CLOUD PENETRATION TESTING
As Nettitude continues to see more services migrating to the cloud, the need for cloud security testing increases. Nettitude delivers cloud-based penetration testing for cloud service providers as well for the clients that use these services as a core part of our penetration testing offerings.
Nettitude has extensive experience in working with all major cloud service providers. Whether it is Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (Saas), Nettitude’s information security and penetration testing consultants are experienced in testing and security for all types of environments.
How Can You Benefit from Cloud Penetration Testing?
The benefits of a cloud penetration test are increased technical assurance, and better understanding of the attack surface that your systems are exposed to. Cloud services, whether they are infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS), are prone to security misconfigurations, weaknesses, and security threats just as traditional systems are.
By performing a cloud penetration test you will get:
- A better understanding of your cloud estate. What services do you have in the cloud? What systems do you expose to the public?
- A detailed report on any common security misconfigurations along with our recommendations for how to secure your cloud configuration.
The increased assurance will come from the fact that you will gain visibility of the security weaknesses of your cloud estate. You will be able to verify what services and data are publicly accessible, what cloud security controls are in effect, and how effectively these are mitigating your security risk.
The Cloud Security Problem
Although cloud providers offer increasingly robust security controls, you are ultimately responsible for securing your company’s workloads in the cloud. According to the 2019 Cloud Security Report, the top cloud security challenges highlighted are about data loss and data privacy. This is followed by compliance concerns, tied with concerns about accidental exposure of credentials.
Operational Security Headaches
- 34% Compliance
- 33% Lack of Visibility into infrastructure security
- 31% Lack of qualified staff
Biggest Cloud Security Threats
- Unauthorized Access
- Insecure Interfaces/APIs
- Misconfiguration of the cloud platform
- Hijacking of accounts services or traffic
- External sharing of data
- Malicious insiders
Cloud Penetration Testing and Configuration Review Services
Cloud Configuration Review is an assessment of your Cloud configuration against the accepted best practice of industry benchmarks. A report is produced with a summary table showing the benchmarks and whether you are following the best practice, with individual technical findings breaking the findings down in more detail, as well as detailed explanations and remediation advice.
Cloud Penetration Testing (cloud pen testing for short) involves a mixture of external and internal penetration testing techniques to examine the external posture of the organisation. Examples of vulnerabilities determined by this type of active testing can include unprotected storage blobs and S3 buckets, servers with management ports open to the internet and poor egress controls.
Cloud Testing, whether a configuration review, a penetration test, or both, focuses primarily around examining the protection on these key areas:
- Enumeration of external attack surface – Identify all possible entry points into the environment – O365, Web Applications, Storage Blobs, S3 Buckets, SQL/RDS Databases, Azure Automation APIs, AWS APIs, Remote Desktops, VPNs, etc.
- Authentication and Authorization Testing – Ensure the users within the environment operate on a Principle of Least Privilege, and that they are protected by robust multi factor authentication policies, as well as that known ‘bad passwords’ are prohibited from being used.
- Virtual Machines / EC2 – Azure supports two types of virtual machines – Classic and v2. Testing will ensure that these virtual machines are protected via Network Security Groups (NSGs – analogous to firewalls) and their data is encrypted at rest. Where possible, audits of missing patches and their effects are included. Where virtual machines are publicly accessible, this will lead on to the examination of their external interfaces.
- Storage and Databases – This area of testing will examine storage blob permissions and those of subfolders, ensuring that only authenticated and authorised users can access the data within. Examination of databases (either on virtual machines running SQL Server, or running via Azure SQL) for security best practices is also covered.
Cloud Penetration Testing Authorization and Policies
Microsoft (Azure) and Amazon (AWS) used to require testing authorization before commencing a penetration test. This is no longer the case, and barring a few exceptions within AWS, you are no longer required to request authorization for a cloud penetration test for Azure, AWS, or GCP.
Our team consists of AWS Security and Microsoft certified experts. Our experienced consultants frequently publish white papers and research on Cloud security and Cloud Penetration Testing.
Do I need permission from my cloud provider in order to perform a penetration test?
In most cases (AWS/Azure/GCP) the answer is no. There are some exceptions, but for the majority of testing authorization is not required.