POKE ME for any consultancy

Thursday, December 7, 2023

Cloud Security Audit Process

Phase I - Conduct As-Is Analysis

· Technology Assessment
  o Hardware
    § On-premises servers
    § Router/Switch/Firewall
    § Encryption
  o Software
    § OS
    § DB
    § Application (fuzz testing)
  o Cloud
    § Existing
      · Cloudflare (all services being purchased and used)
        o CDN (Content Delivery Network)
        o PWA (Progressive Web App)
      · Radware (all services being purchased and used)
        o Cloud Web Application Firewall (CWAF)
        o Bot Management
    § Capabilities
      · Secure Web Gateway (SWG)
      · Cloud Access Security Broker (CASB)
      · Zero Trust Network Access (ZTNA)
      · Firewall-as-a-Service (FWaaS)
· Data Assessment
  o Company data
  o Customer data
· Communication Assessment
  o Data-in-transit cryptography
· Documentation Assessment
  o Incident Response Plan (IRP)
  o Information System Contingency Plan (ISCP)
  o System Security Plan (SSP)
  o Vulnerability Management Plan (VMP)
  o Concept of Operations (CONOPS)
· Threat Landscape
  o Threat surface
  o Threat vectors
  o Threat actors
    § Nation state
    § Insider threat
    § Competitors
· Compliance Requirements
  o PCI
  o GLBA
  o Privacy Act
  o FISMA 2002
  o GDPR (Europe)
  o DISA STIG
  o CIS Benchmarks

Phase II - To-Be Recommendation

· Technology
  o Hardware Recommendation
    § Router/Switch/Firewall architecture
    § Encryption (AES-256 or higher)
  o Software Hardening Recommendation
    § OS hardening
    § DB hardening
    § Application hardening
    § Data-at-rest encryption
    § Data-in-transit encryption
    § RBAC
  o Cloud Cybersecurity Recommendation
    § Multi-vendor
    § Single vendor
  o Testing Recommendation
    § Based on compliance requirements
· Documentation
  o System Architecture
  o Security Boundary
  o Incident Response Plan (IRP)
  o Information System Contingency Plan (ISCP)
  o System Security Plan (SSP)
  o Vulnerability Management Plan (VMP)
  o Concept of Operations (CONOPS)
