The transition to enterprise cloud computing is growing rapidly, potentially outgrowing security processes and practices. With cloud estates spanning across multiple clouds, accounts, workloads, and applications, the sheer scale of the cloud makes proper security a challenge.
Malicious actors are not only able to enter environments via improper network configurations, workload vulnerabilities, and compromised identity credentials, but also execute recon once in an environment. Attackers exploit overprivileged identities to move laterally through an environment in search of an accumulation of power or the right high-value asset.
Cloud misconfigurations are a leading cause of attacker entry. These misconfigurations are improper or insufficient uses of controls within the cloud environment. Examples include not enabling logging, leaving ports open to the internet, or leaving default access settings open. Correct configurations are the foundation of strong cloud security, and fixing them is often low-hanging fruit.
The cloud is largely run via microservices and a proliferation of machine identities like APIs, roles, service accounts, serverless functions, and more. It is very common for these entities to be overprivileged by developers for the sake of ease and flexibility. The danger is attackers will jump from one identity to the next to accumulate a toxic combination of permissions that can give them the power to disrupt applications, delete infrastructure, or wipe your cloud clean.
One very common way to assess whether identities hold proper privileges is to apply the Principle of Least Privilege. This states that identities should hold only the permissions absolutely necessary to their job function. If your organization evaluates logging and sees that an identity did not use an assigned permission in over 60 days, it is fair to assume the permission is an unnecessary risk and strip it. Further potential identity and access risks include toxic combinations, privilege escalation capabilities, and insecure access keys.
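The 60-day unused-permission review described above can be run as a comparison of granted permissions against activity logs. This is an added example, not taken from any tool the page mentions; the identity names, permission strings and log format are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: granted permissions per identity (names are hypothetical).
GRANTED = {
    "svc-billing": {"storage:Read", "storage:Delete", "iam:PassRole"},
    "fn-resize":   {"storage:Read", "storage:Write"},
}

# Constructed activity log: (ISO timestamp, identity, permission exercised).
EVENTS = [
    ("2024-05-28T10:00:00+00:00", "svc-billing", "storage:Read"),
    ("2024-02-01T09:30:00+00:00", "svc-billing", "storage:Delete"),  # stale use
    ("2024-05-30T12:00:00+00:00", "fn-resize",   "storage:Read"),
    ("2024-05-30T12:00:05+00:00", "fn-resize",   "storage:Write"),
    ("2024-05-29T08:00:00+00:00", "fn-resize",   "iam:PassRole"),    # not granted to fn-resize
]

def last_use(events):
    """Map (identity, permission) -> most recent timestamp seen in the log."""
    seen = {}
    for ts, identity, perm in events:
        when = datetime.fromisoformat(ts)
        key = (identity, perm)
        if key not in seen or when > seen[key]:
            seen[key] = when
    return seen

def unused_permissions(granted, events, now, window_days=60):
    """Return {identity: [(permission, last_used_or_None), ...]} for grants with
    no recorded use inside the window. Use by another identity does not count."""
    cutoff = now - timedelta(days=window_days)
    seen = last_use(events)
    findings = {}
    for identity, perms in granted.items():
        stale = []
        for perm in sorted(perms):
            used = seen.get((identity, perm))
            if used is None or used < cutoff:
                stale.append((perm, used))
        if stale:
            findings[identity] = stale
    return findings

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for identity, stale in unused_permissions(GRANTED, EVENTS, now).items():
        for perm, used in stale:
            print(identity, perm, "last used:", used.date() if used else "never")
```

A finding is only as reliable as the logging behind it: if logging was not enabled for the whole window, a permission can look unused when it is not.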
Many assessments offer a clear risk score based on how many concerns were found or on a comparison against an industry standard. A great way to better prioritize and understand risks is through asset classification. If your organization knows what all of its workloads, applications, and data stores are, what data they hold access to, and how serious that information is, it can help inform what top priorities should be.
Detective controls are practices implemented to ensure future detection of cloud risks. A great example is the continuous monitoring features in security tools. This is a way to review logging and activity in the environment so you never miss an incident. Additionally, semi-frequent audits are a great way to do a larger overhaul of the cloud estate and ensure everything is up to par.
Corrective controls are practices like policy updates, patching vulnerabilities, rotating access keys, or cleaning up unused or orphaned identities: anything your organization implements to fix concerns raised in cloud risk assessments.
Cloud security is an ongoing effort, not a one-off process. Ideally your organization implements policies and practices that offer continuous security. This will in turn make any audit or assessment far less of a burden when the time comes around.
Organizations can implement security policies to help offload manual work and ensure best practices are upheld. The best way to achieve this is by leveraging a cloud security tool with prebuilt or customizable frameworks and policies. Policies can be compliance-related, to ensure mandates like HIPAA or PCI-DSS are maintained, or can encode best practices like Least Privilege or Least Access.
Conducting cloud security risk assessments is critical to overall cloud risk management. They find gaps in your current security procedures and allow teams to implement new controls to fix issues. Aside from sufficient controls around platform configurations, workload security, and network access, a major priority in risk assessment should be identity and access.
Proper permission and access control is a defense-in-depth strategy that considers what an attacker can do once the perimeter is breached. Organizations want to strip actors of any possible lateral movement.
The assessment can cover various aspects of cloud security, including data privacy, data integrity, access control, identity and access management (IAM), network security, and compliance with relevant laws and regulations. It can be performed by internal security teams or by third-party security experts who specialize in cloud security. The results of the assessment can help identify areas where improvements in cloud security are necessary and create a plan to remediate any identified issues or vulnerabilities.
ENISA is carrying out a risk assessment of cloud computing with input from 30 experts from major companies and academic institutions. The paper should provide an assessment of key risks and their mitigation strategies in cloud computing which will allow:
ENISA contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow.
The goal of a cloud risk assessment is to ensure that the systems and data that exist in, or are being considered for migration to, the cloud don't introduce any new or unidentified risk into the organization. The focus is to ensure confidentiality, integrity, availability, and privacy of information processing and to keep identified risks below the accepted internal risk threshold.
In a shared responsibility model, the Cloud Service Provider (CSP) is responsible for managing security and compliance of the cloud as the provider. The customer remains responsible for managing and configuring security and compliance in the cloud in accordance with their needs and risk tolerance.
Cloud deployments can be categorized as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS). Depending upon the applicable cloud service model, the level of responsibility over the security controls for the solution shifts between the CSP and the customer. In a traditional on-premises model, the customer is responsible for the whole stack. When moving to the cloud, all physical security responsibilities transfer to the CSP. Depending on the cloud service model for your organization, additional responsibilities shift over to the CSP. However, in most cloud service models, your organization remains responsible for the devices used to access the cloud, network connectivity, your accounts and identities, and your data. Microsoft invests heavily in creating services that allow customers to stay in control of their data across the entire lifecycle.
Microsoft Cloud operates at hyperscale, relying on a combination of DevSecOps and automation to standardize operating models. Microsoft's operating model changes the way risk is approached compared to traditional on-premises operating models, leading to the implementation of different and sometimes unfamiliar controls to manage risks. When conducting your cloud risk assessment, keep in mind that Microsoft's goal is to ensure all risks are addressed, but not necessarily to implement the same controls your organization does. Microsoft may address the same risks with a different set of controls, and that should be reflected in the cloud risk assessment. Additionally, some risks in a traditional on-premises design are of lower severity in a cloud environment, and vice versa. Designing and implementing strong preventive controls can reduce much of the work required by the detective and corrective controls. An example of this is Microsoft's implementation of Zero Standing Access (ZSA).
Microsoft recommends that customers map their internal risk and controls framework to an independent framework that addresses cloud risks in a standardized way. If your existing internal risk assessment models don't address the specific challenges that come with cloud computing, you'll benefit from these broadly adopted and standardized frameworks. Your internal control framework may already be a conglomeration of multiple standardized frameworks; having these controls mapped to their corresponding frameworks will help during your assessment.
A secondary benefit is that Microsoft provides mappings against these frameworks in documentation and tools that will accelerate your risk assessments. Examples of these frameworks include the ISO 27001 Information security standard, CIS Benchmark, and NIST SP 800-53. Microsoft offers the most comprehensive set of compliance offerings of any CSP. For more information, see Microsoft compliance offerings.
Use Microsoft Purview Compliance Manager to create your own assessments that evaluate compliance with the industry and regional regulations that apply to your organization. Assessments are built upon the framework of assessment templates, which contain the necessary controls, improvement actions, and where applicable, Microsoft actions for completing the assessment. For Microsoft actions, detailed implementation plans and recent audit results are provided. This way, time can be saved on fact finding, mapping, and researching how specific controls are implemented by Microsoft. For more information, see the Microsoft Purview Compliance Manager article.
While the customer is responsible for managing and configuring security and compliance in the cloud, the CSP is responsible for managing security and compliance of the cloud. One way to validate that the CSP is effectively addressing their responsibilities and upholding their promises is to review their external audit reports such as ISO and SOC. Microsoft makes external audit reports available to authenticated audiences on the Service Trust Portal (STP).
On-demand learning path: Microsoft Learn offers hundreds of learning paths and modules on different topics. Amongst them, take Learn how Microsoft safeguards customer data to understand Microsoft's fundamental security and privacy practices.