
What is cloud penetration testing? Best practices & methods

James Harrison, Senior Content Writer


There are many advantages to moving to the cloud, from flexibility to cost savings. But migrating your apps and services off premises into the cloud brings challenges of its own. With almost half of all data breaches now occurring in the cloud, security is one of them.

As a tried and tested security assessment, penetration tests are often the first port of call for business leaders looking to secure their cloud environment. But are they the best way to assess your cloud security?

Here we look at what’s involved, what you can expect, and their advantages and limitations.

Cloud penetration test or configuration review?

When customers or clients ask for a cloud penetration test, it's important to check whether they really want a pentest or whether they are actually looking for a cloud configuration review. The two are similar, but there are some subtle yet important differences.

Cloud configuration review

A cloud configuration review is a detailed, collaborative (white-box) assessment where the tester is typically given read-only access to the entire cloud account, or to the parts they've been asked to audit.

They'll then use this access to pull the configurations of the various services and review them for weaknesses. By services we mean cloud services such as S3, IAM, Cloud SQL and so on.

This provides great visibility into your cloud environment, and can really help you configure it securely.

Cloud penetration test

In a cloud penetration test, the tester starts with no access to the cloud environment, or with limited access if they're testing an assumed breach scenario, for example assuming an attacker has already compromised a server in the cloud environment or a specific user. They'll then try to escalate their privileges to reach other parts of the cloud environment and, ultimately, sensitive data.

They won't have the same visibility of the cloud environment, and while they'll probably be enumerating cloud configurations, they're not auditing them in the same way. They'll often be chaining the weaknesses they've found, or pulling in information from outside the environment that might help.

This approach provides a better idea of what an attacker might be able to do from a particular perspective. The pentest will likely leave you with a few headaches to fix, and guidance to do so painlessly. 

So which one is best? It depends what you want to achieve, but there are a number of advantages to a hybrid approach. Giving a tester read access while letting them focus on exploiting weaknesses and escalating along a particular path gives broader coverage than a pentest alone, and more focus on exploitable issues, with better context, than a configuration review alone.

When do you need a cloud penetration test?

Once you’re sure you want a cloud penetration test, it’s important to know what it can and can’t do.

For example, cloud penetration testing is designed to find security issues in your cloud services before attackers do. The manual methods, methodology and cloud pentesting tools used vary with the type of cloud service and the provider.

However, since you consume the infrastructure, platform or software as a service rather than owning it, there are legal restrictions (each major provider publishes a penetration testing policy that defines what customers may test) and technical limits on cloud penetration tests.

Certain aspects of cloud security are controlled and handled by the cloud provider, and the customer is responsible for the rest. The split is defined by the shared responsibility model published by your cloud service provider (CSP), not by your service level agreement (SLA).

For instance, the cloud provider is not responsible for the custom policies you've configured in your cloud account. Similarly, the customer is not responsible for patching the underlying infrastructure used by serverless functions, or for the physical security of the data centres managed by the cloud provider.

As a cloud user, your focus is on ‘security in the cloud’ and not ‘security of the cloud’. What you are responsible for, and therefore what can be included in the scope of a pentest, is dictated by the shared responsibility model.

Why is cloud penetration testing important? 

Now you know what cloud pentesting is, let's look at why you should care. Your cloud assets deserve the same attention as the security of your network and on-premises infrastructure.

The big difference is that a business often won't have cloud or security experts in-house when it starts its move to the cloud. It's also faster and easier to deploy assets in the cloud with just a small team, which means that team can quickly and unknowingly open security holes that are hard to spot, monitor and fix.

As a result, while there are many reasons for commissioning a proactive pentest, such as satisfying suppliers, contractual obligations and compliance requirements, more often than not the trigger is the fallout from a breach: downtime, compliance violations, reputational damage, lost business and all the associated financial costs.

Cloud penetration testing helps you get ahead of all these. Not just in terms of finding and fixing key vulnerabilities, but also by learning from mistakes and incorporating best practices earlier in the development cycle. And at Intruder, we see a lot of customers who simply want to check, maintain or improve their cyber hygiene.

What gets checked in a cloud penetration test? 

Misconfigurations are common in the cloud and frequently lead to the exposure of sensitive data: IBM attributed 15% of the breaches it studied in 2022 to cloud misconfigurations.

Gartner goes further, predicting that within two years 99% of cloud security failures will be the result of user error. Two of the most common types of misconfiguration are Identity and Access Management (IAM) weaknesses and data leakage.

Identity and Access Management (IAM) weaknesses 

Who is the user, and what are they allowed to do? These are the main tenets of IAM.

To remain secure, cloud infrastructure needs MFA (multi-factor authentication), strong authenticators, and defined user roles with the principle of least privilege.

Logging, monitoring and revoking access when it's no longer needed are also key. These safeguards particularly protect against attackers reusing credentials stolen in past breaches.

Data leakage 

News headlines are littered with examples of large companies leaking huge amounts of data, so cloud pentesting aims to identify improper storage and handling of data in the cloud.

Databases, object stores, logs and repositories can all be made public inadvertently, and attackers are continually scanning the entire internet for these sorts of exposures. Our research has shown how quickly data exposed to the internet gets accessed.
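The IAM weaknesses and data leakage described above are exactly what a reviewer with read access checks for in the configuration review section earlier: pull the policy documents and inspect them. The script below is an added example, not Intruder's code or tooling. It runs two of those checks offline over constructed sample policies: an identity policy is flagged for wildcard actions or resources and for privileged actions that are not gated on MFA, and an S3 bucket policy is flagged when it grants read access to everyone. The policy documents, the bucket and role names, and the account ID `123456789012` (the placeholder used in AWS documentation) are all assumptions made for the example, as is the list of services treated as privilege-granting.

```python
"""Added example of the policy checks a cloud configuration review automates.

Not Intruder's code. The policy documents are constructed samples; in a real
review you pull them with read-only credentials (AWS: iam get-policy-version,
s3api get-bucket-policy) and feed the parsed JSON to these functions.
"""
import json

# Services whose actions give an attacker more control over identities and
# permissions; an assumption for this example, not an exhaustive list.
PRIVILEGE_SERVICES = ("iam", "sts", "organizations")


def _as_list(value):
    """IAM accepts a string or a list for Action, Resource and Principal."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"}: any AWS account or anonymous."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _requires_mfa(statement):
    """True if the statement only applies when aws:MultiFactorAuthPresent is true."""
    for operator_block in statement.get("Condition", {}).values():
        if str(operator_block.get("aws:MultiFactorAuthPresent", "")).lower() == "true":
            return True
    return False


def review_iam_policy(policy):
    """Return (severity, message) findings for an identity-based policy."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        any_action = any(a == "*" or a.endswith(":*") for a in actions)
        any_resource = "*" in resources
        if any_action and any_resource:
            findings.append(("high", f"statement {i}: {actions} on * is effectively admin"))
        elif any_action:
            findings.append(("medium", f"statement {i}: wildcard action {actions} on {resources}"))
        elif any_resource:
            findings.append(("low", f"statement {i}: {actions} allowed on every resource"))
        privileged = [a for a in actions if a == "*" or a.split(":", 1)[0] in PRIVILEGE_SERVICES]
        if privileged and not _requires_mfa(st):
            findings.append(("medium", f"statement {i}: {privileged} allowed without an MFA condition"))
    return findings


def review_bucket_policy(policy):
    """Return findings where an S3 bucket policy lets anyone read the bucket."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        readable = [a for a in _as_list(st.get("Action")) if a in ("s3:*", "s3:GetObject", "s3:ListBucket")]
        if not readable:
            continue
        target = _as_list(st.get("Resource"))
        if st.get("Condition"):  # e.g. aws:SourceVpce or aws:SourceIp; still needs a manual look
            findings.append(("medium", f"statement {i}: {readable} on {target} open to everyone behind a Condition"))
        else:
            findings.append(("high", f"statement {i}: {readable} on {target} is public"))
    return findings


# Constructed sample documents; 123456789012 is the AWS docs' placeholder account ID.
WEAK_IAM_POLICY = json.loads('{"Version": "2012-10-17", "Statement": ['
                             '{"Effect": "Allow", "Action": "*", "Resource": "*"}]}')

HARDENED_IAM_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
  {"Effect": "Allow", "Action": "iam:ChangePassword",
   "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}""")

PUBLIC_BUCKET_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-reports/*"}]}""")

PRIVATE_BUCKET_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/report-reader"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}]}""")

if __name__ == "__main__":
    for name, doc, check in [("weak IAM policy", WEAK_IAM_POLICY, review_iam_policy),
                             ("hardened IAM policy", HARDENED_IAM_POLICY, review_iam_policy),
                             ("public bucket policy", PUBLIC_BUCKET_POLICY, review_bucket_policy),
                             ("private bucket policy", PRIVATE_BUCKET_POLICY, review_bucket_policy)]:
        print(name, "->", check(doc) or "no findings")
```

The weak policy produces two findings (an admin-equivalent wildcard grant, and a privileged action with no MFA condition) while the hardened version, which scopes S3 access to one bucket and gates the IAM action on MFA, produces none. Note that these checks only read policy documents: a statement behind a Condition is downgraded rather than cleared, because deciding whether that condition actually restricts access is the kind of contextual judgement that still needs a human reviewer, and account-level controls such as S3 Block Public Access are evaluated separately.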

Weak or reused passwords make cloud accounts vulnerable to password-guessing and credential-stuffing attacks, so pentesters will also check for weak credentials.

Unpatched vulnerabilities are an easy point of entry for attackers, many of whom use automated tools to find them, so penetration testers will also check for out-of-date third-party software.

Can you automate cloud penetration testing?  

There are elements of cloud penetration testing that can only be carried out manually because even the best scanners struggle with the contextual understanding required to identify business logic flaws, nuanced access control weaknesses, or to determine which data is commercially sensitive.

Manual testing can also discover chained exploitation paths which are more severe than the sum of each vulnerability.

Conversely, given the increasing complexity and size of cloud deployments, there are also elements of cloud penetration testing which can and should be automated.

For some pentests, the sheer number of assets to review makes a purely manual approach impossible. Automation is quick, reduces the chance of human error, and checks services, parameters and configuration settings that might otherwise be missed. It also enables continuous testing of cloud targets.

But without manual review and attempts at exploitation, any test is just a vulnerability scan. Cloud penetration testing can't yet be fully automated.

Bridging the gap between a point-in-time test and vulnerability scanning, Intruder offers a continuous penetration testing service, where our pentesting team look for critical vulnerabilities in your systems on an ongoing basis.

What is cloud penetration testing best practice?

There are some simple steps to make sure your cloud penetration test delivers the best possible outcomes:

  • Work with an experienced provider of cloud penetration testing: while many cloud pentesting methods are similar to those used in standard penetration testing, different areas of knowledge and experience are required. See our guide to choosing a pentesting company.
  • Understand the Shared Responsibility Model: as mentioned above, cloud systems are governed by the Shared Responsibility Model which outlines the areas of responsibility owned by the customer and the cloud service provider.
  • Define the scope of your cloud: understand what components are included in your cloud assets to determine the scope of the cloud penetration testing that’s needed.
  • Define expectations and timelines for your security team and your external cloud pentesting company: know your business’ responsibilities and those of the external cloud penetration testing company, including reports, remediations and follow-ups.

What does Intruder bring to the table? 

One of the biggest problems in vulnerability management is tracking what assets you have, what's in use, and what isn't. You can't secure something if you don't know it's there.

Cloud platforms can make this worse, because it’s so easy now to spin up new services in AWS, Google Cloud or Azure. Keeping on top of any new systems that are exposed to the internet and ensuring they are continuously monitored for weaknesses can be a challenge.

As well as offering a continuous penetration testing service, Intruder is a powerful vulnerability scanner designed to work seamlessly with the three major cloud service providers.

Our integrations provide a single view of the services and security exposures across all your cloud accounts, and remove any IPs no longer in use so you don't end up scanning someone else's infrastructure after a cloud IP is reassigned. When you activate CloudBot for your connected AWS, Google Cloud or Azure accounts, it performs an hourly check for new IP addresses or hostnames.

Beyond your cloud assets, we also scan web apps, networks, internal systems and APIs! Get started with a free trial today or choose a time to chat with us for more information.
