CCSK Flashcards

1
Q

Which technology is generally required to build resource pools?

The Internet
Virtualization
VLANs
CPUs and memory

A

Virtualization

2
Q

What is the key difference between traditional virtualization and cloud?

Orchestration
Abstraction
Hypervisors
Commercial virtualization software

A

Orchestration

3
Q

Which of the following is not a key potential benefit of cloud computing?

Economics
Agility
Resiliency
Compliance

A

Compliance

4
Q

What business benefit(s) was Amazon attempting to realize when they created their internal cloud computing program? Select all that apply

Better match real-time capacity to fluctuating demand
Beat Microsoft
Build a world class public cloud computing platform
Faster time to deploy developer resources

A

Better match real-time capacity to fluctuating demand

Faster time to deploy developer resources

5
Q

Resource pools permanently assign resources to a user.

True
False

A

False

6
Q

Cloud computing supports scaling up of resources, but not scaling down.

True
False

A

False

7
Q

Which of the following appear in both the NIST and ISO/IEC cloud computing definitions? Select all that apply

Self Service/rapid provisioning
Self Service
Resource pools
On-demand
Network access

A

Self Service/rapid provisioning
Self Service
Resource pools
On-demand
Network access

8
Q

Which service model would a cloud database be considered?

Platform as a Service
Software as a Service
Infrastructure as a Service
Storage as a Service

A

Platform as a Service

9
Q

Software as a Service is always built on top of Platform as a Service which is always built on Infrastructure as a Service.

True
False

A

False

10
Q

Which of the following is most likely to be considered IaaS?

A container registry
The cloud’s management console
A virtual machine
A cloud message queue

A

A virtual machine

11
Q

In IaaS, individual virtual machines use which kind of storage?

The local hard drives on the servers
A database platform
VSTOR-based hardware
Virtual volumes from a storage pool

A

Virtual volumes from a storage pool

12
Q

Platform as a service abstracts application platforms and platform components from underlying resources, and can be built on top of IaaS.

True
False

A

True

13
Q

Which of the following is not required to be considered SaaS?

Customer management of the underlying resources
Underlying physical hardware
A complete application
The essential characteristics

A

Customer management of the underlying resources

14
Q

If an organization uses Community Cloud Deployment Model, some portion of the physical infrastructure MUST be on-premises with one of the community members.

True
False

A

False

15
Q

If an organization employs the technique of cloud bursting, which cloud model are they utilizing?

Hybrid
Multi-tenancy
PaaS
Proprietary

A

Hybrid

16
Q

Which element of the logical model describes the cloud management plane?

Infostructure
Applistructure
Infrastructure
Metastructure

A

Metastructure

17
Q

In which service model does the cloud consumer have the least amount of control over security?

Infrastructure as a Service
Platform as a Service
Software as a Service
Security as a Service

A

Software as a Service

18
Q

In which cloud service model is the cloud consumer responsible for ensuring that the hypervisor is not vulnerable to attack?

Infrastructure as a Service
Software as a Service
Platform as a Service
None of the above

A

None of the above

19
Q

When should you define the security controls when building a cloud deployment?

Before determining the service and deployment models
After identifying requirements
After identifying control gaps
Before selecting the provider

A

After identifying control gaps

20
Q

Cloud infrastructure security does not include the virtualization components.

True
False

A

False

21
Q

Which of the following resource pools is not associated with IaaS?

Compute
Storage
Network
Middleware

A

Middleware

22
Q

Which of the following are typically in the underlying infrastructure of a cloud? Select all that apply

Database
Identity Service
Message queue
API Server
Hypervisors

A

Database
Identity Service
Message queue
API Server
Hypervisors

23
Q

Why is hardening infrastructure components so important?

Clouds are sometimes based on common components that may cause vulnerabilities
All security is important
Infrastructure components are most likely to be exposed to cloud customers
This prevents the cloud provider from accessing cloud consumer data

A

Clouds are sometimes based on common components that may cause vulnerabilities

24
Q

Which of the following physical networks is used for Internet to instance traffic?

