Avoid the Common Pitfalls of Pen Testing Cloud-Based Systems
The Cloud – advantages and pitfalls
‘The cloud’ is the term given to the provision of services and applications hosted on the Internet, instead of traditionally on business premises.
Cloud computing gives individuals and businesses the ability to store and process their information in third-party data centres, with the much-advertised benefits of getting applications up and running quickly, improved manageability and reduced downtime. It also lets businesses scale resources up and down rapidly in response to fluctuating requirements.
However, the conveniences of cloud computing complicate security engagements such as the annual Payment Card Industry (PCI DSS) compliance test (1), a CHECK IT Health Check (ITHC) (2) or a Cyber Essentials assessment (3).
Most of these complications stem from the same arrangement that provides the convenience: the business does not own, host or fully manage its back-end servers or network infrastructure, so the cloud provider's rules, approvals and network boundaries apply to the test team as much as they do to the business.
Testing Pitfalls of Cloud-based Engagements
Perspective Risk conducts numerous cloud-based engagements on behalf of our clients. Here we discuss some of the common issues we encounter during testing and how to prevent them.
The lead time for a Certificate of Authority, the provider's written permission to conduct testing against its environment, varies greatly between cloud providers and can be long.
If the request is not submitted in good time, permission may not be granted before the test window opens, and expensive technical assets procured for the assessment may go unused. Some large providers no longer require prior approval for testing of customer-owned resources, but each still publishes a penetration testing policy that rules out activities such as denial of service and testing of the provider's own shared infrastructure, so the current policy of every provider in scope should be read before the engagement is planned.
Understanding the environment is an essential component of any cloud-based security assessment. If the test team does not have an appropriate level of knowledge of the environment, the testing may be unfit for purpose or may not be completed within the agreed window.
A few cloud assessments can be run like a traditional penetration test, with the tester on site at the provider's datacentre and connected locally to the network assets, but for the vast majority of providers that is not an option. Testing then has to be done remotely, and the prerequisites and special arrangements this needs must be agreed with the cloud provider's technical personnel in advance.
Where a customised testing image can be supplied to the cloud provider before the assessment, the common pitfalls are providing it in a virtual disk format the provider does not accept (providers usually support only a short list, for example a fixed-size VHD for some and VMDK or OVA for others) and deploying it to the wrong network or subnet, from which the targets are unreachable.
Depending on the cloud provider in question, custom test images may not be accepted at all. Where only a generic virtual server is available, extra time will be needed to install the test team's toolset and provision licensed software onto the new installation.
Connectivity to cloud-provisioned test virtual machines, target virtual servers, web applications and web services can also be complex and time-consuming to set up. Source IP addresses will usually need to be whitelisted, proxies used and connections forwarded across several network hops before any meaningful testing can begin, and each of these should be confirmed working before the test window opens rather than on its first day.
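As an added illustration of the multi-hop forwarding arrangement described above (this is example configuration written for this page, not from the original article or any provider), the following OpenSSH client configuration chains through a bastion whose public address the provider has whitelisted for the tester's egress IP, then through an internal jump host, and forwards a local port to the target web application. All host names, addresses and the key file are placeholders.

```sshconfig
# ~/.ssh/config excerpt (added example; hosts, addresses and key are placeholders)

# First hop: the bastion with a public IP. The tester's egress IP must already
# be on the provider-side allow list (security group / NSG) or this never connects.
Host cloud-bastion
    HostName 203.0.113.10
    User pentest
    IdentityFile ~/.ssh/engagement_ed25519
    IdentitiesOnly yes

# Second hop: an internal jump box reachable only from the bastion's subnet.
Host cloud-jump
    HostName 10.0.1.5
    User pentest
    IdentityFile ~/.ssh/engagement_ed25519
    IdentitiesOnly yes
    ProxyJump cloud-bastion

# The test VM in the target VPC. Local port 8443 on the tester's laptop is
# forwarded across both hops to the web application at 10.0.2.20:443, and a
# SOCKS proxy on 1080 lets tools such as Burp or nmap reach other internal hosts.
Host cloud-testvm
    HostName 10.0.2.50
    User pentest
    IdentityFile ~/.ssh/engagement_ed25519
    IdentitiesOnly yes
    ProxyJump cloud-jump
    LocalForward 8443 10.0.2.20:443
    DynamicForward 1080
    ServerAliveInterval 30
```

With this in place, `ssh -N cloud-testvm` opens the tunnels and the web application is reached at https://localhost:8443 (the certificate will not match the name, so tools need to be told which virtual host to send). Note that the target sees the test VM's address as the source of all traffic, so that is the address the client's whitelists and logs must account for, and the one to agree with the provider in advance.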
Effective Cloud-based Testing
In conjunction with their test providers, clients should submit Certificate of Authority requests to cloud providers well within specified lead times.
It’s essential that early dialogue takes place between the client, the test provider and the cloud provider so that customised test images are supplied in a virtual file format the provider accepts and are deployed to the correct network location.
Where the provision of test images is unavailable, the type and version of virtual servers that can be facilitated as a test platform should be agreed, along with any package prerequisites and enough configuration time for the newly built systems.
To ensure the test team has sufficient knowledge to conduct meaningful testing of the target environment and can cope with the solution’s inherent complexities, it should be given network documentation, network diagrams and time with the technical team before testing starts.
Cloud-based Testing Advice Summary
- Submit Certificate of Authority requests well within the cloud provider’s specified lead time
- Effective, early dialogue between clients, test providers and cloud providers is vital for ensuring that all parties understand their responsibilities
- Give your test team sufficient technical information regarding the operation and configuration of the solution to be assessed
- A technical point-of-contact should be available to the test team throughout the engagement in the event that unexpected issues are encountered
If you would like Perspective Risk’s cyber-security experts to conduct your security engagement, or if you just want some sound, friendly advice, please click here to contact us.