Cloud Pentesting


A Cloud penetration test (or pentest) assesses the strong and weak points in cloud-based systems to improve the overall cloud security level. It exposes vulnerabilities, risks and possible gaps between the actual level of digital security and the assumed, desired or required level.

Cloud computing is so pervasive these days that we often don’t even realize we use it anymore. However, due to the shared responsibility of the cloud customer and the cloud service provider, there are new risks that need to be assessed that deal with how the cloud provider and the customer have configured the services.

Bureau Veritas Cybersecurity offers detailed assessments of the cloud service provider configuration (Azure/AWS/Google and others) that allow cloud service customers to deploy in the cloud with the confidence that all security configurations are set correctly. Bureau Veritas Cybersecurity can also provide assessment services for container technologies such as Kubernetes and Docker. We have experience in all deployment models (SaaS, IaaS, PaaS or FaaS).

From On-Premise to SaaS


Cloud Security Scheme

Crystal-Box Cloud (CBC) Assessment for Cloud Service Customers (CSCs)

In our security assessments for Cloud Service Customers (CSC) we focus on what lies within the sphere of control of the CSC. Analogous to a crystal-box (or white-box) application security assessment, the Crystal-box Cloud assessment (CBC) is performed with as much information available to the testers as possible.

This enables the most in-depth testing to take place, and provides insight into detailed configuration settings and authorizations. In a purely application-focused assessment, this usually means that the source code is available to the testers so that complex and hard-to-find vulnerabilities can be identified. In the cloud, in addition to the source code of an application, Bureau Veritas Cybersecurity can identify weaknesses by examining the actual cloud configuration settings.

CCM Compliance Audits for Cloud Service Providers (CSPs)

Whereas our CBC assessment services focus on directly helping customers of cloud service providers, Bureau Veritas Cybersecurity also assists Cloud Service Providers (CSPs) with providing assurance and guidance to their customers. While larger vendors have already gained the trust of the industries, smaller vendors or CSPs that offer cloud-based SaaS and PaaS services are often asked to provide assurance on their control of data security for their customers.

An ISO27001 certification is of course a good starting point but fails to include cloud-specific controls and compliance aspects. For this reason, there exists an extension to the ISO27002 standard, specifically for cloud providers (ISO27017), and also an extension for personally identifiable information (PII) in the cloud (ISO27018).

Furthermore, the Cloud Security Alliance (CSA) specifically developed the Cloud Controls Matrix (CCM) framework as a stand-alone framework addressing a full gamut of controls with regard to cloud security.

While the CCM standard is positioned to be used by cloud consumers, it is clear from the standard that a significant number of controls cannot be directly checked by a CSP. Instead, what is needed is for an auditor to audit the CSP against this framework, for instance using the International Standard on Audit Engagements 3000 (ISAE 3000) assurance standard. This then enables the CSP to prove to the (prospective) customer that an independent auditor has verified adherence to the CCM.

Bureau Veritas Cybersecurity provides such ISAE3000 assurance audits for CSPs and their customers. Our certified and registered IT-Auditors (Register EDP-auditor, or RE in Dutch) are qualified and Bureau Veritas Cybersecurity’s audit process is efficient and modern, supported by various tools and fully compliant with modern audit standards. What’s more, they can build on the knowledge and experience of our technical experts who perform cloud security assessments for our customers.
 


Why choose Bureau Veritas Cybersecurity

Bureau Veritas Cybersecurity is your expert partner in cybersecurity. We help organizations identify risks, strengthen defenses and comply with cybersecurity standards and regulations. Our services cover people, processes and technology, ranging from awareness training and social engineering to security advice, compliance and penetration testing.

We operate across IT, OT and IoT environments, supporting both digital systems and connected products. With over 300 cybersecurity professionals worldwide, we combine deep technical expertise with a global presence. Bureau Veritas Cybersecurity is part of the Bureau Veritas Group, a global leader in testing, inspection and certification.