Cloud-based application security testing – Challenges
In the last article, we discussed the objectives and key facts of cloud-based application security testing. Beyond the general information security challenges that cloud services face on a daily basis, this article discusses the specific challenges that act as major obstacles to the mass adoption of cloud-based security testing.
Figure 1: Challenges
Challenge 1: Distributed Computing Risks
The cloud is often interpreted as an unlimited resource pool for utilizing and sharing data. The general perception is that once an application is deployed in the cloud, an organization benefits from distributed computing capabilities. What is often missed is that with distributed computing, the organization also inherits the associated security risks. With many service providers offering multi-tenant services in which clients, i.e., the cloud users, have no visibility into internal operations, the likelihood of these risks increases significantly. Such risks include –
- On the cloud, a single storage pool is shared by multiple clients, so one client’s data may be stored alongside another client’s. If the cloud service provider fails to maintain logical isolation between tenants’ data, or misconfigures that isolation, confidential information is exposed and leaks.
- The decision-making process of organizations often leans in favor of cost over security considerations. It is also possible that the security controls implemented by a cloud service provider have not been carefully deliberated upon. An attacker may try to reach a client’s data by circumventing those security policies. Encryption must be a mandatory requirement, but it is not a bulletproof solution on its own. To prevent unauthorized access, data must be protected both in transit and at rest.
- If the cloud service provider has not built a highly available cloud architecture, clients are bound to experience loss of service from attacks such as DoS or DDoS. Back in 2011, Amazon’s EC2 cloud service went down, taking Reddit, Foursquare, TheNextWeb, Quora, and many more down with it.
- Consider an attacker who has signed up with the same cloud service provider as you. The attacker uploads malware to their own cloud instance; if the cloud service has not been hardened against either vertical or horizontal propagation of that malware, the results will be catastrophic.
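The first risk above, a shared store where logical isolation between tenants is missing or misconfigured, is easiest to see in code. The following is an added example, not code from the original article: it builds a small constructed in-memory store holding two tenants' records side by side, shows a lookup that keys on the record id alone (the isolation failure), a hardened lookup that requires the caller's tenant to own the record, and a configuration audit that flags records with no owning tenant. The store contents, tenant names and function names are all assumptions made for the demonstration.

```python
"""Added example (not from the original article): tenant-scoped access to a
shared multi-tenant store, contrasting a lookup with no logical isolation
against one that enforces it. All records and tenant ids are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: str
    tenant_id: str   # owning tenant; empty string models a misconfigured record
    body: str


class IsolationError(Exception):
    """Raised when a caller tries to read a record it does not own."""


# Constructed shared store: two tenants' data live in one pool, as they do
# on a multi-tenant cloud service.
STORE = {
    "r-1001": Record("r-1001", "tenant-a", "tenant A invoice data"),
    "r-1002": Record("r-1002", "tenant-b", "tenant B payroll export"),
}


def lookup_unscoped(record_id: str) -> str:
    """Isolation missing: any authenticated caller can read any record id,
    so tenant A can fetch tenant B's data simply by naming its id."""
    return STORE[record_id].body


def lookup_scoped(caller_tenant: str, record_id: str) -> str:
    """Hardened lookup: the record must belong to the calling tenant.
    'Not found' and 'not yours' raise the same error so that record ids
    cannot be probed for existence across tenants."""
    rec = STORE.get(record_id)
    if rec is None or rec.tenant_id != caller_tenant:
        raise IsolationError("record not available to this tenant")
    return rec.body


def audit_store(store: dict) -> list:
    """Configuration check: return ids of records with no owning tenant.
    Such records are the misconfiguration that silently breaks logical
    isolation, because no tenant check can ever match them correctly."""
    return sorted(rid for rid, rec in store.items() if not rec.tenant_id)


if __name__ == "__main__":
    # Unscoped read leaks another tenant's data.
    print("unscoped:", lookup_unscoped("r-1002"))
    # Scoped read succeeds for the owner and fails for anyone else.
    print("scoped (owner):", lookup_scoped("tenant-b", "r-1002"))
    try:
        lookup_scoped("tenant-a", "r-1002")
    except IsolationError as err:
        print("scoped (other tenant):", err)
    # Audit finds nothing wrong with the well-formed store.
    print("unowned records:", audit_store(STORE))
```

In a real service the tenant id would come from the authenticated session, never from the request body, and the same ownership check belongs in every data path (search, export, backup restore), not only in point lookups.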
Challenge 2: On-demand Services
Cloud services are expected to be easily reachable and capable of integration with other components while maintaining the confidentiality of data. At the same time, they are expected to be available promptly. When choosing a cloud service provider, an organization should ensure that the provider supports integration with other tools and complies with the relevant information security standards and frameworks. This makes the compliance process easier for the client, which can then run the required tests accordingly.
Challenge 3: Lack of Standards
There are many internationally recognized standards and frameworks, such as ISO 27001:2013, PCI DSS, NIST’s frameworks, the OWASP Top 10, and many more. When it comes to security in a cloud environment, however, we do not yet have a global framework that brings the services of a provider and the requirements of the client together on a single platform.
How can we minimize the impact and cost?
By applying the evergreen CIA triad of confidentiality, integrity, and availability, we can start with the basic components of cloud-based application security testing. Moving forward, it must be kept in mind that security must be offered cost-effectively: if security comes at a cost, an organization’s motive for moving to the cloud environment is negated. Backup plans must be put in place along with a disaster recovery site, and security at the network level as well as at the data level must be included.
Strong technical controls should be backed by clearly defined policies and procedures so that they can be implemented hassle-free. Security-related best practices can be derived from existing standards and frameworks and, at the same time, adapted to meet the needs of the cloud computing environment.