How to Get the Most from Your Cloud Security Assessment
Published 08/20/2024
Originally published by Bell.
Written by Jack Mann, Senior Technical Product Manager, Cyber Security, Bell.
A cloud security assessment can provide great insight into how well you’re protecting your cloud-based data and workloads. However, the actual value of that assessment to your organization will come down to the vendor who delivers it.
In this article, I cover what to look for when searching for a cloud security assessment vendor and share tips for evaluating possible candidates to make the best choice for your business and its security.
So, what makes for an ideal cloud security assessment partner? It boils down to having the right tools, expertise and approach.
1. The right tools
There are many different cloud security assessment tools out there. Some have strengths in specific areas, but are weak in others. Your ideal partner will use the tools that sufficiently cover everything that your business does in the cloud. Otherwise, those tools won’t provide the visibility needed to identify all the security gaps and configuration issues potentially present within your cloud environment.
To make sure that your partner’s tools are suitable for the areas most relevant to your organization, you need to be aware of all the ways that your business uses the cloud. Take inventory across your organization by asking questions like:
- What cloud-based services are teams using and for what purposes?
- Are any teams developing applications in the cloud?
- Is your organization doing any kind of serverless computing or using container technology?
To get a comprehensive picture of how your organization uses the cloud, security partners may offer tools that automatically scan your environment and generate a detailed inventory of the cloud services you currently use. With that inventory in hand, the next step is to ensure that the vendor’s tools and systems are robust and broad enough in their capabilities. Favour those that cover many security areas, because they are more likely to expose gaps across all the cloud services your business uses rather than only the ones a single-purpose tool happens to understand. At the very least, confirm that the vendor’s tools assess the cloud infrastructure layer (network security, cloud infrastructure entitlement management, and identity and access management) as well as the computing and development areas within the cloud, including:
- Visibility
- Compliance
- Governance
- Threat detection
- Identity and access management
- Infrastructure as code
- Hosts
- Containers and serverless computing
- Web application and API security (WAAS)
- Software composition analysis
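The inventory step above is usually done by vendor tooling, but the same picture can be built from the audit logs a cloud account already produces. The script below is an added example written for this article, not Bell’s tooling or any product named here. It assumes CloudTrail-style JSON records (eventSource, eventName, awsRegion, userIdentity.arn) and a constructed sample log; the mapping from services to the assessment areas listed above is our own illustration. Services that fall outside the mapping are reported as unclassified, which is exactly the blind spot to raise with a prospective vendor.

```python
"""Derive a cloud service inventory from audit-log events.

Added example, not part of the original article or any vendor tooling.
Assumes CloudTrail-style JSON records; the sample below is constructed.
"""
import json

# Constructed sample in CloudTrail's field layout (not real logs).
SAMPLE_LOG = """\
{"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331", "awsRegion": "ca-central-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}}
{"eventSource": "ecs.amazonaws.com", "eventName": "RunTask", "awsRegion": "ca-central-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-runner"}}
{"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}}
{"eventSource": "eks.amazonaws.com", "eventName": "CreateCluster", "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/platform-admin"}}
{"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}}
{"eventSource": "lambda.amazonaws.com", "eventName": "Invoke", "awsRegion": "ca-central-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/api-gw"}}
{"eventSource": "sagemaker.amazonaws.com", "eventName": "CreateNotebookInstance", "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ds-bob"}}
"""

# Illustrative mapping from service short name to the assessment areas the
# article lists. Assumption: this classification is ours, not a standard.
AREA_BY_SERVICE = {
    "lambda": "containers and serverless computing",
    "ecs": "containers and serverless computing",
    "eks": "containers and serverless computing",
    "ec2": "hosts",
    "iam": "identity and access management",
    "s3": "visibility",
}


def parse_jsonl(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def service_name(event_source):
    """'lambda.amazonaws.com' -> 'lambda'. Other shapes are kept verbatim."""
    if event_source.endswith(".amazonaws.com"):
        return event_source.split(".", 1)[0]
    return event_source


def build_inventory(events):
    """Group events by service: regions touched, principals calling it,
    call count, and the assessment area the service falls under."""
    inventory = {}
    for ev in events:
        svc = service_name(ev["eventSource"])
        entry = inventory.setdefault(svc, {
            "regions": set(), "principals": set(), "calls": 0,
            "area": AREA_BY_SERVICE.get(svc, "unclassified"),
        })
        entry["regions"].add(ev["awsRegion"])
        entry["principals"].add(ev["userIdentity"]["arn"])
        entry["calls"] += 1
    return inventory


def areas_in_use(inventory):
    """Assessment areas the environment actually exercises, i.e. the
    minimum a vendor's tooling must cover."""
    return sorted({e["area"] for e in inventory.values()})


def unclassified_services(inventory):
    """Services no assessment area accounts for: the coverage gap to
    raise with the vendor before the engagement starts."""
    return sorted(s for s, e in inventory.items() if e["area"] == "unclassified")


if __name__ == "__main__":
    inv = build_inventory(parse_jsonl(SAMPLE_LOG))
    for svc, e in sorted(inv.items()):
        print(f"{svc:10} {e['calls']:2} calls  regions={sorted(e['regions'])}  "
              f"principals={len(e['principals'])}  area={e['area']}")
    print("areas in use:", areas_in_use(inv))
    print("unclassified:", unclassified_services(inv))
```

Run against a real export, the unclassified list is the question to put to each candidate vendor: which of these services does your tooling actually assess, and how?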
2. The right expertise
Tools are only one element of a cloud security assessment. What really makes the difference are the people who assess the output of those tools. It’s just as important to evaluate the skills and experience of the vendor’s team, as well as whether the vendor is certified in all areas that matter to your business.
Your ideal partner will have hands-on experience assessing the cloud security of other organizations within your particular sector or industry, and will assign a person or team who has that experience and knowledge to conduct your assessment. This ensures that they’re aware of any specific standards and frameworks that apply to your company, and know how businesses should comply with them.
On the certification side, look for certifications tied to compliance standards or government regulations that apply to your business or the cloud services that you use. Additionally, be sure to confirm that the vendor is certified in the tools that they would use for the assessment, if such certifications are available.
3. The right approach
Each organization and every cloud environment is different. A good vendor will take the time to get to know yours from the very start of the engagement, then tailor their assessment to your unique needs. Through close consultation with your teams, the ideal cloud security assessment provider will come to understand the specifics of your cloud environment and determine what security framework best applies to your business. Using these insights, they’ll assign someone to the assessment who has the right experience, certifications and knowledge of compliance standards.
Because there’s no such thing as one-size-fits-all when it comes to cloud security, a good vendor will offer multiple levels of assessment to meet varying organizational needs – and recommend the best option based on a deep understanding of yours. For instance, a vendor might offer a basic infrastructure assessment that focuses on your cloud-based assets, as well as a broader, enterprise-wide assessment that looks at the policies, processes and people across your company. The latter can ensure that nothing is in place at the organizational level that is inadvertently contributing to security issues in your cloud environment. A good vendor will also ask questions throughout the assessment process and may use what they learn to change course if necessary, such as by deprioritizing temporary environments or going deeper into high-importance areas.
Crucially, the right vendor won’t merely grant you access to a cloud security assessment tool and leave it to you to use. That approach isn’t uncommon in the industry, but it rarely leads to a good outcome, because you need to know the tool inside and out to get any useful results from it. Similarly, they won’t just hand you a report at the end of the process and be on their way. Instead, they’ll walk you through the findings, explain their recommendations and lay out the remediation options available to improve your cloud security posture.
About the Author
Jack Mann is the Senior Technical Product Manager for the Bell Cybersecurity practice. In this role Jack drives the development of products and solutions that help organizations solve security problems, enhance productivity and improve their security posture. Jack started his career at Bell in 2021 as a Product Manager. Prior to joining Bell, Jack spent 16 years at CGI where he led Cloud Computing and Business Solutions.