AIO QA Comprehensive Flashcards

Question

Which of the following storage types are used with Infrastructure as a Service (IaaS)? A. Structured and unstructured B. File and database C. Object and volume D. Block and striped Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 362). McGraw Hill LLC. Kindle Edition.

Answer 1

C. Object and volume Explanation: C. IaaS uses object and volume storage types. With volume storage, a logical storage unit will be allocated to the virtual machine, and it will appear to the system, applications, or users as part of the file system. It can then be used as normal storage would in a physical server model, complete with file system organization, permissions, data structures, and any other aspects of a file system. With object storage, data is kept in a flat structure and accessed through the use of opaque tokens, rather than a filename or through a directory structure. This type of storage is often used for media objects such as images, videos, and audio files and is where cloud providers store system images and virtual machine files. A is incorrect because structured and unstructured storage types belong to PaaS, not IaaS. Structured storage is done typically through systems such as databases, which have a set, defined data-organization scheme and are maintained by the cloud provider, with data inserted or created by the cloud customer. Unstructured data does not follow platform-defined structures and is open to the data structures defined by the cloud customer. This will typically be used for web-based systems within a PaaS environment, where the web objects, media files, and components are stored and accessed via the application framework. B is incorrect because while file and database are two common storage methods or concepts, they are higher-level concepts that many other data structures fit within, and they are not part of the formal data structures that IaaS uses. D is incorrect because while block and striped are concepts in computing that relate to data storage and structure, they are not data types themselves, nor are they used and defined within IaaS or other cloud models. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 362-363). McGraw Hill LLC. Kindle Edition.

Answer 2

D. Cryptographic erasure Explanation: D. Cryptographic erasure is a means of ensuring data is no longer accessible, and it can always be used within a cloud environment because it is purely a software approach and not dependent on the infrastructure. Rather than a traditional means of overwriting or destroying physical media, cryptographic erasure is performed by encrypting data and then destroying the keys that were used to encrypt it, thus rendering it inaccessible and unreadable. This method, especially where data is already encrypted, is extremely fast and efficient. Whereas deleting large volumes or numbers of files on a system can often take substantial time to complete, in addition to the significant time required for overwriting or ensuring it is deleted, keys can be deleted instantaneously and from where they are housed, sometimes without even accessing the systems holding the actual data. If the data was encrypted with strong encryption, the chances of it ever being accessed again are extremely low; for the most part, it’s virtually impossible. A is incorrect because physical destruction of media is virtually impossible within a cloud environment. With multitenancy and resource pooling, you can be assured that every physical device houses more than one cloud customer. Due to this, the idea of having the cloud provider destroy the physical media housing the data is an impossibility. Also, with how much data is always moving and being balanced within a cloud environment, it is almost impossible to fully determine all the physical locations of data at any one point so that such destruction could even be requested. B is incorrect because shredding is a form of physical destruction of media and, as explained for answer A, would not be possible within a cloud environment. C is incorrect because the realities of a cloud environment, with the use of virtualization and constant balancing and migrating of data, make it impossible to perform overwriting in a manner where it could be ensured that all data is overwritten. It also would be virtually impossible to isolate a particular customer’s data, even if one could determine all the locations of that data, and perform overwriting in a manner that would not impact other tenants within the same environment. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 363). McGraw Hill LLC. Kindle Edition.

Answer 3

A. IPS Explanation: A. The use of intrusion prevention systems (IPSs) can be complicated with elasticity and auto-scaling; as systems are expanded programmatically, it is difficult to ensure that traffic is accurately routed through IPSs and that the correct signatures, policies, and rules are applied. Within a traditional data center, network pathways are known, and routing as well as physical network connections will ensure that the correct paths are always taken. In cloud environments, where the infrastructure is in a constant state of flux, this is far more difficult to achieve. The primary means to implement intrusion prevention to get around the shortcomings of virtual network-based IPSs is through the use of host-based IPSs in a cloud environment. B is incorrect because XML accelerators will be placed around load balancers and will automatically be added as systems are expanded programmatically. This differs from IPSs because it relates to where in the network flow XML accelerators are placed and how the network is routed. XML accelerators also are used in conjunction with established web services, which, regardless of the number of virtual machines accessing them, will remain the same. C is incorrect because elasticity will have no impact on vulnerability scanners, other than changing the number of systems that must be scanned. However, through auto-scaling and elasticity, the server type and purpose will be known, and it is easy to ensure that these systems are added to the lists for vulnerability scanning. D is incorrect because web application firewalls (WAFs) are used based on the purpose of the server, which will be known through auto-scaling. Also, they are often placed in front of servers at the load balancer level, so the number of servers behind the load balancer will not have any direct impact on the use of WAFs. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 364). McGraw Hill LLC. Kindle Edition.

Answer 4

B. Portability Explanation: B. Portability is the feature that allows a system to easily move between different cloud providers. This is accomplished by relying on standardized toolsets and platforms and avoiding the use of propriety APIs or other toolsets that will end up binding an organization to a particular cloud provider, making the cost of moving to another substantial, in both time and money. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 365). McGraw Hill LLC. Kindle Edition.

Answer 5

D. Spoofing Explanation: D. The S in the STRIDE threat model stands for “spoofing,” or more specifically, “spoofing identity.” This involves applications that have unique access controls for individual users and administrators, but then within the application they use service accounts or common credentials to communicate with databases, APIs, or other services. In this instance, it is possible for a user to assume the identity of another within the application once authenticated and then make it appear as if that user is accessing resources through the application. To mitigate this threat, the system should continually check the access of a user as they move between interfaces or functions to ensure they have the proper level of access. The system should also check that the identity it assumes the user has actually matches the identity they used to initially authenticate and access the system or application. A is incorrect because the S stands for “spoofing identity” and not for “secure.” While security is obviously a large part of the STRIDE threat model at a high level and is the overarching concept, it is not the actual term used here. B is incorrect because the S stands for “spoofing identity” and not for “structured.” The term structured typically applies to data types, especially for PaaS implementations, where structured and unstructured are the two official data types. C is incorrect because the S stands for “spoofing identity” and not for “standard.” While standard is a term used a lot within security and IT in general, especially as it relates to certifications and best practices, it is not applicable in this instance as part of the STRIDE threat model. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 365-366). McGraw Hill LLC. Kindle Edition.

Answer 6

A. Integrity Explanation: A. Encryption is intended to protect the confidentiality and privacy of data first and foremost. While encryption can certainly prevent the unauthorized altering of data at rest, and thus its integrity, that is not its intended purpose. B is incorrect because confidentiality is the main concern and focus of encryption. It is intended to prevent the unauthorized exposure or leakage of data to parties that are not authorized to have it. In order to read data that is encrypted, a party would need to have access to the keys used to encrypt it. Encryption is focused solely on the ability to read data, so it is not used to prevent the encrypted volumes from being intercepted specifically—just the reading and access of the data contained with them. C is incorrect because in order for an encryption system to be usable in a real environment and within applications, it must be easy and efficient to use. That is one of the main benefits and features of encryption. Although an encryption system is virtually unbreakable with current technology and capabilities, if you are in possession of the correct keys, it takes very little overhead to decrypt and read the data. In order to integrate into applications, especially those open to the public and that have larger user bases, this speed and efficiency are absolutely crucial. D is incorrect because key management is one of the central challenges and components of any encryption system. The keys are central to encrypting and then decrypting data, and the corruption, loss, or exposure of the keys will either render the security useless or make the data unrecoverable. Each organization will have to carefully analyze its systems and applications where encryption is used, and based on the particulars of each system and application, where it is hosted, how it is accessed, and many other factors, make the most appropriate decision on how keys will be secured and managed. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 366). McGraw Hill LLC. Kindle Edition.

Answer 7

C. Healthcare Explanation: C. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the United States is concerned with the protection of patient privacy and the security involved with the protection of medical records. While a major part of the law protects workers and their families from losing health insurance when they change or lose their jobs, the other major parts of the law that are important in this context are the protection of patient data, the requirements to establish electronic healthcare transactions, and the attempt to standardize identifiers with healthcare institutions. A is incorrect because HIPAA is concerned with healthcare data, not financial data. Other major regulatory and standards systems are concerned with financial data, such as SOX and PCI DSS. B is incorrect because HIPAA has nothing to do with historical data beyond how it relates to healthcare data. As with most regulatory systems, there are requirements for data retention that establish minimum periods of time to maintain data, but the overall focus of the regulations is not “historical” in any sense. D is incorrect because HIPAA was established long before cloud computing came into existence, and it is not focused on specific technologies, but rather on the overall handling of records and security requirements. While HIPAA will certainly apply to any healthcare systems hosted in a hybrid cloud environment, that is not the purpose or focus of the law. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 367). McGraw Hill LLC. Kindle Edition.

