Many organizations moving resources into the cloud require vulnerability assessments and penetration tests of critical assets to determine whether vulnerabilities are present and what risks they pose. In many cases, compliance requirements are also driving the need for pen tests. However, performing scans and
First, the type of cloud will dictate whether pen testing is even possible. For the most part, Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) clouds will permit pen testing. However, Software as a Service (SaaS) providers are not likely to allow customers to pen test their applications and infrastructure, with the exception of third parties performing the cloud providers’ own pen tests for compliance or security best practices. Assuming pen testing is permitted, the next step is to coordinate with the cloud service provider (CSP) in two ways. The first is via contractual language that states pen testing is allowed, what kind of testing, and how often. If no language exists explicitly in a customer contract or per the CSP’s published policies (on its website, for example), then testing will need to be negotiated, if possible.
Once the legal and contractual hurdles are overcome, the next step relates to coordination -- how do you coordinate with the CSP for scheduling and performing the test? Each CSP has different processes and requirements related to pen test scheduling. Some, like Amazon, make it somewhat simple by coordinating tests through an online form on their site. Others will require a phone call and explicit contact by the customer being tested. One other point warrants mention here: Pen testing the cloud may take slightly more time for coordination and project kickoff. Padding in an extra week on the front end is a good general practice when performing most tests on CSP environments.
The second aspect to consider when performing cloud pen tests is the type of tests you are allowed to perform per the CSP’s policies. As cloud resources are usually hosted on multitenant platforms, many attacks will cause an increase in resource consumption, including bandwidth and system memory. With a multitenant environment, this could negatively impact other customers’ resources, so most CSPs will explicitly forbid any DoS attacks or other exploits or scans that are known to impact local resource availability.
In many more advanced pen tests, testers will also exploit one system or application and then use that system as a staging point for additional attacks against other systems or applications, a technique commonly known as “pivoting.” With resources hosted within a CSP environment, pivoting is usually allowed. However, pivoting back out of the cloud to attack resources in other environments -- with the cloud environment as the new attack source -- is usually not permitted.
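The two restrictions above (no resource-exhausting tests such as DoS on a multitenant platform, and no pivoting from a compromised cloud host out to systems beyond the authorized cloud environment) are easy to write into a rules-of-engagement document and just as easy to violate by accident halfway through an engagement. The following is an added example, not code from the article or from any CSP, of a small pre-flight check a test lead can run over a planned test list before anything is launched. The authorized address ranges, the forbidden category names, and every entry in the sample plan are constructed for illustration; in practice they would be copied from the signed authorization and the CSP's published policy.

```python
"""Rules-of-engagement pre-flight check for a cloud pen test plan.

Added example (not from the article). It flags two kinds of policy
violation described in the text:
  1. test categories that consume shared bandwidth/memory (DoS and the like),
     which most CSPs forbid on multitenant platforms;
  2. pivots that start on an authorized cloud host and target an address
     outside the authorized cloud environment.
All ranges, category names and plan entries below are constructed.
"""
from dataclasses import dataclass
import ipaddress

# Constructed: the address ranges the CSP authorization covers (for example,
# the customer's own VPC plus its public addresses). Anything else is out of
# scope. 203.0.113.0/24 is a documentation range used here as a placeholder.
AUTHORIZED_RANGES = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed: categories a typical CSP policy forbids because they affect
# resource availability for other tenants.
FORBIDDEN_CATEGORIES = {"dos", "ddos", "resource-exhaustion", "flood"}


@dataclass(frozen=True)
class PlannedTest:
    source: str    # host the test is launched from
    target: str    # host under test
    category: str  # free-form label, e.g. "port-scan", "web-app", "sqli", "dos"


def in_scope(addr: str) -> bool:
    """True if the address falls inside one of the authorized ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in AUTHORIZED_RANGES)


def check_test(t: PlannedTest) -> list:
    """Return the list of rules-of-engagement violations for one planned test.

    An empty list means the test is allowed under the modelled policy.
    """
    problems = []
    if t.category.lower() in FORBIDDEN_CATEGORIES:
        problems.append(
            f"{t.category}: forbidden, impacts shared resources on a multitenant platform"
        )
    if not in_scope(t.target):
        if in_scope(t.source):
            # Source is an authorized cloud host, target is not: this is a pivot
            # back out of the cloud, which the CSP does not permit.
            problems.append(
                f"pivot from cloud host {t.source} to out-of-scope target {t.target} not permitted"
            )
        else:
            problems.append(f"target {t.target} is outside the authorized ranges")
    return problems


def check_plan(plan) -> list:
    """Return (test, violations) pairs for every test that violates the policy."""
    return [(t, check_test(t)) for t in plan if check_test(t)]


# Constructed sample plan: a tester workstation (198.51.100.5, a documentation
# address standing in for the testing firm's egress IP) and two cloud hosts.
SAMPLE_PLAN = [
    PlannedTest("198.51.100.5", "10.20.1.10", "port-scan"),   # allowed
    PlannedTest("198.51.100.5", "10.20.1.10", "web-app"),     # allowed
    PlannedTest("10.20.1.10", "10.20.2.20", "sqli"),          # pivot inside the cloud: allowed
    PlannedTest("198.51.100.5", "10.20.1.10", "dos"),         # forbidden category
    PlannedTest("10.20.1.10", "192.0.2.44", "port-scan"),     # pivot out of the cloud
]

if __name__ == "__main__":
    for test, violations in check_plan(SAMPLE_PLAN):
        print(f"BLOCKED {test.category:10s} {test.source} -> {test.target}")
        for v in violations:
            print(f"    {v}")
```

The check is deliberately conservative: it treats any out-of-scope target reached from an in-scope source as a pivot, so a test lead sees the problem before the engagement rather than in a post-incident call with the CSP. Extending it to the PaaS case in the article (a separately hosted persistence tier) is a matter of keeping one authorized range list per provider and recording which provider each planned target belongs to.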
One last consideration in cloud testing is specific to PaaS environments. In a PaaS cloud, the presentation tier of applications (Web servers and application front ends) is often hosted separately from the persistent tier (databases and storage components). In fact, these may not be housed with the same CSP at all! This means application tests for PaaS clouds may require additional coordination, and some tests may be severely restricted. For example, Web server and application logic attacks might be allowed, but not SQL injection.
In addition, the tools available for cloud-focused pen testing are evolving. Core Security Technologies, a well-known provider of professional pen testing products, recently released Core CloudInspect, a cloud-based pen testing platform that natively integrates with Amazon’s EC2 cloud environment, simplifying scheduling and coordination enormously. As Amazon has endorsed CloudInspect as a convenient and effective way to schedule and perform pen tests against Amazon-hosted cloud resources, many Amazon customers may adopt CloudInspect for convenience, if nothing else.
Pen testing the cloud takes more coordination, and may have new considerations and restrictions that traditional pen testers are unaccustomed to. Testers should work to understand the best way to coordinate with the CSPs, what their requirements and policies are, and the cloud architecture in place in order to ensure scans and tests are effective and produce the best results possible.
About the author:
Dave Shackleford is a founder and principal consultant with Voodoo Security and also a certified SANS instructor.
This was first published in June 2011