Organisations are shifting workloads to the cloud at a rapid pace to achieve faster time-to-market, increased responsiveness and cost reductions. However, amid this transformation, cloud security threats remain a top concern. These threats target cloud computing providers, as organisations have less visibility overall with respect to data access and movement. According to a report by Fortinet, 95 per cent of organisations are moderately to extremely concerned about their security posture in a public cloud environment.

Nonetheless, shifting workloads to cloud does not necessitate compromising on security. Modern-day businesses can mitigate these risks and benefit from the use of interconnected cloud technologies by integrating cloud security and testing practices into their cloud strategies.

Cloud security

Cloud security is a collection of rules, procedures and technologies designed to address external and internal threats to the cloud assets of a business. Cloud security differs from traditional cybersecurity, as the data is stored in virtual or cloud storage. The main types of cloud security are application security, database security, endpoint security, network security, and web and e-mail security. Application security comprises both hardware and software procedures to minimise data threats. The different service models include infrastructure-as-a-service, platform-as-a-service and software-as-a-service, and are deployed through public, private and hybrid cloud. These as-a-service models give organisations the ability to offload many routine and time-consuming tasks. They are being deployed in several sectors, including banking, financial services and insurance, healthcare, information technology, and telecom. The security features in cloud computing differ based on the cloud service model adopted and the method of deployment.

Most cloud providers follow best security practices and take active steps to protect the integrity of their servers, and third-party cloud computing providers may take on the management of this infrastructure. However, responsibility for data asset security and accountability is not necessarily guaranteed.

Challenges in cloud security

The common security challenges that affect a cloud environment are:

  • Multitenancy: Public cloud environments house multiple client infrastructures under the same umbrella. This may lead to an enterprise’s hosted services being compromised as collateral damage when malicious attackers target other businesses.
  • Misconfiguration: Cloud misconfiguration is one of the most common reasons for vulnerability threats in a cloud environment. Misconfigurations are mostly due to human errors such as using the default settings and reusing passwords. Other causes include excessive permissions, unused accounts and disabling standard security controls.
  • Lack of visibility: As many cloud services are accessed outside of corporate networks and through third parties, it is easy for businesses to lose track of how and by whom their data is being accessed. There is a lack of visibility in cloud server management. This could lead to a loss of control over tools and resources, and consequent security problems. The lack of visibility can also create challenges such as employees using unauthorised applications, or using approved applications for malicious purposes. Further, it creates a lack of governance, which may attract more cloud security threats.
  • Access management and shadow IT: Although businesses may be able to successfully manage and restrict access points across on-premises systems, the administration of these levels of restriction can be difficult in cloud environments. This can be dangerous for organisations that do not adopt bring-your-own-device policies and allow unfiltered access to cloud services from any device or geolocation.
  • Insecure UIs and APIs: The user interface (UI) and application programming interface (API) are the most vulnerable sections of the cloud infrastructure. These interfaces act as the communication platform between the enterprise customer and the cloud service provider (CSP), though the security of the UI and API is considered the service provider’s responsibility. As the CSP can monitor and manage the interfaces used by the customer, the UI and API can be insecure and may expose sensitive user account details and admin control.
  • Data breaches: Cloud storage involves the transfer of data at high speeds over the internet, thus creating space for data breaches. A data breach can affect customer trust, regulatory compliance, revenue and the brand image of a business. Major causes of data breaches include inefficient identity and access management, phishing attacks, and insecure data transfers.

Security testing

Cloud security testing involves the testing of cloud infrastructure for loopholes and vulnerabilities that could lead to data breaches and service disruptions. It is mainly performed to examine a cloud infrastructure provider’s security policies, controls and procedures. It can also provide a detailed analysis of the security risks of cloud infrastructure, thus assessing its risk posture. The testing is carried out using various manual and automated testing methodologies.

Among a host of testing methodologies such as vulnerability scans, attack surface analysis, phishing simulations, and do-it-yourself security assessment and risk analysis, penetration tests have particularly gained popularity, both among vendors and customers.

Penetration test

In layman’s terms, a cloud penetration test involves inducing a simulated cyberattack over the cloud network to identify risks, vulnerabilities and gaps present in the cloud infrastructure. It is a type of ethical hacking, where the penetration is pre-planned, and the results are analysed to find anomalies and fix them. The results of a penetration test are reliable enough for extensive decision-making related to cloud security controls. They also provide clear remediation advice for fixing vulnerabilities and mitigating the associated risks.

The CSP and the enterprise customer bear shared responsibility for penetration testing. A customer’s service level agreement defines the type and scope of cloud penetration testing that is allowed, and how frequently it can be done.

There are three types of penetration testing:

  • Black box penetration test: Under this method, penetration testers do not have access to or knowledge of an enterprise’s cloud infrastructure.
  • Gray box penetration test: The penetration testers have limited knowledge of the cloud framework under this test, and are granted restricted admin access based on the requirement.
  • White box penetration test: Under this approach, the penetration testers are granted complete access to the cloud network, including root-level access.

Although the white box method may appear the most secure, it gives the tester the advantage of easy access to, and information about, the cloud infrastructure and environment. This prevents them from thinking or acting like a hacker. In contrast, the black box approach forces security personnel to devise ways in which an attacker may enter the cloud environment with little or no information available.

As per industry estimates, the cost of a penetration test can vary, on average, from around $10,000 to as high as $100,000 annually, depending on the size and complexity of the organisation. This makes it much costlier than a vulnerability scan or an attack surface analysis, which cost about $2,300 and $2,500 respectively. In addition, some companies may be small and non-complex, or have less mature security, and a penetration test may not provide the optimal results for analysing the security risks accurately. In such cases, executing a penetration test is unviable, and other cloud security testing methods should be adopted.

The bottom line

The large-scale shift to cloud is helping enterprises unlock new levels of scalability, growth and agile development. Consequently, cloud security risks and potential attacks are also on the rise, leading to a corresponding increase in the need for cloud security best practices and testing. It has become essential for businesses to understand the scope of their cloud services and assets, the model of shared responsibility between CSPs and customers, and how to optimally approach cloud security testing methodologies within the context of an organisation’s risks and obligations.

Going forward, cloud security and testing are expected to become more intelligent and automated, driven by advances in artificial intelligence, machine learning, quantum computing and other transformative innovations.