Cloud computing has grown in popularity in the past few years.
Large global companies Amazon (AWS) and Microsoft (Azure) offer their own cloud solutions. These cloud services have a lot of advantages over on-premises solutions.
Deploying a particular service on the cloud can save a lot of time and money for businesses. Cloud solutions can significantly improve the agility and scalability of installing, configuring and managing a particular component of infrastructure, web service, or database.
Who’s responsible for cloud security?
It is important to note that just because a company decides to move its infrastructure, websites, APIs and other business-critical IT systems to the cloud, it doesn’t mean everything hosted on the cloud is 100% secure.
Microsoft (Azure) and Amazon (AWS) offer a subscription to their cloud solution, which offers a myriad of cloud services and features that companies can utilise. These services are normally installed and configured by the company and not by the cloud provider. It is therefore the responsibility of the company to ensure their cloud-based IT systems are installed and configured with security in mind.
Unfortunately, due to very tight software development and infrastructure deployment deadlines, the security aspect of IT systems and services (infrastructure, web, API, firewalls, mobile apps, etc.) is quite often not prioritised, which makes these services vulnerable to malicious attacks.
This is particularly important if a specific IT component such as a server, an API endpoint or an e-commerce website is hosted on the cloud but is fully accessible from the Internet. If that IT component hasn’t been deployed with security in mind, it can be vulnerable to the same type of attacks as any IT system hosted by an on-premises solution.
It is therefore essential to carry out a penetration test of every IT system and service that is hosted on the cloud and is configured and maintained by the client.
Cloud-based penetration tests IRM can perform to help secure your IT systems.
IRM recommend that, depending on the type of IT solution configured on the cloud, the following security assessments should be carried out where required.
- Web application assessment. Just like any website hosted by an on-premises solution, a web application hosted on the cloud can be affected by the OWASP Top 10 vulnerabilities and many other sophisticated attacks. IRM highly recommends that an in-depth penetration assessment is carried out annually.
- API Assessment. RESTful and SOAP-based API solutions have become very popular in the past few years. If an API endpoint is being hosted on the cloud but it is accessible from the Internet, it can be attacked and compromised if it contains vulnerabilities.
- Firewalls/Security Groups. It is very common to utilise the firewall services offered by the cloud solution rather than deploy a typical firewall device such as a Cisco ASA. However, just as with an on-premises firewall device, the network rules and firewall settings set up on the cloud can be misconfigured and overly permissive, allowing access to critical IT systems (e.g. a database) from the Internet.
- External/internal infrastructure. While the cloud environment itself is offered by the host, often Microsoft or Amazon, it is the responsibility of the client to ensure they have their external and internal infrastructure configured to the highest security standard. If that is not the case, a threat actor could exploit a vulnerable port exposed to the Internet and use it as a pivot point to start attacking the internal infrastructure, which in itself can also be vulnerable to attacks if it’s not secured correctly.
- Individual servers and hosts. A company that has decided to move its servers powered by Windows (e.g. Server 2016), Linux (RedHat) and other operating systems can still have them compromised if they are not fully hardened with the latest security patches released by the vendor. It is therefore essential to perform a build review of such machines even if they are hosted on the cloud. Such systems can still be missing security patches, and can have a misconfigured and weak password policy as well as an outdated anti-virus solution that does not protect the system from viruses and other malware.
- The cloud environment itself is offered by such companies as Microsoft and Amazon. However, it is the responsibility of the organisation’s system administrator and/or cloud architect to harden that environment by ensuring that multi-factor authentication (MFA) is enforced for all users and their associated groups, logging and monitoring settings are properly configured, and the usage of secure storage solutions such as AWS S3 buckets is implemented the right way. Access to a cloud management portal is normally available from the Internet. An attacker would only need one set of privileged credentials (username and password) to access the company’s entire cloud environment and all the IT systems and services that are managed by it. If, however, a proper MFA mechanism is enforced during the login process, it would be significantly harder to execute such an attack.
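The Firewalls/Security Groups item above can be checked mechanically. The following Python check is an added example, not IRM's tooling: it reads data in the shape returned by `aws ec2 describe-security-groups` and reports inbound rules that expose commonly sensitive ports to any address. The port list, the function names and the sample groups are assumptions constructed for the example.

```python
# Assumed list of services that should not normally be reachable from the Internet.
SENSITIVE_PORTS = {22: "SSH", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def world_open_cidrs(perm):
    """Return the 'anywhere' CIDRs (IPv4 and IPv6) on one IpPermissions entry."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in ANYWHERE)

def sensitive_ports_covered(perm):
    """Sensitive ports a rule allows; IpProtocol '-1' means all traffic, all ports."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return sorted(SENSITIVE_PORTS)
    if proto != "tcp":
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return [p for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]

def audit(describe_output):
    """Return (group_id, port, service, cidr) for every Internet-exposed sensitive port."""
    findings = []
    for group in describe_output.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            for cidr in world_open_cidrs(perm):
                for port in sensitive_ports_covered(perm):
                    findings.append((group["GroupId"], port, SENSITIVE_PORTS[port], cidr))
    return findings

# Constructed sample; the group IDs are made up for this example.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-web-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-range-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s: port %d (%s) open to %s" % finding)
```

A wide port range is flagged for every sensitive port it covers, and a rule restricted to an internal CIDR is not reported.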
IRM provide a comprehensive portfolio of security services to address the challenges presented by cloud adoption. This includes the complete end-to-end global Managed Security Services offering regardless of location – on-premises, public, private, and multi-cloud.
Our clients are from many different industries such as large telecommunication businesses, financial institutions, high street retailers and government organisations. They already benefit from cloud security that has been customized to their needs, ensuring an efficient response to the evolving threat landscape. Our integrated approach means that we can secure legacy/on-premises or cloud (any cloud) environments.
If you feel you’d like to explore how IRM can help you and your business with cloud penetration testing, please contact us on 01242 225200 or email firstname.lastname@example.org