Management
Storage
Service
Virtual

A

Service

25
Why should cloud providers use multiple underlying physical networks? Select all that apply Cost management Resiliency Better performance Better isolation
Better performance | Better isolation
26
Which virtual network technology is best suited for cloud? Token Ring V-flow VLAN SDN
SDN
27
Virtual Networks: Are more flexible, but more difficult to secure Substitute for physical networks May include inherent security capabilities Take fewer resources
May include inherent security capabilities
28
Which is a defining characteristic of Software Defined Networks? Uses OpenFlow Decouples the control plane from the underlying physical network Leverages packet tagging Autoscaling for resiliency
Decouples the control plane from the underlying physical network
29
Which SDN security capability often replaces the need for a physical or virtual appliance? Integrated isolation Default deny Lack of support for packet sniffing Security groups
Security group
30
The most effective way for an attacker to compromise a security group is to compromise the host/virtual machine and then modify the rules. True False
False
31
Which of the following is the most effective security barrier to contain blast radius? Virtual network Virtual subnet (with or without ACLs) Security group Cloud account/project/subscription
Cloud account/project/subscription
32
How does a virtual network affect network visibility? Virtual networks block packet capture for better isolation An SDN can provide more visibility than a physical network Virtual networks always encrypt traffic and break packet capturing Virtual machines on the same physical host don't use the physical network
Virtual machines on the same physical host don't use the physical network
33
Place the following network security tools in the preferred order in most cloud deployments, from 1 (most preferred} to 4. Virtual appliance Physical Appliance Inherent cloud controls Host security agents
1. Inherent cloud controls 2. Host security agents 3. Virtual appliance 4. Physical Appliance
34
What is the purpose of a bastion network/transit VPC? To better support multiple virtual networks and accounts in hybrid scenarios To better lock down a hybrid cloud To create a cloud DMZ To improve internal routing and IP address space availability
To better support multiple virtual networks and accounts in hybrid scenarios
35
Which of the following is primarily a responsibility of the cloud provider? Configuring security groups Securing the underlying virtualization technology Correct configuration in the management plane Designing subnets, virtual networks, and ACLS2
Securing the underlying virtualization technology
36
Of the following, which is the most important use case for the Software Defined Perimeter? To secure hybrid networks To encrypt SON traffic For federated network identity To improve and secure remote access
To improve and secure remote access
37
Which of the following are cloud workloads? Select all that apply: Virtual machines Serverless/Function as a Service Host servers Containers
Virtual machines Serverless/Function as a Service Containers
38
Which of the following most impacts traditional workload security controls when applied to cloud deployments? Hypervisors Low resiliency High volatility/rates of change Security groups Serverless
High volatility/rates of change Security groups
39
How can immutable workloads improve security? They eliminate error-prone manual management They better support use of traditional security tools They better meet performance requirements They scale for DDoS
They eliminate error-prone manual management
40
Select the cloud workload security option that can most improve overall security and reduce attack surface: Store Logs external to instances Select cloud aware host security agents Use immutable as much as possible Leverage existing/traditional vulnerability assessment tools
Use immutable as much as possible
41
Which of the following is primarily a cloud consumer workload security responsibility? Volatile memory security Hypervisor security Underlying infrastructure security Monitoring and logging
Monitoring and logging
42
Why is management plane security so critical? It is the primary integration point for hybrid cloud. It is the best way for cloud consumers to protect themselves from hostile cloud provider employees. REST APIs are inherently insecure. Compromise of the management plane potentially compromises all cloud assets
Compromise of the management plane potentially compromises all cloud assets
43
Select the best option for authenticating to a cloud API HTTP request signing Username/password Biometrics TLS-MA
HTTP request signing
44
Place the management plane security steps to the correct order Secure Root Account Enable Monitoring/Auditing Manage non-Root Users
1. Secure Root Account 2. Manage non-Root Users 3. Enable Monitoring/Auditing
45
Identify one drawback to managing users in the management plane: The reliance on RAC Insufficient MFA support High variability between cloud providers Lack of SSO support
High variability between cloud providers
46
What is the role of a service administrator? They are the core administrators for a cloud account. To administer a limited set of cloud services To administer cloud platform/management plane users. To isolate application security
