Cloud Security checklist

Is the security team ready for the Cloud?

  • Is the security team aware of / knowledgeable about cloud?
  • Does the organization have a cloud security strategy with which its auditors would be happy?
  • Has security governance been adapted to include cloud?
  • Does the team’s structure enable cloud security?
  • Has the security team updated all security policies and procedures to incorporate cloud?
  • Has the security team provided guidance to the business on how to remain secure within a cloud environment?

Management

  • Is everyone aware of his or her cloud security responsibilities?
  • Is there a mechanism for assessing the security of a cloud service?
  • Does the business governance mitigate the security risks that can result from cloud-based “shadow IT”?
  • Does the organization know within which jurisdictions its data can reside?
  • Is there a mechanism for managing cloud-related risks?
  • Does the organization understand the data architecture needed to operate with appropriate security at all levels?
  • Can the organization be confident of end-to-end service continuity across several cloud service providers?
  • Can the provider comply with all relevant industry standards (e.g. the UK’s Data Protection Act)?
  • Does the compliance function understand the specific regulatory issues pertaining to the organization’s adoption of cloud services?

Operation

  • Are regulatory compliance reports, audit reports and reporting information available from the provider?
  • Does the provider have the right attitude to incident resolutions and configuration management, even when services involve multiple providers?
  • Does using a cloud provider give the organization an environmental advantage?
  • Does the organization know in which application or database each data entity is stored or mastered?
  • Is the cloud-based application maintained and disaster tolerant (i.e. would it recover from an internal or externally caused disaster)?
  • Are all personnel appropriately vetted, monitored and supervised?
  • Is the provider able to deliver a service within the required performance parameters?
  • Is it easy to securely integrate the cloud-based applications at run time and contract termination?
  • Do you know the location from which the provider will deliver support and management services?
  • Do the procurement processes contain cloud security requirements?

Technology

  • Are there appropriate access controls (e.g. federated single sign-on) that give users controlled access to cloud applications?
  • Is data separation maintained between the organization’s information and that of other customers of the provider, at run time and during backup (including data disposal)?
  • Has the organization considered and addressed backup, recovery, archiving and decommissioning of data stored in a cloud environment?
  • Are mechanisms in place for identification, authorization and key management in a cloud environment?
  • Are all cloud-based systems, infrastructure and physical locations suitably protected?
  • Are the network designs suitably secure for the organization’s cloud adoption strategy?

Hardening

  • Install all security patches.
  • Have an easy way to show patches installed.
  • Scan your servers for vulnerabilities (at least quarterly).
  • Remediate vulnerabilities within a reasonable time frame, in an automated way.
  • Bake hardening and patches into images. When servers come up, they should be security- and compliance-“ready.”
  • Build integration testing into your security if you don’t already have it, lest your regression testing be painful.
  • Allow least privileges on ports in firewalls, network ACLs, security groups, iptables/firewall, Windows Advanced Firewalls, and the like. Use Infrastructure as Code if and whenever possible.
  • Use industry guides to help you harden.
  • Don’t shoot for 100 percent up front, but make reasonable progress; this is what auditors expect to see.
  • Use tools to help you scan and harden.
  • Keep a compliance dashboard.
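The least-privilege and compliance-dashboard items above can be checked mechanically. The script below is an added example, not code from the original post; it assumes ingress rules shaped like AWS security-group IpPermission entries and an allowlist of internet-facing ports (443 only) that you would replace with your own standard.

```python
import ipaddress

# Ports allowed to face the whole internet (an assumption for this example).
PUBLIC_OK_PORTS = {443}

def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0: a prefix length of zero covers every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_ingress(rules):
    """Return (rule_index, reason) findings for rules that violate least privilege.
    Each rule is a dict shaped like an AWS security-group IpPermission (IpProtocol,
    FromPort, ToPort, IpRanges, Ipv6Ranges); that shape is an assumption here."""
    findings = []
    for i, rule in enumerate(rules):
        proto = str(rule.get("IpProtocol", "-1"))
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if proto == "-1":  # "-1" means every protocol and therefore every port
            findings.append((i, "all protocols and ports allowed"))
            continue
        if lo is None or hi is None or lo > hi:
            findings.append((i, "port range missing or invalid"))
            continue
        if (lo, hi) == (0, 65535):
            findings.append((i, f"{proto} all ports allowed"))
        ports = set(range(lo, hi + 1))
        for cidr in cidrs:  # world-reachable sources only on allowlisted ports
            if is_world_open(cidr) and not ports <= PUBLIC_OK_PORTS:
                findings.append((i, f"{proto} {lo}-{hi} open to the world via {cidr}"))
    return findings

def compliance_summary(rules):
    """Dashboard-style roll-up: rule count, failing rules and pass rate in percent."""
    failing = {idx for idx, _ in audit_ingress(rules)}
    total, nfail = len(rules), len(failing)
    return {"rules": total, "failing": nfail,
            "pass_rate": round(100.0 * (total - nfail) / total, 1) if total else 100.0}

# Constructed sample (not real data): public HTTPS, world-open SSH, internal SSH,
# an all-protocols rule and an all-ports IPv6 rule.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]
```

Running `audit_ingress` and `compliance_summary` over rules exported from your provider gives the per-rule findings and the pass rate a dashboard would display.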

Logging

  • Use Rsyslog, Windows Event Log Forwarding, third-party tool, etc. for log shipping, and use a method to ship logs securely for analysis, storage, and archiving.
  • Retain logs for minimum control requirements (often 1-7 years).
  • Ensure that storage of logs with sensitive data is encrypted (this includes backups!).
  • Ensure that access to sensitive data is logged.

Encryption

  • Use hardware encryption for encryption at rest. This will reduce the impact on performance. Cycle the key at least annually. If hardware encryption isn’t available, encrypt disks with software (and expect a performance hit).
  • For encryption in transit, ensure that HTTPS or SSL is used with medium-strength ciphers at a minimum (over 128 bits) and strong hashes. Only terminate encryption at the point of processing.
  • Safeguard all private keys for certificates and public keys.
  • Encrypt data in databases if you can handle the performance loss. It’s an extra layer of protection.
  • Encrypt backups with AES-256 or stronger encryption.
  • Encrypt stored files (think S3) with AES-256 or stronger encryption.
  • Use VPN tunnels with at least AES-256 or stronger encryption.
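The in-transit rule above (at least medium-strength ciphers and strong hashes) can be applied to a server's configured cipher list. The checker below is an added example, not code from the original post; its key-size table, its treatment of a bare "SHA" token (SHA-1) as weak and its 128-bit floor are assumptions stated in the comments, and the cipher list is constructed.

```python
import re

# Symmetric cipher tokens in OpenSSL suite names and their effective key size in
# bits. The table is an assumption for this example and covers common suites only.
CIPHER_BITS = {"AES128": 128, "AES256": 256, "CHACHA20": 256, "CAMELLIA128": 128,
               "CAMELLIA256": 256, "3DES": 112, "DES": 56, "RC4": 128, "NULL": 0}
WEAK_DIGESTS = {"MD5", "SHA"}  # a bare "SHA" token in OpenSSL names is SHA-1
MIN_BITS = 128                 # the checklist's floor: medium strength at minimum

def assess_suite(name):
    """Classify one cipher suite name (OpenSSL style such as ECDHE-RSA-AES128-GCM-SHA256,
    or IANA style such as TLS_AES_256_GCM_SHA384). Returns (ok, reason)."""
    n = name.upper().replace("_", "-")
    n = re.sub(r"AES-(\d+)", r"AES\1", n)        # TLS 1.3 names write AES-256
    tokens = n.split("-")
    if tokens[0] == "EXP":                       # export-grade suites: 40/56-bit keys
        return False, "export-grade suite"
    if "DES-CBC3" in n or "3DES" in n:           # triple DES is spelled DES-CBC3
        cipher, bits = "3DES", 112
    else:
        cipher = next((t for t in tokens if t in CIPHER_BITS), None)
        if cipher is None:
            return False, "unknown cipher"
        bits = CIPHER_BITS[cipher]
    if bits < MIN_BITS:
        return False, f"{cipher} provides only {bits} bits"
    if cipher == "RC4":
        return False, "RC4 is broken regardless of key size"
    if tokens[-1] in WEAK_DIGESTS:
        return False, f"weak digest {tokens[-1]}"
    return True, f"{cipher} ({bits} bits)"

def audit_cipher_list(names):
    """Split a configured cipher list into (allowed, rejected); rejected holds
    (name, reason) pairs the checklist would not accept."""
    allowed, rejected = [], []
    for name in names:
        ok, reason = assess_suite(name)
        if ok:
            allowed.append(name)
        else:
            rejected.append((name, reason))
    return allowed, rejected

# Constructed sample of a server's cipher list (not taken from any real host).
SAMPLE_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384",
                  "ECDHE-RSA-CHACHA20-POLY1305", "AES128-SHA", "DES-CBC3-SHA",
                  "RC4-MD5", "EXP-RC4-MD5", "NULL-SHA256"]
```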

Comments

  1. Thanks for the valuable information. Here you see how cyber security is important for startups. 🔥🚀 Learn more on Startup Cyber Security Service Plan to protect your small business TODAY!
    Cyber Security for Startups - Top 10 steps to secure your organisation from Cyber Threats 🔐

  2. When your website or blog goes live for the first time, it is exciting. That is until you realize no one but you and your. CDN

  3. Great write-up, I am a big believer in commenting on blogs to let the blog writers know that they’ve added something worthwhile to the world wide web!
    cloud security

  4. Thank you for compiling such a thorough and insightful checklist for Cloud security! This comprehensive guide covers every essential aspect, from management and operations to technology, hardening, logging, and encryption. It not only highlights key considerations but also provides practical steps and best practices for ensuring a robust security posture in the ever-evolving landscape of cloud environments. Your attention to detail and clarity make this checklist an invaluable resource for anyone looking to enhance their organization's cloud security. Great job!
