About
Most organisations store some of their data or applications in the cloud. For example:
- Using Google Workspace or Microsoft 365 for email and filesharing.
- Hosting custom applications in AWS, Azure or Google Cloud Platform.
While using cloud services can have many benefits, it’s important to make sure that the environments are set up properly to protect your data, and to understand which security guarantees the platforms provide versus what remains your responsibility.
How we can help
Pākiki can review your cloud environment and work with you to:
- Ensure reasonable protections are in place to stop unauthorised users from logging into your environments.
- Check that appropriate defaults are set to prevent data being inadvertently exposed to the Internet.
- Review the resources which are exposed to the public.
- Determine what additional platform security features are available which could be beneficial.
- Ensure you understand the security guarantees of the platform, versus what is your responsibility.
Note: Pākiki does not employ any cloud architects. We can’t advise on whether your application is well architected, is making the best use of platform features, or advise on the security, performance and cost tradeoffs between different approaches.
Methodology
The particular methodology will vary depending on the cloud platform in use; broadly speaking, however, it is:
- Information Gathering: Understanding how you’re using the cloud, what type of data/applications you’re holding and which features of the cloud provider you’re using.
- Configuration Review: Log in to the environment and check the configuration in line with industry benchmarks and/or government recommendations (e.g. NZISM).
- Manual checks: Review the permissions on the resources which fall outside of the checks above.
- Provide advice: Take the output of the above checks, and use our understanding of your business to provide practical, tailored advice on how you can improve your security.
The particular objectives of the engagement will be discussed during a scoping call, along with any limitations and any resources which should be explicitly in or out of scope.
What you get
At the end of the engagement, you’ll receive a written report, detailing:
- At a high level, what key issues were identified, and what they mean to the business.
- Detailed descriptions of all issues which were identified, including reproduction steps, and how you can remediate them.
Process
All of our engagements follow a similar process:
- We start by scoping the engagement: understanding what you're looking for, discussing the technologies and platforms in use, and any key concerns that you may have. From this, we produce a Statement of Work detailing the effort required, cost, any prerequisites, and our approach to the engagement.
- Once the Statement of Work is signed, we'll work with you to schedule the work.
- Prior to the engagement starting, we'll be in touch to organise any prerequisites we require and where practical will test these prior to the engagement. This will ensure the engagement commences on time.
- The consultant will start the engagement and will provide regular updates. You will be notified of any high or critical severity issues as soon as they are found.
- At the end of testing, a report will be produced and provided.
- A close-out meeting is held to provide any additional context around the business impact of what we identified, and to provide a chance for any further questions on how to remediate what was found.
- Optional: Retesting can be carried out in order to ensure that any vulnerabilities have been successfully remediated.
Get in touch
To find out more: