Cloud Security Testing

OVERVIEW

Securing cloud infrastructure is an important aspect of digital mobility. Most cloud migration services focus on speed rather than security. Multiple data breaches have taken place due to misconfigured cloud services and improper access controls.

Kratikal’s Cloud Security services provide a unique solution to protect your IT assets deployed in the cloud. We test cloud deployments against best practices and benchmarks for data breaches, misconfigured cloud instances and insecure deployments.


ADVANTAGES

Comprehensive risk assessment of the cloud infrastructure.

Remove the possibility of data breaches and hacks due to misconfigured instances.

Improve security of the instance by integrating compatible third-party security tools.

Implement additional security modules like encryption, 2-Factor Authentication and access level separation.



HOW IT WORKS

We follow universal testing standards like OWASP, OSSTMM and SANS for comprehensive security assessments.


Information Gathering:
We understand the customer's requirements, the working of the IT asset deployed on the cloud (IaaS, SaaS, PaaS, etc.) and the use case of the cloud deployment.

Planning and Analysis:
Based on the information collected in the previous stage, we analyse the possible attack points and devise a full-scale “Red Team” approach to mimic real-time attacks. To minimise the impact on the day-to-day activities of the IT asset, we plan the attack either on a dummy environment or during times of lowest network activity (lowest traffic).

Vulnerability Assessment:
We analyse the cloud configuration, security controls, access levels and the type of instance. Based on this, we design the attack plan and risk assessment strategy.

Penetration Testing:
Here we run exploits on the cloud to evaluate its security. We use custom scripts, open-source exploits, in-house tools and third-party exploit frameworks to achieve a high degree of penetration. Based on factors like the vendor, the type of cloud instance and the requirements of the IT asset, we exploit the vulnerabilities present and generate PoCs.

Reporting:
We generate concise and succinct reports of the vulnerabilities discovered, along with a discussion of the nature of each vulnerability, its impact, its threat level and a recommendation to remove it.

Discussion:
Our technical experts discuss the report, the bugs found and their impact scenarios with the client's development team. Comprehensive discussions are carried out on how to remove the vulnerabilities. We also suggest third-party tools to improve the security of the cloud deployment.