# Do You Have Enough Cloud Security? Use CIS Controls to Assess Yourself

By [Matthew Chiodi](https://www.paloaltonetworks.com/blog/author/matthew-chiodi/?ts=markdown "Posts by Matthew Chiodi"), Aug 03, 2020, 4 minutes

[DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown) [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown) [CIS controls](https://www.paloaltonetworks.com/blog/tag/cis-controls/?ts=markdown) [Prisma Cloud](https://www.paloaltonetworks.com/blog/tag/prisma-cloud/?ts=markdown) [SOC](https://www.paloaltonetworks.com/blog/tag/soc/?ts=markdown)

Clients often ask me, "How do I know if I have 'enough' security in the cloud?" This is a great question because it shows a willingness to learn.
The truth is that there is no right answer. However, a simple place to begin is the basics. You should be sure you're covering the basics well and tracking them closely. This is why I am a huge fan of standards. While they are not the be-all and end-all for security, they give you an excellent place to start. One common set of standards is the Center for Internet Security's (CIS) [top 20 controls](https://www.cisecurity.org/controls/cis-controls-list/), a prioritized list of 20 best practices that help organizations improve cybersecurity.

## CIS Controls: Benchmarks for Cloud

[Threat research shows](https://unit42.paloaltonetworks.com/cloudy-with-a-chance-of-entropy/) that 65% of cloud security incidents are the result of customer misconfigurations. Why is this number so high? Because organizations are not getting the security basics right. This is where standards like the CIS controls can provide an excellent benchmark for those foundations.

![This chart displays the top 20 CIS controls, divided into basic, foundational and organizational categories.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/08/CIS-controls.png)

Figure 1: CIS 20 Critical Controls. Source: Center for Internet Security

A great exercise for your cloud program is to map these 20 controls against what you have in place today. With the exception of control 15, Wireless Access Control, these are all relevant to varying degrees across infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) platforms.

## Measure a Complete View of Cloud Security Using CIS 20

**The trick for your security program is to measure as many of the 20 controls as possible using cloud native tooling.** By cloud native, I mean platforms that integrate with multiple cloud service providers (CSPs), hybrid-cloud environments and common software development tools like CircleCI, GitHub and Jenkins.
Most security teams think only of the attack surface on the CSP; however, the entire CI/CD pipeline is just as critical. This is why it's important to use [security platforms that are completely integrated](https://www.paloaltonetworks.com/blog/2020/03/cloud-native-security-platform-2/) across all the major public cloud providers and development pipelines. Otherwise, you are only seeing part of the picture. See Figure 2 below.

![This chart shows the role that a cloud native security platform plays in the full development lifecycle, providing visibility, help with compliance and governance, compute security, network protection and identity security.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/08/developer-ide.png)

Figure 2: Full lifecycle, full stack and multi-cloud coverage from cloud native tooling

We know that most security programs lack this holistic view into the development pipeline thanks to the [Spring 2020 Cloud Threat Report from Unit 42](https://unit42.paloaltonetworks.com/cloud-threat-report-intro/). Researchers analyzed hundreds of thousands of infrastructure as code (IaC) templates and came up with some interesting findings. The most pertinent: nearly 200,000 insecure templates in use, 43% of cloud databases not encrypted and 60% of cloud storage services with logging disabled. These numbers illustrate why it's important to examine your entire cloud stack when assessing your cloud security.

![The chart displays key figures from the Spring 2020 Cloud Threat Report from Unit 42: Nearly 200K insecure templates in use, 43% of cloud databases not encrypted, 60% of cloud storage services have logging disabled.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/08/200k-1.png)

Figure 3: Lack of visibility into the development pipeline. Source: unit42.paloaltonetworks.com/cloud

## How to Apply CIS Controls to Cloud Development

So how do you apply the CIS 20 to your entire cloud stack?
The first thing I recommend is reading through the [CIS Controls Cloud Companion Guide](https://www.cisecurity.org/white-papers/cis-controls-cloud-companion-guide/). The guide will help you create metrics for each control, decide what end result you're looking for and begin to work backward to determine where and how to collect data.

![This spreadsheet shows an example of how you might translate the top 20 CIS controls into metrics you can track within your organization.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/08/spreadsheet.png)

Figure 4: Example of a spreadsheet for tracking the CIS 20 in the Cloud

Again, it's important to keep the entire cloud stack in mind. Don't just focus on the CSP; be sure to include your entire development pipeline. These 20 critical controls should apply evenly across the stack. Don't expect to have this process perfect overnight. A great way to test this out is to make these metrics a key requirement for any proofs of concept your team is likely running on [cloud native security platforms](https://www.paloaltonetworks.com/blog/2020/03/cloud-native-security-platform-2/) (CNSPs). **The key question is: will the CNSP enable you to track these metrics over time and take corrective action when necessary?**

## How Much Is Enough Cloud Security?

In my view, you can only begin to answer the question of whether you have "enough" cloud security by first covering the basics. Step two, and the key to long-term success in the cloud, is measuring the controls consistently over time across the entire stack. Combined, these give you a better sense of your overall posture and can inform whether your current controls are enough.
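As an added example that is not code from the post, the CIS guide or any Palo Alto Networks product, the following Python sketch implements the tracking process described under "How to Apply CIS Controls to Cloud Development": each applicable control is scored across the IaaS, PaaS, SaaS and CI/CD layers, control 15 is excluded as the post suggests, unmeasured layers are reported as blind spots, and controls whose coverage dropped between two measurement snapshots are flagged for corrective action. The layer names, the sample scores and the 0.1 regression threshold are constructed assumptions.

```python
"""Added example, not code from the Palo Alto Networks post or the CIS guide.
Scores CIS 20 control coverage across the cloud stack and flags regressions
between two measurement snapshots. Layer names, scores and the threshold are
constructed assumptions for illustration."""
from __future__ import annotations

# Layers of the cloud stack the post says every control should apply across.
LAYERS = ("iaas", "paas", "saas", "cicd")

# Control 15 (Wireless Access Control) is the one control the post treats as
# not relevant to cloud platforms, so it is left out of the denominator.
NOT_APPLICABLE = {15}
APPLICABLE_CONTROLS = [c for c in range(1, 21) if c not in NOT_APPLICABLE]

# Constructed sample snapshots: control number -> layer -> score in [0.0, 1.0],
# where 1.0 means the metric chosen for that control is fully met on that layer.
SNAPSHOT_Q1 = {
    5: {"iaas": 1.0, "paas": 1.0, "saas": 0.5, "cicd": 0.5},   # secure configuration
    6: {"iaas": 1.0, "paas": 0.5, "saas": 0.5, "cicd": 0.0},   # audit log management
    13: {"iaas": 1.0, "paas": 1.0, "saas": 1.0, "cicd": 1.0},  # data protection
}
SNAPSHOT_Q2 = {
    5: {"iaas": 1.0, "paas": 1.0, "saas": 0.5, "cicd": 0.5},
    6: {"iaas": 1.0, "paas": 0.5, "saas": 0.5, "cicd": 0.5},   # CI/CD logging improved
    13: {"iaas": 1.0, "paas": 0.5, "saas": 1.0},               # PaaS dropped, CI/CD unmeasured
}


def coverage(snapshot: dict) -> dict:
    """Per-control coverage as the mean layer score; an unmeasured layer counts as 0."""
    result = {}
    for control in APPLICABLE_CONTROLS:
        scores = snapshot.get(control, {})
        for layer, value in scores.items():
            if layer not in LAYERS or not 0.0 <= value <= 1.0:
                raise ValueError(f"bad measurement for control {control}: {layer}={value}")
        result[control] = sum(scores.get(layer, 0.0) for layer in LAYERS) / len(LAYERS)
    return result


def overall_score(snapshot: dict) -> float:
    """Program-wide coverage averaged over all applicable controls."""
    cov = coverage(snapshot)
    return sum(cov.values()) / len(cov)


def blind_spots(snapshot: dict) -> dict:
    """Layers with no measurement at all, per control: the visibility gaps the post warns about."""
    return {c: [l for l in LAYERS if l not in snapshot.get(c, {})]
            for c in APPLICABLE_CONTROLS if any(l not in snapshot.get(c, {}) for l in LAYERS)}


def regressions(previous: dict, current: dict, threshold: float = 0.1) -> list:
    """Controls whose coverage fell by more than `threshold` between two snapshots."""
    before, after = coverage(previous), coverage(current)
    return [(c, before[c], after[c]) for c in APPLICABLE_CONTROLS if before[c] - after[c] > threshold]


if __name__ == "__main__":
    print(f"overall Q1 {overall_score(SNAPSHOT_Q1):.2f} -> Q2 {overall_score(SNAPSHOT_Q2):.2f}")
    for control, before, after in regressions(SNAPSHOT_Q1, SNAPSHOT_Q2):
        print(f"control {control} regressed: {before:.2f} -> {after:.2f}")
    print("unmeasured layers:", blind_spots(SNAPSHOT_Q2))
```

Feeding real measurements into the snapshots (one row per control and layer, as in the spreadsheet of Figure 4) turns the regression list into the corrective-action queue the post asks a CNSP to support.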
*You can see real-world data on how thousands of other companies are securing their cloud native stacks in the* [State of Cloud Native Security 2020](https://www.paloaltonetworks.com/state-of-cloud-native-security) *survey.*