EC-Council Certified Security Analyst (ECSA v10) — Question 11

SecGlobal Corporation hired Michael, a penetration tester. Management asked Michael to perform cloud penetration testing on the company's cloud infrastructure.
As a part of his task, he started checking all the agreements with cloud service provider and came to a conclusion that it is not possible to perform penetration testing on the cloud services that are being used by the organization due to the level of responsibilities between company and the Cloud Service Provider (CSP).
Identify the type of cloud service deployed by the organization?

Answer options

• A. Platform as a service (PaaS)
• B. Software as a service (SaaS)
• C. Anything as a service (XaaS)
• D. Infrastructure as a service (IaaS)

Correct answer: D

Explanation

The correct answer is D, Infrastructure as a Service (IaaS), because this model typically grants the organization a higher level of control over the infrastructure, which is why penetration testing would typically be restricted by the CSP agreements. Other options like PaaS and SaaS offer less control over the underlying infrastructure, making penetration testing possible in those cases, while XaaS is a broad term that does not specify a particular level of responsibility.