29 June 2022

Pentesting for Cloud Systems: What You Need to Know

Synack

Why You Need to Pentest Your Cloud Implementation and What’s Different From Normal Pentesting

Security Breaches in Cloud Systems

Most businesses today perform at least some of their compute functions in the cloud, and for good reason: processing in the cloud can increase productivity while reducing capital and operational costs. But, as with any computer system, there can be security holes that attackers can exploit. In 2021, the average cost of a breach was $4.8 million for a public cloud, $4.55 million for a private cloud, and $3.61 million for a hybrid cloud.

Breaches can also expose customer records. In May 2021, a Cognyte breach exposed 5 billion customer records. Perhaps the most high-profile breach was at Facebook, where in April of that year hundreds of millions of customer records were exposed. Cloud customers need to be mindful of cloud security and take the necessary steps to protect themselves.

What is Pentesting?

Penetration testing, or pentesting, is a well-proven and critical component of any organization’s cybersecurity program. In a pentest, a trusted team of cybersecurity researchers probes your IT systems for vulnerabilities that could allow them to breach your defenses, just as a cybercriminal would do. The result of the pentest is a report on your cybersecurity posture, including vulnerabilities that need to be remediated.

Pentesting methods and practices were developed primarily with on-premises systems in mind. But today, organizations are moving more of their compute processing and data storage to the cloud. So you might ask: Is pentesting necessary for my cloud implementation? Can you even do pentesting in the cloud? The answer to both questions is a definite yes.

Why You Need to Pentest the Cloud

Whether you are using the cloud for IaaS (Infrastructure as a Service), PaaS (Platform as a Service) or SaaS (Software as a Service), cloud usage is essentially a shared responsibility model in which both the Cloud Service Provider (CSP) and the tenant own certain responsibilities, including cybersecurity. Several risks and vulnerabilities are inherent in using cloud services, such as the extensive use of APIs for communication, the potential for server misconfiguration, and the use of outdated software or software with insecure code. If not remediated, these vulnerabilities could lead to a breach. The top concerns of cloud operation are data loss, data privacy, compliance violations and exposure of credentials.

Pentesting in the Cloud

The big difference between pentesting your own system and pentesting in the cloud is that you are actually testing someone else's system. In public and hybrid cloud implementations, in addition to shared responsibility considerations, you also have shared resource considerations. You don't own the cloud resources, so you need to design your testing process to operate within the CSP's environment.

Challenges Specific to Cloud Pentesting

While offloading work to the cloud has broad benefits, it also has some drawbacks. One is the lack of transparency: you don't know exactly what hardware is being used or where your data is stored, which can make thorough pentesting more difficult. And because you are working in a resource-sharing model, there is the potential for cross-account contamination if the CSP has not taken adequate steps to segment tenants. Most important from a testing perspective, each CSP has its own policy regarding pentesting on its systems.

Working With CSPs for Pentesting

Most CSPs will allow pentesting on their systems, as long as you adhere to their guidelines and restrictions. If you have a multi-cloud implementation involving two or more CSPs, you need to ensure that you understand the pentesting policies of each. Here are a few of the considerations when pentesting in the cloud.

  • CSP Notification: The first thing you need to do is inform your CSP that you will be conducting a test. Otherwise, your efforts could look like a cyberattack.
  • CSP Testing Restrictions: CSPs often have a policy describing which tests you can perform, what tools you can use, and which endpoints can and cannot be tested.
  • The Shared Responsibility Model: Depending on whether you have an IaaS, PaaS, or SaaS model, you are responsible for the security of some cloud components and the CSP is responsible for others.
  • Server-Side Vulnerabilities: A thorough penetration test might discover vulnerabilities on the server side that are therefore the CSP's responsibility to remediate.

Pentest for a More Secure Cloud

Not only can you pentest in the cloud, you need it to be part of your cybersecurity process. Remediating vulnerabilities discovered by pentesting will improve the security of your cloud implementation. It can also help you achieve compliance and give you a more comprehensive understanding of your cloud system. Synack's approach to pentesting for the cloud addresses the concerns described here—you can set up a pentest for your cloud environment in minutes with some of the world's top cloud security experts.