Pentesting a cloud environment

Configuration errors are the primary source of intrusions in cloud environments.

Why would you technically audit cloud environments?

In addition to the financial and technical advantages they can offer, cloud offerings have become mature and well-developed, providing a range of services that can meet any need. As a result, companies of all sizes are increasingly turning to these solutions. Whether it is all or part of the information system, there will inevitably be sensitive information and critical processing on cloud services. Access through the cloud means greater exposure. It is essential to ensure that this transition does not degrade the overall level of security.

What are the specificities of a pentest conducted within a cloud environment?

Unlike a “classic” pentest for which the environment is clearly defined (web, internal network, etc.), an intrusion test in a cloud environment will very often combine an external web intrusion (services exposed on the internet) and an internal intrusion, i.e., within the cloud itself. This is due to the very way public cloud hosting offers have been designed: information systems are placed, totally or partially, within a cloud accessible through an internet connection. Thus, the test will generally consist, in a first step, of performing an external (web) intrusion test during which we will try to infiltrate the customer’s cloud through the various elements exposed on the internet (servers, storage spaces, etc.). If we succeed, we will perform an internal intrusion test to audit the cloud and detect the various existing vulnerabilities.

Do you use the same methodologies and attack tools as in a “classic” pentest?

Typically, the first part of the penetration test consists of searching for and exploiting common vulnerabilities using conventional tools. Only once we have penetrated the customer’s cloud do we use tools specific to each CSP (Cloud Service Provider).

Are the techniques you use different from one CSP to another?

If we consider only attack techniques specific to cloud environments, then yes, the approaches change entirely from one CSP to another. This is notable because the foundation on which the solutions proposed by CSPs are based differs significantly, whether it is Amazon, Google, or Microsoft, to name a few.

What vulnerabilities do you manage to exploit the most?

The majority of vulnerabilities exploited during a penetration test are usually caused by the negligence of the people in charge of the cloud configuration. Indeed, customers who subscribe to a public cloud offer often mistakenly assume that everything they configure inside the cloud will be protected from external attacks. This is a common misconception. As a result, we’re seeing a decline in customer vigilance about anything to do with IT security applied to cloud environments. Consequently, it’s not uncommon to find during our audits that configuration errors create breaches in the customer’s cloud, leading to its partial or even total compromise.

What is your advice?

To secure their cloud environments, companies can act on several levels. First of all, it is essential for those in charge of the infrastructure to step back and question the need to have all or part of the IS in the cloud. We see a “fashion effect” of adopting cloud solutions for greater elasticity, availability, or even, wrongly, to offload IT security. This choice is not necessarily justified, and can even have the opposite effect: making the IS more vulnerable than before. Suppose the IS has been partially or totally migrated, and the customer is keen to make its infrastructure more secure. In that case, it must configure all its services in line with acceptable security practices, such as the principle of least privilege for everything concerning access and identities.

What configurations do you recommend to set up?

It is difficult to give a precise answer because each IS is different, and the necessary configurations can change completely from one area to another. Nevertheless, certain common principles must be respected, such as the application of the least privilege principle (mentioned above), good management of incoming flows (whitelisting of source IPs, closing unnecessary ports, real-time traffic monitoring, etc.), or the installation of protection solutions at the service level (a WAF, for example) or at the level of user machines (HIDS/HIPS). These recommendations are just a few examples among many, and many CSP-specific solutions are available to customers through marketplaces.
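The two recommendations above (least privilege on identities, and whitelisting source IPs / closing unnecessary ports) are exactly the configuration errors an audit looks for. The following added example, not part of the original interview, is a small audit check over constructed sample data: an IAM-style policy document in the AWS policy shape and a list of firewall ingress rules (both formats and all values assumed for illustration). It flags statements granting every action or resource, and rules open to the whole internet on ports that were not meant to be public.

```python
import json
from ipaddress import ip_network

# Constructed sample input: one IAM-style policy (AWS policy document shape)
# and a few security-group-style ingress rules. Values are illustrative only.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-assets/*"},
  {"Effect": "Allow", "Action": "*", "Resource": "*"}
]}
""")
INGRESS = [
    {"port": 443, "cidr": "0.0.0.0/0"},
    {"port": 22, "cidr": "0.0.0.0/0"},
    {"port": 3389, "cidr": "203.0.113.0/24"},
]
# Assumption: only the web ports are allowed to face the internet; admin ports
# (SSH, RDP) must be restricted to whitelisted source ranges.
EXPECTED_PUBLIC_PORTS = {80, 443}


def overly_broad_statements(policy):
    """Return Allow statements that grant every action or every resource (least-privilege violations)."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wild_resources = [r for r in resources if r == "*"]
        if wild_actions or wild_resources:
            findings.append({"actions": wild_actions, "resources": wild_resources})
    return findings


def exposed_ports(rules, allowed_public=EXPECTED_PUBLIC_PORTS):
    """Return (port, cidr) for rules open to the whole internet (/0) on ports not meant to be public."""
    hits = []
    for r in rules:
        net = ip_network(r["cidr"])
        if net.prefixlen == 0 and r["port"] not in allowed_public:
            hits.append((r["port"], r["cidr"]))
    return hits


if __name__ == "__main__":
    print("Over-privileged statements:", overly_broad_statements(POLICY))
    print("Admin ports exposed to the internet:", exposed_ports(INGRESS))
```

On the sample data, the wildcard statement and the SSH rule open to 0.0.0.0/0 are reported; the scoped S3 statement and the RDP rule restricted to a single /24 pass.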

How can CSPs further secure their cloud environments?

Cloud environments made available by CSPs to their customers are generally secure by default. There are, of course, public vulnerabilities that are regularly detected by IT security researchers, but these are very quickly taken care of and corrected by the CSPs. Today, the cloud services available to customers all incorporate security-by-design elements. However, customers need to know how to configure them correctly by integrating the right security principles.

What best practices would you advise end-users?

Best practices that apply to users of an on-premise IS also apply to cloud users, such as using strong passwords, installing required updates, etc. Thus, if an attacker manages to compromise a cloud user’s workstation, their propagation will be slowed down by applying these practices.
