Cloud Security
We offer a number of services to help you secure your public cloud infrastructure and software-as-a-service (SaaS) applications.
AWS, Azure, and Google Cloud
Security Standards Development
Many organizations go right to detecting configuration risks within their cloud environment without first defining security requirements. We can help you define security standards for each of the AWS or Azure services that your organization uses so that your cloud teams know exactly how to configure resources securely from the start.
Benefits of Service Security Standards
- Secure configurations upon initial resource configurations
- Consistent configurations throughout the cloud environment
- Service coverage beyond CIS and your CSPM tool’s out-of-the-box policy set
SRA’s Approach
- Work with you to identify the cloud services your teams are currently using
- Draft security requirements for each of your cloud services
- Review the draft requirements with your cloud teams and incorporate any feedback
AWS: Download PDF | Azure: Download PDF
Cloud Security Program Assessment
A secure cloud environment requires much more than just secure configurations; it takes a program. Our methodology looks beyond point-in-time configurations and instead focuses on the people, processes, and technologies in place to secure your AWS or Azure cloud environment today and tomorrow.
Cloud Security Program Assessment Overview
Our approach to cloud security goes beyond cloud security posture management (CSPM) — we firmly believe that it takes a program to secure a cloud environment. While CSPM tools can provide great insight into configuration risks within your cloud environment, they often have limited-to-no visibility into third party security tools, team structure, and/or organization processes. We have developed an assessment methodology which reviews the people, processes, and technologies that support your cloud environment and identifies gaps based on industry-recognized frameworks and general best practices.
Focus Areas
Below are the areas which we focus on during the Cloud Security Program Assessments:
- Governance
- Architecture & Networking
- Identity & Access Management
- Vulnerability Management
- Logging & Monitoring
- Incident Response
- Service Hardening
- Pipeline
- Data Protection
- Resilience
AWS: Download PDF | Azure: Download PDF
Cloud Configuration Assessment
Some AWS or Azure configuration risks are very easy to find — public resources, excessive permissions, encryption, etc. Others, such as role trusts to third-party AWS identities or virtual network peerings across environments, are much more challenging because contextual information is required. Our enumeration-based approach to configuration risk detection can help to identify risks which may have otherwise gone unnoticed.
Cloud Configuration Assessment Overview
Our configuration assessments provide a set of tactical recommendations to improve the security posture of your cloud environment based on point-in-time configurations. Our approach includes a combination of scanning your AWS or Azure accounts/subscriptions with several open-source tools, enumerating your cloud resources and configurations with custom scripts, and reviewing your cloud console. For all findings identified, we provide you with a list of affected resources making it easy for your teams to investigate and remediate risky configurations.
AWS ServicesBelow are example AWS services which are covered by our AWS Configuration Assessments:
|
Azure Services:Below are example Azure services which are covered by our Azure Configuration Assessments:
|
AWS: Download PDF | Azure: Download PDF
Don’t see one of your AWS services listed? Let us know, and we will likely be able to create custom enumeration scripts if we don’t have coverage already.
Azure
Don’t see one of your Azure services listed? Let us know, and we will likely be able to create custom enumeration scripts if we don’t have coverage already.
Get Started!
Let us know if you would like us to provide cloud security services for you by completing the contact form.