CLOUD COMPUTING SECURITY – PENTESTING THE CLOUD

Diogenes S. De Jesus, CEH, Security+

Post on 16-Jan-2016



AGENDA

• Cloud Computing Intro

• Pentesting the Cloud

• Advice

• Q&A

CLOUD CHARACTERISTICS

• On-demand self-service

• Broad network access

• Resource pooling (multi-tenant model)

• Rapid elasticity

• Measured Service

NIST - National Institute of Standards and Technology

SERVICE MODELS

• Cloud Software as a Service (SaaS)

• Cloud Platform as a Service (PaaS)

• Cloud Infrastructure as a Service (IaaS)

NIST - National Institute of Standards and Technology

WHAT DOES SECURITY SEE IN ALL THIS?

Cloud computing moves slices of organizational data outside the company's perimeter, out of the company's direct control.

SECURITY CONTROL IN THE CLOUD

[Figure: the split of security control between Customer and CSP across IaaS, PaaS and SaaS]

VULNERABILITY TREND

[Figure: vulnerability trend chart. Source: SANS]

TYPICAL NETWORK PENTEST

Reconnaissance

Vulnerability Mapping

Exploitation

IAAS: AMAZON

AWS Vulnerability / Penetration Testing Request Form


IAAS: SPECIFICS

• The CSP's TOS explicitly excludes some tests we would normally run

• The tests are more analytical and less ./execute

• Some CSPs exclude certain tests, others may not

• Tests tend to be customized to meet the CSP's demands

PAAS: WINDOWS AZURE

Cloud OS as a Service (OSaaS)

Source: MSDN

PAAS: SPECIFICS

• Check the contract and TOS for the specific backend tests that are allowed

• Testing one platform does not necessarily give you the right to test other APIs (e.g. the Windows platform versus the SQL backend)

• Frontend and backend are different infrastructures for the CSP, which is particularly bad for web-app vulnerability assessment
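The IaaS and PaaS slides above both come down to a scoping decision that has to be made before the first packet of reconnaissance is sent: is the host inside a CSP's published address space (so the CSP's TOS and test-request process apply on top of the customer's contract), and what does the contract actually authorise for that host (a PaaS contract may cover the web frontend but not the SQL backend)? The script below is an added example, not code from the talk or from any CSP. The ip-ranges document it parses is a constructed excerpt in the layout AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json, using documentation prefixes rather than real allocations; the contract scope, the host roles and the list of TOS-excluded test types are likewise assumptions made up for the example.

```python
"""Pre-engagement scope gate for a cloud pentest (added example, not from the slides).

For each target, decide two things before any test runs:
  1. Is the host in a CSP's published address ranges?  If so the CSP's TOS and
     test-request process apply in addition to the customer's contract.
  2. Which requested test types does the contract authorise for that host, and
     which does the CSP's TOS exclude regardless of contract?
"""
import ipaddress
import json

# Constructed excerpt in the layout of AWS's ip-ranges.json; prefixes are
# RFC 5737 / RFC 3849 documentation addresses, not real allocations.
SAMPLE_IP_RANGES_JSON = """
{
  "syncToken": "1452902400",
  "createDate": "2016-01-16-00-00-00",
  "prefixes": [
    {"ip_prefix": "203.0.112.0/22", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8::/32", "region": "eu-west-1", "service": "AMAZON"}
  ]
}
"""

# Constructed rules of engagement: test types the contract authorises per host.
CONTRACT_SCOPE = {
    "203.0.113.10": {"role": "PaaS web frontend", "authorised": {"webapp", "portscan"}},
    "203.0.113.20": {"role": "PaaS SQL backend", "authorised": set()},  # frontend-only contract
    "192.0.2.5":    {"role": "on-prem jump host", "authorised": {"portscan", "vulnscan", "dos"}},
}

# Constructed stand-in for test types the CSP's TOS excludes whatever the contract says.
CSP_TOS_EXCLUDED = {"dos", "flooding"}


def load_prefixes(json_text):
    """Parse an ip-ranges.json document into (network, region, service) tuples."""
    doc = json.loads(json_text)
    out = []
    for entry in doc.get("prefixes", []):
        out.append((ipaddress.ip_network(entry["ip_prefix"]), entry["region"], entry["service"]))
    for entry in doc.get("ipv6_prefixes", []):
        out.append((ipaddress.ip_network(entry["ipv6_prefix"]), entry["region"], entry["service"]))
    return out


PREFIXES = load_prefixes(SAMPLE_IP_RANGES_JSON)


def find_provider_range(ip, prefixes=PREFIXES):
    """Most specific published range containing ip, or None if the CSP does not list it."""
    addr = ipaddress.ip_address(ip)
    hits = [p for p in prefixes if p[0].version == addr.version and addr in p[0]]
    return max(hits, key=lambda p: p[0].prefixlen) if hits else None


def plan(target, requested, prefixes=PREFIXES, scope=CONTRACT_SCOPE):
    """Split the requested test types for one target into allowed and blocked sets."""
    requested = set(requested)
    try:
        addr = str(ipaddress.ip_address(target))
    except ValueError:
        # Hostnames must be resolved and re-checked as IPs; never scan an unresolved name.
        return {"target": target, "status": "skip", "allowed": set(),
                "blocked": requested, "note": "not an IP literal; resolve first"}
    entry = scope.get(addr)
    if entry is None:
        return {"target": addr, "status": "out-of-scope", "allowed": set(),
                "blocked": requested, "note": "host is not in the contract scope"}
    allowed = requested & entry["authorised"]
    hit = find_provider_range(addr, prefixes)
    if hit is None:
        status = "test"
        note = "not in published CSP ranges; the contract alone governs"
    else:
        net, region, service = hit
        allowed -= CSP_TOS_EXCLUDED  # TOS exclusions override the contract
        status = "csp-request-required"
        note = f"in {net} ({service}, {region}); file the CSP test request first"
    if not allowed:
        status = "nothing-authorised"
    return {"target": addr, "status": status, "allowed": allowed,
            "blocked": requested - allowed, "note": note}


if __name__ == "__main__":
    for host, tests in [("203.0.113.10", {"webapp", "portscan", "dos"}),
                        ("203.0.113.20", {"webapp"}),
                        ("192.0.2.5", {"portscan", "dos"}),
                        ("198.51.100.7", {"portscan"}),
                        ("app.example.test", {"webapp"})]:
        print(plan(host, tests))
```

Run against a real engagement, replace the embedded JSON with the CSP's current published file and the scope dictionary with the signed rules of engagement; the point of the most-specific-prefix match is that a broad "AMAZON" range and a narrower "EC2" range can both contain the same address, and the narrower one tells you which service's request form applies.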

SAAS: PENTEST?

• Most likely no testing at all

• Availability depends on the CSP

ADVICE

[Figure: payment flow, steps 1-5, among Customer, eShop, Payment Gateway, Merchant and Issuing Bank]

ADVICE

[Figure: the same payment flow, steps 1-5, among Customer, Payment Gateway, Cloud Provider and Issuing Bank]

ADVICE

1) Am I allowed to run tests through third parties?

2) Which tests can I run against the CSP?

3) How flexible is the customization of contracts?

ADVICE

4) Where is your cloud located, and where is our data physically stored? Compliance with regional laws;

5) Can the data be exported to another CSP? Risk of vendor / data lock-in;

6) Is virtualization done with instance-level isolation? Data leakage; application conflicts;

ADVICE

Some other questions the cloud provider should be asked:

7. Is there a DoS mitigation system in place?

8. What about packet sniffing by other tenants?

9. Is your cloud designed to be a disaster-tolerant solution?

10. How are your backups made? How long does a full system restore take?

11. Do you have a security policy and related standards?

12. When was the last time you tested your BCP and DRP?

13. How quickly can you increase the performance of your cloud? How quickly do we get the required resources?

14. How many security incidents have you had in the past, and of which kind?

15. What is your downtime per year?
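Questions 6 and 8 above (instance-level isolation, packet sniffing by other tenants) can be partly answered from your own instance rather than from the CSP's questionnaire: put the instance's NIC into promiscuous mode (for example with `tcpdump -i eth0 -n`) and check whether unicast traffic between two addresses that are not yours is visible. Broadcast and multicast frames (ARP, DHCP, mDNS) are normal on a shared segment and must not be counted as leakage. The classifier below is an added example, not from the talk; the capture it parses is constructed in tcpdump `-n` output style, with 10.0.0.12 assumed to be the instance's own address on 10.0.0.0/24, and is not from a real cloud network.

```python
"""Cross-tenant visibility check over tcpdump -n output (added example, not from the slides).

A frame is "foreign" when neither endpoint is one of our own addresses and the
destination is not broadcast/multicast.  Seeing foreign unicast on a cloud NIC
means the virtual switch is not isolating tenants at layer 2.
"""
import ipaddress
import re

# Matches the "IP src > dst:" part of a tcpdump -n line.  ARP and other non-IP
# frames (and IPv6, printed as "IP6") deliberately do not match.
LINE_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+?):")
MULTICAST_V4 = ipaddress.ip_network("224.0.0.0/4")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed capture: our own SSH session, an ARP request, DHCP and mDNS
# broadcasts, then two frames between other hosts that we should never see.
SAMPLE_CAPTURE = """\
12:00:00.000001 IP 10.0.0.12.22 > 10.0.0.99.40001: Flags [P.], seq 1:50, ack 1, length 49
12:00:00.000002 IP 10.0.0.99.40001 > 10.0.0.12.22: Flags [.], ack 50, length 0
12:00:00.000003 ARP, Request who-has 10.0.0.1 tell 10.0.0.12, length 28
12:00:00.000004 IP 10.0.0.44.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 02:00:00:00:00:44, length 300
12:00:00.000005 IP 10.0.0.33.5353 > 224.0.0.251.5353: 0 PTR (QM)? _ssh._tcp.local. (31), length 60
12:00:00.000006 IP 10.0.0.51.3306 > 10.0.0.52.52311: Flags [P.], seq 1:200, ack 1, length 199
12:00:00.000007 IP 10.0.0.52 > 10.0.0.51: ICMP echo request, id 7, seq 1, length 64
"""


def _host(token):
    """tcpdump -n prints IPv4 endpoints as a.b.c.d or a.b.c.d.port; drop the port."""
    parts = token.split(".")
    if len(parts) == 5:
        parts = parts[:4]
    return ipaddress.ip_address(".".join(parts))


def classify(line, own_ips, subnet):
    """Return 'own', 'broadcast', 'foreign' or 'non-ip' for one capture line."""
    m = LINE_RE.match(line)
    if not m:
        return "non-ip"
    src, dst = _host(m["src"]), _host(m["dst"])
    if src in own_ips or dst in own_ips:
        return "own"
    if dst == LIMITED_BROADCAST or dst == subnet.broadcast_address or dst in MULTICAST_V4:
        return "broadcast"
    return "foreign"


def audit(lines, own_ips, subnet):
    """Count frames per class and collect the foreign ones as evidence."""
    own = {ipaddress.ip_address(i) for i in own_ips}
    net = ipaddress.ip_network(subnet)
    counts = {"own": 0, "broadcast": 0, "non-ip": 0, "foreign": 0}
    foreign = []
    for line in lines:
        if not line.strip():
            continue
        kind = classify(line, own, net)
        counts[kind] += 1
        if kind == "foreign":
            foreign.append(line)
    return {"counts": counts, "foreign": foreign, "isolation_suspect": bool(foreign)}


if __name__ == "__main__":
    result = audit(SAMPLE_CAPTURE.splitlines(), {"10.0.0.12"}, "10.0.0.0/24")
    print(result["counts"])
    for line in result["foreign"]:
        print("FOREIGN:", line)
```

A clean result here only shows that nothing leaked during the capture window; it does not prove isolation. A positive result is strong evidence, and the foreign lines (another tenant's MySQL session in the constructed sample) are exactly what to hand the CSP together with question 8.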

WRAP UP

• The cloud is a reality, and pentesting it isn't much different

• Pentests / vulnerability assessments will still exist to meet compliance requirements

• Specifics to the cloud:

  • Work with the CSP: a good SLA will help you do good tests

  • The multi-tenant model brings its own limitations and risks to the CSP

  • Attacks must be carried out carefully to mitigate impact issues

  • Watch out for compartmentalized architectures (PaaS)

  • SaaS limitations

• Future: separation of duties – third-party testers

Q&A

?