Organizations continue migrating to the cloud at a very fast pace. With the advances in scalability, security, and flexibility, the cloud is more or less a known quantity now, and even the most resistant sectors (looking at you, government and financial) are starting to embrace this paradigm shift in technology. With the shift in technology comes a shift in security to support the use of that new technology in a secure manner. And while the cloud offers a lot of security tools, secure configuration options, and often “secure-by-default” settings, the companies that jump into using the cloud may not have the resources to be experts on day one. That’s where third-party security firms can help with the move to the cloud, and Triaxiom offers a Cloud Security Configuration Review in this vein.
This type of assessment is focused on the people, processes, and technology associated with your cloud assets. We’ve talked previously about penetration testing in the cloud and its similarities to and differences from a more traditional network assessment, but a Cloud Security Configuration Review is a much more low-level and collaborative type of assessment. The assessment includes a full configuration review of your cloud environment, comparing it to any compliance drivers your organization needs to adhere to (e.g. PCI DSS or NIST) and to security best practices. A Triaxiom engineer will log into your cloud environment console and assess the security of your assets at every layer: the accounts used to administer the cloud environment, the firewall rules and security groups applied to individual servers, and the logging and security controls in place to monitor the environment. The output will be a line-by-line listing of the security-related weaknesses, along with the risk and the potential improvements that can be made in each area.
In addition to the technical configuration review, a Triaxiom engineer will also sit down with your cloud administrator(s) for a one- to two-hour interview. During this interview, we’ll touch on the management of your cloud assets, discuss the policies and procedures associated with these environments, review asset management, deployment, and destruction, and talk through the personnel responsibilities in this cloud environment. This interview process augments the purely technical console configuration review: it gives us a better business-level understanding of how the environment is used (to better inform our recommendations) and a more holistic view of the administrative processes that might increase your organization’s overall risk as it relates to the cloud. Strong technical configurations are great, but it’s important that other controls are in place to sustain that secure configuration over time, such as documentation, hardening checklists, assigned responsibilities, and monitoring.
Why is a Cloud Security Configuration Review Important?
Now that we’ve talked about what a Cloud Security Configuration Review is, let’s shift to why you should care. In much the same way that you should be concerned about the security of your on-premises assets, your cloud assets should be equally concerning. The big difference is that a company often doesn’t have cloud experts when it starts its shift to the cloud, and it probably doesn’t have cloud security experts either. To exacerbate this knowledge gap, it’s much faster and easier to deploy assets in the cloud with just a small team. But this also means that team can more quickly and unknowingly open and close security holes in your perimeter that are harder to monitor and address. In addition, cloud assets often aren’t fully integrated into an organization’s security monitoring program right away, either because of that same knowledge gap or because of technological gaps in the monitoring solution currently implemented.
So with all those challenges in mind, let’s summarize with the types of questions you should be able to answer about your cloud environment. If you can’t answer these questions, a Cloud Security Configuration Review might be for you, to help close these knowledge gaps and better understand your risk posture:
- Are my cloud assets configured securely?
- Are my cloud assets configured according to my applicable compliance drivers?
- Are my cloud assets being managed safely and securely according to the principle of least privilege and organizational access control standards?
- Do I have any network-level security holes in my cloud environment that are unnecessarily increasing my attack surface?
- What is my cloud monitoring strategy and do I have adequate logging enabled?
- Are my cloud assets configured to support my business continuity and disaster recovery goals?
- Do I have the necessary policies/procedures to support secure operations in the cloud?
- Are my deployment and destruction procedures based upon security best practice?
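To make the review areas above concrete, here is an added example (not Triaxiom’s tooling) of the kind of check a configuration review performs: a pass over a constructed, provider-neutral inventory that flags over-privileged administrative accounts, world-open firewall rules, and missing audit logging. The inventory shape, field names, and the policy name used to recognize full admin rights are assumptions.

```python
# Added example, not part of the original post: a minimal configuration-review pass over
# a constructed cloud inventory. Field names and the "AdministratorAccess" policy name are
# assumptions; real reviews read this data from the provider's console or API.
from ipaddress import ip_network

ANY = ip_network("0.0.0.0/0")
PUBLIC_OK = {80, 443}  # ports we accept being world-reachable (assumption)

# Constructed sample inventory; not real cloud output.
INVENTORY = {
    "accounts": [
        {"name": "alice", "mfa": True, "policies": ["ReadOnly"]},
        {"name": "deploy-bot", "mfa": False, "policies": ["AdministratorAccess"]},
    ],
    "security_groups": [
        {"name": "web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"name": "db", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"},
                                    {"port": 22, "cidr": "10.0.0.0/8"}]},
    ],
    "audit_logging": {"enabled": False, "all_regions": False},
}

def review(inv):
    """Return a list of (area, resource, finding) tuples, one per weakness found."""
    findings = []
    # Access control: least privilege and MFA on administrative accounts.
    for acct in inv["accounts"]:
        if "AdministratorAccess" in acct["policies"]:
            findings.append(("access", acct["name"], "full administrative policy attached"))
        if not acct["mfa"]:
            findings.append(("access", acct["name"], "MFA not enforced"))
    # Network: ingress rules open to every address on a non-public port.
    for sg in inv["security_groups"]:
        for rule in sg["ingress"]:
            if ip_network(rule["cidr"]) == ANY and rule["port"] not in PUBLIC_OK:
                findings.append(("network", sg["name"],
                                 f"port {rule['port']} reachable from the internet"))
    # Monitoring: audit logging must exist and cover every region.
    log = inv["audit_logging"]
    if not log["enabled"]:
        findings.append(("monitoring", "audit_logging", "API audit logging disabled"))
    elif not log["all_regions"]:
        findings.append(("monitoring", "audit_logging", "logging not enabled in all regions"))
    return findings

if __name__ == "__main__":
    for area, resource, message in review(INVENTORY):
        print(f"[{area}] {resource}: {message}")
```

Running it against the sample inventory reports four findings: the admin policy and missing MFA on the deployment account, the database port open to the internet, and the disabled audit logging; the web group's HTTPS rule is accepted.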