Penetration Testing for Cloud-Based Apps: A Step-by-Step Guide


Although cloud providers offer more and more robust security controls, in the end, you’re the one who has to secure your company’s workloads in the cloud. According to the 2019 Cloud Security Report, the top cloud security challenges are data loss and data privacy, followed by compliance concerns, tied with worries about accidental exposure of credentials. Cloud penetration testing can help with this.


What is cloud pen testing? It is an authorized simulation of a cyberattack against a system that is hosted on a cloud provider, such as Google Cloud Platform, Microsoft Azure, or Amazon Web Services (AWS). Its main objective is to find the threats and weaknesses of a system hosted on a cloud platform so that you can see how secure it really is. Cloud app pen testing also has to account for the shared responsibility model.


Shared Responsibility in Cloud Penetration Testing


In a cloud computing environment, there are two terms with which you need to be familiar:


Provider: the entity that builds and runs the cloud environment and offers its services on a metered basis to one or more tenants.
Tenant: the entity that uses the metered service of the cloud provider.

When determining the scope, you should check whether the organization is a cloud provider or tenant. For multiple clouds, an organization can act as a provider for one and a tenant for others.


Cloud Service Models


Before penetration testing cloud-based applications, you should understand which resources the cloud service provider will take care of and which resources the tenant will take care of.


Infrastructure-as-a-Service (IaaS): ..
