Migrating from an on-premise paradigm to a cloud-based paradigm can be confusing and fraught with unconsidered risks. When you adopt cloud-based solutions – be they Platform as a Service, Software as a Service or Infrastructure as a Service – you will inevitably outsource much of the management and administration of the service to a cloud provider. Responsibilities that you previously held yourselves may now be the province of the cloud service provider rather than yourself. In this environment, you need to understand what your responsibilities are, and what you have delegated externally.
Configuration is key when understanding your exposure in relation to cloud services, and we can help you understand whether your configurations and setups are helping you securely achieve what you need to enable your business goals.
Our cloud configuration reviews are led by your security requirements, informed by your threat environment and therefore focus on the risks which are of interest. Our approach and methodology will depend on your needs and your requirements, which components you are using and how you have combined these to create functionality. Though each cloud environment is unique, there are some important areas which will probably be of interest in most assessments.
Identity and Access Management (IAM) is a key review point for most cloud service deployments: Who is accessing your systems, how are they doing it, and what permissions do they have when they do? As well as the configurations themselves, we consider practical factors in these reviews, such as how your development, deployment and configuration teams work operationally. We also need to understand and review areas such as integrations with other parties, your delegation models, your collaboration patterns and management processes. We use this understanding of your business to identify areas where you are granting excessive or unnecessary privileges, where your roles may not be configured correctly, or where you might have some drift away from your expected secure baselines.
Logging, reporting and monitoring are also critical for cloud environments. You rely heavily upon the integrity and availability of components managed by your cloud provider, but you need to have a comprehensive picture of what is happening across your cloud estate so that, if a breach occurs, you’re able to respond effectively.
Perhaps most importantly, we look to help you understand whether your cloud estate is working in the way you expect and require it to from a security perspective. Configuration review is an important part of our methodology, but we also use approaches from objective-led penetration testing and red teaming to supplement these assessments and make sure we assess the end-to-end risk.
Our goal is to understand where your exposure is and whether you have the right mix of controls in place to manage your risk appropriately.