Cloud Security Assessment

Cloud services like AWS, Azure, GCP and Microsoft 365 are powerful, large and complex, and they provide many ways to shoot yourself in the foot from a security point of view. In many ways, you are just a few clicks away from publishing your private database to the world.

All these platforms have a shared responsibility model for security. They protect the services they provide, but it is up to the consumer to protect the operating system images and use them securely. Our security review aims to search for and identify common misconfigurations and poor design practices that can expose more than you intended.

Cloud Penetration Testing

Testing cloud services can differ from a traditional on-premises pen-test.

We assess your AWS account, Microsoft 365 tenancy or Azure subscriptions using a combination of automated tools and manual testing, measuring the configuration against the security best practices from the Center for Information Security and the NCSC. We also check whether good security hygiene practices, such as managing user accounts, are in place.

We usually recommend performing cloud reviews in conjunction with external pen-tests. In these cases, we’ll use data on the resources and IP addresses we have discovered within your cloud environment to guide the scope of the external penetration test – helping to minimise cost and maximise coverage.

All the testing we perform falls within the penetration testing activities these platforms permit without prior notification.

Services we commonly test include:

Before we start any testing, we’ll agree on a formal testing scope document with you. In this, we’ll agree on the accounts or tenancies in scope and how to access your accounts’ configuration.

Because people use IaaS in complex and varied ways, after the testing we will explore some of the findings with you in a meeting. This gives us the situational awareness to make recommendations relevant to your specific use of the cloud provider.

Once our testing is complete, we’ll provide you with a report with detailed findings, their impact and how to fix them. We can also provide consultancy to help fix these if that is useful to you.