Client
The client is a US firm that develops innovative solutions in multi-cloud infrastructure for distributed enterprise cloud journeys. Cloud-forward enterprises, including Fortune 100 companies, have adopted the client’s platform to improve operational efficiency and accelerate business outcomes.
The platform enables enterprises to create a secure network fabric, connecting virtual networks within one cloud or across clouds with the ability to microsegment to individual endpoints. The client also integrates data path protection, identity access, application security, and operational insights into a single service in only minutes.
Business Challenge
To satisfy enterprise client requirements and ensure the platform’s overall security, the client needed a penetration test, whose main goals were the following:
- Ensure the platform cannot be compromised by its clients.
- Verify that the platform properly applies segmentation and security policies that cannot be circumvented by users.
DataArt was chosen as a trusted partner with solid cloud security experience. Penetration tests were carried out using a “gray box” technique with basic knowledge of the target environment and solution architecture. The client provided access to the control plane as well as to cloud environments (AWS, Microsoft Azure, and Google Cloud) used in the test setup.
Solution
To accurately evaluate the security of the platform, DataArt experts performed various tests utilizing industry-accepted penetration testing methodologies. The testing consisted of the following phases:
- Planning: Working with the client to understand the platform architecture and security mechanisms, as well as documenting the assessment’s objectives, scope, and rules of engagement.
- Information Gathering: Collecting key information about the target platform and related infrastructure to become familiar with the functionality and the placement of security controls.
- Vulnerability Discovery and Analysis: Identifying and confirming the exploitability of common application and server vulnerabilities, utilizing both automated and manual techniques, scanning networks, and attempting to bypass security and segmentation policies enforced by the platform.
- Exploitation: Leveraging the identified vulnerabilities to launch attacks against the targeted systems; this phase helps to collect evidence and demonstrate the potential consequences of the vulnerabilities discovered.
- Reporting: Compiling a report consisting of a non-technical executive summary and detailed technical sections with a prioritized list of findings and practical recommendations for their remediation.
The DataArt team compiled penetration testing guidelines based on:
- Open Web Application Security Project Testing Guide (OWASP Testing Guide)
- Penetration Test Guidance for PCI DSS Standard
- NIST Technical Guide to Information Security Testing and Assessment (NIST SP 800-115)
Business Benefits
During the assessment, DataArt found several ways the platform could be compromised. All the findings were prioritized by risk rating and described in the report, including detailed proofs-of-concept (PoCs) and recommendations on how to eliminate each vulnerability.
Once all the fixes were completed, DataArt executed subsequent re-tests and could not find a reasonable attack scenario that led to unauthorized access to clients’ networks or applications. As a result, the platform was recommended as a secure solution that can be safely used by their clients.
