
Best Security Testing Techniques for Cloud Systems

Choosing the right cloud option and enterprise mobility solution can enhance your security protection.

However, the IT world continues to evolve, and it’s best to constantly check the protection of your cloud rather than be caught out without data loss protection. Security testing allows you to reveal flaws in the security mechanisms in a cloud and mobility system that should protect data and maintain functionality as intended.

 


Common Security Testing Areas for Cloud Models

Penetration testing a cloud deployment can be tricky to navigate because of the shared responsibility model. Depending on the cloud model and type, it is entirely possible that your organization controls very few of the layers in the stack. Here is what you can do in each model.

Software as a Service (SAAS)

Testing is commonly limited to ensuring that interactions with the application interface are properly secured, that API keys are managed appropriately, and so on. Tools such as WebScarab and Burp can be extremely helpful in analysing this interaction. Look for agents that do little to secure their own deployment. Is the agent simply a set of scripts that can be easily modified? Can the agent easily be turned against the local system? Does the solution have any way of verifying whether the agent has been compromised? You may be surprised by what you find.

Platform as a Service (PAAS)

It can be hard to perform security testing in a public PAAS environment as testing can potentially impact other tenants as well as the provider. There are a few possible ways around this problem:

• Focus on code review and full white box testing of the development environment

• Review the development software with your vendor or through Bugtraq

• Test your application’s code solely for SQL injection and cross-site scripting

Infrastructure as a Service (IAAS)

The cloud is typically shared space, so you cannot count on your IP address range being contiguous. While IP addresses are usually only revealed during white box testing, exceptions can be made to ensure uninvolved third parties do not receive collateral probing. A technique called introspection tests the hypervisor of the virtual machine (VM) and could potentially lead to access on every VM the vendor hosts. While this can help augment security, it can also create points of insecurity and should only be done with the vendor’s awareness.
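An added example (not from the original article) of a pre-test scope check for the IaaS case above: it accepts only targets that fall entirely inside the addresses confirmed as yours, so a sweep across a gap in a non-contiguous allocation never reaches another tenant. The scope entries, target list and function names are constructed for illustration and use documentation address ranges.

```python
import ipaddress

# Constructed sample scope: addresses the provider confirmed as yours.
# Cloud allocations are often scattered, so scope is a list, not one range.
AUTHORIZED_SCOPE = ["203.0.113.10", "203.0.113.12", "198.51.100.64/30"]


def load_scope(entries):
    """Parse scope entries (single IPs or CIDR blocks) into network objects."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def check_targets(targets, scope_entries):
    """Split targets into (in_scope, rejected); rejected items carry a reason."""
    scope = load_scope(scope_entries)
    in_scope, rejected = [], []
    for raw in targets:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append((raw, "not a valid IP address or CIDR block"))
            continue
        same_family = [s for s in scope if s.version == net.version]
        if any(net.subnet_of(s) for s in same_family):
            # Every address in the target is covered by one scope entry.
            in_scope.append(str(net))
        elif any(net.overlaps(s) for s in same_family):
            # Partly yours, partly someone else's: refuse the whole range.
            rejected.append((raw, "range extends beyond authorized addresses"))
        else:
            rejected.append((raw, "not in authorized scope"))
    return in_scope, rejected


if __name__ == "__main__":
    # Constructed target list: .11 sits in the gap between two owned hosts.
    planned = ["203.0.113.10", "203.0.113.11", "203.0.113.10/31",
               "198.51.100.65", "bogus"]
    ok, bad = check_targets(planned, AUTHORIZED_SCOPE)
    print("in scope:", ok)
    for target, reason in bad:
        print("rejected:", target, "-", reason)
```

Feed only the `in_scope` list to your testing tools, and send the same list to the provider when requesting authorization.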

Process of Security Testing

Here’s a general process you can follow for security testing.

1. Identify Targets

Before you start testing, identify what it is you specifically want to test. Consider, for example, all of the systems that make up your platform, and the main dashboard applications used.  

2. Select Testing Tools

Select tools that will help automate the testing and meet your criteria. Consider these measures:

• Ability to identify vulnerabilities

• Flexibility of reporting mechanism

• Ability to test the framework of your applications

3. Where to Run Them?

Determine where specifically in your cloud environment you want to run tests:

• SAAS/PAAS/IAAS

• Instance in the same/different cloud

• Traditional hosting environment

• Physical system on your network

4. Get Cloud Provider Authorization

You may need authorization from your provider to perform security testing. If you are with Vita Enterprise Solutions, submit a Helpdesk Request, or phone 1300 139 310. We may require the IDs and IPs and source of testing, so that if our internal security alerts are triggered during testing, we don’t think it is a policy violation, and don’t cause port blocking, which would affect the test results.

5. Execute the Test

While the general methodology will differ based on the tools you use, it is best to perform all testing in both an authenticated state and an unauthenticated state.

6. Communicate Results

Having completed your security testing, you should write a summary report that includes details of the vulnerabilities from each of the tools as appendices. Including details along with the final report allows stakeholders to review the overall testing methodology and findings, as well as dig down into the details of any vulnerabilities found. Share the feedback from the testing with the appropriate engineering, operations, or management teams. The most important part is to get the appropriate information to the people who can get the system services or applications fixed in a timely manner.

Summary

Security testing should be formalized within your organization as an integral part of the IT culture. There will always be issues, as nothing is absolutely secure, but trying to stay ahead of the curve is a worthy cause. With a formal process, you can make it a regular occurrence, thus enhancing your security program and likely meeting many practical as well as compliance requirements. At Vita Enterprise Solutions, we can work with you to ensure that there is ongoing security testing! Talk to Vita Enterprise Solutions about any decision to test your cloud environment on 1300 139 310 or enquire online.
