Cloud Pentesting

Crystal-Box Cloud (CBC) Assessment for Cloud Service Customers (CSCs)

In our security assessments for Cloud Service Customers (CSC) we focus on what lies within the sphere of control of the CSC. Analogous to a crystal-box (or white-box) application security assessment, the Crystal-box Cloud assessment (CBC) is performed with as much information available to the testers as possible.

This enables the most in-depth testing to take place, and provides insight in detailed configuration settings and authorizations. In a purely application-focused assessment, this usually means that the source code is available to the testers so that complex and hard-to-find vulnerabilities can be identified. In the cloud, in addition to the source code of an application, Secura can identify weakness by examining the actual cloud configuration settings.

CCM Compliance Audits for Cloud Service Providers (CSPs)

Whereas Secura’s CBC assessment services focus on directly helping customers of cloud service providers, Secura also assists Cloud Service Providers (CSPs) with providing assurance and guidance to their customers. While larger vendors have already gained the trust of the industries and markets, smaller vendors or CSPs that offer cloud-based SaaS and PaaS services are often asked to provide assurance on their control of data security for their customers.

An ISO27001 certification is of course a good starting point but fails to include cloud-specific controls and compliance aspects. For this reason, there exists an extension to the ISO27002 standard, specifically for cloud providers (ISO27017), and also an extension for personally identifiable information (PII) in the cloud (ISO27018).

Furthermore, the Cloud Security Alliance (CSA) specifically developed the Cloud Controls Matrix (CCM) framework as a stand-alone framework addressing a full gamut of controls with regards to cloud security.

While the CCM standard is positioned to be used by cloud consumers, it is clear from the standard that a significant number of controls cannot be directly checked by a CSP. Instead, what is needed is for an auditor to audit the CSP against this framework, for instance using the International Standard on Audit Engagements 3000 (ISAE 3000) assurance standard. This then enables the CSP to prove to the (prospective) customer that an independent auditor has verified adherence to the CCM.

Secura provides such ISAE3000 assurance audits for CSPs and their customers. Our certified and registered IT-Auditors (Register EDP-auditor, or RE in Dutch) are qualified and Secura’s audit process is efficient and modern, supported by various tools and fully compliant with modern audit standards. What’s more, they can build on the knowledge and experience of our technical experts who perform cloud security assessments for our customers.

ABOUT SECURA

Secura is a leading cybersecurity expert. Our customers range from government and healthcare to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.

Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80.000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.