E-infrastructures are large computer systems with considerable processing and storage capacity and in some cases, holding valuable or sensitive data. They are therefore likely to be attractive targets for attackers with a wide range of motivations. However, to support international research, e-infrastructures must be accessible to users located anywhere on the Internet. In many cases users will upload and run their own software or virtual machines and exchange large volumes of data over high-speed networks. Operators of e-infrastructures are therefore challenged both to provide the open and flexible computing platform that is inherent to the e-infrastructure concept and to protect against the consequences of attacks on that platform over the Internet. To help them, the e-infrastructure model offers many different ways to implement security controls. This paper reviews the security measures used by e-infrastructures against a widely-used model – the Cyber-Security Council’s Top 20 Controls – to assess what is being done and where improvements may be possible.