
Cloud penetration testing – Find the holes in your cloud!

Clearly, cloud platforms and infrastructures are popular because every business is looking for greater flexibility, scalability, productivity and efficiency, as well as lower costs; but however good that may sound, there are also security risks associated with cloud solutions. A recent study* even concluded that 18 percent of all companies suffered a security incident in 2018 that was directly related to the cloud. The cloud trend is only just starting! This is one of the reasons why cloud penetration tests are becoming more and more common, but they are subject to special requirements. Find out here what this means for you and if a cloud penetration test could also be beneficial for you!

A technical paradigm shift and digitalisation are making cloud services increasingly popular. According to a study, 94 percent of the companies surveyed rely on cloud solutions, with 84 percent of them using a multi-cloud strategy. Here the big players are obviously AWS, closely followed by Azure. But cloud solutions also create a challenge for many companies – not only, but to a large extent, due to security requirements, the key words being "cloud security".

Why the cloud warrants special treatment

For one thing, special attention needs to be paid to cloud security because of its inherent challenges and growing importance. On top of this, the cloud is increasingly becoming the target of cyber attacks, because cyber criminals are well aware of the weak points and the lack of expertise in the security area. There is also a variety of compliance guidelines that need to be observed, such as the GDPR and PCI DSS.

However, when it comes to security issues, cloud providers are seldom the right door to knock on, because obviously they promote the benefits of the cloud without acknowledging the dangers. This makes a cloud penetration test a good option for resolving specific vulnerabilities.

Why cloud security demands trust as well as control

One of the major differences in terms of security is that a company can set up the "rules" for its own on-premises infrastructure and act flexibly, whereas in the cloud it is the provider doing this, which reduces the scope for taking action. The degree of control, including security, varies according to the cloud model, be it IaaS, PaaS or SaaS. This means that it is important to thoroughly review the choice of solution or provider in advance, as well as the SLAs for emergencies. But no matter which cloud model you use, cloud security is largely down to you. This is exactly why you should include your cloud systems in penetration tests.

The small but subtle differences in the penetration testing of cloud systems

During a penetration test which incorporates cloud systems, a number of specific features need to be taken into account. As previously explained, the provider sets the guidelines. It is important that the limitations are clear for both the customer and the penetration tester. Ultimately, the provider must be able to distinguish whether the cyber attack is genuine or not. For this reason, the contracts must be carefully checked and good communication must be ensured. AWS, for example, requires formal permission to perform a penetration test, which must then take place on a fixed date. The severity of the attack that the penetration testers can carry out also depends on the cloud model because, with SaaS for example, there are a lot of clients working on the system. This means that a system failure would affect more clients than in an IaaS environment.

One of the most important points in the penetration testing of cloud systems is how the architecture and configuration of the cloud systems interact with the local systems. In most cases, the gateway for cyber criminals is down to defects in the architecture and configuration errors. The problem rarely lies with the provider, as the major providers themselves invest a lot of resources in ensuring that their services are secure. This makes it all the more important that the architecture and configuration are clean and seamless. This is also confirmed by a recent cyber attack on the US financial services provider Capital One. Hackers exploited a vulnerability in AWS that was caused by an error in the IAM configuration.

Cloud penetration test – yes or no?

Cloud solutions are being used in more and more areas, and rightly so. Innovative solutions are the way forward. An example is the cloud platform of our customer HOOC, whose IoT connectivity platform is fully dedicated to the digitalisation of industrial and building control systems. As with HOOC, security is paramount – both from the client's and the provider's point of view. A cloud penetration test is recommended for everyone who has built a new cloud system and/or is new to cloud security. A comprehensive catalogue of measures, which you will receive afterwards, will also provide you with valuable information so that you can approach the issue of cloud security with confidence in the future.

Incidentally, our client HOOC also had its cloud platform tested with a penetration test in an exemplary manner. If you would like to find out more, please read our reference report: Reference Report HOOC

* State of the Cloud Report 2019, Flexera

About the author / Michelle Gehri

InfoGuard AG - Michelle Gehri, Marketing & Communication Manager
