EH-Net

As a Security Professional supporting the Government, I have been bombarded with the organization using Cloud Computing for the day to day applications and operations. The move to the Cloud is easy for the end user - but is a pain and potential nightmare for those that want to secure the data and protect our Assets.

My Team and I am working our security assessment approach - following the government approved standards. However, from the EH side, am adding additional items as we won't be able to see the assets first hand and have to entrust a third party to protect us.

But aside from the obvious items (scanning from IP's of the unknown, XSS attacks, social engineering, and maybe a spearphish scenario/test case. anyone have any good items to share to add to my list of tests or maybe past experiences or "it was easy" to get to the jewels?!?!?

Thanks.
savingpvtryansdad

I don't work in the security industry but I do work in sys admin with a heavy focus towards virtualisation and cloud computing.

This sort of topic is something I face very much every day from my management and my clients.

I don't have anything specific to add to the discussion but I do want to bring up that going to the cloud you are essentially outsourcing your IT. Or at least part of the infrastructure.
Is that acceptable to your organisation?

In relation to your question, I don't see cloud computing to be much different to any other computing system. If your cloud apps are web applications, for instance a business I look after uses Xero a web based accounting software package, then you are just pen testing a web app. If your definition of cloud computing revolves around virtualisation then the only added component I would say would be that you need to also test the hypervisor layer.

Just some things to think about.

In regards to KamiCrazy's post, he / she asked a very important question:

"I don't have anything specific to add to the discussion but I do want to bring up that going to the cloud you are essentially outsourcing your IT. Or at least part of the infrastructure.
Is that acceptable to your organisation?"

It's interesting that this topic came up, and that this question comes up, as a major provider of webhosting services recently (within the past couple of weeks) had their customers websites defaced.  While it was likely some 'script-kiddie' looking for a thrill - they posted images similar to what might be posted on islamic militant and terror groups' sites - it still doesn't bode well for the customers, whose sites were defaced.  One such site was for a county government's Health Department.  While defacing may or may not have been the worst thing that could have happened (they also had scripts on there to auth to employee data, email, and others, so it could be a lot worse, if the attackers would've gained access to said data through XSS to gain passwords, etc,) ultimately, you have to decide how worth the costs it can be, if you're allowing the security of your 'public image' and public site to be hosted by someone else.

I'd agree fully with savingpvtryansdad, in that it certainly does make things easy for end-users and customers, sometimes, but can be an overall nightmare for IT staff, to try to manage services and security that are out of their control, to whatever extent.

Muss gave a great presentation at Kiwicon about the state of security of most shared web hosting providers and it didn't paint a pretty picture.
So when I read hayabusa's example of defaced websites I could almost visualise what exactly happened.