Security Testing for entities hosted in cloud
Applications that are being migrated to the cloud, or are planned to be hosted there, need additional security considerations. Failure to ensure proper security protection when using cloud services may result in higher costs and loss to the business. Organizations must consider security controls for each service model they consume, viz. Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), since the split of responsibility between provider and customer differs in each.
Which applications should be moved to cloud?
· Low to medium risk applications.
What are the key security risks while hosting in cloud?
· Isolation Failure – Multi-tenancy is fundamental to cloud. Failure of the controls that separate storage, memory, identity and access control, and routing between tenants is a major risk.
· Authentication and Authorization
· Compliance and Legal risks
· Loss of Governance
· Management Interfaces for applications
· Service unavailability
· Insecure or incomplete data deletion
· Visibility and audit
Keeping the above in mind: the traditional approaches to security testing of applications and infrastructure still apply to entities hosted in the cloud, but the following additional measures must also be taken into consideration:
Ø Understand how the hosted entity (application / infrastructure) is isolated from other tenants in the cloud.
Ø Ensure governance and compliance processes are in place with the provider, and that the provider is willing to share the details and allow clients to perform audits.
Ø Confirm the existence of documented business and operational processes.
Ø Ensure the identity and access management (IDAM) solution laid out by the provider caters for each tenant separately.
Ø Ensure network connections are secure.
Ø Evaluate the security controls on physical infrastructure and facilities.
Ø Understand the security requirements of the exit process (including how data is returned and deleted when the service ends).
The above measures must be kept in mind while planning security assessments of applications in the cloud.
What do we need to plan differently while considering security assessment on the hosted entities?
Ø In order to conduct vulnerability assessments and penetration tests – what options are available with the provider?
o Hosting a penetration testing virtual machine in the same zone where the application servers are hosted.*
o Acquiring written permission from the provider to scan in their cloud.
o Acquiring a certificate of penetration testing / VA conducted by the provider on the hosted entities.
o Conducting testing from another cloud where the security assessment systems are hosted.* (either our own, or scanning services offered from the cloud, e.g. Nessus on AWS, Qualys Cloud, Kali on AWS, Parrot Cloud etc.)
Ø Performing a paper assessment against all the controls promised by the provider.
Ø Traffic screening
Ø Denial of service protection
Ø Existence of IDS and IPS
Ø Logging and notifications
Ø Audit of hypervisor-based filters, firewall filtering rules and VPN connections.
The above comprises the approach towards conducting a security assessment of entities hosted in the cloud.
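The audit of firewall filtering rules and VPN connections in the list above is the one item that lends itself to a repeatable check rather than a paper exercise. The script below is an added example, not code from the original post: it walks a list of ingress rules and flags any rule that opens all traffic to the world, or that exposes a management / database port (SSH, RDP, WinRM, SQL, Redis, MongoDB) to anything other than the trusted VPN ranges. The rule format (a list of dicts with id, direction, protocol, from_port, to_port, source), the MANAGEMENT_PORTS set, the TRUSTED_SOURCES ranges and the SAMPLE_RULES are all assumptions constructed for illustration; map the provider's real export (e.g. a security-group JSON dump) into that shape before using it.

```python
"""Audit cloud firewall / security-group ingress rules for over-exposure.

Added example, not code from the original post. The rule format is an
assumption (a list of dicts with the fields most cloud firewalls expose:
id, direction, protocol, from_port, to_port, source); map the provider's
real export into this shape before running it.
"""
import ipaddress
from dataclasses import dataclass

# Management / database ports that should only be reachable over the VPN
# (assumed list; extend it for the platform being assessed).
MANAGEMENT_PORTS = {22, 3389, 5985, 5986, 1433, 3306, 5432, 6379, 27017}

# Assumed corporate VPN egress ranges (hypothetical, for illustration).
TRUSTED_SOURCES = (
    ipaddress.ip_network("10.50.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),
)

# Constructed sample rules, shaped like a provider's security-group export.
SAMPLE_RULES = [
    {"id": "r1", "direction": "ingress", "protocol": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"id": "r2", "direction": "ingress", "protocol": "tcp", "from_port": 22, "to_port": 22, "source": "0.0.0.0/0"},
    {"id": "r3", "direction": "ingress", "protocol": "tcp", "from_port": 22, "to_port": 22, "source": "10.50.1.0/24"},
    {"id": "r4", "direction": "ingress", "protocol": "tcp", "from_port": 3306, "to_port": 3306, "source": "198.51.100.0/24"},
    {"id": "r5", "direction": "ingress", "protocol": "-1", "from_port": None, "to_port": None, "source": "0.0.0.0/0"},
    {"id": "r6", "direction": "egress", "protocol": "-1", "from_port": None, "to_port": None, "source": "0.0.0.0/0"},
    {"id": "r7", "direction": "ingress", "protocol": "tcp", "from_port": 3389, "to_port": 3389, "source": "::/0"},
]


@dataclass
class Finding:
    rule_id: str
    severity: str
    reason: str


def port_range(rule):
    """Return (low, high); a missing from_port means the rule covers every port."""
    if rule.get("from_port") is None:
        return 0, 65535
    to_port = rule.get("to_port")
    return rule["from_port"], rule["from_port"] if to_port is None else to_port


def allows_all_traffic(rule):
    """True when the rule restricts neither protocol nor port."""
    return rule.get("protocol", "-1") in ("-1", "all") or port_range(rule) == (0, 65535)


def is_trusted(source, trusted):
    """True when the source CIDR lies entirely inside one of the trusted ranges."""
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)


def audit_rules(rules, trusted=TRUSTED_SOURCES):
    """Flag ingress rules that expose all traffic, or management ports, too widely."""
    findings = []
    for rule in rules:
        if rule.get("direction", "ingress") != "ingress":
            continue  # egress rules are out of scope for this check
        src = rule["source"]
        # 0.0.0.0/0 and ::/0 both have prefix length 0: open to the world.
        world_open = ipaddress.ip_network(src, strict=False).prefixlen == 0
        low, high = port_range(rule)
        exposed = sorted(p for p in MANAGEMENT_PORTS if low <= p <= high)
        if world_open and allows_all_traffic(rule):
            findings.append(Finding(rule["id"], "high", f"all protocols/ports open to {src}"))
        elif world_open and exposed:
            findings.append(Finding(rule["id"], "high", f"management port(s) {exposed} open to {src}"))
        elif exposed and not is_trusted(src, trusted):
            findings.append(Finding(rule["id"], "medium", f"management port(s) {exposed} reachable from untrusted {src}"))
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f.rule_id}: [{f.severity}] {f.reason}")
```

On the sample rules this reports r2, r4, r5 and r7 and stays silent on r1 (a public HTTPS listener is expected) and r3 (SSH restricted to the VPN range). The same loop doubles as a VPN check: any management port whose source is not a subnet of the VPN ranges is, by definition, reachable without the VPN.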
*As far as tools are concerned, all standard tools will work; where and how to host them will differ.
It is also not unusual to see resistance from the cloud service provider to allowing in-depth security assessments. That is where the security testing team needs to ensure that the provider actually walks the talk, viz. assess all the security controls individually, either by testing them or by a paper-based assessment, to verify that each one is really in place.