Organizations that develop their applications in the cloud face the question of security at some point. Is the data well secured? The answer to that question, along with recommendations on how to improve security, is provided by a Cloud Security Assessment: a comprehensive security analysis of a cloud environment.
The cloud services market is growing dynamically: according to IDC, cloud expenses in 2021 were 8.8% higher than they were in 2020. While startups practically grow in a cloud environment from day one, companies with a longer history on the market often have on-premise environments. For mature organizations, transformation to the cloud rarely involves migration of their IT resources to a public cloud provider all at once. Evolution is preferred to revolution: either new applications in the organization are deployed in the cloud, or individual existing on-premise applications are migrated to the new environment. These initial projects often serve as an opportunity to become more familiar with the technology, terminology or interface. If such pilot projects are successful, subsequent systems are migrated to the cloud over time.
The advantage of such an approach is how quickly you can step into the cloud. Moreover, it is easier to migrate smaller workloads and make sure they are stable. However, there is also another side to this process: if successive cloud projects are deployed hastily, without coordination or consideration of the appropriate security configuration, the security level of the entire IT environment suffers. This may result, for example, from a lack of expertise in an IT team that has previously worked with on-premise systems and is unfamiliar with cloud-based security tools. Cloud Security Assessment, a comprehensive security analysis of the IT environment, addresses this problem.
What is Cloud Security Assessment?
Cloud Security Assessment evaluates the security of cloud environment configurations. CSA covers a number of areas:
Sectoral regulations
Cloud environments of the leading providers are mature enough that a range of standards now define how they should be configured to ensure security. These include, for example, the CIS Benchmarks, known in the security sector for their hardening standards for operating systems and applications; CIS has also developed benchmarks for cloud environments.
In addition, some regulators or government authorities have introduced their own standards for specific sectors. Among others, these are “Recommendation D” of the Polish Financial Supervision Authority, or the PCI DSS for corresponding institutions in the U.S. market. The first step in a Cloud Security Assessment is therefore to verify the configuration of the cloud environment for compliance with all the norms and standards that apply to the organization.
An example of a configuration requirement arising from regulatory guidelines is the obligation to use cryptographic keys managed by the company rather than by the cloud provider. To meet the requirements of the Polish Financial Supervision Authority, the key must be located outside the cloud environment so that the provider cannot access it. For example: if the environment is located in Google Cloud, the key should be kept in another provider’s cloud, e.g., Microsoft Azure, or in an on-premise environment.
Certifications
Entities that have reached organizational maturity have many internal process regulations. These bring order to many processes, and their existence is often tied to the certifications held by the enterprise. Some provisions from external standards are transposed into regulations that apply internally, as in the case of ISO 27001, for example. This should be preceded by a risk analysis so that only those provisions that apply to the organization are transposed. CSA involves an analysis of the configuration of the organization’s environment: whether it meets internal and external regulations. An experienced auditor can shorten the process because they know where different standards overlap: when analyzing an area, the auditor can check it concurrently against several standards applicable to the organization.
Landing zone
Ensuring an adequate security level is significantly facilitated by the landing zone. If the landing zone is developed following a properly conducted Cloud Security Assessment, then correctly configured security mechanisms will be automatically implemented throughout the IT environment. If the landing zone already exists, CSA verifies not only the actual implementation, but also the code that implements the structure of the environment, namely the Infrastructure as Code (IaC) mechanisms. It may turn out that the code underlying the cloud environment does not implement the requirements verified in the previous two steps. If so, correcting both the configuration of the environment itself and the code that builds the environment lets you rest assured that new cloud resources will meet all the security requirements.
Cloud environment security
The last step involves verification of the security level of the cloud environment as a whole. All aspects of the visibility of cloud services online, the distribution of privileges and accessibility, and the completeness of security measures in terms of market standards are verified. The analysis includes interfaces between the various services we use in the cloud environment in order to verify the dependencies between them and make sure they do not affect each other.
This step requires understanding which services are provided by the cloud environment, which data are processed, and the potential impact of security incidents, including unavailability, on the business. This makes it possible to select security mechanisms that better minimize the risks to information security, ICT systems, and their availability.
Why conduct a CSA?
The simplest answer to this question is: “to enhance safety and minimize risk.” Cloud Security Assessment makes it possible to enhance the security of the cloud infrastructure as a whole. Some of its elements, such as changes to the IaC code, raise the level of security not only for the existing infrastructure but also for the infrastructure yet to be built. For those who have had to put security on the back burner due to business pressures and limited time, CSA provides an up-to-date picture (often referred to as the Cloud Security Posture) and a set of pointers on what else can be improved and how to ensure relative security.
Another advantage of conducting a Cloud Security Assessment is making sure that our cloud infrastructure is compliant with all the applicable regulations, both internal and external. If any non-compliance is detected, you can respond quickly, revise the values resulting from the risk estimation, or develop a plan to reach compliance. It is better to verify compliance yourself than to find out about errors during a regulatory or certification audit.
There are additional benefits to performing such an exercise periodically. It achieves two extremely important goals. The first is to verify whether all the previous audit findings have actually been corrected: have the plans we developed at the time been implemented? The second is to verify whether, in the face of ever-changing laws and regulations, we are still compliant with internal and external requirements.
All of the above adds up to informed and responsible security management of the cloud environment, mirroring the efforts we undertook in the on-premise model.
Can I do it myself?
Although theoretically possible, it is not so easy in practice. First of all, under no circumstances should the same person or team be responsible both for the security of the cloud environment and for verifying that security. Should this rule not be observed, security gaps might go unattended or unnoticed: either deliberately (“there are gaps here, but since no one has noticed so far, it’s better not to report it”) or unknowingly, i.e., due to incompetence or lack of expertise (“we’ve always done things this way, so I suppose this is fine”). As you can see, you need the right resources, knowledge, and experience in order to conduct a reliable CSA.
However, if the organization has the proper resources, the Cloud Security Assessment should include the following steps:
- Inventory of existing regulations;
- Adaptation of regulations to specific technical requirements;
- Inventory of cloud-based resources;
- Verification of security of individual components;
- Verification of security of the cloud environment as a whole;
- Drafting the work report;
- Verification of the results against the previous report.
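The following is an added example, not code from the original article or from OChK, of how the later steps above (inventory, verification of individual components, verification against the previous report) can be expressed as repeatable checks. It encodes three of the rules discussed earlier: the regulatory requirement that encryption keys be held outside the provider's reach, internet exposure of data stores, and the distribution of privileges in IAM bindings. The inventory format, its field names (`key_manager`, `public`, `bindings`), the rule names and the severities are all constructed for this illustration and are not any provider's asset export or API; in practice the inventory would come from an IaC plan or a cloud asset export.

```python
"""Added example: rule-based checks of a cloud resource inventory, as a
Cloud Security Assessment might apply them. All data and field names are
constructed for this illustration, not any provider's real schema."""
from dataclasses import dataclass

# Constructed inventory, shaped like a flattened IaC plan or asset export.
INVENTORY = [
    {"name": "customer-db", "type": "database",
     "key_manager": "provider",            # provider-managed encryption key
     "public": False,
     "bindings": [{"member": "group:dba", "role": "admin"}]},
    {"name": "reports-bucket", "type": "storage",
     "key_manager": "external-hsm",        # key held outside this cloud
     "public": True,                       # reachable from the internet
     "bindings": [{"member": "allUsers", "role": "reader"}]},
    {"name": "payments-api", "type": "compute",
     "key_manager": "external-hsm",
     "public": True,
     "bindings": [{"member": "serviceAccount:ci", "role": "owner"}]},
]

# Findings recorded in a previous (constructed) assessment report.
PREVIOUS_REPORT = [
    ("customer-db", "customer-managed-key"),
    ("reports-bucket", "public-exposure"),
    ("old-vm", "iam-broad-privilege"),
]

# Key managers that satisfy "the provider cannot access the key" (assumed labels).
EXTERNAL_KEY_MANAGERS = {"external-hsm", "other-cloud-kms", "on-prem-hsm"}
PRIVILEGED_ROLES = {"owner", "admin"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
DATA_STORE_TYPES = {"database", "storage"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str
    detail: str

    def key(self):
        # Identity used when comparing two assessment runs.
        return (self.resource, self.rule)


def check_key_management(res):
    """Encryption key must be managed outside the cloud provider."""
    if res["key_manager"] not in EXTERNAL_KEY_MANAGERS:
        return [Finding(res["name"], "customer-managed-key", "high",
                        f"key managed by '{res['key_manager']}'")]
    return []


def check_public_exposure(res):
    """Data stores must not be reachable from the internet."""
    if res["public"] and res["type"] in DATA_STORE_TYPES:
        return [Finding(res["name"], "public-exposure", "high",
                        f"{res['type']} is reachable from the internet")]
    return []


def check_iam_bindings(res):
    """Flag public principals and privileged roles on non-human identities."""
    findings = []
    for b in res["bindings"]:
        if b["member"] in PUBLIC_PRINCIPALS:
            findings.append(Finding(res["name"], "iam-public-principal", "high",
                                    f"{b['member']} granted {b['role']}"))
        elif b["role"] in PRIVILEGED_ROLES and b["member"].startswith("serviceAccount:"):
            findings.append(Finding(res["name"], "iam-broad-privilege", "medium",
                                    f"{b['member']} granted {b['role']}"))
    return findings


CHECKS = (check_key_management, check_public_exposure, check_iam_bindings)


def assess(inventory):
    """Run every check over every resource; most severe findings first."""
    findings = [f for res in inventory for check in CHECKS for f in check(res)]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.resource, f.rule))


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def compare_with_previous(previous_keys, findings):
    """Split findings into new, resolved and persisting relative to the last report."""
    current = {f.key() for f in findings}
    previous = set(previous_keys)
    return {"new": current - previous,
            "resolved": previous - current,
            "persisting": current & previous}


if __name__ == "__main__":
    results = assess(INVENTORY)
    for f in results:
        print(f"[{f.severity:<6}] {f.resource:<15} {f.rule:<22} {f.detail}")
    print(summarize(results))
    print(compare_with_previous(PREVIOUS_REPORT, results))
```

Run as-is, the script reports three high and one medium finding; the comparison shows that the old VM finding has been resolved while the public principal on the bucket and the owner role on the CI service account are new since the last report, which is exactly the question the final step of the assessment asks. Real assessments swap the constructed inventory for an export from the provider or the IaC repository and extend the rule set to the organization's own regulations.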
It is worth knowing that leading public cloud providers offer many built-in tools, including solutions of the Cloud Security Posture class. In the case of Google Cloud, it is Security Command Center, and for Azure, it is called Security Center. Both tools allow for basic security verification of environment configurations against best practices or standards, such as ISO 27001 or the CIS Benchmarks. It should be noted, however, that these tools cannot verify whether the organization is compliant with internal and some external regulatory requirements. You still need an analyst, but Security Command Center and Security Center can speed up the process.
Outsourcing Cloud Security Assessment to third party consultants comes with yet another advantage, namely a fresh perspective. A person who is unfamiliar with the organization may notice many more imperfections in security configurations or procedures, given that they analyze businesses from various sectors and can compare your organization to other entities.
OChK experts, who boast experience in auditing and configuring cloud environments in various organizations, including those operating in regulated sectors (finance, healthcare), offer Cloud Security Assessment services for organizations of all sizes.