
Lock down your cloud with a penetration testing plan

Performing an end-to-end penetration test for public cloud is a must to prevent malicious attacks from both internal and external sources.

Penetration testing is an IT security practice designed to identify -- and address -- any vulnerabilities a hacker could exploit. And just as they would with a traditional data center, many IT shops perform penetration tests on their public cloud environments. Whether testing for AWS, Google or Microsoft Azure clouds, here are some best practices to formulate a penetration testing plan for public cloud.

First, since penetration testing looks a lot like an attack, it is important to coordinate with cloud providers before performing such tests.

Next, create an inventory of what to test, including servers, endpoints, applications, Web services and persistent data stores. You can conduct penetration tests using a tool like Metasploit or a third-party service such as Tinfoil Security's security scanning tool. But in either case, you need a well-defined list of components to test.

Then, determine which security tests to perform. The Open Web Application Security Project (OWASP) maintains a list of its top 10 security vulnerabilities in Web applications. This is a good starting point, and is considered the minimal set of vulnerabilities for which organizations should test. The list includes injection attacks, broken authentication and session management, cross-site scripting and security misconfiguration.

Be sure to test all points of potential attack. You might expect customers to always use the Web interface you have provided, but attackers can exploit Web services or database servers directly. Test all public-facing access points in your application stack, including API functions and application interfaces.

If you have the time and resources, also test services that should not be accessible from the Internet. For example, you might configure your database server to accept connections only from your application server. Someone might think the database is inaccessible from the Web, and therefore protected, but that is not necessarily true.

Security controls can fail. If the application server has access to the database server and is compromised, attackers can use the application server as a host for an attack on the database server. Without compromising needed functionality, harden the security of your database server as much as possible. Follow defense in depth practices and put multiple controls in place to protect data and system resources. Database server security shouldn't depend on a well-secured application server.

Lastly, remember that not all attacks will originate from outside your organization. An insider may have legitimate access to a number of systems that can be exploited for malicious purposes. Review logs to determine if you are capturing sufficient information to respond to an actual attack. Also, test the capabilities of security information and event management software. Make sure alerts are generated as expected, and present security testing data in a way that allows experts to quickly determine the cause of the alerts.
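As an added illustration of the last two points (example code, not from the original article): a small detector run over constructed database audit log lines that flags any connection to the database from a host other than the allow-listed application server, flags a burst of failed logins, and counts lines the parser cannot read as a logging gap. The log format, host names, addresses and threshold are assumptions for the example.

```python
import re
from collections import Counter

# Constructed audit log lines in an assumed format (not any vendor's real format).
LOG_LINES = [
    "2015-10-02T10:00:01Z db-1 auth=ok user=app src=10.0.1.10",
    "2015-10-02T10:00:05Z db-1 auth=ok user=app src=10.0.1.10",
    "2015-10-02T10:01:10Z db-1 auth=fail user=admin src=10.0.1.10",
    "2015-10-02T10:01:11Z db-1 auth=fail user=admin src=10.0.1.10",
    "2015-10-02T10:01:12Z db-1 auth=fail user=admin src=10.0.1.10",
    "2015-10-02T10:02:00Z db-1 auth=ok user=report src=10.0.5.77",
    "2015-10-02T10:03:00Z db-1 auth=ok user=app",  # missing src: a logging gap
]

# Assumption: only the application server (10.0.1.10) should ever reach the database.
ALLOWED_SOURCES = {"10.0.1.10"}
FAIL_THRESHOLD = 3  # failed logins from one (source, user) pair that trigger an alert

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth=(?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line):
    """Return the fields of one log line, or None if the line is incomplete."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(lines, allowed=ALLOWED_SOURCES, threshold=FAIL_THRESHOLD):
    """Emit alerts for unexpected sources and failed-login bursts; count unparsed lines."""
    alerts, fails, unparsed = [], Counter(), 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            unparsed += 1  # the log lacks the fields needed to investigate
            continue
        if ev["src"] not in allowed:
            alerts.append(("unexpected_source", ev["src"], ev["user"]))
        if ev["result"] == "fail":
            key = (ev["src"], ev["user"])
            fails[key] += 1
            if fails[key] == threshold:  # alert once, when the threshold is first reached
                alerts.append(("auth_failure_burst", ev["src"], ev["user"]))
    return {"alerts": alerts, "unparsed": unparsed}
```

Feeding lines like these into the SIEM and checking that the same alerts appear is the "alerts are generated as expected" test the article asks for; a non-zero unparsed count means the log is not capturing enough to respond to a real incident.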

This was last published in October 2015

What penetration testing tool has worked best for you and why?
Firebug worked great for me when doing quick risk-based exploration. As for the broad "brute force" scanning, the dev team used various tools but struggled with "noise". It still requires a human to put a technical finding into the context of a business threat.