cloud penetration testing
Overview
A Cloud Penetration test uncovers vulnerabilities residing within your cloud infrastructure and provides a detailed attack narrative to help evaluate the impacts of each finding. Pelta Cloud Penetration Testing methodology is combination of manual and automatic testing and aligned with SANS Pentest Methodology, the MITRE ATT&CK framework for enterprises, Azure Threat Research Matrix and NIST to ensure compliance with most regulatory requirements.
Why conduct a Cloud Penetration Test?
Discover security weaknesses in cloud environments:
Determine what an attacker could do with valid access keys or tokens
Compare current cloud configurations against security best practices
Identify potential paths from the internet to internal cloud environments
Protect access to sensitive information by finding weaknesses others overlook:
Go beyond a vulnerability assessment to identify the techniques attackers would take to breach sensitive information.
Strengthen your cloud infrastructure with an expert:
Cloud pentesting is new and needs a pentester with specialized training.
Pelta testers have industry experience and hold industry standard certifications.
Cloud Penetration Testing Services
-
Microsoft Azure
Whether you are migrating to Azure, developing applications in Azure, or pentesting annually for compliance, Microsoft Azure penetration testing helps you ensure your cloud infrastructure is secure. Pelta identifies high impact vulnerabilities found in your Azure cloud services, including applications exposed to the internet. Our Azure pentesting also finds credentials, excessive privileges, and misconfigurations in Azure Active Directory that can lead to the compromise of your Azure infrastructure and enable an attacker to expose sensitive data, take over Azure resources, or pivot to attack your internal network.
-
Amazon Web Services (AWS)
AWS penetration testing helps you find cloud security gaps that create exposure and risk. It is a necessary component of security if your organization is migrating to AWS, developing applications in AWS, or pentesting annually for compliance. During AWS penetration tests, Pelta identifies vulnerabilities, credentials, and misconfigurations that allow our expert cloud pentesters to access restricted resources, elevate user privileges, and expose sensitive data. Testing also identifies exposure of internet-exposed management interfaces, S3 buckets exposed to the internet, and security gaps in AWS Identity and Access Management (IAM) configurations.
-
Google Cloud Platform (GCP)
Google Cloud penetration testing helps organizations establish security as they migrate to Google Cloud, develop applications in GCP, or use Google Kubernetes Engine (GKE). During Google Cloud penetration tests, Pelta tests for vulnerabilities that adversaries can exploit. Our testing goes beyond automated scanning to manually exploit vulnerabilities and misconfigurations to identify security gaps in your Google Cloud attack surface.
Our Approach of Cloud Penetration Testing
- Understanding Cloud Provider Understanding the policies of cloud providers – Almost all public cloud providers (aws cloud, google or azure services) have cloud pen testing processes in place. This is often known as the customer support policy for penetration testing cloud. This policy defines explicitly what activities are permitted and prohibited under cloud penetration testing exercise in their environment. It is similar to other policies such as network stress testing, DDoS simulation testing. Examples of these cloud penetration test rules of engagement (such as Microsoft, Amazon Web Services, Google or Oracle Cloud Security Testing) or permission policies are available on cloud provider portals.
- Creating a Pen Test Plan – Businesses looking to conduct testing cloud penetration testing (or security assessments) should have a cloud penetration test plan in place. This plan should include information related to applications, data access, network access, laws & regulations to comply with the cloud application security testing or databases and assessment approach (white box, grey box or black box). See our in-depth article for the basics of security reviews.
- Vulnerability Identification Process – Constantly identifying vulnerabilities in cloud environments is very important. Cloud penetration testing ensures that no blind spots (such as vulnerabilities in the virtual machines facing the Internet) are present in your environment. The right toolset (whether automated tools for vulnerability scanning or manual checks) is an important component of advisory services just like on-premises for cloud application security testing or a security audit. Both cloud and on-premises tools are available, and a thorough requirements analysis should be performed to finalise the correct approach.
- Resource Risk Analysis – This phase is relevant to the previous one based on the tools and resources used. Correct tooling and security resource usage are the two most important aspects of vulnerability identification and analysis. Using in-house teams to perform cloud penetration testing may miss certain findings due to close familiarity with the cloud environment. Cloud testing with the right cloud service provider is not an option these days, it’s the surest way to prove that your cloud assets are securing the underlying data.
- Risk Remediation – Risk remediation is an important element, that feeds back into the risk management programme of an organisation. All risk advice is provided in our deliverables after cloud pentesting services and cloud environment to help the security team analyse and devise remediation plans. It includes a description of risks in the context of the environment, followed by attack probability and impact. If required, Cyphere provides additional remediation consultancy given the complexity around risk and specific skill-set required for risk remediation of cloud penetration testing findings.