bptu - Fotolia

Traditional vs. cloud pen testing: What's the difference?

Penetration testing in the cloud differs from on-premises testing. Expert Dan Sullivan discusses cloud pen testing and whether cloud providers or in-house security teams are best suited for the job.

What are the differences between traditional penetration testing and cloud pen testing? Do most major cloud service...

providers offer pen testing, and if so, is it a responsibility that should be left to the cloud provider or managed by our security team?

The cloud requires shared responsibility for security; this includes Penetration testing. Cloud vendors that achieve compliance with security regulations will likely have robust security testing in place. For example, Amazon Web Services (AWS) has achieved ISO 27001 certification and Payment Card Industry Data Security Standard (PCI DSS Level 1) as well as federal government certifications. Both ISO 27001 and PCI DSS include penetration testing requirements.

Cloud providers will perform some level of penetration testing, but unless you have details of exactly what systems were tested and which tools were used to perform the test, you cannot know for sure that vulnerabilities in your application stack have been detected. And, of course, you will be responsible for penetration testing your enterprise's custom applications. For example, one of your user interface applications with a connection to a relational database may be vulnerable to a SQL injection attack; it is prudent to assume a cloud vendor would not detect that.

Also be sure to consider whether you are using a service supported by the cloud vendor or running your own instance of an application stack component. For example, if you use MySQL under Amazon's Relational Database Service, the vendor is responsible for configuring and patching the database. If you are administering your own MySQL database, assume that you are responsible for proper configuration, patching and monitoring.

Cloud vendors do allow penetration testing, but you must often get permission first and coordinate tests with the vendor. A cloud pen test may look like an attack on your servers, so vendors need to know when you will be testing. If you plan to perform cloud pen testing on Microsoft Azure, check the requirements here. Details about penetration testing on AWS are here. Google does not seem to require prior notification, but it has a rewards program for those who find vulnerabilities in its systems; information is here. If you are using Google App Engine, you can use the new Google Cloud Security Scanner for your testing.

Ask the Expert:
Want to ask Dan Sullivan a question about cloud security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Don't miss SearchITChannel's guide to effective pen tests

Find out how to conduct proper vulnerability scanning in AWS

Dig Deeper on Cloud Network Security Trends and Tactics