More and more companies are choosing to place their services with public cloud providers. There can be many reasons, but the most common are that it is easy to get started with and that it simplifies scalability and operational reliability.
According to the provider's Shared Responsibility Model, the cloud provider is responsible for its share of the overall IT security, and the administrator is responsible for the areas that fall under their care. It is for the latter that it can be valuable to perform a cloud security audit, with a security provider like Shelltrail assisting with the expertise.
How is a cloud security audit conducted?
The most common starting point for a cloud security audit is to examine the resources in the cloud environment through a Read-only or Security Audit account and analyze the security posture of the infrastructure.
Some of the areas reviewed in a cloud security audit include:
- Permission assignments
- Management of privileged accounts
- Exposed resources
- Best practices
- Segmentation
- Data encryption
Shelltrail’s security testers have several years of experience in reviewing the major cloud providers on the market, and with certifications issued by both Amazon AWS and Microsoft Azure, Shelltrail also has proven knowledge within the domain.
Usually, an analysis of the cloud environment is included in a web application test when the application is deployed in a public cloud environment. The reason for combining web and cloud auditing is that covering both layers provides more in-depth protection. Typically, the test takes a couple of days to perform, but this depends on the size of the cloud infrastructure.
Shelltrail’s regular work with different cloud providers means that we have the experience to perform tests and to follow each cloud provider’s Rules of Engagement for security audits.
Why should the cloud environment be audited?
The Shared Responsibility Model used by the different cloud providers, for instance Microsoft Azure and Amazon AWS, states that the responsibility for certain security aspects lies with the administrator, depending on the type of deployment (SaaS, PaaS, IaaS).
Additional reasons might include: requirements from customers or suppliers, customer trust and reputation, regulatory requirements (GDPR, PCI DSS, ISO 27001) or verification of the current security posture.
Upon completion of the assignment
At the completion of the assignment, a debriefing takes place where Shelltrail’s security experts go through the entire report, which includes a full presentation of all security issues. The report begins with a high-level summary that emphasizes risk over technical detail. Normally, the report is delivered in its final format within a few days after the completion of the assignment.