Analysis of Methods for Conducting Cloud Security Audits According to International Standards
Abstract
Purpose: Comparison of cloud security audit methods (manual, automated, embedded) to determine their effectiveness in accordance with international standards, in particular, taking into account the specifics of cloud platforms and risk minimization.
Method: The empirical study used three methods: manual auditing against security standards, automated tools for rapid configuration verification, and built-in real-time monitoring. The sample for analysis was a test environment with minimal configurations, including a few users and basic resources.
Findings: Automated tools provide speed and cost-effectiveness, but manual auditing, while laborious, provides a deeper analysis of non-standard configurations. Built-in tools provide an instant security overview but have limited flexibility. Standards integration raises the overall level of security but reveals gaps in adapting requirements to the specific needs of organizations.
Theoretical implications (if applicable): The study confirms the relevance of existing theoretical frameworks, namely international standards for security assessment, but points to the need to adapt them to dynamic cloud environments. The results highlight the role of adaptive models in improving compliance with standards.
Practical implications (if applicable): System administrators and security engineers can combine automated tools, manual auditing, and built-in tools to optimize costs and improve the accuracy of security assessments. Integrating machine learning for risk prediction and standards adaptation will allow for proactive cloud security strategies, including filtering false positives and prioritizing vulnerabilities.
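As an added illustration of the combined strategy described above (not code from the paper), the following script merges findings from the three audit methods, suppresses reviewed false positives via a time-limited allowlist, and ranks what remains by severity, using agreement between independent methods to break ties. The finding format, control identifiers and allowlist shape are assumptions for the example; the sample findings are constructed.

```python
"""Merge and prioritize findings from manual, automated and built-in audits.
Added example; finding format, control ids and allowlist are assumed, not the paper's data."""
from collections import defaultdict
from datetime import date

SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample findings: (source, control_id, severity, resource)
FINDINGS = [
    ("automated", "ISO27001-A.8.5", "high", "user:alice"),       # MFA not enforced
    ("builtin",   "ISO27001-A.8.5", "high", "user:alice"),
    ("manual",    "ISO27001-A.8.5", "high", "user:alice"),
    ("automated", "CIS-5.1",        "medium", "bucket:logs"),    # public read access
    ("builtin",   "CIS-5.1",        "critical", "bucket:logs"),
    ("automated", "CIS-2.1",        "low", "region:eu-west-1"),  # reviewed exception
    ("manual",    "ORG-ADM-01",     "critical", "policy:admin"), # non-standard config, manual only
]

# Constructed allowlist of reviewed false positives: (control, resource) -> expiry date
ALLOWLIST = {("CIS-2.1", "region:eu-west-1"): date(2026, 1, 1)}

def merge_findings(findings, allowlist, today):
    """Group findings by control+resource, dropping still-valid allowlisted ones."""
    groups = defaultdict(lambda: {"sources": set(), "severity": 0})
    for source, control, sev, resource in findings:
        expiry = allowlist.get((control, resource))
        if expiry and expiry > today:
            continue  # reviewed exception still valid: suppress
        g = groups[(control, resource)]
        g["sources"].add(source)
        g["severity"] = max(g["severity"], SEVERITY[sev])  # keep the worst rating
    return groups

def prioritize(groups):
    """Worst severity first; ties broken by how many independent methods agree."""
    def score(item):
        (_, _), g = item
        return (g["severity"], len(g["sources"]))
    return [
        {"control": c, "resource": r, "severity": g["severity"],
         "sources": sorted(g["sources"]), "corroborated": len(g["sources"]) > 1}
        for (c, r), g in sorted(groups.items(), key=score, reverse=True)
    ]

def audit_report(findings=FINDINGS, allowlist=ALLOWLIST, today=date(2025, 6, 1)):
    return prioritize(merge_findings(findings, allowlist, today))

if __name__ == "__main__":
    for row in audit_report():
        print(row)
```

Once the allowlist entry expires, the suppressed finding reappears at the bottom of the ranking, so exceptions are revisited rather than forgotten.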
Originality/Value: A comparative analysis of three methods, taking into account their interaction, cost, and compliance with standards. Practical criteria for choosing security strategies under limited resources are provided.
Research limitations/Future research: The test environment may not fully replicate the complexity of real infrastructures. Adaptive algorithms that take into account the specific requirements of organizations are needed to improve analysis. Further research may include integrating artificial intelligence to automate anomaly detection, predict risks, and increase audit scalability.
Paper type: Empirical research with elements of theoretical analysis.
Copyright (c) 2025 Vladyslav Frankevych, Solomiia Dolishnia, Viktoriia Savchuk, Yevhenii Kurii, Vitalii Susukailo

This work is licensed under a Creative Commons Attribution 4.0 International License.