Organisations are shifting workloads to the cloud at a rapid pace to achieve faster time-to-market, increased responsiveness and cost reductions. However, amid this transformation, cloud security threats remain a top concern. These threats target cloud computing providers, as organisations have less visibility overall with respect to data access and movement. According to a report by Fortinet, 95 per cent of organisations are moderately to extremely concerned about their security posture in a public cloud environment.
Nonetheless, shifting workloads to the cloud does not necessitate compromising on security. Modern-day businesses can mitigate these risks and benefit from the use of interconnected cloud technologies by integrating cloud security and testing practices into their cloud strategies.
Cloud security
Cloud security is a collection of rules, procedures and technologies designed to address external and internal threats to the cloud assets of a business. Cloud security differs from traditional cybersecurity, as the data is stored in virtual or cloud storage. The main types of cloud security are application security, database security, endpoint security, network security, and web and e-mail security. Application security comprises both hardware and software procedures to minimise data threats. The different service models include infrastructure-as-a-service, platform-as-a-service and software-as-a-service, and are deployed through public, private and hybrid cloud. These as-a-service models give organisations the ability to offload many routine and time-consuming tasks. They are being deployed in several sectors, including banking, financial services and insurance, healthcare, information technology, and telecom. The security features in cloud computing differ based on the cloud service model adopted and the method of deployment.
Most cloud providers follow best security practices and take active steps to protect the integrity of their servers, and third-party cloud computing providers may take on the management of this infrastructure. However, responsibility for data asset security and accountability is not necessarily guaranteed.
Challenges in cloud security
The common security challenges that affect a cloud environment are:
- Multitenancy: Public cloud environments house multiple client infrastructures under the same umbrella. This may lead to an enterprise’s hosted services being compromised as collateral damage when malicious attackers target other businesses.
- Misconfiguration: Cloud misconfiguration is one of the most common reasons for vulnerability threats in a cloud environment. Misconfigurations are mostly due to human errors such as using the default settings and reusing passwords. Other causes include excessive permissions, unused accounts and disabling standard security controls.
- Lack of visibility: As many cloud services are accessed outside of corporate networks and through third parties, it is easy for businesses to lose track of how and by whom their data is being accessed. There is a lack of visibility in cloud server management. This could lead to a loss of control over tools and resources, and consequent security problems. The lack of visibility can also create challenges such as employees using unauthorised applications, or using approved applications for malicious purposes. Further, it creates a lack of governance, which may attract more cloud security threats.
- Access management and shadow IT: Although businesses may be able to successfully manage and restrict access points across on-premises systems, the administration of these levels of restriction can be difficult in cloud environments. This can be dangerous for organisations that do not adopt bring-your-own-device policies and allow unfiltered access to cloud services from any device or geolocation.
- Insecure UIs and APIs: The user interface (UI) and application programming interface (API) are the most vulnerable sections of the cloud infrastructure. These interfaces act as the communication platform between the enterprise customer and the cloud service provider (CSP), though the security of the UI and API is considered the service provider’s responsibility. As the CSP can monitor and manage the interfaces used by the customer, the UI and API can be insecure and may expose sensitive user account details and admin control.
- Data breaches: Cloud storage involves the transfer of data at high speeds over the internet, thus creating space for data breaches. A data breach can affect customer trust, regulatory compliance, revenue and the brand image of a business. Major causes of data breaches include inefficient identity and access management, phishing attacks, and insecure data transfers.
Security testing
Cloud security testing involves the testing of cloud infrastructure for loopholes and vulnerabilities that could lead to data breaches and service disruptions. It is mainly performed to examine a cloud infrastructure provider’s security policies, controls and procedures. It can also provide a detailed analysis of the security risks of cloud infrastructure, thus assessing its risk posture. The testing is carried out using various manual and automated testing methodologies.
Among a host of testing methodologies such as vulnerability scans, attack surface analysis, phishing simulations, and do-it-yourself security assessment and risk analysis, penetration tests have particularly gained popularity, both among vendors and customers.
Penetration test
In layman’s terms, a cloud penetration test involves launching a simulated cyberattack on the cloud network to identify risks, vulnerabilities and gaps present in the cloud infrastructure. It is a type of ethical hacking, where the penetration is pre-planned, and the results are analysed to find anomalies and fix them. The results of a penetration test are reliable enough for extensive decision-making related to cloud security controls. They also provide clear remediation advice for fixing vulnerabilities and mitigating the associated risks.
The CSP and the enterprise customer bear shared responsibility for the same. A customer’s service level agreement defines the type and scope of cloud penetration testing that is allowed, and how frequently it can be done.
There are three types of penetration testing:
- Black box penetration test: Under this method, penetration testers do not have access to or knowledge of an enterprise’s cloud infrastructure.
- Gray box penetration test: The penetration testers have limited knowledge of the cloud framework under this test, and are granted restricted admin access based on the requirement.
- White box penetration test: Under this approach, the penetration testers are granted complete access to the cloud network, including root-level access.
Although the white box method may appear the most secure, it gives the tester the advantage of easy access to, and information about, the cloud infrastructure and environment. This prevents them from thinking or acting like a hacker. In contrast, the black box approach forces security personnel to devise ways in which an attacker may enter the cloud environment with little or no information available.
As per industry estimates, the cost of a penetration test can vary, on average, from around $10,000 to as high as $100,000 annually, depending on the size and complexity of the organisation. This makes it much costlier than a vulnerability scan or an attack surface analysis, which cost about $2,300 and $2,500 respectively. In addition, some companies may be small and non-complex, or have less mature security, and a penetration test may not provide the optimal results for analysing the security risks accurately. In such cases, executing a penetration test is unviable, and other cloud security testing methods should be adopted.
The bottom line
The large-scale shift to the cloud is helping enterprises unlock new levels of scalability, growth and agile development. Consequently, cloud security risks and potential attacks are also on the rise, leading to a corresponding increase in the need for cloud security best practices and testing. It has become essential for businesses to understand the scope of their cloud services and assets, the model of shared responsibility between CSPs and customers, and how to optimally approach cloud security testing methodologies within the context of an organisation’s risks and obligations.
Going forward, cloud security and testing are expected to become more intelligent and automated, driven by advances in artificial intelligence, machine learning, quantum computing and other transformative innovations.