With so many virtual resources and tenants moving around in our cloud services environment, how can we best determine where our cloud is most vulnerable?
It's important to conduct both internal and external cloud vulnerability and penetration testing on a regular basis to get an accurate, up-to-date security risk analysis. Having proper audits and effective alerts is also a must.
Providers should be able to schedule additional, ad hoc vulnerability assessments whenever there is a change in the physical and virtual infrastructure or in any software; adding a new appliance will also call for renewed testing and audits. For example, if a complete vulnerability assessment shows that a customer has provisioned new virtual machine instances and destroyed some older ones, the provider would need an audit trail to prove that this was indeed done for the customer and that this vulnerability was addressed.
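The reconciliation described above, as an added example that is not part of the original answer: it compares the instance inventories from two consecutive assessments and checks every provisioned or destroyed instance against the audit trail. The record fields, instance IDs and tenant names are constructed assumptions, not any provider's real log format.

```python
# Constructed sample data: instance -> owning tenant, as seen by two assessments.
PREVIOUS_SCAN = {"vm-101": "tenant-a", "vm-102": "tenant-a", "vm-201": "tenant-b"}
CURRENT_SCAN = {"vm-101": "tenant-a", "vm-103": "tenant-a",
                "vm-104": "tenant-a", "vm-202": "tenant-b"}

# Constructed audit trail (hypothetical record layout).
AUDIT_TRAIL = [
    {"time": "2013-01-10T09:00:00", "action": "provision", "instance": "vm-103",
     "tenant": "tenant-a", "requested_by": "tenant-a"},
    {"time": "2013-01-10T09:05:00", "action": "destroy", "instance": "vm-102",
     "tenant": "tenant-a", "requested_by": "tenant-a"},
    # Requested by a different tenant than the one that owns the instance.
    {"time": "2013-01-11T14:30:00", "action": "provision", "instance": "vm-202",
     "tenant": "tenant-b", "requested_by": "tenant-a"},
]


def reconcile(previous, current, trail):
    """Return one finding per inventory change between two assessments."""
    # Index the audit trail by (action, instance) for direct lookup.
    records = {(e["action"], e["instance"]): e for e in trail}

    # Instances that appeared are provisions; instances that vanished are destroys.
    changes = [("provision", i, current[i])
               for i in sorted(current.keys() - previous.keys())]
    changes += [("destroy", i, previous[i])
                for i in sorted(previous.keys() - current.keys())]

    findings = []
    for action, instance, owner in changes:
        entry = records.get((action, instance))
        if entry is None:
            status = "no-audit-record"      # change cannot be attributed to anyone
        elif entry["tenant"] != owner or entry["requested_by"] != owner:
            status = "tenant-mismatch"      # logged, but not on the owner's behalf
        else:
            status = "verified"             # change was made for the customer
        findings.append((instance, action, owner, status))
    return findings


if __name__ == "__main__":
    for finding in reconcile(PREVIOUS_SCAN, CURRENT_SCAN, AUDIT_TRAIL):
        print(*finding)
```

Anything other than `verified` is a change the provider cannot prove was made for the customer, and is a candidate for an alert and an ad hoc reassessment.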
This was first published in January 2013