Cloud computing has influenced IT delivery services (including storage, computing, deployment, and management) with the maturity of automation and virtualization technologies. With these maturing technologies, a major obstacle in the adoption of cloud computing is security. Cloud security testing, as a relatively new service model, allows IT security testing service providers to perform on-demand application security testing in the cloud. This allows organizations to control costs while maintaining secure applications. Thus, the objective of cloud-based applications security testing is to enable these service providers to leverage cloud technologies and solutions in a secure manner.
However, challenges involving security testing in the cloud do exist. Today, I’ll highlight these challenges and let you in on a few tips to address them.
The concept of the cloud implies an effectively unlimited resource pool for sharing and utilization. Many organizations deploy applications into the cloud expecting to benefit from distributed computing capabilities, but they inherit the associated security risks at the same time. With such multi-tenant service leasing, in which clients have no visibility into the provider's internal operational details, the likelihood of risk increases. These risks can include:
Fun fact: Apart from the security risks listed above, all traditional application and infrastructure security risks still apply to the cloud.
It’s important to note that on-demand services can be considered a benefit and a challenge depending on the circumstances. There is an expectation for cloud services to be available in a timely manner, easily reachable, and capable of integrating with other components while maintaining data confidentiality. Service providers should offer assistance and tools for integration. Additionally, providers should ensure compliance so that cloud clients can run necessary tests. On the other hand, clients should selectively expose data and services for testing. They should also communicate their security policies and requirements to the cloud provider.
No universally approved method of cloud security testing currently exists. It all depends on client needs and provider offerings. Some service providers focus their testing process on aspects of cloud services that other providers wouldn't consider as critical. In reality, there's a wide range of approaches and techniques for cloud testing. As a result, clients should also expect differences in quality of service and in pricing models.
Treat the core security properties of confidentiality, integrity, and availability as the building blocks both for designing secure systems and for cloud security testing. Cloud applications need to offer security and data privacy in a cost-effective manner. Also recognize that security in the cloud isn't limited to application components. It also involves network-level and data-level security, in addition to backup and disaster recovery considerations.
IT security testing service providers and clients strongly benefit from cloud-based application threat models. Understanding the dependencies and relationships between cloud computing deployment and service models is crucial for assessing cloud security risks and controls.
Establish and enhance effective security policies to identify and implement security controls. Achieve this by combining available security best practices (e.g., CIS, NIST) to address cloud security threats and needs. Enhanced security policies should also satisfy external audit requirements and security certifications, which becomes increasingly important as an organization's cloud adoption matures.
Maintain interoperability between components to potentially reduce manual testing workarounds, minimize overhead costs, and save time. Additionally, keep in mind the limitations of cloud components and standardized integration capabilities to effectively streamline automated testing techniques in the cloud.
Cloud-based security testing uses cloud computing resources to perform testing activities on demand. Both large and small organizations use this service. While testing activities in the cloud do hold some challenges, your organization can overcome these hurdles. It's imperative that service providers work to ensure cloud security around applications, services, and data.
AlJowhara AlSuwailem is a security consultant at Synopsys. She specializes in security architecture reviews, cloud security, and vulnerability assessments. Prior to Synopsys, AlJowhara spent five years working in the IT governance field for one of the leading banks in the Middle East as a Senior System Integration Specialist. She comes from a computer science background and holds a MS in Information Security and Assurance from George Mason University.