15 November 2022
KA2 was delighted to be engaged by a market data technology consultancy and service provider for global financial markets, to provide an independent review and make recommendations on their cloud security controls implementation in Azure and Microsoft 365.
The client had also been implementing a Zero Trust Architecture (ZTA) approach to their security, which requires a proactive approach to all layers of security across their digital estate in order to explicitly and continuously verify every transaction and assert least privilege.
ZTA relies upon intelligence, advanced detection, and real-time response to threats to:
Verify explicitly: Always authenticate and authorise based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
Use least-privileged access: Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection to help secure both data and productivity.
Assume breach: Minimise blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defences.
By adopting these principles and following a Zero Trust Framework, our client can achieve this goal across the six key risk areas addressed by Zero Trust: Identity, Endpoints, Network, Data, Applications, and Infrastructure.
KA2 assessed current cloud security control sets, reviewed current Microsoft licensing to evaluate the use of cloud-native capability, advised on improvements, and made recommendations. The delivery included status, findings, an improvement plan and a final report for the Information Security team and C-level stakeholders.
The engagement was carried out over five weeks using the KA2 Smarter Security Controls Framework to measure the current state. It concluded with a final Report on Cloud Security Controls defining improvement recommendations and further opportunities for improvement (OFIs) to include in their ISO 27001 program.
The Discovery Phase of the project commenced with workshops with the client to understand their business and operations environment, followed by an assessment of their cloud services portals, which involved reviewing cloud platform security policy and controls and extracting reports. We then analysed the security data sets, with a weekly check-in with the client on findings, and fed the results into an initial report ready for playback to the client for clarification of assumptions and issuance of the final report.
The outcome meant that we could provide our client with an independent assessment of their Microsoft Cloud Services Platform security controls, implementation status of ZTA, cloud security recommendations and strategic direction. We continue to support their security journey and provide ongoing practical, expert advice as their organisation grows both domestically and globally.
KA2 provides Cyber Security expertise for all Cloud Service Provider platforms, including Security Control Foundations for AWS, Azure, GCP, IBM and Oracle Cloud Services. We can also provide peer review and product-agnostic guidance.
For more information or to speak to a member of the team, please get in touch.