There is a significant difference between cloud architecture and infrastructure and traditional on-premise architecture and infrastructure. Similarly, cloud penetration testing differs from traditional penetration testing. Cloud service providers such as Google Cloud Platform (GCP) offer numerous features and services, but generally follow a shared-responsibility model. Under such a model, the cloud provider is responsible for the security of the cloud, such as the security of the hardware and backend infrastructure, while the customer is responsible for security in the cloud, such as server configuration, the granting of privileges within the environment, and much more.
There are a variety of ways in which cloud environments can be compromised, and misconfiguration of servers can expose your environment to external attackers. However, external attackers are not the only threat: internal employees can also cause tremendous damage. They should be closely monitored for several reasons, such as the potential for their own malicious intent or activity, the potential for mistakes or unintended actions that open a security loophole, and the possibility of falling prey to external attackers’ techniques.
GCP pen testing enables your organisation to effectively assess the security posture of your applications and infrastructure that usually would not be directly evaluated during a traditional pen test.
GCP pen testing is an authorised hacking attempt against a system hosted on the platform. The primary goal of this testing is to identify strengths and weaknesses of the system, so that its security posture can be determined.
Even though your organisation may have implemented robust security controls such as multi-factor authentication (MFA) and strong security and password policies, attackers relentlessly keep looking for new ways to identify and exploit vulnerabilities in systems. Pen testing is an effective means of verifying your organisation’s capability to prevent, detect, respond, and react in case of any breach.
No, it is not required to obtain formal approval from Google prior to pen testing. However, it is necessary to follow Google’s Acceptable Use Policy and Terms of Service, and to ensure that your tests only affect your own projects (and not other customers’ applications).
We do not perform any testing for vulnerabilities in the “denial-of-service” category, both to avoid breaching Google’s AUP and to avoid disrupting any of your operations during our pen test. Clients are typically notified before any potentially disruptive activity is performed.