The benefits of a cloud penetration test are increased technical assurance and a better understanding of the attack surface that your systems are exposed to. Cloud systems, whether they are infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS), are prone to security misconfigurations, weaknesses, and security threats just as traditional systems are.
The increased assurance comes from gaining visibility of the security weaknesses in your cloud estate. You will be able to verify what services and data are publicly accessible, what cloud security controls are in effect, and how effectively these are mitigating your security risk.
The Cloud Security Problem
Although cloud providers offer increasingly robust security controls, you are ultimately responsible for securing your company’s workloads in the cloud. According to the 2019 Cloud Security Report, the top cloud security challenges are data loss and data privacy. These are followed by compliance concerns, tied with concerns about accidental exposure of credentials.
Operational Security Headaches
● 34% Compliance
● 33% Lack of Visibility into infrastructure security
● 31% Lack of qualified staff
Biggest Cloud Security Threats
● Unauthorized Access
● Insecure Interfaces/APIs
● Misconfiguration of the cloud platform
● Hijacking of accounts, services or traffic
● External sharing of data
● Malicious insiders
Cloud Configuration Review is an assessment of your cloud configuration against the accepted best practice of industry benchmarks. A report is produced with a summary table showing the benchmarks and whether you are following the best practice. Individual technical findings break the results down in more detail, with detailed explanations and remediation advice.
Cloud Penetration Testing involves a mixture of external and internal penetration testing techniques to examine the external posture of the organisation. Examples of vulnerabilities identified by this type of active testing include unprotected storage blobs and S3 buckets, servers with management ports open to the internet, and poor egress controls.
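As an added illustration (not part of the original page or any vendor's tooling), the following Python sketch shows how a configuration review can flag two of the weaknesses named above, management ports open to the internet and unrestricted egress, in data shaped like AWS `describe-security-groups` output. The group IDs and rules are constructed samples, the choice of SSH and RDP as management ports is an assumption, and only IPv4 ranges are checked.

```python
import ipaddress

MGMT_PORTS = {22: "SSH", 3389: "RDP"}  # assumed management ports for this example

# Constructed sample, shaped like AWS describe-security-groups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

def _is_world(rule):
    """True if any IPv4 range in the rule covers the whole internet."""
    return any(ipaddress.ip_network(r["CidrIp"]).prefixlen == 0
               for r in rule.get("IpRanges", []))

def _covers(rule, port):
    """True if the rule allows the TCP port (protocol -1 means all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    return (rule["IpProtocol"] == "tcp"
            and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))

def review(groups):
    """Return sorted (group id, finding) pairs for the two checks."""
    findings = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            for port, name in MGMT_PORTS.items():
                if _is_world(rule) and _covers(rule, port):
                    findings.append((g["GroupId"], f"{name} ({port}) open to the internet"))
        if any(r["IpProtocol"] == "-1" and _is_world(r)
               for r in g.get("IpPermissionsEgress", [])):
            findings.append((g["GroupId"], "unrestricted egress"))
    return sorted(findings)

if __name__ == "__main__":
    for gid, finding in review(SAMPLE_GROUPS):
        print(f"FAIL  {gid}  {finding}")
```

The internal-only database group produces no findings even though its port range is wide, because the check keys on internet-wide source ranges rather than on port count.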
Cloud Penetration Testing Authorisation and Policies
Microsoft (Azure) and Amazon (AWS) used to require testing authorisation before commencing a penetration test. This is no longer the case, and barring a few exceptions within AWS, you are no longer required to request authorisation for a cloud penetration test for Azure, AWS, or GCP.