Cloud Security Assessment

Cloud Security Assessment

With organisations increasingly moving services into cloud offerings to improve scalability, agility and reduce costs, assessing the security risk of cloud computing has become ever more important.

Context has extensive experience identifying exploitable weaknesses in our clients‘ cloud environments. Our cloud penetration testing services can assess configuration, permissions models as well as hybrid and multi-cloud environments to determine which avenues of attack are plausible within your estate. 

To help understand your own exposure to various attacks, Context offers the following cloud vulnerability assessment services: 

  • Baseline account configuration review 
    This can be done in AWS, Azure, and Google Cloud Platform and assesses the configuration of a cloud account itself, its access permissions, and any resources deployed within the account. What resources are users able to access? How could resources be mis-configured? And how might a potential attacker leverage these mis-configurations? 
  • Assumed compromise breakout assessment 
    This involves starting from an assumed compromise position on a compute instance and assessing what the blast radius is, and what an attacker can achieve from that position. Can other instances be accessed? Or worse, can they achieve privilege escalation within the account and gain full control of the cloud account? 
  • Egress assessment – breaking out 
    For private hybrid cloud environments, where a public cloud provider is not being used for any public-facing services but purely as an extension of an on-premise environment, we can offer an extensive egress assessment. This serves to determine if any services have not been locked down sufficiently and therefore allow data to flow out from the VPC to the Internet, or worse, out from an on-premise instance, through the VPC and out to the Internet. 
  • Bespoke scenario assessment
    This can be tailored specifically to your estate, assessing the extent at which specific scenarios can or cannot be achieved by each threat actor in your threat model.

These are in addition to our usual service offerings which can all also be performed inside cloud environments (e.g. web application assessments, build reviews, internal and external infrastructure assessments and others). 

Why Context? 

Context has previously assessed many cloud environments for clients, across AWS, Azue, Google Cloud, and more, including multiple clients with cloud spend of over £1 million per year. Our research, experience, and attack-focused mindset allow us to repeatedly identify vulnerabilities in our clients‘ cloud environments which would have real-world consequences if exploited by an attacker. 

Download our cloud security assessment flyer, to read examples of some of the exploitable vulnerabilities we’ve been able to make clients aware of. 

Read our three-part series of blog posts about our experiences of hybrid cloud environments and of containerisation

Book a consultation

Contact us to discuss your cloud security concerns and challenges.

CREST
CREST STAR
CHECK IT Health Check Service
CBEST
Cyber Essentials
CESG Certified Service
First - Improving Security Together
BSI ISO 9001 FS 581360
BSI ISO 27001 IS 553326
PCI - Approved Scanning Vendor
NCSC CCSC - Assured Service Provider