500+ customers place their trust in us – from startups to large companies
Application area
You want to use Microsoft 365 but cannot assess the risks. Or you want to move parts of your IT to the cloud and need quality control before migration.
Objectives
Is your Microsoft 365 cloud designed and secured according to security best practices, or are there design flaws and critical security vulnerabilities?
Result
You receive a meaningful assessment of the security level of your cloud environments with a detailed report on vulnerabilities and recommendations for action.
What is the security level of your Microsoft 365, Azure or AWS Cloud?
Cloud security assessment
A cloud security assessment is a structured and in-depth review of your cloud design and configuration, supplemented by various technical tests in specific scenarios.
In interviews with the responsible persons, we learn about the desired level of protection and the measures intended to achieve it, and review this design for its viability. Alternatively, our experts independently review your cloud security settings and supplement this technical review with selected penetration test scenarios.
As a result, you receive a detailed test report that describes and evaluates all identified risks, provides meaningful recommendations and summarizes them in a management summary.
Why cloud assessments with HvS?
Our assessment approach is applicable to all cloud solutions: "Software as a Service" (SaaS), "Platform as a Service" (PaaS) or "Infrastructure as a Service" (IaaS) solutions, for Microsoft Azure, Amazon Web Services or the Google Cloud. And we have the right skills thanks to our portfolio:
Pentester
We are proficient in various types of penetration testing and know most components of cloud environments. So we know what and how to test.
Incident responder
From our numerous incident response engagements, we repeatedly experience first-hand what often goes wrong and where the greatest cloud risks lie.
Auditors
Large parts of a cloud assessment do not need to be tested, only reviewed. This reduces problems if your provider does not allow active testing. And it saves money.
Cloud assessment characteristics
Microsoft 365 / SaaS security assessments
Approach
When reviewing M365 or other "Software as a Service" (SaaS) solutions, we focus on the features selected and configured for use - in other words, what you as the customer have in your hands. We can either review the settings together with your administrators and transfer know-how in the process, or we can check them independently and carry out technical tests.
Preparation
- Coordination of the scope and the depth of testing
- Kick-off meeting
Execution
- Interviews with admins and/or
- Review of security configuration and manual tests
Evaluation
- Preparation of a detailed report
- Best practice workshop (optional)
Methods and standards used
In terms of methodology, we follow proven guidelines wherever it makes sense to do so:
In terms of content, we are mainly guided by established standards:
- Hardening guides of the manufacturers or suppliers
- CIS Benchmarks (Review of configuration)
- IT-Grundschutz (Review of configuration)
- ISO/IEC 27001:2013 (for technical audits)
In addition, we draw on our HvS vulnerability database, which is regularly fed with new attack vectors and test cases through our incident response and threat intelligence activities.
IaaS / PaaS Security Assessments
Approach
Based on how you deploy IaaS/PaaS cloud services in your organization, these and other questions usually arise:
- Are the publicly accessible services properly secured, or is there perhaps even too much accessible from the Internet?
- What protective measures have been implemented for applications or infrastructure in the cloud - also compared to on-premises?
- Could attackers penetrate your on-premises network via the cloud?
Preparation
- Coordination of the scope and the depth of testing
- Kick-off meeting
Execution
- Security configuration review
- Automatic scans for vulnerabilities
- Manual analyses and hacking
- Interviews with administrators on request
Evaluation
- Preparation of a detailed report
Methods and standards used
In terms of methodology, we follow proven guidelines wherever it makes sense to do so:
In terms of content, we are mainly guided by established standards:
- Hardening guides of the manufacturers or suppliers
- CIS Benchmarks (Review of configuration)
- IT-Grundschutz (Review of configuration)
- ISO/IEC 27001:2013 (for technical audits)
In addition, we draw on our HvS vulnerability database, which is regularly fed with new attack vectors and test cases through our incident response and threat intelligence activities.
Cloud can also be secure! Want to learn how?
Let's get to know each other in a web meeting and talk about your objectives and current status.
More HvS security assessments

Professional industrial espionage often involves physical attacks or insider attacks (social engineering), even if the target is in cyberspace. Our social engineering assessments protect your company from social engineering attacks.

The training camp for incident response teams. How quickly does your Blue Team recognize attacks? Is the severity correctly assessed and how long does it take to successfully defend against them? Send your team to training camp!

How well can you detect and defend against real cyber threats? Our Red Teaming Assessment simulates attacks to uncover vulnerabilities and improve detection.