Migrating to the cloud or moving to a new cloud provider brings a new set of security concerns and more approaches to consider than a traditional environment. In the Crowd Research Partners’ 2018 Cloud Security Report, 84% of organisations said their traditional security tools were no longer sufficient to manage cloud-based security.
This Cloud Security Assessment Checklist provides a high-level list of security areas to consider when assessing the security of your cloud environment.
Implementation of the security checklist items will vary according to your unique environment, but the principles remain the same regardless of how they are implemented.
Cloud Security Assessment Checklist
Implementing cloud security best practice covers multiple areas of your environment and business. Security needs to be an organisation-wide concern, not just the responsibility of one person or one team.
Step 1: Policies and Procedures
The responsibility for a secure system falls on both the cloud provider and you, the client.
In a worrying statistic, Gartner estimates that “through 2022, at least 95% of cloud security failures will be the customer’s fault.” Having comprehensive policies and procedures in place, and making sure they are followed, will help eliminate this area as a threat.
- Have all security policies and procedures been updated to include the cloud?
- Are there security procedures in place for on-boarding employees?
- Are there procedures in place when employees leave or change role?
- Do you have procedures to deal with any security violations?
Step 2: Access management
Identity and access management is an important first step in securing your cloud environment. It controls how users are identified and authenticated, as well as who has the ability to assign access rights.
In 2016, Forrester estimated that “80% of security breaches involved privileged credentials”. It’s important to be proactive in ensuring secure access to your environment.
- Who has access to your systems? Are they appropriately vetted?
- Do all your employees have training in security awareness?
- Are you using multi-factor authentication? Using a minimum of two forms of authentication before granting access provides assurance that the person requiring access is who they say they are.
- Is your guest access controlled? Guest access can lead to potential vulnerabilities. Ensure their permissions are limited and only set them up when needed.
Step 3: Networking
Using a cloud-based environment puts much of the responsibility for network security onto the cloud provider. You need to ask:
- Are there gateway security measures against malware injections? Injecting malicious code into cloud services can allow hackers to intercept and steal sensitive data.
- Are there security measures in place against network-based attacks? Disabling RDP access from the internet and restricting internet SSH and SQL Server access will help prevent brute force attacks on VMs.
- Is all sensitive material encrypted over less-trusted networks?
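The RDP, SSH and SQL Server question above can be checked mechanically against exported firewall rules. The following is an added example, not part of the original checklist or any provider's tooling: the rule fields (name, priority, direction, access, source, ports) are a hypothetical simplified schema, and the sample rules are constructed.

```python
import ipaddress

# Ports the checklist singles out: RDP, SSH and SQL Server.
SENSITIVE_PORTS = {3389: "RDP", 22: "SSH", 1433: "SQL Server"}
# Source values meaning "anywhere on the internet" in this hypothetical schema.
ANY_SOURCE = {"*", "any", "internet"}

def is_internet_source(source):
    """True if the rule's source covers the whole internet (IPv4 or IPv6)."""
    if source.lower() in ANY_SOURCE:
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # unknown tags are not treated as internet-wide

def ports_in(spec):
    """Sensitive ports covered by a spec such as '22', '20-25,1433' or '*'."""
    covered = set()
    for part in str(spec).split(","):
        part = part.strip()
        if part == "*":
            return set(SENSITIVE_PORTS)
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        covered |= {p for p in SENSITIVE_PORTS if lo <= p <= hi}
    return covered

def exposed_services(rules):
    """Return (rule name, service) pairs reachable from the internet."""
    # Lowest priority number wins: the first internet-wide rule that matches
    # a port decides it, so an earlier Deny suppresses a later Allow.
    findings, decided = [], set()
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or not is_internet_source(rule["source"]):
            continue
        for port in sorted(ports_in(rule["ports"]) - decided):
            decided.add(port)
            if rule["access"] == "Allow":
                findings.append((rule["name"], SENSITIVE_PORTS[port]))
    return findings

def _rule(name, priority, access, source, ports):
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": access, "source": source, "ports": ports}

SAMPLE_RULES = [  # constructed sample data, not from a real environment
    _rule("allow-rdp-any", 100, "Allow", "0.0.0.0/0", "3389"),
    _rule("deny-ssh-internet", 110, "Deny", "*", "22"),
    _rule("allow-mgmt-range", 200, "Allow", "Internet", "20-25,1433"),
    _rule("allow-sql-office", 300, "Allow", "203.0.113.0/24", "1433"),
]
```

On the sample rules, RDP and SQL Server are reported as internet-exposed, while SSH is not because the higher-priority deny rule decides it first.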
Step 4: Backup and data recovery
Data can be lost through a variety of factors, from hardware failure to natural disaster or malicious action. A recovery plan is vital to protect against devastating data loss.
- Does your cloud provider adequately address backup and data recovery with thorough plans and procedures? This must include physical storage locations, physical access to server facilities and plans for natural disasters.
- Do you undertake regular testing to ensure successful restoration? Regular checking of your backups and your restoration procedures will ensure a smooth recovery if the worst ever happens.
Step 5: Security Patches and Updates
Keeping your systems updated with the latest security patches is a vital step in maintaining a secure environment. Ask yourself:
- Are you installing the latest security patches?
- Are you able to show what patches are installed?
- Are you testing security patches on a development environment before deploying to live servers?
- Do you regularly scan your environment for system vulnerabilities?
Step 6: Logging and monitoring
It can take a company six months or more to discover a security breach. Therefore, it’s important to make sure that your system activity is being logged and saved for future analysis.
- How long are you maintaining your logs for?
- Are you logging whenever applications touch sensitive data?
- Are you logging activities such as changes in policy assignments, network security groups and security policies?
- Are you monitoring your system for suspected security breaches?
Step 7: Data encryption
Encryption ensures that even if your data is breached, it is useless to the hacker as long as the keys are secure. The more sensitive the information is, the more important it is to secure it with encryption.
- Are you encrypting all sensitive information stored on servers and in transit?
- Have you safeguarded all private keys for certificates and public keys?
Azure Scaffold and Codify’s Azure Foundation make security easy
The checklist of tasks above gives important factors to consider when assessing the security of your cloud environment.
Microsoft’s Azure Scaffold provides the framework needed for a secure cloud environment. Codify’s Azure Foundation delivers the Scaffold platform as well as a governance solution. This combination helps organisations implement a fit-for-purpose cloud environment.
Use our Cloud Security Assessment Checklist as the first step to assessing your cloud-based environment.