With the growth of cloud computing, tests for cloud-based applications, services, and infrastructures are on the rise. When performing penetration tests on cloud deployments, one of the biggest concerns is shared ownership. In the past, when performing a penetration test, the organization would own all the components on the network and we were able to test them all; in a cloud environment, depending on the deployment and service model, we can be presented with a very limited scope.
Before we start using cloud computing as penetration testers, let me first get some terms out of our way:
- The provider is the entity that built the cloud deployment, and it is offering a service to one or more tenants; tenants are the ones who contract the service from the provider.
- Infrastructure as a Service (IaaS): This is a cloud service model where...