to information security.
  • Evaluation: Involves a formal certification process conducted by accredited certification bodies.

PCI DSS (Payment Card Industry Data Security Standard):

  • Focus: Establishes security standards for organisations that handle branded credit cards from the major card schemes.
  • Nature: A set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
  • Usage: Contractually mandated by the card brands for all entities that store, process, or transmit cardholder data, including merchants, processors, acquirers, issuers, and service providers.
  • Evaluation: Requires regular validation of compliance, either a Report on Compliance produced by a Qualified Security Assessor (QSA) or a Self-Assessment Questionnaire (SAQ), depending on the transaction volume and nature of the business.

Comparison:

  • Scope: CIS Benchmarks are very technical and specific to system configurations. SOC and ISO provide broader frameworks for organizational processes and controls, with ISO being more comprehensive. PCI DSS is specifically focused on payment card data security.
  • Certification: CIS does not involve a formal certification. ISO 27001 results in a certificate issued by an accredited certification body. SOC results in an attestation report from an independent CPA firm, which is commonly called a "SOC certification" but is not one. PCI DSS requires compliance validation, through self-assessment or a QSA assessment.
  • Focus: CIS is about security configurations. SOC 1 is about internal controls over financial reporting; SOC 2 is about controls relevant to security, availability, processing integrity, confidentiality, and privacy. ISO 27001 is about the broader management system for information security. PCI DSS is dedicated to securing payment card data.
  • Applicability: CIS is used by technical teams to configure systems securely. SOC is crucial for service organisations that need to demonstrate control effectiveness to clients. ISO 27001 suits organisations seeking a holistic approach to managing information security. PCI DSS is mandatory for entities involved in payment card processing.

Shared Responsibility Model

An essential aspect to understand within the AWS framework is the shared responsibility model, especially concerning compliance with standards such as ISO, SOC, and PCI DSS. AWS is responsible for security "of" the cloud and holds its own ISO certifications, SOC reports, and PCI DSS validation for the underlying services; the customer is responsible for security "in" the cloud. AWS's compliance does not transfer to your workload: a PCI DSS validated service provider hosting your cardholder data environment does not make that environment compliant, and an ISO 27001 certificate for AWS does not certify your ISMS. Customers must therefore secure and validate their own applications, data, identities, and configurations on top of AWS, be proactive about the specific requirements that apply to them, and implement the controls those requirements demand. Understanding and adhering to this model is vital for achieving and maintaining compliance within the AWS ecosystem.

AWS Artifact

It is important to note that the relevant certifications and compliance reports are accessible through AWS Artifact. AWS Artifact is a self-service portal offering on-demand access to AWS's security and compliance documentation. It is the place to obtain the evidence for AWS's side of the shared responsibility model, such as SOC reports, ISO certificates, and the PCI DSS Attestation of Compliance, which customers then combine with their own evidence when demonstrating compliance. Note that you will not find a CIS certificate there, for the reasons discussed above.

AWS Audit Manager

Another tool in the AWS suite that aids compliance and risk management is AWS Audit Manager. This service continuously audits your AWS usage, helping you manage risk and adhere to regulations and industry standards. AWS Audit Manager automates evidence collection, allowing you to assess the operational effectiveness of your controls (policies, procedures, and activities). It streamlines preparation for audits by managing stakeholder reviews and enabling the creation of audit-ready reports with reduced manual effort.

Significantly, Audit Manager offers prebuilt frameworks tailored to specific compliance standards or regulations. Each framework is a collection of controls, complete with descriptions and testing procedures, organised to meet the requirements of the specified standard. You can also customise these frameworks and controls to cater to your own internal audit requirements. When you create an assessment, Audit Manager automatically assesses the in-scope resources, gathering data (for example from AWS Config, AWS CloudTrail, and AWS Security Hub) and transforming it into audit-friendly evidence. This evidence is attached to the relevant controls, supporting compliance demonstration in areas like security, change management, business continuity, and software licensing. Evidence collection is ongoing from the moment you create the assessment and continues to incur cost, so set the assessment status to inactive once the audit needs are met. AWS Audit Manager is thus a valuable tool for organisations looking to streamline their compliance processes within AWS.

Other Useful Tools & Resources

  • Security and Compliance Quick Start Guides – These deployment guides discuss architectural considerations and provide steps for deploying baseline environments on AWS that are security and compliance focused.
  • AWS Compliance Resources – This collection of workbooks and guides might apply to your industry and location.
  • AWS Customer Compliance Guides – Understand the shared responsibility model through the lens of compliance. The guides summarize the best practices for securing AWS services and map the guidance to security controls across multiple frameworks (including National Institute of Standards and Technology (NIST), Payment Card Industry Security Standards Council (PCI), and International Organization for Standardization (ISO)).
  • Evaluating Resources with Rules in the AWS Config Developer Guide – The AWS Config service assesses how well your resource configurations comply with internal practices, industry guidelines, and regulations.
  • AWS Security Hub – This AWS service provides a comprehensive view of your security state within AWS. Security Hub uses security controls to evaluate your AWS resources and to check your compliance against security industry standards and best practices, including the CIS AWS Foundations Benchmark. For a list of supported services and controls, see the Security Hub controls reference.
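The AWS Config bullet above is where the "CIS is a configuration baseline, not a certificate" point becomes concrete: a benchmark recommendation is something you can encode as a rule and evaluate continuously. Below is an added example of such a custom Config rule written as a Lambda function, in the spirit of the CIS AWS Foundations Benchmark's recommendation that no security group allow unrestricted ingress to SSH. It is not code from this article's author or from AWS. It assumes the field names Config records for `AWS::EC2::SecurityGroup` configuration items (`ipPermissions`, `ipProtocol`, `fromPort`, `toPort`, `ipv4Ranges`/`ipRanges`, `ipv6Ranges`, mirroring the `describe-security-groups` response) and a hypothetical `port` rule parameter; verify the field names against a real configuration item before deploying. The sample configuration items at the bottom are constructed, not real AWS data, so the evaluation logic runs offline.

```python
"""Custom AWS Config rule: flag security groups exposing a port to the Internet.

Added example (not AWS's or the article author's code). Field names are assumed
to mirror what Config records for AWS::EC2::SecurityGroup; check before use.
"""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def _cidrs(perm):
    """Yield every CIDR on one ipPermissions entry: legacy `ipRanges` (strings or
    objects) plus the newer ipv4Ranges/ipv6Ranges object lists."""
    for r in perm.get("ipRanges", []):
        yield r if isinstance(r, str) else r.get("cidrIp")
    for r in perm.get("ipv4Ranges", []):
        yield r.get("cidrIp")
    for r in perm.get("ipv6Ranges", []):
        yield r.get("cidrIpv6")


def _covers_port(perm, port):
    """True if this permission's protocol/port range includes TCP `port`."""
    proto = str(perm.get("ipProtocol"))
    if proto == "-1":          # "all traffic" rule
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:  # tcp with no range recorded: treat as all ports
        return True
    return lo <= port <= hi


def open_ingress_rules(configuration, port=22):
    """Return the ipPermissions entries that expose `port` to the whole Internet."""
    return [p for p in configuration.get("ipPermissions", [])
            if _covers_port(p, port) and any(c in OPEN_CIDRS for c in _cidrs(p))]


def evaluate_configuration_item(item, port=22):
    """Map one Config configuration item to a PutEvaluations evaluation dict."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        compliance, annotation = NOT_APPLICABLE, "not a security group"
    elif item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, annotation = NOT_APPLICABLE, "resource deleted"
    else:
        offenders = open_ingress_rules(item.get("configuration", {}), port)
        if offenders:
            cidrs = sorted({c for p in offenders for c in _cidrs(p) if c in OPEN_CIDRS})
            compliance, annotation = NON_COMPLIANT, f"port {port} open to {', '.join(cidrs)}"
        else:
            compliance, annotation = COMPLIANT, f"no unrestricted ingress to port {port}"
    return {
        "ComplianceResourceType": item.get("resourceType"),
        "ComplianceResourceId": item.get("resourceId"),
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config limits annotations to 256 characters
        "OrderingTimestamp": item.get("configurationItemCaptureTime"),
    }


def lambda_handler(event, context):
    """Entry point Config invokes; reports the verdict back with PutEvaluations."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    port = int(params.get("port", 22))       # hypothetical rule parameter
    evaluation = evaluate_configuration_item(invoking["configurationItem"], port)
    import boto3  # imported here so the evaluation logic above runs offline
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample configuration items (not real AWS data) for offline testing.
def _sample_sg(resource_id, perms):
    return {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": resource_id,
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"ipPermissions": perms}}

SAMPLE_OPEN_SG = _sample_sg("sg-0example0open", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}])
SAMPLE_RANGE_V6_SG = _sample_sg("sg-0example0v6", [
    {"ipProtocol": "tcp", "fromPort": 20, "toPort": 25,
     "ipv4Ranges": [], "ipv6Ranges": [{"cidrIpv6": "::/0"}]}])
SAMPLE_RESTRICTED_SG = _sample_sg("sg-0example0ok", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]},
    {"ipProtocol": "udp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}])

if __name__ == "__main__":
    for sg in (SAMPLE_OPEN_SG, SAMPLE_RANGE_V6_SG, SAMPLE_RESTRICTED_SG):
        print(json.dumps(evaluate_configuration_item(sg), indent=2))
```

Because the evaluation is a pure function of the configuration item, the same logic can be run against a `describe-security-groups` dump on a workstation, used in a CI gate, and deployed as the rule; only the thin `lambda_handler` touches boto3. The pattern generalises to any benchmark recommendation that is observable in a configuration item, which is exactly how the managed Security Hub CIS checks work under the hood.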

Summary

In summary, CIS Benchmarks, SOC, ISO 27001, and PCI DSS differ in focus, evaluation process, and applicability: a configuration baseline with no certification, an attestation report, a certified management system, and a validated payment-card standard, respectively. Organisations need to understand these differences to meet the requirements that actually apply to them. The shared responsibility model within AWS underscores that the customer remains accountable for compliance of its own workloads, even when AWS's own certifications and reports are available through AWS Artifact, and that tools like AWS Audit Manager, AWS Config, and AWS Security Hub exist to gather the customer-side evidence. Together, these insights help organisations navigate the landscape of cybersecurity standards and regulations in cloud computing.


Disclaimer: The views and opinions expressed in this article are my own and do not necessarily reflect the official policy or position of Amazon Web Services (AWS). This content is provided for informational purposes only.

Katy Fairchild

Chief Information & Security Officer

4 months

This is exactly the information I was looking for; thank you! I was struggling to articulate the differences succinctly.

Damian L.

CIO @ Seaco | CTO | CISO | CDO | Cloud | Transformation | AI | ML | Startups | High Performing IT | Software Development | Big Data | Banking Technology | Engineering | Agile

11 months

Nice work Ben Groeneveld and good read.
