CLOUD PENETRATION TESTING
Cloud adoption is no longer in question. The question that remains is whether your cloud service model (IaaS, PaaS or SaaS) gives its users a safe and secure environment. Identify vulnerabilities, insecure configurations and missing controls within your cloud systems.
What is Cloud Penetration Testing?
Cloud penetration testing is an authorised, simulated cyber attack against assets hosted in a cloud provider's environment.
Its main objective is to identify and mitigate security risks in the organisation's use of cloud computing.
Cloud security is everyone’s business. Gartner predicts that, through 2020, 95 percent of cloud security failures will be the customer’s fault.

What can't be tested in the Cloud?
Anything that belongs to the cloud provider, such as the underlying infrastructure, the provider's facilities, and the provider's own partners or vendors, is outside the scope of a tenant's test. Each provider also publishes its own penetration testing policy, which should be read before a test starts: AWS, for example, does not require prior approval for testing your own resources in the services its policy lists, but prohibits denial-of-service testing and DNS zone walking. For newcomers, cloud models beyond the headline public cloud offerings can be a fuzzy concept, especially the shared responsibility model. In short:
Cloud provider is responsible for security of the cloud
Tenant or organisation client is responsible for security in the cloud
The following diagram shows how responsibility shifts between provider and tenant across the IaaS, PaaS and SaaS models. Whether it is an Azure pentest, an AWS security assessment or a cloud risk assessment, these principles underpin almost every cloud implementation.

What are the security risks of cloud computing?
To make the risks easier to understand, each one below comes with an example. The risk areas stay the same across providers; the underlying attack vector changes with the cloud model and the vendor (Azure, AWS or others). For instance, Amazon S3 buckets have a long history of data leakage through misconfigured access policies, Azure Blob Storage has been abused in the same way, Azure AD tenants are a frequent target of identity-based attacks, and Office 365 tenancies are often configured out of line with good security practice.
Intellectual Property Theft
Compliance Violations and/or Regulatory Actions
Loss of compliance with standards such as PCI DSS, ISO 27001 or GDPR. For instance, in the UK health sector the NHS Data Security Standards are defined in the Data Security and Protection Toolkit.
Data Breaches
Insider Threats
For example, a departing employee uploads CRM data to cloud storage or a personal website to use in a new job with a competitor. The insider may also sit in the supply chain rather than in your own organisation, as in the Capital One breach, where a former employee of the cloud provider exploited a misconfigured web application firewall to obtain instance credentials and read customer data from S3.
Credential Attacks
Insecure APIs
Use of APIs (Application Programming Interfaces) is growing rapidly to give users a better experience. That growth raises the risk profile of APIs, so security controls must be in place against API-specific attacks such as broken authentication, parameter tampering, content manipulation and session cookie tampering.
DDoS Attacks
Cloud Security Assessment Services
Azure Penetration Testing
Cyphere audits your Azure estate, including the portal, virtual machines and the underlying components, to uncover risks to the organisation: misconfigurations, inherent vulnerabilities, or departures from good security practice. An Azure pen test helps security teams learn about, analyse and remediate vulnerabilities before they are exploited.
AWS Penetration Testing
AWS security reviews cover several areas: data leakage and permissions, misconfiguration, Identity and Access Management, networking, and logging and monitoring. Unauthenticated checks look for leaked credentials, email addresses and information disclosure about cloud resources.
Office 365 Tenancy Security Review
Office 365 offers a good set of security features. We review your current setup against security risks and check that it follows controls for device management, account policies, application permissions, and security controls around authentication, Exchange, auditing and storage.
Secure Configuration Review
An unhardened or weakly configured cloud server leaves the business vulnerable, open to reputational damage and other consequences. The news has been full of data breaches caused by leaky S3 buckets and general misconfiguration.
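What a "leaky S3 bucket" check actually looks at is worth showing concretely, since the bucket leakage risk above and this configuration review both come down to the same three documents. The script below is an added example, not Cyphere's tooling: it evaluates the JSON that `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` return for a bucket. The bucket name, account ID and the two sample configurations are constructed so the check runs offline.

```python
"""Check an S3 bucket for public exposure (added example, not Cyphere's tooling).

Inputs are the JSON documents returned by `aws s3api get-bucket-policy`
(the "Policy" string, decoded), `get-bucket-acl` and
`get-public-access-block`.  The documents below are constructed samples;
the bucket name and account ID are made up.
"""
import json

# AWS predefined grantee groups that make an ACL grant public.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def public_policy_statements(policy):
    """Sids of Allow statements with Principal '*' and no narrowing Condition."""
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        )
        if wildcard and not st.get("Condition"):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits


def public_acl_grants(acl):
    """(group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    return [
        (g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
    ]


def block_public_access_enabled(pab):
    """True only when all four Block Public Access settings are on."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(flag) is True for flag in PAB_FLAGS)


def assess_bucket(policy, acl, pab):
    """Return human-readable findings; an empty list means nothing public."""
    findings = []
    if not block_public_access_enabled(pab):
        findings.append("Block Public Access is not fully enabled")
    # With Block Public Access on, a public policy or ACL is latent rather than
    # live, but it is still reported: the fix is to remove it, not rely on PAB.
    for sid in public_policy_statements(policy):
        findings.append(f"bucket policy statement {sid} allows Principal '*'")
    for group, perm in public_acl_grants(acl):
        findings.append(f"ACL grants {perm} to {group}")
    return findings


# --- constructed samples -------------------------------------------------
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-backups/*"}]
}""")
LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PAB_OFF = {"PublicAccessBlockConfiguration": {f: False for f in PAB_FLAGS}}

HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AppRoleRead", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-backups/*"}]
}""")
OWNER_ONLY_ACL = {"Grants": [LEAKY_ACL["Grants"][0]]}
PAB_ON = {"PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}}

if __name__ == "__main__":
    for label, args in (("leaky", (LEAKY_POLICY, LEAKY_ACL, PAB_OFF)),
                        ("hardened", (HARDENED_POLICY, OWNER_ONLY_ACL, PAB_ON))):
        print(label, assess_bucket(*args) or ["no public exposure"])
```

The leaky sample produces three findings (Block Public Access off, a wildcard-principal policy statement, and a READ grant to AllUsers); the hardened one produces none. Note that a `Principal: "*"` statement with a narrowing `Condition` (for example on `aws:SourceIp` or `aws:SourceVpce`) is deliberately not flagged, because that is a common and legitimate pattern; a full review still reads those conditions by hand.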
Cloud Services Risk Assessment
We perform security reviews of cloud services and solutions offered by cloud service vendors, across service models: SaaS security testing, or assessment of PaaS security risks.
Cloud Security Testing
Cyphere has the skill set and extensive experience of working with all the major cloud service providers. As shared services gain traction, the risk of data leakage grows, with more blind spots than ever.
Benefits of Cloud Penetration Testing
- Better visibility of cloud processes and how they align with your security objectives
- Security validation of internal and third-party integrations
- Support for ever-changing regulatory and compliance requirements
- Assurance that authentication, authorisation and encryption mechanisms are strong
- Demonstration of your commitment to data security
- Less is more: reduced costs, servers and staff
How to approach Cloud Pen Testing?
1. Understanding Cloud Provider
2. Creating a Pen Test Plan
3. Vulnerability Identification Process
Continuously identifying vulnerabilities in your cloud assets matters: it ensures there are no blind spots in your environment. The right toolset is as important here as it is for on-premises applications. Both cloud-native and on-premises tools are available, and a thorough requirements analysis should be performed to settle on the correct approach.
4. Resource Risk Analysis
5. Risk Remediation

The cloud provider provides the resources; securing them is your responsibility.
Cloud Penetration Testing Methodology
Our cloud security offerings are based on an extensive methodology we have developed over years of working across different sectors. It is very important that a cyber security consultancy follows an approach that delivers the right return on your investment. At a high level, our approach to cloud security assessments is as follows:
Identity and Access Management
This phase reviews identity and access management controls. Typically these include checks on the use of highly privileged accounts, use of MFA, password policy, IAM policies, and access key and credential usage policies.
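On AWS most of the checks just listed can be answered from a single artefact, the IAM credential report, so the script below is an added example (not Cyphere's tooling) that audits one. The report is the CSV that `aws iam get-credential-report` returns after base64 decoding; the column names are the real ones, but the rows, the account ID and the fixed "now" timestamp are constructed so the run is deterministic and offline. The 90-day key rotation threshold is an assumption matching common benchmark guidance, not a page-stated value.

```python
"""Audit an AWS IAM credential report for privileged-account, MFA and
access-key hygiene (added example, not Cyphere's tooling).

Columns are those of the real credential report; the rows, the account ID
and NOW are constructed so the example runs offline and deterministically.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)   # fixed clock for the sample
KEY_MAX_AGE = timedelta(days=90)                  # assumed rotation threshold
ROOT_RECENT_USE = timedelta(days=30)

SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T09:00:00+00:00,not_supported,2021-05-30T08:12:00+00:00,not_supported,not_supported,false,true,2019-01-10T09:05:00+00:00,2021-05-29T10:00:00+00:00,eu-west-2,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2020-03-01T10:00:00+00:00,true,2021-05-31T07:00:00+00:00,2020-03-01T10:00:00+00:00,2020-05-30T10:00:00+00:00,true,true,2021-04-15T10:00:00+00:00,2021-05-31T07:05:00+00:00,eu-west-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2020-03-01T10:00:00+00:00,true,2021-05-31T07:00:00+00:00,2020-03-01T10:00:00+00:00,N/A,false,true,2020-03-01T10:00:00+00:00,2021-05-31T07:05:00+00:00,eu-west-2,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2020-09-01T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-09-01T10:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _ts(value):
    """Parse a report timestamp; the report uses N/A / not_supported /
    no_information for absent values."""
    if value in ("N/A", "not_supported", "no_information"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, key_max_age=KEY_MAX_AGE):
    """Return (user, finding) tuples in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should have no keys, must have MFA, and should not be in daily use.
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root has active access keys"))
            if row["mfa_active"] != "true":
                findings.append((user, "root has no MFA"))
            last_used = _ts(row["password_last_used"])
            if last_used and now - last_used < ROOT_RECENT_USE:
                findings.append((user, f"root used in last {ROOT_RECENT_USE.days} days"))
            continue
        # Console users need MFA; pure API users (no password) are exempt here.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console login without MFA"))
        for k in ("1", "2"):
            if row[f"access_key_{k}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{k}_last_rotated"])
            if rotated and now - rotated > key_max_age:
                findings.append((user, f"access key {k} older than {key_max_age.days} days"))
            if _ts(row[f"access_key_{k}_last_used_date"]) is None:
                findings.append((user, f"access key {k} active but never used"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

Against the sample, root is flagged three times, bob for console access without MFA and a stale key, and the `ci-deploy` service user for a stale key that has never been used (a classic candidate for deletion). Alice, with MFA and a recently rotated key, produces nothing. A real assessment pairs this with a review of the IAM policies attached to the flagged identities, since the report says nothing about what each key can do.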
Review Authentication Architectures
Authentication and authorisation problems are among the most prevalent security vulnerabilities. Cloud workloads authenticate in several places at once: users to the console and APIs, services to each other through roles, tokens and keys, and external identity providers through federation. Even though part of the authentication and state management logic is performed by the provider's identity service, authentication is such an integral part of most cloud architectures that understanding its common implementations is important to the review.
Network Security
This area covers checks on network security controls such as ingress and egress rulesets, flow logging, traffic restrictions, and least-privilege network access.
Logging API Calls, Events
All major cloud service providers offer a service that records the API calls made in a tenant account (AWS CloudTrail, Azure Activity Log, Google Cloud Audit Logs). Each record carries parameters such as the source of the API call, call details, and request and response elements. This phase reviews API call logging for the account: log file validation, encryption at rest, access checks confirming that logs are not publicly readable, access logging on the log store, configuration management, and the available monitoring options.
Monitoring
The monitoring phase is one of the critical tasks responsible for alerting the right contacts during an incident. It relies on the logging configuration above and on the right metric filters being in place. These reviews include checks on real-time monitoring configuration and on alarms for changes to network access control lists, security groups and policies, routing tables, and related parameters.
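The logging and monitoring phases above are easiest to test by replaying trail records through the alarm conditions you expect to find. The script below is an added example, not Cyphere's tooling: it implements the alarm set from section 3 of the CIS AWS Foundations Benchmark (unauthorised API calls, console sign-in without MFA, root usage, and CloudTrail, security group, network ACL and route table changes) over CloudTrail records, and builds the CloudWatch Logs metric filter text for the event-name rules. The records and account ID are constructed in the CloudTrail JSON shape; in an engagement the same functions run over an exported trail.

```python
"""Replay CloudTrail records through the alarm conditions a monitoring review
looks for (the CIS AWS Foundations Benchmark section 3 set).

Added example, not Cyphere's tooling.  The records are constructed in the
CloudTrail JSON shape with a made-up account ID.  Real deployments express
each condition as a CloudWatch Logs metric filter with an alarm;
metric_filter_pattern() builds that filter text for the event-name rules.
"""

# Event names the benchmark alarms on, grouped by rule.
SECURITY_GROUP_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}
NACL_EVENTS = {
    "CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl",
    "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation",
}
ROUTE_TABLE_EVENTS = {
    "CreateRoute", "CreateRouteTable", "ReplaceRoute", "ReplaceRouteTableAssociation",
    "DeleteRouteTable", "DeleteRoute", "DisassociateRouteTable",
}
CLOUDTRAIL_CONFIG_EVENTS = {
    "CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging",
}
EVENT_NAME_RULES = {
    "security-group-change": SECURITY_GROUP_EVENTS,
    "network-acl-change": NACL_EVENTS,
    "route-table-change": ROUTE_TABLE_EVENTS,
    "cloudtrail-config-change": CLOUDTRAIL_CONFIG_EVENTS,
}


def metric_filter_pattern(event_names):
    """CloudWatch Logs filter pattern matching any of the given eventNames."""
    return "{ " + " || ".join(f"($.eventName = {n})" for n in sorted(event_names)) + " }"


def classify(record):
    """Alarm names a single CloudTrail record should raise (possibly several)."""
    alarms = []
    name = record.get("eventName", "")
    ident = record.get("userIdentity", {})
    err = record.get("errorCode", "")
    if err.endswith("UnauthorizedOperation") or err.startswith("AccessDenied"):
        alarms.append("unauthorized-api-call")
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        alarms.append("console-login-without-mfa")
    # Root usage: exclude calls AWS services make on root's behalf.
    if (ident.get("type") == "Root" and "invokedBy" not in ident
            and record.get("eventType") != "AwsServiceEvent"):
        alarms.append("root-account-usage")
    for rule, names in EVENT_NAME_RULES.items():
        if name in names:
            alarms.append(rule)
    return alarms


def principal(record):
    """Best available identity string for a record."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def triage(records):
    """(principal, eventName, alarm) for every alarm raised by the records."""
    return [(principal(r), r.get("eventName", ""), a) for r in records for a in classify(r)]


# --- constructed sample trail -------------------------------------------
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/NetworkAdmin/session"}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/intern"}},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(*row)
    print(metric_filter_pattern(CLOUDTRAIL_CONFIG_EVENTS))
```

The `StopLogging` record by root is the interesting one: it should raise two alarms at once, root usage and a CloudTrail configuration change, and a tenant whose monitoring shows neither has a blind spot exactly where an attacker would start. The filter text produced by `metric_filter_pattern()` is what you compare against the metric filters actually deployed in the account.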