Cloud Security Audit
Cloud Security Audit consists of an audit that analyzes the cloud infrastructure configurations from a security point of view to ensure the necessary protection standards in these platforms and put in the spotlight the configurations that could represent a risk for the client, describing the problem, pointing out the affected resources and offering solutions for its mitigation.
To do this, we review the configuration of hundreds of elements that form the infrastructure, including access controls, roles and permissions, storage systems, network components or deployed instances, among others.
Careful, cyber security in the cloud is your responsibility
Cloud providers work under a “shared responsibility model”, where companies must take responsibility for cybersecurity. The responsibility is different depending on whether you have an IaaS, PaaS and SaaS model, below we show the responsibilities of each party when what you hire is the Cloud infrastructure, as is the case with AWS, Microsoft Azure, Google Cloud, etc:
Responsibility of your Cloud provider
Physical part of the infrastructure
- Device failures
- Physical access
- Network failures
- Other physical aspects of the infrastructure
* These responsibilities apply to “Infrastructure as a Service IaaS” services. In this link you can see the responsibilities that apply to PaaS and SaaS infrastructures.
Your responsibility as a Cloud customer
Virtual part of the infrastructure
- Identity and access control
- Operating system, network and firewall configurations
- Data stored by the customer
- Encryption of information in transit or at rest
- Other aspects concerning the use of the Cloud
* These responsibilities apply to “Infrastructure as a Service IaaS” services. In this link you can see the responsibilities that apply to PaaS and SaaS infrastructures..
How does a Cloud security audit differ from an infrastructure pentest?
The focus between the two cases is different, while the infrastructure pentest focuses on externally visible assets, exposed resources and how they can pose a risk to the infrastructure, the cloud security audit is based on the review of all configurations, security measures, open ports, permissions, etc.
The latter also reports on the risks to the cloud infrastructure, it doesn’t attack the infrastructure, although in neither case does it pose a real risk.
The hundreds of options for configuring Cloud environments mean that a small mistake in any option can trigger latent threats.
What do you get by analyzing your platform with Cloud Security Audit?
Identify risks and vulnerabilities
Knowing the impact of exploitable vulnerabilities
Obtain clear and actionable remediation information.
Determine how to take advantage of any access obtained through exploitation.
Obtain best practices for maintaining security
On which platforms do we analyze cloud security?
Cloud security analysis for certifications
Cloud Security Audit has specific versions to adapt to the following certifications:
What is the Cloud provider's responsibility for each type of infrastructure (IaaS, PaaS, SaaS)?
In each type of cloud service the provider has certain responsibilities regarding cybersecurity or other, below we indicate the different cases that exist:
- Infrastructure as a Service (IaaS):The supplier is responsible for the equivalent of the physical layer.
- Platform as a Service (PaaS): It also includes the Operating System and runtime environment.
- Software as a Service (SaaS):The supplier is responsible for all levels covered by the application, including data.
What is not covered by the Cloud platform and is it the company's responsibility?
As a general rule, in none of the cases, the different Cloud platforms cover:
- Identity and access control.
- Operating system, network and firewall configurations.
- Data stored by the client.
- Encryption of information in transit or at rest.
After performing a Cloud security audit, am I protected against future threats?
The structure of companies is not usually fixed, but evolves continuously with updates, system changes, new processes and protocols. Because of this, new security breaches may arise that did not exist at the time of the audit, so we recommend performing audits on a regular basis.
How often is it advisable to perform a cloud security audit?
The recommended period varies depending on the frequency with which changes are made to the platform; if updates and improvements or user modifications are constantly applied to the development hosted on the platform, a much higher frequency is required than if the development is static and receives practically no modifications.
From the beginning of the Cloud Security Audit project, how soon will I receive the report?
The time varies depending on the scope of the audit, but generally the client receives the report within approximately one week from the start of the audit.
Is there any risk in performing security auditing in the cloud?
No, we only have read permissions on the customer’s infrastructure, so any action we take does not affect the service.
If vulnerabilities are found, will that information be made public?
No, Sofistic always guarantees the confidentiality of the data and treats them with rigorous privacy policies, so only the client will be able to have the data obtained in the cloud security audit.
I have a small business, should I perform a security audit of my cloud services?
Cyber-attacks affect large and small companies alike, and small companies tend to have fewer resources to deal with cyber-attacks once they have occurred, so it is advisable to implement preventive measures as soon as possible. What usually happens is that small companies make fewer changes to the development hosted in the cloud, in which case they will need to perform the Pentest Cloud less frequently.
If I don't have a cybersecurity team in the company, how can I fix the vulnerabilities detected?
In the report, in addition to the vulnerabilities classified by criticality and the explanation of these, we also indicate how they should be solved. We also have a technical team available to assist in the resolution of the vulnerabilities.
What is the price of a Cloud Security Audit?
The price varies depending on the scope of the project, since both the parameters and the infrastructure deployed are very different in each project (even being on the same platform). If you want to get a free quote you can contact our specialists.
What will the client receive?
Our technicians will perform a wide range of tests on the different services configured in the cloud provider to try to identify possible risks for the customer.
Among all the identified failures, filtering and discrimination of false positives will be performed and a report will be delivered to the customer consisting of an executive summary, a list of failures with their respective risks, marked from “Low” to “Critical” for the highest risk.
In addition, for each incident, a detailed description of the problem will be provided to help visualize the impact, solutions will be offered to mitigate the risk and the affected resources will be identified.
Other types of Security Audits
A pentest consists of an IT security audit in which the company’s systems are attacked through the different breaches detected, analyzing how far a real attacker could gain access.
In a Source Code Audit we evaluate the degree of security of the source code of the applications used or developed by your company in search of vulnerabilities that could be exploited by attackers.