Crystal-Box Cloud (CBC) Assessment for Cloud Service Customers (CSCs)

In our security assessments for Cloud Service Customers (CSCs), we focus on what lies within the CSC's sphere of control. Analogous to a crystal-box (or white-box) application security assessment, the Crystal-Box Cloud (CBC) assessment is performed with as much information available to the testers as possible. This enables the most in-depth testing to take place and provides insight into detailed configuration settings and authorizations. In a purely application-focused assessment, this usually means that the source code is available to the testers so that complex and hard-to-find vulnerabilities can be identified. In the cloud, in addition to the source code of an application, Xpentest can identify weaknesses by examining the actual cloud configuration settings.



The following topics will be addressed in such an assessment:

Data Protection

  • Unintended exposure of data
  • Encryption of data storage (S3 buckets or otherwise)
  • Key Management (such as CloudHSM or Keyvault)
  • Credential management
  • Data Loss Prevention (DLP) settings

Identity and Access Management

  • User groups and permissions
  • Service authentication settings
  • Account Policies
  • Synchronization and Identity Federation settings

Logging and Monitoring

  • Log service usage
  • Regional settings
  • Log file encryption
  • Workload monitoring

Network Security

  • API Management
  • VPNs
  • Network access controls such as VPC, SG, NSG and VNet security settings
  • TLS certificate and Public Key Infrastructure usage

Why Us

Our strength lies in understanding our clients' business processes, culture, vision and goals across industry segments and offering reliable, client-oriented solutions. We commenced operations in 2018 to provide cyber security consulting services to clients globally as partners, and to conceptualize, realize and lead technology-driven business transformation initiatives to completion.

500+

Pentests Delivered

80+

Trainings Delivered

20+

Continuous Vulnerability Monitoring