Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Help shape the future of cloud security! Take our quick survey on SaaS Security and AI.

How to Get the Most from Your Cloud Security Assessment

Home
Industry Insights
How to Get the Most from Your Cloud Security Assessment

Blog Article Published: 08/20/2024

Originally published by Bell.

Written by Jack Mann, Senior Technical Product Manager, Cyber Security, Bell.

A cloud security assessment can provide great insight into how well you’re protecting your cloud-based data and workloads. However, the actual value of that assessment to your organization will come down to the vendor who delivers it.

In this article, I cover what to look for when searching for a cloud security assessment vendor and share tips for evaluating possible candidates to make the best choice for your business and its security.

So, what makes for an ideal cloud security assessment partner? It boils down to having the right tools, expertise and approach.


1. The right tools

There are many different cloud security assessment tools out there. Some have strengths in specific areas, but are weak in others. Your ideal partner will use the tools that sufficiently cover everything that your business does in the cloud. Otherwise, those tools won’t provide the visibility needed to identify all the security gaps and configuration issues potentially present within your cloud environment.

To make sure that your partner’s tools are suitable for the areas most relevant to your organization, you need to be aware of all the ways that your business uses the cloud. Take inventory across your organization by asking questions like:

  • What cloud-based services are teams using and for what purposes?
  • Are any teams developing applications in the cloud?
  • Is your organization doing any kind of serverless computing or using container technology?

To make sure you get a comprehensive picture of how your organization uses the cloud, security partners may offer tools that can automatically scan your environment and generate a detailed inventory of all the cloud services that you’re currently using. With those insights, the next step is to ensure that the tools and systems used by the vendor are robust and broad enough in their capabilities. Favour those that cover many security areas because these are more likely to be able to expose and protect all the cloud services that your business uses. At the very least, confirm that the vendor’s tools assess cloud network security (which includes critical elements like infrastructure entitlement management, and identity and access management) as well as computing and development areas within the cloud, including:

  • Visibility
  • Compliance
  • Governance
  • Threat detection
  • Identity and access management
  • Infrastructure as code
  • Hosts
  • Containers and serverless computing
  • Web application and API security (WAAS)
  • Software composition analysis


2. The right expertise

Tools are only one element of a cloud security assessment. What really makes the difference are the people who assess the output of those tools. It’s just as important to evaluate the skills and experience of the vendor’s team, as well as whether the vendor is certified in all areas that matter to your business.

Your ideal partner will have hands-on experience assessing the cloud security of other organizations within your particular sector or industry, and will assign a person or team who has that experience and knowledge to conduct your assessment. This ensures that they’re aware of any specific standards and frameworks that apply to your company, and know how businesses should comply with them.

On the certification side, look for certifications tied to compliance standards or government regulations that apply to your business or the cloud services that you use. Additionally, be sure to confirm that the vendor is certified in the tools that they would use for the assessment, if such certifications are available.


3. The right approach

Each organization and every cloud environment is different. A good vendor will take the time to get to know yours from the very start of the engagement, then tailor their assessment to your unique needs. Through close consultation with your teams, the ideal cloud security assessment provider will come to understand the specifics of your cloud environment and determine what security framework best applies to your business. Using these insights, they’ll assign someone to the assessment who has the right experience, certifications and knowledge of compliance standards.

Because there’s no such thing as one-size-fits-all when it comes to cloud security, a good vendor will offer multiple levels of assessment to meet varying organizational needs – and recommend the best option based on a deep understanding of yours. For instance, a vendor might offer a basic infrastructure assessment that focuses on your cloud-based assets, as well as a broader, enterprise-wide assessment that looks at the policies, processes and people across your company. The latter can ensure that nothing is in place at the organizational level that is inadvertently contributing to security issues in your cloud environment. A good vendor will also ask questions throughout the assessment process and may use what they learn to change course if necessary, such as by deprioritizing temporary environments or going deeper into high-importance areas.

Crucially, the right vendor won’t merely grant you access to a cloud security assessment tool and leave it to you to use. That approach isn’t uncommon in the industry, but it never leads to a good outcome because you need to know the tool inside and out to get any useful results. Similarly, they won’t just hand you a report at the end of the process and be on their way. Instead, they’ll walk you through the findings to explain their recommendations and the remediation available to improve your cloud security posture.


About the Author

Jack Mann is the Senior Technical Product Manager for the Bell Cybersecurity practice.

In this role Jack drives the development of products and solutions that helps organizations to solve security problems, enhance productivity and improve their security posture. Jack started his career at Bell in 2021 as a Product Manager. Prior to joining Bell, Jack spent 16 years at CGI where he led Cloud Computing and Business Solutions.

ComplianceEnhancing cloud security strategyTransitioning to the cloud

Share this content on your favorite social network today!

Cloud Assurance
Related Resources
STAR
The industry's standard for security assurance in the cloud.
Cloud Controls Matrix & CAIQ v4
The standard cybersecurity control framework.
Trusted Cloud Provider
Demonstrate your commitment to holistic security.
Latest from CSA
Download the Non-Human Identity Security Report
Register for CSA's Global AI Symposium
CCZT: Now with Zero Trust Strategy
Trending This Week
#1 Top 10 Linux Server Hardening and Security Best Practices
#2 The Common Misconfigurations that Lead to Cloud Data Breaches
#3 The Implications of AI in Cybersecurity: A Transformative Journey
#4 The 6 Phases of Data Security
#5 9 Best Practices for Preventing Credential Stuffing Attacks
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
Burdens and Benefits of Shared Security Responsibility Model (SSRM) in Cloud Computing

Published: 09/13/2024

5 Key Data Privacy and Compliance Trends in 2024

Published: 09/13/2024

IDC Analyst Brief Findings: Trust Centers Can Help Organizations Save Time and Accelerate Sales

Published: 09/12/2024

As Non-Human Identity Attacks Soar, Cloud Security Alliance and Astrix Security Reveal Critical Gaps in Non-Human Identity Protection

Published: 09/12/2024