
CONSTRUCTIVE APPROACH ON CLOUD PENETRATION TESTING

Hey Everyone, back with another blog

Let’s learn something about Cloud Security. Today we will walk through the methodology and the steps to follow when it comes to cloud security assessment and penetration testing.

Before getting straight into the pen-testing stuff, let’s take a quick tour of cloud basics and service providers.
There are three major types of cloud service models:
IaaS – Infrastructure as a Service
PaaS – Platform as a Service
SaaS – Software as a Service

Percentage of consumers on various Cloud Service Providers (CSPs):
Oracle Cloud – 4%
IBM Softlayer – 7%
VMWare vCloud Air – 7%
Google – 13%
Azure – 30%
Amazon AWS – 75%

Cloud penetration testing should be done at both the application level and the infrastructure level.
Concerns on Cloud Security
Security controls and compliance
Data security is the major concern
Risks depend entirely on the service model employed, the operational model and the technology used.
Cloud Security Risks
Cloud services face certain other risks on top of the usual IT security risks, namely:
Account or Service Hijacking
Data Loss
Virtualization and Sharing Vulnerabilities
Malicious Insiders
Insecure Interfaces
Improper Usage

What penetration testers need to keep in mind is to ensure that CSPs are securing consumers and clients, by performing periodic pen tests of the implemented security controls as well as compliance assessments.

Cloud penetration testing is not totally different from traditional penetration testing. We need to do the traditional work, along with cloud-specific attack vectors.

SCOPE
1) Web Application and Web Service Testing – web applications and web services
2) Network Penetration Testing – firewalls, databases, systems
3) Cloud Penetration Testing – cloud-specific threats and risks, together with compliance.

To perform cloud security testing, coordination with the Cloud Service Provider (CSP) is very important.
PaaS and IaaS clouds allow pen-testing with CSP coordination, but SaaS doesn’t, due to the difference in the level of impact on the provider’s infrastructure.

What we need to look for
Unlike traditional penetration testing, we need to gather information on:
Publicly accessible resources
Security groups
Routing tables
Network ACLs
Subnets
Permissions
Identity and Access Management (IAM) policies
Identify the type of cloud to be tested (IaaS, PaaS, SaaS)
Identify the instances and applications that the client wants to test
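As an added example (not code from the original post), here is a small Python script that audits two of the artifacts listed above, security group rules and IAM policy documents, for the findings a cloud pen-tester looks for first: ingress open to the whole internet on sensitive ports, and Allow statements granting wildcard actions on all resources. The input is constructed sample data shaped like the output of `aws ec2 describe-security-groups` and an IAM policy document; the group IDs, CIDRs and the list of sensitive ports are assumptions for this example, not data from any real account.

```python
"""Offline audit of cloud configuration data gathered during the
information-gathering phase: security group rules and IAM policy documents.

All sample data in this file is constructed for the example. It mimics the
shape of `aws ec2 describe-security-groups` output and of an IAM policy
document, but it is not taken from any real account.
"""
import json

# Assumption for this example: remote-admin and database ports are treated
# as sensitive when exposed to the whole internet.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL",
                   5432: "PostgreSQL", 1433: "MSSQL"}
WORLD = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"


def _port_range(perm):
    # IpProtocol "-1" means all traffic; FromPort/ToPort are then absent.
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def world_open_rules(security_groups):
    """Return (group id, port, description) for every world-open ingress rule
    that covers a sensitive port or all ports."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(c in WORLD for c in cidrs):
                continue  # restricted to specific networks, not a finding here
            lo, hi = _port_range(perm)
            if (lo, hi) == (0, 65535):
                findings.append((sg["GroupId"], "all ports",
                                 "all traffic open to the world"))
                continue
            for port, name in SENSITIVE_PORTS.items():
                if lo <= port <= hi:
                    findings.append((sg["GroupId"], port,
                                     f"{name} open to the world"))
    return findings


def _as_list(value):
    # IAM allows Statement, Action and Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]


def overly_permissive_statements(policy):
    """Return the indexes of Allow statements that grant a wildcard action
    ("*" or "service:*") on every resource ("*")."""
    risky = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wildcard_action and "*" in resources:
            risky.append(i)
    return risky


# Constructed sample input (hypothetical group ids and CIDRs).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0example1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0example2", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
]}

if __name__ == "__main__":
    print(json.dumps(world_open_rules(SAMPLE_SECURITY_GROUPS), indent=2))
    print("risky statements:", overly_permissive_statements(SAMPLE_POLICY))
```

In a real engagement the two sample structures would be replaced by the JSON you export from the account in scope; the checks stay the same. Note that the HTTPS rule on port 443 is deliberately not reported, since a world-open web port is usually intended, while SSH to the world and an all-traffic IPv6 rule on the database group are the kind of misconfigurations worth writing up.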

Identify what to do and what not to do
Some CSPs will not allow you to carry out penetration testing on certain instances; for example, Amazon doesn’t allow pen-testing on Micro RD5 instance types.
You can get the instances that are in scope for attack from your Rules of Engagement (ROE) letter.

CSPs don’t allow DoS attacks on their instances, as these may affect their production environment.
CSPs do not appreciate unannounced testing.
We need to get proper permission from the CSP.
Example:
1) Amazon has a provision for pen-testing permission: you submit an application. To fill in the form we need root account credentials. If we don’t have them, we can first submit a request by dropping a mail to test@amazon.com with information such as:
Account Name, Account Number, Email Address, Account Owner, IPs to be scanned.
2) Google doesn’t require pre-approval from Google Cloud to conduct a penetration test.

Limitations:
1) Need to look for lock-in problems.
2) Check for governance issues.
3) Check for compliance issues.
4) Check the implementation of security management.

Checklist that needs to be filled in:
Resource Isolation
Anti-Malware
Firewalls on Entry Points
Strong Authentication
SSL Certificates
Encryption of Stored Files.

Whatever we do for the sake of cloud security, safe internet practices are what keep us away from security threats beyond cloud infrastructure and application vulnerabilities.
It is the CSP’s responsibility to keep us (consumers) safe. It is our responsibility to keep ourselves safe and secure from prying eyes.

Several cloud certifications are available (Azure, AWS, CCSP); you can go with any of them to build your career in cloud security.

Thank you. See you again in another blog.

AUTHOR
SAM NIVETHAN V J
SECURITY ANALYST & TRAINER