Answer 8

A. Relying party Explanation: A. The relying party in a federated environment is the actual service provider that gives access to secure systems or data. The relying party consumes authentication tokens that are generated by an acceptable identity provider and then grants authorization to access the systems or data based on the successful authentication, and possibly based on specific attributes about the user or entity that are provided by the identity provider, enabling the relying party to make decisions about roles based on predefined configurations. B is incorrect because the identity provider is the generator of authentication tokens in a federated system, not the component that will consume and process them. The role of the identity provider is to perform authentication on users who are known to it, and in many instances to provide additional attributes and information about those users to the relying party so that it can make authorization decisions that are appropriate for the user and the data access they are attempting to use. C is incorrect because a cloud services broker does not play any role in a federated system or environment. The role of a cloud services broker is to take the cloud services offered by public or private cloud providers and then extend or add value to them through integration, aggregation, or by providing customized interfaces or data fields. D is incorrect because authentication provider could be another term for identity provider. Thus, the authentication provider would not be a consumer of authentication tokens, but rather a generator or provider of them. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 367-368). McGraw Hill LLC. Kindle Edition.

Answer 9

D. Use Explanation: D. The Use phase of the cloud data lifecycle is where the data is actually processed or consumed by an application or user. During the Use phase, data will transition between the data-at-rest and data-in-use states and will require additional security as it is exposed and accessed by systems. Therefore, it must be presented in an unencrypted state. This also extends the data security concerns from the server or storage aspect to the client aspect and the security of the specific device or client being used to access the data. Compared to some other phases, the Use phase is considered read-only because any modification or creation would fall under a different phase. A is incorrect because the Create phase is when data is first entered into a system, or modified from a previous form, and thus new data has been created. At the Create phase, the important initial decisions as to data classification are made so that security controls can be immediately placed on the data from the point of conception. These decisions will impact all later phases for the data and will govern much of its use and processing for its lifetime. B is incorrect because the Share phase is where data is made available for systems or applications outside of the original intended ones for the data. Because the data will be leaving the original system and its security enclave, security becomes an important aspect, as it is incumbent on the receiving party to secure it from that point onward. This is typically accomplished from auditing reports and operating agreements that establish security standards and requirements for all parties that will consume and accept the data. C is incorrect because the Store phase is where the data is officially recorded and entered upon its creation. This is usually a simultaneous process, or one that happens immediately after the creation of the data. Data can be entered in many different types of storage, including databases and file systems. Storage must be done with respect to the classification of the data, ensuring that appropriate security controls are in place immediately upon the data being entered. This is also the phase where concepts such as redundancy and backup methods are used on the data. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 368-369). McGraw Hill LLC. Kindle Edition.

Answer 10

D. Data in archive Explanation: Data in archive is not one of the official states of data as it applies to security and encryption. Although the other three states of data in use, data at rest, and data in transit will have implications and applicability to archiving, the concept of archiving is found within them and is not considered a state in and of itself. A is incorrect because data in use is an official state of data. During this state, data is actually consumed and processed by a system or application. As such, additional security controls need to be applied compared to when the data is in static storage. This also exposes the security from the client side because it will be what is viewing the data and in some instances processing the data as well. B is incorrect because data in transit is also an official state of data. During this phase, data will traverse networks and systems, typically between storage and processing entities. During this phase, particular security concerns arise because the data will usually cross systems and networks that are not under the control or security perimeter of the originating organization. This will often be mitigated by the use of encryption, where the entities on both sides are knowledgeable of the keys. This prevents any systems in the middle, or anyone who manages to capture the data, from being able to read or modify it. C is incorrect because data at rest is an official state of data. With this state, the data is contained within storage systems and is not actively being processed or consumed. This is typically the easiest state in which to secure data because technologies such as encryption and isolation can be used to prevent the access or exposure of data. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 369). McGraw Hill LLC. Kindle Edition.

Answer 11

B. FIPS 140 Explanation: B. FIPS 140 (specifically the current revision, FIPS 140-2) is a processing standard published by the United States government pertaining to the certification of cryptographic modules used within systems. Following this standard, which is contained in four levels, will ensure varying degrees of confidence in the security of cryptographic modules used to encrypt and decrypt data on systems. A is incorrect because FIPS 199 is a U.S. government standard that defines security categories of systems that are used by the government and are not specifically related to cryptographic modules. The FIPS 199 standard establishes low, moderate, and high categories for information systems, and it requires all agencies of the government to evaluate and rate their systems into one of the categories for confidentiality, integrity, and availability security concerns. The highest rating from any of these three areas becomes the overall rating of the system. For example, if a system is rated moderate for confidentiality and availability but high for integrity, then the system as a whole will be considered a high system. C is incorrect because FIPS 201 is a U.S. government standard that establishes guidelines for personal identity verification (PIV) for any employees or contractors of the federal government. The requirements apply to all federal government information systems and applications, with the exception of national security systems, which are covered under their own separate regulations and policies. The PIV standard advocates for the use of smartcard technology as a requirement for any identification systems, extending beyond the typical password requirements into the multifactor realm. D is incorrect because FIPS 153 is a standard relating to 3D graphics and has no impact on or role in cryptographic modules. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 370). McGraw Hill LLC. Kindle Edition.

Answer 12

B. Type 1 hypervisor Explanation: B. Type 1 hypervisors run directly attached to the underlying hardware of the host and do not have any software between them or dependencies on external operating systems. With configuration, the Type 1 hypervisor is highly optimized for its intended functions, and all code is removed by the vendor, with the exception of the code explicitly required for it. This removes the complexity and flexibility of operating systems, which even with all unnecessary services and functions disabled or removed will still contain large amounts of code or components that are not needed to operate the hypervisor. The direct tie between the hypervisor and hardware allows the vendors to lock down and patch specific to threats and exploits in their software only, without the need to rely on other libraries or components from operating systems, including being at the mercy of the operating system vendors to appropriately patch their own systems within a reasonable timeframe. A is incorrect because the management plane is a web portal or utility for managing hypervisors that runs within its own systems and software. This creates dependencies on operating systems and application frameworks that will run the portal or utilities, potentially introducing many security vulnerabilities and requiring the reliance on those vendors for timely and comprehensive patching. Because the management plane is used to manage and control hypervisors throughout the environment, any security exploit of it will potentially expose an entire infrastructure or data center to threats and exposure. C is incorrect because Type 2 hypervisors are software-based applications that reside on a host system and then launch virtual machines within them. With this type of configuration, the hypervisor is dependent on the operating system of the host, rather than running directly on top of the hardware with a Type 1 hypervisor. Due to this dependency, the hypervisor is potentially vulnerable to any security exploits that occur with the underlying operating system. Operating systems are also designed to support a wide range of applications and uses. Therefore, they will have large amounts of code and components that are not necessary for the use of the hypervisor, potentially exposing far more possible vulnerabilities to protect and monitor than if the hypervisor was dedicated and running on the hardware directly. D is incorrect because, as part of their nature, virtual machines run under host systems and therefore are dependent on them and are largely at their mercy from a security perspective. Any compromise of the host system can potentially render any virtual machines hosted by it vulnerable as well. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 371). McGraw Hill LLC. Kindle Edition.

Answer 13

A. Cross-site scripting Explanation: A. Cross-site scripting involves injecting scripts into web pages that are then executed on the client side by the browser. This allows an attack to run scripts using the permissions of the browser and any authenticated sessions to execute. This can expose web applications to potential attacks by allowing the bypassing of some security controls such as same-origin policies as well as by utilizing the credentials of a valid user to execute. B is incorrect because injection attempts involve sending segments of code through input fields in order to have the code executed by the system or application. This is done to attempt to access information and bypass security controls when the input fields are not properly validated or sanitized when submitted by the user. For example, a field may call for the user’s e-mail address, but an attacker may send SQL code in the input field. If the application does not properly validate the input fields, the application may either directly run the code or insert it into the database and then execute it later when a SQL command is run against that field. This can be used by an attacker to expose other database areas beyond those intended, or even to dump entire database fields or file system information back to the malicious actor. C is incorrect because unvalidated redirects occur when an application does not properly validate input and sets up a situation where users can be redirected through this untrusted input to external sites. Through this kind of attack, it is possible for the attacker to steal user credentials and attempt phishing attacks against users as well. Because the user went through a trusted application and was redirected by it, they may not be aware they are no longer sending input to the trusted application and are thus exposing their private data or privileged access. D is incorrect because a man-in-the-middle attack involves the interception of communications between two parties. The attacker attempts to read, alter, or redirect the data flows in such a manner that the parties are unaware it is happening and continue to use the transmissions as they normally would. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 372). McGraw Hill LLC. Kindle Edition.

Answer 14

C. Tokenization Explanation: C. Tokenization is the process of replacing sensitive data with an opaque or random value, with the ability to map back the value to the original real value. This allows an application to operate in the same manner in which it was coded and to use the same values as keys, but without using the actual real values, which may contain PII or other sensitive data. This can allow an application to conform to confidentiality or privacy requirements without the need for other, more expensive and intensive implementations such as encryption. With the ability to map back tokenized values to the original sensitive values, the system that contains the original mappings or is responsible for generating them must be protected and secured to prevent exposure. A is incorrect because obfuscation involves replacing sensitive or protected data fields with random information, typically for generating data sets for testing in nonproduction systems or other purposes similar in nature. The difference between tokenization and obfuscation is that, with obfuscation, the original mappings to the protected data are not maintained, nor are they important. Although this will be more secure than tokenization because the original mappings are not preserved anywhere, it also means that the data cannot be used in any meaningful way beyond functional testing or development purposes. B is incorrect because masking is another term for obfuscation. D is incorrect because anonymization involves replacing data so that it cannot be successfully mapped back to an individual. It is built on the concept of direct and indirect identifiers. Indirect identifiers are those attributes that by themselves cannot map to a single individual, but a combination of many indirect identifiers could lead to the identification of a specific individual. Anonymization is often used in conjunction with the obfuscation or tokenization of sensitive fields as a way of removing the indirect identifiers to ensure the data sets cannot be mapped back successfully through any means. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 373). McGraw Hill LLC. Kindle Edition.

Answer 15

A. Financial security Explanation: Financial security is not one of the specific security domains presented as part of the Cloud Controls Matrix (CCM). While many other domains will play into the protection of financial information, there is not a domain that is specifically related to it. This also includes the inclusion of costs as a factor in security, because only security controls and policies are part of the CCM. B is incorrect because mobile security is one of the specific domains outlined in the Cloud Controls Matrix. C is incorrect because data center security is one of the specific domains outlined in the Cloud Controls Matrix. D is incorrect because interface security is one of the specific domains outlined in the Cloud Controls Matrix, specifically labeled as application and interface security. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 373-374). McGraw Hill LLC. Kindle Edition.

Answer 16

B. ISO/IEC 17788 Explanation: B. ISO/IEC 17788 (specifically the latest revision, ISO/IEC 17788:2014) provides an overview and vocabulary for cloud computing. It defines much of the commonly used cloud terminology, such as service categories and cloud deployment models. A is incorrect because ISO/IEC 27001 is a general security standard that can apply to any type of system in any type of hosting environment. C is incorrect because ISO/IEC 17789 is focused on cloud computing and the reference architecture, including the common features that define cloud computing, such as measured service, broad network access, multitenancy, on-demand self-service, rapid elasticity and scalability, and resource pooling. D is incorrect because ISO/IEC 27040 is focused on security techniques as they relate to storage security. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 374). McGraw Hill LLC. Kindle Edition.

Answer 17

B. ZIP Code Explanation: B. As they relate to PII, ZIP Codes would not be considered a protected piece of information. A ZIP Code, being a broad geographic area, would not meet the definition required for PII because it solely cannot be used to identify an individual. However, combined with other various pieces of information, a ZIP Code could be used to narrow down information and possibly identify or distinguish an individual from others with similar attributes. A is incorrect because an address relates to a specific resident or location and, as such, can directly identify an individual. C is incorrect because biometrics can immediately and directly identify an individual, and most biometric markers will be unique to a single individual. D is correct because a personal phone number, and in many instances even a business phone number, can be directly tied to a specific individual and, as such, is definitely considered PII. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 374-375). McGraw Hill LLC. Kindle Edition.

Answer 18

C. Portability Explanation: Portability is the concept that allows a cloud customer to easily move between cloud providers at a later date. Portability takes into account the characteristics and features of a system or application that can lead to vendor lock-in and therefore are aspects that should be avoided. For example, if a cloud customer builds their systems or applications around specific APIs or features that are proprietary to a specific cloud provider, it will be almost impossible for the cloud customer to later move to a different cloud provider without incurring substantial costs in both time and money to change their applications, which would also expose them to significant risk for such an undertaking. A is incorrect because interoperability refers to the ability of a system or application to reuse components from previous versions or other applications in new ways. With this ability, developers can save time and money building applications and components through the use of code that not only is already written but also tested and verified by both users and security scanning. B is incorrect because reversibility refers to the ability of a cloud customer to remove all systems, applications, and data from a cloud environment as well as to ensure that all traces of them have been securely deleted. This is governed by contract terms for the level of assistance that the cloud provider must provide as well as the timeliness of having all tasks completed and verified. D is incorrect because broad network access is one of the core components of cloud computing, but it does not relate at all to moving between cloud providers. Broad network access refers to the ability to access cloud resources and systems from anywhere and over the public Internet, rather than through restricted network tunnels or specific physical networks. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 375). McGraw Hill LLC. Kindle Edition.

Answer 19

B. Edge computing ExplanatioN: B. Edge computing is a computing paradigm that is based on putting the processing of data and computing resources as close to the source of that data as possible. The main purpose of edge computing is to reduce latency by removing the need for data and computing resources to be accessed over remote networks. A is incorrect because an XML accelerator can be used to improve performance of the processing of XML data, but it is not a better answer than edge computing to deliver the lowest latency to customers. C is incorrect because data loss prevention (DLP) is used to prevent the accidental disclosure or leakage of data, but it is not used to lower latency for data access. D is incorrect because an intrusion detection system (IDS) will monitor for possible breaches and attempted breaches, but it will not improve latency for data access. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 376). McGraw Hill LLC. Kindle Edition.

Answer 20

D. Hardware Explanation: D. Hardware is not considered one of the core building blocks of cloud computing. With cloud computing specifically, hardware should not be a concern at all for cloud customers, because they will never interact with it or even have a need to really know what it is. All cloud services are segregated from the hardware layer, and cloud customers are only buying computing resources that are consumable in nature and specific to their computing needs. A is incorrect because CPU is a core building block of cloud computing. When new virtual machines or virtual appliances are provisioned in a cloud environment, one of the main selections made is in regard to their CPU resources. The measured service costs associated with each virtual machine and the aggregate total of CPU resources will tie directly into the costs of hosting with the cloud environment. With the cloud built entirely on virtual and logical infrastructure from the perspective of the cloud customer, CPU allocations per virtual machine can easily be changed with stopping and starting of a virtual machine after configuration changes have been made through the service portal. CPU is part of the resource pooling and is shared between the tenants of the cloud environment. B is incorrect because memory is a core building block of cloud computing. Much like CPU resources, memory is configured per virtual machine, and the individual or aggregate totals will tie into the cost structure for the cloud customer. Memory can also be changed after the provisioning configurations have been updated by a simple stopping and starting of the virtual machine instance. Memory is part of the resource pooling and is shared among the tenants of the cloud environment. D is incorrect because storage is also part of the pooled resources of a cloud infrastructure, and it shares similar qualities to memory and CPU as far as ease of changes and modifications after initial builds. Depending on the cloud service category, storage will come in different formats, and billing may differ as a unit cost based on the type of storage selected. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 376-377). McGraw Hill LLC. Kindle Edition.

Answer 21

D. Costs Explanation: D. The audit scope statement focuses on the reasons and goals for conducting the audit, and the costs associated with the audit are handled under different processes. By the time an audit scope statement is being worked out between the organization and the auditor, costs will have already been determined and the scope will focus on the technical and procedural details of the audit. A is incorrect because the statement of purpose is the first step in the audit scope statement. The statement of purpose covers the reason for the audit. Typically, audits can be conducted either for internal purposes of the organization and at the organization’s own request or they can be conducted to fulfill requirements from regulations. In the case of regulations, the statement of purpose, as well as many aspects of the audit scope as a whole, may be dictated by the regulatory requirements pertinent to the type of application or data under review. B is incorrect because deliverables are a key component to an audit scope statement. While all audits will ultimately result in the production of certain reports, these reports can differ greatly based on the audience or purpose of the audit. The scope will cover the format of the deliverables, which can be textual reports, presentations, or even formatted specifically for import into software applications for tracking. This also includes who should receive the reports in the end. In most instances, even if they are done for regulatory reasons, unless the auditors are tied directly to the regulators, the reports will first go to management for review and will then be made known to the regulators. C is incorrect because the classification of the data, as well as the reports produced, is a key consideration of an audit scope. Under most regulatory systems, the classification of the data will directly tie into the type and scope of audit as well as to what degree specific security controls are tested and what is required of them. When the report is ultimately produced, it could fall under classification requirements as well, depending on the system and data. Audit reports should be well protected at all times because they essentially contain information about verified and perceived weaknesses of the security controls employed on a system as well as information pertaining to specific threats and the likeliness of their successful exploit. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 377-378). McGraw Hill LLC. Kindle Edition.

Answer 22

D. PIN code Explanation: A PIN could not be used as part of a multifactor authentication system if a password is also used because a PIN is essentially a type of numeric password, so both would be in the same category of authentication types—in this case, something “known” to the user. A is incorrect because a fingerprint could be used along with a password for multifactor authentication. The password would be something “known” to the user, while the fingerprint would be something in the user’s possession as well as being a biometric factor. B is incorrect because an RSA token could be used as secondary factor with multifactor authentication if a password is used as well. The RSA token represents a PIN code, and the user would need to be in possession of the token in order to know the regularly changing PIN code that the token has at the time the PIN code needs to be entered. This would satisfy the multifactor requirements because the password would constitute something “known” to the user and the RSA token would be something in possession of the user. C is incorrect because the use of a text message as a secondary factor along with a password would satisfy the requirement for multifactor authentication. To receive the text message with a secondary code, the user would need to be in possession of a preregistered device, which would be something in their possession. Because the device would have to be preregistered with the system to receive the text code, this also is a robust security system because it would negate someone from getting a new device and then trying to use it to access the system. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 378). McGraw Hill LLC. Kindle Edition.

