Uncovering Cloud Risks
In our previous article, we touched upon risks related to cloud computing, cultural transformation, and compensating controls. This article is written with examples for Microsoft Azure and seeks to educate on what an accurate Cloud Security Assessment should offer to provide value. In reality, most organizations we engage with that have moved to the cloud are operating with risks, often introduced in the early stages before knowledge of the best practice and pitfalls. How can we help organizations identify these risks and provide actionable remediation guidance?
Our value statement for the Cloud Security Assessment is that we can uncover risks that are intricate to discover while trivial for a threat actor to abuse. Our assessment produces various findings, often related to the following:
- Architectural flaws
- Risks related to misconfiguration that are less trivial to uncover.
While organizations utilize tools such as Azure Policies to scan for CIS Benchmark Compliance or the AWS Prowler tool, our assessments examine for flaws that require in-depth knowledge of cloud risks and how a sound architecture can eliminate attack paths or increase the likelihood of detection.
The customer provides a read-only role in the environment, allowing us to extract metadata relevant for further processing.
We leverage numerous open-source tools with slight modifications and custom scripts to fit our purpose. Some of the open-source tools we use:
- AzureHound and BloodHound for mapping the relationship between identities and resources, where we apply custom queries to identify relevant risks for each scenario.
- ScoutSuite to create an overview of the assets.
- MicroBurst to conduct reconnaissance activities.
We have contributed to these tools and will continue to when we identify improvements.
In addition to the tools, we leverage the Azure REST API, Az CLI, and Azure PowerShell with custom queries to programmatically identify flaws during the assessment for the Azure assessments.
Typical metadata we extract for further processing:
- Assets/resources from Azure Resource Graph to map their relation to other assets/resources in the environment.
- Service Principals, Users, and Managed Identities to analyze its adherence to the Principle of Least Privilege.
- Azure Policies and any other guardrails.
Additionally, to see the full picture and provide an accurate assessment we sometimes need:
- Documentation of the core platform’s architecture.
- Understanding of the setup between deployment pipeline(s) and Azure subscriptions.
Once we have the data, we proceed with the most time-consuming phase, where we thoroughly analyze the data gathered to identify any risks posed to their environment and apply the customer's context to exclude inapplicable risks from the output. The processing phase is often peer-reviewed to reduce the risk of inaccuracies or something that went overlooked.
When performing a Cloud Security Assessment, it's important to have a methodology that uncovers risks beyond CIS controls and not report on obvious findings such as storage being unencrypted, but rather focus on architectural flaws that result in lack of visibility, lack of segmentation and other design decisions that may pose a risk. This methodology can only be applied by an assessor with in-depth knowledge of cloud security architecture.
Communicating the results
Our reports must be accurate and actionable and provide a prioritized effort for risk reduction. We write guidance that applies our knowledge of architectural best practices to building a secure cloud platform specific to the customer and their goals. Our advice will vary based on customers' security maturity goals and the nature of the data processed.
To summarize our engagement, we provide a written report with detailed recommendations, and an executive briefing and host technical workshops to discuss the results in greater detail.
Customer testimonial - Nordic Brain Tech
A Cloud Security assessment from O3 Cyber assured us that our platform is built robust and meets our current needs for security and scalability. It helped us define the path for continued resilience while scaling our Azure environment through recommendations and expert guidance.
- Marcus, Chief Technology Officer, Nordic Brain Tech
A cloud security assessment can be seen as similar to a penetration test, it is not something you do on a weekly or monthly basis, that’s where other controls are important, it should be run when the platform has undergone major changes through either the sum of many small changes or a decision to build a new platform. It is also helpful early in cloud migration, to validate that the architecture is sound and robust, even if you follow well-known frameworks.
We have found that our Cloud Security Assessment offering has proven useful for a company seeking to uncover cloud-related risks and improve its security posture.