The benefits of cloud computing are hard to ignore – the speed, flexibility and cost savings make it a worthwhile investment for many enterprises, but cloud migration security risks still exist. What’s written in the fine print is that while cloud providers do maintain many security certifications (e.g. Microsoft Azure), a large number of security roles and responsibilities will continue to fall on your team. Additionally, a database or application that was secure on-premises may not be secure in the cloud.
The cloud is simply a set of distributed servers that are accessed over the internet. A key thing to keep in mind is that each server exists in a physical location somewhere, but not one that the asset owner controls. During a cloud migration, a company’s digital assets, services, databases and applications move either wholly or partially into the cloud. This is also true of cloud-to-cloud migrations between cloud providers.
As your organization ramps up its digital transformation efforts, there should be a security testing plan in place, agreed with security and risk management leaders. This raises further questions, such as what should be tested and what the organization’s own responsibility for security is. While you usually can’t test assets you don’t own (e.g. the cloud provider’s physical data centers), you can test the things you fully control, such as your websites, databases and other items. If your company wrote the code, or maintains it, you can probably test it.
A strategic security testing plan for the cloud could look like testing continuously on critical assets you own and less important assets being tested quarterly or annually. What risks should you be looking for when testing? Typically, there are a few risks that are top of mind for security practitioners:
1. Sensitive data exposure
Data loss or leaks can, and often do, occur. By the nature of the cloud, everything can be reached from the internet or remotely. That means anyone, anywhere, with the right information can access it. A common risk vector is storage buckets, which are frequently exposed through misconfiguration. Recently, an Amazon S3 bucket containing 3TB of data, including airport employee records across Colombia and Peru, was left unprotected and exposed over one million files online.
The transfer of data that occurs during a cloud migration increases risk by its nature. Role-based access control (RBAC) is normally tailored in detail to work within your organization. The RBAC model designed by the cloud provider may be significantly different and lead to violations of best practice where someone can access files that they shouldn’t. Testing the infrastructure for data leakage and access control issues is critical. At Synack, we have included these vulnerabilities in our cloud-specific checklists for providers such as Microsoft Azure.
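One concrete check for the bucket misconfiguration and access control risks described above, written as an added example rather than Synack’s own tooling: it evaluates an S3 bucket policy document together with the bucket’s Block Public Access settings to decide whether anonymous principals can reach the bucket. The policy, the endpoint id and the set of scoping condition keys are constructed assumptions for the example.

```python
# Added example (not Synack's code): flag S3 bucket-policy statements that
# grant access to anonymous principals, the misconfiguration behind most
# "exposed bucket" incidents. Policy and settings below are constructed.

# Condition keys that scope "Principal": "*" to a VPC, account or org
# (assumed subset of what AWS itself treats as non-public).
SCOPING_KEYS = {"aws:SourceVpc", "aws:SourceVpce", "aws:SourceAccount",
                "aws:SourceArn", "aws:PrincipalOrgID", "aws:PrincipalAccount"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _anonymous(principal):
    # Both "Principal": "*" and {"AWS": "*"} mean anyone on the internet.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_statements(policy):
    """Sids of Allow statements that anyone can satisfy."""
    found = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _anonymous(stmt.get("Principal")):
            continue
        keys = {k for op in stmt.get("Condition", {}).values() for k in op}
        if keys & SCOPING_KEYS:
            continue  # "*" but limited to a VPC/account/org: not world-reachable
        found.append(stmt.get("Sid", f"statement[{i}]"))
    return found

def bucket_is_public(policy, block_public_access):
    """True when an anonymous grant exists and S3 Block Public Access
    (RestrictPublicBuckets) is not switched on to neutralise it."""
    if block_public_access.get("RestrictPublicBuckets", False):
        return False
    return bool(public_statements(policy))

# Constructed sample: a world-readable GetObject grant next to a VPC-scoped one.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}
if __name__ == "__main__":
    print(public_statements(SAMPLE_POLICY))                                  # ['PublicRead']
    print(bucket_is_public(SAMPLE_POLICY, {"RestrictPublicBuckets": False}))  # True
```

In practice the policy document and PublicAccessBlock configuration would be pulled per bucket from the AWS API and run through these two functions as part of the continuous testing cadence described above.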
2. Application programming interface (API) security
APIs are “a critical part of modern mobile, SaaS, and web applications and can be found in customer-facing, partner-facing, and internal applications,” as stated in the recently published OWASP API Top 10. It is important to test APIs for common vulnerabilities like broken authentication mechanisms or excessive data exposure.
An API breach can be near devastating with the right conditions. For example, in September 2022 the Australian network service provider Optus had a breach that exposed the data of 10 million customers due to an exposed API endpoint.
With digital transformation, there are more applications to manage than ever, and that includes APIs, which contribute to cloud migration security risks. Hackers increasingly target APIs hosted in the cloud because they are exposed to the internet and provide potential points of ingress into applications. An API that doesn’t require proper authentication can put your business and customers at risk. It would be the equivalent of leaving your computer open and unattended at DEF CON.
3. Increased compliance fines
In 2017, Equifax failed to patch a vulnerability in the open source Apache Struts framework in one of its databases. The vulnerability was exploited and the information of 150,000 individuals was exposed. Equifax was fined $575 million by the Federal Trade Commission.
The UK, China, the US and the EU are increasingly passing laws that impose significant fines for security breaches. Given the nature of the cloud, some security incidents are more likely to occur, and it is vital to be familiar with GDPR, CCPA, COPPA, PCI-DSS, HIPAA and other compliance frameworks.
How Synack can help secure your cloud migration and reduce risk
The cloud may be what your team and customers need for operational efficiency. A migration to the cloud also means you have to change your security suite to align with today’s threats. Traditional pentesting worked for testing a small number of on-premises solutions once a year, but companies now have to evolve to continuous testing to keep up with cloud assets.
Take a look at Synack’s cloud security testing benefits:
- Continuous testing to identify weaknesses and potential data exposure in critical assets before adversaries do
- Test Web, Host, Mobile and API endpoints for vulnerabilities or exposures
- Reports to document pentesting in compliance with frameworks like GDPR, PCI, FISMA and ISO27001
- Re-testing to make sure critical vulnerabilities are successfully patched
- Synack can test API endpoints and provides proof-of-coverage reports
- Synack can test assets hosted in Azure, GCP and AWS
- Audit-ready reporting to prove that assets were thoroughly tested
- Synack recently rolled out specific testing frameworks including Microsoft Cloud Security Benchmark Campaign for web and host assets
Watch our cloud security testing demo to learn more, or request a personalized demo to see how Synack can help your organization.