Cloud Security and Zero Trust Architecture

The document is a comprehensive report on Cloud Security and Zero Trust Architecture, focusing on information security risk assessment, penetration testing, and security policies for cloud environments. It outlines the importance of protecting sensitive data, identifying vulnerabilities, and implementing Zero Trust principles to mitigate risks associated with unauthorized access and data breaches. The report includes methodologies for risk analysis, penetration testing findings, and recommendations for enhancing security measures in cloud infrastructures.



Cloud Security and Zero Trust Architecture: Information Security Risk Assessment

Report

Student Name

Module Name: Information Security

Module Code: 402IT

Assignment Title: Coursework 1

Assignment Due: 28th March 2025 18:00

Assignment Credits: 10 Credits

Assignment Type: Portfolio



Table of Contents

1.0. Task 1: Information Security Risk Assessment Report
    1.1. Introduction
    1.2. Risk Identification
        Asset Register
        Vulnerabilities
    1.3. Risk Analysis and Evaluation
        Analysis of Risks
        Evaluation Using Industry Standards
2.0. Task 2: Perform Penetration Testing and Report
    2.1. Penetration Testing
    2.2. Penetration Test Report
        Methodology: Steps Taken During Testing
        Findings: List of Security Flaws
        Risk Severity: Categorization (Critical, High, Medium, Low)
        Recommendations: Suggested Mitigations for Identified Vulnerabilities
3.0. Task 3: Security Policies for a Zero Trust Cloud Environment
Reference List

1.0. Task 1: Information Security Risk Assessment Report

1.1. Introduction

Protecting sensitive data, assessing security risk, controlling cyber threats, and maintaining regulatory compliance are essential for modern digital infrastructure. Cloud security addresses hazards such as unauthorized access, data breaches, and system misconfigurations (Laptev and Feyzrakhmanova, 2024). Zero Trust Architecture (ZTA) relies on strict access control, continuous verification, and least-privilege authorization (Teerakanok, Uehara and Inomata, 2021). The ISO 27001 standard and NIST SP 800-207 provide systematic guidance for evaluating and reducing information security risks and for implementing Zero Trust in cloud settings.

1.2. Risk Identification

An effective security program in a cloud-based environment starts with identifying and protecting assets; this is the foundation for reducing security threats and preserving operational continuity. The vital assets are the cloud infrastructure (servers, databases and networking components), the Identity and Access Management (IAM) controls that handle authentication and authorization, and the data storage and applications that hold sensitive information (Teerakanok, Uehara and Inomata, 2021). These assets are exposed through cloud security configuration errors, insufficient access controls, and unauthorized data access (Ahmadi, 2024).

Asset Register

The security of organizational data depends on several assets that operate in cloud-based environments. Cloud infrastructure is the basic structure of these environments and consists of virtual servers, databases, networking elements, and containerized applications (Teerakanok, Uehara and Inomata, 2021). These components deliver compute and storage capacity, but they remain at risk from security faults, breaches of their protections, and service interruptions (Edo et al., 2023). Minimizing this risk depends on appropriate encryption, proper access controls, and secure configuration of the cloud infrastructure.

Identity and Access Management (IAM) controls authentication and authorization for the whole environment. IAM systems govern access to cloud resources by enforcing multi-factor authentication (MFA), role-based access control (RBAC), and the principle of least privilege (Ahmadi, 2024). Cloud-based data storage and applications hold valuable business information and customer data, which makes them major targets for cyberattacks. Data in the cloud requires robust protection, because unauthorized access, inadequate encryption, and insufficient backup practices all create the conditions for a breach.

Vulnerabilities

Misconfiguration of cloud security settings is one of the largest sources of risk. Cloud resources become exposed through incorrect storage permissions, unrestricted public access, weak encryption settings, and default authentication credentials (Edo et al., 2023). Misconfigured systems serve as entry points that attackers use to gain unauthorized access, after which they can manipulate data, exfiltrate it, or deploy ransomware.
A further critical weakness in cloud computing systems comes from insider risk and faulty authentication controls. Excessive or poorly managed privileges held by employees, contractors, and third-party vendors pose intentional or inadvertent risks to cloud security (Ahmadi, 2025). Weak authentication procedures, in particular reliance on single-factor authentication, add further opportunities for unauthorized system access. Data breaches persist because cybercriminals find weak points in identity management and API security to steal sensitive information (Edo et al., 2023). An organization can reduce both insider threats and data breaches through Zero Trust principles, multi-factor authentication, and strict access rules.

1.3. Risk Analysis and Evaluation

Analysis of Risks

Security breaches through unauthorized access remain a primary threat in cloud environments because of incorrect Identity and Access Management (IAM) configuration. Poorly configured IAM opens cloud resources to unauthorized access when users retain expansive privileges, MFA is not enforced, and access control policies handle authorization inadequately (Ojo, 2025). These conditions create gaps that attackers use to carry out data breaches, service interruptions, and account takeovers.

Cloud security is also jeopardized when APIs fail to protect the data they handle, since such weaknesses allow attackers to gain unauthorized access. Cloud-based applications depend on APIs to operate, yet APIs become targets for data theft and unauthorized control when security measures such as authentication, rate limiting, and encryption are missing (He et al., 2022). Cloud storage is also increasingly exposed to ransomware, which encrypts data and demands payment to restore access. Alevizos, Ta and Eiza (2021) explain that organizations remain exposed because of inadequate backup plans, insufficient endpoint protection, and the absence of real-time system monitoring.

Evaluation Using Industry Standards

The NIST Risk Management Framework (RMF) provides a structured methodology for identifying, assessing, and reducing security risk on cloud platforms (Seymour, 2023). The framework follows a system lifecycle: categorize the system and its information, select and implement controls, assess whether they work, and monitor operations continuously. The RMF helps organizations meet security standards and handle vulnerabilities such as unauthorized access and unprotected APIs (Alevizos, Ta and Eiza, 2021). RMF risk assessments must be repeated regularly so that firms can adapt to new cloud-based threats and vulnerabilities.

The Cloud Security Alliance (CSA) provides implementation best practices. The CSA Cloud Controls Matrix (CCM) helps enterprises identify security risks by examining domains such as data protection, identity and access management, and incident response (Sarkar et al., 2022). Through technical enforcement of robust identity authentication, precise access decisions, and network segmentation, CSA guidance helps businesses implement Zero Trust Architecture (ZTA) and reduce risk (Aiello, 2024). Combining the NIST RMF with CSA best practices helps enterprises build resilient defenses that reduce data breaches, ransomware attacks, and cloud configuration problems.

2.0. Task 2: Perform Penetration Testing and Report

2.1. Penetration Testing



Penetration testing is a proactive security measure that simulates cyberattacks on a cloud-based system in order to identify vulnerabilities before malicious actors can exploit them. This test targets unpatched cloud instances, weak Identity and Access Management (IAM) configurations, and misconfigured APIs that expose sensitive data (Alevizos, Ta and Eiza, 2021). The assessment uses established tools such as Kali Linux, Metasploit, Burp Suite, and OWASP ZAP to scan for insecure entry points and build a picture of the system's resilience (Aiello, 2024). The focus is on finding each flaw, assessing its severity, and designing a mitigation, thereby improving the security posture of the cloud environment.

Scope of the Test

The penetration test imitates real-world cyberattacks on cloud-based systems to identify security weaknesses and measure resilience. Critical cloud assets, including virtual servers, databases, APIs, and IAM configurations, are tested for misconfigurations, vulnerabilities, and exploitable entry points (Alevizos, Ta and Eiza, 2021). Reconnaissance comes first, to understand the cloud infrastructure, followed by vulnerability scanning to find security issues (Fernandez and Brazhuk, 2024). Controlled exploitation is then used to validate vulnerabilities without impacting the system. The test follows ethical hacking principles: only the authorized scope is tested, and no unauthorized targets are touched (Ramezanpour and Jagannath, 2022). The penetration test follows OWASP and NIST standard practices and provides insight into cloud security gaps together with risk reduction recommendations.

Tools Used

Industry-standard tools are used to identify and exploit vulnerabilities within the cloud-based system. Ethical hacking and vulnerability assessment are largely carried out from Kali Linux, a popular penetration testing distribution that bundles a suite of security tools (Ramezanpour and Jagannath, 2022). Metasploit is used to simulate attacks against unpatched cloud instances and weak IAM configurations. Burp Suite, a web vulnerability scanner, is used to analyze API security, scan for misconfigurations, and find vulnerabilities that could result in data exposure (Ahmadi, 2024). OWASP ZAP (Zed Attack Proxy) supports automated scanning and manual testing of cloud-hosted web applications and APIs to find vulnerabilities such as SQL injection, cross-site scripting (XSS), and insecure authentication mechanisms.

Identified Vulnerabilities

Unpatched cloud instances were one of the primary vulnerabilities identified in the penetration test and represent a serious security risk. Cloud service providers routinely release patches for newly discovered threats, but as Dakić et al. (2024) show, organizations often never apply them. Known vulnerabilities in these instances can be leveraged by attackers for unauthorized access, remote code execution, and compromise of sensitive data (Jaiswal, 2024). This is why automated patch management and continuous scanning are crucial in reducing exposure to threats such as ransomware and privilege escalation exploits.

Weak IAM configurations are another critical vulnerability, manifesting as unauthorized access and privilege misuse. Common issues are overly permissive access controls, lack of MFA, and an excess of user privileges (Jaiswal, 2024). Exposed or improperly secured APIs pose a severe risk, because attackers can intercept or manipulate the sensitive data they carry. APIs are a primary source of data breaches (Verma et al., 2024) through injection attacks, insecure authentication mechanisms, and missing or broken encryption.
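
The IAM weaknesses just listed (wildcard permissions, unscoped resources, privileged actions reachable without MFA) can be caught before deployment by a static check over the policy document. The following is an added example written for this report, not code from the report's sources or from any cloud provider; the policies it checks are constructed, and the set of action prefixes it treats as "privileged" is an assumption of the example. It reads the AWS IAM JSON policy format, but the same checks apply to any allow-list policy language.

```python
"""Static check for the IAM weaknesses named above: wildcard actions, unscoped
resources, and privileged actions allowed without an MFA condition.
Added example; the policies below are constructed, not taken from a real account."""
from __future__ import annotations

import json

# AWS condition key that is "true" only when the caller authenticated with MFA.
MFA_KEY = "aws:MultiFactorAuthPresent"
# Assumption for this example: these action families change who can do what,
# so the linter expects an MFA condition on any Allow that grants them.
PRIVILEGED_PREFIXES = ("iam:", "sts:AssumeRole", "organizations:")


def _as_list(value) -> list:
    """Action/Resource/Statement may be a single string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(condition: dict) -> bool:
    """True if the statement carries Condition.Bool.aws:MultiFactorAuthPresent = true."""
    bool_block = condition.get("Bool", {})
    return str(bool_block.get(MFA_KEY, "false")).lower() == "true"


def find_policy_issues(policy: dict) -> list[str]:
    """Return one finding per weakness; an empty list means the policy passed."""
    findings: list[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        condition = stmt.get("Condition", {})

        if "*" in actions:
            findings.append(f"Statement {i}: Action '*' grants every API call")
        wild = [a for a in actions if a != "*" and a.endswith(":*")]
        if wild:
            findings.append(f"Statement {i}: service-wide wildcard actions {wild}")
        if "*" in resources:
            findings.append(f"Statement {i}: Resource '*' is not scoped to specific resources")
        privileged = [a for a in actions if a == "*" or a.startswith(PRIVILEGED_PREFIXES)]
        if privileged and not _requires_mfa(condition):
            findings.append(f"Statement {i}: privileged actions {privileged} allowed without an MFA condition")
    return findings


def lint_policy_json(text: str) -> list[str]:
    """Convenience wrapper for a policy document stored as JSON text."""
    return find_policy_issues(json.loads(text))


# Constructed example 1: the "overly permissive" pattern the report describes.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed example 2: service-wide wildcard on an unscoped resource.
SERVICE_WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"}],
}

# Constructed example 3: least privilege, scoped resources, MFA on the IAM action.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::app-uploads/*",
        },
        {
            "Effect": "Allow",
            "Action": "iam:ChangePassword",
            "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
            "Condition": {"Bool": {MFA_KEY: "true"}},
        },
    ],
}

if __name__ == "__main__":
    for name, policy in [("permissive", PERMISSIVE_POLICY),
                         ("service-wildcard", SERVICE_WILDCARD_POLICY),
                         ("scoped", SCOPED_POLICY)]:
        issues = find_policy_issues(policy)
        print(f"{name}: {'OK' if not issues else issues}")
```

Run on the three constructed policies, the permissive one yields three findings, the service-wildcard one two, and the scoped one none. A check like this belongs in the CI pipeline that deploys IAM changes, so that the tester is not the first person to notice a wildcard.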

2.2. Penetration Test Report

Methodology: Steps Taken During Testing

The penetration test began with reconnaissance and information gathering, following OWASP and NIST methodologies. This step used public information to enumerate exposed cloud assets, API endpoints, and IAM configurations that could be leveraged as an attack surface (Verma et al., 2024). Once vulnerabilities were found, exploitation techniques were applied in a controlled environment to determine the severity of each security flaw. These included attempts at unauthorized access through failing IAM configurations, simulated injection attacks against API endpoints, and attempts at privilege escalation (Ahmadi, 2024). In the final phase, reporting and documentation, the identified risks were categorized by severity and mitigation strategies were recommended to improve cloud security. The test complied with ethical hacking principles, and no testing was carried out against systems for which authorization had not been obtained.

Findings: List of Security Flaws

The cloud environment was penetrated successfully, and several critical vulnerabilities were found during the test. The findings include unpatched cloud instances carrying known vulnerabilities with public exploits that allow remote access or execution of malicious code (Hilbig et al., 2023). In addition, weak IAM configurations, seen as excessive user permissions, absence of MFA, or both, increased the risk of unauthorized access to sensitive resources.



The second main concern was a set of misconfigured APIs that leaked sensitive data because of weaknesses in the authentication model and the absence of proper encryption. Specifically, several API endpoints were found to be susceptible to injection attacks (for instance SQL injection and XML External Entity (XXE) attacks), and inadequate access controls allowed unrelated clients to retrieve or manipulate essential information (Dakić et al., 2024). These results confirm the need for stronger controls on these cloud services: tighter access rights, API security best practices, and real-time monitoring to remove the risks they pose.
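
The SQL injection finding above is easiest to understand with the vulnerable handler next to its fix. The following is an added example written for this report, not code from the tested environment or from the report's sources; it uses an in-memory SQLite table with constructed rows, and the two attacker inputs are constructed to show a filter bypass and a column-exfiltration payload.

```python
"""The injection flaw reported above, shown side by side with its fix.
Added example using an in-memory SQLite table; the data is constructed."""
from __future__ import annotations

import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for a cloud application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, role) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "admin"),
            ("bob", "bob@example.com", "user"),
            ("carol", "carol@example.com", "user"),
        ],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """The flaw: untrusted input is concatenated into the SQL text, so the
    input can change the query's structure, not just its value."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_hardened(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """The fix: a parameterised query. The driver sends the value separately
    from the SQL text, so quotes and keywords in it are never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker inputs.
TAUTOLOGY = "x' OR '1'='1"                                   # bypasses the WHERE filter
UNION_EXFIL = "x' UNION SELECT username, role FROM users --"  # pulls another column out


def run_demo() -> dict[str, list[tuple]]:
    """Run both inputs through both handlers so the difference is observable."""
    conn = build_db()
    try:
        return {
            "vulnerable_tautology": lookup_user_vulnerable(conn, TAUTOLOGY),
            "vulnerable_union": lookup_user_vulnerable(conn, UNION_EXFIL),
            "hardened_tautology": lookup_user_hardened(conn, TAUTOLOGY),
            "hardened_union": lookup_user_hardened(conn, UNION_EXFIL),
            "hardened_legit": lookup_user_hardened(conn, "alice"),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

Against the vulnerable handler the tautology returns every user and the UNION payload returns the role column that the endpoint was never meant to expose; the parameterised handler returns nothing for either payload and still resolves a legitimate username. Input validation and a WAF reduce the chance of a payload arriving, but the parameterised query is the control that removes the bug.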

Risk Severity: Categorization (Critical, High, Medium, Low)

Unpatched cloud instances were rated critical: an attacker who could remotely take control of the cloud infrastructure could carry out a data breach or a ransomware attack. Misconfigured APIs that exposed sensitive data were likewise rated critical, since their exploitation was highly likely (Aiello, 2024). Both needed immediate remediation, because unauthorized access could cause financial or reputational damage.

The high-risk vulnerabilities included weak IAM configuration, that is, overly permissive or insecure access controls without MFA, which heightened the risk of account takeovers and insider threats. Insecure default configurations and lack of security monitoring were medium-risk vulnerabilities that could be combined with other attacks (Edo et al., 2023). Finally, there were low-risk issues: minor misconfigurations in security policies that did not require immediate attention. This categorization gives organizations an ordering by which to prioritize remediation efforts according to severity and potential impact.



Recommendations: Suggested Mitigations for Identified Vulnerabilities

To reduce the exposure created by unpatched cloud instances, it is essential to set up automated patch management so that all cloud resources receive the latest security patches on time. Organizations should also conduct continuous vulnerability assessments and use intrusion detection systems (IDS) to identify unauthorized activity (Manda, 2022). Security configuration baselines such as the CIS Benchmarks for cloud infrastructure can also be adopted to eliminate the misconfigurations that attackers turn to.

To address weak IAM configurations, organizations should apply the principle of least privilege (PoLP), granting users access only to the resources they need. Implementing multi-factor authentication (MFA) and role-based access control (RBAC) will greatly reduce the risk of unauthorized access (Jaiswal, 2024). Developers should follow secure coding practices, implement appropriate authentication for API endpoints, and use TLS (SSL) to protect data in transit. In addition, regular API security testing, monitoring logs for anomalies, and deploying Web Application Firewalls (WAFs) are recommended for stronger security.

3.0. Task 3: Security Policies for a Zero Trust Cloud Environment

Zero Trust security models are essential in cloud environments to ensure that no internal or external entity is trusted by default. Zero Trust's primary premise requires strong authentication before any cloud resource is accessed (Sarkar et al., 2022). MFA, which compels users to prove their identity with multiple authentication factors such as passwords and fingerprints, is a crucial security precaution (Ferretti et al., 2021). Organizations should also adopt passwordless authentication solutions such as FIDO2 security keys to reduce credential theft and phishing.

Other key security policies include least-privilege access control, which limits users and programs to what they need to complete their work. Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) are recommended to control access based on employee role, geography, device type, and context (Ferretti et al., 2021). Regular audits of privileged accounts and access records are needed to identify excessive rights and security threats. This reduces the attack surface for unauthorized access to critical data and cloud services.
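
The RBAC and ABAC policy described above comes down to a single decision function: a request is allowed only if some role grants the action and every contextual attribute (MFA, device, location, session age) satisfies the policy, with deny as the default. The following is an added example written for this report, not code from any of its sources or from a product; the roles, permitted countries, "high-risk" action list and session limit are constructed assumptions, and each failing check is returned so that the denial can be logged for audit.

```python
"""A policy decision point for the RBAC + ABAC controls described above: a request
is allowed only if a role grants the action AND the context (MFA, device, location,
session age) satisfies the policy. Added example with constructed roles and
thresholds; the field names and limits are this example's assumptions."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    roles: frozenset[str]
    resource: str
    action: str
    mfa_verified: bool      # identity signal
    device_managed: bool    # device enrolled in the organization's MDM
    device_patched: bool    # device posture reported by the endpoint agent
    country: str            # ISO country code derived from the client IP
    session_age_min: int    # minutes since the last interactive authentication


# RBAC layer: role -> set of (resource, action) it may perform. Constructed data.
ROLE_PERMISSIONS = {
    "billing-analyst": {("billing-db", "read")},
    "platform-admin": {("billing-db", "read"), ("billing-db", "write"), ("iam", "write")},
}

# ABAC layer: attribute constraints applied on every request. Constructed policy.
ALLOWED_COUNTRIES = {"GB", "IE"}
HIGH_RISK_ACTIONS = {("billing-db", "write"), ("iam", "write")}
MAX_SESSION_AGE_MIN = 60   # high-risk actions require re-authentication after this


def decide(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Deny is the default: an empty reason list is the
    only way to get an allow, and every failing check is reported for audit logs."""
    reasons: list[str] = []
    wanted = (req.resource, req.action)

    if not any(wanted in ROLE_PERMISSIONS.get(role, set()) for role in req.roles):
        reasons.append("no assigned role grants this action")
    if not req.mfa_verified:
        reasons.append("MFA not verified")
    if not req.device_managed:
        reasons.append("device is not enrolled")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append(f"access from {req.country} is not permitted")
    if wanted in HIGH_RISK_ACTIONS:
        if not req.device_patched:
            reasons.append("high-risk action requires a patched device")
        if req.session_age_min > MAX_SESSION_AGE_MIN:
            reasons.append("high-risk action requires recent re-authentication")
    return (not reasons, reasons)


# Constructed requests.
ANALYST_READ = AccessRequest("alice", frozenset({"billing-analyst"}), "billing-db", "read",
                             mfa_verified=True, device_managed=True, device_patched=True,
                             country="GB", session_age_min=15)
ANALYST_WRITE = AccessRequest("alice", frozenset({"billing-analyst"}), "billing-db", "write",
                              mfa_verified=True, device_managed=True, device_patched=True,
                              country="GB", session_age_min=15)
ADMIN_STALE = AccessRequest("bob", frozenset({"platform-admin"}), "iam", "write",
                            mfa_verified=True, device_managed=True, device_patched=False,
                            country="GB", session_age_min=240)
ADMIN_UNMANAGED = AccessRequest("bob", frozenset({"platform-admin"}), "billing-db", "read",
                                mfa_verified=False, device_managed=False, device_patched=True,
                                country="US", session_age_min=5)

if __name__ == "__main__":
    for req in (ANALYST_READ, ANALYST_WRITE, ADMIN_STALE, ADMIN_UNMANAGED):
        allowed, reasons = decide(req)
        print(f"{req.subject} {req.action} {req.resource}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

The analyst's read is the only request that passes. The analyst's write fails on the RBAC layer alone; the admin's stale IAM write passes RBAC but fails two posture checks; and the admin's read from an unenrolled device abroad without MFA fails three. Because the role check and the context checks are independent, a compromised account with a valid role still cannot act from a device or location the policy does not recognise, which is the property Zero Trust is meant to deliver.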

SIEM technologies detect suspicious activity before it becomes a security breach through real-time threat detection, anomaly analysis, and automated incident response (Mandal, Khan and Jain, 2021). According to He et al. (2022), enterprises should use cloud-native security monitoring services such as AWS CloudTrail, Microsoft Defender for Cloud, and Google Chronicle for continuous cloud visibility. Detection of advanced persistent threats (APTs) and intrusions can be improved by integrating AI and ML into these monitoring systems.
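
What a SIEM does with a feed such as CloudTrail is run rules over each event, and a few rules over sequences of events. The following is an added example written for this report, not a vendor's rule set or code from the report's sources. The log records are constructed in the CloudTrail JSON shape (eventName, userIdentity, responseElements, additionalEventData.MFAUsed); the rules, the three-failures-in-ten-minutes threshold, and the severities are this example's own choices.

```python
"""Detection rules over CloudTrail-style events, of the kind a SIEM would run on the
monitoring feeds named above. Added example; the events are constructed and the
rules and thresholds are this example's own choices, not a vendor's rule set."""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-shaped records (one JSON object per line).
SAMPLE_LOG = r"""
{"eventTime":"2025-03-01T10:00:00Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","userName":"bob"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2025-03-01T10:02:00Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","userName":"bob"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2025-03-01T10:04:00Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","userName":"bob"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2025-03-01T10:05:00Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","userName":"bob"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2025-03-01T10:10:00Z","eventName":"PutBucketAcl","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","userName":"bob"},"requestParameters":{"bucketName":"customer-exports","AccessControlPolicy":{"AccessControlList":{"Grant":[{"Grantee":{"URI":"http://acs.amazonaws.com/groups/global/AllUsers"},"Permission":"READ"}]}}}}
{"eventTime":"2025-03-01T10:12:00Z","eventName":"StopLogging","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"Root"},"requestParameters":{"name":"org-trail"}}
{"eventTime":"2025-03-01T10:15:00Z","eventName":"GetObject","sourceIPAddress":"198.51.100.4","userIdentity":{"type":"IAMUser","userName":"alice"},"requestParameters":{"bucketName":"app-uploads","key":"report.pdf"}}
"""

FAILED_LOGIN_THRESHOLD = 3                    # failures from one IP ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # ... within this window
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
PUBLIC_GRANTEE = "groups/global/AllUsers"


def load_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _when(event: dict) -> datetime:
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def scan(events: list[dict]) -> list[dict]:
    """Apply stateless per-event rules plus one stateful rule (login failure burst)."""
    alerts: list[dict] = []
    failures: dict[str, list[datetime]] = defaultdict(list)

    def alert(severity: str, rule: str, event: dict) -> None:
        alerts.append({"severity": severity, "rule": rule,
                       "eventName": event.get("eventName"), "time": event.get("eventTime"),
                       "source": event.get("sourceIPAddress")})

    for ev in sorted(events, key=_when):
        name = ev.get("eventName")
        identity = ev.get("userIdentity", {})

        if identity.get("type") == "Root":
            alert("critical", "root account activity", ev)
        if name in LOGGING_TAMPER_EVENTS:
            alert("critical", "audit logging modified or stopped", ev)
        if name == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Success" and ev.get("additionalEventData", {}).get("MFAUsed") == "No":
                alert("high", "console login succeeded without MFA", ev)
            if outcome == "Failure":
                ip = ev.get("sourceIPAddress", "?")
                now = _when(ev)
                window = [t for t in failures[ip] if now - t <= FAILED_LOGIN_WINDOW] + [now]
                failures[ip] = window
                if len(window) >= FAILED_LOGIN_THRESHOLD:
                    alert("high", f"{len(window)} failed console logins from {ip} within "
                                  f"{int(FAILED_LOGIN_WINDOW.total_seconds() // 60)} min", ev)
                    failures[ip] = []   # reset so one burst yields one alert
        if name == "PutBucketAcl" and PUBLIC_GRANTEE in json.dumps(ev.get("requestParameters", {})):
            alert("high", "bucket ACL grants public access", ev)
    return alerts


def scan_sample() -> list[dict]:
    return scan(load_events(SAMPLE_LOG))


if __name__ == "__main__":
    for a in scan_sample():
        print(f"[{a['severity'].upper():8}] {a['time']} {a['eventName']:<14} {a['rule']}")
```

On the constructed log the scan raises five alerts: the third failed login from 203.0.113.7 trips the burst rule, the successful login without MFA is flagged, the bucket ACL that grants AllUsers read is flagged, and the StopLogging call by the root identity raises two critical alerts (root use and audit tampering). The final GetObject by alice raises nothing, which is the point: rules should be specific enough that routine activity stays quiet.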

Finally, a thorough Incident Response Plan (IRP) helps firms manage security breaches. According to Teerakanok, Uehara and Inomata (2021), the IRP should cover cloud security incidents through detection, containment, eradication, recovery, and post-incident review. Regular tabletop exercises and penetration tests help the security team respond rapidly to breaches. In the event of an attack, secure cloud backups and a disaster recovery plan reduce downtime and data loss (Aiello, 2024). Zero Trust security rules, properly implemented, reduce cloud cybersecurity risks and protect data.



Reference List

Ahmadi, S. (2024) 'Zero trust architecture in cloud networks: application, challenges and future opportunities,' Journal of Engineering Research and Reports, 26(2), pp. 215–228. https://doi.org/10.9734/jerr/2024/v26i21083.

Ahmadi, S. (2025) Autonomous identity-based threat segmentation in zero trust architectures. https://arxiv.org/abs/2501.06281.

Aiello, S.T. (2024) Prescriptive Zero Trust: Assessing the impact of zero trust on cyber attack prevention. https://scholar.dsu.edu/theses/466/.

Alevizos, L., Ta, V.T. and Eiza, M.H. (2021) 'Augmenting zero trust architecture to endpoints using blockchain: A state-of-the-art review,' Security and Privacy, 5(1). https://doi.org/10.1002/spy2.191.

Dakić, V. et al. (2024) 'Analysis of Azure Zero Trust Architecture implementation for mid-size organizations,' Journal of Cybersecurity and Privacy, 5(1), p. 2. https://doi.org/10.3390/jcp5010002.

Edo, O.C. et al. (2023) 'A zero trust architecture for health information systems,' Health and Technology, 14(1), pp. 189–199. https://doi.org/10.1007/s12553-023-00809-4.

Fernandez, E.B. and Brazhuk, A. (2024) 'A critical analysis of Zero Trust Architecture (ZTA),' Computer Standards & Interfaces, 89, p. 103832. https://doi.org/10.1016/j.csi.2024.103832.

Ferretti, L. et al. (2021) 'Survivable zero trust for cloud computing environments,' Computers & Security, 110, p. 102419. https://doi.org/10.1016/j.cose.2021.102419.

He, Y. et al. (2022) 'A survey on Zero Trust architecture: Challenges and future trends,' Wireless Communications and Mobile Computing, 2022, pp. 1–13. https://doi.org/10.1155/2022/6476274.

Hilbig, T., Schreck, T. and Limmer, T. (2023) ''State of the Union': Evaluating open source zero trust components,' in Lecture Notes in Computer Science, pp. 42–61. https://doi.org/10.1007/978-3-031-47198-8_3.

Jaiswal, S. (2024) Securing Amazon Web Services with Zero Trust Architecture. https://aaltodoc.aalto.fi/items/fb9b649e-cd5d-40d2-afe8-089bdd8d604f.

Laptev, V.A. and Feyzrakhmanova, D.R. (2024) 'Application of artificial intelligence in justice: Current trends and future prospects,' Human-Centric Intelligent Systems, 4(3), pp. 394–405. https://doi.org/10.1007/s44230-024-00074-2.

Manda, J.K. (2022) Zero trust architecture in telecom: Implementing zero trust architecture principles to enhance network security and mitigate insider threats in telecom operations. https://acadexpinnara.com/index.php/JIT/article/view/372.

Mandal, S., Khan, D.A. and Jain, S. (2021) 'Cloud-based Zero Trust access control policy: An approach to support work-from-home driven by COVID-19 pandemic,' New Generation Computing, 39(3–4), pp. 599–622. https://doi.org/10.1007/s00354-021-00130-6.

Ojo, A.O. (2025) 'Adoption of Zero Trust Architecture (ZTA) in the protection of critical infrastructure,' Path of Science, 11(1), p. 5001. https://doi.org/10.22178/pos.113-2.

Ramezanpour, K. and Jagannath, J. (2022) 'Intelligent zero trust architecture for 5G/6G networks: Principles, challenges, and the role of machine learning in the context of O-RAN,' Computer Networks, 217, p. 109358. https://doi.org/10.1016/j.comnet.2022.109358.

Sarkar, S. et al. (2022) 'Security of zero trust networks in cloud computing: A comparative review,' Sustainability, 14(18), p. 11213. https://doi.org/10.3390/su141811213.

Seymour, N.L. (2023) Zero Trust Architectures: A comprehensive analysis and implementation guide. https://digitalcommons.memphis.edu/etd/3329/.

Teerakanok, S., Uehara, T. and Inomata, A. (2021) 'Migrating to zero trust architecture: Reviews and challenges,' Security and Communication Networks, 2021, pp. 1–10. https://doi.org/10.1155/2021/9947347.

Verma, P.K. et al. (2024) 'Evaluating the effectiveness of zero trust architecture in protecting against advanced persistent threats,' ADCAIJ: Advances in Distributed Computing and Artificial Intelligence Journal, 13, p. e31611. https://doi.org/10.14201/adcaij.31611.
