Security Assessment of Cloud and On-Premises Infrastructure


Security assessment of infrastructure, whether cloud or on-premises, is a key component of strategic cyber risk management. Cloud environments offer flexibility, scalability, and a shared responsibility model, but under that model the customer still owns the configuration, identities, and data it places there; on-premises infrastructure, meanwhile, remains a frequent target of advanced attacks. Verifying the security of both environments helps protect an organization's important assets, services, and data.

Benefits of Security Testing for Cloud and On-Premises Environments


  • Identification of weaknesses in configuration, access rights, and network segmentation.
  • Verification of the correct settings of security policies, firewalls, and the IAM model.
  • Detection of misconfigured services, access tokens, or shadow IT.
  • Testing of connections between the cloud and on-premises (e.g., hybrid VPN, SSO, AD Sync).
  • Validation of compliance with DORA and support for NIS2 and GDPR data protection requirements.

Main objectives of infrastructure security assessment


  • Verify the correct configuration of Identity and Access Management (IAM).
  • Verify the hardening and segmentation of the network architecture.
  • Identify exposed services and interfaces (e.g., public IPs, ports, APIs).
  • Simulate real threats and attacks in red-team scenarios.
  • Evaluate security parameters under the shared responsibility model (cloud).

Typical vulnerabilities and differences between cloud and on-premises environments

Vulnerability / Attack               | Environment Type      | Category                 | Description
Overprivileged IAM roles             | Cloud                 | Identity (IAM)           | The account or role has access to services beyond what its function requires
Public S3 buckets / Azure Blob       | Cloud                 | Configuration            | Data leakage through publicly accessible storage objects
Default credentials on the hypervisor | On-premises          | Configuration, processes | Default passwords left unchanged on hypervisors, servers, or VMs
Unsecured VPN / RDP exposure         | Cloud and on-premises | Network vulnerability    | VPN or RDP endpoints reachable from the Internet without MFA or network segmentation
Misconfigured logging and alerting   | Cloud and on-premises | Configuration            | Audit logging or SIEM forwarding that is disabled, incomplete, or incorrectly configured
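As an added illustration of the first two rows of the table (example code written for this page, not a BDO tool or any vendor's API): a Python check that flags over-privileged IAM role policies and publicly readable S3 bucket policies in AWS policy documents. The policy documents, bucket names, role names, and the account ID 123456789012 are constructed samples; the list of privilege-escalation actions is an assumption covering a few well-known paths, not an exhaustive catalogue.

```python
import fnmatch

# Actions that enable privilege escalation even without a full wildcard.
# Assumption: a short list of well-known IAM escalation paths, not exhaustive.
ESCALATION_ACTIONS = (
    "iam:PassRole", "iam:CreateAccessKey", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutRolePolicy",
    "sts:AssumeRole",
)


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _action_grants(patterns, action):
    """True if any IAM action pattern ('*' globbing, case-insensitive) covers the action."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def overprivileged_statements(policy):
    """Return (statement index, reason) for Allow statements that grant too much.

    Flags: Allow + NotAction (grants every action not listed), a full '*' action,
    a service-wide 'svc:*' action on Resource '*', and unconditioned
    privilege-escalation actions on Resource '*'.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append((idx, "Allow with NotAction grants every action not listed"))
            continue
        actions = _as_list(stmt.get("Action"))
        on_all_resources = "*" in _as_list(stmt.get("Resource"))
        unconditioned = "Condition" not in stmt
        if "*" in actions:
            findings.append((idx, "Action '*' is equivalent to AdministratorAccess"))
            continue
        service_wide = [a for a in actions if a.endswith(":*")]
        if service_wide and on_all_resources:
            findings.append((idx, f"service-wide wildcard {service_wide} on Resource '*'"))
        if on_all_resources and unconditioned:
            escalation = [a for a in ESCALATION_ACTIONS if _action_grants(actions, a)]
            if escalation:
                findings.append((idx, f"unconditioned escalation actions on all resources: {escalation}"))
    return findings


def _principal_is_anyone(principal):
    """Principal '*' or {'AWS': '*'} means anonymous access or any AWS account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(bucket_policy):
    """Return (statement index, Sid) for statements that let anyone read objects."""
    findings = []
    for idx, stmt in enumerate(_as_list(bucket_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        if "Condition" in stmt:
            continue  # e.g. an aws:SourceIp / aws:SourceVpce restriction; review manually
        if _action_grants(_as_list(stmt.get("Action")), "s3:GetObject"):
            findings.append((idx, stmt.get("Sid", "")))
    return findings


# Constructed sample documents (not taken from any real account).
OVERPRIVILEGED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"},
    ],
}
LEAST_PRIVILEGE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::backup-bucket/*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/ec2-backup",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    ],
}
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
}
RESTRICTED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
}

if __name__ == "__main__":
    print("over-privileged role:", overprivileged_statements(OVERPRIVILEGED_ROLE_POLICY))
    print("least-privilege role:", overprivileged_statements(LEAST_PRIVILEGE_ROLE_POLICY))
    print("public bucket:", public_read_statements(PUBLIC_BUCKET_POLICY))
    print("restricted bucket:", public_read_statements(RESTRICTED_BUCKET_POLICY))
```

In an assessment the same functions can be fed the JSON returned by the AWS CLI (for example the inline policy from `aws iam get-role-policy` or the policy string from `aws s3api get-bucket-policy`). A clean result is evidence, not proof, of least privilege: permission boundaries, service control policies, and resource-based policies on other services also shape effective access, and a Condition block only narrows access if its keys are actually enforced for the request path in question.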

What are the requirements for testing teams?


  • Experience with hybrid architectures (Azure, AWS, GCP, and traditional on-premises)
  • Ability to identify risks at the network, identity management, encryption, and application levels
  • DORA does not impose specific certifications, but requires appropriate team expertise
  • Knowledge of regulatory expectations and audit requirements
  • Independence – the testing team (internal or external) must not have a conflict of interest with the operations and development teams

What requirements does DORA set in relation to infrastructure assessment?

DORA requires a risk-managed testing program for ICT systems supporting critical or important business functions, regardless of whether they run in the cloud, on-premises, or in a hybrid environment.
DORA also requires:

01 Evaluation of configurations and security controls in all cloud services used (IaaS, PaaS, SaaS).

02 Involvement of qualified and independent testing teams.

03 Assessment of technical and organizational weaknesses and ensuring compliance with requirements.

04 Documentation of findings, proposal of corrective measures, and their verification (retest).

05 Evaluation of third parties (e.g., cloud providers, outsourcing partners).

Why work with BDO?


BDO provides comprehensive security assessments for cloud and on-premises infrastructures in accordance with regulatory requirements and proven frameworks (e.g., CIS Benchmarks, NIST CSF, ISO 27001). Our tests help organizations identify vulnerabilities, assess resilience, and prepare for audits.

01 Technical expertise and experience

BDO has expert teams that test the infrastructure of leading banks, insurance companies, industrial enterprises, and digital platforms. We perform tests of access policies, network boundaries, segmentation, data encryption, and detection mechanisms in environments such as Microsoft Azure, AWS, GCP, and VMware.

02 Knowledge of the regulatory framework

We have detailed knowledge of the requirements of DORA, NIS2, and GDPR, and we can tailor security assessments to the expectations of supervisory authorities (e.g., the CNB, ECB, and CNIL). We help organizations integrate test results into their cyber resilience strategy.

03  Independence and credibility

As an independent consulting firm, we are not tied to any technology vendor. We provide an objective view of infrastructure security and are a trusted partner for both clients and regulators. The results of our work support decision-making at the board and operational management levels.

04 A certified team with expert experience

Our team consists of certified professionals with experience in infrastructure and cloud environments. We hold recognized certifications such as OSCP, CRTP, CEH, CCISO, CompTIA PenTest+, and CREST CPSA, which attest to our technical expertise in conducting advanced infrastructure security audits.

Main contact persons

Martin Hořický
Partner • Digital Services

Marek Kovalčík
Chief Information Security Officer • Digital Services