As the tech paradigm shifts and more organizations are going serverless, cloud adoption in the form of IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service) is increasing exponentially. With the agility and flexibility that cloud computing provides, organizations are innovating and growing at a much faster pace compared to five years ago.
But with the good of cloud computing also comes the bad. Cloud users now have more autonomy and flexibility than ever at setting up their cloud infrastructure, a skill that is still relatively new and rare in the market. How can cloud users (ie. CTOs, DevOps, Software Engineers) ensure that their cloud environments are secure as they continue to innovate in the cloud?
Aside from dedicated cloud security software to identify and fix vulnerabilities in cloud environments, organizations can consider pentesting their cloud computing environments for a more thorough assessment of their cloud security posture.
Challenges of Cloud Pentesting
In the past, testing of cloud-based applications and infrastructure was somewhat restricted because of legal and geographical complications. Security enthusiasts and professional penetration testers were not permitted to perform intrusive security scans or penetration tests on cloud-based applications and environments without the explicit permissions of Cloud Service Providers like Microsoft Azure and AliCloud.
But the growing number of cyber attacks targeting the cloud in recent years is paving the way for mainstream cloud computing penetration testing. The recent CapitalOne data breach showed that a misconfigured access control (IAM) configuration on AWS was enough for a malicious attacker to obtain adequate credentials to illegally access Amazon S3 buckets and retrieve the information stored within.
Organizations are now open to hiring third parties to conduct penetration tests on their cloud environments under controlled circumstances. But before going deep into what a cloud environment pentest entails, it pays for users to understand that security of the cloud is a shared responsibility. Cloud service providers like Amazon Web Services (AWS) inherently build security in their infrastructure. Cloud Firewalls such as Security Groups are configured by default to disallow all traffic unless otherwise specified by the user. It is this user flexibility that is ballooning the risk of human error in the cloud. If end users accidentally switch a configuration like removing a Security Group whitelist to a VPN or internal IP, they open up their cloud infrastructure and applications to a larger attack surface.
The Cloud Environment Pentesting Checklist
Technically, a penetration test on the cloud computing environment does not differ that much from any other penetration test, even an on-premise equivalent. While there may be key differences in the way that the cloud infrastructure and applications are set up, the principles remain the same. Whether we look at web servers running on the application tier with RDS service running the database tier or dockers in a Kubernetes cluster that has microservices running, both are still exposed to the same attacks on the web application and network layers.
There are various methodologies regarding how to properly pentest a cloud computing environment, but they are broadly divided into these sub phases, similar to a typical network and web application pentest:
- Planning and Threat Modelling
- Vulnerability Identification
However, what I would identify as the key differences would be that there are cloud specific vulnerabilities that can be exploited by malicious individuals. Misconfiguration of cloud services is the most exploited cloud vulnerability by attackers. According to the 2018 Gartner report Is The Cloud Secure, analysts posit that through 2022, 95% of cloud security failures will be the customer’s fault.
Cloud computing users can take advantage of both open source and commercial cloud security tools like Horangi Warden, which is a risk-based cloud defense tool for AWS environments, to build a more resilient cloud security posture. The GitHub forum also commonly showcases useful open source cloud security pentesting tools like Pacu.
Identify your security misconfigurations early so they don’t turn into security incidents. If your organization relies on the cloud for core business services and needs to develop a long-term holistic cybersecurity strategy, it pays to engage a reliable third party security vendor to conduct a cloud computing penetration test.