Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

What is Cloud Penetration Testing?

Home
Industry Insights
What is Cloud Penetration Testing?

Blog Article Published: 02/12/2022

Written by the CSA Top Threats Working Group.

Also known as ethical hacking, cloud penetration testing evaluates security and discovers vulnerabilities by utilizing hacker tools and techniques. Security testing in general is crucial to the security assurance of cloud environments, systems and devices. In this blog, learn about penetration testing, when it is performed, and its application to cloud security.

Penetration Testing: The Definition

As defined by NIST, penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. This could be used to either identify vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints.

As cloud services continue to enable new technologies and see massive adoption, there is a need to extend the scope of penetration testing into public cloud systems and components.

When Does Cloud Penetration Testing Occur?

Penetration testing is commonly performed after code has been developed and deployed. It’s critical to remember that it’s not always the best or most efficient form of testing. Its appropriateness can be determined based on context and purpose:

  • When security assurance of a live cloud-based product or feature is required, penetration testing is advised.
  • When the feature is just being designed, threat modeling is advised.

Penetration testing can also be carried out as part of a security program. The CREST program aims to assist with effectively managing penetration testing carried out in or delivered for a consumer organization. In this methodology, penetration testing is carried out in three steps:

  1. Preparation phase. Consider the drivers for testing, the purpose of testing, the suitable target environments, and appoint suitable suppliers to perform the tests.
  2. Testing phase. Manage the testing process and carry out the tests effectively, while identifying and remediating vulnerabilities.
  3. Follow-up phase. Remediate weaknesses, maintain an improvement plan, and deliver an agreed upon action plan.

What is the Objective?

Traditionally, the objective of penetration testing is to identify technical security weaknesses and systems resilience. However, a broader application of security testing serves to identify vulnerabilities in code, configuration and otherwise insecure implementation and to advise on effective mitigation strategies.

The STRIDE threat model (developed by Microsoft) serves to identify computer security test cases for which to consider cloud penetration testing. This model categorizes different types of threats in order to provide a better security understanding. These test cases consider only unique cases and flaws, where there are still many possible deployments and uses that will require their own testing guidelines. The types of threats in the STRIDE model include:

  • Spoofing - Takes the form of stealing cloud environment credentials to leverage their identity's privilege.
  • Tampering - Altering cloud logs, changing hosted images, and tampering with API, repositories or data to sabotage in a harmful way.
  • Repudiation - Deleting or turning off cloud logs or leveraging cloud services to mask an action or occurrence.
  • Information disclosure - Leaking data from misconfigured public cloud data stores.
  • Denial of service - Destroying or encrypting cloud resources, disablement of accounts, credentials or users.
  • Elevation of privileges - Leveraging misconfigured IAM permissions that allow escalation or permissions employed by compromised or targeted services and systems.

To learn more about cloud penetration testing, check out our Cloud Penetration Testing Playbook.

Penetration TestingRisk ManagementTop Threats

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Level up with Cloud Infrastructure Security Training
Related Articles:
Do You Know These 7 Terms About Cyber Threats and Vulnerabilities?

Published: 04/19/2024

The Data Security Risks of Adopting Copilot for Microsoft 365

Published: 04/16/2024

From Gatekeeper to Guardian: Why CISOs Must Embrace Their Inner Business Superhero

Published: 04/15/2024

Remote Code Execution (RCE) Lateral Movement Tactics in Cloud Exploitation

Published: 04/12/2024