CIS Controls for MSPs with x360Cloud

CIS Controls Map for Axcient x360Cloud

The Center for Internet Security (CIS) is filling a regulatory gap in the channel with its CIS Controls, hailed as the latest holy grail for one-to-one security for MSPs. Although MSPs sit at the front line of cybersecurity, there is no standardized set of regulations tailored to MSPs, the channel, and its business continuity and disaster recovery (BCDR) services. This gap in solidified standards creates vulnerabilities as MSPs piece together best practices from various data protection agencies, local regulations, cyber insurance requirements, and compliance demands.

This article explores CIS Controls specifically for Axcient x360Cloud, which protects Microsoft 365 and Google Workspace data with backup and restore. (You can get the full map of CIS Controls for all Axcient products, too.) We’re looking at the recommendations and how x360Cloud satisfies them for reinforced cybersecurity using tried-and-true best practices in a comprehensive framework. Keep reading to see how your MSP can leverage CIS Controls to ensure business continuity and protection in the event of a breach while also gaining a new sales strategy.

What Is the Center for Internet Security?

The Center for Internet Security (CIS) is a nonprofit organization dedicated to improving cybersecurity for public and private sectors through best practices, tools, and resources. For MSPs, CIS is a critical partner in enhancing the security posture of client environments. CIS is widely known for its globally recognized standards for securing IT systems and data against cyber threats. CIS’s mission is to make the connected world safer by developing, validating, and promoting timely best-practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.

What Are CIS Critical Security Controls?

CIS Controls are a set of prioritized actions that businesses like MSPs can implement to defend against common cyberattacks. They are designed to be actionable, measurable, and scalable, making them ideal for MSPs managing multiple client networks with varying security needs. Thousands of cybersecurity practitioners worldwide use CIS Controls and contribute to their development via a community consensus process.

Why Should MSPs Care About CIS Controls?

Many U.S. states require governmental agencies and other entities that work with them to implement cybersecurity best practices. Several of them specifically cite CIS Controls as a framework well suited to demonstrate a “reasonable” commitment to security. It has become increasingly complex to confidently define what is reasonable for an MSP. This guide will illustrate how our products map to CIS Controls and provide insight into how to implement reasonable cybersecurity in the face of breaches and cyberattacks.

By leveraging CIS resources, MSPs can offer clients standardized, high-quality security services, reduce vulnerabilities, and ensure compliance with industry regulations. Partnering with CIS strengthens your security offerings and builds trust with clients by aligning their systems with industry-leading cybersecurity standards. With CIS Controls, MSPs can…

  • Simplify your approach to threat protection with straightforward Safeguards requiring you to do only one thing per Safeguard.
  • Comply with industry regulations like HIPAA and GDPR.
  • Improve cyber resilience with foundational security measures that account for the most likely attack vectors, such as unpatched software, poor configuration management, and outdated solutions.
  • Demonstrate a “reasonable” level of security identified by multiple states requiring businesses to implement cybersecurity best practices.
  • Sell your commitment to cybersecurity best practices to strengthen client trust and attract security-minded leads.

How Does Axcient Satisfy CIS Controls for x360Cloud?

To understand how Axcient x360Cloud meets CIS Controls, we’ll review the following three relevant Controls for data protection, recovery, and incident response management.

CIS Critical Security Control 3: Data Protection

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

3.4 Enforce Data Retention

Objective: Retain data according to the enterprise’s documented data management process. Data retention must include both minimum and maximum timelines.

  • Features and functionalities: Long-term data retention for cloud backups.
  • How it satisfies the control: Long-term data retention ensures cloud-stored data adheres to the business’s data retention policies, facilitating regulatory compliance.

3.5 Securely Dispose of Data

Objective: Securely dispose of data as outlined in the enterprise’s documented data management process. Ensure the disposal process and method are commensurate with the data sensitivity.

  • Features and functionalities: Secure deletion tools for cloud-based data.
  • How it satisfies the control: Allows for secure and permanent removal of cloud-stored data, adhering to security and compliance requirements.

3.10 Encrypt Sensitive Data in Transit

Objective: Encrypt sensitive data in transit to protect it from unauthorized access during transfer.

  • Features and functionalities: End-to-end encryption for cloud data transfers via TLS/SSL.
  • How it satisfies the control: Protects sensitive data during upload and download processes, ensuring it remains secure during transit.

3.11 Encrypt Sensitive Data at Rest

Objective: Encrypt sensitive data at rest on servers, applications, and databases to protect it from unauthorized access.

  • Features and functionalities: Cloud storage encryption using robust encryption algorithms.
  • How it satisfies the control: Secures sensitive data stored in the cloud, protecting it from unauthorized access and breaches.

3.12 Segment Data Processing and Storage Based on Sensitivity

Objective: Segment data processing and storage based on the sensitivity of the data to prevent unauthorized access.

  • Features and functionalities: Logical segmentation of backup data.
  • How it satisfies the control: Ensures that sensitive data is stored and processed in isolated environments, protecting it from unauthorized access and breaches.

3.14 Log Sensitive Data Access

Objective: Log sensitive data access, including modification and disposal, to maintain an audit trail.

  • Features and functionalities: Cloud-based logging and monitoring of access to, and modification of, backup data.
  • How it satisfies the control: Ensures all interactions with backup data are recorded, providing an audit trail for security and compliance purposes.

CIS Critical Security Control 11: Data Recovery

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

11.1 Establish and Maintain a Data Recovery Process

Objective: Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and backup data security. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

  • Features and functionalities: Offers detailed recovery options for Microsoft 365 and Google Workspace, including item-level recovery for emails, documents, and other data. Supports tracking and managing recovery operations through the user dashboard.
  • How it satisfies the control: Establishes a documented recovery process tailored to cloud applications, ensuring detailed and manageable recovery steps for various data types.

11.2 Perform Automated Backups

Objective: Perform automated backups of in-scope enterprise assets. Run backups weekly or more frequently, based on the sensitivity of the data.

  • Features and functionalities: Automates backups for cloud applications like Microsoft 365 and Google Workspace, capturing data at least once a day.
  • How it satisfies the control: Guarantees regular, automated cloud data backups, ensuring continuous protection and compliance with backup policies.

11.3 Protect Recovery Data

Objective: Protect recovery data with equivalent controls to the original data. Reference encryption or data separation based on requirements.

  • Features and functionalities: Employs TLS/SSL for data in transit and 256-bit AES for data at rest.
  • How it satisfies the control: Ensures that recovery data is protected with strong encryption, maintaining the same security level as the original data.

11.4 Establish and Maintain an Isolated Instance of Recovery Data

Objective: Establish and maintain an isolated instance of recovery data. Example implementations include version-controlling backup destinations through offline, cloud, or off-site systems or services.

  • Features and functionalities: Allows for recovery of data to different user accounts, maintaining separation of restored data through defined recovery procedures.
  • How it satisfies the control: Provides isolated recovery instances for cloud application data, ensuring data integrity and compliance with isolation requirements.

11.5 Test Data Recovery

Objective: Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.

  • Features and functionalities: Enables administrators to perform restore tests by recovering data to different user accounts and tracking the restoration process.
  • How it satisfies the control: Ensures the reliability of cloud data recovery through regular testing and validation of backup integrity.
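The safeguards above set concrete thresholds: 3.4 needs both a minimum and a maximum retention period, 11.2 needs a backup at least weekly, and 11.5 needs a restore test at least quarterly. The checker below audits an MSP's own backup inventory against those thresholds; it is an added example, not Axcient code, and the inventory fields, tenant names and dates are constructed.

```python
from datetime import date, timedelta

# Thresholds taken from the safeguards quoted on this page.
MAX_BACKUP_INTERVAL = timedelta(days=7)   # 11.2: weekly or more frequently
MAX_TEST_AGE = timedelta(days=91)         # 11.5: quarterly or more frequently

# Constructed sample inventory, one record per protected tenant. The field
# names are an assumption for this example, not an x360Cloud API.
INVENTORY = [
    {"tenant": "acme-m365", "retention_min_days": 365, "retention_max_days": 2555,
     "last_backup": date(2024, 6, 1), "last_restore_test": date(2024, 4, 2)},
    {"tenant": "globex-gws", "retention_min_days": 30, "retention_max_days": None,
     "last_backup": date(2024, 5, 20), "last_restore_test": None},
    {"tenant": "initech-m365", "retention_min_days": 90, "retention_max_days": 30,
     "last_backup": date(2024, 6, 3), "last_restore_test": date(2024, 3, 1)},
]


def audit(record, today):
    """Return the safeguard IDs this record fails; an empty list means compliant."""
    findings = []
    lo, hi = record["retention_min_days"], record["retention_max_days"]
    # 3.4: both a minimum and a maximum must be defined, and min <= max.
    if lo is None or hi is None or lo > hi:
        findings.append("3.4")
    # 11.2: the most recent backup must be no older than a week.
    last_backup = record["last_backup"]
    if last_backup is None or today - last_backup > MAX_BACKUP_INTERVAL:
        findings.append("11.2")
    # 11.5: a restore test must have been run within the last quarter.
    last_test = record["last_restore_test"]
    if last_test is None or today - last_test > MAX_TEST_AGE:
        findings.append("11.5")
    return findings


def audit_inventory(inventory, today):
    """Map each tenant to its list of failed safeguards."""
    return {r["tenant"]: audit(r, today) for r in inventory}


if __name__ == "__main__":
    for tenant, gaps in audit_inventory(INVENTORY, date(2024, 6, 3)).items():
        print(tenant, "OK" if not gaps else "fails " + ", ".join(gaps))
```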

CIS Critical Security Control 17: Incident Response Management

Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.

17.7 Conduct Routine Incident Response Exercises

Objective: Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum.

  • Features and functionalities: Efficient cloud data backup and recovery. Logs all backup and recovery activities.
  • How it satisfies the control: Facilitates testing of data recovery processes during incident response exercises, providing thorough analysis.

Next Steps for CIS-Protected Microsoft 365 and Google Workspace BCDR

As you probably know, Microsoft 365 and Google Workspace are not backing up your data with the robust protections needed for rapid and reliable recovery. Axcient’s BCDR solution for Microsoft 365 and Google Workspace, x360Cloud, safeguards against the number one cause of data loss: human error. Unlike the data protection these big names offer, x360Cloud provides long-term retention without configuration and helps MSPs avoid complete downtime if Microsoft or Google experience an outage. With the third-party BCDR recommended by Microsoft and Google, MSPs and your clients can rest assured that no matter how data is lost – accidentally, maliciously, or in the event of a natural disaster – it can be recovered quickly with minimal downtime.

Furthermore, because x360Cloud adheres to CIS Controls, you can trust it. By following these regulations, you’re showcasing your commitment to a security-first approach, which is what SMBs want. Highlight why and how these regulations help to protect both clients and your MSP during discussions with prospects and quarterly business reviews with clients. It’s an added selling point that can put you above the competition.

Critical capabilities include:

  • SmartSearch instant full-text search and filtering across users and services.
  • Multiple backups each day with detailed monitoring and activity verification.
  • Pooled storage and long-term retention at a flat fee per device or server for Microsoft or Google data.
  • Helps MSPs meet requirements for HIPAA and GDPR compliance.
  • SOC 2 certified.
  • Quick and easy setup – start backing up in under 10 minutes.

See how Axcient’s CIS-compliant x360Cloud solution can fuel your MSP’s cybersecurity posture.
