According to the Shared Responsibility Model, you are and will always be responsible for protecting the data and access to the respective environment. This applies to both Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS - public cloud) platforms. You are also responsible for correctly configuring settings to protect the data and environment. With the Public Cloud Security Audit, the current security settings and configurations of the public cloud environment will be analyzed, scanned, qualified, and provided with advice. For this various available cloud bourne tooling is used such as Securotuy Posture managemements. The results, recommendations, and cost estimates will be delivered through a report. The Public Cloud Security Audit is a snapshot and can serve as a periodic security audit or as part of the acceptance process for the public cloud environment before it is formally put into production. The entire process takes an average of four weeks from the start of the scan to the delivery of the final report.

Components The Public Cloud Security Audit consists of the following components:

• Questionnaire: A questionnaire with a few questions about the external security solutions used in conjunction with the current Public Cloud environment and relevant applied security policies.
• Automatic Advanced Security Scan: An automatic advanced security scan of the configurations and efficient use of public cloud resources. (Cloud Security Posture Management)
• Reporting: A report with findings and actionable recommendations. Process Public Cloud Security Audit

Phase-1: preparations

You will receive:

• A (short) questionnaire.
• A preparation document to create the necessary accounts for conducting the advanced security scan with a Cloud Security Posture Management (CSPM). Additionally, the following will be discussed:
• Provision and secure use of login credentials.
• Contact person responsible for filling out the questionnaire and available before and during the Public Cloud Security Audit.
• Other factors that may impact the proceedings.

Phase-2: execution

Questionnaire The questionnaire will be sent and should be completed and returned. Advanced security scan On a pre-agreed date, the security consultant will access and read the security settings and configurations using the advanced security scanner. The security scan of the AWS CSPM will be conducted through an API integration with an advanced security scanner provided by a market leader in this specific domain. This scan will be performed in "detection mode," meaning it will only report findings without making any changes to the environment. The scan will not negatively impact the processing speed of the public cloud environment. However, any adjustments made by you after this date must be well-documented and shared to explain potential discrepancies with the report later on.

Phase3: Delivery and Closure

Once the CSPM scan and analysis of the information are completed, the results will be communicated back to you, allowing the organization to remove or deactivate the created accounts from Phase 1 on their own.

Report

All the findings of the Public Cloud Security Audit will then be compiled by the security consultant. The result is a detailed advisory report with a management summary primarily in the English language. This report will include a comprehensive assessment of the current settings, scored across approximately twohundred or more components, distributed over approximately twentytwo categories. Additionally, specific advice will be provided for aligning with best practices and security standards for each component. The recommendations will be categorized as short-term (= quick wins) and long-term advice. Where possible, advice will be given on reducing costs related to inefficiently used resources. This documentation offers insights into how your public cloud environment operates, identifies organizational risks, and suggests technical optimizations for public cloud security. It will also serve as a definitive report, shared with the contact person via email. Subsequently, the organization can decide which recommendations to implement or not. If additional actions are desired after the Public Cloud Security Audit, a new consultancy support assignment (Phase 4) can be requested.

Phase-4: implementation of recommendations (optional)

You can decide to execute the recommendations from the Public Cloud Security Audit on your own or opt for additional support from Amitron's consultants. Engaging additional consultants is not an integral part of the Public Cloud Security Audit.

Phase-5: Support or Service Contract (optional)

If you wish to continue benefiting from Amitron's technical assistance, you have the option to choose from one of Amitron's support or service contracts. Servicedesk support is not an integral part of the Public Cloud Security Audit.