June 5, 2020

Last Updated on January 18, 2024

In recent years, businesses have found ways to cover their technology needs without internal systems and staff. On-site IT staff, hardware, and internally developed and maintained software are becoming less commonplace, and we are seeing many sectors (especially SMBs) turn to externally sourced service models.
This leads to the use of a lot of acronyms: Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Desktop as a Service (DaaS), and beyond. Most of these services can be wrapped up under the cozy blanket known as cloud services—technical offerings that are hosted and managed by an external party to varying degrees.
In a nutshell, when a business relies on a cloud service, that usually implies that some or all of their data, software, and infrastructure “live” elsewhere, on computers owned by an outside entity.
As cloud-based offerings have risen in popularity and cloud use cases have proliferated, security concerns have risen as well. These concerns also extend to other tech services, such as external IT and even external security support and auditing/testing.

How can businesses know that what they are paying for “in the cloud” is secure, and that their information stored and/or processed in the cloud is safe?

This apprehension on the part of customers is a critical consideration for businesses providing cloud-based and other tech services. In the past year alone, dozens of intense and highly advanced cyber attacks have targeted cloud service providers.
An example is the Cloud Hopper mega attack—dubbed “one of the biggest corporate espionage efforts in history.” This nation-state sponsored attack exploited weaknesses in cloud providers’ infrastructure or stole security credentials through spear-phishing emails. From there, the hackers accessed customers’ hosted networks and applications to exfiltrate intellectual property and other sensitive data, harvest more security credentials, install malware and continue to expand their attack.
These breaches can have massive consequences, affecting not just the provider but also possibly every single one of its clients. Users and prospects have good reason to be wary and cautious, and it can be difficult for SaaS providers to assure them that security is a priority.
Fortunately, an industry-standard solution is available to help SaaS providers attest to the robust security posture of their networks, applications and other technology services: CREST network penetration testing.
CREST is a UK-based nonprofit accreditation and certification body that “… provides organizations wishing to buy penetration services… with the confidence that the work will be carried out by qualified individuals with up-to-date knowledge, skill and competence of the latest vulnerabilities and techniques used by real attackers.”
A CREST accredited penetration test embodies a standardized program offering full assurance that qualified, experienced testers will employ the latest best practices to yield reliable results and consistent documentation. The goal is to deliver the greatest value for the client’s testing investment in terms of guidance, knowledge and security awareness.

So, if you are in the market for cloud services, ask (nay, demand!) to see your potential vendor’s CREST accredited penetration test report. If they have one and it looks clean, you can have a lot of confidence they will keep your sensitive information secure.

For cloud service providers, a CREST Approved penetration test gives you a trusted, third-party attestation that the infrastructure your clients rely on is highly secure. This attestation can help strengthen your marketing messages and close new business. It can also help reassure and retain current customers, especially those that are ramping up their due diligence and looking to validate your network security posture in the wake of recent attacks.
To find out more about our CREST accredited penetration testing program and how it can help your business, contact Pivot Point Security.

Is a penetration test really the service you need?

Without good Asset, Patch & Vulnerability management in place, a network penetration test could be a big waste of time and money.