Many enterprise IT shops use cloud penetration testing to identify and address potential security weaknesses in their cloud computing environment. But, before performing a penetration test on a public cloud platform, it's important to understand your cloud provider's unique testing requirements.
Penetration tests simulate an actual attack, so coordinate with cloud providers before performing one. Here's what to know before performing a cloud penetration test on Amazon Web Services (AWS), Google Compute Engine and Microsoft Azure.
For AWS, customers have to submit a request form prior to conducting the test. The approval form collects information about who will conduct the test, third-party contact information, the IP addresses of the servers to be scanned, the scanning source, and the proposed date and time of the test. Customers cannot perform penetration tests or other scans on m1.small or t1.micro instances. This is to avoid adverse impacts on other customers sharing the same server.
Users of Google Compute Engine and App Engine should consult the Terms of Service and Acceptable Use Policy before conducting cloud penetration testing. Google explicitly states that tests should only affect the tester's application, not other users or services. Google also has a Vulnerability Rewards Program to recognize the help of security researchers and professionals who find weaknesses in Google applications or services; it does not, however, apply to third-party applications.
Microsoft has a formal procedure for approving cloud penetration testing requests. The cloud provider asks customers to submit their request at least seven days in advance of the penetration test. If you find a potential vulnerability in Azure, you should report it to Microsoft. Microsoft offers expedited approvals for three common types of vulnerability tests: testing for OWASP Top 10 web vulnerabilities, fuzz testing endpoints and port scanning. Microsoft does not allow denial-of-service tests.
Cloud penetration testing is a valuable tool that has its place in cloud computing. The shared security model of cloud introduces some additional coordination challenges, but it is worth the effort.