The Dangers of Neglecting Cloud Pentesting

Cloud providers handle the technical end of security quite well. But cloud environments can still be exploited. Most of the time, it’s end users that are the problem.

Valentina Flores

December 14, 2021

It’s not exactly news that cloud computing is exploding. It’s estimated that 94% of all workloads are currently processed by cloud data centers. By 2025, the global cloud computing market is projected to be valued at an astonishing $832 billion, storing over 100 zettabytes of data.

This trend makes sense. You can spin up a cloud server in mere minutes, and only pay for what you use. It’s fast, convenient, and endlessly scalable.

But it can also be exploited. Most IT professionals assume that their cloud provider, whether it’s AWS (Amazon Web Services), Microsoft Azure, or Google Cloud, handles cybersecurity on their behalf. And they do, to a certain extent: they keep the underlying infrastructure updated and patch vulnerabilities in it daily. The technical end is handled quite well.

What cloud providers can’t control, however, are the end users. It turns out that you – yes, you – are the problem.

The vast majority of cloud vulnerabilities are user-caused misconfigurations. For example, an AWS user may create an S3 (Simple Storage Service) bucket and unintentionally set it to be accessible by the public. Anyone on the internet can then reach the data in that bucket, attackers included.

Cloud providers allow admins to get very fine-grained with their permissions, which is laudable. However, admins sometimes don’t understand the nuances of these permissions. They may assume that checking a box to make a file “public” means only people within the organization can access it, when it actually means anyone across the globe can get in.

Or an admin may get tired of user requests for additional permissions and decide to save time by giving everyone access to everything. If one of those employees gets hacked, the attacker can now breach the entire cloud.

Other user-caused vulnerabilities include people sharing their passwords (intentionally or unintentionally) or choosing weak passwords. Some applications are insecure at the code level, so if such an application is deployed in the cloud, the cloud environment inherits that weakness.

What’s a cybersecurity professional to do?

Start with penetration testing. Most companies undergo an annual pentest on their publicly facing external assets (only). What many people don’t know is that penetration testing can (and should) be done on cloud environments as well. It’s a newer technique, so IT professionals are often not aware that it’s even an option. This is not something the cloud providers do as part of their service – it’s up to each cloud customer to pentest their own environment.

Cloud pentesting largely works by policy-matching; that is, by checking the company’s cloud permissions to make sure they’re set the way they should be. A good cloud pentester will check for open S3 buckets, ensure that multi-factor authentication is turned on, attempt privilege escalation, and much more.
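The policy-matching checks described above (and the public-bucket and “everyone gets everything” misconfigurations from earlier in the article) can be expressed as simple rules run over configuration documents. The following is an added example, not code from the original article or from any pentesting product: it works offline on constructed inputs shaped like an S3 bucket policy, an S3 ACL grant list, an IAM policy, and rows from an IAM credential report, and flags the findings a cloud pentester would look for first. The sample policies, account id, user names and role name are all constructed for the example.

```python
"""Offline policy-matching checks of the kind a cloud pentest performs.

Added example. The inputs are constructed documents shaped like the AWS
S3 bucket policy, S3 ACL grant, IAM policy and IAM credential report
formats; nothing here talks to AWS, and findings come back as plain values.
"""
import json

# Real AWS group URIs that make an S3 ACL readable by the whole world
# (AllUsers) or by any AWS account holder (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _load(policy):
    """Accept either a JSON string or an already-parsed policy dict."""
    return json.loads(policy) if isinstance(policy, str) else policy


def _principal_is_public(principal):
    # "*" or {"AWS": "*"} means any principal at all. A Condition block can
    # narrow that, so a hit is a finding to review, not proof of exposure.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Sids (or stmt-<index>) of Allow statements granted to any principal."""
    hits = []
    for i, st in enumerate(_as_list(_load(policy).get("Statement", []))):
        if st.get("Effect") == "Allow" and _principal_is_public(st.get("Principal")):
            hits.append(st.get("Sid", f"stmt-{i}"))
    return hits


def public_acl_grants(grants):
    """(URI, permission) pairs for ACL grants to the AllUsers/AuthenticatedUsers groups."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
    ]


def admin_wildcard_statements(policy):
    """Sids of Allow statements granting Action '*' on Resource '*' (full admin)."""
    hits = []
    for i, st in enumerate(_as_list(_load(policy).get("Statement", []))):
        if (st.get("Effect") == "Allow"
                and "*" in _as_list(st.get("Action", []))
                and "*" in _as_list(st.get("Resource", []))):
            hits.append(st.get("Sid", f"stmt-{i}"))
    return hits


def users_without_mfa(credential_report_rows):
    """Console-enabled users with no MFA device, from credential-report-style rows.

    The IAM credential report uses the columns `user`, `password_enabled`
    and `mfa_active` with string values 'true'/'false'; key-only users
    (no console password) are out of scope for this particular check.
    """
    return [
        r["user"] for r in credential_report_rows
        if r.get("password_enabled") == "true" and r.get("mfa_active") != "true"
    ]


# --- constructed sample inputs (not real resources) -------------------------
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
SAMPLE_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Everything", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SAMPLE_CREDENTIAL_REPORT = [
    {"user": "alice", "password_enabled": "true", "mfa_active": "true"},
    {"user": "bob", "password_enabled": "true", "mfa_active": "false"},
    {"user": "ci-bot", "password_enabled": "false", "mfa_active": "false"},
]


def run_checks(bucket_policy=SAMPLE_BUCKET_POLICY, acl_grants=SAMPLE_ACL_GRANTS,
               iam_policy=SAMPLE_IAM_POLICY, report=SAMPLE_CREDENTIAL_REPORT):
    """Run every check and return the findings as one dict."""
    return {
        "public_policy_statements": public_policy_statements(bucket_policy),
        "public_acl_grants": public_acl_grants(acl_grants),
        "admin_wildcard_statements": admin_wildcard_statements(iam_policy),
        "users_without_mfa": users_without_mfa(report),
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

In practice the inputs would come from the provider’s APIs (the bucket policy, the ACL, the IAM policies and the credential report), and an automated tool reruns these rules continuously so a newly introduced misconfiguration is reported as soon as it appears. The principal check is deliberately conservative: a `Principal: "*"` statement narrowed by a `Condition` is still returned as a finding to review, because misreading such conditions is exactly the kind of permission nuance the article warns about.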

While performing pentests on your cloud environments (as well as your web applications, internal environment, and external assets) will certainly go a long way toward keeping data out of nefarious hands, IT experts should be intentional about what kind of cloud pentesting expertise they engage. There are two main options: manual and automated.

Many companies offer manual pentests, which typically cost in the low five figures and can take around four weeks to complete. There can be widely varying skill levels among these pentesters. Big companies may introduce their customers to their experienced, A-list ethical hackers, but it may be someone far more junior who is handling the project. When hiring a firm to perform a manual pentest, be sure to ask to see the bios of the team members who will actually be doing the work.

If your manual pentest doesn’t find any vulnerabilities, don’t assume you’re in great shape and never have to undergo a pentest again. Of course, new misconfigurations pop up daily. And there’s also a chance the company or the pentester assigned to your project may have missed something. One solution is to use a different company every year, almost like going to a different doctor to get a second opinion.

Automated pentests are typically much faster and more affordable than manual ones. They can run continuously, so you’re notified as soon as a misconfiguration occurs. These tools are consistent among customers, so you don’t have to worry about the skill of the person assigned to you. Of course, any technology is only as effective as the team that developed it, so you should do your due diligence here too. Watch a demo, try a free trial, read reviews, and ask for references.

Whether you choose a manual or automated cloud pentest, adding this tool to your cybersecurity arsenal will help ensure that user errors don’t jeopardize the security of your cloud assets.

Valentina Flores

CEO. Background in cybercrime investigation, product implementation, and enterprise program management. University of Florida BA, WGU MS.