Clearly, cloud platforms and infrastructures are popular because every business is looking for greater flexibility, scalability, productivity and efficiency, as well as lower costs; but however good that may sound, there are also security risks associated with cloud solutions. A recent study* even concluded that 18 percent of all companies suffered a security incident in 2018 that was directly related to the cloud. The cloud trend is only just starting! This is one of the reasons why cloud penetration tests are becoming more and more common, but they are subject to special requirements. Find out here what this means for you and if a cloud penetration test could also be beneficial for you!A technical paradigm shift and digitalisation are making cloud services increasingly popular. According to a study, 94 percent of the companies surveyed rely on cloud solutions, with 84 percent of them using a multi-cloud strategy. Here the big players are obviously AWS, closely followed by Azure. But cloud solutions also create a challenge for many companies – not only, but to a large extent, due to security requirements, the key words being "cloud security".
Why the cloud warrants special treatment
For one thing, special attention needs to be paid to cloud security because of its inherent challenges and growing importance. On top of this, the cloud is increasingly becoming the target of cyber attacks, because cyber criminals are well aware of the weak points and the lack of expertise in the security area. There is also a variety of compliance guidelines that need to be observed, such as the GDPR and PCI DSS.
However, when it comes to security issues, cloud providers are seldom the right door to knock on, because obviously they promote the benefits of the cloud without acknowledging the dangers. This makes a cloud penetration test a good option for resolving specific vulnerabilities.
Why cloud security demands trust as well as control
One of the major differences in terms of security is that a company can set up the "rules" for its own on-premises infrastructure and act flexibly, whereas in the cloud it is the provider doing this, which reduces scope for taking action. The degree of control, including security, varies according to the cloud model, be it IaaS, PaaS or SaaS. This means that is important to thoroughly review the choice of solution or provider in advance, as well as the SLAs for emergencies. But no matter which cloud model you use, cloud security is largely down to you. This is exactly why you should include your cloud systems in penetration tests.
The small but subtle differences in the penetration testing of cloud systems
During a penetration test which incorporates cloud systems, a number of specific features need to be taken into account. As previously explained, the provider provides the guidelines. It is important that the limitations are clear for both the customer and the penetration tester. Ultimately, the provider must be able to distinguish whether the cyber attack is genuine or not. Here, both the contracts must be carefully checked and good communication must be ensured. AWS, for example, requires formal permission to perform a penetration test, which must then take place on a fixed date. The severity of the attack that the penetration testers can carry out also depends on the cloud model, as, for example with SaaS, there are a lot of clients working on the system. This means that a system failure would affect more clients than in an IaaS environment.
One of the most important points in testing penetration in cloud systems is how the architecture and configuration of the cloud systems interact with the local systems. In most cases, the gateway for cyber criminals is down to defects in the architecture and configuration errors. The problem rarely lies with the provider, as the major providers themselves invest a lot of resources in ensuring that their services are secure This makes it all the more important that the architecture and configuration are clean and seamless. This is also confirmed by a recent cyber attack on the US financial services provider Capital One. Hackers exploited a vulnerability in AWS that was caused by an error in the IAM configuration.
Cloud penetration test – yes or no?
Cloud solutions are being used in more and more areas, and rightly so. Innovative solutions are the way forward. An example is the cloud platform of our customer HOOC, whose IoT connectivity platform is fully dedicated to the digitalisation of industrial and to building control systems. As with HOOC, security is paramount – both from the client's and the provider's point of view. A cloud penetration test is recommended for everyone who has built a new cloud system and/or is new to cloud security. A comprehensive catalogue of measures, which you will receive afterwards, will also provide you with valuable information so that you can approach the issue of cloud security with confidence in the future.