“CLOUD”: CONFIGURATION & CONTAINERISATION

Our approach considers and adapts to such complexities and errors that occur with the ease of deployment and scale that gives cloud its advantage.

A New Realm of Risk: Cloud services come with so many new dimensions of risk. Where the components of an overall environment may span traditional Infrastructure and some Cloud components for specific tasks (hybrid Cloud) to full use of Cloud for both Applications and Infrastructure (and everything in-between). Unlike a contained application, the boundary of security controls and flow does not start and end with defined borders, nor can we sit it within our own DMZ and apply traditional management and monitoring to it.

Security weaknesses in the cloud itself are not the scope of review or work in this instance. Our capabilities lead us to assess the integration and the hand-off/delineation of responsibility and service and uniqueness of design in infrastructure, applications, data and integrations of an overall environment.

Beyond Basic Cloud Methodology: In terms of methodology, we use best practice plus our own methods. The Cloud Penetration Testing Handbook provides a good basis for the high-level work and approach for testing but like all great frameworks this forms the basis for expert work and this is where expertise, workflow and IP are required on top of such methods.

It is key to examine and validate the myriad of components, micro services, data flows, hand-offs of responsibility, layers of IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service) that give rise to so much opportunity for flaws to be expressed and inherent vulnerabilities to be exploited.

Establishing the Weak Link: Information Security has clearly become a multi-dimensional discipline and the attack surface is both one of depth (in the application stack) and breadth (across its deployment architecture). With back-end systems, infrastructure and cloud solutions as a service, the advantages for software programs are driving rapid rates of deployment. However, security as we know is all about the weakest links and we have seen over recent times exploits executed against configuration weaknesses of application, cloud and infrastructure as a service or integrations therein.

Chaleit’s capabilities include configuration reviews that are designed to be holistic in nature to identify control gaps, common threats, uncover complexities and unknown exposures. Key to any capability is to have the ability to identify all the assets in a particular environment, including service providers, stakeholders and to examine specific requirements for risk, compliance, policy and the effectiveness of existing controls. Cloud configuration review is a highly interactive consultancy process involving an eye for both detail and context in combination with our specific Cloud Security Assessment methods.