CLOUD PENETRATION TESTING
Cloud adoption: there are no two ways about it. The question remains whether a cloud service model (IaaS, PaaS, SaaS) provides a safe and secure environment to its users. Identify vulnerabilities and insecure configurations and controls within your cloud systems.
What is Cloud Penetration Testing?
Cloud penetration testing is an authorised cyber attack simulation exercise against cloud assets hosted in a cloud provider environment.
The main objective of cloud pentesting is to identify and mitigate security risks in cloud computing.
Cloud security is everyone’s business. Gartner predicts that, through 2020, 95 percent of cloud security failures will be the customer’s fault.
What can't be tested in the Cloud?
Parts of the cloud environment that belong to cloud management, such as the underlying infrastructure, cloud provider facilities, and other partners or vendors, cannot be tested. Apart from major public cloud provider offerings, cloud models can be a fuzzy concept for a beginner, especially shared responsibility models. Shared responsibility simply means:
The cloud provider is responsible for security of the cloud
The tenant or client organisation is responsible for security in the cloud
The following diagram demonstrates differences between shared responsibility models in the cloud. Whether it’s an Azure pentest, AWS Security Assessment or cloud risk assessment, the following principles are pillars to almost every cloud implementation.
What are the security risks of cloud computing?
To make the different security risks easier to understand, this section provides an example with each risk mentioned below. The security risk areas remain the same; the underlying attack vector may change based on the cloud model and/or vendor (Azure, AWS, others). For instance, Amazon buckets have a history of security misconfiguration linked to S3 bucket data leakage. Azure blob storage has been abused more than AWS, and is subject to identity-based attacks. Another example is an Office 365 tenancy security configuration that is not in line with good security practices.
Loss of compliance with standards such as PCI DSS, ISO 27001 and GDPR. For instance, in the health industry, there are set NHS Data Security Standards defined in the Data Security and Protection Toolkit.
Usage of APIs (Application Programming Interfaces) is growing at an exponential rate to provide a better experience for users. Without doubt, this raises the risk profile of APIs and the need to ensure security features are in place against API-specific attacks such as authentication attacks, parameter tampering, content manipulation and session cookie tampering.
Cloud Security Assessment Services
Azure Penetration Testing
Whether you are utilising the classic Azure portal or Azure Resource Manager (ARM), our Azure pentests and security reviews can help you assess and remediate the security vulnerabilities and misconfigurations in Azure services and products.
AWS Penetration Testing
AWS pentests include three different service areas, targeted at SaaS, infrastructure and internal cloud components. Data leakage/permissions, misconfiguration, Identity & Access Management, networking, and logging & monitoring are some of the pillars behind your AWS security strategy.
Office 365 Security Audit
The Cyphere Office 365 Security Audit includes a thorough review of your current setup against Office 365 security risks and ensures that your setup follows controls around device management, account policies, application permissions, and security controls around authentication, Exchange, auditing and storage.
Secure Configuration Review
If a cloud-based server is unhardened or weakly configured, the underlying business is left vulnerable and open to loss of reputation and other implications. The news has been full of data breaches due to leaky S3 buckets or general misconfigurations.
Cloud Services Risk Assessment
We perform security reviews for Cloud services and/or solutions offered by cloud service vendors. These solutions may cover different service models such as SaaS Security Testing or checking PaaS security risks.
SaaS Security Testing
Cyphere have the skill-set and extensive experience of working with all the major cloud service providers. As the shared services concept gains more traction, risks of data leakage are increasing, with more blind spots than ever.
Benefits of Cloud Penetration Testing
How to approach Cloud Pen Testing?
Constantly identifying vulnerabilities in your cloud assets is very important. This ensures that no blind spots are present in your environment. The right toolset is an important component, just as with on-premises applications. Both cloud and on-premises tools are available, and a thorough requirements analysis should be performed to finalise the correct approach.
The cloud provider provides resources; securing them is your responsibility.
Cloud Penetration Testing Methodology
Our cloud security offerings are based on an extensive methodology we have developed with years of experience working across different sectors. It’s very important that a cyber security consultancy follows an approach that delivers the right returns on your investment. At a high level, our approach towards cloud security assessments is as follows: