Cloud environments experience - at a high level - the same threats as traditional data center environments. That is, cloud computing runs software on systems in the cloud, system sm, and software has vulnerabilities, and adversaries try to exploit those vulnerabilities. The difference is the risk mitigation is shared between Cloud Service Provider and the cloud consumer.
NIST identifies the following characteristics and models for cloud computing:
- Essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service
- Service Models: software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS)
- Deployment Models: private cloud, community cloud, public cloud, and hybrid cloud
e-InnoSec cloud security team is experienced with implementing FedRAMP, NIST 800-53, DOD requirements and have integrated FedRAMP Penetration Test practices in vulnerability and pen test for both public and private cloud.
The following are the few example of cloud-unique and shared cloud/on-premise vulnerabilities and threats:
- Credentials are Stolen
- Separation Among Multiple Tenants Fails
- Internet-Accessible Management APIs can be Compromised.
- Data Deletion is Incomplete
- Reduced Visibility and Control
- Insider abuse
Attack Vectors
The types of attacks include both internal/external and trusted/untrusted.
Attack Vector Summary.
The pen test methodology:
- Web Application/Application Program Interface (API) Information Gathering/Discovery
- Mobile Application Information Gathering/Discovery
- Network Information Gathering/Discovery
- Social Engineering Information Gathering/Discovery
- Simulated Internal Attack Information Gathering/Discovery
- Exploitation - Web Application/API, Mobile Application, Network, Social Engineering, and Simulated Internal Attack
- Post-exploitation
- Reporting
Services
- Cloud pen test
- Cloud vulnerability assessments
- Specific Pen Test for FedRAMP compliance