Cloud Pentesting
A Cloud penetration test (or pentest) assesses the strong and weak points in cloud-based systems to improve the overall cloud security level. It exposes vulnerabilities, risks and possible gaps between the actual level of digital security and the assumed, desired or required level.
Cloud computing is so pervasive these days that we often don’t even realize we use it anymore. However, due to the shared responsibility of the cloud customer and the cloud service provider, there are new risks that need to be assessed that deal with how the cloud provider and the customer have configured the services.
Secura offers detailed assessments on the Cloud Service Provider configuration (Azure/AWS/Google and others) that allow the Cloud service customers to deploy in the cloud with the confidence that all security configurations are set correctly. Also, when using container technologies such as Kubernetes and Docker, Secura can provide assessment services. We have experience in all deployment models (SaaS, IaaS, PaaS or FaaS).
From On-Premise to SaaS
Cloud Security Scheme
Crystal-Box Cloud (CBC) Assessment for Cloud Service Customers (CSCs)
In our security assessments for Cloud Service Customers (CSC) we focus on what lies within the sphere of control of the CSC. Analogous to a crystal-box (or white-box) application security assessment, the Crystal-box Cloud assessment (CBC) is performed with as much information available to the testers as possible.
This enables the most in-depth testing to take place and provides insight into detailed configuration settings and authorizations. In a purely application-focused assessment, this usually means that the source code is available to the testers so that complex and hard-to-find vulnerabilities can be identified. In the cloud, in addition to the source code of an application, Secura can identify weaknesses by examining the actual cloud configuration settings.
CCM Compliance Audits for Cloud Service Providers (CSPs)
Whereas Secura’s CBC assessment services focus on directly helping customers of cloud service providers, Secura also assists Cloud Service Providers (CSPs) with providing assurance and guidance to their customers. While larger vendors have already gained the trust of the industries and markets, smaller vendors or CSPs that offer cloud-based SaaS and PaaS services are often asked to provide assurance on their control of data security for their customers.
An ISO27001 certification is of course a good starting point but fails to include cloud-specific controls and compliance aspects. For this reason, there exists an extension to the ISO27002 standard, specifically for cloud providers (ISO27017), and also an extension for personally identifiable information (PII) in the cloud (ISO27018).
Furthermore, the Cloud Security Alliance (CSA) specifically developed the Cloud Controls Matrix (CCM) as a stand-alone framework addressing a full gamut of controls with regard to cloud security.
While the CCM standard is positioned to be used by cloud consumers, it is clear from the standard that a significant number of controls cannot be directly checked by a CSP. Instead, what is needed is for an auditor to audit the CSP against this framework, for instance using the International Standard on Audit Engagements 3000 (ISAE 3000) assurance standard. This then enables the CSP to prove to the (prospective) customer that an independent auditor has verified adherence to the CCM.
Secura provides such ISAE3000 assurance audits for CSPs and their customers. Our certified and registered IT-Auditors (Register EDP-auditor, or RE in Dutch) are qualified and Secura’s audit process is efficient and modern, supported by various tools and fully compliant with modern audit standards. What’s more, they can build on the knowledge and experience of our technical experts who perform cloud security assessments for our customers.
Why choose Secura | Bureau Veritas
At Secura/Bureau Veritas, we are dedicated to being your trusted partner in cybersecurity. We go beyond quick fixes and isolated services. Our integrated approach makes sure that every aspect of your company or organization is cyber resilient, from your technology to your processes and your people.
Secura is the cybersecurity division of Bureau Veritas, specialized in testing, inspection and certification. Bureau Veritas was founded in 1828, has over 80.000 employees and is active in 140 countries.