This content is part of the Essential Guide: Combat the latest cloud security challenges and risks

Minimize threats through public cloud security testing

Security concerns deter many IT pros from adopting public cloud. But security testing tools and a sound strategy can help them conquer their fears.

Due to public cloud's multi-tenant environment and shared resources, many organizations are skeptical about a public cloud provider's ability to secure their data.

According to a 2014 study from analyst firm Current Analysis, which polled over 600 IT decision markers worldwide, 58% of respondents deployed private cloud because of public cloud "security" and "data privacy" concerns.

But, in reality, public cloud providers are not responsible for securing your data -- you are. Providers are, however, responsible for supplying the necessary mechanisms to meet your security requirements.

There is no one-size-fits-all approach to public cloud security. Organizations must determine their specific security requirements, and map those to the appropriate technology. In some cases, the cloud providers offer that technology. But in other cases, organizations will require third-party services.

However, there are ways to identify and fix holes in public cloud security. The most effective way is to test.

Strategies for public cloud security testing

Public cloud security testing begins with selecting a portion of the cloud environment to test. Anything that can be isolated, such as a single database, container cluster or application instance, will work.

From there, create a cloud security testing strategy. One method is to try to penetrate the part of the system being tested with any exposed access mechanism -- such as a user interface, set of APIs, or primitive access points that lead directly to the infrastructure.

To simulate attacks, use automated security testing tools, such as Core Security Technologies' CloudInspect or Trustwave's Managed Security Testing. Many of these tools can also gather information on response times and defense methods. While these tools vary greatly, they're typically designed to test specific cloud security components. As a result, organizations are likely to use between three and five different tools.

Beware of side-channel attacks

One threat to guard against is a side-channel attack, a method that one virtual machine can use against another within the cloud to comprise the target VM's encryption key.

Public cloud providers pay special attention to side-channel attacks, which makes it unlikely to experience one. However, as public cloud providers constantly release new versions of their cloud services, it's important to check whether a new vulnerability is introduced.

Finally, determine which employee will perform cloud security testing. As a rule of thumb, never let developers take on that role. Because they're so close to the cloud, developers are unlikely to spot issues. Instead, use a separate group that is dedicated to security and security testing. These people could be in your company, or third-party consulting firms that focus exclusively on cloud security and penetration testing.

Despite many users' concerns, public cloud security is solid if approached and tested carefully. Security testing validates whether an organization has chosen the right security technology, as well as identifies and fixes vulnerabilities before they become real issues.

About the author:
David "Dave" S. Linthicum is senior vice president of Cloud Technology Partners and an internationally recognized cloud industry expert and thought leader. He is the author or co-author of 13 books on computing, including the best-selling
Enterprise Application Integration. Linthicum keynotes at many leading technology conferences on cloud computing, SOA, enterprise application integration and enterprise architecture.

His latest book is Cloud Computing and SOA Convergence in Your Enterprise: A Step-by-Step Guide. His industry experience includes tenures as chief technology officer and CEO of several successful software companies and upper-level management positions in Fortune 100 companies. In addition, he was an associate professor of computer science for eight years and continues to lecture at major technical colleges and universities, including the University of Virginia, Arizona State University and the University of Wisconsin.

Next Steps

How to achieve zero trust security in cloud

Security a growing concern with IoT

Cloud security, governance keep hackers away

How to avoid the most feared cloud security issues

Dig Deeper on Cloud security tools