Pen Testing the Cloud and Hybrid Environments

Cloud technologies enable companies to build and run scalable applications in dynamic public, private, and hybrid environments. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify the elastic cloud approach.  

Cloud-native applications are a relatively new and exciting approach to designing and building software. However, they also raise an entirely new set of security challenges. For example, end-to-end visibility, monitoring, and detection become more complex.

With cloud deployments, you do not own or have access to all the resources included in your software solutions. Therefore, you must rely on the cloud service providers' security and robust vendor risk management along with your own best practices. 

Cloud Top Ten Challenges 

Like traditional data centers, the cloud is subject to malware, viruses, and unpatched software versions, but it has a different management paradigm. There are many security risks to consider when deploying cloud services. Here are the ten most prominent examples of cloud computing challenges:

Challenge #1. Accountability & Data Risk 

A traditional 'on-premise' data center is under that organization's logical and physical control. An organization that chooses to use a public cloud for hosting its business service gives up direct control of its data. Once you entrust your data to a third-party operator, you need guarantees that you will be able to recover your data in case of a breach.

Challenge #2. User Identity Federation 

It is imperative for enterprises to keep control over centralized user identities as they move services and applications to the different cloud providers. Therefore, users should be uniquely identifiable with a federated authentication that works across the cloud providers.  

Challenge #3. Legal & Regulatory Compliance 

It can be complex to demonstrate regulatory compliance. For example, data that is perceived to be secure in one country may not be perceived as secure in another due to different laws across countries or regions. 

Challenge #4. Business Continuity & Resiliency 

The business continuity of an organization that uses the cloud is delegated to the cloud provider. Be sure to understand the contractual solutions proposed by the cloud operator, the Service Level Agreement, and the Quality-of-Service guarantees.

Challenge #5. User Privacy & Secondary Usage of Data 

Make sure you stay compliant with data privacy regulations. You need to agree with your cloud providers on what data can or cannot be used for secondary purposes. This includes data that providers can mine directly from user data, or indirectly from user behavior (clicks, incoming and outgoing URLs, etc.).

Challenge #6. Service & Data Integration 

Organizations must ensure that their proprietary data is adequately protected as it is transferred between the end-user and the cloud data center. Unsecured data is susceptible to interception and compromise during transmission. 

Challenge #7. Multi-tenancy & Physical Security 

Multi-tenancy in the cloud means sharing resources and services (CPU, networking, storage/databases, application stack) among multiple clients. It increases dependence on logical segregation and other controls to ensure that one tenant cannot, deliberately or inadvertently, interfere with the other tenants' confidentiality, integrity, and availability.

Challenge #8. Incident Analysis & Forensics 

In the event of a security incident, applications and services hosted at a cloud provider are challenging to investigate because logging may be distributed across multiple hosts and data centers.

Challenge #9. Infrastructure Security 

All infrastructure must be hardened and configured securely, with hardening and configuration baselines based on industry best practices. Administrative access must be role-based and granted on a need-to-know basis. Regular risk assessments must be done, preferably by an independent party. A policy and process must be in place for patching and security updates, driven by risk and threat assessments of new security issues. The provider must be willing to share at least high-level details of these controls.

Challenge #10. Non-production Environment Exposure 

An IT organization that develops software applications internally employs a set of non-production environments for design, development, and test activities. Unfortunately, the non-production environments are generally not secured to the same extent as the production environment. Therefore, if an organization uses a Cloud provider for non-production environments, there is a high risk of unauthorized access. 

Cloud Services Checklist 

  • Assess the risk of adopting cloud services 
  • Compare different cloud provider offerings 
  • Obtain assurance from selected cloud providers 
  • Reduce the assurance burden on cloud providers 
  • Review The Cloud Security Alliance (CSA) for the latest cloud security research. 
  • Review The Center for Internet Security, Inc. (CIS®) guidance on cloud security best practices. 

Performing Step-by-Step Cloud Penetration Testing 

Understand the cloud service provider's policies 

Pen testing the cloud involves many technical and legal aspects, some of which are complex and not easily understood. Therefore, proper planning, identifying key risks and objectives, and selecting an appropriate pentest company are crucial for success. In addition, you need to understand the providers' policies and make them aware of your pen-testing activities.

Create a cloud penetration testing plan 

  1. Resources you control, including your cloud configuration settings. These are items that can be pen tested directly. 
  2. Resources that the cloud provider is responsible for: 
    1. Maintain a robust vendor risk management process that includes reviewing vendor compliance and pen-testing reports, audit history, and contracts. 
    2. It is essential to understand that the vendor's cloud platform upon which you build your environment cannot be pen tested directly. However, you can test your organization's configuration of the platform and the additional application code or assets living in your domain. 
    3. Recognize the things that cannot be pen tested within the vendor's cloud platform due to legal and technological constraints: 

Attackers will attack any way they can. If they can breach your resources through a cloud provider's service, they will. Therefore, you need to keep the holistic attack surface in mind. In most cases, you will have a hybrid architecture consisting of on-premises resources, cloud resources, and data streams between endpoints.

Execute the plan 

Pen testing begins with the discovery phase, which examines the available attack surface and finds exploitable vulnerabilities. From there, the tester moves on to gain unauthorized access to the environment, escalate privileges, browse the environment, install tools, and exfiltrate data.

Truvantis makes use of unique technology for efficient, low-impact pen-testing—getting you the information you need while minimizing the impact on your business.  

Detect and fix vulnerabilities 

Truvantis will provide a documented report of findings and remediation recommendations to the organization following a pentest. We will conduct a detailed review meeting and work with you to develop a remediation plan. 


Cloud computing is a new way of delivering computing resources. First, assess the risk of adopting cloud services and compare cloud provider offerings. Then, obtain assurance from selected cloud providers and reduce the assurance burden where possible. 

Truvantis is a cybersecurity consulting organization with comprehensive expertise in implementing, testing, auditing, and operating information security programs. We specialize in helping our clients improve their cyber security posture through practical, effective, and actionable programs—balancing security, technology, business impact, and organizational risk tolerance. 

