Cloud penetration testing is the practice of actively probing a cloud system by simulating an attacker, in order to find and confirm weaknesses before a real adversary does. Security in the cloud is a shared responsibility between the cloud service provider and the customer who pays for the service, and the part of the stack a customer may test depends on the service model. In a SaaS environment the customer owns only its configuration and data, so testing the provider's infrastructure is generally not permitted; in PaaS and IaaS the customer controls more of the stack and testing is generally allowed, subject to the provider's testing policy and prior coordination with the provider. Security monitoring should run continuously, not only during a test, to keep an eye on threats, risks, and vulnerabilities.
What is the purpose of Cloud penetration testing:
The goal of cloud penetration testing is to determine a cloud system's strengths and weaknesses in order to improve its overall security posture. A cloud penetration test helps to:
- Identify risks, vulnerabilities, and gaps in the configuration and controls.
- Demonstrate the impact of exploitable flaws, not merely their presence.
- Determine how far an attacker could get with the access gained through exploitation.
- Deliver remediation guidance that is clear and actionable.
- Show which best practices are needed to maintain visibility into the environment.
Checklist of Penetration Testing in cloud computing:
- Check whether Active Directory administrators log on to untrusted systems (non-domain-controllers, regular workstations, member servers). Domain admin logons should be restricted to a small set of dedicated, hardened servers.
- Examine the Service Level Agreement (SLA) to confirm that the Cloud Service Provider (CSP) and the client have agreed on the relevant security policies, and keep a record of which party is responsible for maintaining each cloud resource.
- Verify the division of responsibility between the CSP and the subscriber for governance and compliance (the shared responsibility model).
- Check that the computer and Internet usage policy is actually enforced, not just documented.
- Verify that data stored on cloud servers and storage services is encrypted at rest by default.
- Verify that two-factor authentication is enforced for access to the cloud console and services, and that the second factor (for example a one-time password) is actually validated server-side rather than only prompted for.
- Inspect the TLS certificates presented by cloud service endpoints (the "SSL" certificate behind the https URL) and confirm they are issued by a trusted Certificate Authority, match the hostname, and have not expired.
- Using appropriate security controls, check the components of the access points, data center, and end-user devices.
- Analyze the guidelines and standards governing disclosure of personal information to third parties.
- Where applicable, check whether the CSP permits cloning of virtual machines, and under what conditions.