Cloud data breaches are on the rise. In 2022, 45% of organizations reported a breach or compliance audit failure, representing a 5% increase from the year before. And just 11% reported that more than 80% of their sensitive data in the cloud is encrypted. With the help of red-team penetration testing, infosec developers have the ability to patch vulnerabilities before they reach end users. And as attacks continue to expand, red-team activities in the cloud are an absolute must for most organizations, and take up a growing chunk of infosec developers' time.
As a crucial layer of protection for businesses, infosec teams need technologies that make their work easier. Yet today, many cloud providers make security complex by overcomplicating either the deployment of required infrastructure or the pricing structure. This has to change. It's time for cloud providers to empower infosec developers with the right tools, platforms, and pricing to support essential testing and security work. Or risk breaches that cost money, reputation, and time.
Companies Deserve Full Capabilities and Affordable Costs
Security starts with the right strategy and tool set. When it comes to red-team activities, Kali is a top choice. A lightweight Linux distribution, Kali is open source and Debian-based, with a full suite of security testing tools. But Kali can be hard to use on some of the most popular cloud providers, like Amazon Web Services (AWS).
For one thing, deploying Kali Linux onto a cloud instance can be tedious and time consuming, especially if installing directly from an ISO using workarounds or exporting from a local VM. For example, though a penetration tester can set up a Kali Linux instance on Amazon's cloud, it's only available as an Amazon Machine Image (AMI) that runs Kali Linux on the Amazon Marketplace. This image doesn't include the full range of Kali's capabilities.
In addition to a challenging manual setup process, companies also need to grapple with pricing complexity — a problem that doesn't just affect finance teams but trickles down to developers too. Depending on the scope, size, and thoroughness of the engagement, penetration testing may require many instances and significant amounts of egress. On major cloud providers, these needs can run up a large bill. On top of that, pricing complexity may make these costs difficult to accurately estimate, placing an unfair responsibility on infosec professionals, developers, and business owners that may be expected to foresee (and prevent) high price tags.
While enterprise companies may not be concerned about these factors — they may have massive infosec teams to handle setup and deep pockets to deal with costs — small businesses will likely be more wary. As they grapple with a talent shortage and relatively tight budgets, they need partners that can support them in a different, more holistic way. Enter alternative cloud providers.
Though Kali is widely available, deploying it with a partner that offers deeper functionality and more thorough support at a fair cost is simply more practical, especially for SMBs. For security professionals in the cloud space to get the most of Kali, it must be offered as an officially supported distribution that can easily be deployed on any cloud instance. This ensures that the full range of testing opportunities and configurations supported by Kali Linux can easily run in the cloud. Akamai Linode offers Kali this way, giving end users access not only via the distribution but also as an app in Linode's marketplace. Another key differentiator is that alternative providers typically offer a higher level of support than other providers, helping SMBs tackle that tough initial setup, often with no added costs.
Pricing in general, not just for support, is more accessible through alternative providers as well. These players not only have more predictable, transparent costs thanks to flat rates, but some — like Linode — have generous transfer allowances and comparatively low overage costs. That's game-changing for penetration testers that deal with plenty of egress. Without worry about incurring significant extra costs, they can freely run the testing they need to protect their organizations.
Consider Alternative Cloud Providers for Security Testing
Every organization using cloud, no matter how small, should be doing security testing: cloud misconfiguration is the initial attack vector for 15% of all data breaches. And with breaches costing companies as much as $4 million dollars, they simply can't afford the risk.
As threats continue to grow, thorough and well-honed penetration testing is more important now than ever. And infosec teams need support. Let's arm these vital teams with key tools, easier deployment, and clearer, more affordable pricing schemes.
About the Author
Billy Thompson is a Solutions Engineering Manager on Akamai, Linode Compute, helping customers design portable architectures, and deploy them at scale for technical and business teams. Billy holds a degree in information security and has a special interest in IaC, Kubernetes, big data engineering, and Python and Rust programming languages. He is a longtime Arch Linux user and vegan, and never knows which to tell people first. Outside of work, he studies jujitsu, muay thai, and boxing. He also volunteers at his home for fostering and acclimating rescue dogs.