For security reasons, many organizations offload a significant portion of their IT services, applications and other data to the nebulous locale known as the cloud. Many times, moving data to the cloud means moving data to a server or a cluster of servers that resides within a remotely located data center. Remotely offloading data is a commonly recommended security practice, if for no other reason than to transfer responsibility for that data to another entity.
However, even after transferring responsibility, is that data really more secure? How does a cloud user know if the data center -- assuming that is where the data is hosted -- is more secure than the employee workstation from which the data originated? One way to answer that question is to know whether the destination data center has been properly penetration tested.
The benefits of external penetration testing
Many Internet-connected organizations undergo penetration testing on a regular basis. This allows security officials within organizations to gain a thorough, up-to-date snapshot of their security approach. Furthermore, external penetration testing on IT infrastructure allows an organization to gauge its compliance with security standards. Some organizations have teams that are devoted to, among other things, penetration testing their own network. However, most organizations rely on third parties because an outside tester brings a fresh pair of eyes.
Some organizations accept, handle and store Payment Card Industry (PCI) data in some form. According to commonly accepted industry standards, PCI data must be segmented from areas of the network that handle other, less sensitive types of data. External penetration testing allows an organization to determine how closely it is complying with such standards.
How is penetration testing done?
If a company chooses to offload sensitive data to the cloud, it's often choosing to offload data to a remotely located data center. If the company is curious about how that data center fits into its security posture, external penetration testing, administered by a third party such as VerSprite, may be necessary.
After finalizing the agreed-upon testing scope, many penetration testing providers begin by taking a black box approach. This means testers conduct research against a target without the benefit of any insider knowledge. The black box approach allows penetration testers to better simulate the actions of a traditional attacker.
Many data center managers have enterprise-level software that allows them to centrally manage their data center assets. Furthermore, this software is sometimes configured so that data center managers can manage assets remotely. Taken one step further, penetration testers can often discover the publicly assigned IP address of the interface the data center manager uses to oversee those assets. The testers can do this remotely via a WHOIS lookup of the data center's domain or a simple Google search. Once the IP address is discovered, penetration testers can dive deeper, using Nmap port scans or other methods to view open ports, operating system information, user-agent strings and other information.
After conducting their initial research, penetration testers examine potential entry points to the network. If deeper penetration is part of the agreed-upon scope, testers will venture further into the network as they search for management assets.
From the data center's perspective, the responsibility of handling massive amounts of data should be motivation enough to carry out external penetration testing periodically. While many organizations can take comfort in offloading responsibility, data centers may not have that luxury.
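As an added example (not part of the original article), the Python script below reads the XML report of an authorized external Nmap scan of a data center's own address range and lists remote-management services found open. The port list, the sample report and the approved-exception set are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: TCP ports treated as remote-management services; adjust to your estate.
MGMT_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp",
              5900: "vnc", 5985: "winrm", 5986: "winrm-tls"}

# Constructed sample in Nmap's -oX report format (documentation addresses, not real hosts).
SAMPLE_XML = """<nmaprun>
  <host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports></host>
  <host><status state="up"/><address addr="203.0.113.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="filtered"/><service name="telnet"/></port>
    </ports></host>
</nmaprun>"""


def exposed_management(xml_text, approved=frozenset()):
    """Return sorted (ip, port, label) for open management ports not in `approved`."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed or filtered ports are not reachable services
            number = int(port.get("portid"))
            if (port.get("protocol") == "tcp" and number in MGMT_PORTS
                    and (ip, number) not in approved):
                findings.append((ip, number, MGMT_PORTS[number]))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed exception: 203.0.113.20:22 stands in for an approved bastion host.
    for ip, port, label in exposed_management(SAMPLE_XML, {("203.0.113.20", 22)}):
        print(f"{ip}:{port} ({label}) is reachable from the internet")
```

Run against each periodic scan report, the same function shows whether a management interface has become externally reachable since the last test.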