Cloud Security Assessment
Cloud computing poses new challenges to a company's IT security. The move from traditional data centers to cloud-based on-demand services and infrastructure not only fundamentally changes a company's IT landscape, it also creates new attack vectors. In particular, the network perimeter can no longer be clearly identified, as internal IT systems are increasingly operated in the cloud; on-premises and cloud environments are converging.
This is also reflected in the trust relationships configured from the corporate network into the cloud (for example, site-to-site VPN connections or a shared identity provider), which depart from traditional IT architectures. As a result, established IT security concepts are weakened and new risks arise for the company's IT landscape.
In addition to the changed business environment, the rapid pace at which cloud providers release new functionality poses its own challenges. Keeping track of these changes and their security implications is a new area of responsibility for a company's IT department, one that did not exist in this form before.
Identification of vulnerabilities in cloud environments and risk assessment for specific threat scenarios
How secure is the configuration of the cloud environment and what can external attackers or malicious users and employees achieve in the worst case?
Cloud resources, interfaces and configuration of infrastructure
With our cloud assessment, we offer you a comprehensive analysis of your cloud environment for security vulnerabilities and misconfigurations. In contrast to a risk-based approach, e.g. as applied within a, the focus of the cloud assessment is on a comprehensive examination of the cloud environment and its connections to the corporate network or to other cloud services.
We usually begin the cloud assessment with a threat analysis workshop, with the aim of understanding the "big picture" and deriving and evaluating specific threat scenarios. Based on these results, automated and manual analyses are carried out to identify possible weak points. A gray- or white-box approach is recommended, i.e. the assessors receive read-only access to the cloud configuration and, where available, architecture documentation; a purely black-box view cannot see the configuration of resources that are not exposed to the internet, such as IAM policies, network rules or encryption settings.
The leading providers of cloud solutions in the corporate environment are currently Microsoft (Azure) and Amazon (AWS, Amazon Web Services). Within a cloud assessment for Azure and/or AWS, the following points are examined:
- Identity provider and access permissions (e.g., role-based access control in Azure AD, now Microsoft Entra ID, or AWS IAM)
- IT systems, SaaS or PaaS services and other cloud resources (e.g., storage accounts, databases, S3 buckets or virtual machine scale sets)
- Virtual private cloud (VPC)
- Interfaces and connections to the company's IT landscape (e.g., VPN or ExpressRoute)
- Communication flows/relationships
- Network segmentation and filtering (e.g., VNets, VNet peering, and NSGs)
- Data encryption (data at rest and in motion)
- Key management
- Availability groups
- Deployment processes (e.g., via Terraform, CloudFormation or Ansible)
- Kubernetes clusters (e.g., pod and image security, network segmentation, protection of the cluster API server, etc.)
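The automated part of the analysis described above, applied to the first item in the list (access permissions in AWS IAM), as an added example that is not part of the original page or of the assessor's tooling: a small offline checker that reads an IAM policy document and flags the over-privileged statement patterns that typically become findings. The sample policies, the account ID 123456789012 and the role name app-role are constructed for the example, and SENSITIVE_ACTIONS is an illustrative, non-exhaustive selection.

```python
"""Offline check of AWS IAM policy documents for over-privileged statements.

Added example, not part of the original page or of any vendor tooling. It
inspects an IAM policy document (the JSON returned by
`aws iam get-policy-version --policy-arn ... --version-id ...`) and flags
the patterns that most often show up as findings in a cloud assessment.
The sample policies at the bottom are constructed for this example.
"""
import fnmatch
import json

# Actions that allow privilege escalation or persistence when granted on
# Resource "*" without a Condition block (constructed, not exhaustive).
SENSITIVE_ACTIONS = (
    "iam:PassRole",
    "iam:CreateAccessKey",
    "iam:AttachUserPolicy",
    "iam:AttachRolePolicy",
    "iam:PutUserPolicy",
    "iam:PutRolePolicy",
    "iam:UpdateAssumeRolePolicy",
    "sts:AssumeRole",
    "lambda:UpdateFunctionCode",
)


def _as_list(value):
    """IAM accepts either a string or a list for Action, Resource and similar keys."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Case-insensitive wildcard match of an action against an IAM action pattern."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def analyze_policy(document):
    """Return a list of (statement_index, finding) tuples for one policy document.

    `document` may be a JSON string or an already parsed dict. Only Allow
    statements are examined; Deny statements cannot grant permissions.
    """
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        all_resources = "*" in resources
        has_condition = bool(stmt.get("Condition"))

        # Full administrative access: nothing else needs to be reported.
        if "*" in actions and all_resources:
            findings.append((idx, "full admin: Action '*' on Resource '*'"))
            continue

        # Allow + NotAction grants every action except the listed ones.
        if "NotAction" in stmt:
            findings.append((idx, "Allow with NotAction grants every action not listed"))

        # Service-wide wildcards such as 's3:*' or 'iam:*' on all resources.
        for pattern in actions:
            if pattern.endswith(":*") and all_resources:
                findings.append((idx, f"service-wide wildcard {pattern} on all resources"))

        # Sensitive actions that are neither resource- nor condition-scoped.
        for sensitive in SENSITIVE_ACTIONS:
            if (any(_action_matches(p, sensitive) for p in actions)
                    and all_resources and not has_condition):
                findings.append((idx, f"{sensitive} allowed on all resources without Condition"))
    return findings


# Constructed sample policies; the account ID and role name are placeholders.
SAMPLE_POLICIES = {
    "admin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "mixed": {
        "Version": "2012-10-17",
        "Statement": [
            # 0: RunInstances plus unscoped PassRole lets the principal launch an
            #    instance carrying any role in the account, admin roles included.
            {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"},
            # 1: every S3 action on every bucket
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
            # 2: "everything except IAM", phrased via NotAction
            {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
            # 3: explicit Deny, never a finding
            {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
        ],
    },
    "scoped": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/app-role",
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        }],
    },
}


if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        print(f"{name}:")
        for idx, finding in analyze_policy(policy) or [("-", "no findings")]:
            print(f"  statement {idx}: {finding}")
```

The "scoped" policy shows what remediation of the PassRole finding looks like: the action is limited to one role ARN and to one consuming service via `iam:PassedToService`. In a real assessment the checker would be run over every customer-managed and inline policy in the account, with the results then reviewed manually against the threat scenarios from the workshop, since a wildcard that is acceptable for a break-glass role is a critical finding on a CI service user.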
As a result of the assessment, we provide a detailed report. Depending on the type and scope of the project, the final report includes the following parts:
- Management summary with a description of the results and the security level
- Description of the project approach, scope, schedule and methodology
- Detailed description of identified vulnerabilities, so that the underlying issues are understood and possible attacks can be reconstructed (where necessary with a proof-of-concept implementation)
- Detailed description of the iterative exploitation process where chained vulnerabilities were used
- Risk assessment of identified vulnerabilities taking into account the IT environment or the application context (risk classification: low, medium, high, critical)
- Description of measures to remedy the vulnerabilities
- Where appropriate, a description of higher-level strategic, conceptual and process-related measures or optimization suggestions
If desired, the following points can additionally be included in the final report:
- A list of all IT systems, services and resources found (internally as well as externally reachable)
- A detailed overview of the cloud architecture
- Overview of the communication flows/relationships
- Assessment of the appropriateness of the encryption of data at rest and data in motion
- A list of configuration issues regarding key management