Cloud Computing - PowerPoint PPT Presentation

About This Presentation
Title:

Cloud Computing

Description:

Service Models. Cloud Software as a Service (SaaS) Cloud Platform as a Service (PaaS) Cloud Infrastructure as a Service (IaaS) NIST - National Institute of Standards ...

Number of Views:153
Avg rating:3.0/5.0
Slides: 25
Provided by: emms7

Transcript and Presenter's Notes

1
Cloud Computing
  • Security: Pentesting the Cloud

Diogenes S. De Jesus CEH, Security
2
Agenda
  • Cloud Computing Intro
  • Pentesting the Cloud
  • Advice
  • Q&A

3
Cloud Characteristics
  • On-demand self-service
  • Broad network access
  • Resource pooling (multi-tenant model)
  • Rapid elasticity
  • Measured Service

Source: NIST - National Institute of Standards and Technology
4
Service Models
  • Cloud Software as a Service (SaaS)
  • Cloud Platform as a Service (PaaS)
  • Cloud Infrastructure as a Service (IaaS)

Source: NIST - National Institute of Standards and Technology
5
What does Security see in all this?
  • Cloud computing will move slices of organizational data outside the company's perimeter, out of the company's controls.

6
Security control in the cloud
[Diagram: split of security control between Customer and CSP across IaaS, PaaS and SaaS]
7
Vulnerability trend
[Chart; source: SANS]
8
Typical network pentest
9
IaaS: Amazon
AWS Vulnerability / Penetration Testing Request Form

10
IaaS: Amazon

11
IaaS: Amazon

12
IaaS: Amazon

DoS (source)
13
IaaS Specifics
  • The TOS explicitly excludes some tests we would normally do
  • The tests are more analytical and less ./execute
  • Some CSPs exclude some tests, others may not
  • Tests tend to be more customized to meet CSP demands

14
PaaS: Windows Azure
Cloud OS as a Service (OSaaS)
Source: MSDN
15
PaaS specifics
  • Check the contract and TOS for specific backend tests
  • Testing one platform doesn't necessarily give you the right to test other APIs
  • Windows platform and SQL backend
  • Frontend and backend are different infrastructures for the CSP
  • Particularly bad for WebApp vulnerability assessment

16
SaaS pentest?
  • Most likely no test
  • Availability depends on CSP

17
Advice
18
ADVICE
[Diagram: payment flow between Customer, eShop / Merchant, Payment Gateway and Issuing Bank, steps 1-5]
19
ADVICE
[Diagram: payment flow between Customer, Cloud Provider, Payment Gateway and Issuing Bank, steps 1-5]
20
ADVICE
  • Am I allowed to run tests through third parties?
  • What are the tests I can run on the CSP?
  • How flexible is the customization of contracts?

21
ADVICE
  • Where is your cloud placed, where is our data physically stored?
  • Compliance with regional laws
  • Can the data be exported to another CSP?
  • Risk of Vendor / Data Lock-In
  • Virtualization through instance-level isolation?
  • Data leakage
  • Application conflicts

22
ADVICE
  • Some other questions the Cloud Provider should be asked
  • Is there a DoS mitigation system in place?
  • What about packet sniffing by other tenants?
  • Is your cloud designed to be a disaster-tolerant solution?
  • How is your backup made? How long does a full system restore take?
  • Do you have a security policy and related standards?
  • When was the last time you tested your BCP and DRP?
  • How quickly can you increase the performance of your cloud? How quickly do we get the required resources?
  • How many security incidents have you had in the past, and of which kind?
  • What's your downtime per year?

23
Wrap up
  • The cloud is a reality and pentesting isn't much different
  • Pentest / vuln. assessment will still exist to meet compliance requirements
  • Specifics to cloud
  • Work with the CSP; a good SLA will help in doing good tests
  • The multi-tenant model brings its own limitations and risks to the CSP
  • Attacks must be carried out carefully to mitigate impact issues
  • Watch out for compartmentalized architectures (PaaS)
  • SaaS limitations
  • Future
  • Separation of duties: third-party testers

24
Q&A
  • ?