Outsourcing applications and data to the cloud brings significant benefits for companies, but at the same time also new challenges for the corresponding IT departments. The technologies and processes of a cloud environment differ from those of local data centers.
Whereas the responsibility of the company’s own IT departments used to be to take care of all levels (hardware, virtual machines, operating systems and applications) of an on-premise solution, the move to the cloud means that only very abstracted services are purchased. The service provider and the company share responsibility for the secure operation of these services. The secure configuration of the individual services remains largely the responsibility of the company – and with it, the responsibility for regular monitoring and checking.
The growing complexity of cloud environments is presenting many IT departments and their staff with increasing challenges. Experience and knowledge to set up and maintain sufficient security measures are lacking. Appropriate security best practices must first be established in most companies. Misconfigurations creep in, which become critical security gaps and gateways for potential attackers.
Misconfigurations can be found, for example, in:
- Identity and access management (e.g. AWS IAM, Azure AD, GCP IAM)
- Storage services (e.g. AWS S3, Azure Storage Accounts, GCP Cloud Storage)
- Database services (e.g. AWS RDS, Azure SQL, GCP Cloud SQL)
- Logging, monitoring and alerting services (e.g. AWS CloudWatch, Azure Security Center, GCP Cloud Audit Logs)
The trust companies place in their cloud service providers requires regular and independent validation by a third party. Only with this validation is it possible and important at the same time for companies to obtain meaningful transparency of the IT security level of their cloud environment. A cloud security audit provides the valuable results and insights required for this purpose:
Manually and automatically, we audit against a framework of a variety of control objectives based on the CIS benchmarks for AWS, Azure, and GCP, cloud service provider best practices, and our years of experience. Through configuration reviews, document review and interviews, we audit not only the actual configuration of the cloud services, but also the security architecture and the people and processes involved.
Would you like to have the configuration of your cloud environment audited? Here you can learn more about how we proceed with a cloud security audit and what we test in the process.
As part of a cloud pentest, our security analysts also examine all relevant cloud components and identify possible gateways for attackers.
We are looking forward to supporting you.