How to conduct a cloud security assessment

The cloud presents organizations with a security challenge. By conducting a cloud security assessment, organizations can discover vulnerabilities before adversaries do.

A cloud security assessment (CSA) evaluates the cloud infrastructure for vulnerabilities, configuration weaknesses and potential threats. It analyzes the configuration of cloud service provider accounts or subscriptions and reviews the possible threats from the internet and from within the cloud infrastructure itself. The organization gets a breakdown of potential gaps in design and controls implementation, as well as the potential attack surface and its risks.

How to perform a cloud security assessment

Organizations should conduct CSAs regularly to stay current against evolving threats.

A cloud security assessment evaluates an organization’s cloud infrastructure for the following:

  • Overall security posture.
  • Identity and access management (IAM) policies.
  • Service provider security features.
  • Compliance.
  • Documentation.
  • Exposure to future threats.

To start, have the organization’s security team inventory all cloud accounts and subscriptions in use. Larger organizations with many accounts might selectively sample several to keep the CSA manageable. Choose accounts or subscriptions with sensitive data or a high level of exposure.

With an inventory of cloud accounts and subscriptions complete, the security team should evaluate services and assets. Start by reviewing the IAM policies for each cloud account, including the privileges and permissions those policies grant. From there, look at security guardrail services, like Amazon GuardDuty or Microsoft Defender, including their configuration and running state. Scan images used to deploy containers and VM workloads for vulnerabilities, especially if they are exposed to the internet. Review services and objects against cybersecurity standards and frameworks, such as NIST, Cloud Security Alliance or Center for Internet Security guidelines.

If internal configuration standards are in place, consider these as part of the CSA. Ensure running workloads and storage exposed to the internet are documented. Evaluate firewalls, network segmentation and web application firewalls for potential misconfigurations.

From there, analyze cloud accounts for any infrastructure-as-code (IaC) templates in deployment. These templates often contain critical configuration items and services in use. Cloud security posture management tools capable of scanning IaC templates can improve efficiency in this process.

With assets, exposure and configuration posture documented, organizations should perform threat modeling exercises to evaluate existing trust boundaries and potential attacks against cloud assets and services. Threat modeling reviews should test against possible attacks and threats to the cloud environment, ease of attacks based on exposure and susceptibility, and the state of preventive and detective controls in place. Organizations with multi-cloud deployments should expect to conduct separate threat modeling sessions for each respective cloud service.

Optionally, organizations may perform penetration tests and live scans against cloud accounts and subscriptions for extra testing and review.

Based on the analysis, the security team should create a high-level report. Outline all audits, document risks and possible gaps in controls, and provide remediation recommendations for vulnerabilities and weaknesses.
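The IAM review, internet-exposure documentation and IaC scan described above, reduced to a small assessment check as an added example (not code from the article or from any CSPM product). The IAM policy documents and the CloudFormation-style template are constructed samples, and the finding categories are an assumed reporting convention.

```python
"""Minimal cloud security assessment checks over constructed IAM and IaC data."""

# Constructed sample: AWS-style IAM policy documents, one with an admin-equivalent statement.
IAM_POLICIES = {
    "ci-deploy-role": {"Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::build-artifacts/*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},  # grants every action on everything
    ]},
    "read-only-auditor": {"Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:Get*"], "Resource": "*"},
    ]},
}

# Constructed sample: CloudFormation-style template with internet-exposed ingress and a public bucket.
IAC_TEMPLATE = {"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
    ]}},
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
}}

def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_iam(policies):
    """Flag Allow statements that grant every action on every resource."""
    findings = []
    for name, doc in policies.items():
        for st in doc.get("Statement", []):
            actions, resources = _as_list(st.get("Action", [])), _as_list(st.get("Resource", []))
            if st.get("Effect") == "Allow" and "*" in actions and "*" in resources:
                findings.append((name, "IAM", "Allow */* is admin-equivalent"))
    return findings

def audit_iac(template):
    """Record ingress open to the whole internet and publicly readable buckets."""
    findings = []
    for rid, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0":  # exposed to the internet; must be documented
                    findings.append((rid, "NETWORK", f"port {rule['FromPort']} open to 0.0.0.0/0"))
        elif res["Type"] == "AWS::S3::Bucket" and props.get("AccessControl", "").startswith("Public"):
            findings.append((rid, "STORAGE", f"bucket ACL {props['AccessControl']}"))
    return findings

def assess():
    """Combine both checks into the rows a CSA report would list as gaps."""
    return audit_iam(IAM_POLICIES) + audit_iac(IAC_TEMPLATE)

if __name__ == "__main__":
    for row in assess():
        print("%-18s %-8s %s" % row)
```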