In recent years there has been a combination of internal computing environments (On Premise) and Cloud in companies. Several cloud companies provide Cloud computing platforms and services, such as:
Infrastructure as a Service: Customers rent the infrastructure (servers, databases) and are responsible for its maintenance.
Platform as a Service: Customers receive a development environment for their use, and the cloud company is responsible for the overall maintenance of the development environment.
Software as a service: The cloud company handles the backend, and the developers concentrate on the frontend.
The leading Cloud service providers are:
- Amazon (AWS)-Their cloud services are called Amazon Web Services. They provide a comprehensive solution for the customer. The main advantage of AWS lies in the large user community and the platform’s maturity, which helps large organizations because of the abundance of services and business partners.
- Google (GCP)- The cloud services are called the Google Cloud Platform. Most people who choose this platform do so because of the integration and support for open source systems. In addition, the system has strengths in the field of machine learning as well as applications initially written for the cloud.
- Microsoft (Azure) – Microsoft’s cloud services are widespread because they integrate with the rest of the company’s development services. In addition, they enable a hybrid work environment thanks to the ability to set up a Domain Controller in Azure. This advantage allows for effortless synergy in organizations that also use On-Premise servers.
- To all these, we must add the Nimbus project to provide cloud services to Israeli government ministries. Nimbus will be subject to the laws of the State of Israel and will inevitably cause the migration of many systems to the cloud within the territory of Israel.
Who would be likely candidates for Cloud Systems Risk Assessment?
- Companies that have moved some or all of the computer systems to a public cloud and want to test their system in terms of information security.
- Companies that are required by their clients or regulations to have a professional survey regarding the information security level of their cloud-based systems.
What are the advantages of conducting a Cloud Systems Risk Assessment?
- A professional examination of various information security aspects of the systems on the cloud performed by cloud-infrastructure-certified experts.
- A professional analysis of information security architecture.
What are the highlights of the test?
The tests are carried out in accordance with the NIST methodology, which constitutes the international standard in the field as well as the best practice of cloud providers, and include the following topics:
- Checking the configuration of the authentication services.
- Architecture.
- Reviewing user and group accounts’ creation protocols.
- Analysis of authentication procedures for access to resources.
- Checking the level of adherence to providing the required minimum permissions.
- How servers, disks, and databases are encrypted.
- Examining the Firewall’s settings.
- Backups and Disaster Recovery.
The transition of infrastructures to the cloud is complex and involves many skills. That complexity presents multiple challenges when planning the architecture regarding information security and during the actual implementation. A professional risk assessment for Cloud systems ensures that security layers are optimally applied.
