Best Practices to Protect Your Organization’s Cloud Assets

Overview 

Nearly every organization is talking about moving to the cloud, developing a strategy to move to the cloud, in the process of moving to the cloud, or already all in on the cloud. Where do you fall in this journey?  

Join two of NetSPI’s cloud security experts, VP of Research Karl Fosaaen and former CISO/Managing Director Bill Carver to learn if your cloud assets are as protected as you think they are. 

Key highlights:

Moving to the Cloud 

Cloud security is challenging, and many companies are behind in protecting their cloud assets. Part of the reason is that for years, the cloud was seen as a buzzword, and companies often thought it wouldn’t have much of an impact from a security perspective. Even some experienced security professionals have minimized or overlooked the security challenges associated with the cloud.  

Now, nearly every organization is either: 

  • Talking about moving to the cloud 
  • Developing a strategy to move to the cloud 
  • In the process of moving to the cloud 
  • Already in the cloud 

However, from a security perspective, the narrative has often been:

  • Cloud providers are taking care of security 
  • Cloud security is the same as traditional security 
  • Cloud security expertise has kept pace 
  • Outsourcing your assets reduces risk 

In some cases, individuals within companies have taken shortcuts by adopting the cloud and using cloud applications without information security oversight, which presents significant risks from a security perspective. And this leaves security professionals behind in implementing best practices to effectively protect organizations’ cloud assets. 

Are Your Cloud Assets as Protected as You Think? 

Given the momentum behind moving to the cloud and the fact that most security teams have been slow to respond, cloud assets likely aren’t as protected as some may think.  

Some challenges with securing cloud assets include:

  • Despite available resources, there are still many ways to configure services incorrectly 
  • Public and non-public breaches seem to happen weekly, and the maturity of information security programs doesn’t seem to influence the likelihood of a breach  
  • A single mistake in a cloud environment could be disastrous 
  • Many of the technologies and designs that have resulted in recent cloud breaches are used in most environments  

Common Cloud Security Challenges  

At NetSPI, our expert human pentesters regularly run cloud penetration tests against client environments. A common pattern is that similar issues are found across different platforms, environments, and verticals.  

Top challenges include:

  • Credentials can be obtained from numerous sources: By exploiting common vulnerabilities, public data exposures, and active credential guessing attacks, attackers can gain access to cloud environments.  
  • Properly configuring permissions can be difficult: Security can often take a backseat when developers are trying to be agile. 
  • Integrating cloud can create risk for on-premises technology: By integrating cloud and on-premises environments, organizations are making it easier for attackers to pivot into traditional (often less secure) network resources.

How You Can Protect Yourself 

Given the challenges related to cloud security, it’s important for organizations to understand how to protect against risks. A key to effective cloud security is to shift the mindset away from thinking that the cloud is the same or similar to traditional infrastructure.  

As more breaches happen across organizations, this mindset is changing and security teams are thinking more about cloud-centric activities like conducting risk assessments of cloud infrastructure, establishing recurring processes and methodologies, and adopting and documenting cloud security control checklists. 

Some steps organizations and security teams can take to protect cloud assets include:  

  • Practice proper cloud hygiene  
    • Define requirements 
    • Isolate your development, staging, and production environments 
    • Limit privileges in all environments 
  • Test regularly and fully 
    • Penetration test all the layers of your environment 
    • Utilize cloud configuration reviews  

How Cloud Penetration Testing Differs from External Network Penetration Testing 

Compared with External Network Penetration Testing, which is closer to a traditional review of the environment, Cloud Penetration Testing focuses on all of the standard issues we look for on any cloud service. 

While many penetration testing deliverables are applicable to both external and cloud pentesting, some additional deliverables specific to cloud penetration testing include:

  • Network penetration testing includes internal network layer testing of all virtual machines and services from the cloud virtual networks, along with external network layer testing of externally exposed sources   
  • Configuration of cloud services: review of firewall rules, IAM/RBAC, review of users/roles/groups/policies, review of utilized cloud services (including but not limited to, servers, databases, and serverless computing) 

Recommendations for Cloud Testing 

For cloud testing to be effective, companies and security teams need to take a proactive role in understanding the full scope of their cloud environments and the services or applications they have, and ensuring systems and services within these cloud environments are being updated.  

Once you have a grasp on the full scope of your cloud environment, some best practices for cloud testing include:

  • Ensure systems and services are updated and patched in accordance with industry/vendor recommendations 
  • Verify IAM/RBAC roles are assigned appropriately 
  • Utilize security groups and firewall rules to limit access between services and virtual machines 
  • Ensure that sensitive information is not written in cleartext to any cloud services, and encrypt data prior to storage 
  • Verify user permissions for any cloud storage containing sensitive data and ensure that the rules represent only the users who require access to the storage 
  • Ensure only the appropriate parties have access to key material for decryption purposes 

Protect Your Assets with NetSPI’s Cloud Penetration Testing  

Whether your company is at the early stages of talking about moving to the cloud, already in the cloud—or at any stage in between—prioritizing cloud security is critical to protecting your cloud assets. 

NetSPI’s Cloud Penetration Testing services can help your business identify vulnerabilities in your AWS, Azure, or GCP cloud infrastructure, reduce organizational risk, and improve cloud security. Our expert cloud pentesters follow manual and automated penetration testing processes and focus on Configuration Review, External Network Cloud Pentesting, and Internal Network Pentesting.  

Learn more about NetSPI’s Cloud Penetration Testing Services to schedule a demo to discuss in more detail.
