CLoud security Assessment

Cloud computing poses new challenges to IT security within a company. The transformation from traditional data centers to cloud-based on-demand services and infrastructure does not only fundamentally change a company's IT landscape, it also yields new attack vectors. In particular, it is no longer possible to clearly identify the network perimeter, as internal IT systems are increasingly operated in the cloud. On-premise and cloud are increasingly converging.

This is also reflected in the configuration of trust levels from the corporate network into the cloud, which represent a shift from traditional IT architectures. As a result, established IT security concepts are weakened with new risks for the company's IT landscape.

In addition to the changed business environment, the rapid functional development of the cloud also poses special challenges. Monitoring these innovations represents a new area of responsibility for the IT department of a company that was not previously available in this form.

With our cloud assessment, we offer you a comprehensive analysis of your cloud environment with regard to security vulnerabilities and misconfigurations. In contrast to procedures e.g. within a penetration test (risk-based procedure), the focus of the cloud assessment is on a comprehensive examination of the cloud environment and the connection to the corporate network or other cloud services.

We usually begin the cloud assessment with a threat analysis workshop with the aim of understanding the "big picture" and deriving, evaluating specific threat scenarios. Based on these results, automated and manual analyses are carried out to identify possible weak points. A gray- or white-box approach is recommended. You can choose between the following perspectives:

  • External perspective (from the Internet)
  • Internal perspective (from the cloud or corporate network)
  • Authenticated (with valid credentials)
  • Unauthenticated (without credentials)
In principle, the following points are examined in a cloud assessment:

  • Access permissions
  • IT systems, services and resources
  • Interfaces and connections to the company's IT landscape
  • Communication flows/relationships
  • Network segmentation and filtering
  • Data encryption
  • Key management
  • etc.

Leading providers of cloud solutions in the corporate environment are currently Microsoft (Azure) and Amazon (AWS - Amazon Web Services). Below you will find a list of the specific technologies that are examined within the scope of the Cloud assessments for Azure and/or AWS:

Azure:
  • Express route
  • NSGs and VNets
  • VNet peering
  • Resource groups
  • Storage accounts
  • Azure Active Directories (AAD)
  • Role-based Access Control (RBAC) - Built-in Roles + Custom Roles
  • Virtual Machine Scale Sets
  • Availability groups
  • SaaS Services
  • PaaS Services
  • etc.

AWS
  • Server Instances in EC2
  • Applications via Serverless Execution (Lambda)
  • Access to information via Amazon API Gateway
  • Virtual Private Cloud (VPC) environments in multiple availability zones
  • Storage like S3 buckets and databases (RDS, Aurora)
  • AWS Identity and Access Management (permissions for AWS Services), AWS MFA and S3 ACLs
  • etc.

As a result of the assessment, in addition to an explanation and risk evaluation of the identified security vulnerabilities, you will receive a well-founded evaluation of the security level of your cloud environment. An essential part of the final report is a detailed description of the issues found and a concrete recommendation for a solution.