- [Instructor] Whenever you perform penetration testing in the cloud, you must understand what you can and you cannot do in that cloud environment. Most of the cloud service providers that are mature, you know, the biggest ones out there, have detailed guidelines on how to perform security assessments and penetration testing in the cloud. Now, regardless, there are many potential threats when organizations move to a cloud model. For instance, although your data is actually in the cloud, it actually has to reside somewhere, right? In a physical location somewhere. So, your cloud provider should agree, in writing, to provide the level of security required for your customers, right? And, you know, for your organization.

Now, these are a few questions that most people in the industry ask cloud providers before they actually sign their contract. And, you know, they contract them for their services. First one is actually, you know, who has access to the data, right? Access control is a key concern because even insider attacks are actually a huge risk nowadays, even in the cloud environment.

The other thing is, what are the provider's regulatory requirements? And especially organizations operating in different, you know, geographical locations like the U.S., Canada, European Union, and Asia must, you know, abide by different regulatory requirements that may be specific to those areas. The other question is, do you have the right to audit? What type of training does the provider offer to the employees? What type of data classification system does the provider use? You know, how's your data separated from other users' data? And is the data on, you know, a shared server or a dedicated server that they actually may have? And of course, you know, if it's on a dedicated server, or a dedicated system, they may actually, you know, charge extra. But those are actually some requirements that you must, you know, explore before you actually sign a contract, right?

Now, is encryption being used, right? Not only encryption during transit, right? But also, is data encrypted at rest in the cloud? And also, what are the crypto algorithms and implementations that the cloud provider, you know, uses, right? Who maintains control of the encryption key? Is it gonna be your company, or is it gonna be the cloud provider?

Also, what are the service level agreements, or SLAs? You know, different terms that you, you know, must abide by. And the cloud provider also should agree and guarantee the service, you know, between them and, you know, you as a consumer. Also, will they assume liability in the case of a breach? What is the disaster recovery and business continuity plan that the cloud provider actually has? So, all those are different questions that you must ask whenever, you know, not only for performing a security assessment, but overall, you know, how they actually perform a security assessment in their infrastructure as well.