To administer a limited set of cloud services
47
Select the best option for management plane monitoring, when it is available: Inherent cloud auditing, since it captures the most activity Inherent cloud auditing, since that offloads responsibility to the cloud provider Proxy-based auditing, since it eliminates the need to trust the cloud provider Proxy-based auditing, since it captures more activity
Inherent cloud auditing, since it captures the most activity
48
Multi factor authentication is the single most important management plane security control. True False
True
49
What is the single most important rule for cloud BC/DR? Use object storage for backups Snapshot regularly Architect for failure Use multiple cloud providers
Architect for failure
50
Which is not a key aspect of cloud BC/DR? Hypervisor resiliency Continuity within the provider/platform Portability Preparing for provider outages
Hypervisor resiliency
51
Which is the logical model layer that is most difficult to enable for DR across cloud providers. Metastucture Infrastructure Infostructure Applicstructure
Metastucture
52
Select a technique to manage continuity within the cloud provider. Multi-cloud provider plans Cross-location/region design Hybrid cloud backup Data portability
Cross-location/region design
53
Select the governance tool that is most affected by the transition to cloud computing: Chart of accounts Mission statement Board of director reporting Compliance reporting
Compliance reporting
54
In terms of cloud computing and security... what is the primary governance role of a contract? To define the data custodian Defines how you extend internal controls to the cloud provider Cost management Regulatory Requirements
Defines how you extend internal controls to the cloud provider
55
Does the shared responsibilities model define the contract or the contract define the shared responsibilities model? The contract defines the shared responsibilities model The shared responsibilities model defines the contract
The contract defines the shared responsibilities model
56
Select the layer where you evaluate your providers: ``` Governance Risk tolerance Supplier Assessment Contracts Share Responsibilities Model Risk mangement ```
Supplier Assessment
57
What is the responsibility of information risk management? Manage overall risk to the organization Determine the overall risk of cloud providers Eliminate all risks to information assets Align risk management to the tolerance of the data owner
Align risk management to the tolerance of the data owner
58
Your risk assessment effort should be equal for all information assets. True False
False
59
In which service model does the cloud consumer have to rely most on what is in the contract and documented to enforce and manage security? Hybrid SaaS PaaS IaaS
SaaS
60
Under which conditions is managing risk similar for public and private cloud? When your private cloud is third party hosted and managed The risk profiles are always the same No conditions; public cloud is always riskier When using a major public cloud provider
When your private cloud is third party hosted and managed
61
Which do you need to rely more on to manage risks when using public cloud computing? Testing instead of assessments and attestations Contracts and SLA Physical control of assets Consultants
Contracts and SLA
62
What is critical when evaluating a cloud service within your risk management program? Accounting for the context of the information assets involved Eliminating all outsourcing risk Minimizing regional harm Ensuring the provider's security program supports your existing on-premise tools
Accounting for the context of the information assets involved
63
How can you manage risk if you can't negotiate a contract with the cloud provider? Use compensating controls and your own risk mitigation mechanisms Always choose a different provider Accept all potential risks Obtain cyberinsurance
Use compensating controls and your own risk mitigation mechanisms
64
Audits are only used to meet government regulatory requirements. True False
False
65
Cloud changes compliance. Select the statement that is incorrect: Metastructure/management may span jurisdictions even if data is localized There may be a greater reliance on third party audits There are large variations between the compliance capabilities of different cloud providers The cloud provider is ultimately responsible for their customer's compliance
The cloud provider is ultimately responsible for their customer's compliance
66
Which is not a source of compliance obligations? Internal Audits Legislation Contracts Industry Standards
Internal Audits
67
Compliance inheritance means that an application built on top of a cloud provider's service that is compliant with a regulation/standard is always guaranteed to be compliant. True False
False
68
The Cloud Security Alliance Security Guidance provides: Legal Advice Legal Guidance Legal Recommendation Information you should discuss with your attorneys.
Information you should discuss with your attorneys.
69
The Australian Privacy Act of 1988 can apply to Australian customers, even if the cloud service provider is based elsewhere: True False
True
70
