Cloud Penetration Testing - The Complete Guide

Cloud Penetration Testing

Cloud computing helps you use computing resources such as cloud storage without having to actually install and maintain them. It constitutes the use of physical and virtual servers, networking capabilities and development tools stored remotely via the internet.

A Cloud Service Provider (CSP) offers these services for a fee either as a monthly / yearly subscription or bills them as per usage as a pay-as-you-use service. Some of the popular cloud computing providers are AWS, Google, Oracle, and Microsoft Azure. Due to the many benefits these cloud providers offer, the CSPs and their customers are often targeted by attackers. In order to ensure these services are secure, companies need to conduct cloud penetration testing.

Cloud penetration testing is a form of simulated attack to check the viability of the system and trace out its vulnerabilities. It helps identify the strengths and weaknesses in the cloud system. It differs vastly from the traditional penetration testing methodologies in that these were used to only service on-premise environments whereas the cloud penetration testing systems checked the cloud applications, cloud storage access, database, and cloud-related configurations.

Benefits of Cloud Penetration Testing

It helps in strengthening the overall security posture of the cloud-based systems. It helps avoid attacks/breaches and also helps in adhering to compliance. Some other major advantages are:

1. It finds vulnerabilities, loopholes and potentially weak areas in the system
2. It determines the impact that the vulnerabilities can have on the system
3. It helps in security optimization
4. It helps in formulating remedial plans
5. It provides the ideal practices in maintaining visibility

What is the shared responsibility model of Cloud Penetration Testing?

The depth and frequency of cloud penetration testing is often defined by the type of service level agreement (SLA) a company has with the Cloud Service Provider (CSP). Thus, the security of the cloud rests with both CSP and the company. Control of certain components remains with the CSP whereas other components are governed by the company.

There are three types of services available:

• Infrastructure as a Service (IaaS) - User access / Identity, Data, Application and Operating System are taken care of by the customer / client
• Platform as a Service (PaaS) - User access / Identity, Data, and Application are taken care of by the customer / client
• Software as a Service (SaaS) - User access / Identity and Data are taken care of by the customer / client Other components such as virtualization, network, infrastructure, and physical components are taken care of by the CSP.

What are the different types of cloud penetration testing?

Cloud penetration testing takes care of attacks, breaches, operability, and recovery. Types of penetration testing are:

• Black Box Penetration Testing In this type of testing, testers have no prior knowledge or access to the company’s cloud systems.
• Grey Box Penetration Testing In this type, testers have limited knowledge and access to users and systems. They may be granted some administrative privileges.
• White Box Penetration Testing In this case, the testers are granted full access and administrative privileges of the cloud systems.

What are the steps involved in Cloud Penetration Testing?

1. Knowing the policy of the cloud service provider - The policies of the cloud providers are different. They vary in the prohibited and permissible services to test or access. Before beginning testing, one must gather knowledge about the company and the cloud service provider it uses.

2. Develop a cloud penetration testing plan - First understand from the customer the beginning and end dates of the penetration testing. Get information about the cloud platform, the URLs that will be tested, architecture, and functions of the platform. Secondly, check the customer’s system for access points, source code, software versions, leaked keys, if any exist etc. The more the data that is gathered, the easier to identify the loopholes in the system.

3. Choose appropriate penetration testing tools - Simulation is a big part of testing, hence use automation to guess passwords or use API to access data directly to identify vulnerabilities. If the pen test tools are not matching the requirements, then systems, tools, and scripts must be customised accordingly.

4. Analyse the responses - Once the tests are performed, analysis must be done to determine whether they were false positives or real cloud responses. If they are not what was expected then they must be reported. Furthermore, these responses should also be documented for further understanding.

5. Eliminate vulnerabilities - Once the analysis is complete, the loopholes must be removed and gaps must be patched. Seriousness of each vulnerability must be discussed and if need be, further investigations must be carried out.

6. Prepare report - Once all the above steps are completed, then a final report is generated that suggests possible remedial measures and recommendations which can be used in the future.

What are the challenges faced by cloud penetration testing?

• There is no fixed format to perform cloud penetration testing. It depends on the client and their needs.
• Different cloud providers use different technologies that usually depend on the clients. It is important to understand these cloud services, their vulnerabilities, and other possible misconfigurations. It is difficult to know all the different cloud service configurations.
• Each cloud service provider will have a different policy for testing. Thus the testing process is largely depending on the provider. Some providers will need to be notified before testing.

What are the best practices for Cloud Penetration Testing?

• Choose an experienced cloud service provider - As companies use various cloud service providers depending on their requirement, it is important for the provider to be updated on the latest knowledge and have the right information and experience.

• Choose between the various types of the Shared Responsibility Model - The company and cloud service provider share responsibility of different components under the Shared Responsibility Model. Understand the difference between the various types such as IaaS, PaaS, and SaaS (detailed above) and choose depending on your requirements.

• Understand the Service Level Agreements - Otherwise known as “Rules of Engagement”, it provides details of all cloud related services including penetration testing.

• Determine the scope of the cloud - Understand the depth of cloud testing that is to be done, which components are to be tested etc.

• Identify the type of testing - Black Box, Grey Box, and White Box are the different types of testing that can be chosen. The decision is decided based on the level of access and permissions granted to the cloud penetration testers.

• Determine time frame - A timeline for the testing and the outcomes expected should be decided in advance, including report generation, remedial measures, follow-up testing etc.

• Prepare a contingency plan - A protocol should be established beforehand in case the testers find that a breach has occurred or is imminent.