Cloud Security Assessment – Why?

The use of cloud technologies has been a true game changer for companies across all verticals and industries. The benefits of the cloud are numerous: fast integration, flexibility, device diversity, etc.  This allows organizations to speed up their time to market and enhance capabilities in existing products and solutions.

Ease does not come without risk, though. From a security perspective, the cloud introduces threats of its own, and those call for an approach tailored to how the cloud is actually being used.

This is not an area where one size fits all or where a generalized solution applies to every situation. The wise corporation therefore needs to continuously evaluate cloud risk, deployment policies and practices, and align its cyber security strategy with business objectives and emerging trends. In our opinion, the best way to begin this process is with a Cloud Security Assessment. These assessments use expert review to find weaknesses in a cloud architecture that an attacker could exploit to reach data.

To explain it further, let’s look at security as a whole.

The basic tenets of sound security do not change as organizations move to the cloud. Most security professionals are familiar with the Center for Internet Security's (CIS) 20 Critical Security Controls and how to apply them to on-prem systems. These same controls apply to cloud platforms.

Each of the 20 controls has sub-controls that support the top-level control. As an example, the first CIS control is Inventory and Control of Hardware Assets. In the cloud the customer does not own the hardware, but the control still applies. Its first sub-control is to use an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory. We apply this to the cloud by ensuring we have an ACTIVE discovery tool that identifies the assets we have deployed there, rather than relying on what the deployment pipeline or a spreadsheet says exists. This maps cleanly to IaaS and PaaS inventories; with SaaS the inventory tends to drift, because there is no customer-owned infrastructure to discover and the assets become accounts, integrations and data. (More on SaaS security in a later post.)

CIS has stated that implementing its first five controls mitigates roughly 85% of common attacks. Let us break it down further and summarize the first three. As a refresher, these are:

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management

How do these controls relate to cloud security? Most of the breaches we see result from misconfiguration, human error, or both.

In January 2019, an online casino inadvertently left an Elasticsearch database exposed to the Internet without a password. Approximately 108 million records were exposed. Knowing what assets they had and what state they were in, and running discovery continuously rather than once, could well have caught an unauthenticated data store listening on the Internet before someone else did.

Most cloud providers have the tools BUILT IN to do what many would consider basic security hygiene, but many clients are either unaware of those tools or lack the internal skill sets to implement them and, more importantly, manage them after implementation.

As an example of built-in tooling, AWS has two service offerings that support the three controls listed above: AWS Config and Amazon Inspector. In a future post we will cover how to enable and deploy these services and automate some of the responses to findings (the real juice from the squeeze). AWS Config records the configuration of most AWS resources and evaluates it against rules, which covers inventory and audit; Amazon Inspector scans the workloads customers have deployed for known vulnerabilities. Yes, there are costs associated with deploying these, but we would offer that they are less than the cost of recovering from a breach.
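To make the cloud reading of controls 1 through 3 concrete, here is an added example of the two checks discussed above: reconciling what active discovery finds against the asset register, and evaluating security groups for sensitive ports open to the Internet (the Elasticsearch case). This is illustration code written for this post, not code from the original article and not AWS Config or Amazon Inspector themselves. The sample data is constructed in the shape of two real boto3 responses, `config.list_discovered_resources(...)["resourceIdentifiers"]` and `ec2.describe_security_groups()["SecurityGroups"]`; a live run would fetch those instead of using the literals. All resource ids, the approved inventory and the sensitive-port policy are hypothetical.

```python
"""Inventory reconciliation and Internet-exposure checks over constructed
cloud snapshots (the cloud reading of CIS Controls 1-3 discussed above).

Added example, not code from the original post and not AWS's own tooling.
The sample data is constructed in the shape of two real boto3 responses:
  config.list_discovered_resources(resourceType=...)["resourceIdentifiers"]
  ec2.describe_security_groups()["SecurityGroups"]
A live run would fetch those instead of using the literals below. Every
id, the approved inventory and the sensitive-port list are hypothetical.
"""

# Constructed: what active discovery reports (AWS Config resourceIdentifiers shape).
DISCOVERED = [
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0aa1"},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0aa2"},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0ff9"},  # nobody registered this
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-search"},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-web"},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-db"},
]

# Constructed: what the asset register (CMDB export) says should exist.
APPROVED = {
    ("AWS::EC2::Instance", "i-0aa1"),
    ("AWS::EC2::Instance", "i-0aa2"),
    ("AWS::EC2::Instance", "i-0bb3"),  # decommissioned, never removed from the register
    ("AWS::EC2::SecurityGroup", "sg-web"),
    ("AWS::EC2::SecurityGroup", "sg-db"),
}

# Constructed: ec2.describe_security_groups()["SecurityGroups"] shape.
SECURITY_GROUPS = [
    {"GroupId": "sg-search", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},   # the casino case
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",                      # "all traffic": AWS omits the port keys
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
]

# Hypothetical policy: data stores and admin interfaces must never face the Internet.
SENSITIVE_PORTS = {22: "ssh", 3306: "mysql", 3389: "rdp", 5432: "postgres",
                   6379: "redis", 9200: "elasticsearch", 27017: "mongodb"}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def reconcile_inventory(discovered, approved):
    """Controls 1 and 2 in cloud terms: compare discovery with the register.

    Returns (unregistered, stale): resources that exist but nobody approved,
    and register entries that discovery no longer sees (register drift).
    """
    seen = {(r["resourceType"], r["resourceId"]) for r in discovered}
    return sorted(seen - approved), sorted(approved - seen)


def is_world_open(perm):
    """True if the ingress rule admits any IPv4 or any IPv6 source."""
    return (any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", [])))


def exposed_ports(perm):
    """Sensitive TCP ports this rule opens to the whole Internet.

    Covers the shapes describe_security_groups produces: a single port, a
    FromPort-ToPort range, and IpProtocol "-1" (all traffic, no port keys).
    """
    if not is_world_open(perm):
        return []
    if perm["IpProtocol"] == "-1":
        return sorted(SENSITIVE_PORTS)  # every port, every protocol
    if perm["IpProtocol"] != "tcp":
        return []                        # udp/icmp rules: out of scope for this list
    lo, hi = perm["FromPort"], perm["ToPort"]
    return [p for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]


def evaluate_security_groups(groups):
    """Config-rule style verdict per group: (status, reasons)."""
    verdicts = {}
    for g in groups:
        reasons = [f"{SENSITIVE_PORTS[p]}/{p} open to the Internet"
                   for perm in g["IpPermissions"] for p in exposed_ports(perm)]
        verdicts[g["GroupId"]] = ("NON_COMPLIANT" if reasons else "COMPLIANT", reasons)
    return verdicts


if __name__ == "__main__":
    unregistered, stale = reconcile_inventory(DISCOVERED, APPROVED)
    print("Unregistered (discovered, not approved):", unregistered)
    print("Stale register entries (approved, not found):", stale)
    for gid, (status, reasons) in evaluate_security_groups(SECURITY_GROUPS).items():
        print(gid, status, "; ".join(reasons))
```

Two details matter in practice. The `"-1"` protocol entry is the one teams miss: AWS omits `FromPort` and `ToPort` on it, so a checker that only looks at port numbers silently skips the rule that opens everything. And the reconciliation runs in both directions: an unregistered resource is the `test-box` someone forgot to tell anyone about, while a stale register entry is the sign that the inventory is being maintained by hand and has already drifted from reality.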

This is where our assessments come into the picture. 

We advocate this control-based, common-sense approach when conducting our Cloud Security Assessments. We build our offerings on not only best practices but also current and emerging threats, and we modify our tools, techniques and procedures as we see those threats change.

The most common reasons given for our clients to engage with us for a Cloud Security Architecture Assessment include:

  • To identify key areas of technology and processes where they have gaps.
  • To identify where their cloud solution has risks that are not being addressed by current controls.
  • To validate Security Architecture before, during, and after migrating resources to the cloud.

If this is something that interests you, please connect with us to develop a solution tailored to your needs.

About Invicta Solutions Group

Invicta Solutions Group is a leading Cyber Security, Systems Engineering Professional Services and Talent Management firm headquartered in Nashville, TN.  The company is a Veteran Owned Small Business that supports commercial and federal clients throughout the US.

We help companies expand their cloud adoption, enhance systems and platforms through world-class engineering and support, and reduce vulnerabilities in their business applications, critical data, and intellectual property. ISG consultants have expertise with many emerging technologies and have experience with both private sector companies and the DoD Cyber Command.

As a highly specialized talent management partner, Invicta Solutions Group provides both project-based and full-time placement services. We utilize "best in industry" tools and processes, along with unique candidate pools of cleared and non-cleared resources, to support the recruiting needs of our clients. ISG can recruit non-cleared and cleared (Public Trust, Secret, TS/SCI) resources through our Talent Management offering.

Cyber Security and systems engineering projects require the right mix of internal staff, tools, strategy, and consulting partners. Service providers often over-promise on capabilities or deliver individuals or teams that do not fit the business challenge at hand. Invicta Solutions Group provides cloud and cyber security services, simply. You will not always get our team; you get the right team for your specific need.