Answer 23

A. ISO/IEC 27050 Explanation: A. ISO/IEC 27050 is a standard focused on eDiscovery processes and how best to approach an order. The goal of the standard is to establish common terminology, give an overview of the eDiscovery process, and then provide guidance and best practices for conducting the data collection, including discovery, preservation, and analysis. B is incorrect because ISO/IEC 17789 provides a reference architecture for cloud computing and is focused on general cloud computing design and implementation. While some information contained would be useful in some instances of eDiscovery, the standard itself does not address eDiscovery at all or provide any guidance toward it. C is incorrect because ISO/IEC 27001 is focused on general security principles and best practices and does not have any specific guidance or focus on eDiscovery processes or anything that is involved with them. D is incorrect because ISO/IEC 17788 provides terminology and definitions for cloud computing in general but does not have any focus on or sections pertaining to eDiscovery at all. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 379). McGraw Hill LLC. Kindle Edition.

Answer 24

C. Cloud service administrator Explanation: C. The activity of a cloud service administrator is not one of the defined cloud computing activities in ISO/IEC 17789. A is incorrect because the cloud service provider is an official role established in ISO/IEC 17789. The cloud service provider is the entity that makes cloud services available to users or customers, regardless of the cloud deployment model or hosting model used. B is incorrect because the cloud service partner is an official role established in ISO/IEC 17789. The cloud service partner is defined as an entity that assists the cloud service customer or the cloud service provider, or both, in the delivery of cloud services. D is incorrect because the cloud service customer is an official role established in ISO/IEC 17789. The cloud service customer is defined as any entity that has a business relationship for the use of cloud services. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 379-380). McGraw Hill LLC. Kindle Edition.

Answer 25

B. GLBA Explanation: The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is specifically focused on the use of PII by financial institutions and the necessary requirements for the protection of it. The act contains what is known as the Safeguards Rule, which puts the specific requirements and burdens on financial institutions to protect the privacy and personal information of their customers. The act also requires regular notification of the privacy practices of financial institutions as well as with whom they share personal information and for what purposes. A is incorrect because the Sarbanes-Oxley Act (SOX) is focused on the protection of stakeholders and shareholders from financial irregularities, improper practices, and errors by organizations. The act also outlines specific requirements for data retention and preservation of financial and system records. C is incorrect because the Health Insurance Portability and Accountability Act (HIPAA) is focused on privacy and personal information as it relates to healthcare and health records. It has no bearing on financial institutions at all. D is incorrect because PCI DSS is a financial industry regulation as it pertains to organizations that accept credit card payments from the major credit network providers. It is focused on security requirements and records retention for those types of transactions specifically and does not apply to personal data or the financial sector in general. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 380). McGraw Hill LLC. Kindle Edition.

Answer 26

B. Network Explanation: B. Network is not a defined cloud service capability. Network services are a major component of cloud computing in general, and all service capabilities heavily use and depend on network services, but network is not a standalone category. A is incorrect because infrastructure is one of the three cloud service capabilities. This is why Infrastructure as a Service is one of the three main cloud service categories, where the cloud provider is responsible for the physical environment and making services available, but the cloud customer is responsible for the virtual machines, configurations, storage, and almost all aspects of maintenance. C is incorrect because platform is one of the three cloud service capabilities. Platform as a Service, being one of the main cloud service categories, is where the cloud provider makes available to the cloud customer virtual machines with application frameworks installed and configured, where the cloud customer just needs to load their application code and data. The cloud service provider is responsible for the patching and maintenance of the virtual machines and the associated frameworks running on them. D is incorrect because software is one of the three cloud service capabilities. Software as a Service is one of the main cloud service categories, and one where the cloud provider is responsible for the infrastructure up through the fully functional application. The cloud customer may have limited configuration or default settings to leverage but otherwise is responsible for importing or loading applicable data and then for user account management. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 380-381). McGraw Hill LLC. Kindle Edition.

Answer 27

D. Future use Explanation: D. The future use or intended use of data should have no bearing on the classification of it. The classification of data should be based on the sensitivity of the data, any regulatory requirements, and the potential risks and costs associated with compromise. Applications and services that intend to use data must adapt their security controls and policies to the classification of the data. The data should not be classified based on the demands or needs of specific applications or users. A is incorrect because metadata is one of the keys for classifying data. Information about the creation of data, the time of creation, who created the data, where and how it is stored, and the specific fields involved all play heavily into data classification, and all fall under the concept of metadata. B is incorrect because any data that contains PII will automatically have legal or regulatory requirements placed on it for data classification. In most regulatory systems, the inclusion of PII will have automatic ramifications on the classification level of the data and the necessary security controls that must be used on it. C is incorrect because the creator of data can definitely have an impact on the classification level of it. For example, if the creator of data is a doctor’s office and the nature of the data is healthcare related, then the data will automatically assume certain data classification requirements. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 381-382). McGraw Hill LLC. Kindle Edition.

Answer 28

D. Location Explanation: D. The location of the data, and any jurisdictions that the location falls under, will always be the prevailing factor for determining which regulations apply to it, regardless of what type of data it is. A is incorrect because while PII will have a definite impact on the regulations that apply to data, it is a subsection of the overall data classification requirements. B is incorrect because the classification of the data will always have a major impact on the regulations that apply to it, but the jurisdiction, based on location, is ultimately what makes that determination. C is incorrect because while the population of the data can certainly have an impact on the regulations that apply to it, it is a subset of the overall data classification requirements. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 382). McGraw Hill LLC. Kindle Edition.

Answer 29

C. Baselines Explanation: C. Baselines are set configuration standards and requirements that apply to a system or application. Baselines are often part of regulatory or legal requirements and oftentimes follow published industry standard guidelines. A is incorrect because images form the basis for virtual machines but are the end result of applied configurations and requirements, not the mechanism for applying or ensuring their compliance. B is incorrect because repudiation deals with the verifiability of an individual and proof of their activities and does not have any impact or bearing on system configurations or regulatory requirements, though repudiation and nonrepudiation may certainly be themes of regulatory requirements. D is incorrect because interoperability has to do with the ability of systems or applications to reuse components or code to make development simpler, more granular and efficient, and less costly. It does not have anything to do with regulatory requirements or their enforcement. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 382-383). McGraw Hill LLC. Kindle Edition.

Answer 30

B. Chain of custody Explanation: B. When a company is dealing with eDiscovery orders, the chain of custody is extremely important as it pertains to official legal proceedings. The chain of custody documents everyone who has had possession of the data, in what format, and for what reasons. For data to be admissible for legal proceedings, the chain of custody is vital in showing that nothing has been tampered with and that everyone in possession of the data can be questioned and investigated, if needed. A is incorrect because although encryption may be used as part of eDiscovery to sign, preserve, and protect any evidence that is collected and turned over, especially if the data is sensitive, in general it is not a required element of eDiscovery. C is incorrect because although compression may be used when preserving and submitting evidence pursuant to the order, it is not a required element and will have no bearing on the overall process of eDiscovery. D is incorrect because confidentiality may or may not be a factor with eDiscovery, depending on the nature of the data requested and the types of systems involved. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 383). McGraw Hill LLC. Kindle Edition.

Answer 31

A. Limits Explanation: A. Limits are put in place to enforce the maximum amount of compute resources that any one tenant or system can consume. The limits can be placed on various levels and units, ranging from a specific virtual machine to a cloud customer for the aggregate of their utilization across all systems. They are designed to ensure that no single host or customer can utilize enormous resources that will ultimately make the cloud provider unable to properly allocate resources and serve the needs of other cloud customers. B is incorrect because multitenancy is the larger concept that deals with hosting multiple, different cloud customers within the same cloud environment. While it is certainly the driving reason why the need for balancing resource allocations is necessary, that concept itself does not play into the specific details of implementations like this. C is incorrect because a reservation is the minimum amount of resources guaranteed to a cloud customer within the environment. A reservation will typically guarantee to a cloud customer that they will have the minimum required resources necessary to power on and operate their services within the environment. Reservations also offer insurance against denial of service (DoS) attacks or other customers using such large amounts of resources that the cloud customer cannot operate their services. D is incorrect because shares are focused on cloud customers requesting more resources for allocation and provisioning than are currently available in the environment. Shares establish a prioritization and weighting system, defined by the cloud provider, that determines which systems, applications, and customers will receive priority for additional resource requests when utilization is high and resources are limited. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 384). McGraw Hill LLC. Kindle Edition.

Answer 32

B. Data steward Explanation: B. The data steward is responsible for overseeing an organization’s policy in regard to data access as well as for evaluating access requests and matching them with organizational policy to ensure compliance and proper use. If the business purpose is acceptable, the data steward is responsible for ensuring that appropriate approvals have been obtained and documented as well. A is incorrect because while the data owner has final authority and responsibility over data policies and access, the data steward is the position officially designated for directly carrying out those duties. The data owner is responsible for establishing the risk management approach to data security and access in conjunction with management and then matching this to the organizational policies or regulatory requirements. C is incorrect because the data processor is the one who actually uses the data within an application or service. As the consumer of the data, the data processor does not play a role in granting data access or policy enforcement. D is incorrect because the term data controller is synonymous with data owner; they have the same duties and responsibilities. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 384-385). McGraw Hill LLC. Kindle Edition.

