Friday, June 5, 2015

Do you need to do an internal pen test when the CDE is in the Cloud?

Client: 
We have a Cloud based, virtual data center that we access and manage using a 2-factor, on-demand VPN to a remote jump-box from anywhere in the world. As a result, our corporate network and admin machines are considered out-of-scope for PCI. Do we still need to do an internal penetration test?


Answer: 
Our experience is that these tests are limited and quick; however, they must be done. While it's true that in this case the in-scope systems could just as easily be administered from a Starbucks, the administrator's workstation in a Starbucks cannot easily be compromised by exploiting other systems in the coffee shop, whereas in the corporate network the administrator's system is often joined to a domain and can be affected by other systems in the domain. The environment where users routinely access in-scope systems will present an attacker with a unique opportunity to steal those credentials or manipulate that traffic. Such an opportunity would not be afforded to an attacker in a Starbucks. The interrelationship of systems inside the corporate network creates a unique set of threat vectors that must be tested.


So for PCI pen testing, a corporate network is defined as having a common network connection AND localized common resources such as file shares and authentication mechanisms.