Addressing security in a public cloud environment is different than in your on-premises data centers. When you move systems and data to the cloud, security responsibilities become shared between you and your cloud service provider. Infrastructure-as-a-Service (IaaS) providers, such as AWS, Google etc. are responsible for securing the underlying infrastructure that supports the cloud, and you are responsible for anything you put on the cloud or connect to the cloud.
Under the public cloud shared responsibility model, your provider enables infrastructure and foundation compute, storage, networking and database services, as well as other higher-level services. These providers enable a range of security services and features to secure your connections, access controls, databases, credentials etc.
Amazon Web Services (AWS)
Elevate also has experience assessing your security configurations and container orchestration platforms and technologies (Mesos, Docker, Kubernetes etc.).
Elevate’s goal during the Cloud Security Assessment is to ensure that our assessment identifies and help you improve your overall security posture.
The following are some of the examples of items reviewed as part of the assessment:
- Security responsibilities shared between your cloud provider and you, the customer of the cloud provider.
- How you define and categorize your assets and which modules/ tools are you using from your cloud provider.
- Review of architecture and data flow diagrams to understand how you are configured.
- Review of network segmentation and ACL and firewall setting.
- Review DDoS layered defense solution.
- How to manage user access to your data using privileged accounts and groups.
- Best practices for securing your data, operating systems, and network.
- How you leverage monitoring and alerting to achieve your security objectives.
- Use of regions, availability zones, end points etc.
- Verify you have a procedure for granting remote, Internet or VPN access to employees.
- VPN connectivity (e.g. VPN to customer in any VPCs owned, Direct Connect Private Connections etc.).
- Assess the implementation and management of antimalware for cloud instances.
Review of penetration testing results.
Review documented process for configuration and patching.
Review API calls for in-scope services for delete calls to ensure IT assets have been properly disposed of.
Review of encryption methods used.
Training of employees on cloud technologies chosen.
Our assessment process is simple, yet thorough to ensure we cover all of the areas and security threats that are possible to your environment based on what you are using and how you are configured.
We have standardized methodologies for the different cloud providers’ capabilities and we assess your current designs and configuration to the best practices. When we see an area with a possible deficiency we seek to understand the use of mitigating controls and/or other practices. At times, our clients provide us with re-only access to the environment in order to perform more throughout assessments and other times the Black Box approach is used. We work with you based on your needs and specific requirements.