Answer 33

D. Before the image is created Explanation: D. The optimal time for the application of baselines for use with auto-scaling is before the image is created that will be used in production. With auto-scaling, you want the systems ready to be used with minimal additional configurations as soon as they are enabled within the cloud. Applying baselines, along with verification of them before the image is created to be used, will alleviate the need to do so after a new virtual machine is powered on as well as increase the immediate availability of it. A is incorrect because applying baselines after a virtual machine is brought online would dramatically delay the availability of the new system and create additional work and processing that are needed before it can be used. This would negate the intended goal and purposes of auto-scaling. B is incorrect because penetration testing would not be done immediately upon new systems enabled via auto-scaling. Certainly, penetration testing against the image, before it is created and finalized for use with auto-scaling, is desirable, but the correct time is not as a post-process after the image is enabled. C is incorrect because doing baseline applications after a new virtual machine is enabled would negate the benefits and speed of auto-scaling, and with the use of an image for all new systems, this would create redundant work versus doing the baseline application before the image is finalized. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 385). McGraw Hill LLC. Kindle Edition.

Answer 34

C. Licensing Explanation: C. With PaaS, the cloud provider is giving the cloud customer a fully functioning environment, including the operating system and any middleware or application framework components. As part of the services, the licensing costs and tracking are the responsibility of the cloud provider and are factored into the metered costs of the cloud customer. A is incorrect because staffing comes in many different forms, with many different parties involved. Within cloud computing, although the cloud provider has staffing to maintain the environment, due to self-service provisioning, staffing is not needed as additional virtual machines are brought online or new services provisioned; this is all handled through automated processes. B is incorrect because development is not part of the services from a cloud provider, nor is it included in the costs from the cloud provider for cloud services. Development would be done under its own contract, or possibly even under contracts that incorporate the costs of the cloud hosting services as well. However, it would not be a direct part of the metered services from the cloud provider as additional resources are allocated or provisioned. D is incorrect because auditing is part of all cloud server categories and is documented in the contract and SLA requirements. It is not a specific part of any one category over another, though it can differ in scope based on the specific category used. Regardless, it does not relate to the metered costs of any cloud category. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 386). McGraw Hill LLC. Kindle Edition.

Answer 35

C. FIPS 140-2 Explanation: C. FIPS 140-2 is a certification for cryptographic modules based on the specific needs and requirements for the level of encryption and the protection of them. It is based on both software and hardware requirements and the level of control, features, and protections that each has. It is not a regulatory framework with compliance requirements. A is incorrect because FedRAMP is a regulatory framework that the United States federal government uses to assess and certify cloud services for its use by federal agencies. As part of FedRAMP, there is a certification process for low and moderate systems, as well as high systems as of 2016, to meet requirements and auditing. One aspect of FedRAMP is that it was designed for use by any federal agency once a provider had been certified, removing the need for each agency to conduct its own certifications and audits of the cloud services provider. FedRAMP is available for use by civilian agencies and can be used for data and systems other than those for national defense. B is incorrect because HIPAA relates to regulated healthcare and personal data within the United States, and it sets strict and extensive requirements for how this data must be protected. It is specialized for healthcare data and supersedes any other regulatory requirements to which a system or data might be subjected. As part of HIPAA regulations, data controllers are subjected to increased scrutiny for the methods and processes they use to protect personal and patient data. D is incorrect because PCI DSS is an industry-specific regulation and oversight framework, established by the major credit card companies and networks, and is a requirement for any business that conducts transactions over those networks. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 386-387). McGraw Hill LLC. Kindle Edition.

Answer 36

A. Private Explanation: A. Private clouds offer the most control and ownership for an organization. With a private cloud, an organization will either have sole ownership or be a strategic paying partner with the entity running the cloud and thus have much more influence and input into decisions and policies than any other model affords. B is incorrect because an organization would have very little say, or possibly even no say, in how a public cloud operates or functions. Public clouds typically offer free services to the public at large, or offer services to any customer willing to pay. With the large number of customers or free services offered, it is not possible for a public cloud to take into account individual demands from customers or for customers to have any reasonable expectation of their demands being met. Public clouds are intended to serve mass populations and to do so cheaply and efficiently. They are not intended for a large degree of customization or for adapting to the particular needs of individual customers. C in incorrect because while a community cloud will typically offer customers a higher degree of input and influence than a public cloud, it will not match what a private cloud can offer. While a community cloud will usually have a smaller subset of users, who share many common traits, it is still bound to serve multiple different customers with their own needs, desires, and expectations. Any requested changes by one customer would almost certainly have an impact on other customers, so it is difficult to allow customers to have significant influence for particular needs or requests. D is incorrect because a hybrid cloud itself is not an entity that an organization could have influence over; it is a concept that involves the use of multiple cloud deployment models. As such, the positives and negatives of each environment would be combined within a hybrid cloud and ultimately would minimize the level of influence a cloud customer could have. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 387-388). McGraw Hill LLC. Kindle Edition.

Answer 37

D. Confidentiality Explanation: D. The purpose of encryption, first and foremost, is to prevent the unauthorized viewing of data. While encryption can be a useful tool when used in conjunction with other tools (for digital signing and nonrepudiation, for example), the protection against unauthorized access to data is its primary intended use and focus. With the use of modern and strong encryption techniques, along with the proper protection of keys, data can easily and efficiently be rendered inaccessible and virtually unbreakable. A is incorrect because encryption is not focused on integrity, or useful to protect it, in any reasonable sense. Encryption is focused solely on the confidentiality aspect of security overall. While it will prevent a user from accessing the data to modify it, especially while the data is at rest, it is not a tool that can be used with an application or live environment to prevent the unauthorized modification of data once it is accessible. B is incorrect because encryption will not promote or assist in availability at all. Instead, it is merely designed to protect the confidentiality of data. C is incorrect because encryption will not prevent the destruction or deletion of data at all. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 388). McGraw Hill LLC. Kindle Edition.

Answer 38

B. Application virtualization Explanation: B. Application virtualization allows you to run parallel application deployments in the same environment for the purposes of testing new features or patches. It differs from sandboxing because it does not require distinct systems or segregated networks to function, and it can be focused purely at the application level. It takes far fewer resources to set up and use than sandboxing. A is incorrect because sandboxing goes far beyond isolating applications for testing. With sandboxing, you are setting up totally separate and distinct virtual machines, and in most cases network isolation as well. Although sandboxing could be used to test new features for applications, it goes far beyond that mandate. Therefore, application virtualization is a more appropriate approach to take. C is incorrect because a honeypot does not have anything to do with the testing of new application features or the isolation of them. A honeypot is a security concept of setting up servers and data that appear to be legitimate production systems in order to entice attackers to go after them instead of the real systems. The security team can then use the attacks and traffic they see going against the honeypot to block sources or refine security controls and configurations of the actual production systems. D is incorrect because a federation is a concept within identity and access management and does not have any relationship to or impact on application isolation or testing. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 389). McGraw Hill LLC. Kindle Edition.

Answer 39

D. Auditors Explanation: Auditors would not be included or considered during the collection of requirements for an application or system. While auditors will play a role later in any new design or modification by ensuring compliance with regulation and policy, they would not be involved at an early stage at all. The role of an auditor is to validate configurations, policies, and practices against the regulations they are designed to comply with as well as to establish a gap analysis between the desired and actual state of the system or application, not to be involved with design or development decisions. A is incorrect because users would be a primary concern and focus during the requirements-gathering stage of a system or application. Input from users, as the ultimate consumers of the system, is vital for a system to work efficiently and easily, with features that consumers find beneficial and productive. Without the input of users, stakeholders and developers are left to assume their decisions are what people will ultimately desire and need, and substantial gaps between their perceptions and the perceptions of users are very likely. This could lead to a system that does not meet expectations, or even ultimately fails to catch on with consumers. B is incorrect because management has the major financial role and responsibility to both shareholders and users of a system or application. While the users and their satisfaction will ultimately decide the fate or success of an application, management sets the direction and desired features of the application as well as ensures compliance with regulators. Management also has the responsibility for protecting both personal and financial data, and it needs to be heavily involved at all stages to set priorities and budgets for development as well as to make decisions as to which requirements to focus on and which might be deferred to a later version or update. C is incorrect because regulators and the regulations they enforce will have a strong influence on all aspects of an application in regard to security and policies. Many of the features and configurations of a system or application will be driven directly by regulations, or at least choices in approach will be limited by regulations. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 389-390). McGraw Hill LLC. Kindle Edition.

Answer 40

D. Requirement analysis Explanation: D. The requirement analysis phase is where the specific hardware and software platforms with which the programmers will work are decided, along with the specific functionality and features that are expected. This will then be used during the design phase for the programmers to plan the actual coding and methodology to develop the application around to meet the design requirements. A is incorrect because the requirement-gathering phase is where the mandatory requirements and success criteria for the development and overall project are decided. This involves representation from all stakeholder groups as well as an analysis of any regulatory requirements that must be adhered to. The overall budget and timeline for the project are also decided at this phase. B is incorrect because the development phase is where the actual coding of the application occurs and where the executable code is compiled. As each segment of code is completed and each milestone reached, functional testing is completed against the code to ensure that it functions as designed and required. The development phase is typically the longest phase of the SDLC process. C is incorrect because the design phase is where the requirements for and decisions on platforms and technologies are combined to form a project plan to create the actual code. This phase also includes the merging of security and risk management concerns into the overall plan as well as the testing and validation to be completed during the development phase. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 390-391). McGraw Hill LLC. Kindle Edition.

