How to Perform a Cloud Risk Assessment

Audit & Compliance CISO Cloud Security
Reading Time: 7 minutes

A cloud security risk assessment is an analysis of an organization’s cloud infrastructure to determine its security posture. This is a critical process for any organization operating out of the cloud to better understand present risks and determine gaps in security coverage. The result is finding potential points of entry, finding evidence of potential compromise, and establishing future controls to better protect critical assets. 

We will explore what can be expected in a cloud security assessment, the benefits of conducting one, and process steps to follow.

Why You Need a Cloud Risk Assessment

The transition to enterprise cloud computing is growing rapidly, potentially outgrowing security processes and practices. With cloud estates spanning across multiple clouds, accounts, workloads, and applications, the sheer scale of the cloud makes proper security a challenge.

Malicious actors are not only able to enter environments via improper network configurations, workload vulnerabilities, and compromised identity credentials, but also execute recon once in an environment. Attackers exploit overprivileged identities to move laterally through an environment in search of an accumulation of power or the right high-value asset.

With breaches costing on average $4.45M, the stakes are high and proper assessment and improved security controls are critical to business continuity, revenue, and data privacy.

Cloud Security Risk Assessment Benefits

Prevent Misconfigurations

Cloud misconfigurations are a leading cause of attacker entry. These misconfigurations are improper or insufficient usage of controls within the cloud environment. Examples are not enabling logging, leaving ports open to the internet, or leaving default access settings open. These configurations are the foundation to strong cloud security and are often low-hanging fruit. An assessment of network controls, access controls, datastores, and workloads can help reveal improper configurations, allowing your teams to remediate before an attacker can exploit them.

Reveal Risky Identities and Permissions

The cloud is largely run via microservices and a proliferation of machine identities like APIs, roles, service accounts, serverless functions, and more. It is very common for these entities to be overprivileged by developers for the sake of ease and flexibility. The danger is attackers will jump from one identity to the next to accumulate a toxic combination of permissions that can give them the power to disrupt applications, delete infrastructure, or wipe your cloud clean. A risk assessment should find identity risks like overprivileging, unused identities, insecure access keys, lateral movement opportunities and more.

Sonrai’s Cloud Identity Diagnostic assesses risks related to unused identities, overprivilege, lateral movement, access keys, trust relationships, and admin identities.

Detect Compromise

Performing a cloud risk assessment is not the same as auditing your cloud for signs of compromise, but it is an opportunity to come across variances from what the normal baseline looks like. This could be logging revealing that access controls were changed on an object storage service or an identity accessing an asset from a location they never have before. These are signs of potential compromise and may help you catch onto an attacker’s activity.

Better Secure Assets

Protecting company assets like sensitive data or applications is a top priority. There are a lot of efforts that ultimately help better protect assets – a large one being identity and access controls. A risk assessment is an opportunity to start at the core of your business – the data itself, and work outwards to determine every entity that can access this information. It is common there are routes to sensitive assets that your team’s never intended to make. This is the result of the complexity of permissions in the cloud. Organizational guidelines, permissions assigned at the identity level, and permissions assigned at the resource level can create a confusing web of privilege. 

Remain Compliant

A lot of compliance standards require audits or assessments of cloud environments to ensure risks are accounted for. Cloud Service Providers follow requirements like ISO/IEC 27001, ISO/IEC 27002, and NIST SP 800-53, which all require risk assessments – not to mention an organization’s own internal standards or industry requirements.

Key Steps for a Cloud Risk Security Assessment

Identifying Cloud Security Risks

Asset Identification and Classification

This is a preliminary step in an assessment – gathering a proper inventory of all assets present in your estate. Data classification and tagging processes help by establishing what the asset is, where it is, and how valuable it is to the organization. Past this is a proper inventory of all workloads and applications as well.

Vulnerability Identification

When you’ve discovered all workloads and applications, the next step is performing vulnerability testing to reveal any potential points of entry an attacker could exploit.

