How to Perform a Cloud Security Assessment
The cloud is a ubiquitous driver of business efficiency, as evidenced by 94% of enterprises utilizing public cloud platforms. However, it can be challenging to manage your cloud security posture as the shared responsibility model may cause confusion over who is responsible for various aspects of security. Trends like remote access and bring your own device (BYOD) potentially compound the challenge.
What can be done to mitigate cloud security risks? A variety of controls, best practices, and cloud security measures can help, but it’s essential to know how to select and prioritize their implementation. This strategy requires knowledge of where an organization’s cloud estate is most exposed. A cloud security assessment provides this knowledge.
What is a cloud security assessment?
A cloud security assessment is an in-depth examination of the security risks affecting an organization’s cloud environment. The process identifies threats, vulnerabilities, and gaps in cloud security controls across public, private, and hybrid cloud infrastructure. It maps the cloud attack surface and analyzes cloud-facing networks and logs for signs that malicious actors have already exploited detectable weaknesses. The assessment follows this analysis with recommendations for mitigating the risks found and preventing future attacks.
Core aspects of a cloud security assessment
There are different ways to conduct a cloud security assessment. It can be a relatively light internal review or an intensive effort, perhaps involving external resources, that results in detailed findings and recommendations. However, the process generally combines data collection from relevant systems, interviews with stakeholders, including your security team, and reviews of policies and procedures. The goal is to be able to answer the foundational cloud security questions: Where are we most vulnerable in the cloud, and what are the best ways to defend our cloud assets?
To get a sense for overall security, the assessment gauges an organization’s complete cloud security situation and capabilities based on the following core aspects of cloud security:
Current cloud security posture — How well security measures defend an organization’s cloud environment from cyber threats. The cloud security posture review should evaluate risk management practices, incident response, security training and education, cloud security controls, cloud security monitoring, and access controls.
Cloud risk prioritization — Discovering risks affecting cloud assets and determining which should have the highest priority for mitigation.
Compliance — Compliance requirements apply to the cloud, but mapping regulatory requirements to cloud platforms is not always simple. For example, data privacy laws may mandate that data about citizens of certain countries stay in those countries, but if the cloud provider does not disclose, or let the customer control, the regions where data is stored and replicated, demonstrating compliance will be difficult.
Data security — Data in the cloud is at risk, often because security managers do not know that someone is storing sensitive information on cloud volumes or in object storage. Or the data is known but not well protected, leaving it exposed to data loss and data breaches.
Additional aspects that factor into a cloud security assessment include:
Access control features
Access control, the foundation of cloud security, is the ability to authenticate users and control their access based on granular policies. Therefore, the cloud security assessment process should take the following access control features into account:
Identity and access management (IAM) — Examining IAM policies and controls affecting cloud assets, such as the extent of multi-factor authentication (MFA) deployment. The assessment should also look at how completely cloud services are integrated with the organization’s identity provider. For instance, SaaS applications that are not federated with central IAM keep their own accounts, which fall outside central MFA enforcement and deprovisioning and so create gaps in access control.
Role-based access controls (RBAC) — Measuring how well the organization has implemented RBAC, which grants access to cloud assets by role, not individually.
Multi-user authentication — Identifying opportunities to require approval from more than one designated user before sensitive operations on cloud assets take effect, so that a single compromised account cannot carry them out alone. Wasabi offers this control as Multi-User Authentication in Wasabi Hot Cloud Storage.
Data storage protection
Responsibility for protecting data in cloud storage is shared between the cloud provider and the customer. The cloud provider is responsible for securing the cloud infrastructure itself. The customer has to protect its data on the platform as part of its cyber resilience strategy, which means arranging backup and redundancy, among other cyber resilience measures, such as:
Backup and disaster recovery protection — Assessing the quality of backup and data recovery processes. For example, what are the recovery time objective (RTO) and recovery point objective (RPO) for various cloud data repositories? Is there failover to mirror sites, and if so, how fast is it? And, have these processes been tested?
Data encryption strategies — Protecting data in cloud storage requires encryption at rest and in transit, with attention to who holds the keys and how they are rotated. The assessment should also check whether critical data, especially backups, is stored immutably (for example with object lock or write-once retention). Immutability is a separate control from encryption: encryption protects confidentiality, while immutability prevents ransomware, or an attacker holding administrator credentials, from encrypting, overwriting, or deleting the copies needed for recovery. Neither control on its own makes data impervious to attack, but together they sharply limit the damage a ransomware incident can do.
Workload security
The cloud security assessment should evaluate security controls and countermeasures protecting cloud virtual servers, serverless workloads, and hosted containers.
Key benefits of a cloud security assessment
The benefits of cloud security assessments come to life when security and IT teams translate their findings into action. A cloud security assessment is a vital first step to realizing gains in strengthening an organization’s security posture and cyber resilience.
Mitigating risk
A cloud security assessment identifies risks affecting cloud assets and establishes a priority for their mitigation, including misconfigurations of virtual machines and cloud storage. By following recommended changes, the organization reduces risk from accidental misconfigurations. The process also discovers vulnerabilities and threat vectors, along with evidence of previous, undetected compromises. Fixing vulnerabilities with patches and hardening reduces the risk of data breaches, service disruptions, and insider threats.
The assessment process also supports proactive planning and budgeting. It shifts managers and teams away from a reactive “fire drill” mode of working and enables organizations to anticipate problems and resolve underlying issues before they create trouble.
Compliance
Regular cloud security assessments help organizations comply with regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). GDPR (Article 32) requires regular testing and evaluation of the effectiveness of security measures, and System and Organization Controls 2 (SOC 2) examinations likewise expect evidence that controls are evaluated. The cloud security assessment can satisfy this requirement for the cloud assets in scope of the regulation.
The assessment process can also contribute to compliance outcomes through evidence gathering and documentation that compliance managers and auditors need. For example, GDPR requires records of processing activities (ROPA), which is best realized through a data inventory. The cloud security assessment can include building the data inventory, so it doesn’t have to be repeated for GDPR compliance.
Going further, cloud security assessments demonstrate that an organization takes its compliance obligations seriously. It’s a type of due diligence that makes a favorable impression on stakeholders, auditors, and regulators. The process also contributes to a vital but intangible quality known as “the tone at the top,” referring to how seriously senior management takes compliance, and establishes that they are creating a positive “ethical climate” in the organization.
Data protection
A cloud security assessment can reinforce data protection efforts, including:
Establishing how well the organization encrypts its data in the cloud and where there may be deficiencies in encryption that need to be remediated. Typically relying on automated data discovery tools, this process often results in surprising “finds” of unencrypted data sitting in poorly secured repositories, and in some cases, publicly accessible data stores.
Assessing data handling practices, including replication and backup for cyber resilience.
Evaluating the security of data in transit and at rest, and confirming that it is encrypted in both states.
Discovering and assessing cloud IAM policy enforcement. The assessment validates access controls and confirms that only authorized identities can reach the data.
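The encryption and immutability points above (under data storage protection) and the “finds” of unencrypted or publicly accessible data stores are the kind of checks a storage posture review automates. The following is an added example written for this article, not Wasabi’s or AWS’s code. Its bucket records are constructed, and their nested fields mirror the shape of S3 API responses for the bucket policy, public access block, default encryption, and object lock configuration; that mapping is an assumption, and a real review would fetch the records through the provider’s API rather than embed them. Encryption and immutability are deliberately scored as separate findings.

```python
"""Storage posture checks over S3-style bucket metadata (added example,
not Wasabi's or AWS's code; all records below are constructed and the
field layout is assumed to follow the S3 API response shapes)."""

_ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

SAMPLE_BUCKETS = [  # constructed records, not real buckets
    {"name": "marketing-static", "holds_backups": False,
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::marketing-static/*"}]},
     "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                             "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
     "encryption": None, "object_lock": None},
    {"name": "customer-exports", "holds_backups": False,
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "*"},
          "Action": ["s3:GetObject", "s3:ListBucket"],
          "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"],
          "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]},
     "public_access_block": _ALL_BLOCKED,
     "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
         {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                  "KMSMasterKeyID": "alias/customer-data"}}]}},
     "object_lock": None},
    {"name": "db-backups", "holds_backups": True, "policy": None,
     "public_access_block": _ALL_BLOCKED,
     "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
         {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
     "object_lock": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
         "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}},
]


def _principals(statement):
    """Normalise the Principal element ("*" or {"AWS": ...}) to a set of strings."""
    principal = statement.get("Principal")
    if principal == "*":
        return {"*"}
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return set(aws if isinstance(aws, list) else [aws])
    return set()


def public_statements(policy):
    """Allow statements that grant anonymous access and carry no Condition."""
    if not policy:
        return []
    return [s for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and "*" in _principals(s) and not s.get("Condition")]


def default_encryption(encryption_cfg):
    """The bucket's default SSE algorithm, or None when no default is configured."""
    rules = (encryption_cfg or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algorithm = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algorithm:
            return algorithm
    return None


def object_lock_mode(lock_cfg):
    """'COMPLIANCE', 'GOVERNANCE', 'ENABLED_NO_DEFAULT', or None when lock is off."""
    cfg = (lock_cfg or {}).get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return None
    return cfg.get("Rule", {}).get("DefaultRetention", {}).get("Mode", "ENABLED_NO_DEFAULT")


def review_bucket(bucket):
    """(severity, finding) pairs; severity stands in for the assessment's risk score."""
    findings = []
    pab = bucket.get("public_access_block") or {}
    anonymous = public_statements(bucket.get("policy"))
    # RestrictPublicBuckets confines a public policy to the account's own
    # principals; without it, the anonymous grant is actually reachable.
    if anonymous and not pab.get("RestrictPublicBuckets"):
        actions = sorted({a for s in anonymous
                          for a in ([s["Action"]] if isinstance(s["Action"], str) else s["Action"])})
        findings.append(("high", "anonymous " + ", ".join(actions)
                         + " is effective; confirm the bucket is meant to be public"))
    if default_encryption(bucket.get("encryption")) is None:
        findings.append(("medium", "no default server-side encryption"))
    # Encryption and immutability are separate controls: governance-mode
    # retention can be bypassed by a suitably privileged principal, so a
    # backup bucket needs compliance mode to resist deletion by an attacker
    # holding admin credentials.
    if bucket.get("holds_backups") and object_lock_mode(bucket.get("object_lock")) != "COMPLIANCE":
        findings.append(("high", "backup bucket lacks compliance-mode object lock"))
    return findings


def review_all(buckets):
    return {b["name"]: review_bucket(b) for b in buckets}


if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_BUCKETS).items():
        print(name, findings or "no findings")
```

Of the three constructed buckets, only the one with a Condition-scoped `Principal: "*"` statement passes cleanly: the static site is public by policy and unencrypted, and the backup bucket is encrypted but only governance-locked. A public finding is a prompt to confirm intent with the owner, not automatically a defect.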
Cloud security assessment checklist
Cloud security assessments vary in scope, but the process follows a similar pattern regardless of the depth of the work. The following checklist describes the task categories required to conduct a successful assessment.
1. Setting clear objectives for your assessment
It is a good practice to think carefully about a cloud security assessment’s goals and scope before starting the work. The cloud is large and complex enough that it’s possible to create an assessment project that will consume too many resources and too much time. The cost may outweigh the benefit. There’s also the potential for scope creep, based on discoveries made during the process. To avoid these negative outcomes, develop a clear, manageable set of goals. For example, the focus could be on compliance or threat detection.
It pays to be thorough, however, when figuring out which cloud platforms to cover in the assessment. Ideally, the process will include relevant cloud platforms, SaaS providers, hybrid cloud infrastructure, and co-located private clouds across all regions. The goal should be to avoid a gap in assessment coverage.
The assessment process also necessarily brings together people and teams from across the organization. Not everyone will need (or want) to have the same level of involvement, but it makes business sense to involve stakeholders from departments beyond security teams. IT managers, compliance managers, line of business managers, and people from the legal team should engage with the cloud security assessment.
2. Identifying and classifying your cloud assets
After defining goals and scope, the next step is to create a comprehensive inventory of cloud assets. This inventory should include compute, such as cloud-hosted virtual machines (VMs), cloud storage, databases, cloud networking, and SaaS platforms. It will probably be a long list. At that point, it’s necessary to categorize the assets by criticality. Not every VM requires the same level of attention. For some, an outage will have a serious impact on the business. Others may contain sensitive information. They deserve prioritization.
Mapping dependencies and data flows is a related process. Once the inventory is complete, determine the connections between assets, such as dependencies between software applications. This process often uncovers hidden risks. For example, if multiple applications invoke the same application programming interface (API), and there is only one instance of that API, that is a single point of failure—and cyber risk—that can affect multiple systems.
3. Comprehensive evaluation of cloud security controls and policies
Evaluating controls and policies comes next. This process should also be subject to prioritization. Highlights include:
Reviewing cloud IAM policies, verifying enforcement, and noting where enforcement is deficient.
Measuring the percentage of users subject to MFA and RBAC for cloud access.
Inspecting logging, auditing, and anomaly detection capabilities in the cloud.
Assessing workload security, encryption protocols, and firewall configurations for cloud assets.
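Two of the items above, verifying IAM enforcement and measuring MFA coverage, are answered directly from a credential report. The following is an added example written for this article, not Wasabi’s or AWS’s code. The report text is constructed and uses a subset of the columns of the AWS IAM credential report (`aws iam get-credential-report`); that column layout is an assumption, so adapt the field names for another provider or identity platform. Besides the MFA percentage it flags the related conditions an assessor looks for: a root account without MFA, console users without MFA, and long-lived or never-used access keys.

```python
"""Identity posture checks over an IAM credential report (added example,
not Wasabi's or AWS's code; the report below is constructed and its
column layout is assumed to follow the AWS credential report)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Fixed reference time so the output is reproducible; a real run would use
# datetime.now(timezone.utc).
NOW = datetime(2024, 5, 21, 12, 0, tzinfo=timezone.utc)
KEY_MAX_AGE = timedelta(days=90)

SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-05-01T08:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-05-20T12:00:00+00:00,true,true,2024-03-01T09:00:00+00:00,2024-05-19T07:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2024-05-18T12:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,N/A,false,true,2020-06-01T09:00:00+00:00,2024-05-20T03:00:00+00:00,true,2021-01-01T09:00:00+00:00,N/A
"""


def _timestamp(value):
    """Parse a report timestamp; the report uses N/A and not_supported for 'none'."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def parse_report(text):
    return list(csv.DictReader(io.StringIO(text)))


def console_mfa_coverage(rows):
    """(users with MFA, users with a console password): the MFA percentage metric."""
    console = [r for r in rows if r["password_enabled"] == "true"]
    return sum(r["mfa_active"] == "true" for r in console), len(console)


def identity_findings(rows, now=NOW, key_max_age=KEY_MAX_AGE):
    """Return (user, finding) pairs for the conditions an assessor would flag."""
    findings = []
    for r in rows:
        user = r["user"]
        if user == "<root_account>" and r["mfa_active"] != "true":
            findings.append((user, "root account has no MFA"))
        if r["password_enabled"] == "true" and r["mfa_active"] != "true":
            findings.append((user, "console login without MFA"))
        for n in ("1", "2"):
            if r[f"access_key_{n}_active"] != "true":
                continue  # inactive keys are not an exposure
            rotated = _timestamp(r[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > key_max_age:
                age = (now - rotated).days
                findings.append((user, f"access key {n} not rotated for {age} days"))
            if _timestamp(r[f"access_key_{n}_last_used_date"]) is None:
                # An active key that has never been used is pure attack surface.
                findings.append((user, f"access key {n} is active but has never been used"))
    return findings


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    with_mfa, console_users = console_mfa_coverage(rows)
    print(f"console users with MFA: {with_mfa}/{console_users}")
    for user, finding in identity_findings(rows):
        print(f"{user}: {finding}")
```

On the constructed report the MFA metric is one of two console users, and the findings point at the root account, one human user, and a service account whose keys have not been rotated in years. The same approach works for any identity source that can export per-account MFA and credential age fields.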
4. Risk identification, management, and remediation in the cloud
The assessment now goes into active testing and scanning mode. Vulnerability scans reveal weaknesses that were not evident from configuration review alone. The best practice is to map findings to Common Vulnerabilities and Exposures (CVE) identifiers, maintained by MITRE, so that security teams can locate vendor advisories and patches for known vulnerabilities, and to attach a severity score such as CVSS (published for most CVEs in the National Vulnerability Database) so that the seriousness and potential impact of each unremediated vulnerability can be compared. Many cloud findings, such as an open storage bucket or an over-permissive IAM role, are misconfigurations with no CVE at all and must be rated on their own terms.
Penetration testing and equivalent processes, such as continuous automated red teaming, can reveal security gaps that are difficult to spot otherwise. The process should be enriched with security ratings and threat intelligence data. Threat modeling of realistic attack scenarios is a further step that shows where the organization is most exposed to cloud risk and guides the prioritization of remediation efforts.
The prioritization process should be driven by quantitative metrics. Assign risk scores to the various issues picked up by the assessment. Risk scores should reflect business impact. Prioritize remediation for those with higher scores. That way, the cloud risks that can cause the greatest harm to the business, such as reputational damage, disruptions to operations, loss of customers, and so forth, get fixed sooner.
5. Developing a proactive incident response plan
It’s likely that incident response plans already exist, but the cloud security assessment should examine them for applicability to the cloud. For example, a cloud data breach may require a different incident response “playbook” from one that occurs on-prem. Additionally, cloud assets might not integrate easily—or at all—with security orchestration, automation, and response (SOAR) solutions, which handle incident response workflows at many enterprises. Automated alerting and escalation processes may not work in this case. The assessment should call out such gaps in connectivity.
Cloud incident response may also require people to take different actions from what they do in an on-prem security incident. For instance, it may be necessary to contact the cloud provider, or for the organization’s legal department to be notified quickly, so they can review contracts with the cloud provider. All participants should understand their roles and responsibilities well.
6. Testing and improving your incident response strategy
It is essential to test cloud incident response plans. Organizations that invest resources in such testing benefit from discovering where the plan is strong and where it needs work. Outside vendors specialize in response plan testing, and their process often reveals striking problems, such as plans requiring contact with people who have long left the organization, out-of-date phone numbers and email addresses, and so forth.
If resources permit, a tabletop exercise or simulated attack can be a valuable tool for testing the strength of an incident response plan. The cloud security assessment can propose targets for the exercise, such as time to detect and time to contain, alongside the recovery time objective (RTO) and recovery point objective (RPO) already set for the affected data. If the exercise misses those targets, that should trigger a reworking of the plan.
Testing will ideally be a recurring process. Stakeholders should apply lessons learned, updating plans and policies accordingly. Future testing cycles will evaluate how well changes have been implemented.
7. Continuous monitoring and compliance checks
A thorough cloud security assessment should contain recommendations for continuous monitoring and compliance with security policies and regulations, which may involve implementing a cloud security posture management (CSPM) solution or a cloud workload protection platform (CWPP). These solutions provide continuous security monitoring and more for the overall cloud environment and specific workloads, respectively.
A more informal approach to monitoring security and compliance can also be effective. Either way, the process calls for regular reviews of logs, alerts, and system configurations. Periodic compliance audits and gap analyses also need to be factored in.
Conclusion
The cloud offers agility and economic benefits, but the technology has the potential to expose organizations to cyber risks that are beyond the reach of traditional security countermeasures. The process of conducting a cloud security assessment reveals vulnerabilities and security gaps in the cloud—enabling teams in IT, security, and compliance to address the problems before they result in breaches and other disruptions. The assessment establishes a priority for remediation, too. It gives stakeholders an overview of cloud risk and drives actions intended to avert future attacks. The assessment process will ideally be ongoing, with periodic cycles of assessment, review, and action.
Wasabi has a vital role to play in cloud security assessments and can recommend steps to take to protect data storage and create cyber resilience. Wasabi is serious about security and data resilience. Learn how cloud object storage with Wasabi enables rapid and affordable recovery from cybersecurity incidents or accidental data loss.