Answer 41

A. GDPR Explanation: A. The General Data Protection Regulation (GDPR; EU 2016/679) is a regulation, covering the European Union and the European Economic Area, pertaining to data protection and privacy. The GDPR is a uniform regulation throughout the EU and covers all countries, citizens, and areas under its jurisdiction, regardless of where the data is created, processed, or stored. The regulation places the burden for technical and operational controls on the entities using and storing the data for the protection and enforcement of it. Under the GDPR, organizations must make it known to users what data they are collecting and for what purpose, whether it will be shared with any third parties, and what their policies are for data retention. The GDPR grants the right to individuals to obtain a copy of the data that an organization is storing in regard to themselves as well as the right to request deletion of the data in most instances. B is incorrect because the Health Insurance Portability and Accountability Act (HIPAA) is focused on healthcare data and the privacy and protection of patient data by covered healthcare professionals. It does not pertain to the privacy regulations regarding the European Union. C is incorrect because the Sarbanes-Oxley Act (SOX) pertains to financial and accounting records and their transparency to regulators and shareholders. It involves reporting requirements and data-retention requirements and does not pertain to the privacy of individuals or interactions with the European Union at all. D is incorrect because the Gramm-Leach-Bliley Act (GLBA) pertains to PII and financial institutions. It requires that financial institutions provide all users and customers with a copy of their privacy policy and practices, including when and with whom customer information may be shared. It also puts the burden on financial institutions for adequate security controls and oversight of any personal data they collect or store from customers. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 391-392). McGraw Hill LLC. Kindle Edition.

Answer 42

A. Dynamic optimization Explanation: A. Dynamic optimization is the continual and automatic process within a cloud environment of shifting resources and virtual machines between physical hosts and resources to ensure a proper balance is maintained. This ensures that a single physical host or a subset of physical hosts does not become maxed out on resources and thus impact other customers or virtual machines on the same host. This ensures availability and auto-scaling and makes sure any provisioning requests are able to be met as they come in from customers. B is incorrect because auto-scaling pertains to the automatic and programmatic mechanisms for scaling up or down a system or application based on load and demand. It pertains only to the system or application in question and does not pertain to the resources of the overall environment or to meeting the needs of each tenant. C is incorrect because elasticity refers to the ability of the environment to provision and de-provision resources to meet current needs in a programmatic and automated way. If elasticity is implemented correctly, the systems and applications should ideally have the exact resources they need at any time and not have an excess or deficit of resources. D is incorrect because resource pooling refers to the overall sharing of the aggregate resources available in a cloud environment between all the individual tenants of the environment. It refers to the overall allocation of resources and is not related to the ability to adapt to specific situations or demands on a system or application. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 392). McGraw Hill LLC. Kindle Edition.

Answer 43

B. Object Explanation: B. Object storage is a type of IaaS storage where files and objects are physically stored on a separate system and are referenced by a key or token value. It differs from traditional storage, as it does not contain any organizational or hierarchical capabilities; instead, everything is stored in a flat system with a token or key as the only reference for access. It is heavily used for media objects such as pictures and videos as well as for the storage of larger files where organization is not relevant, such as virtual machine image files. A is incorrect because structured is a type of storage under Platform as a Service, and it is typically related to storage types such as databases that have defined structures and rules pertaining to how the data is organized and stored. C is incorrect because while volume storage is a type used under IaaS, it involves and resembles traditional storage, with a file system and tree structure where data can be organized and accessed in the same manner as a traditional server (by pathname and filename). D is incorrect because unstructured is a type of storage under PaaS that is used for handling data objects that will not fit within a structured system. This includes websites and web pages, their associated components, media files, images, and anything else that will not fit within a typical database paradigm. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 393). McGraw Hill LLC. Kindle Edition.

Answer 44

D. Geofencing Explanation: D. Geofencing is the use of location technology, such as Wi-Fi, cellular networks, RFID tags, IP address locations, or GPS, to control access to or the behavior of devices. By using geofencing, a company can implement additional security layers by only allowing the use of certain devices or actions in specific areas, such as in a company’s office location. A is incorrect because although RFID is one technology that can be used to implement geofencing, it is not the best answer. B is incorrect because broad network access refers to the overall ability to access cloud services from anywhere with network access. Therefore, it is not pertinent to the question. C is incorrect because although geolocation will serve to tell a system where a user is located and connecting from, it will not allow for the implementation of security measures by itself. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 393). McGraw Hill LLC. Kindle Edition.

Answer 45

A. Define scope Explanation: A. After the objectives within an audit have been defined, the defining of the scope is the next step. This involves the specifics of what is to be tested as well as all the details about how and when it will be tested. B is incorrect because conducting the audit occurs after both the scope and objectives have been defined, which will serve as the roadmap for the actual audit. C is incorrect because the identification of stakeholders will be done as part of initially defining objectives and will then be refined some during the defining of the scope. D is incorrect because gathering documentation is not a step itself and is done as part of both the defining objectives and defining scope steps. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 394). McGraw Hill LLC. Kindle Edition.

Answer 46

D. Cryptography Explanation: D. Cryptography as an overall concept is a specific domain of ISO/IEC 27001:2013, which covers all of the various aspects and methods where cryptography is used within IT services and operations. A is incorrect because firewalls are covered under network domains and are not a specific domain themselves. B is incorrect because IPS is covered under network and application security and is not a domain itself. C is incorrect because a honeypot is a security mechanism for capturing and analyzing attack attempts against systems that uses a similar-looking server with fake data designed to entice attackers. The application owners can then use the exploit attempts that are directed toward the honeypot to refine and augment security controls on the actual production systems. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 394). McGraw Hill LLC. Kindle Edition.

Answer 47

A. REST and SOAP Explanation: A. Representational State Transfer (REST) and Simple Object Access Protocol (SOAP) are the two main types of APIs used within cloud-based systems. SOAP is focused on providing a structured information exchange system for web services, and REST is a protocol for using HTTP requests to access and manipulate data. B is incorrect because although SOAP is one of the two methods, XML is a protocol for encoding and representing data and is not one of the two main API types for cloud-based systems. C is incorrect because although REST is one of the two methods, XML is a protocol for encoding and representing data and is not one of the two main API types for cloud-based systems. D is incorrect because although REST is one of the two methods, HTTPS is a protocol for secure communication extensions to the HTTP web protocol and is not one of the two types of APIs used by cloud-based systems. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 395). McGraw Hill LLC. Kindle Edition.

Answer 48

A. XML accelerator Explanation: A. An XML accelerator is designed to sit in front of application servers or services and APIs for the purpose of offloading processing and validation of incoming XML. It is a highly scaled and tuned appliance for handling its specific purpose and will allow the back-end service providers to focus on business logic rather than processing and validating the incoming data. B is incorrect because an XML firewall is designed to protect systems and scan data as it is coming in and out of an application or data center for validity, but it does not provide the processing capabilities and application interaction of an XML accelerator. C is incorrect because a web application firewall is designed to inspect web traffic coming into an application to detect security exploit attempts or other signatures of the traffic and take specific action against them based on what policies are matched. This can include redirecting or blocking the traffic before it reaches the application. D is incorrect because a firewall is designed to control network communications between sources and destinations as well as the ports the networks are communicating over. It does not perform content inspection on packets. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 395-396). McGraw Hill LLC. Kindle Edition.

Answer 49

A. Token Explanation: A. With a single sign-on system, once the user has successfully authenticated, they are issued an opaque token that can then be used to access systems that are part of the federation. Each system can validate the token back to the identity provider to ensure it is current and to gain information about the user to then make informed decisions on authorization within the application. B is incorrect because a key would typically refer to encryption and is not used to refer to maintaining the session and presence within a single sign-on system. C is incorrect because XML is a standard for data encoding and presentation and would not be used for proving identity after successful login. D is incorrect because SAML is used within a federated system to pass information about the user for authorization or registration purposes, but it would not be used to validate the authentication in the way the token would be. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 396). McGraw Hill LLC. Kindle Edition.

Answer 50

C. Service level agreement Explanation: C. The service level agreement (SLA) will determine and document the requirements and expectations for factors such as uptime and availability within a cloud environment that are expected to be met by the cloud provider. This will be done on a percentage basis that represents how much unscheduled or unplanned downtime is allowable within a specified period of time, and it will be specific to the applications and systems in question. A is incorrect because the contract is the high-level formal agreement between the cloud provider and the cloud customer that documents the requirements for policies and resources covered for an agreed-upon price, but it does not specify operational details such as availability and uptime requirements like the SLA would, or the metrics used to evaluate them. B is incorrect because an operational level agreement is similar to an SLA but is used internally between components of the same organization to document duties and responsibilities; it would not pertain to the relations or arrangements between the cloud customer and the cloud provider. D is incorrect because regulations may serve as the inputs or requirements for specific performance metrics, but not how they would be enforced as part of the business relationship. They would be captured within the SLA, where their requirements and metrics are established. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 396-397). McGraw Hill LLC. Kindle Edition.

