Cloud Security Assessment Methods
By Aditya Sanjay Chawan
whoami
 Cybersecurity Analyst at Network Intelligence
 1+ year at NII
 Swimming, reading, football and volleyball
 CEH, CCP
Cloud is not fully secure!
 Despite its many benefits, cloud has its drawbacks
 Well-known companies such as Uber, Sony, Target, Capital One, Marriott, Dropbox and Equifax have been breached (not all of these were cloud breaches; Capital One's 2019 incident is the textbook cloud case: an SSRF against a misconfigured WAF instance reached the EC2 metadata service, and the IAM role credentials obtained there were used to read S3 buckets)
 Attackers are already ahead, so what can we do?
 Does the traditional security approach still work?
 Cloud security needs a different approach
Cloud Security Assessment Methods
 Methods that are used to check the security of your
cloud environment, identify any weaknesses and
vulnerabilities, and provide suggestions to fix those
issues.
 End goal is to identify potential security risks,
vulnerabilities, and misconfigurations and to provide
actionable recommendations.
Cloud Security Assessment Methods include
 Cloud Security Posture Review & Management
 Cloud Configuration Review
 Cloud Architecture Review
 Container Security Assessment
 Infrastructure as Code Security
Cloud Security Posture Review and Management
 Assess the security measures, policies and processes an organization has in place to secure its cloud environment
 Most cloud incidents trace back to misconfiguration and poor management, often introduced in the early stages of a deployment and carried through its lifecycle
 It is all about Monitoring, Policy and Remediation
 Threat intelligence, compliance and risk management teams, business leaders and SMEs all benefit from the output
 Can be integrated into DevSecOps pipelines so that posture checks run on every change
1. Discover
• Define the scope
• As resources are deployed, the cloud assets and the data they hold are identified immediately
2. Assess
• Evaluate platform misconfigurations
• Maintain compliance by continuously checking existing security configurations and measuring them against a given compliance standard
3. Monitor
• Detect suspicious activity across workloads
• Continuously monitor the environment for malicious or unauthorized activity and access to cloud resources, flagging policy violations and other concerns in real time
4. Protect
• Automate protection and policy enforcement of resources in real time
• Policy-based enforcement (who can access what data)
• Remediation (resolve violations)
Cloud Security Posture Review and Management
 Typical findings: publicly accessible S3 buckets, infrastructure wrongly provisioned through IaC templates, and designs produced without an experienced cloud architect
 Tools include Azure Security Center (now Microsoft Defender for Cloud), DivvyCloud by Rapid7 (now InsightCloudSec), CrowdStrike Falcon Horizon (now Falcon Cloud Security), CloudSploit and Scout Suite
Cloud Configuration Review
 Configuration is the fine-grained setting of every element of a cloud environment so that the elements interoperate and communicate, and do so securely
 The number of services and settings makes cloud configuration harder to get right than on premises
 CIS Benchmarks (Level 1 and Level 2 profiles), PCI DSS and NIST publications are the usual baselines
 Everything is an API call, so every setting can be read and checked programmatically rather than by clicking through a console
Define Scope
•Clearly define the scope of the configuration review, including the specific cloud services and resources that will be evaluated.
Identify the Assets
•Identify all the assets in the cloud environment and their configurations, such as virtual machines, storage accounts and network resources.
Evaluate the Configuration Settings
•Evaluate the configuration settings of the cloud environment against industry best practices and regulatory requirements.
Reporting
•Document the findings of the configuration review, including any vulnerabilities or non-compliances identified.
Cloud Configuration Review
 Typical findings: insecure key management (long-lived or unrotated access keys, keys in code), inadequate access control through IAM settings, over-privileged accounts, inadequate logging and monitoring, non-compliance with the chosen baseline
 Tools include AWS Config, Prowler, Scout Suite and Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps, a CASB aimed at SaaS usage rather than IaaS configuration)
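The Assess step of posture management and the "evaluate the configuration settings" step of a configuration review are the same mechanical job: take a snapshot of the account's configuration and run it through a set of benchmark-derived rules. The script below is an added example written for this page, not code from the presentation or from any of the tools it names. The inventory is a constructed snapshot of a hypothetical account, the rule IDs (S3.1, IAM.4 and so on) are labels for this script rather than official CIS control numbers, and the 90-day key age and the fixed clock are assumptions; in a real review the snapshot comes from the provider API (boto3 list/describe/get calls) or from a tool such as Prowler or Scout Suite.

```python
"""Added example: a minimal posture/configuration checker.

Walks a snapshot of the account's configuration and applies CIS-style rules,
returning ranked findings. The inventory below is constructed for this example
(a hypothetical account); rule IDs such as "S3.1" are labels for this script,
not official CIS control numbers.
"""
from datetime import datetime, timezone

# Fixed clock so key-age results are reproducible (assumption for the example).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

INVENTORY = {  # constructed snapshot of a hypothetical account
    "s3_buckets": [
        {"name": "corp-public-site", "block_public_access": False, "acl_public_read": True,
         "default_encryption": True, "access_logging": True},
        {"name": "corp-backups", "block_public_access": True, "acl_public_read": False,
         "default_encryption": False, "access_logging": False},
    ],
    "iam_policies": [
        {"name": "AdminEverything", "document": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
        {"name": "ReadBackups", "document": {"Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::corp-backups/*"}]}},
    ],
    "iam_users": [
        {"name": "ci-deployer", "mfa": False,
         "access_keys": [{"id": "key-1", "created": "2023-01-15"}]},
        {"name": "alice", "mfa": True,
         "access_keys": [{"id": "key-2", "created": "2024-05-20"}]},
    ],
    "cloudtrail": {"enabled": True, "multi_region": False, "log_file_validation": False},
}


def _as_list(value):
    # IAM allows a string or a list in Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]


def check_s3(inv):
    for b in inv["s3_buckets"]:
        if b["acl_public_read"] or not b["block_public_access"]:
            yield "S3.1 bucket publicly accessible", b["name"], "HIGH"
        if not b["default_encryption"]:
            yield "S3.2 default encryption disabled", b["name"], "MEDIUM"
        if not b["access_logging"]:
            yield "S3.3 access logging disabled", b["name"], "LOW"


def check_iam_policies(inv):
    for p in inv["iam_policies"]:
        for st in p["document"]["Statement"]:
            if st.get("Effect") != "Allow":
                continue
            actions = _as_list(st.get("Action", []))
            resources = _as_list(st.get("Resource", []))
            # "*" or "service:*" on Resource "*" is effectively an admin grant.
            if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
                yield "IAM.1 wildcard action on all resources", p["name"], "HIGH"
            # Allow + NotAction grants everything except the listed actions.
            if "NotAction" in st and "*" in resources:
                yield "IAM.2 Allow with NotAction on all resources", p["name"], "HIGH"


def check_iam_users(inv, max_key_age_days=90):
    for u in inv["iam_users"]:
        if not u["mfa"]:
            yield "IAM.3 MFA not enabled", u["name"], "HIGH"
        for k in u["access_keys"]:
            created = datetime.fromisoformat(k["created"]).replace(tzinfo=timezone.utc)
            if (NOW - created).days > max_key_age_days:
                yield (f"IAM.4 access key older than {max_key_age_days} days",
                       f"{u['name']}/{k['id']}", "MEDIUM")


def check_cloudtrail(inv):
    ct = inv["cloudtrail"]
    if not ct["enabled"]:
        yield "LOG.1 CloudTrail disabled", "account", "HIGH"
        return
    if not ct["multi_region"]:
        yield "LOG.2 CloudTrail not multi-region", "account", "MEDIUM"
    if not ct["log_file_validation"]:
        yield "LOG.3 log file validation disabled", "account", "LOW"


RULES = [check_s3, check_iam_policies, check_iam_users, check_cloudtrail]
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def assess(inv):
    """Run every rule and return findings sorted by severity, then rule id."""
    findings = [{"rule": r, "resource": res, "severity": sev}
                for rule in RULES for r, res, sev in rule(inv)]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["rule"]))


if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"[{f['severity']:<6}] {f['rule']:<40} {f['resource']}")
```

Each rule is a generator so new checks slot in without touching the reporting code, and the findings are sorted by severity so the report leads with what the team should fix first. The IAM.2 rule is there because an Allow statement with NotAction is a frequently missed way of granting near-admin rights while looking restrictive.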
Cloud Architecture Review
 Aims to pinpoint weaknesses and design flaws so that a more mature and secure cloud environment can be built
 A manual, logic-driven review that looks at the environment from a higher level than individual settings
 Looks for security at each layer, centralized management of components, sound infrastructure design and adherence to best practices
 The review depends on the service model in use (SaaS, PaaS, IaaS), because the shared responsibility boundary moves with it
Understand the Cloud Environment
•Identify all the assets in the cloud environment,
including servers, storage, and network resources.
•This can be done by reviewing the cloud provider's
management console or using automated tools to discover
assets.
Documentation and Compliance Certifications
•Review the cloud provider's documentation and
compliance certifications to understand the security
controls they have in place.
•This includes understanding the shared responsibility
model for security in the cloud.
Evaluate the security of the network architecture
•Review the architecture of the cloud environment,
including the network design, access controls, VPNs,
Firewall.
•This can include reviewing network topology, firewall
rules, and VPN configurations.
Review the security of the servers and storage
•Includes reviewing patching and vulnerability
management process.
•This can include reviewing server configurations, patch
management processes, and vulnerability scanning
results.
Discussion Round with the Team
•Summarize the overall findings of the review, including
any significant vulnerabilities or risks that were
identified.
•Discuss the priority of the issues and recommend which critical vulnerabilities to address first.
Reporting
•Provide detailed information about any specific issues
that were identified, including the potential impact and
likelihood of them being exploited.
•Provide clear and actionable recommendations for
addressing the identified issues, including any necessary
steps to mitigate or eliminate the vulnerabilities.
Cloud Architecture Review
 Typical findings: inadequate network security, such as missing firewalls, security groups or IDS
 Inadequate segregation between tenants and a lack of isolation for sensitive workloads
 Risks introduced by third-party vendors, APIs and services integrated into the cloud environment
 Visualisation tools such as Cloudcraft help to draw and review the topology
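The "evaluate the security of the network architecture" step and the segregation findings above come down to one question: from the internet, which tiers can be reached, over which ports, and through how many controls? The script below is an added example written for this page (not code from the presentation or from Cloudcraft) that models tiers as nodes and allowed flows as directed edges and enumerates every internet-to-data-tier path. The topology is constructed for the example and the tier names are hypothetical; in a real review the edges come from security-group rules, NACLs and route tables exported with the provider CLI.

```python
"""Added example: segmentation check for an architecture review.

Tiers are nodes, allowed flows (security-group / firewall rules) are directed
edges. The topology below is constructed for this example.
"""

# Constructed allow rules: (source, destination, port). "internet" = 0.0.0.0/0.
ALLOW_RULES = [
    ("internet", "lb", 443),
    ("lb", "web", 8080),
    ("web", "app", 9000),
    ("app", "db", 5432),
    ("internet", "bastion", 22),   # admin port open to the world
    ("bastion", "db", 5432),       # public host talks straight to the data tier
    ("web", "db", 5432),           # web tier bypasses the app tier
]
SENSITIVE_TIERS = {"db"}
ADMIN_PORTS = {22, 3389}


def build_graph(rules):
    graph = {}
    for src, dst, port in rules:
        graph.setdefault(src, []).append((dst, port))
    return graph


def simple_paths(rules, start="internet"):
    """Every loop-free path from start, as lists of (node, port) hops."""
    graph = build_graph(rules)
    paths = []

    def walk(node, path, seen):
        for dst, port in graph.get(node, []):
            if dst in seen:
                continue
            hop = path + [(dst, port)]
            paths.append(hop)
            walk(dst, hop, seen | {dst})

    walk(start, [], {start})
    return paths


def segmentation_findings(rules, sensitive=SENSITIVE_TIERS, admin_ports=ADMIN_PORTS):
    """Flag admin ports exposed to the internet and every internet->sensitive path,
    shortest paths first (fewer hops = fewer controls between attacker and data)."""
    findings = []
    for src, dst, port in rules:
        if src == "internet" and port in admin_ports:
            findings.append({"type": "admin port exposed",
                             "path": f"internet -> {dst}:{port}", "hops": 1})
    for path in simple_paths(rules):
        if path[-1][0] in sensitive:
            text = " -> ".join(["internet"] + [f"{n}:{p}" for n, p in path])
            findings.append({"type": "sensitive tier reachable",
                             "path": text, "hops": len(path)})
    return sorted(findings, key=lambda f: f["hops"])


if __name__ == "__main__":
    for f in segmentation_findings(ALLOW_RULES):
        print(f"{f['hops']} hop(s)  {f['type']:<25} {f['path']}")
```

On the constructed topology the two-hop path through the bastion and the three-hop path that skips the application tier are the findings an architecture review should raise; the four-hop path via the load balancer, web and app tiers is the intended design and is reported so the reviewer can confirm it is the only one that should remain.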
Container and Kubernetes Security
 Containers are isolated processes (kernel namespaces and cgroups) that package one application component with its dependencies; they share the host kernel rather than running their own
 Containers in the same Kubernetes pod share volumes and a network namespace (one IP address), so they can talk to each other over localhost
 Kubernetes "orchestrates" containers, but its security-relevant settings (RBAC, network policies, pod security, API server flags) are not secure by default and must be configured deliberately
[Diagram: a Kubernetes cluster made up of several nodes; each node runs pods; within a pod, containers 1 and 2 share volumes and one IP address.]
Define Scope and Understand the Infrastructure and Containers
Perform the Scanning
•Container image scanning
•Kubernetes scanning
•Scanning of exposed network interfaces
Manual Assessment
•Identify the common misconfiguration-related vulnerabilities
•API server assessment
Audit against CIS Benchmarks
•Ensure that the cluster and its containers comply with regulatory and industry standards
Reporting
•Provide a summary of findings
•Provide recommendations
Container and Kubernetes Security
 Typical findings: container breakouts where escaping the container to the host is possible, use of insecure or unverified image registries, an insecurely configured API server
 Insecure pod and network policies, improper cluster configuration that destabilizes the platform, inadequate namespace isolation
 Tools include kube-bench, kube-hunter, Terrascan, Clair and kubeaudit
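The "manual assessment" step and the breakout findings above are mostly about what a pod spec allows. The script below is an added example written for this page, not code from the presentation or from kubeaudit or kube-bench; it walks a pod manifest and flags the settings that make a breakout or lateral movement easy (privileged containers, host namespaces, hostPath mounts, missing runAsNonRoot, unpinned images, no limits, the default namespace). The two manifests are constructed: one deliberately weak debugging pod and one hardened pod, with a hypothetical registry name, given as dicts of the shape yaml.safe_load would return so the example runs without PyYAML.

```python
"""Added example: pod-spec misconfiguration checks for a manual assessment.

Manifests are constructed for this example and given as dicts (what
yaml.safe_load returns). The checks mirror the hardening points in the
Kubernetes Pod Security Standards; the message wording is this script's own.
"""

BAD_POD = {  # constructed: a typical "just for debugging" pod
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "debug-shell", "namespace": "default"},
    "spec": {
        "hostNetwork": True,
        "hostPID": True,
        "volumes": [{"name": "rootfs", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell",
            "image": "busybox:latest",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "rootfs", "mountPath": "/host"}],
        }],
    },
}

GOOD_POD = {  # constructed: hardened equivalent (registry name is hypothetical)
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "api", "namespace": "payments"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{
            "name": "api",
            "image": "registry.example/payments/api@sha256:" + "0" * 64,
            "securityContext": {
                "runAsNonRoot": True,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}


def check_pod(manifest):
    """Return (resource, message) findings for one Pod manifest."""
    findings = []
    meta = manifest.get("metadata", {})
    spec = manifest.get("spec", {})
    ns = meta.get("namespace", "default")
    pod = f"{ns}/{meta.get('name', '?')}"

    if ns == "default":
        findings.append((pod, "runs in the default namespace (no tenant isolation)"))
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append((pod, f"{key}: true shares a host namespace"))
    if spec.get("automountServiceAccountToken", True):  # Kubernetes default is true
        findings.append((pod, "service account token auto-mounted"))

    host_volumes = {v["name"] for v in spec.get("volumes", []) if "hostPath" in v}
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        ref = f"{pod}/{c['name']}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append((ref, "privileged: true (trivial container breakout)"))
        if sc.get("allowPrivilegeEscalation", True):  # default is true
            findings.append((ref, "allowPrivilegeEscalation not set to false"))
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append((ref, "runAsNonRoot not enforced"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((ref, "root filesystem is writable"))
        dropped = [x.upper() for x in sc.get("capabilities", {}).get("drop", [])]
        if "ALL" not in dropped:
            findings.append((ref, "capabilities not dropped (expect drop: [ALL])"))
        image = c.get("image", "")
        tail = image.rsplit("/", 1)[-1]
        if "@sha256:" not in image and (":" not in tail or tail.endswith(":latest")):
            findings.append((ref, f"image not pinned to a digest: {image}"))
        if not c.get("resources", {}).get("limits"):
            findings.append((ref, "no resource limits (noisy neighbour / DoS)"))
        for m in c.get("volumeMounts", []):
            if m["name"] in host_volumes:
                findings.append((ref, f"hostPath volume mounted at {m['mountPath']}"))
    return findings


if __name__ == "__main__":
    for manifest in (BAD_POD, GOOD_POD):
        print(manifest["metadata"]["name"], "->", len(check_pod(manifest)), "finding(s)")
        for ref, msg in check_pod(manifest):
            print("  ", ref, ":", msg)
```

Running it on a whole namespace is a matter of feeding each document from `kubectl get pods -o yaml` through check_pod; the combination of privileged, hostPID and a hostPath mount of / in the first manifest is exactly the pattern behind most real container breakouts, and the hardened manifest shows which fields close each finding.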
Infrastructure as Code Security
 Infrastructure is managed and deployed using code rather than by hand
 Declarative vs imperative
 Chef recipes are usually classed as imperative; Terraform and Puppet are declarative. Ansible modules are declarative but playbooks run tasks in order, so it is often said to support both
 We look at code review, code repository security, access control, backup and recovery, compliance, encryption and ghost resources (resources that exist in the cloud but not in the code)
Understand the Infrastructure and Identify Sensitive Data
•Understand the infrastructure that the IAC templates and
configurations will be deployed to, including the components
and their interactions
•Identify sensitive data, such as passwords and private keys,
used in the IAC templates and configurations.
Static Code Analysis
• Identify potential security vulnerabilities and misconfigurations
Perform Dynamic Testing
Deploying the IAC templates and configurations to a test
environment and testing them for security vulnerabilities and
misconfigurations.
Automated Scanning
Using Vulnerability scanners to test the
IAC templates and configurations for
known security vulnerabilities and
misconfigurations.
Compliance Review
Ensuring that the IAC templates and
configurations are compliant with
regulatory and industry standards
Documentation Review
Review the documentation of the IAC
templates and configurations to ensure
that it is accurate and up-to-date
Reporting
Provide a summary of the overall security of the IaC templates and configurations and any areas where improvements are needed.
Infrastructure as Code Security
 Typical findings: hardcoded secrets, use of default templates, lack of encryption, insecure third-party modules and dependencies, unnecessary network exposure
 Tools include Checkov, Terrafirma, CloudSploit and Terrascan. CloudFormation itself is AWS's IaC service rather than a scanner; Checkov and cfn-nag scan CloudFormation templates.
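The static-analysis step of the IaC procedure and the findings listed above (hardcoded secrets, lack of encryption, unnecessary network exposure) come down to pattern checks on the templates, and the "ghost resources" point needs a comparison between what the code declares and what is actually live. The script below is an added example written for this page, not code from the presentation or from Checkov, Terrascan or Terrafirma. The Terraform snippet and the live inventory are constructed, the resource names are hypothetical, and the HCL handling is a deliberately simple regex split that assumes flat top-level blocks; a real review uses a proper parser for the scan and `terraform state list` plus the provider API for the drift comparison.

```python
"""Added example: two IaC review helpers.

scan_hcl() is a small regex-based static scan of Terraform HCL for hardcoded
secrets, world-open ingress, disabled encryption and public exposure.
drift() compares the resources the code declares with what is live to surface
ghost resources. The HCL and the live inventory are constructed for this example.
"""
import re

TERRAFORM = '''
resource "aws_db_instance" "orders" {
  engine              = "postgres"
  username            = "app"
  password            = "Sup3rS3cret!"   # literal credential in code
  storage_encrypted   = false
  publicly_accessible = true
}

resource "aws_security_group_rule" "ssh_any" {
  type        = "ingress"
  from_port   = 22
  to_port     = 22
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"]
}

resource "aws_s3_bucket" "logs" {
  bucket = "orders-logs"
}

variable "db_password" {
  type      = string
  sensitive = true
}
'''

# Constructed live inventory, keyed by the Terraform address each resource was tagged with.
LIVE_RESOURCES = {
    "aws_db_instance.orders",
    "aws_s3_bucket.logs",
    "aws_s3_bucket.tmp-export",     # created by hand, never codified
    "aws_instance.jumpbox-old",     # left behind after a migration
}

HEADER = re.compile(r'^(resource|data|variable|module)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{', re.M)
SECRET_ASSIGN = re.compile(r'\b(password|secret|token|api_key|access_key)\s*=\s*"(?!\$\{)[^"]+"', re.I)
AWS_KEY_ID = re.compile(r'\bAKIA[0-9A-Z]{16}\b')
OPEN_CIDR = re.compile(r'"0\.0\.0\.0/0"')
FROM_PORT = re.compile(r'from_port\s*=\s*(\d+)')


def blocks(hcl):
    """Split HCL into (kind, type, name, body). Assumes flat top-level blocks,
    which is enough for this example; nested blocks need a real HCL parser."""
    heads = list(HEADER.finditer(hcl))
    out = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(hcl)
        out.append((h.group(1), h.group(2), h.group(3), hcl[h.end():end]))
    return out


def scan_hcl(hcl):
    """Return (address, severity, message) findings for each resource block."""
    findings = []
    for kind, rtype, name, body in blocks(hcl):
        if kind != "resource":
            continue
        addr = f"{rtype}.{name}"
        for m in SECRET_ASSIGN.finditer(body):  # literal value, not a var/ref
            findings.append((addr, "HIGH", f"hardcoded secret in '{m.group(1)}'"))
        if AWS_KEY_ID.search(body):
            findings.append((addr, "HIGH", "AWS access key ID literal"))
        if re.search(r'type\s*=\s*"ingress"', body) and OPEN_CIDR.search(body):
            port = FROM_PORT.search(body)
            findings.append((addr, "HIGH",
                             f"ingress from 0.0.0.0/0 on port {port.group(1) if port else '?'}"))
        if re.search(r'\b(storage_)?encrypted\s*=\s*false', body):
            findings.append((addr, "MEDIUM", "encryption at rest disabled"))
        if re.search(r'publicly_accessible\s*=\s*true', body):
            findings.append((addr, "HIGH", "resource is publicly accessible"))
    return findings


def declared_addresses(hcl):
    return {f"{rtype}.{name}" for kind, rtype, name, _ in blocks(hcl) if kind == "resource"}


def drift(declared, live):
    """ghost = live but not in code; unapplied = in code but not live."""
    return {"ghost": live - declared, "unapplied": declared - live}


if __name__ == "__main__":
    for addr, sev, msg in scan_hcl(TERRAFORM):
        print(f"[{sev}] {addr}: {msg}")
    print(drift(declared_addresses(TERRAFORM), LIVE_RESOURCES))
```

The secret regex deliberately ignores `"${...}"` interpolations so that `password = var.db_password` (or a Vault data source) passes while a literal fails, which is the distinction that matters in review. Ghost resources are the more interesting half for an assessor: anything live that the code does not declare has no owner, no review history and usually no hardening, and will not be covered by the static scan at all.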
Thank you for listening patiently