Security assessment of cloud and on-premises infrastructure

Security assessment of infrastructure—whether cloud-based or on-premises—is a key component of strategic cyber risk management. While cloud environments offer flexibility, scalability, and shared responsibility models, on-premises infrastructure often remains a target of advanced attacks. Evaluating the security of these environments helps protect your organization’s critical assets, services, and data.

Benefits of Cloud and On-Premises Security Testing

  • Identification of weaknesses in configuration, access permissions, and network segmentation.

  • Verification that security policies, firewalls, and IAM models are correctly configured.

  • Detection of misconfigured services, access tokens, or shadow IT.

  • Testing of connectivity between cloud and on-premises environments (e.g. hybrid VPN, SSO, AD Sync).

  • Verification of compliance with DORA and support for data protection requirements under NIS2 or GDPR.


Key Objectives of Infrastructure Security Assessment

  • Verification of proper identity and access management (IAM) configurations.

  • Review of network architecture hardening and segmentation.

  • Identification of exposed services and interfaces (e.g. public IPs, open ports, APIs).

  • Simulation of real-world threats and attack scenarios through red team exercises.

  • Evaluation of security responsibilities within the shared responsibility model (cloud environments).

Typical vulnerabilities and differences between cloud and on-premises environments

| Vulnerability / Attack | Environment Type | Category | Description |
|---|---|---|---|
| Over-privileged IAM roles | Cloud | Identity (IAM) | An account has access to services beyond its intended role |
| Public S3 buckets / Azure Blob | Cloud | Configuration | Data leakage through publicly accessible storage objects |
| Default credentials on hypervisors | On-Premises | Configuration, Processes | Default passwords on servers or virtual machines remain unchanged |
| Unsecured VPN/RDP exposure | Cloud and On-Premises | Network vulnerability | Internet-facing remote access without MFA or proper segmentation |
| Misconfigured logging and alerts | Cloud and On-Premises | Configuration | Broken or improperly configured audit logs or SIEM |

What Requirements Does DORA Set for Infrastructure Security Assessment?

DORA requires a risk-based testing program for ICT systems supporting critical or business functions, regardless of whether they operate in cloud, on-premises, or hybrid environments.

DORA also requires:

  • Assessment of configurations and security controls across all cloud services in use (IaaS, PaaS, SaaS).

  • Involvement of qualified and independent testing teams.

  • Evaluation of technical and organizational weaknesses and verification of regulatory compliance.

  • Documentation of findings, proposals for remediation measures, and verification of their implementation.

  • Assessment involving third parties, such as cloud providers or outsourced service providers.


What Are the Requirements for Testing Teams?

  • Experience with hybrid architectures (Azure, AWS, GCP and traditional on-premises environments).

  • Ability to identify risks at the network, identity management, encryption, and application levels. While DORA does not mandate specific certifications, it requires appropriate team expertise.

  • Understanding of regulatory expectations and audit requirements.

  • Independence – the testing team (internal or external) must not have conflicts of interest with operational or development teams.


Why Work with BDO?

BDO provides comprehensive security assessments for both cloud and on-premises infrastructures in line with regulatory requirements and established frameworks (e.g. CIS Benchmarks, NIST CSF, ISO 27001). Our testing helps organizations identify vulnerabilities, evaluate resilience, and prepare for audits.

  • Technical expertise and experience

BDO has expert teams that test the infrastructure of leading banks, insurance companies, industrial organizations, and digital platforms. We conduct testing of access policies, network boundaries, segmentation, data encryption, and detection mechanisms in environments such as Microsoft Azure, AWS, GCP, and VMware.

  • Knowledge of the regulatory framework

We have deep knowledge of DORA, NIS2, and GDPR requirements and can adapt security assessments to the expectations of supervisory authorities (e.g. CNB, ECB, CNIL). We help organizations integrate testing results into their cyber resilience strategy.

  • Certified team with professional experience

Our team consists of certified experts with experience in infrastructure and cloud environments. We hold recognized certifications such as OSCP, CRTP, CEH, CCISO, CompTIA PenTest+, and CREST CPSA, confirming our technical capability to perform advanced infrastructure security audits.

Main contacts

Martin Hořický
Partner • Digital Services

Marek Kovalčík
Chief Information Security Officer • Digital Services