What is the purpose of a data localization law? To require company to hire only local workers To require that all business documents be in the country's official language To require service providers to register with the country's data protection commission To require that data about the country's citizens be stored in the country
To require that data about the country's citizens be stored in the country
71
Which of the following is correct? GDPR Stands for "Government Data Privacy Rule". GDPR Establishes fines of $1,000 per credit card number compromised GDPR prohibits the transfer of personal data outside the EU or EEA to a country that does not offer a similar privacy rights GDPR requires that EU member state's national laws impose network requirements on operators of essential services
GDPR prohibits the transfer of personal data outside the EU or EEA to a country that does not offer a similar privacy rights
72
The Federal Government in the United States does not directly address issues of data privacy, but instead leave it up to the states to create laws that address privacy concerns. True False
False
73
If a business is located outside the European Union it does not have to comply with the privacy laws of the European Union True False
False
74
In the United States, only entities that collect or process financial data or health data must comply with privacy or security laws True False
False
75
Which of the following is a standard? COPPA APPi GDPR PCI DSS
PCI DSS
76
When selecting a cloud provider, if a provider won't negotiate a contract: Always choose another provider Read the contract carefully, and consult with your advisors, to evaluate the terms and understand the potential risks Always trust the provider Contracts are not enforceable in cloud due to the wide range of jurisdictions
Read the contract carefully, and consult with your advisors, to evaluate the terms and understand the potential risks
77
Cloud consumers are ultimately responsible for understanding the legal implications of using a particular cloud provider and service. True False
True
78
A contract with a cloud service provider can fulfill all of the following except one Clarify what happen when the service is terminated Clarify the price for the service Define the minimum security measures taken by the cloud provider Clarify whether metadata can be reused for secondary purposes Prevent a breach of security
Prevent a breach of security
79
If you own the data, it is still possible for your CSP to own the metadata: True False
True
80
Why do cloud providers typically limit their customers' ability to directly assess and inspect their facilities and services? Cost management They are worried customers will find vulnerabilities and they will lose business On-site inspections can be a security risk, and remote assessments are hard to distinguish from real attacks To deter paying out bug bounties
On-site inspections can be a security risk, and remote assessments are hard to distinguish from real attacks
81
Audit scopes for any given standard, like an SSAE16 are always consistent. True False
False
82
Select all the following sources that are considered artifacts of compliance Log files Activity reports System configuration details Change management details
Log files Activity reports System configuration details Change management details
83
Should you assess or review the audits of a cloud provider more or less frequently than traditional outsourcers? More Less
More
84
Which CSA tool maps cloud security control specifications to architectural relevance? Cloud Controls Matrix STARWatch The Security, Trust and Assurance Registry (STAR) Consensus Assessment Initiative Questionnaire
Cloud Controls Matrix
85
Where can cloud providers publish their CAIQ and other security/compliance documents to help cloud prospects and customers assess the provider's current security posture? The AWS marketplace The Security, Trust and Assurance Registry (STAR) The United States Federal Register of Cloud Providers Google
The Security, Trust and Assurance Registry (STAR)
86
You are a cloud provider and struggling to respond to a large amount of highly variable customer RFP requests for security controls documentation. Which CSA document could you instead complete and send to customers: STARWatch Cloud Controls Matrix The Security, Trust and Assurance Registry (STAR) Consensus Assessment Initiative Questionnaire
Consensus Assessment Initiative Questionnaire
87
Which CSA. tool allows you to quickly search a providers assessment for controls that map to regulations you care about and see the responses to those controls? CCM CAIQ STAR STARWatch
STARWatch
88
The CSA Cloud Controls Matrix v3.0.1 maps control specifications to FedRAMP High Impact Level. True False
False
89
The CSA Cloud Controls Matrix v3.0.1 contains how many control specifications? 295 57 133 16
133
90
All cloud data is eventually stored on a like a hard drive. True False
True
91
Which of the following cloud data storage types can be described as "a database for files"? Object storage Volume storage Database storage Platform storage
Object storage
92
Why do we use data dispersion in Cloud Computing? To improve security by reducing the chances a complete file can be stolen To improve resiliency in case of individual drive failure To improve resiliency by eliminating the need for physical drives To improve security by obviating the need for encryption
