Pentesting in Cloud and Hybrid Environments

Today, companies are no longer just migrating to the cloud – the cloud has become an integral part of everyday business. Public cloud, hybrid, and multi-cloud environments each embody their own unique set of advantages and challenges, and deciding between them has a profound impact on an organization’s scalability, agility, and security. In this era of cloud-driven innovation, understanding the distinctions between these cloud platforms and services will help you align your business needs and priorities.

Public Cloud, Hybrid, and Multi-Cloud Environments – What’s the Difference?

A public cloud is hosted entirely by a third-party cloud service provider (CSP) such as AWS or Microsoft Azure, offering scalability and cost-efficiency. In contrast, a hybrid cloud combines on-premises infrastructure with public or private cloud resources, providing flexibility and control but requiring careful integration. Multi-cloud, on the other hand, involves using multiple cloud providers for various services or applications, reducing vendor lock-in but necessitating more complex management. Each environment has distinct advantages and trade-offs, making it crucial for businesses to evaluate their specific needs and goals when choosing the most suitable cloud strategy.

Benefits and Risks of Operating in a Cloud Environment

The benefits of operating in a cloud environment are seemingly endless for modern organizations. They enable global accessibility, continuity, centralized data storage, lower operational costs, and more. While the benefits are vast, there are still many cybersecurity risks that security leaders must be aware of when operating in a cloud environment, including misconfigurations, access-control vulnerabilities, and other issues.

Many enterprises have fallen victim to cloud security breaches in recent years, including Facebook and Toyota. Both breaches resulted from the exploitation of cloud misconfigurations that could have, in hindsight, been discovered and patched proactively.

Although it’s easy to point fingers in the event of a breach, cloud security is a shared responsibility between an organization and the cloud service provider (CSP). In general, the CSP is responsible for the security of the underlying infrastructure, physical security, network, and foundational cloud services. The customer is responsible for the security of their data, applications, configurations, and user access stored within the cloud environment. Understanding where your organization’s data and security responsibility starts and ends versus the cloud provider’s is an important step to ensure overall cyber resiliency. Despite this, the benefits seem to outweigh the risks and the rapid adoption and migration to cloud and hybrid technologies shows no sign of slowing down. Therefore, it is critical that organizations proactively implement continuous testing of the effectiveness of their cloud security controls and configurations.

In this blog post, we will explore the importance of securing cloud infrastructure and how tools like penetration testing and ongoing security control validation for cloud environments can provide organizations with better visibility and control over their security ecosystem.

Why is Cloud Security Important?

According to IBM, the global average cost of a data breach in 2023 was $4.45 million, and 45% of breaches occurred in the cloud. To fully understand the importance of cloud security and the significant role that tools like penetration testing can play in the bigger picture, we must first understand the implications of poor cloud security. With that said, there are many precautions that security leaders can take to minimize the risk of a cloud data breach. Take the Capital One breach that took place in 2019, for example. As one of the largest banks in the United States, Capital One suffered a massive data breach that compromised the personal information of over 100 million customers. How did it happen? A misconfigured application firewall on an AWS server was exploited by an attacker to gain unauthorized access to Capital One customers’ data.

Prioritizing cloud security is a cornerstone of maintaining operational efficiency, reputability, and innovation.

What is Cloud Penetration Testing?

Cloud penetration testing is an offensive security exercise conducted to identify and evaluate vulnerabilities, weaknesses, and security risks within a cloud environment. Pentesting is conducted differently within different environments depending on the CSP and the services utilized by an organization.

These pentesting exercises are carried out by highly skilled ethical hackers who tactfully simulate a controlled cyber-attack to identify exposed assets in the cloud and associated vulnerabilities that could lead to a potential exploit or stolen data. Vulnerabilities are then prioritized by risk and assessed by a security team for remediation. Not only will a cloud pentest indicate where an attacker could gain unauthorized access, but also the potential attack path. Cloud penetration testing plays an integral role in ensuring the security of data, applications, and resources hosted in the cloud. Here are the key components of cloud penetration testing.

Guidelines for Pentesting in AWS, Microsoft Azure, and Google Cloud Platform

CSPs like AWS, Microsoft Azure, and Google Cloud Platform (GCP) have specific rules and guidelines regarding penetration testing on their platforms. These rules ensure the security and stability of their cloud environments while allowing customers to assess the security of their own applications and services hosted within.

AWS Penetration Testing

AWS provides a well-defined penetration testing policy that outlines how its customers are permitted to perform pentests on their AWS-hosted applications and infrastructure, subject to specific conditions.

Customers must notify AWS of their intent to conduct penetration tests by submitting a request through the AWS Support Center. Penetration tests must only be conducted on the customer’s resources – not on AWS-owned infrastructure or third-party applications hosted on AWS. AWS prohibits certain activities, including but not limited to DNS hijacking via Route 53, request flooding, and protocol flooding.

Microsoft Azure Penetration Testing

Microsoft Azure also has its own policy outlining the rules and guidelines for pentesting on Microsoft Azure-hosted assets. Similar to the guidelines of AWS, Microsoft Azure affirms that penetration tests should strictly focus on the customer’s assets and should not target Microsoft-owned assets or services. Microsoft’s guidelines also include a list of prohibited activities, which includes phishing against Microsoft employees, denial of service (DoS) testing, and deliberately accessing another customer’s data. Unlike AWS customers, Microsoft Azure customers don’t need to notify Microsoft or submit a request prior to conducting a penetration test.

Google Cloud Platform (GCP) Penetration Testing

Google Cloud allows customers to conduct security testing on their GCP-hosted resources while adhering to specific rules listed in Google’s Vulnerability Testing Guidelines. GCP customers do not need to notify Google of their intent to conduct a Google cloud penetration test. GCP, like both AWS and Microsoft Azure, only permits customers to conduct penetration testing on customer-owned resources.

It is important to note that CSPs may update their policies, so it’s critical to seek the latest information from your CSP directly before planning a penetration test.

Identifying, Assessing, and Validating Vulnerabilities in Cloud and Hybrid Environments

Vulnerabilities can be identified in cloud environments using both automated and manual penetration testing techniques. Given the expansiveness of modern cloud environments, automated tools can scan large networks and applications quickly, making them well suited to organizations with extensive IT infrastructure while reducing human error. However, automated tools often lack the ability to understand the broader context of an organization’s security landscape, which is why human pentesters can identify vulnerabilities that automated tools might miss. Together, they can provide more comprehensive penetration testing results across the attack surface than human-delivered pentesting alone.

While automated scanners can be used to identify known vulnerabilities, they often return a relatively large number of false positives for security teams to sort through and prioritize. This can impact the efficiency and time needed to prioritize the most critical vulnerabilities. When an organization leverages both manual and automated techniques, accuracy improves, false positives are reduced or eliminated quickly, and remediation is accelerated.

What Vulnerabilities Are Identified During a Cloud Penetration Test?

As cloud environments increase in complexity and the reliance on cloud services continues to grow, risks are evolving simultaneously. Not only are risks evolving, but cloud compliance and security requirements also make cloud security challenging. According to recent research conducted by BreachLock, the top 10 most common cloud misconfigurations identified during penetration testing in alignment with OWASP are:

  1. Multi-factor authentication (MFA) not enabled for the root account
  2. MFA not enabled for all users
  3. Database instances have public access
  4. Privileged accounts not monitored
  5. Misconfigured IAM policies
  6. Weak access control
  7. Misconfigured password policies
  8. Lack of network access control lists
  9. Sensitive data not encrypted
  10. Data storage doesn’t have versioning enabled

When you consider that most of the common cloud vulnerabilities are access control-related issues, there are some simple, yet impactful steps that security professionals can take to reduce the likelihood of a breach. For example, enforcing strong Identity and Access Management (IAM) policies and assigning privileges on a need-to-know basis is key to staying secure from access control-related vulnerabilities. More specifically, ensuring that Multi-factor Authentication (MFA) is enabled for all users, especially super admins, is a highly effective way to ensure that only authorized individuals have access to designated accounts and least privilege is implemented.
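As an added example (not BreachLock’s code and not any CSP’s API), the following Python audit walks a constructed account inventory and flags the items from the list above, including the access-control points in the previous paragraph (root and user MFA, unmonitored privileged accounts, over-broad IAM policies). The inventory layout, the resource names, and the password-policy thresholds are assumptions made for the illustration; a real deployment would populate the same structure from the provider’s inventory APIs.

```python
"""Audit a constructed cloud account inventory against the ten common
misconfigurations listed in the post.  Added example: the inventory shape,
the names and the thresholds are assumptions for illustration only."""
from typing import Any, Dict, List

# Constructed sample inventory (hypothetical data, not any real account).
SAMPLE_INVENTORY: Dict[str, Any] = {
    "root": {"mfa_enabled": False},
    "users": [
        {"name": "alice", "mfa_enabled": True, "privileged": True, "monitored": True},
        {"name": "bob", "mfa_enabled": False, "privileged": False, "monitored": False},
        {"name": "svc-deploy", "mfa_enabled": False, "privileged": True, "monitored": False},
    ],
    "databases": [
        {"name": "orders-db", "publicly_accessible": True, "encrypted": True},
        {"name": "hr-db", "publicly_accessible": False, "encrypted": False},
    ],
    "iam_policies": [
        {"name": "AdminEverything",
         "document": {"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
        {"name": "ReadOrders",
         "document": {"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": ["s3:GetObject"],
              "Resource": "arn:aws:s3:::orders/*"}]}},
    ],
    "password_policy": {"min_length": 8, "require_symbols": False, "max_age_days": 0},
    "subnets": [
        {"name": "app-subnet", "nacl_attached": True},
        {"name": "data-subnet", "nacl_attached": False},
    ],
    "buckets": [{"name": "backups", "versioning_enabled": False, "encrypted": False}],
}

# Assumed thresholds for item 7; the post names no specific values.
MIN_PASSWORD_LENGTH = 14
MAX_PASSWORD_AGE_DAYS = 90


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_is_overbroad(document: Dict[str, Any]) -> bool:
    """True if any Allow statement grants a wildcard action on every resource."""
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wild_action and "*" in resources:
            return True
    return False


def audit(inv: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per violated item, numbered as in the post's list.
    Item 6 (weak access control) is a broad category; here it is covered by
    the MFA, monitoring and IAM checks (items 1, 2, 4 and 5)."""
    findings: List[Dict[str, Any]] = []

    def add(num: int, title: str, resource: str) -> None:
        findings.append({"id": num, "title": title, "resource": resource})

    if not inv["root"].get("mfa_enabled"):
        add(1, "MFA not enabled for the root account", "root")
    for u in inv["users"]:
        if not u.get("mfa_enabled"):
            add(2, "MFA not enabled for user", u["name"])
        if u.get("privileged") and not u.get("monitored"):
            add(4, "Privileged account not monitored", u["name"])
    for db in inv["databases"]:
        if db.get("publicly_accessible"):
            add(3, "Database instance has public access", db["name"])
        if not db.get("encrypted"):
            add(9, "Sensitive data not encrypted", db["name"])
    for p in inv["iam_policies"]:
        if policy_is_overbroad(p["document"]):
            add(5, "Misconfigured IAM policy (wildcard action on all resources)", p["name"])
    pw = inv["password_policy"]
    if (pw.get("min_length", 0) < MIN_PASSWORD_LENGTH or not pw.get("require_symbols")
            or not 0 < pw.get("max_age_days", 0) <= MAX_PASSWORD_AGE_DAYS):
        add(7, "Misconfigured password policy", "account")
    for s in inv["subnets"]:
        if not s.get("nacl_attached"):
            add(8, "Subnet has no network access control list", s["name"])
    for b in inv["buckets"]:
        if not b.get("versioning_enabled"):
            add(10, "Storage versioning not enabled", b["name"])
        if not b.get("encrypted"):
            add(9, "Sensitive data not encrypted", b["name"])
    # Stable sort keeps resources in inventory order within each item number.
    return sorted(findings, key=lambda x: x["id"])


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(f"[{finding['id']:>2}] {finding['title']}: {finding['resource']}")
```

Run as a script, the sample inventory produces eleven findings, grouped by the list number so a security team can prioritise the access-control items first. The wildcard test in `policy_is_overbroad` is deliberately conservative: it only flags a statement that combines a wildcard action with `Resource: "*"`, which is the pattern that most directly contradicts the need-to-know principle described above.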

The OWASP Cloud-Native Security Top 10

While OWASP has not officially published a list of the OWASP Top 10 for Cloud-Native Security, its leaders recognize the importance of educating the community on cloud vulnerabilities. Since cloud-native applications are still relatively new in the grand scheme of things, cloud security has only recently gained attention from OWASP. To aid and educate organizations looking to adopt cloud-native applications securely, OWASP has published an interim list of the OWASP Top 10 for Cloud-Native Security, which is currently under review. The top 10 vulnerabilities are as follows:

  • CNAS-1: Insecure cloud, container or orchestration configuration
  • CNAS-2: Injection flaws (app layer, cloud events, cloud services)
  • CNAS-3: Improper authentication & authorization
  • CNAS-4: CI/CD pipeline & software supply chain flaws
  • CNAS-5: Insecure secrets storage
  • CNAS-6: Over-permissive or insecure network policies
  • CNAS-7: Using components with known vulnerabilities
  • CNAS-8: Improper assets management
  • CNAS-9: Inadequate ‘compute’ resource quota limits
  • CNAS-10: Ineffective logging & monitoring (e.g. runtime activity)

This list of vulnerabilities is still an active project for OWASP and will continue to be revised based on data from participating organizations on vulnerability prevalence and other factors.

About BreachLock

BreachLock is a global leader in PTaaS and penetration testing services. BreachLock offers automated, AI-powered, and human-delivered solutions in one integrated platform based on a standardized built-in framework that enables consistent and regular benchmarks of attack tactics, techniques, and procedures (TTPs), security controls, and processes. By creating a standardized framework, BreachLock can deliver enhanced predictability, consistency, and accurate results in real-time, every time.
