Cloud Services Security Review
The team at Insomnia Security have a wide array of knowledge and experience in testing AWS, Azure, GCP, Salesforce, Office365 and most other modern Cloud Services that are in use by enterprises.
Security testing of cloud-based environments differs from traditional penetration testing depending on the service itself, any integration with on-premise systems, and the services deployed or exposed. In addition to the standard testing that would occur against any hosted application or exposed network layer, further specialised testing that targets the specifics of the cloud service is also necessary.
Some of this testing includes a review of:
- Controls for data access, such as S3 Buckets and RDS
- Dangling domains or obsolete system references
- Default accessibility or page overrides
- Global Apex methods and SOQL Injection
- Identity and Access management
- Internal security groups or virtual network controls
- Logging and auditing
- Policy and service configuration
- Privilege escalation through account impersonation
The security review may include a mixture of both passive testing (via service console access) and active testing (through access to a hosted system within the environment). Insomnia Security is always open to discussing an approach around the important things to consider when conducting an effective review of cloud services.