Professional Documents
Culture Documents
Assessment
Cloud Security
Assessment
1
Cloud Security Assessment
Accedere shall not be responsible for any loss sustained by any person who
relies on this publication. As used in this document, “Accedere" means
Accedere Inc. Please see https://accedere.io and email us at
info@accedere.io for any specific services that you may be looking for.
Table of Contents
5.Contents
VAPT Phases
7.Colorado
OurLicensed CPA Firm
Comprehensive Assessment Methodology
Focusing on Cyber Security Audits
8. OWASP Top 10 Cloud Challenges and Resolution
Cloud and Data Privacy Experts
The worldwide public cloud services market is forecast to grow 17% in 2020
to total $266.4 billion, up from $227.8 billion in 2019. According to some
estimates there are about 20,000 SaaS providers globally. SaaS Software
as a service (SaaS) will remain the largest market segment, which is
forecast to grow to $116 billion next year due to the scalability of
subscription-based software. The second-largest market segment is cloud
system infrastructure services, or infrastructure as a service (IaaS), which
will reach $50 billion in 2020. IaaS is forecast to grow 24% year over year,
which is the highest growth rate across all market segments. This growth is
attributed to the demands of modern applications and workloads, which
require infrastructure that traditional data centers cannot meet. (according
to Gartner, Inc.)
For most businesses, the cloud simply works better than so-called on-
premises. And it isn’t just about money. While any organization is
interested in cutting costs, the main drivers of cloud migration are disaster
recovery, ease of management, and archival. According to the 2019 Thales
1996
Cloud Security Study, organizations are failing to protect sensitive data in
the cloud. Businesses are taking advantage of the cloud, but not applying
adequate security.
Transport Layer Segment Uses the protocols SYN Flood, Smurf attack. Reach bandwidth or
TCP & UDP. connection limits of
hosts or networking
equipment.
Network Layer Packet Uses the protocols ICMP Flooding - A Layer 3 It can affect available
IP, ICMP, ARP, RARP, infrastructure DDoS Attack network bandwidth
& RIP and uses method that uses ICMP and impose extra load
Routers as its messages to overload the on the firewall.
device. targeted network's bandwidth.
Datalink Layer Frame Uses the Protocols MAC flooding - inundates the Disrupts the usual
802.3 & 802.5 and its network switch with data sender to recipient
devices are NICs, packets. flow of data - blasting
switches bridges & across all ports.
WAPs.
Physical Layer Bits Uses the Protocols Physical destruction, Physical assets will
100Base-T & 1000 obstruction, manipulation, or become unresponsive
Base-X and uses malfunction of physical assets. and may need to be
Hubs, patch panels, repaired to increase
& RJ45 Jacks as availability.
devices.
Cloud Security Assessment
Reconnaissance:
Also known as foot printing. It’s a process of gathering data or preliminary
inspection of an area of interest over a short period of time.
Scanning:
Collect more detailed information based on the previous phase. Also known
as enumeration.
Gaining access:
This is the actual attack phase; so, the risk level is considered highest.
Maintaining access:
If the intentions of the hacker will not be satisfied by acquiring access, then
maintaining that access is also important.
Covering tracks:
It is in the best interest of the hacker to erase his fingerprints from the scene.
Rootkits to an extent does the job, but a hacker can modify log files to hide
all those programs or applications that he has installed, from the view of the
computer system.
Gathering logs:
Keeping a record of the scans or reports gathered from the attack/scan
performed. Testing outcomes:
Detailed technical report
Executive summary
High-level fixation solutions
7
Cloud Security Assessment
1 2 3 4
Insufficient
Lack of Cloud Identity,
Misconfiguration
Security Credential,
and Inadequate Insider Threat
Architecture Access
Change Control
and Strategy And Key
Management
5 6 7 8
Abuse and
Insecure
Weak Control Nefarious Use Account
Interfaces and
Planes of Cloud Hijacking
APIs
Services
8
Cloud Security Assessment
9
Cloud Security Assessment
We assess other services you may have implemented to support your cloud
workload, including database services (SQL or NoSQL based), server-less
functions (e.g., AWS Lambda and Azure Functions), logging and monitoring
services, and backup and disaster recovery infrastructure. In each case, we
review the service’s configuration, identify security misconfiguration
scenarios, and determine whether these exist on your infrastructure.
