security auditing of cloud infrastructures

I just wondered for anyone in a role where you provide security auditing/vulnerability assessment type services to clients, if they have migrated many of their servers to a cloud based infrastructure, do you still find many of the same issues on the cloud based servers as you did for when clients housed their servers on their own internally managed infrastructure? I just wondered how this impacted on your assessments, i.e. do the cloud services still allow you to pen test/vulnerability assess their servers when hosted in the cloud, and have you found the security of cloud based servers any better/worse/the same as when they were managed on an internal infrastructure by the clients' own ICT sections?
pma111 Asked:

Mohammed Khawaja (Manager - Infrastructure: Information Technology) Commented:
You could always pentest against your servers, however, they do not want you to try and pentest their infrastructure such as hypervisor, etc. Also note that you do not have access to their hypervisors and in most cases, you will not even know the host that it is running on. As part of their SLA, they provide you assurances that their infrastructure is safe, patches, etc. and you hold them to their end of the bargain.

pma111 (Author) Commented:
Hi - yeah it was really server level and upwards (i.e. the apps running on those servers) that was the main interest.
Rich Rumble (Security Samurai) Commented:
Depends on the Cloud service in various ways. Managed services try to keep your environment up to date with patches for the OS at a minimum, and sometimes even other software, PHP, ASP, Java, Coldfusion, TomCat etc...
When it's Non-managed service providers the same issues you had before come right back up. Patching is up to the client so patching never gets done, or the regimen is similar to before where they are 6 months to 1 year behind in patching. Some cloud services provide hardening services, using deep packet inspection IPS, WAF and load balancing as needed. You can scan and pentest most Cloud providers externally without much fuss, well the big 3 hosting providers you can (Amazon, Azure, RackSpace) audit them from the outside.
Doesn't matter where the client is, if they aren't patching, or having someone else patch, they are vulnerable. If they write their own code and don't sanitize their inputs, they are still vulnerable even if they do patch. The ones that are not vulnerable are the proactive and security conscious ones. Well they are vulnerable for less time at any rate.
-rich