Register for CSA’s SECtember conference and trainings today




Circle
Events
Blog

What is Cloud Penetration Testing?

What is Cloud Penetration Testing?

Blog Article Published: 02/12/2022

Written by the CSA Top Threats Working Group.

Also known as ethical hacking, cloud penetration testing evaluates security and discovers vulnerabilities by utilizing hacker tools and techniques. Security testing in general is crucial to the security assurance of cloud environments, systems and devices. In this blog, learn about penetration testing, when it is performed, and its application to cloud security.

Penetration Testing: The Definition

As defined by NIST, penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. This could be used to either identify vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints.

As cloud services continue to enable new technologies and see massive adoption, there is a need to extend the scope of penetration testing into public cloud systems and components.

When Does Cloud Penetration Testing Occur?

Penetration testing is commonly performed after code has been developed and deployed. It’s critical to remember that it’s not always the best or most efficient form of testing. Its appropriateness can be determined based on context and purpose:

  • When security assurance of a live cloud-based product or feature is required, penetration testing is advised.
  • When the feature is just being designed, threat modeling is advised.

Penetration testing can also be carried out as part of a security program. The CREST program aims to assist with effectively managing penetration testing carried out in or delivered for a consumer organization. In this methodology, penetration testing is carried out in three steps:

  1. Preparation phase. Consider the drivers for testing, the purpose of testing, the suitable target environments, and appoint suitable suppliers to perform the tests.
  2. Testing phase. Manage the testing process and carry out the tests effectively, while identifying and remediating vulnerabilities.
  3. Follow-up phase. Remediate weaknesses, maintain an improvement plan, and deliver an agreed upon action plan.

What is the Objective?

Traditionally, the objective of penetration testing is to identify technical security weaknesses and systems resilience. However, a broader application of security testing serves to identify vulnerabilities in code, configuration and otherwise insecure implementation and to advise on effective mitigation strategies.

The STRIDE threat model (developed by Microsoft) serves to identify computer security test cases for which to consider cloud penetration testing. This model categorizes different types of threats in order to provide a better security understanding. These test cases consider only unique cases and flaws, where there are still many possible deployments and uses that will require their own testing guidelines. The types of threats in the STRIDE model include:

  • Spoofing - Takes the form of stealing cloud environment credentials to leverage their identity's privilege.
  • Tampering - Altering cloud logs, changing hosted images, and tampering with API, repositories or data to sabotage in a harmful way.
  • Repudiation - Deleting or turning off cloud logs or leveraging cloud services to mask an action or occurrence.
  • Information disclosure - Leaking data from misconfigured public cloud data stores.
  • Denial of service - Destroying or encrypting cloud resources, disablement of accounts, credentials or users.
  • Elevation of privileges - Leveraging misconfigured IAM permissions that allow escalation or permissions employed by compromised or targeted services and systems.

To learn more about cloud penetration testing, check out our Cloud Penetration Testing Playbook.

Share this content on your favorite social network today!

Sign up to receive CSA's latest blogs

This list receives 1-2 emails a month.