Cloud computing has influenced IT delivery services (including storage, computing, deployment, and management) with the maturity of automation and virtualization technologies. With these maturing technologies, a major obstacle in the adoption of cloud computing is security. Cloud security testing, as a relatively new service model, allows IT security testing service providers to perform on-demand application security testing in the cloud. This allows organizations to control costs while maintaining secure applications. Thus, the objective of cloud-based applications security testing is to enable these service providers to leverage cloud technologies and solutions in a secure manner.
However, challenges involving security testing in the cloud do exist. Today, I’ll highlight these challenges and let you in on a few tips to address them.
Challenge #1: Distributed Risks
The concept of the cloud implies an unlimited resource pool for sharing and utilization. Deploying applications into the cloud is a process that many expect to benefit from by leveraging distributed computing capabilities — while inheriting associated security risks at the same time. With such multi-tenancy service leasing, in which clients don’t have access to the internal operational details, the risk likelihood increases. These risks can include:
- Data segregation. The cloud concept implies shared resources (e.g., storage). Data in the cloud might be stored with other customers’ data. If the cloud misconfigures the logical isolation of client data, there is a risk of information leakage or exposure.
- Leakage of private information. An attacker can deliberately try to sneak confidential data past security policies. Encryption is effective but it is not a bulletproof solution. To prevent data leakage, protect and isolate data (at rest and in transit). Additionally, ensure that strong cloud security rules are in place.
- Service loss. Cloud services (including data) are intended to be accessible by authorized users at all times. If high availability architecture wasn’t built in the cloud, then cloud clients may experience loss of service due to a typical Denial of Service attack on a service (or simply an outage in the cloud service). In 2011, Amazon’s cloud services went down for several hours which impacted their clients.
- Malware attacks. An attacker can upload a piece of malware on their legitimate cloud instance. If the cloud isn’t hardened to protect against horizontal or vertical malware propagation, the impact is potentially catastrophic.
Fun fact: Apart from the security risks listed above, all traditional application and infrastructure security risks are still applicable to the cloud.
Challenge #2: On-Demand Services
It’s important to note that on-demand services can be considered a benefit and a challenge depending on the circumstances. There is an expectation for cloud services to be available in a timely manner, easily reachable, and capable of integrating with other components while maintaining data confidentiality. Service providers should offer assistance and tools for integration. Additionally, providers should ensure compliance so that cloud clients can run necessary tests. On the other hand, clients should selectively expose data and services for testing. They should also communicate their security policies and requirements to the cloud provider.
Challenge #3: Lack of Standards
No universally-approved method of cloud security testing currently exists. It all depends on client needs and provider offerings. Some service providers choose to focus on aspects of cloud services for their testing process that other providers wouldn’t consider to be as critical. In reality, there’s a wide range of approaches and techniques for cloud testing. As such, there should also be an expectation involving the impacts of quality of service and the pricing models.
Apply security aspects including confidentiality, integrity, and availability of cloud security testing as the building block for designing secure systems. Cloud applications need to offer security and data privacy in a cost-effective manner. Also recognize that security in the cloud isn’t limited to application components. It also involves network and data-level security, in addition to back-up and disaster recovery considerations.
IT security testing service providers and clients strongly benefit from cloud-based application threat models. Understanding the dependencies and relationships between cloud computing deployment and service models is crucial for assessing cloud security risks and controls.
Establish and enhance effective security policies to identify and implement security controls. Achieve this by combining available security best practices (e.g., CIS, NIST) to address cloud security threats and needs. Enhancing current security policies should effectively adhere to external audit requirements and security certifications—this is especially true of the cloud maturity evolution.
Maintain interoperability between components to potentially reduce manual testing workarounds, minimize overhead costs, and save time. Additionally, keep in mind the limitations of cloud components and standardized integration capabilities to effectively streamline automated testing techniques in the cloud.
The Bottom Line
Cloud-based security testing utilizes the cloud computing resources to perform testing activities on-demand. Both large and small organizations utilize this service. While testing activities in the cloud do hold some challenges, your organization can overcome these hurdles. It’s imperative that service providers work to ensure cloud security around applications, services, and data.