Penetration Testing for Cloud Services and Cloud Infrastructure
While the use of cloud services reduces work, it also increases effort and complexity elsewhere. Depending on the service model used (IaaS / PaaS / SaaS), more responsibility for security lies with the cloud service provider or with the service user. Irrespective of this, there is an additional component that should not be overlooked: while it used to be considered preposterous in in-house IT infrastructures to expose management interfaces for infrastructure (e.g., switches, firewalls or VPN gateways) on the Internet, this is now the norm with cloud providers.
Management interfaces, such as the Azure Portal or Amazon’s AWS Console, allow much more than just configuring firewalls or switches and are accessible to anyone on the Internet. Therefore, other key risk factors exist for the security of cloud services: identity, the user account with which users log in, and the conditions under which this is possible and to what extent.
We offer a cloud security audit to check the security of identities and their access options in the cloud. This is not a penetration test in the true sense, but rather a check of whether recommendations for securing identities and their access restrictions have been complied with. Cloud penetration testing is therefore a whitebox test whereby we check the configuration of the central cloud services to secure the cloud service itself.
External penetration testing
For services with a service model such as IaaS, where the customers themselves are responsible for securing the operating system and "everything above it", the situation with penetration tests is similar to that for on-premise IT systems. Services that are accessible on the Internet should definitely be tested with an external penetration test.
PaaS services are comparable, although here the customer’s responsibility is already significantly lower. But here, too, misconfiguration and unnecessary exposure of the applications can cause security vulnerabilities that can be discovered in a penetration test. In general, (web) applications operated on these platforms should also be subjected to a (web) application penetration test, just like any other application operated elsewhere.
Cloud Security Audit
In the SaaS model, the cloud provider is already responsible for performing penetration tests on the infrastructure and application. In some cases it can even provide the relevant reports on request. Irrespective of this, any cloud service can become insecure due to errors in the configuration, even if it has already been subjected to multiple penetration tests. That is why NSIDE ATTACK LOGIC GmbH offers to check the configuration of your cloud applications in order to identify precisely such security problems at an early stage.
Cloud penetration testing for services & infrastructure
We adapt the test parameters such as scope and procedure to your individual needs. Simply contact us and we will get back to you shortly.