What’s your cloud benchmark?

Building compliant platforms with code

Businesses need to strike a balance between speed, flexibility, and control. This means technology infrastructure teams providing developers and application teams with rapid access to the rich array of cloud services and innovations so they can develop and build at pace in sandbox & dev environments and also preparing the production equivalent environments with the right governance, security and controls for when those new applications and business services are promoted into production. Part of the answer here is to be clear on what good practice looks like when it comes to well-governed production-grade cloud environments. By understanding this, those target production environments can be built and managed with code, ultimately reducing business risk and cost.

As a technology partner providing services in this area, it's important to us that we hold ourselves to account for maintaining high standards across everything we do from design through to operations. A key part of that is ensuring that our production designs and operational processes adhere to good standards and benchmarks for the key technologies that are strategic to us, our partners, and our customers.

A standard part of our design cycle when building and configuring solutions using technologies like Azure, Kubernetes, docker, rancher, terraform is to make sure of the following:

• The build and configuration of production-grade platforms are compliant with key elements of the CIS benchmarks and Azure cloud adoption frameworks. By having these standards in place and a deployment codebase already tested we know we are starting from solid foundations.

• Platforms are built and upgraded using code. In our own lab we rebuild our environments daily and treat them as immutable, so we are confident that we have the desired configuration state we planned for.

We made a decision early to invest in CIS, so we are in a strong position to help customers:

• Quickly ascertain their CIS benchmark compliance levels for existing Azure deployments so that gaps in production deployments can be closed quickly if needed.

• Easily and systematically track CIS benchmarks and Azure CAF compliance on an on-going basis. We would advocate periodic checks to ensure that cloud deployments continue to be benefit from all the good standards you envisaged during the design phase.

• Understand how CIS benchmarks can help customers with compliance that is specific to their regulated industry. Having a posture you can be confident in and can easily report against, is always a good position to be in.

There has been a monumental shift towards doing business digitally and online in recent years and that direction of travel has been accelerated throughout 2020 because of the global pandemic we are all currently living through. Businesses are embracing systems that host business services and data across a wide variety of technology platforms that includes on-premises, multiple cloud environments and many SaaS technologies, and we believe its important that all businesses develop their own good standards and controls with an operational framework they can trust that ensures that those standards are upheld. At BlakYaks we will always do our bit to help by making sure any Azure-based platforms we build and manage with and for customers already benefits from good design standards and are measured against our chosen benchmarks, so customers know that the responsibility placed in our hands is already taken care of.

Helping customers tune deployments for control and speed

When building or configuring production-grade cloud platforms our preference is to plan for a secure and CIS benchmark compliant state right from the start. Then we will work with customers to tune the configuration to fit their own individual needs. Customers may choose to reach level 1 or level 2 compliance depending on the nature of the services the platform is hosting. If a customer is building an internal-only Azure container sandbox environment, the policies and controls applied will be different from those required for a public-facing platform that is hosting private and sensitive data or your most critical business services. By using elegant automation, we can fine-tune the platforms security and compliance posture quickly and iteratively to get it just right for a given business or deployment scenario.

We create our own secure, compliant designs for the technologies we major in such as Azure, AKS, Kubernetes, Docker then test and tune the configurations in our labs to find a configuration state that we would regard as optimal and ready to host business services. We also bake in a number of technologies that help us report, manage, operate and control the platform so there is a complete working system that forms a solid baseline that some customers may consider a good V1.0 release ahead of any adjustments and integrations required for their deployment scenarios.

From a benchmark perspective, much of our focus centres around key technologies such as Azure, AKS and Docker and we measure these configurations against the benchmark. However, the CIS toolkit is much wider in scope and customers may also want to measure other parts of their deployment (e.g. Cloud IaaS) against other benchmarks such as Linux and Windows operating system build hardening. The CIS benchmark suite is a rich suite of tools, wide in scope. The screenshots below give a flavour of the scope of some technology benchmarks covered but there are hundreds of others.

Microsoft Azure Foundations:

Azure Kubernetes Service:

RedHat Enterprise Linux 8:

We would never advocate the use of these benchmarks across all environments (obviously) but when you are setting out to build secure, compliant, robust, stable cloud hosted-platforms that give you the right blend of controls and speed then the combination of good standards/benchmarks along with high levels of automation becomes important, especially when planning for scale deployments.