With many companies migrating to Cloud computing solutions for part or all of their Information Technology infrastructure, it is important to maintain clarity on roles and responsibilities (R&R). Ultimately, your company is your responsibility, even if you outsource portions of your workflow. While you might assume a Cloud Service Provider (CSP) would have complete ownership of access and security of the Cloud environment, you would be mistaken. Once you begin establishing your business presence on their Cloud servers, you can define custom access to your systems and applications, and as such you have a role in ensuring security concerns are addressed. When it comes to Penetration Testing, you may choose to engage your CSP or another service provider, or you might perform it yourself. Regardless of who is tasked with performing Pen Testing, there are several things to consider beyond just running a scanning tool to identify weaknesses.
Start with the Contract. Your Cloud services are provided under contract between you and your CSP. This forms the base of the relationship and defines what activities each party is responsible for performing. Not all CSPs are the same, nor are all contracts identical. Some will have various tiers of service; others may provide a base offering with additional “add-on” options. Whatever your situation, it is vital to have a clear understanding of R&R, policies, service commitments, and restrictions.
- Check the Service Level Agreement (SLA) to ensure the appropriate Pen Test policy has been identified, and R&R clearly defined. In many cases, elements of Pen Testing are spread across multiple players such as the CSP and the client, so it is necessary to clearly document who does what, and when it is to be done.
- Governance & Compliance requirements need to be understood. Establish which party is responsible for defining, configuring and validating the security settings required to meet applicable regulatory controls for your business. This includes providing appropriate evidence for audits and inspections.
- Security and Vulnerability Patching and general maintenance responsibilities and timeframes need to be documented. You as the client may have responsibility for maintaining your virtual images and resources, but the CSP will likely be accountable for the underlying physical hardware systems. Both need to be actively managed, along with all network and SAN equipment.
- Computer access and Internet usage policies need to be clearly defined and properly implemented to ensure appropriate traffic is permitted while inappropriate traffic is denied at the perimeter.
- Ensure all unused ports are disabled and unused protocols are either not installed or disabled and locked down to prevent unauthorized activation.
- Encryption of data both in transit and at rest is becoming more common, but never assume. Ensure that encryption is either set as the default or that appropriate steps are implemented to activate it.
- Verify that your requirements for Two Factor Authentication and One Time Passwords are implemented and actively securing network access. Check if your CSP permits any bypass scenarios.
- SSL is only as good as the Certificate Authority (CA) that issued the certificates. Ensure SSL is active, and that a reputable CA stands behind the certificates.
- Hold your CSP accountable and validate they are using appropriate security controls for physical and logical access to the data center and the infrastructure hardware with which they provide your services.
- Know your CSP’s policy and procedures on data disclosure to third parties, covering both unauthorized access and data provided when requested or subpoenaed by law enforcement.
More than just running a scan, Pen Testing requires an understanding of your environment and of the associated roles, responsibilities and even liabilities between you and your CSP.