Dec 24, 2014

How does penetration testing for the cloud differ from pen testing for a traditional on-premises network?

Is the cloud service provider generally responsible for pen testing, or is it something that the provider allows but the responsibility falls on the customer?
Best answer
12/26/2014
This is an old article but does a nice job delineating the responsibilities of the provider and the customer for different kinds of cloud services:
http://pen-testing.sans.org/blog/2012/07/05/pen-testing-in-the-cloud

This is another older article, specifically talking about the various pen testing tools that are available for OpenStack clouds here:
http://cryptome.org/2013/07/cloud-pentest.pdf

Most of the professional pen test organizations have cloud expertise by now and most of the providers have done at least some rudimentary efforts, tip sheets, and other suggestions. For example, here are some tips from Rackspace on how to conduct them:
http://www.rackspace.com/blog/vulnerability-assessment-and-penetration-testing-identify-and-fix-flaws/

One issue is that many times the traffic generated by pen tests looks like criminal hacking efforts. Amazon has put together a request form if a customer wants certain network scans of particular IP address ranges performed:
http://aws.amazon.com/security/penetration-testing/