The world of software development has been undergoing revolutionary changes in recent years. The transition from monolithic applications to a microservices environment running on containers requires a different approach to information security.
The current approach is that security procedures originally imposed on IT and information security teams are shifting to the development environment, which means that responsibility for how well the code is hardened also rests with the developers. In addition, the rapid pace of development requires testing for weaknesses during the development stage instead of waiting until it ends.
The leading Cloud Service providers are:
- Amazon (AWS): Their cloud services are called Amazon Web Services. They provide a comprehensive solution for the customer. The main advantage of AWS lies in the large user community and the platform’s maturity, which helps large organizations because of the wealth of services and business partners.
- Google (GCP): The cloud services are called the Google Cloud Platform. Most people who choose this platform do so because of the integration and support for open source systems. In addition, the system has strengths in the field of machine learning as well as applications initially written for the cloud.
- Microsoft (Azure): Microsoft’s cloud services are widespread because they integrate with the rest of the company’s development services. In addition, they enable a hybrid work environment thanks to the ability to set up a Domain Controller in Azure. This advantage allows for effortless synergy in organizations that also use On-Premise servers.
- To all these, we must add the Nimbus project, which is to provide cloud services to Israeli government ministries. Nimbus will be subject to the laws of the State of Israel and will inevitably cause the migration of many systems to the cloud within the territory of Israel.
Who would be likely candidates for Penetration Tests for Cloud Systems?
- Organizations that understand the need for security checks at all levels of code.
- DevOps teams that seek a testing protocol that integrates with developers and the various security teams.
What are the advantages of performing Penetration Tests for Cloud Systems?
- The examination of the developed code and interfaces is professional and objective.
- The examination provides a full response to the customer, with a comprehensive view of the system that includes both static and dynamic testing.
- A professional Penetration tester examines the system, and the client receives a formal list of findings and guidelines for handling the weaknesses that are discovered.
What are the highlights of the test?
The tests are carried out in accordance with the NIST methodology, which constitutes the international standard in the field as well as the best practice of cloud providers, and include an examination of the following topics:
- Accountability & Data Risk.
- User Identity Federation.
- Legal & Regulatory Compliance.
- Business Continuity & Resiliency.
- User Privacy & Secondary Usage of Data.
- Service & Data Integration.
- Multi-tenancy & Physical Security.
- Incidence Analysis & Forensics.
- Infrastructure Security.
- Non-production Environment Exposure.
A Cloud Penetration Test requires a tester with experience in cloud environments. Professional expertise decisively impacts the number of findings and the ability to assess their severity. Professionalism must never be trifled with! Always verify that the pentester is a company employee, has the necessary certifications, and has professional liability insurance.