To improve resiliency in case of individual drive failure
93
Which security tool can help detect sensitive data migrating to the cloud'? IPS Data Loss Prevention (DLP) Data security proxies (DSP) Firewalls
Data Loss Prevention (DLP)
94
Which of the available CASB modes is most cloud-native but often not supported by smaller, especially Saas, providers: API In line (cloud) lnline (local) Cloud-integrated
API
95
Which is the preferred model of protecting data migrating to the cloud: Encryption proxies, because they are the most efficient Encrypting files, since you can't trust network encryption Encrypting network connections, since you can't trust file encryption All are equally effective
All are equally effective
96
How does Cloud complicate access controls as compared to traditional data storage? Cloud storage may offer more options, such as sharing privileges or access to the data's metadata Cloud access controls are less reliable All providers must support the same access controls, which makes building the cloud more complex There is no difference; they are not more complicated
Cloud storage may offer more options, such as sharing privileges or access to the data's metadata
97
In a Cloud Computing Environment, what is always your most control? Provider specific controls Encryption controls Access controls Management controls
Access controls
98
Select the layer in the stack where encryption is best for protecting discrete data throughout the layers, but may be more complex and is less effective for bulk data. Application Database File/API Volume Storage
Application
99
Select the 3 components of an encryption system. Encryption engine Data Protocol Key
Encryption engine Data Key
100
In "externally managed" encryption, which is the key component that should be kept externally to improve security: Data Application code Key management Encryption Engine
Key management
101
Instance managed encryption is: An example of what not to do Your preferred option for volume encryption
An example of what not to do
102
Which of the following options encrypts data before you transfer it to object storage: Client-side encryption Server-side encryption Externally managed encryption Application encryption
Client-side encryption
103
Select all potential options for encrypting data in PaaS, if they are supported by the platform: Application-level (in your own code) Provider-integrated Volume storage Database
Application-level (in your own code) Provider-integrated Database
104
Which location would provide the most secure place to keep encryption keys? App server Encryption Server Storage Database
Encryption Server
105
When using provider managed encryption, you are always sharing the same keys with other tenants. True False
False
106
Proxy-encryption requires you to break any existing secure connection to your cloud provider. True False
True
107
Which is the most inherently secure key management option, but it not be viable or even needed depending on your project requirements and platform/provider support? Third--Party Service Cloud Provider Service Virtual Appliance HSM/Appliance
HSM/Appliance
108
To be considered Bring Your Own Key (BYOK) the provider must not be able to ever see or manage your keys. True False
False
109
Which key management option should you select if you are dealing with highly sensitive data that you don't want your provider to potentially access under any circumstances: Virtual appliance HSM/hybrid BYOK 3rd party key management service
HSM/hybrid
110
Which option allows you to use an existing build for key management without replicating everything in the cloud? Virtual Appliance Hybrid Third-party Service HSM/Appliance
Hybrid
111
For the cloud, where is DLP often best integrated? The cloud virtual network/VPC NGFW Secure Web Gateway CASB
CASB
112
What is the primary goal of data masking? Hide production data from employees Turn test data back into production data Generate test data that still resembles production data Stop hackers
Generate test data that still resembles production data
113
Logs of some events in a cloud environment may not be available to you depending on your choice of cloud provider. True False
True
114
How should the data security lifecycle be used? To replace existing data security architectures. To create granular documentation for all sensitive data in the cloud. As a lightweight tool to better understand data flow and potential vs. desired data usage. To create granular documentation for all data, sensitive or not, in the cloud.
As a lightweight tool to better understand data flow and potential vs. desired data usage.
115
List the lifecycle phases in order: ``` Store Share Destroy Create Archive Use ```
``` Create Store Use Share Archive Destroy ```
116
What is the primary objective of mapping functions, actors, and locations? To replace data flow diagrams To list all potential security controls To document information risk To determine what's possible vs. what should be allowed
To determine what's possible vs. what should be allowed
117
What do we use to reduce what is possible to what should be allowed within the context of the lifecycle? Security controls Key management CASB or DLP Entitlement matrix
Security controls
118
When moving to cloud, what now becomes within the scope of application security unlike with traditional infrastructure? Management Plane SAST Source code Architecture
