As part of a Cloud Configuration Review, we conduct interviews with application stakeholders (business analysts, developers, testers, program and product managers, etc.) to understand your application’s business context and security criteria. Following this, we analyze your cloud environment using both manual techniques and automated tools. The following are some of the security concerns we review during a Cloud Configuration Review:
The methodology used to develop and execute these reviews is an amalgam of manual and automated techniques that factor in best practices from cloud service providers and security standards from reputable sources (including hardening guides such as the Center for Internet Security [CIS] Benchmarks). We periodically align our methodology to the compliance and regulatory standards that many organizations have to adhere to when implementing computing services (HIPAA/HITECH, ISO/IEC 27001, ISO/IEC 27017, PCI DSS 3.x, etc.).
At the end of a configuration review, we deliver a summary of your implemented security controls, our opinion on the effectiveness of these controls, and remediation guidance detailing how to improve poorly implemented controls. We can provide a sample of a configuration review deliverable on request.
A Cloud Configuration Review focuses primarily on the application’s supporting cloud infrastructure. It provides insight into how effective the cloud application is at using a cloud provider’s security controls to protect workloads. Traditional penetration testing cannot answer this question.
Customers who are familiar with the shared responsibility model of the cloud can use a configuration review as a litmus test: How well are you using the security features offered by your cloud provider? Are there any mistakes you should correct quickly before your application starts receiving production traffic?
Another way to understand a configuration review is as an assessment of the infrastructure supporting the cloud application. Because most cloud providers expose infrastructure configuration programmatically, much of this configuration is now the responsibility of development teams and the stakeholders responsible for DevOps. A Cloud Configuration Review assures stakeholders that the infrastructure has been properly configured to follow best practice guidelines and compliance/regulatory standards.