Cloud Pentesting for Noobs

F0rS3c

Member
Joined
Apr 24, 2023
Pentesting in the cloud is becoming a significant area for research and is quickly becoming a hot topic in the cybersecurity space. With companies continually moving their services to the cloud, checks and balances in the cloud keep ramping up at a reasonably fast rate. However, what does it mean to conduct a penetration test on the cloud? Is it really a penetration test? Let’s take a look at these two terms:

Terms

  • Penetration Testing on the Cloud: Testing on the cloud generally targets the applications and other services being built on the cloud platform. It could involve testing a Web Application being hosted on a server in the cloud, or perhaps another type of application being utilized by the cloud provider. You will test on the cloud with some formal pentest methodology and referencing the OWASP Top 10.
  • Penetration Testing in the Cloud: Testing in the cloud typically involves testing the services associated with that particular cloud provider. For example, you may test the EC2 instances and the servers in those instances. You may also examine the storage file systems, such as S3, for issues configured by the administrators.
These will be two terms that you will need to remember when applying cloud penetration testing to your own methodology. Ensure that when you test, you know what you are testing, what the service or applications do, and that you don’t ever disrupt any services.


Image by BugRaptors

Why Cloud Testing?

Why do we need cloud testing? For many different reasons that are fairly similar to the reason we have traditional penetration testing!

Compliance

The checks and balances are typically maintained by compliance levels such as PCI-DSS or HIPAA. Auditors assess cloud networks for these types of compliance levels and can either pass or fail a network based on the security of their infrastructure. A fail can result in more issues than one — such as not being able to operate that network, which can lead to loss of revenue.

Pentesting for compliance ensures two things:

  1. Ensures that your network falls within compliance guidelines, and gives recommendations on pain points that need to be fixed to avoid falling out of compliance.
  2. A penetration test gives you peace of mind on what an attacker could do with your network, and a penetration test report highlights areas of weakness. At times, depending on your network, a penetration test report shows critical issues that can result in immediate damage to your company — and shows ways on how to fix it!

Functional Testing

I like to think of this as a White Box approach. Functional testing ensures that everything is set up correctly and doesn’t have any major issues. Of course, it also illustrates any critical and severe vulnerabilities that may have been overlooked.

What’s Next?

Penetration Testing in the Cloud is an extremely interesting topic once you start to dive into it. Being able to apply penetration techniques to a new service that is continually upgrading keeps ya busy and will have you constantly updating your own thought process and attack techniques.

If cloud penetration testing is something that interests you, I urge you to go set up some accounts with popular cloud providers such as AWS, Azure, and GCP. Also, check out my working copy, Pentesting in the Cloud for Diamonds, for resources on pentesting cloud technology.