As more and more companies move to the cloud, the relevant public cloud environments should not be left out of scope when penetration tests are carried out. In this article, I will give an introduction to cloud computing, clarify your specific security responsibilities in the public cloud and explain the key aspects of penetration testing in the cloud.
Introduction to Cloud Computing
Cloud computing is the use of IT infrastructures and services over the Internet. Cloud users have access to a large number of interlinked external servers. Typically, there is no overview of the individual computer resources provided by the cloud provider.
Almost everyone now uses cloud services. Whether you have an account on a social network such as Facebook or LinkedIn or use a storage service such as iCloud, Dropbox or OneDrive, you are already a user of cloud computing. Companies are also using more cloud services every year.
Cloud computing has many different characteristics. These include various delivery models that describe how cloud services are provided to users. The best known are probably the public cloud platforms of the major providers Amazon, Microsoft and Google. All users of these platforms can easily and flexibly rent IT infrastructure and pay according to their usage. By contrast, there is also the option of using your own cloud environment, which is operated exclusively for your own company (so-called private cloud). In addition, there is a hybrid model which combines private and public cloud (so-called hybrid cloud), as well as other special forms.
The different Cloud Service Models (IaaS, PaaS, SaaS)
In the context of cloud computing, a distinction is also made between different service models that describe what type of service is made available to the user by a cloud service provider. The service model has a significant influence on the approach and scope of penetration tests. There are three basic service models:
Infrastructure-as-a-Service (IaaS)
With this service model, the cloud service provider offers data centre infrastructure for use. The components of the infrastructure provided include servers, computing and network capacities, routers, switches, firewalls, storage space and systems for archiving and back-up of data.
Platform-as-a-Service (PaaS)
This service model is based on the Infrastructure-as-a-Service Model and adds a developer environment to the infrastructure. This provides developers with the tools they need to develop applications quickly and cost-effectively.
Software-as-a-Service (SaaS)
Furthermore, cloud providers can also take over the complete provision of software applications to end-users. With this service model, not only the software is provided, but also the configuration, maintenance and constant updating of the software.
Advantages of Cloud Computing
Cloud computing offers a whole range of advantages over locally managed infrastructure and locally installed software. On the one hand, there are cost advantages because no hardware has to be purchased and maintained or software has to be purchased and updated on all computers. Cloud services, whether IaaS, PaaS or SaaS, offer a high degree of flexibility and grow with your needs. Location-independent access to data is another point that has led to the growth of cloud services in recent years. The data security offered by cloud service providers is also significantly better than most companies can provide themselves. This is especially true for small and medium businesses. Despite the many benefits, there are some companies that are sceptical about cloud adaptation. The security aspect, in particular, prevents companies from moving to the cloud. However, companies should not overestimate the security of their on-premise data centres. The best way to dispel security concerns is to be aware of your own role in the cloud.
Model for Shared Responsibility in the Public Cloud
In the public cloud, cloud providers and users share responsibility for data security. This shared responsibility model applies regardless of the service model (IaaS, PaaS or SaaS). However, the scope of responsibility shifts depending on the service model. With IaaS, the user’s area of responsibility is the largest. The infographic below illustrates this:
Keeping data secure is a core task of cloud service providers and all major providers invest a lot of money to ensure a very high level of security. From strict physical access control to the data centres to strict controls of every change to the hardware, software and network and ensuring compliance with legal requirements and compliance standards, public cloud providers take care of all basic security aspects. They also provide users with all kinds of tools to ensure security in the cloud. Since the user has security responsibilities with any type of cloud service model, it is advisable to use penetration tests to check whether this responsibility has been adequately fulfilled. Especially immediately after migration, it is advisable to carry out a penetration test of the cloud-based infrastructure.
Cloud Pentesting Challenges
In cloud penetration testing, white box or grey box testing is the norm. The penetration tester has a full or at least partial overview of the IT of the company to be tested. This information base is important for the penetration tester because otherwise, he could run the risk of accessing data from uninvolved cloud tenants because cloud resources are usually shared. From a legal point of view, a penetration test is, therefore, more demanding, since with the cloud provider another party is involved whose interests must be safeguarded. In any case, the general terms of use of the cloud provider must be observed ( -> AWS, Microsoft Azure, Google Cloud Platform). There, the services available for pentesting are designated and the framework conditions are defined. In particular, inadmissible actions, test tools and services are listed here. If necessary, the provider’s consent must be obtained prior to the penetration test. However, the three major providers Amazon, Microsoft and Google now do not require such consent. Nevertheless, it is advisable to inform the provider about the upcoming penetration test in your cloud environment.
The individual phases of the cloud penetration test do not differ from a penetration test in which the company itself is the sole owner of the infrastructure. The differences lie in the details. Many traditional attack methods would cause an immediate warning due to the ever-improving security provided by cloud providers. Therefore, a cloud penetration tester must know detours and indirect attack methods in order to gain unnoticed access to the cloud environment. Last but not least, he must also have the right tools at hand.
Conclusion on Cloud Penetration Testing
If you have migrated or are considering migrating data and applications to the public cloud, you should always periodically perform a security audit of your cloud environment. Important fundamentals are that you must strictly adhere to the cloud provider’s terms of use and that your penetration test should only extend to the layers of the cloud that you are responsible for under the shared responsibility model.
Please contact us if you need a penetration test of your cloud environment.