Answer 51

D. Virtualization Explanation: D. Virtualization makes repeated audits and verifications difficult within a cloud environment because it is almost impossible to ensure that the system being tested now is the same as the previous one. In a virtual environment, images are changed often and systems reimaged for patches or other changes. This differs from a traditional data center, where servers are physical assets that can easily be verified as being the same system as before, even if upgrades and features have changed over time. A is incorrect because multitenancy refers to the hosting of multiple customers within the same cloud environment and within the same pool of resources, and it would not play into the ability to audit or ensure consistency over time. B is incorrect because resource pooling refers to the aggregation of resources from the entire cloud environment and how they are made available to all the customers within the cloud environment. It would not be a factor in auditing consistency over time. C is incorrect because elasticity refers to the ability for systems to automatically scale up or down to meet current demands without having an excess or deficiency of resources at any given point. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 397). McGraw Hill LLC. Kindle Edition.

Answer 52

C. Quantitative Explanation: C. Quantitative assessments are data-driven and assign numerical values for various metrics to do comparisons. Prominent calculations used with quantitative assessments are the single loss expectancy (SLE), annualized rate of occurrence (ARO), and the annualized loss expectancy (ALE). A is incorrect because qualitative assessments are done with nonnumerical data and are descriptive in nature. They typically involve reviews of documentation and interviews with system maintainers, developers, and security personnel. Many times, qualitative assessments are done when an organization lacks the time, money, or sophistication to conduct a quantitative assessment. B is incorrect because while numeric sounds similar to quantitative and encapsulates key aspects of that type of assessment, it is not an official term for a type of assessment. D is incorrect because metric is a type of value and measure used with quantitative assessments; it is not a type of assessment itself. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 398). McGraw Hill LLC. Kindle Edition.

Answer 53

B. Legal compliance controls Explanation: B. The SOC 2 reports do not contain the legal compliance controls as a factor because they can differ greatly from one jurisdiction to another, and each regulatory system will have its own compliance requirements and auditing demands. A is incorrect because the monitoring of controls is one of the seven main categories under SOC 2. It pertains to organizations effectively testing and verifying their controls are adequately addressing their intended threats as well as ensuring that mechanisms put in place are still in place and have not been changed through unintended or unauthorized means. C is incorrect because change management is a core component of SOC 2 reports and how an organization oversees and verifies the process of changes within their environments. This includes documentation, approvals, and risk management evaluations for all proposed changes as well as tracking their completion and the signoff from functional testing and validation. D is incorrect because system operations and how an organization runs its systems through policies and procedures is a core component of evaluation under the SOC 2 reports. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 398-399). McGraw Hill LLC. Kindle Edition.

Answer 54

C. GAPP Explanation: The Generally Accepted Privacy Principles (GAPP) was established by a joint effort between the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). It serves to assist organizations and their management in developing strong privacy programs that address risk and regulatory requirements. A is incorrect because the Gramm-Leach-Bliley Act (GLBA) was established by the United States federal government to deal with financial organizations and the way they handle personal and private information. B is incorrect because the Health Insurance Portability and Accountability Act (HIPAA) was established by the United States federal government and pertains to the protection of private health information and records. D is incorrect because the ISO/IEC 27001 standards on security were established by the joint technical committee between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 399). McGraw Hill LLC. Kindle Edition.

Answer 55

B. Reversibility Explanation: B. Reversibility refers to the ability for a cloud customer to withdraw their data and configurations from a cloud environment quickly and efficiently. The cloud provider must also provide assurances and a timeline for securely and completely removing the data from within their environment. A is incorrect because portability refers to the ability for a system or application to move between different cloud providers, but it does not relate to the ability to securely remove the data and configurations from one environment and move them to another. Instead, portability is purely focused on the ability to move or migrate. C is incorrect because sanitation commonly refers to the ability to ensure that data has been securely deleted and wiped from a system. It does not pertain to the ability to extract data or configurations from an environment. D is incorrect because wiping would be the same concept as sanitation in this case, and it would therefore have the same limitations and concepts that apply to sanitation. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 399-400). McGraw Hill LLC. Kindle Edition.

Answer 56

A. TLS Explanation: A. Transport Layer Security (TLS) is the standard protocol used for sending encrypted traffic over a network between two parties. It has replaced SSL, which is no longer considered secure enough for general usage. TLS supports much stronger and more robust encryption ciphers. B is incorrect because SSL was the predecessor to TLS and has been replaced as the standard method for encrypting communications over the network. At this point, SSL is considered insecure because it uses weaker and older ciphers that no longer provide adequate protection or assurance of security. C is incorrect because IPSec is a communications method that is used to encrypt traffic between two hosts. However, it is not in widespread use due to resource limitations and demands. It also requires known hosts to be configured to use it, and it is not a general-purpose encryption method that is widely available. D is incorrect because DNSSEC is used to verity the integrity and authority of DNS resolution and lookups back to their intended issuer. It digitally signs DNS resolutions that can be verified back to their source, thus preventing the spoofing or redirecting of network traffic by sending out incorrect IP address resolutions to hosts. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 400). McGraw Hill LLC. Kindle Edition.

Answer 57

B. VLANs Explanation: B. Because cloud environments do not have the ability to physically separate networks the same way a traditional data center would, they rely on logical separations with VLANs to keep systems isolated from others. This enables security to be controlled within the VLAN and allows similar systems and applications to communicate with each other within a secure enclave where the separation of physical networks and cabling is not possible. A is incorrect because subnets break up larger networks into logical sections for IP addressing and organization, but they do not contain the protections and segregations that VLANs afford and allow. C is incorrect because gateways are where systems send data when they do not know the specific route. A gateway can determine how to route the packets to the correct destination and can serve as a router on the network. D is incorrect because IPSec is an encryption protocol that is applied to each and every packet sent between two systems over the network, and it does not play a role in the segregation of networks without a logical framework. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 401). McGraw Hill LLC. Kindle Edition.

Answer 58

B. European Union Explanation: B. The European Union issued Directive 95/46, which established data privacy of personal information to be a human right. Following this directive, Europe has had some of the strictest privacy controls and requirements in the world. A is incorrect because the United States does not currently have a federal-level policy on data privacy and personal information protection in a general sense, but it does for more specific applications such as healthcare and financial data. C is incorrect because Russia did not issue Directive 95/46, but it does have its own laws focused on protecting the privacy of information for Russian citizens, including restrictions that require all data on Russian citizens to be housed on servers that reside within the political boundaries of the Russian Federation. D is incorrect because Japan was not a party to Directive 95/46. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 401). McGraw Hill LLC. Kindle Edition.

Answer 59

A. Homomorphic Explanation: A. Homomorphic is a new cutting-edge type of encryption that allows a system or application to read and manipulate encrypted data without first having to unencrypt it. This allows for enhanced security because the data does not need to reside on a system in unencrypted format at any point, so even a compromise of a system will not reveal data to the malicious actor, because they would still need the encryption keys to read it, even on a live system that is accessing the data. B is incorrect because symmetric encryption refers to the situation where both parties of a secure communication have the same key pairs, which are exchanged prior to communications being established. This allows for very fast communications over encrypted channels, but it does require both parties to be known and familiar with each other before attempting communication so that the keys can be exchanged. C is incorrect because asymmetric encryption is done through the use of keys and certificates issued by known authorities that are trusted by both parties. This requires reliance on the third-party authority to establish trust, and it enables communications over secure channels where the parties don’t know each other and haven’t already exchanged keys. D is incorrect because public key is another term for asymmetric encryption. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 402). McGraw Hill LLC. Kindle Edition.

Answer 60

A. DREAD Explanation: A. The DREAD threat model includes discoverability as the second D in the acronym. In this sense, discoverability refers to the likeliness or possibility that a malicious actor will discover that a specific vulnerability exists and have the ability to exploit it. B is incorrect because the Sarbanes-Oxley Act covers companies and the way they handle financial transactions, records, retention, and the transparency of their practices and compliance. The concept of discoverability does not directly play a role in SOX. C is incorrect because the STRIDE threat model does not include discoverability as one of its key components. With the STRIDE acronym, the D stands for denial of service. D is incorrect because the Cloud Security Alliance Treacherous 12 does not include discoverability as one of its 12 key components. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 402). McGraw Hill LLC. Kindle Edition.

Answer 61

B. Shared Explanation: B. From the perspective of eDiscovery, whom data is shared with is not a primary concern or one of the main principles of it. Data collection is the responsibility of the authoritative source or systems that use it, but logging and preservation are focused on the data owner or the one who controls and makes the data available to consumers. A is incorrect because possession of the data is one of the three main components of eDiscovery, and the party that possesses the data will likely be the first recipient of the eDiscovery order. C is incorrect because control of the data is one of the main components and principles of eDiscovery. This is of particular concern within a cloud environment because the boundaries will blur between the cloud customer and cloud provider with most cloud implementations. D is incorrect because custody is one of the main principles and components of eDiscovery. Within a cloud environment, custody is very important and can be complex because the duties for custody fall on both the cloud provider and the cloud customer, and depending on the type of cloud implementation, the duties may fall on one party more than the other. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 403). McGraw Hill LLC. Kindle Edition.

