A company obtained permission for a vulnerability scan from its cloud service provider and now wants to test the security of its hosted data. Which of the following should the tester verify FIRST to assess this risk?
A. Whether sensitive client data is publicly accessible
B. Whether the connection between the cloud and the client is secure
C. Whether the client's employees are trained properly to use the platform
D. Whether the cloud applications were developed using a secure SDLC
A. Whether sensitive client data is publicly accessible
When assessing the security of hosted data in a cloud environment, the first thing that should be verified is whether sensitive client data is publicly accessible. This includes checking for any misconfigurations or vulnerabilities that could allow an unauthorized person to access the data. This could be accomplished by performing web application scans, network scans, and manual testing to check for any vulnerabilities that could allow for data exfiltration or unauthorized access.
It's also important to check whether the connection between the cloud and the client is secure, whether the client's employees are trained properly to use the platform, and whether the cloud applications were developed using a secure SDLC, but verifying whether sensitive client data is publicly accessible should be the primary focus.
A would be your first step to see if there is any security at all on the hosted data itself. The connection to the cloud is less relevant as the question asks specifically about the hosted data itself.
The tester should verify FIRST:
A. Whether sensitive client data is publicly accessible
Ensuring that sensitive client data is not publicly accessible is the most immediate and critical check. If such data is exposed, it represents a significant risk to the company and its clients. This verification will help identify any obvious and severe vulnerabilities that could be exploited by attackers.
Too much groupthink in these forums.
Do some research, and use some tools.
Get practical experience, and stop copy/pasting ChatGPT (It's just not that reliable).
MY OPINION (sure, I could be wrong):
The COMPANY is going to scan the CSP.
The FIRST thing to do is [B]. Because if the COMPANY's connection is unsecured and intercepted, the intercepting party may have live access to the vulnerability results, and can attack before the scan is complete or before vulnerability mitigations are implemented (because mitigations can take time to implement).
NOT DOING SO: creates a situation where the COMPANY introduces greater risk.
After [B] is implemented, the vulnerability scan may inform whether [A] is a concern.
Ensuring the security of the connection between the client and the cloud is a fundamental aspect of cloud security. This includes assessing the encryption protocols, data in transit protection, and the overall security of the network connection.
When assessing the security of hosted data in a cloud environment, one of the first things to verify is the security of the connection between the cloud and the client. Therefore, the correct answer is:
B. Whether the connection between the cloud and the client is secure
B should be the first thing you do when assessing a cloud environment. Before anything else, you need to make sure that the connection between you (as a customer) and the cloud (as the provider) is secure. If not, there's no guarantee of the confidentiality and integrity of the information later; you can already assume that data might be exposed, eliminating alternative A as the answer.
PT0-002 Exam Questions