Service Overview
The Azure Cloud Security Assessment is a data-driven evaluation of an Azure tenant, designed to uncover attack paths, misconfigurations, and weaknesses. The assessment filters out non-critical findings and highlights only the remediation actions needed to close active exploitation routes.
Methodology
This is a hands-on, manual penetration test that follows a proprietary methodology combining technical analysis of Azure components with supporting interviews. The infrastructure evaluation is based on the NIST Cybersecurity Framework, and risk ratings follow the CVSS standard. A white-box approach is used to deliver in-depth visibility into cloud management resources and architecture.
The activity includes, but is not limited to, the following components:
Organizational policies
Users and service principals
Third-party enterprise applications
Storage accounts
Internet-facing Azure assets
Automation accounts
Role assignments
Logic apps
Dynamic group membership conditions
The collected data is analyzed to identify vulnerabilities and risky conditions that may expose the tenant to threats.
CYE will not perform the following activities:
Application penetration tests for applications hosted in the environment
Configuration changes in the environment being assessed
Analysis or classification of the data stored in storage accounts
Deliverables
All discovered findings are shown in Hyver, CYE’s Continuous Threat Exposure Management (CTEM) platform
Identified attack routes from threat sources to business-critical assets are mapped and visualized on a mitigation graph that indicates the risk of each route
A maturity level reflecting the organization's security posture is determined, based on the NIST Cybersecurity Framework together with organizational context and insights
Customers can use the risk and maturity evaluations to design and manage optimized mitigation plans independently, including timeline, ownership, and cost-effort considerations
Prerequisites
The user account provided to CYE must be assigned the following permissions:
Global Reader (Microsoft Entra built-in role). Users with this role can read everything that a Global Administrator can, without edit or delete permissions. Required for reading users, groups, applications, and their permissions in Microsoft Entra ID (formerly Azure Active Directory).
Reader (Azure RBAC built-in role) on all Azure subscriptions. Users with this role have read access to all resources but cannot make any changes. The role grants read access to most resource metadata and configuration, but not to the data itself (for example, blob contents or database records).
Microsoft.Web/sites/config/list/Action on all Azure subscriptions. This operation lists the configuration of Azure App Service and Azure Functions apps, including application settings and connection strings; the Reader role does not include it, so it must be granted separately (typically through a custom role). Because these settings often contain secrets, this is the most sensitive of the three permissions.
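The following script is an added example of how a customer can grant exactly these three prerequisites; it is not CYE's tooling and is not part of the original service description. It uses the Azure CLI to create one custom RBAC role whose actions are the built-in Reader role's "*/read" plus Microsoft.Web/sites/config/list/Action, assigns it on every visible subscription, and then assigns Global Reader in Entra ID through Microsoft Graph. The role name "Cloud Assessment Reader" and the account assessor@contoso.onmicrosoft.com are made-up placeholders; the operator running it is assumed to be Owner or User Access Administrator on each subscription and Privileged Role Administrator in Entra ID.

```shell
#!/bin/sh
# Added example (not CYE's tooling): grant the assessment account its three
# prerequisites with no permissions beyond the ones listed above.
# Run with "apply" to execute; without arguments it only defines functions.
# Assumptions: Azure CLI installed and logged in with rights to create role
# definitions/assignments; ROLE_NAME and ASSESSOR_UPN are placeholder values.
set -eu

ROLE_NAME="${ROLE_NAME:-Cloud Assessment Reader}"                  # assumed
ASSESSOR_UPN="${ASSESSOR_UPN:-assessor@contoso.onmicrosoft.com}"   # assumed
REQUIRED_ACTION="Microsoft.Web/sites/config/list/Action"

# Emit a custom role definition: the built-in Reader role's only action is
# "*/read"; we add the single extra operation the assessment needs and make
# the role assignable to the given subscription IDs.
build_role_definition() {
  scopes=""
  for sub in "$@"; do
    if [ -n "$scopes" ]; then scopes="$scopes, "; fi
    scopes="$scopes\"/subscriptions/$sub\""
  done
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "IsCustom": true,
  "Description": "Read-only assessment access: Reader plus App Service config listing",
  "Actions": [ "*/read", "$REQUIRED_ACTION" ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ $scopes ]
}
EOF
}

# True if the definition text grants the named action (exact string match).
definition_has_action() {
  printf '%s' "$1" | grep -Fq "\"$2\""
}

# Number of subscription scopes in the definition text (0 if none).
count_assignable_scopes() {
  printf '%s' "$1" | tr ',' '\n' | grep -c '"/subscriptions/' || true
}

apply() {
  subs=$(az account list --query "[].id" -o tsv)
  # Word splitting is intended: one subscription ID per line.
  # shellcheck disable=SC2086
  build_role_definition $subs > role.json
  [ "$(count_assignable_scopes "$(cat role.json)")" -gt 0 ] || {
    echo "no subscriptions visible to the current login" >&2; exit 1; }
  az role definition create --role-definition @role.json >/dev/null
  for sub in $subs; do
    az role assignment create --assignee "$ASSESSOR_UPN" --role "$ROLE_NAME" \
      --scope "/subscriptions/$sub" >/dev/null
  done

  # Entra ID Global Reader via Microsoft Graph; the role is looked up by
  # display name so no template GUID has to be hardcoded.
  role_id=$(az rest --method get \
    --url 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$filter=displayName%20eq%20%27Global%20Reader%27' \
    --query "value[0].id" -o tsv)
  user_id=$(az ad user show --id "$ASSESSOR_UPN" --query id -o tsv)
  az rest --method post \
    --url 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments' \
    --body "{\"principalId\":\"$user_id\",\"roleDefinitionId\":\"$role_id\",\"directoryScopeId\":\"/\"}" \
    >/dev/null

  # Verify: one assignment of the custom role per subscription, nothing else.
  az role assignment list --assignee "$ASSESSOR_UPN" --all -o table
}

case "${1:-}" in
  apply) apply ;;
esac
```

Two practical notes. If the tenant organizes subscriptions under management groups, adding the root management group to AssignableScopes and assigning the role there once covers subscriptions created during the engagement, since assignments inherit downward. And because Microsoft.Web/sites/config/list/Action returns the values of app settings and connection strings, the assignment and the role definition should be removed when the engagement ends (az role assignment delete, then az role definition delete).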
Customer Engagement
A 1–2 hour scoping meeting with a customer representative is required to plan the assessment, identify critical business assets, and define relevant attack scenarios
Weekly one-hour meetings with a network architect are typically held during the engagement to address questions related to hosted assets and user group configurations
Relevant Standards
The proprietary methodology is derived from:
MITRE ATT&CK knowledge base of adversary tactics and techniques
NIST Cybersecurity Framework
Center for Internet Security (CIS) Critical Security Controls
Security Domains Covered
Cross-organization policies, procedures, and governance
Security operations, monitoring, and incident response
Network level security
Servers, network equipment, and endpoints security
Application-level security
Sensitive data and information management
Identity management and remote access
