Whether you simply use virtualised servers at a provider or have built your entire workload in the cloud using microservices, your security ultimately remains your own responsibility. Secura helps you gain insight into the threats to, and the security status of, all your cloud-connected and cloud-hosted applications and data.
Secura has developed a number of cloud-specific service offerings that augment the application and infrastructure assessment and assurance services we have always performed:
Crystal-Box Cloud (CBC) Assessment for Cloud Service Customers (CSCs)
In our security assessments for Cloud Service Customers (CSCs) we focus on what lies within the sphere of control of the CSC. Analogous to a crystal-box (or white-box) application security assessment, the Crystal-Box Cloud (CBC) assessment is performed with as much information available to the testers as possible. This enables the most in-depth testing to take place and provides insight into detailed configuration settings and authorisations. In a purely application-focused assessment, this usually means that the source code is available to the testers so that complex and hard-to-find vulnerabilities can be identified. In the cloud, in addition to the source code of an application, Secura can identify weaknesses by examining the actual cloud configuration settings.
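To make the last point concrete, here is an added example (not Secura's tooling, and not code from this page) of what reviewing "actual cloud configuration settings" looks like in practice: a small checker that walks a configuration snapshot and flags the kinds of findings a crystal-box cloud assessment typically reports, such as publicly readable storage, unencrypted data at rest, wildcard IAM grants and management ports exposed to the whole internet. The snapshot and its provider-neutral schema (`storage_buckets`, `iam_policies`, `security_groups`) are constructed for this example; a real assessment would export the equivalent data from the provider's API or infrastructure-as-code state.

```python
"""Added example: audit a constructed cloud configuration snapshot for
common misconfigurations. The schema below is hypothetical and
provider-neutral; it is not a real provider's export format."""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Finding:
    resource: str
    severity: str
    message: str


# Constructed sample configuration (not real customer data).
SAMPLE_CONFIG: dict[str, Any] = {
    "storage_buckets": [
        {"name": "public-assets", "public_access": True, "encryption": "none"},
        {"name": "customer-data", "public_access": False, "encryption": "kms"},
    ],
    "iam_policies": [
        {"name": "ops-admin",
         "statements": [{"effect": "Allow", "actions": ["*"], "resources": ["*"]}]},
        {"name": "reader",
         "statements": [{"effect": "Allow", "actions": ["storage:GetObject"],
                         "resources": ["bucket/customer-data/*"]}]},
    ],
    "security_groups": [
        {"name": "db-sg", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]},
        {"name": "web-sg", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    ],
}

# Admin and database ports that should never be reachable from the whole internet.
MANAGEMENT_PORTS = {22, 3389, 1433, 3306, 5432}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def check_buckets(buckets: list[dict[str, Any]]) -> list[Finding]:
    """Flag buckets that are world-readable or store data unencrypted."""
    findings: list[Finding] = []
    for b in buckets:
        if b.get("public_access"):
            findings.append(Finding(b["name"], "HIGH", "bucket allows public access"))
        if b.get("encryption", "none") == "none":
            findings.append(Finding(b["name"], "MEDIUM", "bucket has no at-rest encryption"))
    return findings


def check_iam(policies: list[dict[str, Any]]) -> list[Finding]:
    """Flag Allow statements that use wildcards for actions and/or resources."""
    findings: list[Finding] = []
    for p in policies:
        for s in p.get("statements", []):
            if s.get("effect") != "Allow":
                continue
            wild_action = "*" in s.get("actions", [])
            wild_resource = "*" in s.get("resources", [])
            if wild_action and wild_resource:
                findings.append(Finding(p["name"], "HIGH", "policy grants all actions on all resources"))
            elif wild_action or wild_resource:
                findings.append(Finding(p["name"], "MEDIUM", "policy uses a wildcard action or resource"))
    return findings


def check_security_groups(groups: list[dict[str, Any]]) -> list[Finding]:
    """Flag management/database ports that are open to any source address."""
    findings: list[Finding] = []
    for g in groups:
        for rule in g.get("ingress", []):
            if rule["cidr"] in ANYWHERE and rule["port"] in MANAGEMENT_PORTS:
                findings.append(Finding(g["name"], "HIGH", f"port {rule['port']} open to the internet"))
    return findings


def audit(config: dict[str, Any]) -> list[Finding]:
    """Run every check over the snapshot and return all findings in one list."""
    findings: list[Finding] = []
    findings += check_buckets(config.get("storage_buckets", []))
    findings += check_iam(config.get("iam_policies", []))
    findings += check_security_groups(config.get("security_groups", []))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.resource}: {f.message}")
```

Run against the constructed snapshot, the checker reports four findings: the public, unencrypted `public-assets` bucket (two findings), the `ops-admin` policy with `*` on `*`, and PostgreSQL port 5432 in `db-sg` reachable from anywhere; the HTTPS rule in `web-sg` is left alone because 443 is expected to be public. The point of the design is that each check is a pure function over data, so the same rules can be re-run on every configuration export and the results compared over time.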
CCM Compliance Audits for Cloud Service Providers (CSPs)
Whereas Secura's CBC assessment services focus on directly helping the customers of cloud service providers, Secura also assists Cloud Service Providers (CSPs) with providing assurance and guidance to their customers. While larger vendors have already gained the trust of their industries and markets, smaller vendors and CSPs that offer cloud-based SaaS and PaaS services are often asked to provide assurance to their customers about how they control data security.
An ISO27001 certification is of course a good starting point but fails to include cloud-specific controls and compliance aspects. For this reason, there exists an extension to the ISO27002 standard, specifically for cloud providers (ISO27017), and also an extension for personally identifiable information (PII) in the cloud (ISO27018).
Furthermore, the Cloud Security Alliance (CSA) specifically developed the Cloud Controls Matrix (CCM) framework as a stand-alone framework addressing a full gamut of controls with regards to cloud security.
While the CCM standard is positioned to be used by cloud consumers, it is clear from the standard that a significant number of controls cannot be directly checked by a CSP. Instead, an auditor needs to audit the CSP against this framework, for instance using the International Standard on Assurance Engagements 3000 (ISAE 3000) assurance standard. This enables the CSP to prove to (prospective) customers that an independent auditor has verified its adherence to the CCM.
Secura provides such ISAE 3000 assurance audits for CSPs and their customers. Our certified and registered IT auditors (Register EDP-auditor, or RE in Dutch) are qualified for this work, and Secura's audit process is efficient and modern, supported by various tools and fully compliant with current audit standards. What's more, they can build on the knowledge and experience of our technical experts who perform cloud security assessments for our customers.