Project Evaluation Approach in Cloud Security Research

Cloud security research focuses on identifying potential threats to cloud-based computing environments; however, determining the efficacy of the controls designed to mitigate these threats is equally critical. Historically, the primary reason security breaches occur when using a cloud service provider such as Amazon Web Services (AWS) is the misconfiguration of the security controls provided by AWS. This project therefore uses an evaluative methodology to measure the degree to which several security controls improved the security posture of a controlled cloud computing environment.

Evaluation Methodology

The purpose of this evaluative methodology is to evaluate the extent to which the implementation of security controls available through Amazon Web Services (AWS) effectively reduces misconfiguration. An evaluative methodology is used to identify changes resulting from interventions that are made in a defined context. In this case, the “intervention” includes the deployment of identity and access management (IAM) and logging capabilities within a laboratory environment.

An evaluative methodology can be utilised to determine the impact of the deployment of security controls on an organisation’s ability to maintain secure configurations. For example, in this study, the evaluator compared the baseline configuration of a controlled test environment to the configuration of the same environment following the implementation of selected AWS security controls. Comparing the two states facilitated the identification of any reduction in misconfigured items following the deployment of the selected security controls.

This evaluative methodology aligns with the AWS Shared Responsibility Model, under which the customer is responsible for configuring and managing their own data and applications in the cloud (Amazon Web Services, n.d.-a). Evaluating how each security control affects the system’s configuration therefore provides an operational mechanism for determining how well customers meet their obligations under this model.

How This Applies to the Project

The evaluative methodology outlined above was utilised during this study in conjunction with an experimental AWS Laboratory Environment. The experimental environment was established with common misconfigurations existing in terms of IAM permissions and logging settings. These misconfigurations served as a measurable baseline upon which subsequent evaluations were based.

Following the establishment of the baseline, various security controls were implemented, including least-privilege access in IAM and enhancements to logging and monitoring configurations. The system was then evaluated again using the same evaluation criteria in order to compare the number and severity of misconfigurations before and after implementation of the security controls.

Using the same evaluation criteria before and after implementation gives confidence that differences in misconfigurations were caused solely by the implementation of the security controls rather than by external environmental variables.
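The pre/post comparison described above can be sketched as follows. This is an added example, not code from the project: the check ids, severity ratings, policy names and snapshot layout are assumptions constructed for illustration, with trail field names mirroring CloudTrail's describe-trails and get-trail-status output.

```python
from collections import Counter

# Check ids and severity ratings are assumptions; the page defines no scale.
def _as_list(v):
    return v if isinstance(v, list) else [v]

def check_iam(policies):
    """Yield (check_id, severity, resource) for over-broad Allow statements."""
    for name, doc in policies.items():
        for stmt in _as_list(doc["Statement"]):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if "*" in actions:
                yield ("IAM-WILDCARD-ACTION", "high", name)
            elif any(a.endswith(":*") for a in actions):
                yield ("IAM-SERVICE-WILDCARD", "medium", name)
            if "*" in resources:
                yield ("IAM-WILDCARD-RESOURCE", "medium", name)

def check_logging(trails):
    """Yield findings for trails that are stopped, single-region or unvalidated."""
    for t in trails:
        if not t.get("IsLogging"):
            yield ("LOG-TRAIL-STOPPED", "high", t["Name"])
        if not t.get("IsMultiRegionTrail"):
            yield ("LOG-SINGLE-REGION", "medium", t["Name"])
        if not t.get("LogFileValidationEnabled"):
            yield ("LOG-NO-VALIDATION", "low", t["Name"])

def evaluate(snapshot):
    # The same criteria are applied to every snapshot, baseline or post.
    return set(check_iam(snapshot["policies"])) | set(check_logging(snapshot["trails"]))

def compare(baseline, post):
    before, after = evaluate(baseline), evaluate(post)
    by_sev = lambda findings: dict(Counter(sev for _, sev, _ in findings))
    return {"before": by_sev(before), "after": by_sev(after),
            "resolved": sorted(before - after), "introduced": sorted(after - before)}

# Constructed lab snapshots (not data from the study).
BASELINE = {"policies": {
    "lab-admin": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "lab-s3": {"Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]}},
    "trails": [{"Name": "lab-trail", "IsLogging": False, "IsMultiRegionTrail": False, "LogFileValidationEnabled": False}]}
POST = {"policies": {
    "lab-s3": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::lab-bucket/*"}]}},
    "trails": [{"Name": "lab-trail", "IsLogging": True, "IsMultiRegionTrail": True, "LogFileValidationEnabled": False}]}
```

Calling `compare(BASELINE, POST)` returns severity counts for each state plus the resolved and newly introduced findings, so a control that fixes one item while breaking another is visible rather than netted out.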

Conclusion

Overall, an evaluative methodology allows researchers to systematically investigate cloud security controls. By utilising a pre-post design to compare a baseline configuration to a post-implementation configuration, researchers can collect quantifiable evidence about how IAM and logging controls may influence misconfiguration risk.
This approach both supports the practical application of cloud security practices and meets the academic expectations for carrying out research like this.

Adedoyin .A. Oduwole

MSc student specialising in cloud security and applied cybersecurity research. My work focuses on evaluating cloud-based security controls, particularly within Amazon Web Services (AWS), with an emphasis on reducing misconfiguration risk through practical implementation and structured evaluation methods.

References

Amazon Web Services (n.d.-a) Shared responsibility model. Available at: https://aws.amazon.com/compliance/shared-responsibility-model/ (Accessed: 18 March 2026).

Urban, J.B. and van Eeden-Moorefield, B. (2017) Designing and proposing your research project. Washington, DC: American Psychological Association.