Identity and Privilege Audits

One very common assessment of whether identities hold proper privileges or not is by following the Principle of Least Privilege. This states identities should hold only the permissions absolutely necessary to their job function. If your organization evaluates logging and sees X identity did not use an assigned permission in over 60 days, it is fair to assume it is an unnecessary risk and strip it. Further potential identity and access risks include: toxic combinations, privilege escalation capabilities, and insecure access keys.

Cloud Security Risk Analysis

Risk Likelihood and Impact

When you’ve evaluated the entire landscape including assets, identities, workloads, and platform controls, the next step is determining the likelihood of potential for incidents. On top of that, is determining a blast radius for said incidents. This refers to how far and wide the incident would affect your environment. It is a way to understand how severe a security incident is.

Risk Rating and Prioritization

Many assessments offer a clear risk score dependent on how many concerns were found or compared against an industry standard. A great way to better prioritize and understand risks is through asset classification. If your organization knows what all workloads, applications, and data stores are, what data they hold access to, and how serious that information is, it can help inform what top priorities should be.

Cloud Security Risk Mitigation Strategies

Preventative Controls

When your risks are identified the next step is implementing some controls to prevent future concerns. Some examples include Separation of Duties – a security principle that ensures any given identity does not have an accumulation of privilege that gives them excessive power; IP restricting; security groups within VPCs to protect instances; role-based access controls to help distribute privilege amongst roles for specific functions.

Detective Controls

Detective controls can be implementing practices to ensure future detection of cloud risks. A great example is continuous monitoring features in security tools. This is a way to review logging and activity in the environment so you never miss an incident. Additionally, semi frequent audits are a great way to do a larger overhaul of the cloud estate and ensure everything is up-to-par.

Corrective Controls

Corrective controls are practices like policy updates, patching vulnerabilities, rotating access keys, or cleaning up unused or orphaned identities. Anything your organization implements to fix concerns raised in cloud risk assessments.

Ongoing Cloud Security Assessments

Cloud security is an ongoing effort, not a one-off process. Ideally your organization implements policies and practices that offer continuous security. This will in turn make any audit or assessment far less of a burden when the time comes around.

Organizations can implement security policies to help offload manual work and ensure best practices are upkept. The best way to achieve this is by leveraging a cloud security tool with prebuilt or customizable frameworks and policies. Policies can be compliance related to ensure mandates like HIPAA or PCI-DSS are maintained or can be best practices like implementing Least Privilege or Least Access.

Cloud Security Assessment for Identity and Access

Conducting cloud security risk assessments are critical to revealing risks, gaps in your current security procedures, and implementing new controls to fix issues. Aside from sufficient controls around platform configurations, workload security, and network access, a major priority in risk assessment should be around identity and access. 

Identities and their permissions are the new stepping stones attackers leverage to find unintended pathways to critical assets or accumulate dangerous privilege. Currently, about 1 in 10 identities in the typical enterprise cloud have access to enough privilege they can entirely delete their organization’s cloud.

Proper permission and access control is a defense-in-depth strategy that considers what an attacker can do once the perimeter is breached. Organizations want to strip actors of any possible lateral movement.

Sonrai Security offers a free Cloud Identity Diagnostic to assess an enterprise’s cloud identity access and permission risks and output a security score, what and where the specific risks are, and what an organization can do to fix them – plus, two weeks in the Sonrai tenant to actually address the security findings.

Interested in benefiting from this amazing opportunity? Anyone and everyone can request a Diagnostic today – no installations required.

Cloud risk assessment

FAQs

What’s a cloud security risk assessment?

A cloud security risk assessment is an analysis of an organization’s cloud infrastructure to determine its security posture or potential security risks.

Why do I need a cloud security risk assessment?

Cloud security risk assessments are a critical process that reveals present risks and identifies gaps in security coverage. The result is finding potential points of entry, finding evidence of potential compromise, and future controls to better protect critical assets. 

What key components should be considered during one?

Cloud security risk assessments should consider access controls, misconfigurations, vulnerability management, identity and access permissions, and compliance standards.

How often should an assessment be conducted?

How often Cloud risk assessments should be conducted depends on industry and internal standards or relevant compliance frameworks. It is recommended at least annually or every 2 years.