According to a recent report by Fugue, cloud misconfigurations are the leading cause of data breaches in the cloud. Between 2018 and 2019, cloud misconfigurations cost companies an estimated $5 trillion worldwide.
With this in mind, cybersecurity measures for cloud computing must account for the kinds of cloud misconfigurations that result from user error. Penetration testing, or pen testing for short, must be able to find these cloud misconfigurations by attacking them, so that they can be corrected.
In this piece, I provide recommendations for ways to approach pen testing in a cloud infrastructure.
Pen Testing in the Cloud is a Different Ball Game
Back when systems were managed in data centers, pen testing was typically limited to probing TCP/IP endpoints, using various phishing and social engineering techniques, and testing physical security.
In the age of cloud computing, however, the cloud service provider is responsible for the physical security of the data center, while the services you build on top of it expose a larger potential attack surface. How large depends on the kind of cloud services you use, so you need to be wary of it.
Pen Testing a Cloud Environment
Before letting a dedicated team perform a penetration test on your cloud infrastructure, you should ensure they have the expertise to do the job correctly.
To evaluate the team's skills against the attack vectors that apply to the cloud services you use, you need to ask them some important questions. Here are the questions to ask:
- Describe the common attack vectors for each cloud service you use.
- Describe an attack vector that spans more than one cloud service at the same time.
- What did you recommend to a previous customer for preventing known misconfigurations?
Before you pull the trigger on a pen test for your cloud-based system, run your own cloud security tests and analyses first. Clearing a major chunk of the vulnerabilities before involving external vendors gives you a head start.
This not only reduces costs if you're funding bounties but also helps your team build their own cloud-specific skills.
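One way to get that head start is a scripted sweep for the kinds of misconfigurations the article keeps coming back to: world-readable storage, firewall rules open to the whole internet, and administrative identities without MFA. The script below is an added example, not code from the article or from any provider's tooling. It runs over a constructed, provider-neutral inventory (a list of dicts) so it works offline; the resource types, field names, severity levels and the rules themselves are assumptions you would adapt to your own provider's inventory export.

```python
"""Pre-engagement sweep for common cloud misconfigurations.

Added example, not part of the original article. Runs over a constructed,
provider-neutral inventory so it can execute offline; swap SAMPLE_INVENTORY
for your provider's inventory export. Resource types, field names and rules
are assumptions.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Ports whose exposure to the whole internet is treated as high severity
# (assumption: SSH and RDP are the admin ports that matter in this inventory).
ADMIN_PORTS = {22, 3389}


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str  # "high", "medium" or "low"
    detail: str


def _is_world_open(source: str) -> bool:
    """True for a CIDR that matches every address (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False


def check_storage(res: dict) -> list[Finding]:
    """Flag buckets readable by anonymous users and buckets without encryption at rest."""
    findings = []
    if res.get("public_read"):
        findings.append(Finding(res["name"], "storage-public-read", "high",
                                "bucket grants read access to anonymous users"))
    if not res.get("encrypted", False):
        findings.append(Finding(res["name"], "storage-unencrypted", "medium",
                                "bucket has no encryption at rest"))
    return findings


def check_firewall_rule(res: dict) -> list[Finding]:
    """Flag rules whose source covers the whole internet; admin ports rank high."""
    if not _is_world_open(res.get("source", "")):
        return []
    port = res.get("port")
    severity = "high" if port in ADMIN_PORTS else "low"
    return [Finding(res["name"], "firewall-world-open", severity,
                    f"port {port} reachable from {res['source']}")]


def check_identity(res: dict) -> list[Finding]:
    """Flag administrative identities that do not have MFA enabled."""
    if res.get("admin") and not res.get("mfa_enabled", False):
        return [Finding(res["name"], "identity-admin-no-mfa", "high",
                        "administrative identity has MFA disabled")]
    return []


# Dispatch table: resource type -> check function (types are assumptions).
CHECKS = {
    "storage": check_storage,
    "firewall_rule": check_firewall_rule,
    "identity": check_identity,
}


def scan(inventory: list[dict]) -> list[Finding]:
    """Run the applicable check over each resource; unknown types are skipped."""
    findings = []
    for res in inventory:
        check = CHECKS.get(res.get("type"))
        if check is not None:
            findings.extend(check(res))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity level."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample inventory; none of these names refer to real infrastructure.
SAMPLE_INVENTORY = [
    {"type": "storage", "name": "backups", "public_read": True, "encrypted": False},
    {"type": "storage", "name": "static-site", "public_read": True, "encrypted": True},
    {"type": "firewall_rule", "name": "bastion-ssh", "source": "0.0.0.0/0", "port": 22},
    {"type": "firewall_rule", "name": "web-https", "source": "0.0.0.0/0", "port": 443},
    {"type": "firewall_rule", "name": "internal-db", "source": "10.0.0.0/8", "port": 5432},
    {"type": "identity", "name": "deploy-user", "mfa_enabled": False, "admin": True},
    {"type": "identity", "name": "alice", "mfa_enabled": True, "admin": True},
]

if __name__ == "__main__":
    results = scan(SAMPLE_INVENTORY)
    order = ("high", "medium", "low")
    for f in sorted(results, key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.resource}: {f.rule} - {f.detail}")
    print(summarize(results))
```

Each check is a small function keyed by resource type, so adding a rule for a new misconfiguration (or a new resource type from your provider) means adding one function and one dispatch entry rather than touching the scan loop. The severity split on the firewall rule is deliberate: a public HTTPS listener is usually intentional and only worth a note, while SSH or RDP open to the world is exactly the kind of user-error misconfiguration an external tester would find first.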
If you’re looking to hire a professional cybersecurity consultant to help develop pen testing strategies, get in touch with me for more information on my services.
I'm a certified information security manager committed to helping organizations across industries devise cybersecurity protocols for cloud-based infrastructures, with extensive experience in cloud computing system security.