What is a cloud audit? Getting a safer and cheaper cloud
21.09.2023 | 4 min read
There is no doubt that cloud computing has become practically synonymous with digital business. It's now everywhere: Google Cloud runs your workplace, Azure runs your LinkedIn and AWS runs your Netflix (among other things). Since you are here, your company, too, might be using one of these cloud platforms. But with such great popularity comes great responsibility. Today, an outage in cloud infrastructure or a security flaw translates directly into financial loss. We explain what a cloud audit is and how it can rescue your digital business by ensuring safety, cost optimization, and compliance.
Cloud audit explained
A cloud audit is a comprehensive process of evaluating and assessing the effectiveness of security measures, infrastructure, costs incurred, resources used, and the other components of a company's cloud environment. Organizations can order one on demand to verify, among other things, compliance with industry regulations, data integrity, and their security posture.
When auditing the cloud, the auditor typically follows a checklist or a framework that outlines the specific security controls and measures that need to be evaluated. This checklist serves as a guide to ensure that all necessary areas are covered during the audit. How does this process go?
Cloud audit process
It usually takes from a couple of days to a couple of weeks. During a cloud audit, an auditor will define the scope of the audit, which includes identifying the assets, systems, and data used within the cloud environment. They will also review the cloud provider's security policies, procedures, and documentation to ensure that they align with industry standards and best practices.
But it can become more comprehensive. Auditors may also perform vulnerability assessments and penetration testing to identify any potential security vulnerabilities within the cloud infrastructure. This helps to identify areas that need improvement and allows for the implementation of appropriate security measures.
Ultimately, the goal of a cloud audit is to provide assurance to the customer that their data and systems are secure within a given cloud environment. It helps to identify any potential risks or weaknesses and provides guidance on improving security measures to mitigate those risks. However, a cloud audit is not only about security.
Here's what this process looks like specifically at 10Clouds:
- Identifying the cloud services being used, including the provider, type of service (IaaS, PaaS, SaaS), and any specific services.
- Assessing the security posture, including the security configuration, access control, data encryption, and audit logging.
- Verifying compliance with regulations, including GDPR, HIPAA, and other industry-specific requirements.
- Reviewing user access to the cloud services to ensure that user access is appropriate and secure.
- Monitoring and auditing for changes in configuration, access, or usage.
- Testing for vulnerabilities, including application and network security testing.
- Reporting and remediating any issues found during the audit.
Why your company needs a cloud audit - 3 reasons
The cloud offers businesses the ability to access applications and services from anywhere, at any time, and with minimal hardware and software investments. But with the increased use of cloud technology come increased risks. That is why it is essential for businesses to have a cloud service provider by their side, who can host their project on a public cloud and provide an audit which focuses on security, cost optimization and compliance.
1. Cloud security
No doubt, security is one of the most important aspects of any cloud computing environment. Once again, a cloud infrastructure audit will help to identify any potential security risks and provide recommendations for improvement. This includes evaluating the security settings of the cloud environment, reviewing access controls, and assessing the security of the applications and services hosted on the cloud.
2. Cloud cost optimization
Cost optimization is another important aspect of cloud computing. An audit can help to identify areas where costs can be reduced or even eliminated. This can include evaluating the cloud infrastructure for opportunities to minimize costs, such as cutting off unused services or scaling back on them.
We've helped our clients reduce the costs of various cloud resources substantially, in some cases severalfold. Let's look at the measures that worked for four of 10Clouds' clients on AWS:
- introducing environments based on EC2 Spots
- planning reservations for EC2 and RDS
- spotting architecture places where unnecessary resources were operating
- constant cost-related monitoring and alerting
- EC2 Spot instances to save around 70% of EC2 costs
- Karpenter auto-scaler for optimized EC2 utilization
- analysis of the internal AWS network traffic and cutting the costs of data transfer
- moving the dev infrastructure to SPOT instances
- using reserved instances on prod and in RDS
- lowering database usage and size, which allowed a 4x smaller (and 4x cheaper) database instance; database storage was reduced more than 2x after removing unused resources
3. Cloud compliance
Compliance is a crucial factor when it comes to cloud computing. The goal of the audit is to ensure that the cloud environment works in accordance with applicable laws and regulations. These can be GDPR, industry-specific regulations such as PCI DSS for payment card data, HIPAA for medical information, and FedRAMP for government data. Furthermore, the audit can evaluate business continuity and disaster recovery strategies to ensure operational resiliency. By conducting a cloud compliance audit, businesses can establish trust, mitigate risks, protect sensitive data, and maintain regulatory compliance.
Cloud audit case study
Our anonymous client suffered a leak of a large volume of personal data from an unsecured database. At the time of the incident, the company had the following configuration in place:
- General company VPN
- Elements of DevSecOps - SAST in CI/CD, focus on solving issues according to the pipeline
- SIEM based on AWS SecurityHub, AWS Config, AWS GuardDuty, etc.
- Monitoring based on Prometheus and AWS CloudWatch
- Extensive logging of security events, including a centralized log of all API calls (via CloudTrail) and of network activity (VPC Flow Logs)
During the leak we played a supporting role, but soon a decision was made to involve 10Clouds on all security fronts. The measures introduced included:
- Introduction of SSO for AWS access, with clear role assignments following the least-privilege principle
- Further expansion of the DevSecOps pipelines, e.g. integration with GitLeaks (which scans for secrets committed to the repository)
- Further expansion of the SIEM, including Slack alerts for better visibility
- Introduction of periodic scans of object storage for leaked material (e.g. accidentally uploaded keys), with alerts
- Introduction of redundant, layered network security measures based on the Kubernetes 4C model (https://kubernetes.io/docs/concepts/security/overview/)
- Numerous other security improvements, e.g. rotation of old API keys and safer access to the application through a CDN
- Implementation of HashiCorp Vault as a centralized secrets management system
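As an added illustration of the periodic object-storage scan listed above (example code written for this article, not 10Clouds' tooling), the following Python sketch scans constructed sample object contents for credential patterns and builds an alert message that deliberately omits the matched values. It assumes the bucket listing and the Slack delivery are wired in separately; only the detection logic is shown.

```python
import re
from dataclasses import dataclass

# Patterns for credentials that most often land in object storage by accident.
# The AWS access key ID format (AKIA/ASIA followed by 16 uppercase alphanumerics)
# and the PEM private-key header are documented formats, not guesses.
PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "private_key_pem": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
}

@dataclass(frozen=True)
class Finding:
    bucket: str
    key: str
    kind: str   # which pattern matched; the secret itself is never stored
    line: int

def scan_object(bucket: str, key: str, body: bytes, max_bytes: int = 1_000_000) -> list[Finding]:
    """Scan one object's content and return every credential-like match.
    Binary objects are scanned best-effort as text; bytes beyond max_bytes are skipped."""
    text = body[:max_bytes].decode("utf-8", errors="ignore")
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(bucket, key, kind, lineno))
    return findings

def scan_bucket(bucket: str, objects: dict[str, bytes]) -> list[Finding]:
    """objects maps object key -> content. In a real deployment this mapping would be
    fed by a paginated list/get over the bucket (hypothetical integration, not shown)."""
    findings = []
    for key, body in objects.items():
        findings.extend(scan_object(bucket, key, body))
    return findings

def format_alert(findings: list[Finding]) -> str:
    """Build the alert text for a chat channel; matched values are intentionally left out."""
    if not findings:
        return ""
    lines = [f"Secret scan: {len(findings)} finding(s) in object storage"]
    for f in findings:
        lines.append(f"- s3://{f.bucket}/{f.key} line {f.line}: {f.kind}")
    return "\n".join(lines)

# Constructed sample bucket contents (placeholder values, not real keys or data).
SAMPLE_OBJECTS = {
    "reports/q3.csv": b"id,total\n1,42\n",
    "backup/.env": b"DB_HOST=db\nAWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n",
    "deploy/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nbase64...\n",
}

if __name__ == "__main__":
    print(format_alert(scan_bucket("customer-uploads", SAMPLE_OBJECTS)))
```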
Now, many months after the leak, we are working on introducing DAST for our client.
A cloud audit will help to identify any potential security risks and compliance issues, and provide recommendations for improving security and reducing costs. Having a firm that can host a project on a public cloud and provide an audit covering all of the above is essential for businesses.
10Clouds will gladly help manage your cloud environment as an experienced and process-savvy provider of cybersecurity services.