Cloud hosting (such as with AWS, Azure Cloud, etc.) is relatively new, and has quickly superseded traditional methods of website hosting. But how is cloud hosting different? Are there security advantages? And is penetration testing still necessary?
Prior to cloud hosting, there were two primary methods for hosting a website – maintaining a physical server, or using a web hosting company. Regardless of the method used, this meant that the website was located on a single physical server which ‘served’ the site to anyone wanting to access it. Cloud hosting, on the other hand, hosts websites on multiple interconnected web servers.
Advantages of cloud hosting
One advantage of cloud hosting is that there is no single point of failure. If a natural disaster or hardware failure renders one server inoperable, the other servers can substitute for it, resulting in greater server uptime (the amount of time a system is running and available, as opposed to being inaccessible due to maintenance, hardware failure, etc.). Users will also experience faster load speeds as these servers are dispersed, meaning that there is less distance between users and the server they’re fetching the website from.
The Cloud also makes scalability incredibly easy, as resources such as storage and RAM can be increased or reduced with the click of a button. Compare this to maintaining your own server, where increasing resources such as processing power (CPU) would involve replacing physical hardware within the server. Not only does this result in downtime as the server is upgraded, but any unutilised processing power would be wasted.
Security on The Cloud
But what about security? Well, there are some security benefits to hosting a website on the cloud, primarily due to virtualization – meaning your data is segmented, reducing the ease with which an intruder can access different data. For the vast majority of security concerns, however, cloud hosting is exactly the same as traditional hosting.
Take for example, third party software. Many servers will be running software such as Nginx and Apache. This software can, and often does, have security vulnerabilities which are routinely patched. If these patches aren’t applied, your server is vulnerable (and generally speaking, no – your cloud provider does not patch your server for you). This software must also be securely configured. Misconfigurations (and other things such as weak passwords) can leave otherwise secure software vulnerable. Unneeded ports should also be closed, as open ports give attackers a means through which to communicate with your server.
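One way to check a server for unneeded open ports, shown here as an added example that is not part of the original article: the script parses the output of `ss -tlnH` (listening TCP sockets) and reports every listener that is reachable from outside the host on a port not in an allow-list. The sample output and the allow-list are constructed assumptions; on a real server you would feed in the live command output and your own list of expected services.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (not taken from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      151        127.0.0.1:3306       0.0.0.0:*
LISTEN 0      511          0.0.0.0:6379       0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      4096               *:9100             *:*
"""

# Assumption: this web server should only expose SSH, HTTP and HTTPS.
ALLOWED_PORTS = {22, 80, 443}


def parse_listeners(ss_output):
    """Return (address, port) for each LISTEN line of `ss -tlnH` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip blank or unexpected lines
        addr, _, port = fields[3].rpartition(":")
        # Drop IPv6 brackets and any %interface scope suffix.
        addr = addr.strip("[]").split("%")[0]
        listeners.append((addr, int(port)))
    return listeners


def is_externally_reachable(addr):
    """A wildcard or non-loopback bind address accepts remote connections."""
    if addr == "*":
        return True
    return not ipaddress.ip_address(addr).is_loopback


def unexpected_listeners(ss_output, allowed_ports):
    """Listeners reachable from outside the host on ports not allow-listed."""
    return sorted({
        (addr, port)
        for addr, port in parse_listeners(ss_output)
        if is_externally_reachable(addr) and port not in allowed_ports
    })


if __name__ == "__main__":
    for addr, port in unexpected_listeners(SAMPLE_SS_OUTPUT, ALLOWED_PORTS):
        print(f"unexpected listener: {addr}:{port}")
```

In the sample, the database bound to 127.0.0.1 is not reported because it only accepts local connections, while the two services bound to all interfaces on ports 6379 and 9100 are.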
If that wasn’t enough, websites themselves offer plenty of opportunities for attackers. They’re often exploited to steal sensitive data, defaced, or even brought under the attacker’s control and used to launch further attacks (such as being used as part of a botnet – a network of computers controlled by a malicious actor). This is because websites are built from code, and the people writing that code often make mistakes – which create vulnerabilities. Once again, cloud hosting providers provide no form of security verification or testing of the websites hosted on their servers (though they will take down any site discovered to be malicious). Cloud hosted websites should therefore be penetration tested – and this is the sole responsibility of the owner.
As you can see, from a security perspective, it really doesn’t matter whether a website is hosted on a company’s own physical servers, with a hosting company, or in the cloud. Cloud providers may provide some layers of security, such as WAFs (web application firewalls), but ultimately, the management of security is entirely up to whoever is renting the server, and penetration testing is absolutely necessary. Vertex Cyber Security is a CREST ANZ certified penetration tester, and is happy to answer any queries you may have via phone 1300 2 CYBER (29237) or email .
If you’d like to learn about the different types of penetration testing and the difference between them, be sure to check out our blog post.