Cloud security
- 2. AGENDA:
  - About Cloud
  - Challenges of Cloud Computing
  - Why Cloud Security?
  - Cloud Shared Responsibility Model
  - Scope of Security in Public Cloud
  - Cloud Security Penetration Testing
- 3. About Cloud:
  Cloud computing is the on-demand delivery of IT resources over the Internet with pay-as-you-go pricing. Instead of buying, owning, and maintaining physical data centers and servers, you can access technology services, such as computing power, storage, and databases, on an as-needed basis from a cloud provider (like AWS or Azure).
  - Benefits of Cloud Computing:
    - Agility
    - Elasticity
    - Cost savings
    - Deploy globally in minutes
  - Cloud Deployment Models:
    - Private Cloud
    - Public Cloud
    - Hybrid Cloud
  - Cloud Services:
    - Software as a Service (SaaS)
    - Platform as a Service (PaaS)
    - Infrastructure as a Service (IaaS)
- 6. Critical Threats as per Cloud Security Alliance:
  - Data Breaches
  - Data Loss
  - Account Hijacking
  - Insecure APIs
  - Denial of Service
  - Malicious Insiders
  - Abuse of Cloud Services
  - Insufficient Due Diligence
  - Shared Technology Issues
- 11. Cloud Security Penetration Testing:
  - Static Application Security Testing (SAST)
  - Dynamic Application Security Testing (DAST)
  - Microsoft Secure Software Development Life Cycle:
    - Application Programming Interface (API) (e.g. HTTP/HTTPS)
    - Web and mobile applications that are hosted by your organization
    - The application server and associated stack
    - Virtual machines and operating systems
  - Basic Security Checks/Tools:
    - AWS Inspector
    - Nmap
    - Identify misconfigured S3 buckets
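The slide lists "identify misconfigured S3 buckets" as a basic check without showing what "misconfigured" means in practice. The following script is an added example (not code from the original deck) that triages the three settings that decide whether a bucket is reachable by the public: the bucket policy, the legacy ACL grants, and the Public Access Block flags. It works offline on data in the shape the AWS API returns (what `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` give you); the three sample buckets, their names and the `vpce-EXAMPLE` condition value are constructed for the demonstration.

```python
"""Offline triage of S3 bucket settings for public exposure.

Added example for this deck, not code from the original slides. It takes the
bucket policy, ACL and Public Access Block settings in the shapes the AWS API
returns them and reports why a bucket may be reachable by the public. The
sample buckets at the bottom are constructed.
"""

# Canned ACL group URIs that mean "everyone" (anonymous) or "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
# All four Public Access Block flags must be true for the guardrail to hold.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy fields such as Action and Statement may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True when the statement's Principal is '*' or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def check_policy(policy):
    """Flag Allow statements granted to everyone; a Condition lowers severity to 'review'."""
    findings = []
    for stmt in _as_list((policy or {}).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action")))
        if stmt.get("Condition"):
            # e.g. aws:SourceVpce or aws:SourceIp can make a '*' principal legitimate
            findings.append(("review", "policy", f"public principal with condition: {actions}"))
        else:
            findings.append(("high", "policy", f"unconditional public access: {actions}"))
    return findings


def check_acl(acl):
    """Flag ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in (acl or {}).get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            findings.append(("high", "acl", f"{grant.get('Permission')} granted to {PUBLIC_GROUPS[uri]}"))
    return findings


def check_public_access_block(pab):
    """Flag any Public Access Block flag that is missing or false."""
    pab = pab or {}
    off = [flag for flag in PAB_FLAGS if not pab.get(flag, False)]
    return [("medium", "public-access-block", f"not enforced: {', '.join(off)}")] if off else []


def audit_bucket(bucket):
    """Combine all checks for one bucket record; an empty list means nothing public was found."""
    return (check_policy(bucket.get("Policy"))
            + check_acl(bucket.get("Acl"))
            + check_public_access_block(bucket.get("PublicAccessBlock")))


# Constructed sample data in the shape the AWS API returns it (names and IDs are made up).
SAMPLE_BUCKETS = [
    {   # world-readable through the bucket policy, no guardrail
        "Name": "example-public-assets",
        "Policy": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-public-assets/*"}]},
        "Acl": {"Grants": []},
        "PublicAccessBlock": {},
    },
    {   # no policy, but a legacy ACL grants READ to everyone
        "Name": "example-legacy-acl",
        "Policy": None,
        "Acl": {"Grants": [{"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
        "PublicAccessBlock": {flag: True for flag in PAB_FLAGS},
    },
    {   # '*' principal restricted to a VPC endpoint, all block flags on: needs review, not alarm
        "Name": "example-vpc-only",
        "Policy": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-vpc-only/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]},
        "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-EXAMPLE"},
                            "Permission": "FULL_CONTROL"}]},
        "PublicAccessBlock": {flag: True for flag in PAB_FLAGS},
    },
]


def audit_all(buckets=SAMPLE_BUCKETS):
    """Return {bucket name: [(severity, source, detail), ...]} for every bucket."""
    return {b["Name"]: audit_bucket(b) for b in buckets}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else "")
        for severity, source, detail in findings:
            print(f"  [{severity}] {source}: {detail}")
```

The policy check deliberately separates an unconditional `"Principal": "*"` (high) from one carrying a Condition (review): a statement scoped to `aws:SourceVpce` or `aws:SourceIp` is a common, legitimate pattern, and reporting it as public would bury real findings in noise. Missing Public Access Block flags are reported even when the policy and ACL look clean, because that setting is what stops a later policy change from exposing the bucket.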
- 12. Prerequisites before Cloud Penetration Testing:
  https://aws.amazon.com/security/penetration-testing/
  - Legal Requirements:
    - Penetration testing must comply with local and national law.
    - Written and signed client authorization must be obtained.
    - During penetration testing, data and PII must be handled as per GDPR (European), PDPA or the country-specific Data Privacy Act.
  - AWS Customer Support Policy for Penetration Testing:
    Permitted Services:
    - Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
    - Amazon RDS
    - Amazon CloudFront
    - Amazon Aurora
    - Amazon API Gateways
    - AWS Lambda and Lambda@Edge functions
    - Amazon Lightsail resources
    - Amazon Elastic Beanstalk environments
    Prohibited Activities:
    - DNS zone walking via Amazon Route 53 Hosted Zones
    - Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
    - Port flooding
    - Protocol flooding
    - Request flooding (login request flooding, API request flooding)
- 15. Cloud Penetration Testing Method:
  - Cloud penetration testing uses industry-proven methodologies:
    - Open Source Security Testing Methodology Manual (OSSTMM)
    - NIST Cyber Security Framework - NIST SP 800-115
    - OWASP Testing Guide
- 16. Reconnaissance and Research:
  - Standard reconnaissance, such as records, web, network, and IP/port fingerprinting.
  - Additional information gathering using OSINT, people, and social media.
  - Leverage DNS records: MX, NS, SPF, TXT, CNAME, A.
  - Look for cloud credentials, such as API keys and storage account keys.
  - Identify DNS records for S3 buckets, e.g. abc.s3.amazonaws.com.
  - Enumerate all the backend API calls.
  - Conduct research on:
    - Known vulnerabilities
    - Common misconfigurations
    - Exploitation tools and methods
    - Review security bulletins published by the CSP
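The reconnaissance slide notes that cloud credentials such as API keys are something a tester looks for; the mirror image on the defending side is scanning your own repositories and CI output so such keys never reach the public in the first place. The script below is an added example (not code from the original deck) of that check for AWS keys. The two regular expressions are the commonly used heuristics for the AWS key formats (access key IDs start with `AKIA`, temporary ones with `ASIA`; secret keys are 40 base64-alphabet characters); the sample config is constructed and uses the placeholder key values that appear in AWS's own documentation, plus a git SHA-1 to show why a bare 40-character rule is not enough.

```python
"""Detect AWS credentials committed to source or config files.

Added example for this deck, not code from the original slides. Run it over
your own repositories or build logs to catch the kind of leaked key the
reconnaissance phase looks for. The patterns are the commonly used heuristics
for AWS key formats; the sample config is constructed from the placeholder
values used in AWS documentation.
"""
import re
import sys

# Long-lived access key IDs begin with AKIA, temporary (STS) ones with ASIA,
# followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# A secret access key is 40 characters of the base64 alphabet. On its own that
# also matches git hashes and similar, so only report it when a "secret"-named
# assignment precedes it.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[a-z_]*\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def redact(value):
    """Keep only enough of the value to recognise it in a report, never the whole key."""
    return value[:4] + "..." + value[-4:]


def scan_text(text, source="<input>"):
    """Return one finding per matched credential: (source, line number, kind, redacted value)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((source, lineno, "aws_access_key_id", redact(match.group(1))))
        for match in SECRET_KEY_RE.finditer(line):
            findings.append((source, lineno, "aws_secret_access_key", redact(match.group(1))))
    return findings


def scan_files(paths):
    """Scan several files; unreadable files are skipped rather than aborting the whole run."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), source=path))
        except OSError:
            continue
    return findings


# Constructed sample: the key values are the placeholders used in AWS documentation,
# and the last line is a SHA-1 that a naive 40-character rule would misreport.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
last_commit = da39a3ee5e6b4b0d3255bfef95601890afd80709
"""


def scan_sample():
    """Run the scanner over the constructed sample config."""
    return scan_text(SAMPLE_CONFIG, source="sample.ini")


if __name__ == "__main__":
    # With file arguments, scan them; without, demonstrate on the sample.
    results = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_sample()
    for source, lineno, kind, value in results:
        print(f"{source}:{lineno}: {kind} {value}")
    # Non-zero exit lets a CI job or pre-commit hook fail the build on a hit.
    sys.exit(1 if results else 0)
```

Run as `python scan_keys.py path/to/file ...` from a pre-commit hook or CI step; the non-zero exit code blocks the commit or build when a key is found, and the report shows only the first and last four characters so the finding itself does not re-leak the credential.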
- 18. References:
  - Cloud Security Alliance (CSA)
  - https://aws.amazon.com/compliance/csa/
  - https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project