This tip is a part of the SearchSecurityChannel.com mini learning guide, Penetration testing tutorial: Guidance for effective pen tests
As organizations look to public cloud providers like Google Inc. and Amazon Inc. to host services and applications, they require vulnerability assessments and penetration tests (pen tests) to satisfy internal policies and compliance requirements. Penetration tests in the cloud differ from pen tests on a network maintained entirely by the organization itself. This tip explains how to penetration test a cloud service provider’s (CSP’s) environment to validate CSP security for your customers.
Are pen tests allowed in a cloud?
The type of cloud (as well as the type of cloud provider) will determine whether pen testing is
permitted. Most Software as a Service (SaaS) providers don’t allow testing, as it will likely
impact their infrastructure. Customers using Salesforce.com, for example, are not allowed to
perform pen tests. Platform as a Service (PaaS)
Requires Membership to View
To gain access to this and all member only content, please provide the following information:
By submitting your registration information to SearchSecurityChannel.com you agree to receive email communications from the TechTarget network of sites, and/or third party content providers that have relationships with TechTarget, based on your topic interests and activity, including updates on new content, event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile, unsubscribing via email or by contacting us here
- Your use of SearchSecurityChannel.com is governed by our Terms of Use
- We designed our Privacy Policy to provide you with important disclosures about how we collect and use your registration and other information. We encourage you to read the Privacy Policy, and to use it to help make informed decisions.
- If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States.
and Infrastructure as a Service (IaaS) providers
may allow pen testing, but coordination is required. Ideally, the contractual language the customer
has in place with the CSP states pen testing is allowed (the more explicit language, the better)
and clarifies what kinds of tests are permitted, as well as the frequency of the testing.
Some tests are explicitly prohibited across most, if not all, CSPs, including denial-of-service (DOS) and other attacks that consume bandwidth and cloud system resources.
Once it has been determined that pen testing the cloud provider’s environment is permitted, the next step is to coordinate the test details with both the customer and the CSP. Some CSPs make their coordination requirements clear, while others must be explicitly asked how they prefer the testing to be performed. Some CSPs try to facilitate the process by providing online resources that testing firms can use for coordination. Amazon, for example, has a simple form on the AWS site that can be filled out to start the process. All CSPs require explicit permission from the customer whose resources are in the cloud. This communication between the CSP, the customer and the solution provider who is performing the test may take some additional time, and it’s best to add a week on the front end of the project for project planning.
Types of pen tests for the cloud
It’s important to learn about the types of pen tests the CSP allows. Some tests are explicitly
prohibited across most, if not all, CSPs, including denial-of-service (DoS) and other attacks that
consume bandwidth and cloud system resources. The primary reason for this is because systems in
cloud environments are hosted on virtualization platforms with other customers’ systems (a
condition called multi-tenancy). Any attacks that consume bandwidth or local system resources may
impact multiple customers’ data and system performance.
CSPs are also unlikely to allow solution providers to compromise cloud resources and then use those systems to attack additional resources outside the CSP’s cloud, primarily for liability reasons. This may significantly impact the normal methods solution providers use to perform vulnerability assessments and pen tests; chaining attacks through one compromised system to attack another is a very common form of testing. For systems hosted within the same cloud, this is usually not a problem.
PaaS clouds may have specific system types hosted in their cloud, resulting in an organization’s systems being spread across multiple providers. For example, organizations may host Web servers within Amazon’s EC2 cloud, while hosting database servers with Microsoft’s Azure service. In this case, service providers need permission from both organizations, Microsoft and Amazon, for a complete penetration test of the Web application infrastructure, and there may be additional stipulations from one or both CSPs, as well.
Tools for pen testing
Luckily for solution providers, new tools are emerging that may facilitate cloud-based
penetration testing. One example is Core
Security Technology’s CloudInspect, a cloud-based penetration testing solution that is closely
aligned with Amazon EC2. CloudInspect is designed to simplify scheduling and coordination with
Amazon, and to provide more professional testing tools for the cloud. CloudInspect is easy to use.
Amazon has endorsed CloudInspect as a tool EC2 customers can leverage to satisfy compliance
requirements and meet security testing needs within the AWS cloud. Other assessment tool vendors
will likely turn their attention to CSP testing and, meanwhile, many have cloud-based platform
options, including Rapid7’s Metasploit Pro and SAINT Corporation’s WebSAINT.
Solution providers need to work with their customers to understand the kinds of systems and applications they have in the cloud, plan on additional coordination time and adjust for testing limitations when performing pen tests on cloud-based resources.
About the author:
Dave Shackleford is the founder and principal consultant with Voodoo Security, as well as a
SANS analyst, instructor, and course author and GIAC technical director. He has consulted with
hundreds of organizations in the areas of security, regulatory compliance, and network architecture
and engineering. He is a VMware vExpert and has extensive experience designing and configuring
secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the
Center for Internet Security, and as a security architect, analyst, and manager for several Fortune
500 companies. Dave is the co-author of Hands-On Information
Security from Course Technology as well as the "Managing Incident Response" chapter in
the Course Technology book Readings and Cases in the Management of Information
Security. Recently, Dave co-authored the first published course on virtualization security
for the SANS Institute. Dave currently serves on the board of directors at the Technology
Association of Georgia's Information Security Society and the SANS Technology Institute.
This was first published in October 2011