Cloud Security

  • Cerberus Labs can offer detailed assessments of the security posture of AWS and Azure environments. Depending on your requirements, testing can cover your deployed services such as Virtual Machines or serverless functions or databases etc, your identity plane such as Entra or AWS IAM, and your control plane to provide insights into your current risk posture.

  • Cloud architecture reviews are a great way to foster a security-first strategy for solutions hosted with Azure, AWS GCP etc. Identifying potential issues or bottlenecks to your security posture before they are implemented is a cost-effective and efficient way to transform your business’s risk strategy.

  • With native DevOps services offered in cloud providers like Azure, they often differ in their features, configurations, and therefore attack surface.

  • The ability to programmatically deploy resources to the cloud is a popular solution in any organisation as it allows consistency, replicability, and version control for all your infrastructure templates. However, misconfigured templates can have serious consequences for a business, potentially leaving all infrastructure deployed vulnerable.

  • Container orchestration platforms by nature provide a more robust and compartmentalized infrastructure solution compared to legacy alternatives. However, if not appropriately controlled an attacker can abuse weaknesses in these platforms to control your nodes and clusters, causing Denial of Service activities or pivoting further into your internal network.

What is Cloud Security Testing?

With a multitude of services and solutions hosted in cloud environments including web applications, microservices, containers, infrastructure, or even Identity and Access Management solutions, it is becoming ever increasingly difficult to manage the configurations of these services while meeting the needs of your business.

Our approach when reviewing cloud environments is to assess the configuration of these services (also known as a cloud configuration review) while understanding the business context of the implemented solutions to provide targeted and tailored recommendations to be implemented.

Configuration Reviews.

 

A cloud configuration review is a comprehensive review of the settings and configurations within your cloud infrastructure. This process ensures adherence to security best practices and minimises operational risks. The review encompasses a thorough analysis of access controls, encryption settings, network security parameters, firewall rules, logging and monitoring configurations, and resource tagging practices across various cloud services. The objective is to identify misconfigurations, vulnerabilities, and areas for improvement. Subsequently, actionable recommendations are provided to enhance security posture, operational efficiency, and cost-effectiveness. The overarching goal is to maintain robust security, comply with regulatory requirements, and optimize cloud resources for optimal performance and resilience.

A typical assessment will aim to cover the following high-level areas:

  • Identity and Access Management (IAM)

  • Logging and Monitoring

  • Encryption

  • Networking

  • Storage

  • Secrets Management

Architecture Review.

 

Cloud security architecture reviews are a holistic assessment of security layers across infrastructure, application, people, and processes. As part of our review proces we analyze architecture diagrams, service configurations, network topologies, and any integrations with third-party services. Architecture reviews tend to be collaborative in nature and often takes place over several meetings to discuss the purpose of the solution and reasons for the design. Business decisions are taken into condsideration to find an effective balance between security and usability.

Scope

The scope of such a review typically consists of the following items, however, should not be considered exhaustive:

  • Cloud infrastructure and services

  • Network Communications

  • Data encryption in transit/ at rest

  • Systems:

    • Storage solutions

    • Virtual machines

    • Key Vaults

    • Deployment solutions

    • Public Key Infrastructure (PKI)

    • Authentication

  • Integrity and Redundancy

  • Application

    • Third-party (integrations, APIs, data transfers

  • Logging and Monitoring

Devops.

 

Technologies

There are several cloud-native DevOps solutions. Each has its own specific configurations that can be configured to reduce their overall attack surface and exploitability.

  • Azure DevOps

  • Cloudformation

  • Github/ Gitlab

  • Hashicorp

DevOps Configuration review

Cloud-based DevOps solutions such as Azure DevOps (ADO) offer a comprehensive set of services to create and manage complex development and Infrastructure as Code (IaC) pipelines and repositories. There are several areas covered when conducting a review of DevOps solutions such as ADO, including:

  • RBAC (Role Based Access Control)

  • Organizational Settings

  • Project Level Settings

  • Pipelines

    • Logs

    • YAML Definitions

    • Logic

    • Secret handling

    • Argument Injection

  • Agents/ Agent Pools

  • Repositories

  • Service Connections

  • IaC templates

Pipelines are a sensitive asset within DevOps; if an adversary were to compromise a misconfigured pipeline it could provide them access to:

  • Sensitive source code repositories

  • The internal network

  • Compromise of the underlying Azure environment or container registry

As a result, reviewing pipeline configurations is critical to understanding the attack surface within a DevOps environment.

Agents are often an overlooked aspect in regard to an evironments security posture. For example, if an agent is provisioned with overly permissive roles, they could be leveraged for privilege escalation or lateral movement activities. Alternatively, if an agent is running on shared infrastructure between project teams or between development and production environments. An attacker could gain access to more sensitive code repositories pushing malicious code into business-critical applications, compromising third parties in a supply chain attack. Alternatively, if an attacker was able to get a foothold into a development environment, the use of misconfigured agents could allow for access into production.

Infrastructure as Code (IaC).

IaC is the ability to define and deploy infrastructure components through the use of code instead. A review of IaC templates seeks to identify and review:

  • Insecurely stored sensitive data

  • Misconfigured resources or connections

  • Secrets management

  • Privilege escalation vectors

  • Configuration drift

  • Insecure state files

  • Containers running outdated or vulnerable images.

FAQs

What is the process for conducting a penetration test?

A high-level methodology for conducting a security assessment can be found here.

How long does a typical engagement take?

The duration of an engagement depends on the size and complexity of your solution, the scope of the testing, and the specific objectives of the assessment. On average, an engagement can last anywhere from a few days to several weeks. Our team will provide you with a detailed timeline and schedule to ensure minimal disruption to your business operations during the testing process.

What deliverables can we expect from a penetration testing engagement?

At the conclusion of the penetration testing engagement, you will receive a comprehensive PDF report detailing the findings, vulnerabilities discovered, and recommended remediation steps. The report will include an executive summary, technical details of the vulnerabilities identified, risk prioritisation, and actionable recommendations to strengthen your security posture. Our team will also be available to provide guidance and support in implementing the recommended remediation measures.

What is a security assessment, and why do we need it?

Security assessments (Penetration tests) are a method of evaluating the security of computer systems, networks, or applications by simulating real-world attacks. It helps identify vulnerabilities and weaknesses that malicious actors could exploit. By conducting security assessments, businesses can proactively strengthen their security measures and protect their sensitive data from potential cyber threats.

How can I carry out a security assessment with you?

Get in touch! Use our contact form here and provide us with background and context on the project and we will get back to you to arrange a call.

How often should we conduct penetration testing?

The frequency of testing depends on various factors such as changes in your network infrastructure, the introduction of new systems or applications, regulatory requirements, and the level of risk tolerance within your organization. Typically, it's recommended to conduct testing at least once a year, but more frequent testing may be necessary for high-risk environments or industries.

Security assessments are flexible and can often benefit from the shift left approach to software development. Conducting smaller, more regular assessments as part of the development lifecycle. This can help catch vulnerabilities early in their lifetime before they make it into products or services.