Cloud Computing Security – PENTESTING THE CLOUD
Diogenes S. De Jesus, CEH, Security+

Agenda
• Cloud Computing Intro
• Pentesting the Cloud
• Advice
• Q&A

Cloud Characteristics
• On-demand self-service
• Broad network access
• Resource pooling (multi-tenant model)
• Rapid elasticity
• Measured service
Source: NIST – National Institute of Standards and Technology

Service Models
• Cloud Software as a Service (SaaS)
• Cloud Platform as a Service (PaaS)
• Cloud Infrastructure as a Service (IaaS)
Source: NIST – National Institute of Standards and Technology
What does Security see in all this?
• Cloud computing moves slices of organizational data outside the company’s perimeter – out of the company’s control.

Security control in the cloud
[Figure: shared-responsibility diagram comparing SaaS, PaaS and IaaS, showing which security controls fall to the Customer and which to the CSP]

Vulnerability trend
[Figure: vulnerability trend chart. Source: SANS]
IaaS: Amazon AWS
[Figure: AWS Vulnerability / Penetration Testing Request Form]

IaaS: Amazon
[Figure: DoS (Source)]

IaaS: specifics
• The TOS explicitly excludes some tests we would normally do
• The tests are more analytical and less ./execute
• Some CSPs exclude certain tests, others may not
• Tests tend to be customized to meet CSP demands

PaaS: Windows Azure
Cloud OS as a Service (OSaaS). Source: MSDN

PaaS: specifics
• Check the contract and TOS for specific backend tests
• Testing one platform doesn’t necessarily give you the right to test other APIs
• Windows platform and SQL backend
• Frontend and backend are different infrastructures for the CSP
• Particularly bad for WebApp vulnerability assessment

SaaS: pentest?
• Most likely no test
• Availability depends on the CSP
ADVICE
[Figure: payment flow diagram, steps 1–5: Customer → Merchant (eShop) → Payment Gateway → Issuing Bank]

ADVICE
[Figure: same payment flow with a Cloud Provider in the Merchant’s place, steps 1–5: Customer → Cloud Provider → Payment Gateway → Issuing Bank]

ADVICE
• Am I allowed to run tests through third parties?
• Which tests can I run on the CSP?
• How flexible is the customization of contracts?

ADVICE
• Where is your cloud located, and where is our data physically stored?
• Compliance with regional laws;
• Can the data be exported to another CSP?
• Risk of vendor / data lock-in;
• Virtualization through instance-level isolation?
• Data leakage;
• Application conflicts;

ADVICE
Some other questions the Cloud Provider should be asked:
• Is there a DoS mitigation system in place?
• What about packet sniffing by other tenants?
• Is your cloud designed to be a disaster-tolerant solution?
• How are your backups made? How long does a full system restore take?
• Do you have a security policy and related standards?
• When was the last time you tested your BCP and DRP?
• How quickly can you increase the performance of your cloud? How quickly do we get the required resources?
• How many security incidents have you had in the past, and of which kind?
• What is your downtime per year?
Wrap up
• The cloud is a reality, and pentesting it isn’t much different
• Pentests / vulnerability assessments will still be needed to meet compliance requirements
• Specifics to the cloud:
  • Work with the CSP: a good SLA helps in doing good tests
  • The multi-tenant model brings its own limitations and risks to the CSP
  • Attacks must be carried out carefully to mitigate impact on other tenants
  • Watch out for compartmentalized architectures (PaaS)
  • SaaS limitations
• Future
  • Separation of duties – third-party testers

Q&A