Cloud Computing - PowerPoint PPT Presentation
PowerPoint Slideshow about 'Cloud Computing' - noma

Presentation Transcript

Cloud Computing

Security – PENTESTING THE CLOUD

Diogenes S. De Jesus

CEH, Security+

Agenda
  • Cloud Computing Intro
  • Pentesting the Cloud
  • Advice
  • Q&A
Cloud Characteristics
  • On-demand self-service
  • Broad network access
  • Resource pooling (multi-tenant model)
  • Rapid elasticity
  • Measured Service

NIST - National Institute of Standards and Technology

Service Models
  • Cloud Software as a Service (SaaS)
  • Cloud Platform as a Service (PaaS)
  • Cloud Infrastructure as a Service (IaaS)

NIST - National Institute of Standards and Technology

What does Security see in all this?
  • Cloud computing will move slices of organizational data outside the company’s perimeter – out of the company’s control.
Security control in the cloud

[Figure: division of security control between Customer and CSP across SaaS, PaaS and IaaS]

IAAS: AMAZON

AWS Vulnerability / Penetration Testing Request Form

IAAS: AMAZON

[Figure: DoS]

IaaS: Specifics
  • TOS explicitly excludes some tests we would normally do
  • The tests are more analytical and less ./execute
  • Some CSPs exclude some tests, others may not
      • Tests tend to be more customized to meet CSP demands
PaaS: Windows Azure

Cloud OS as a Service (OSaaS)

Source: MSDN

PaaS: Specifics
  • Check the contract and TOS for specific backend tests
  • Testing one platform doesn’t necessarily give you the right to test other APIs
        • Windows platform and SQL backend
  • Frontend and backend are different infrastructures for the CSP
        • Particularly bad for WebApp vulnerability assessment
SaaS: Pentest?
  • Most likely no test
  • Availability depends on CSP
ADVICE

[Figure: payment flow among Customer, eShop / Merchant, Payment Gateway and Issuing Bank, steps 1 to 5]

ADVICE

[Figure: payment flow among Customer, Cloud Provider, Payment Gateway and Issuing Bank, steps 1 to 5]

ADVICE
  • Am I allowed to run tests through third parties?
  • What tests can I run on the CSP?
  • How flexible is the customization of contracts?
ADVICE
  • Where is your cloud located, and where is our data physically stored?
        • Compliance with regional laws;
  • Can the data be exported to another CSP?
        • Risk of Vendor / Data Lock-In;
  • Virtualization through instance-level isolation?
          • Data leakage;
          • Application conflicts;
ADVICE

Some other questions the Cloud Provider should be asked:

  • Is there a DoS mitigation system in place?
  • What about packet sniffing by other tenants?
  • Is your cloud designed to be a disaster-tolerant solution?
  • How are your backups made? How long does a full system restore take?
  • Do you have a security policy and related standards?
  • When was the last time you tested your BCP and DRP?
  • How quickly can you increase the performance of your cloud? How quickly do we get the required resources?
  • How many security incidents have you had in the past and which kind?
  • What's your downtime per year?
Wrap up
  • The cloud is a reality and pentesting isn’t much different
  • Pentest / vuln. assessment will still exist to meet compliance requirements
  • Specifics to cloud
        • Work with the CSP: a good SLA will help in doing good tests
        • The multi-tenant model brings its own limitations and risks to the CSP
        • Attacks must be carried out carefully to mitigate impact issues
        • Watch out for compartmentalized architectures (PaaS)
        • SaaS limitations
  • Future
        • Separation of duties – third-party testers