The cloud has radically changed many aspects of information security, but basic concepts still apply. This includes critical components of security programs, such as penetration testing.
Understanding where and how to pen test an enterprise cloud is an important aspect of risk management. Performing a pen test of all mission-critical cloud systems on a regular basis helps identify areas of improvement in an information security program. Depending on security teams’ available resources, they can conduct pen tests before a system goes live, on a live system or even during the design process.
For reference, the Cloud Security Alliance (CSA) Top Threats Working Group released its “Cloud Penetration Testing Playbook” that outlines how to pen test systems and services hosted in public cloud environments. The playbook examines aspects such as how to scope a cloud pen test, how these tests are conducted in the shared responsibility model, and cloud penetration test cases and concerns.
Unique challenges of pen testing in the cloud
Cloud penetration testing differs from ordinary pen testing. One difference is that, depending on the specific scope, cloud pen testing could include coordination with the underlying hosting provider. If the pen test identifies a vulnerability in the underlying hosting provider, the provider may need to be prevented from performing lateral movement. This can minimize the potential impact on other customers and notify the provider of the finding. In a large distributed enterprise, the team orchestrating the pen test would need to identify all of the affected groups and coordinate security processes with them.
Pen testing in the public cloud
The CSA playbook focuses on testing systems and services hosted in public cloud environments. This could include a custom virtual machine hosted in a public cloud IaaS service, for example. The pen test looks for flaws, common misconfigurations and known vulnerabilities in a cloud service supporting an application. It’s not application-level testing or testing the security of the underlying IaaS service, but both could be pen tested individually. Depending on the application hosted in the IaaS service, the application security might be the responsibility of a software vendor — whether open source or commercial. Findings that involve the underlying IaaS service or application should be evaluated to determine if they should be reported to the supporting vendor.
Pen tests for the shared responsibility model
Scoping and the shared responsibility model also influence how the operations in the cloud are organized in your enterprise. You might have an OS team responsible for certain parts, a network team responsible for the load balancers, an identity management team responsible for the identity and access management and so forth. These different groups, together with the cloud security teams or cloud security center of excellence, need to work together to ensure the necessary security controls are implemented in the IaaS environment. Given the complexity of that coordination, a pen test may help identify gaps in the coordination and technical security controls implemented.
Breaking down pen test instructions
Potentially, the most valuable contribution from the playbook is the cloud penetration test cases and concerns section. The playbook covers general pen testing steps with cloud-specific information highlighted in each step. An enterprise can use the steps as a checklist to evaluate the configuration of its public cloud environment.
The test cases include specific steps describing where to look for specific configuration settings that can be used to gain the initial foothold into an environment. Once hackers gain access, they can move laterally to eventually gain privilege escalation to completely compromise the security of the system. It may be a higher priority to implement security controls in the cloud scope before pen testing. The pen test can examine whether the security controls were implemented effectively and identify areas that need additional attention.