A Bloomberg Intelligence report forecasts cybersecurity spend to exceed $200 billion a year by 2024, driven by “faster-than-expected adoption of cloud-based security.” Further, Gartner says that the proportion of IT spend moving to the cloud will increase in the aftermath of the pandemic. Not to mention spending on cloud infrastructure such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud, and others reached $39.9 billion in the fourth quarter of 2020 – up $10 billion from 2019.  

Simply put, cloud is top of mind for all security professionals today as it is a natural way to increase capacity or deploy projects in this new realm. The increased emphasis on cloud can be attributed to the pandemic-driven demand to support remote working and learning, ecommerce, content streaming, online gaming, and collaboration, according to Canalys.

As cloud adoption accelerates (and shows no signs of slowing), there is no better time to take a deeper look at common cloud security challenges and learn how to modernize your cloud penetration testing efforts to mature your cloud security program effectively and efficiently.

5 common cloud security challenges and risks

  1. Managing cloud workloads deployed outside traditional security governance processes. Access to entire technology stacks is available to anyone with only a credit card swipe. This access to technology outside of your security governance processes, or Shadow IT, depends solely on that business unit's awareness of the security needs of those projects. If you can identify workloads that were deployed outside of your IT environment, you can test the disparate environment to gain some level of assurance that it was deployed securely while supporting a business unit with unique needs that may not be available from the traditional IT programs. 
  2. Resource asymmetry between attackers and defenders. Attackers are limited only by their persistence when attacking your cloud environment. On the other hand, security teams are constrained by budget limitations, resource constraints, and a myriad of other challenges. Cloud configuration assessments informing a penetration test give you the ability to identify the issues an attacker could identify, but in an efficient way that maximizes your investments.
  3. A simple error can have a catastrophic impact. Traditional IT infrastructures are notoriously slow to adapt to innovation but have the benefit of several layers of defense. Infrastructure-as-Code delivers entire data center capabilities in a Python script, but one minor error in the deployment can provide direct, internet-facing access to your environments. 
  4. The cloud is evolving, and attackers are identifying novel attacks faster than the security industry is able to protect the attack surface. Cloud environments can be very complex, and providers like AWS, Azure, and Google Cloud release new capabilities so often that it’s difficult for security to keep up. For example, in April 2021, AWS posted nearly 200 announcements about new capabilities, services, features, and region expansions. 200 announcements in a single month. There are not enough people with tenured, seasoned experience in deploying cloud workloads to do it securely. It’s no surprise that cloud security topped ISC2’s list of most important skills needed to pursue a cybersecurity career.
  5. Lack of awareness that cloud security follows the shared responsibility model. It is right to trust cloud providers to secure aspects of your workloads; however, your security team also retains significant responsibility for security as you migrate to the cloud. This concept is the shared responsibility model, and it varies by provider and service type. Defining your and your providers’ responsibilities is imperative for reducing the number, and the criticality, of vulnerabilities introduced into your cloud environments. You can review the shared responsibility models for Microsoft, Amazon, and Google Cloud online. 
[Figure: AWS shared responsibility model. The customer is responsible for security 'in' the cloud; AWS is responsible for security 'of' the cloud.]

How to modernize your cloud penetration testing efforts with configuration review

It can be difficult to understand the difference between testing an application that is hosted in a cloud environment and testing the environment in which an application is hosted. Both are vital.

While network penetration testing and application penetration testing focus on identifying vulnerabilities on a particular series of assets within an environment, cloud penetration testing requires a different approach. Because the cloud is an environment itself, it is important to also look at the infrastructure supporting the environment, not solely the applications and assets deployed as a part of the workload. Not only are you testing workloads; you need to also identify issues inherited from parent subscriptions such as elevated IAM privileges or privileged access to sensitive systems and/or data.

Most organizations are testing cloud environments the same way they’ve been testing for years, resulting in a massive gap in attack surface visibility. If an organization truly wants comprehensive testing, a focus on cloud configuration should be a large component of your cloud penetration testing strategy.


A configuration review is used to inform a penetration test. If you were to approach cloud penetration testing the way you approach traditional application or network penetration testing, you would be blind to the configuration of the platform. 

An analogy that works well to explain configuration review is a doctor’s visit. If you want a doctor to identify what is wrong with you in an hour-long visit, you’d have to inform them of your symptoms, medical history, recent activity, etc. Without the background information on your health, it would require excessive time and resources to run blood tests, x-rays, etc. to get the information needed to identify what the potential issue is. A configuration review is similar in that it gives pentesters the ability to identify root issues in an efficient way, the same way a malicious attacker would over the course of months – or years. It allows pentesters to act as closely to an attacker as they can within the parameters of your security budget.

Configuration reviews also allow testing teams to provide context to penetration test findings. Say you misconfigured a storage bucket. With a greater understanding of the configuration issues, you gain insight into the root cause of critical vulnerabilities caused by the misconfiguration. For example, “we found an issue with this storage bucket which allowed us to exploit _____ during the penetration test.”
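The kind of check a configuration review feeds into a cloud pentest, as an added example that is not NetSPI's tooling: it walks a constructed resource inventory (the resource types, ids and attribute names are assumptions, not any provider's API) and reports the root-cause misconfigurations the text describes, such as a publicly readable storage bucket, a port opened to the whole internet, and wildcard IAM actions inherited by a workload.

```python
# Added example: a minimal configuration review over a constructed inventory.
# In practice the inventory would come from provider APIs or IaC state files;
# here it is hard-coded so the review runs offline.
import ipaddress

INVENTORY = [  # constructed sample data, not real resources
    {"type": "bucket", "id": "logs-archive", "public_read": True},
    {"type": "bucket", "id": "app-assets", "public_read": False},
    {"type": "security_group", "id": "sg-web",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443}, {"cidr": "0.0.0.0/0", "port": 22}]},
    {"type": "security_group", "id": "sg-db",
     "ingress": [{"cidr": "10.0.0.0/8", "port": 5432}]},
    {"type": "iam_policy", "id": "deploy-role", "actions": ["s3:*", "iam:*"]},
]

# Ports where internet exposure is expected; anything else open to the world is a finding.
PUBLIC_OK_PORTS = {80, 443}


def is_world_open(cidr):
    """True when the CIDR admits the whole internet (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def review(inventory):
    """Return findings as (severity, resource id, description) tuples."""
    findings = []
    for r in inventory:
        if r["type"] == "bucket" and r.get("public_read"):
            findings.append(("high", r["id"], "storage bucket allows public read"))
        elif r["type"] == "security_group":
            for rule in r["ingress"]:
                if is_world_open(rule["cidr"]) and rule["port"] not in PUBLIC_OK_PORTS:
                    findings.append(("high", r["id"],
                                     f"port {rule['port']} reachable from the internet"))
        elif r["type"] == "iam_policy":
            # Wildcard actions are the "inherited privilege" problem: a single role
            # grants far more than the workload needs.
            wild = [a for a in r["actions"] if a == "*" or a.endswith(":*")]
            if wild:
                findings.append(("medium", r["id"],
                                 "wildcard IAM actions: " + ", ".join(wild)))
    return findings


if __name__ == "__main__":
    for sev, rid, desc in review(INVENTORY):
        print(f"[{sev}] {rid}: {desc}")
```

Each finding names the misconfigured resource, which is the context a tester needs to tie a later exploitation result back to its root cause.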

Another emerging concept within modern cloud penetration testing is continuous testing and monitoring. Cloud environments are ephemeral (they have short lifecycles), so we often hear the question: how helpful is the information from a cloud penetration test if the environment keeps changing? If you are reviewing the configuration of your cloud platform to support penetration testing efforts, you’ve set the foundation for cloud security success. To address the ephemeral nature of the cloud, more frequent tests and continuous monitoring of the attack surface are key tactics for staying on top of newly introduced vulnerabilities. 

Final thoughts

There is no better time than now to rally your security testing and cloud teams together to talk about what cloud testing means for your organization. When configuration review is included, cloud penetration testing allows you not only to test for vulnerabilities, but also to develop an inventory of your cloud workloads, understand what data is in those workloads, and develop your testing plan for cloud-based applications.