You may have moved data to the cloud. But that doesn’t mean your responsibilities for securing it are gone.
Eager to embrace the cloud’s efficiency, organizations often solely rely on their cloud-service providers to secure data.
Alarmingly, when it comes to cloud security, data from 2017 indicates that almost 60 percent of cloud-utilizing enterprises don’t know the location of their stored data or whether it’s secure, TechRepublic reported. Such cloud storage confusion is leading to major security issues.
Organizations and cloud-service providers must secure data together to prevent breaches from occurring. And the importance of penetration testing in doing so remains constant.
In a hybrid cloud environment, where some data is stored locally while some lives in the cloud, security must be assessed wherever information resides. Penetration testing probes for weaknesses that could compromise security, perhaps leading to a data breach.
If your network extends into the cloud, you need to replicate your testing anywhere you have access to your sensitive data. On-premises penetration testing is not enough.
When your organization stores sensitive information on behalf of customers, like medical or financial records, you are not just responsible for protecting their data; you also must ensure that all of your outsourcing venues are following proper protocol.
Customers demand security.
Your customers want to know that their information is secure. They may take their business elsewhere if it is not.
Penetration testing of your application servers that are on-premises, where sensitive and regulated data is often stored, is important. But testing the cloud server is also important, particularly if that valuable information is stored there instead.
Testing mitigates risks.
Your organization is opening itself to the risk of a breach if you don’t test for vulnerability. With companies experiencing an average of more than one cyberattack per month, incurring annual costs of approximately $3.5 million as a result, this is a risk that you may not be able to afford. (Survey sponsored by BrandProtect and conducted by the Ponemon Institute.)
It is important to conduct regular penetration tests on all IT systems, particularly as organizations use more cloud-based infrastructure and applications, according to an InfoSec Institute article on penetration testing and cloud platforms. Such testing also may be required, like to maintain a PCI certification.
Regulators require compliance.
Depending on your industry, regulators may require penetration testing for on-prem/cloud hybrid systems, like with PCI certification. If a company that processes payments is not PCI-compliant, it can lose customers, face fines, and lose the ability to accept credit cards. Similarly, if your organization is in healthcare, you must comply with regulations such as HIPAA and HITECH.
Cloud data may not be configured properly.
Leaving data unencrypted on the cloud is a common mistake, CSO reported about cloud security controls, citing cloud security research by RedLock’s Cloud Infrastructure Security team. RedLock’s CSI found that 82 percent of databases in the public cloud are not encrypted and that 40 percent of organizations have inadvertently exposed at least one public cloud service due to misconfiguration.
According to CSO, improperly configured cloud environments contributed to data breaches that compromised millions of records. Penetration testing helps you identify and address vulnerabilities before they become liabilities.
Your standards may not be your cloud provider’s standards.
You control the standards when it comes to maintaining security on your premises. But you relinquish some of that control when outsourcing to a cloud-services provider. Penetration testing helps you assess a provider’s security.
When managing security risks in a hybrid cloud environment, consider factors like the following as part of penetration testing and risk assessments.
Physical access—Who can actually get to the physical cloud servers? And are the security measures for preventing unauthorized access adequate?
User access—Are there controls on where users can log in from and what they can access when they log in? Such security is vital, given that users could potentially access cloud resources from any online device.
Testing depends on your service.
The kind of service you pay for determines the degree to which you can test your cloud environment.
Best practices for cloud penetration testing vary based on whether you are paying for Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or Infrastructure-as-a-Service (IaaS).
- IaaS—You have control of the virtual machine, meaning you can test to the fullest extent possible.
- PaaS—Your testing is limited primarily to the application and interface. The provider sets up the environment.
- SaaS—Your only testing opportunities are the application interface and API key management. Otherwise, the provider gives you a turnkey solution.
Protecting against data breaches and maintaining compliance require constant vigilance. If you store any data in the cloud, you must confirm that your service provider’s security is as stringent as your on-premises security. Penetration testing for hybrid cloud environments helps you assess the security of your data wherever it is stored.
Want to learn more about penetration testing for on-prem/cloud environments? Contact us for a free consultation.