For many organizations, on premise infrastructure has historically offered security, customization, and control of the software. Today, that’s changing, as 92% of IT professionals use cloud solutions for some or all of their organization’s tooling needs. That shift to the cloud has accelerated, with even cybersecurity concerned companies like Wells Fargo announcing plans to shift to Microsoft and Google Clouds. That adoption is in part because customers increasingly demand services and deliverables over the Internet. And, once you shift to delivering content online, the concern becomes not keeping data off the internet but rather keeping it there in the most secure way possible.
That trend is affecting pentesting as well, where the shift is increasingly towards pentest-as-a-service. On-demand pentesting with findings delivered not just as a large PDF report but also as tickets, which developers, IT staff, and compliance leads can directly access and work on, while communicating and collaborating with pentesters involved. That trend necessitates pentest management platforms like Cyver Core, which essentially offer a plug and play solution for pentest-as-a-service, using a cloud model.
That naturally results in security concerns, especially for pentesters who specialize in testing online infrastructure. You need your pentest management platform to be secure, because you’re handling extremely sensitive data for clients.
On Prem is More Secure, If You Stay Offline
“Our SaaS model means users subscribe for access to a tenant in our cloud. That means deployment is all virtual, you don’t have to worry about setup, on-premises installation, or on-premises security.” says Luis Abreu, CEO of Cyver, “That enables cloud pentest management, so you can let clients access your pentest portal in the cloud, you can’t connect to customers in the cloud without it, but it also allows us to take advantage of significant security infrastructure.”
“When you implement on-premises, you have to build the full security stack yourself. That’s handled by Cyver as well as our third-party suppliers. For example, we are SOC2 compliant, meaning we can show third party proof of how we secure data. We also rely on Azure, which has significant security standards in place”
“For example, Cyver Core uses logically separated backups in Azure, with a 7-day point in time restore. That’s extremely difficult to maintain on-premises”
“Cloud also offers significant improvements in data protection and disaster recovery”, says Mike Terhaar, co-founder of Cyver, “It’s difficult and expensive to create security infrastructure in-house with the same level of digital and physical security measures as Microsoft does for Azure. If something goes wrong, you restore from a logically separated backup – reducing the impact of major threats like ransomware.”
“Once you engage with customers, collaborate with them, and give them access to your platform, you lose the security of an on-premises implementation. You’re still sharing data over the public internet. So, moving to the cloud, with enterprise-scale security makes sense if you want to engage with clients online.”
On Premises Creates Risks
“It’s also often the case that you can’t maintain the security of your platform with an on-premises implementation. Even if you were to install a local version of Cyver Core, you’d still have to update it.” Luis adds, “Cyver Core has a continuous update cycle, with updates, bug fixes, vulnerability fixes, security features, etc., several times a week. If you’d host on-prem, it’s either a lot of work to update at the same pace – or your software would quickly be out of date, meaning there would be security risks.”
Security in Cloud Platforms
Cyver Core is a pentest management platform designed for pentesters by pentesters and SaaS experts. We understand the risks of moving to the cloud and we took steps to mitigate them.
For example, Cyver Core is secure-by-design. In January of 2023, we officially proved that with SOC2 certification.
We also offer custom solutions for pentesters in need of extra security:
Privacy – Cyver Core is fully white label. You can hide the Cyver Core brand so that, externally, the platform looks like your own application.
Deployment Options: Cyver Core offers custom deployment options as an add-on to our subscription. You can increase isolation by having your own database or your own application to further isolate from other tenants in our cloud solution. That further guarantees there will be no disruption from other clients.
“We understand that cloud is a risk, but any type of networked solution is, we thought about it, and we took measures to mitigate those risks.” says Luis, “We have security (SOC2), we have whitelabeling, and we have deployment options. That offers better security than most on premise installations will be able to achieve, but deployed faster, for less money, and with fewer maintenance costs for you, the user.”