The elephant 🐘 in the cloud

08 Jul 2024
Aviv Cohen, CMO at Pentera

As much as we love the cloud, we fear it as well.

We love it because the cloud computing services of Amazon, Microsoft Azure, and Google have transformed operational efficiency and cost, saving money and time and relieving much of the IT burden. We also fear it because, as companies moved to the cloud, they found that their existing tools were not built for the security challenges of cloud environments.

In a perfect world, cloud security would be the cloud provider’s problem. It is not. Under the shared-responsibility model the provider secures the underlying infrastructure, but securing what we put on it, the configuration, identities, data and workloads, and testing whether those defenses actually hold against today’s cyber threats, remains with us.

It’s the “elephant in the cloud” or if you will – the “mammoth in the cloud.”

Meeting the Cloud Security elephant 

Cloud environments are becoming more and more of a target for cyberattackers. It’s enough to glance at IBM’s 2023 Cost of a Data Breach Report to see that 82% of breaches involved data stored in the cloud—public, private or hybrid environments. Also stated in the report was that 39% of breaches spanned multiple environments, causing higher-than-average costs of USD 4.75 million per breach.

A classic example of the risk is the 2019 Capital One breach, in which a misconfigured web application firewall was abused through Server-Side Request Forgery (SSRF): the attacker used the firewall’s own EC2 instance to reach the instance metadata service, obtained the temporary credentials of the IAM role attached to that instance, and used them to read Capital One’s S3 storage buckets. With an estimated 100 million records exposed, the breach shows that the weak point in a cloud environment is usually configuration and permissions, not the provider’s infrastructure, and it serves as a wake-up call for every organization to prioritize cloud security and data protection.
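The breach pattern above, SSRF from a public-facing service to the instance metadata endpoint, is easy to see in code. The following is an added example, not Pentera’s code and not Capital One’s: a cloud-hosted “fetch this URL for me” handler in its vulnerable form next to a guarded form that vets every hop, including redirects, before fetching it. The metadata address 169.254.169.254 and the IMDSv1 path `/latest/meta-data/iam/security-credentials/` are real AWS facts; every hostname, URL, DNS answer and HTTP response below is constructed so the example runs offline.

```python
"""Added example: SSRF guard for a server-side URL fetcher running inside a cloud VPC.
Hosts, URLs, DNS entries and responses are constructed stand-ins; only the IMDS
address and credential path are real AWS values."""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Address ranges a server-side fetcher must never reach on a user's behalf.
# 169.254.0.0/16 is link-local; AWS, Azure and GCP all serve instance metadata there.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7",
)]

# Real AWS IMDSv1 path: GET on it returns the role name; GET <path><role> returns keys.
IMDS_CREDS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"


def fetch_unchecked(url, http_get):
    """'Before': the SSRF. Whatever the user supplies is fetched from inside the VPC."""
    return http_get(url)


def resolve_all(host, resolver=None):
    """All addresses a name resolves to; an attacker's DNS can mix public and internal records."""
    resolver = resolver or socket.getaddrinfo
    return {ipaddress.ip_address(info[4][0].split("%")[0]) for info in resolver(host, None)}


def check_target(url, resolver=None):
    """Raise ValueError unless url points only at public, routable addresses."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:          # http://trusted.example@169.254.169.254/
        raise ValueError("userinfo in URL not allowed")
    if not parts.hostname:
        raise ValueError("no host in URL")
    try:
        addrs = {ipaddress.ip_address(parts.hostname)}   # IP literal, incl. bracketed IPv6
    except ValueError:
        addrs = resolve_all(parts.hostname, resolver)
    for addr in addrs:
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped                      # [::ffff:169.254.169.254] is still IMDS
        if any(addr in net for net in BLOCKED_NETWORKS):
            raise ValueError(f"target {addr} is internal; refusing to fetch")
    return addrs


def is_allowed(url, resolver=None):
    try:
        check_target(url, resolver)
        return True
    except ValueError:
        return False


def fetch_guarded(url, http_get, resolver=None, max_redirects=3):
    """'After': vet every hop. http_get must not follow redirects on its own, or a
    public URL that 302s to the metadata service would slip past the check."""
    for _ in range(max_redirects + 1):
        check_target(url, resolver)
        status, headers, body = http_get(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return status, body
    raise ValueError("too many redirects")


# Constructed DNS and network so the example runs offline.
FAKE_DNS = {"files.example.invalid": "203.0.113.10"}
FAKE_NET = {
    IMDS_CREDS_URL: (200, {}, "app-role"),
    IMDS_CREDS_URL + "app-role": (200, {}, "<temporary keys of the instance role would be here>"),
    "http://files.example.invalid/report.pdf": (200, {}, "%PDF-1.4 constructed"),
    "http://files.example.invalid/go": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, ""),
}


def fake_resolver(host, port):
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (FAKE_DNS[host], 0))]


def fake_http_get(url):
    return FAKE_NET.get(url, (404, {}, ""))


if __name__ == "__main__":
    print(fetch_unchecked(IMDS_CREDS_URL, fake_http_get)[2])   # "app-role": the SSRF reaches IMDS
    print(fetch_guarded("http://files.example.invalid/report.pdf", fake_http_get, fake_resolver)[0])
    for bad in (IMDS_CREDS_URL, "http://files.example.invalid/go", "http://[::ffff:169.254.169.254]/"):
        try:
            fetch_guarded(bad, fake_http_get, fake_resolver)
        except ValueError as err:
            print("blocked:", err)
```

The application-side guard is only half of the fix. The instance-side half is to require IMDSv2 on every EC2 instance (a session token obtained with a PUT to `/latest/api/token` and an `X-aws-ec2-metadata-token-ttl-seconds` header, then sent as `X-aws-ec2-metadata-token`), which a plain GET-based SSRF cannot perform, and to give the instance role no more than the S3 permissions it actually needs, so that stolen credentials expose little.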

Traditional pentesting falls short in the cloud. The temptation is to say “same old, same old, let’s just run our annual pentest against the cloud environment and be done with it.”

Right?! Ummm…think again.

Given the nature of the cloud, yesterday’s pentest is as meaningless as yesterday’s newspaper. The cloud-native lifecycle is fast: new environments, accounts, and applications appear constantly. That pace makes it hard for security to keep up and raises the risk of misconfigurations and over-permissive roles.

The mix of human and machine identities and roles in the cloud adds another layer of complexity to its microservices-based, distributed environment. Cloud-specific security validation is needed to address these challenges.

Hello, cloud-native penetration testing

The need to define cloud-native penetration testing led to three guiding principles – Automated, Continuous, and Encompassing (ACE). All three are interconnected:

  • Automated – The only way to cover the millions of possible attacks across assets, protocols, payloads, and identities is software-based automation. Covering that manually would take hundreds of red teams, if it were possible at all, and who can afford that?
  • Continuous – Even if you are the lucky one who can put tens of pentesters to work, will they be able to cover the entire environment time and again, at the speed your environments change? Realistically, the only way to do it is programmatically. It should become part of the DevSecOps or CloudOps process, so that every VNet and VPC is tested before it goes live and regularly thereafter.
  • Encompassing – Traditional penetration tests are by definition sampling exercises: they look for anomalies, for the one fluke out of the ordinary. In a cloud environment, where each deployment can drift from the template, “test the golden image and you’ll be fine” doesn’t hold water.

Don’t Assume. Validate.

Cloud security without pentesting means playing a game of assumption. You assume that your security controls are effective. You assume that the architecture you devised is hacker-proof. You assume that your CIEM policies grant each identity no more entitlement than it needs. You assume a great deal.

Embrace change and confront the elephant in the cloud. Proactive measures, including the adoption of automated penetration testing technologies, are essential to stay one step ahead of cyber attackers. In this ever-evolving digital landscape, complacency is a luxury no organization can afford.

A quick word about Pentera

Pentera leads the charge in automated security validation software for all attack surfaces. It has now announced Pentera Cloud, an additional product in its platform built for testing cloud environments. With its automated algorithmic engine, Pentera Cloud runs ethical attacks across cloud estates and accounts.

It then shows which defenses work and which require remediation or mitigation, with clear guidance on how to perform them. Pentera also provides executives with an overall cloud posture resilience score that shows improvement in attack resilience over time.

In conclusion, as organizations continue their journey into the cloud, addressing security concerns is non-negotiable. The elephant in the cloud is a stark reality, and it is through proactive measures, such as adopting automated penetration testing platforms like Pentera, that organizations can fortify their defenses. Thousands of security professionals use Pentera daily to remove security exposure and maintain better cybersecurity readiness against any threat the world throws at them.  

Pentera Cloud is available now. Learn more and watch the on-demand webinar on Pentera Cloud.