Answer 62

C. Zero trust network Explanation: C. A zero trust network is based on the principle of automatically trusting no users or processes coming into or out of a network. In order to gain access, users must be authenticated, authorized, and validated against security policies during all transactions. While many networks will authenticate and authorize users coming into their networks, they often do not continually reevaluate the authorization as resources are accessed. With zero trust, the user or process is checked for authorization at any additional network points or data access against the current security policies, regardless of any type of authorization they have already been granted or the credentials they are presenting. A is incorrect because single sign-on will allow a user or process to access data via a central authentication system. It does not perform authorization checks during data access. B is incorrect because identity and access management is an umbrella term for managing users and credentials. It does not involve the level of validation and security checks asked by the question. D is incorrect because while authorization does check for appropriate access to systems or data, it is not the best answer because it does not encompass the continual checks that zero trust entails. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 403-404). McGraw Hill LLC. Kindle Edition.

Answer 63

A. Security controls Explanation: A. Security controls and testing are crucial aspects of an external audit and typically the focus of one. While internal audits may perform some level of security controls validation, they are not considered to be valid audits, because there is no independent external auditor to evaluate them. Independent and external testing for audits is paramount to instill trust in a system, and it is a required component for regulatory compliance and certification programs. B is incorrect because costs would be considered part of an internal audit of operation policies and procedures. External audits are focused on regulatory compliance or certifications as well as on ensuring customer requirements for security controls and validation, but they are not concerned with costs. They are only concerned with the compliance (or lack thereof) with requirements and regulation. C is incorrect because operating efficiency is a major component of internal auditing and a crucial input for management oversight and decision making. An external audit would not be concerned with operating efficiency, but rather only with compliance with regulatory or certification standards and the validation of security controls and policies. D is incorrect because system design overall is internal to an organization. While an external audit will likely include a review of system design, it is for the purposes of establishing knowledge of how security controls are designed and implemented, not with the soundness of efficiency or customer satisfaction beyond the security controls requirements and validation. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 404). McGraw Hill LLC. Kindle Edition.

Answer 64

A. iSCSI Explanation: A. iSCSI is a protocol that sits on top of the TCP stack and enables the sending of SCSI commands over a network, rather than through the traditional method in a physical environment where storage devices are directly attached to the server. Within a cloud data center especially, iSCSI is crucial because virtual machines and other virtual appliances will not have any direct physical connections to storage systems. B is incorrect because TCP is the general protocol for network communications and is not specifically related to storage systems or the direct carrier of storage communications or commands. TCP does play a central role given that iSCSI is dependent on it, but by itself TCP is not an appropriate answer here. C is incorrect because TLS is a secure communications and encryption protocol for network traffic. It’s not specifically related to storage systems or the carrying of storage solution communications. D is incorrect because NetBIOS is a program that allows applications to communicate over a local area network with each other. It is not specifically related to storage communications. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 405). McGraw Hill LLC. Kindle Edition.

Answer 65

C. Physical Explanation: C. Regardless of the cloud service category employed, the cloud provider will always be responsible for the management and operations of the underlying physical environment. Even with IaaS, the cloud customer is not responsible for, or involved with, the physical environment at all. A is incorrect because infrastructure is the sole responsibility of the cloud provider with PaaS or SaaS, but it is a shared responsibility with the cloud customer for IaaS. B is incorrect because data is always the responsibility of the cloud customer, who is responsible for the maintaining and loading of data as well as ensuring the appropriate use of it and access to it. Even within a SaaS implementation, the cloud customer as the data owner is always responsible for the data. D is incorrect because only in the SaaS service category is the cloud provider responsible for the applications. With both PaaS and IaaS, the cloud customer loads, configures, and maintains the applications at all times. Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 405-406). McGraw Hill LLC. Kindle Edition.

Answer 66

C. SAML Explanation:

Answer 67

C. Insufficient due dilligence Explanation: Insufficient due dilligence is where an organization does not properly evaluate, plan, design, operate or secure its systems and applications or the data that they house. Any of these areas can cause security exposure if sufficient due dilligence is not applied to them and can lead to any other sorts of culnerabilities and attacks being possible as a result

Answer 68

B. Potential customers Explanation: SOC 1 reports are considered restricted use reports and are limited in the audience they can or should be exposed to . Potential customers which do not currently have a contractual or business relationsji[ with a cloud provider would not be included witin the restricyed use classes

Answer 69

B. Encryption Explanation: In order for a DLP solution to work with data in transit, first and foremist it has to be able to read the data as it is transmitted. Typically, this will be done by having the DLP system unecrypt and the re-encrypt packets as they pass through it. This enables the point to point encryption to still be in place but also allows the DLP system to do its inspection and prociessing of data in a secure manner

Answer 70

A. Certifications Explanation: Certifications, based on industry and indepedent standards, are a primary means for a data center to ensure certain security controls and operational best pracxtices are followed by a cloud provider

Answer 71

A. Generators Explanation: Generators are considered an external reduyndancy issue because theyt are outside the interior of the data center; they work on the incoming power feeds and their availability. THey do not serve a redundancy capacity for power once it has entered within the data center itself, and they are indepedent of the data center

Answer 72

C. Masking Explanation: Masking involves replacing sensitive data fields with opaque and radomized values. It is particularly used for preparing production data for test or development environments, where the data is needed in the same format, but hacing connections to real users or sensiritve data is not important. UNlike tokenziation, making does not have the ability to map the data back ot the original values, which is why it is typically used for testing in non production environments

Answer 73

B. Gap analysis Explanation: A gap analysis is an official report on the differences and inconsistencies between the intended or required condfigurations and operations of a system or application and the reality of what is actually in place and in effect

Answer 74

C. Availability Explanation: Cloud based systems and applications are heavily dependent on encryption for virtually all communications and storage systems. They confidentiality and protection of the keys are the most important factors in rpvoding the security of data within the system.

Answer 75

B. Injection Explanation: Injection involves sending invalid commands through input fields in an application with the intent of getting the application to execute the code and thus bypass many security controls that are in place. If an application does not properly validate input fields to ensure that they are in the correct format and do not contain extraneous code or commands, the application may expose data or configuration information to a malicious actor

Answer 76

A. Integrity Explanation: Integrity is the main security prnicniple concerned with data being accurate and in its inteneded form. THis allows the data to be considered trustworthy throughout its entire lifecycle, ensuring that it has not been altered in an unauthorized manner or by an unauthorized party

Answer 77

B. Data flows Explanation: Data flows are serverless data processing managed services through cloud providers. They typically can support a variety of different frameworks for data pipelines and are designed to allow a customer to upload their pipeline code, along with data sets and have the operations performed. Being a fully managed environment, it allows the customer to quickly execute data processing without having to establish servers or perform configuration operations, whole also alleviating the nedd to maintain or secure them

Answer 78

C. Advanced persistent threats Explanation: Advanced persistent threats involve a malicious actor establishing a presence within a system or application, with the goal of accessing information or resources over an extended period of time while avoiding detection

Answer 79

B. BICSI Explanation: The Building Industry Consulting Service (BICSI) issues standards and certs related to complex cabling of data systems. The standards are focused on cabling setups and designs but also include specifications on power, energy efficiency and setup and configuration of hot and cold aisles within a data center

Answer 80

B. DHCP Explanation: The Dynamic Host Configuration Protocol is designed to automatically provide an IP address and other crucial network information to hosts on a network, as well as to provide for the centralized management of their network presence. This differs from the traditional static approach, where a host would have a specific configuration enetered into it that would need to be changed and individually and directly on the host if the need ever arose. With a cloud environment where systems autoscale and are dyanmically optimized and moved around constantly, the static method would never work

Answer 81

C.Web Application Firewall Explanation: A WAF is typically an application that inspoects HTTP traffic before it hits an application server and has the ability to apply a set of filters and rules to it

Answer 82

D. Penalties for privacy violations Explanation: ISO/IEC in general are standards based on IT policies and best practices. They are done at a higher level, so they are flexible for a variety of diverse systems and reqiorem,ents and they serve as a strong framework for implementating regulatory or organizational policies and requirements.

Answer 83

B. Multiltenancy Explanation: Multitenancy is the concept of hacing multiple customers sharing the same physical infrastructure and systems. With a traditional data center model, different customers use their own dedicated and segregated physical hardware, typically within their own cages and with totally separate networking cabling and hardware as well. With a cloud deployment, all customers share the same physical hardware, thus requiring the use of logical segregation to ensure security

Answer 84

C. Operating system Explanation: A container is a wrapper with all the components necessary to run an application that is deployed into a hosted environment. The container is completely removed from the OS and underlying hardwarew

Answer 85

B. CaaS Explanation: Compute as a Service (CaaS) allows for the execution of compute intesive workloads to be performed in the cloud. Code can be executed in a serverless environment where the customer oinly pays for the computing time and the cycles they consume, without the need for setting up server instances or environments

Answer 86

A. Spoofing Explanation: DNSSEC is explicitly designed to prove the validity and authenticity of DNS lookups from their authoritative host. It is inteded to eliminate the possibility of rogue DNS severs intercepting lookup requests from devices or clients and inserting incorrect IP address resolutions in an attempt to direct traffic away from legit sites