A penetration testing firm is contracted to test a cloud-based infrastructure. The client uses a shared responsibility model. Which of the following should be clarified in the rules of engagement to avoid legal issues?
Many cloud providers require explicit authorization for penetration testing; failing to obtain it can lead to service termination or legal action.
Why this answer
In a shared responsibility model, the cloud provider is responsible for the security of the cloud, while the customer is responsible for security in the cloud. However, penetration testing activities may violate the cloud provider's terms of service or acceptable use policy, potentially triggering legal action. Therefore, obtaining explicit authorization from the cloud provider is critical to ensure the tester's actions are legally permitted and to avoid liability for unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA).
Exam trap
CompTIA often tests the misconception that operational security tasks, such as patching or encryption, are the primary legal concern in a shared responsibility model. In fact, the critical legal issue is obtaining explicit authorization from the cloud provider so that testing does not violate its terms of service or anti-hacking laws.
How to eliminate wrong answers
Option A is wrong because patching the operating system, although a shared responsibility that varies by service model (e.g., IaaS vs. PaaS), is an operational security task, not a legal authorization issue that must be clarified in the rules of engagement to avoid legal issues. Option C is wrong because encryption methods for data at rest are a security control configuration, not a legal authorization requirement; while important for data protection, they do not address the legal risk of unauthorized testing against the cloud provider's infrastructure.