Challenge Resolution
Using a third party to store and Vendor risk management and
transmit data adds a new layer of accountability are the way to
risk. Cloud service providers often manage this issue. The Cloud vendor
also operate across geographical should have a set of security policies
jurisdictions. Data protection which you can map to your own, to
regulations such as the General ensure compatibility with your
Data Protection Regulation (GDPR) industry standards in data protection.
require that the data processors as This should include the Cloud
well as the data controllers, meet vendor's use of technologies like
the requirements of the regulation. It robust authentication, encryption,
is important to ensure accountability and disaster recovery policies.
of data protection, including
recovery and backup, with any
third-party cloud providers we use.
Challenge Resolution
Digital identity is a key part of Implement a modern identity service
cybersecurity. It controls vital areas or platform to provide robust,
such as privileged access to persistent, verified identity controls.
sensitive resources. As enterprises Use this as a basis for controlling
increase their use of cloud and have access to resources using a
data stored across cloud services, privileged access model.
control of access through identity
management is crucial.
Challenge Resolution
OWASP points out the issues of Use a cloud vendor who understands
meeting compliance across and applies solutions for the various
geographical jurisdictions. For data protection laws. They should
example, if the organization is based also know how to handle cross-
in Europe but we use a U.S. Cloud jurisdiction data protection
provider, then it might be difficult to requirements.
map the compliance requirements
of EU-centric data protection, and
vice versa.
Cloud Security Assessment
Challenge Resolution
Outsourcing IT infrastructure to a You need to make sure that your
third-party cloud provider increases Service Level Agreements (SLAs)
the risk of attaining business cover data resilience, protection,
continuity for the simple reason that privacy, and that the vendor has a
it is outside your control. An outage robust disaster recovery process in
of cloud services can have serious place. Evaluate their SOC reports.
repercussions for a business. When
Amazon went down for 13 minutes,
they lost an estimated $2,646,501.
Challenge Resolution
Once data enters the cloud realm, it Compliance frameworks like GDPR
is much more difficult to control would expect an organization to
across its life cycle. For example, perform a Data Protection Impact
social media sites can be difficult to Assessment (DPIA) which extends to
manage, often defaulting to ‘share their Cloud vendors. Data encryption
all’. Data mining of data for technologies, and multi-factor
secondary use in targeted authentication can help augment
advertisements is a privacy risks. data security and privacy risks.
Challenge Resolution
The safe transmission of data is a Transport Layer Security (TLS)
particular risk in cloud computing should be fundamental protocols
models where it is transmitted over used by the cloud vendor.
the internet Additionally data must be encrypted
in use and at rest.
Cloud Security Assessment
Challenge Resolution
Cost savings often dictate that cloud If we are in a multi-tenancy
servers are used in a multi-tenancy agreement there are some ways
setup. This means that we will share you can mitigate the risk of sharing
server resources and other services, your cloud space with others.
with one or more additional Starting with good design, your
companies. The security in multi- cloud vendor can configure the
tenancy environments is focused on server for logical separation. The
the logical rather than the physical system can also have an
segregation of resources. The aim is architecture built for isolation so
to prevent other tenants from that a quarantined virtual
impacting the confidentiality, infrastructure is created for each
integrity, and availability of data. tenant. Technologies like encryption
also help to prevent data exposure.
#8. Incident Analysis and Forensic
Support
Challenge Resolution
If a data breach occurs, we must Check out our cloud vendor policy
understand how to identify and on handling, evaluating and
manage critical vulnerabilities so as correlating event logs across
to respond to the incident as quickly jurisdictions. Check if they have
and effectively as possible. Cloud technologies in place, such as virtual
computing can make the forensic machine imaging, to help in the
analysis of security incidents more forensic analysis of security
difficult. This is because audits and incidents.
events may be logged to data .
centers across multiple jurisdictions.
.
#9. Infrastructure Security
Challenge Resolution
This covers the entire gamut of how Implement Defence in Depth
to harden the attack surface of a measures covering privileged
cloud infrastructure. It includes access management, multifactor
configuring tiers and security zones authentication, secure configuration
as well as ensuring the use of pre- of servers and services, and tiered
established network and application architecture. Periodic VAPT and
protocols. It also includes regular risk configuration reviews can surely
assessments with updates to cover help.
new issues.
Cloud Security Assessment
Identify
Protect
Detect
Respond
Recover 15
Cloud Security Assessment
SIEM
Respond Incident response Endpoint
services detect/respond
Trouble ticket systems Forensic analysis
16
Cloud Security Assessment
The following are some of the security concerns addressed during our
Cloud Assessment:
Sample Reports
17
Cloud Security Assessment