Many of our customers use cloud IaaS/PaaS/SaaS solutions or connect their on-premises infrastructure to the cloud through federation and other means. This poses new challenges for their IT staff, who may not be aware of all the new risks and security features of cloud systems. We address these risks by conducting technical audits of cloud and hybrid infrastructures and by establishing cloud IT governance practices. We have in-depth competence in auditing and operating the following cloud solutions:
- Microsoft Azure: security configuration and compliance of Intune-managed devices, threat hunting with Microsoft Defender ATP (now Microsoft Defender for Endpoint), Azure Monitor/Log Analytics and the Azure Sentinel SIEM.
- Google Cloud Platform (GCP) stack and managed Kubernetes (GKE).
- AWS and managed Kubernetes (EKS).
- Kubernetes security, including audits of Ingress, Deployment, Service and other objects.
- Docker image security.
Project case: GCP infrastructure security audit
The project goal was to assess the security level of the customer's cloud infrastructure. The penetration test was conducted in white-box mode, meaning the auditor had full access to the infrastructure. The governance practices were assessed against COBIT, ISO/IEC 20000, NIST CSF, and the CSA Cloud Controls Matrix. Some controls were also taken from ISO/IEC 27001 to give the customer a full picture of their infrastructure security. As a result, detailed pentest and governance audit reports with recommendations were provided to the customer. A retest was conducted later to verify that the HIGH-rated vulnerabilities and process weaknesses had been fixed. These included:
- Public access to storage buckets containing confidential data.
- Out-of-date software in Docker images.
- Overly broad project-level access rights granted to service accounts.
- Multiple members of the development team holding admin rights, without MFA.
- Hardcoded passwords in Kubernetes objects.
- Hardcoded cloud API access keys in the source code.
- Firewall rules not applied to a NoSQL database that had a public IP address and a password-less interface.
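Four of the finding classes above (public bucket IAM, primitive project roles on service accounts, literal secrets in Kubernetes environment variables, and cloud API keys committed to source) can be detected mechanically from exported configuration. The script below is an added illustration written for this page, not code from the audit or from Google; the bucket policy, project policy, Deployment and source files are constructed samples in the shape of `gcloud ... get-iam-policy --format=json`, `kubectl get deploy -o json` output and a source tree, and the API key in them is a fake that only matches the public `AIza...` key format.

```python
"""Offline checks for the GCP finding classes listed above (added example).

Inputs are constructed samples; nothing here contacts GCP or a cluster.
"""
import re

# Principals that make a bucket readable by anyone or by any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Primitive roles: far wider at project scope than any single workload needs.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
# Env var names that should come from a Secret (valueFrom.secretKeyRef), not a literal.
SECRET_NAME_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)
# Google API key format (AIza + 35 chars) and a service-account JSON private key.
SOURCE_KEY_RES = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "sa_private_key": re.compile(r'"private_key"\s*:\s*"-----BEGIN'),
}


def public_bucket_bindings(policy):
    """Return (role, member) pairs on a bucket IAM policy that grant public access."""
    return [(b["role"], m) for b in policy.get("bindings", [])
            for m in b.get("members", []) if m in PUBLIC_MEMBERS]


def wide_service_account_roles(policy):
    """Return (member, role) pairs where a service account holds owner/editor on the project."""
    return [(m, b["role"]) for b in policy.get("bindings", [])
            if b["role"] in PRIMITIVE_ROLES
            for m in b.get("members", []) if m.startswith("serviceAccount:")]


def hardcoded_env_secrets(workload):
    """Return (container, env name) pairs where a secret-looking env var has a literal value.

    Works for a Pod (spec.containers) and for a Deployment (spec.template.spec.containers).
    """
    spec = workload.get("spec", {}).get("template", workload).get("spec", {})
    hits = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for env in c.get("env", []):
            if SECRET_NAME_RE.search(env["name"]) and "value" in env:
                hits.append((c["name"], env["name"]))
    return hits


def hardcoded_cloud_keys(files):
    """Return (path, kind) for every file whose text contains an API key or SA private key."""
    return [(path, kind) for path, text in files.items()
            for kind, rx in SOURCE_KEY_RES.items() if rx.search(text)]


# Constructed samples (hypothetical names and values).
BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:ops@example.com"]},
]}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["serviceAccount:ci@example.iam.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:dev1@example.com", "user:dev2@example.com"]},
]}
DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [{
    "name": "api",
    "env": [
        {"name": "DB_PASSWORD", "value": "hunter2"},          # literal: finding
        {"name": "DB_USER", "value": "api"},                  # not a secret
        {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "api", "key": "token"}}},
    ]}]}}}}
SOURCES = {  # constructed file contents; the key below is a fake matching only the format
    "app/config.py": 'MAPS_KEY = "AIza0123456789abcdefghijklmnopqrstuvwxy"\n',
    "deploy/sa.json": '{"type": "service_account", "private_key": "-----BEGIN PRIVATE KEY-----\\n..."}',
    "README.md": "Set MAPS_KEY in the environment.\n",
}


def run_all():
    """Run every check over the samples and return the findings by category."""
    return {
        "public_buckets": public_bucket_bindings(BUCKET_POLICY),
        "wide_sa_roles": wide_service_account_roles(PROJECT_POLICY),
        "hardcoded_env": hardcoded_env_secrets(DEPLOYMENT),
        "keys_in_source": hardcoded_cloud_keys(SOURCES),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

The admin-without-MFA finding is deliberately left out: an IAM policy export shows who holds `roles/owner`, but MFA enforcement lives in the identity provider (Cloud Identity or Google Workspace), so it has to be verified there rather than from the policy.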
Project case: AWS infrastructure security audit
The project goal was to assess the information security level of the AWS infrastructure and its supporting practices.
AWS Config Rules were used to audit the customer's use of AWS resources for compliance with external frameworks such as the CIS AWS Foundations Benchmark, and with security policies related to the US Health Insurance Portability and Accountability Act (HIPAA), the Federal Risk and Authorization Management Program (FedRAMP), and other regimes.
The audit consisted of two parts: technical verification and interviews. During the project, 75 vulnerabilities were found in the AWS infrastructure, each with detailed recommendations on how to mitigate it. The audit covered the following architecture layers:
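To show what an AWS Config rule actually evaluates, here is the decision logic of a custom rule in the shape of its Lambda handler, written as an added example for this page (it is not code from the audit or from AWS). It implements the CIS AWS Foundations Benchmark control that forbids security groups allowing ingress from 0.0.0.0/0 to port 22; AWS ships a managed rule for the same check (`restricted-ssh`), so the custom form is only for illustration. The event, security group ID and timestamp are constructed, and `put_evaluations()` is isolated in `lambda_handler` so the decision can be run offline.

```python
"""Evaluation logic of a custom AWS Config rule, runnable offline (added example)."""
import json

SSH_PORT = 22
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def port_range_covers(perm, port):
    """True if an ipPermissions entry covers `port` (protocol -1 means all ports)."""
    if perm.get("ipProtocol") == "-1":
        return True
    if perm.get("ipProtocol") != "tcp":
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def unrestricted_ingress(sg_configuration, port=SSH_PORT):
    """Return the any-address CIDRs that expose `port`, or [] if none."""
    exposed = []
    for perm in sg_configuration.get("ipPermissions", []):
        if not port_range_covers(perm, port):
            continue
        # Config records IPv4 ranges both as strings (ipRanges) and objects (ipv4Ranges).
        cidrs = list(perm.get("ipRanges", []))
        cidrs += [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
        exposed += [c for c in cidrs if c in (ANY_V4, ANY_V6)]
    return sorted(set(exposed))


def evaluate(event):
    """Build the Evaluation dict for put_evaluations() from a Config rule event."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    port = int(params.get("port", SSH_PORT))
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates security groups"
    elif item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, note = "NOT_APPLICABLE", "resource deleted"
    else:
        exposed = unrestricted_ingress(item["configuration"], port)
        if exposed:
            compliance, note = "NON_COMPLIANT", f"port {port} open to {', '.join(exposed)}"
        else:
            compliance, note = "COMPLIANT", f"port {port} not exposed to {ANY_V4} or {ANY_V6}"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point Lambda would call; reports the verdict back to AWS Config."""
    import boto3  # only needed inside Lambda, so imported here
    boto3.client("config").put_evaluations(
        Evaluations=[evaluate(event)], ResultToken=event["resultToken"])


# Constructed event in the shape AWS Config sends for a configuration change.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",          # hypothetical
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
            ]},
        },
    }),
    "ruleParameters": json.dumps({"port": 22}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_EVENT), indent=2))
```

The `port` rule parameter makes the same handler reusable for other administration ports (3389 for RDP, for example), and the `NOT_APPLICABLE` branches matter in practice: a rule that reports `NON_COMPLIANT` for deleted resources or the wrong resource type produces noise that hides the real findings.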
- AWS services
- Kubernetes clusters and objects
- Docker images
- Terraform configs