You have your servers hosted in the cloud on one of the latest, it’s faster and more secure than any that have come before it. You do not need to have your virtual servers tested to ensure they are secure (or as secure as they can be) that is just a waste of your time and money.
The provider is responsible for ensuring that your systems are safe from any cybercriminals or script kiddies that want to bring your systems down just for the entertainment factor or to encrypt all of your data, just so they can squeeze you for every penny you have. Wrong, that is not our responsibility, we have antivirus on the servers to protect them and I do not know what your testing could do to help improve anything.
This is a story I have heard on many occasions over my career in both IT and Security that a customer has “the cloud” which I really don’t feel many understand is just a physical server platform hosted in someone’s datacentre or offices that they rent out to you at a price that allows them to share the costs of the equipment between clients and make some profit on the top for them (the cream).
A cloud-hosted server is not hosted in some magical place that is impenetrable to all of those above cybercriminals; it is still on physical hardware like the one you would put at your own premises if you were not in “The Cloud”, they are still hosted on some form of Linux, VMware, Nutanix platform and are just as vulnerable to threats as they are in your own building. Yes, they are probably much more expensive servers then you would probably get but that does not change the fact that they are still normal servers.
I want to clear some things up in this article about this belief, providers are only responsible for all of the security on your cloud service if it is a hosted application, in this case, you still need to keep your passwords etc at correct levels to help keep things secure but the platform it is hosted on is the providers responsibility.
If you have virtual servers hosted on the cloud the provider would only be responsible for the underlying hypervisor platform and the datacentre or site that it is hosted. You as a customer are still responsible for keeping your servers secure and protected from the operating system upwards.
If you have a physical server hosted in a data centre then you are responsible for everything regarding security on those physical systems and the cloud provider is only responsible for the physical data centres location and its networks.
It is also true on the other side that if you have hosted services in the cloud and decide that you are going to get a penetration test and/or a full security audit completed you need to notify the provider that this is going to be occurring and have a clearly defined scope of what is going to be tested. Don’t just go at the systems like the wild west with guns blazing (aggressive vulnerability scanners, brute force attacks, RDP attacks, systems exploits or whatever else the tester wants to throw at the systems) as this will get you some very unhappy people when they find out who was responsible for the incident.
Even if you don't get an unhappy call regarding a test, it is really just your legal and ethical right thing to do. Just because you can do anything you want with your own systems hosted internally, cloud-hosted platforms are generally shared platforms and, in some cases, could bring heavy legal penalties to the testers if they don’t have a good scope outlined for the job and make sure that they have the necessary authorisation to conduct the malicious activities on a client’s behalf.
Be smart get it all in writing and ensure that everyone including the hosting provider knows the periods for the tests, who and what is going to be executed against the systems ahead of time.
Now that we have covered what you are responsible for and what the service provider is responsible for as well as the requirement for all parties to be aware of what is happening we really need to cover why you should spend the budget on getting the tests done in the first instance (Cloud or no cloud).
Do me a favour and look over some more articles on CSO, open up a browser and type "cybersecurity breaches 2018" you will see so many articles about breaches and that is just for 2018.
Do not fall for that same load of crap like “I have insurance; I do not need to test my systems security or make sure my users abide by our system usage policies, isn’t that why we have the Cyber insurance?” Look at some of those articles which you would have just found on CSO or in your google search they will nearly all depict the same scenario. Millions of dollars in damage files all lost and companies going out of business because they have lost all of their data and a new reputation that makes them worse than the plague to potential customers.
Do your organisations a favour, get your systems tested, get the best protection you can afford, ensure you have proven policies in place (make sure you actually test incident response, data recovery plans. Don’t just make them and forget about them as you will really regret it when an incident does occur and trust me it will), train your staff and yes have cyber insurance. All these things will keep your business running and your reputation intact.
It is much better to prevent an incident then try to clean up after it. As always this is just my opinion and you don’t need to agree with me but let’s start a conversation about this to help make us all more secure in the long term.