
Why Do A Cloud Security Assessment?
Posted on Friday, January 10th, 2020 by

As cyber-attacks targeting cloud infrastructures increase, using a cloud security assessment can help you determine how best to reduce your organization’s risk.

Indeed, cloud computing has become firmly established in organizations of all sizes and across all sectors. A cloud-based infrastructure facilitates digital transformation, offering opportunities to use best-of-breed cloud apps to help improve productivity. It also enables remote working and, in doing so, helps your organization maintain a competitive edge. However, cloud computing also offers opportunities for cybercriminals. In the first half of 2019, 4.1 billion data records were breached, a 54% increase on the previous year.

Cloud-based cyber-attacks are now a common occurrence, and big names and small alike are at risk. In 2019, cloud security attacks were successful at companies including Capital One, Facebook, MS Azure (Elasticsearch) and countless others. Many of these attacks were caused by vulnerabilities and/or misconfigurations in the organization’s cloud infrastructure. For example, when an organization uses a third party to host IT resources, it faces this question: just who is responsible for security, and where are the security gaps and weaknesses? This is why carrying out a Cloud Security Assessment is so critical to reducing risks to your organization’s cloud infrastructure.

What is a Cloud Security Assessment?

As organizations across the globe moved to cloud computing, the idea of an on-premise network perimeter to protect data became no longer relevant. Cloud providers, like Amazon Web Services (AWS), Microsoft Azure and many others, worked to provide assurances that they could offer secure environments to replace the old network perimeter. However, there is a point at which cloud provisioning and the responsibility for data security become somewhat fuzzy. This has led to the concept of the “shared responsibility model”. Shared responsibility is described as:

  • Security of the cloud – the responsibility of the cloud provider
  • Security in the cloud – the responsibility of the customer (organization client)

In other words, the cloud vendor must provide the security of the infrastructure pieces, such as the Operating System (OS), the virtualization layer, physical security, etc.

What does it mean for your organization?

  1. You, the customer, i.e. the organization using the cloud, are responsible for cloud apps and data. This includes security controls such as encryption for data-in-transit and at-rest.
  2. Shared responsibility for data security means that an organization must ensure that they uphold their side of the equation. This is where a cloud security assessment comes in.
  3. A cloud security assessment is a process that allows you to test the security of cloud-based data. The result is a view of your “Cloud Security Posture” that can be used to improve the security of data and cloud apps.

The industry body OWASP provides a number of areas in its “Top Ten” cloud security risks. These areas can be used as a basis for identifying any potential issues in your cloud-based apps and data. The assessment will target these areas to identify and reduce risks such as misconfigurations and vulnerabilities. However, a cloud assessment will go further, looking across all areas of cloud use, including user behavior, access control policies, and your cloud architecture. The assessment will also provide recommendations and action items if any area falls short of being secure.

What Happens During a Cloud Security Assessment?

To perform a cloud security assessment, security experts will analyze an organization’s cloud infrastructure, data governance, and security policies. The assessment follows a sequence of steps that cover the following.

1-   Data access, use of data

The assessment will explore how your organization uses data. This will include the handling and processing of personal data and other sensitive information. This will also include identifying data movement and access.

2-   Assessment of security gaps and recommendations

The assessment team will look at your current security posture to locate any security issues and gaps. Areas that expose assets or vulnerabilities will be identified. If you plan to migrate to a new cloud environment or update an existing cloud infrastructure, this will also be analyzed.

3-   Map security policies to business and identify gaps

Your current security policies will be reviewed. They will be updated as required to reflect your business needs in line with your cloud strategy. One of the goals of this phase is to build a bridge between enterprise risk management and operational security efficiency. It can also be part of a general data protection compliance analysis, offering recommendations.

4-   Generate audit and report

The result is a full audit of your systems; this involves generating a full cloud cybersecurity posture evaluation report. This report will include recommended changes to your security posture.

Benefits of Doing a Cloud Security Assessment

Carrying out a cloud security assessment is a practical and strategic exercise to improve your cloud security health. Here are five major benefits to your organization that an assessment offers.

1-   Locate gaps in security

Find security gaps before a cybercriminal does, so your business can close them.

2-   Provide data for risk analysis

Enterprise risk management is a process that requires information to evaluate risk. A cloud security assessment provides these data.

3-   Improve visibility of data and assets

Knowing what data you have, and its full lifecycle, is vital not only for cybersecurity analysis but also for ensuring your organization can meet the stringent needs of data protection regulations. Data visibility also provides the knowledge needed to apply the right security measure at the right part of a data lifecycle.

4-   Help with data protection regulation

Many data protection regulations require that you have full visibility of your data. Data mapping exercises as well as Data Privacy Impact Assessments (DPIA) can be helped by going through the process of a cloud security assessment.

5-   Understand where to improve security

A cloud security assessment will show you where there are gaps in your security posture. This exploration will include looking at your access control measures. One area of security that is of increasing importance is Identity and Access Management (IAM). A cloud security assessment will help you identify where to apply the principle of least privilege to ensure that you set access on a need-to-know basis.

Conclusion

A cloud security assessment helps you reduce your risk, and it is a practical process that offers many benefits. Enterprises of all sizes embrace cloud computing. You are ultimately responsible for making sure you do not leave the door open to cybercrime. To do so, an enterprise requires a methodology that drills down into the areas where an organization is most at risk. A cloud security assessment teases apart any areas within a cloud computing model that increase risk. In doing so, it also improves the visibility of the data lifecycle.

In an era where cybercrime is now commonplace, having an analytical approach to security is vital. Cyber-threats are complex and multi-faceted. We need to use a cloud security assessment to counterbalance these gross threats.