Management Plane
119
Arrange the phases of the lifecycle to the correct order. ``` Design Test Develop Training Define ```
``` Training Define Design Develop Test ```
120
STRlDE is a common thread modeling framework. Which of the four categories does a cloud provider typically take more responsibility to manage: Privilege escalation Denial of service Spoofing Information disclosure
Denial of service
121
What is one example of a control that can reduce the potential of spoofing: Encryption Audit logging Authorization Authentication
Authentication
122
Specific testing techniques are tightly aligned and should only be performed during their designated phase in the secure software development process True False
False
123
Which kind of test should be added to static analysis for cloud deployments? API resiliency Scanning for stored cloud credentials Code completion Regression tests
Scanning for stored cloud credentials
124
Which kind of testing will most likely require permission from your cloud provider before performing? SAST Vulnerability assessment Composition analysis Security unit tests
Vulnerability assessment
125
Which vulnerability analysis option will always comply with the terms of service of the cloud provider, but may require paying close attention to network architecture: Penetration testing Traditional network-based Deployment pipeline testing Host-based
Host-based
126
While there are many definitions of DevOps, one technology/process is typically considered to be central to any DevOps program. Which technology is that? Configuration management Static analysis Composition management Continuous integration
Continuous integration
127
Identify the core security benefit of immutable There are are no manual changes, so everything is consistent and administrative access can be disabled. It fully isolates developers from production environment It fully isolates operations from production environments AU security updates are automatically applied
There are are no manual changes, so everything is consistent and administrative access can be disabled.
128
Which of the following are security benefits of DevOps? Automated Testing Greater Standardization Improved Auditing Improved Security 0perations
Automated Testing Greater Standardization Improved Auditing Improved Security 0perations
129
Which of the following is not a new concern of secure operations for applications in the cloud? The management plane SAST WAF limitations/differences The cloud configuration
SAST
130
Which of the following is an inherent architectural security advantage cloud? 12 factor applications The management plane Containers Segregation
Segregation
131
How can serverless improve security? Some attack surface is the responsibility of the cloud provider in the shared responsibilities model Through automation Serverless actually reduces security Better visibility due to the management plane
Some attack surface is the responsibility of the cloud provider in the shared responsibilities mode
132
Many of the new architectural options for cloud offer security benefits over what is possible in traditional infrastructure True False
True
133
What could an email address be considered? Entity Identity Identifier Authorization
Identity
134
What is the technical definition of authentication? ``` The process of confirming an identity Providing a user access to a resource Allowing a user to perform an action The process of validating an entity   ```
The process of confirming an identity
135
Which of the following is a discrete type that will have an identity? Examples include users and organizations. Persona Role Entity Attributes
Entity
136
What is the biggest difference between IAM in cloud and in traditional environments? They use different standards Cloud is less secure IAM Must span at least two organizational boundaries Cloud is more secure
IAM Must span at least two organizational boundaries
137
Which IAM standard is best suited for enterprises federating with cloud providers? OACML Kerberos OATH SAML
SAML
138
Which of the following is one of the 3 most common identity standards cloud environments? Kerberos SCIM OATH XACML
OATH
139
In a hub and spoke model, which technology mediates between director servers/identity providers and the service providers/relying parties: ``` CASB Attribute services Directory servers Federated identity brokers   ```
Federated identity brokers
140
Which of the following IAM security incidents is more likely in cloud versus traditional infrastructure and requires a dedicated incident response focus? Account takeover Pass the hash Privilege escalation Account abuse
Account takeover
141
Multifactor authentication is absolutely mandatory for cloud computing due to the higher potential for remote account takeovers. True False
True
142
Checking to see if a user authenticated with MFA from a corporate IP address to authorize an action is an example of? Role-based access controls Authentication Attribute based access controls Multifactor authorization
Attribute based access controls
143
What is an entitlement matrix used for? To map the directory servers to the appropriate cloud provider To translate physical security controls to cloud controls To communicate security controls to a cloud provider To document authorizations
To document authorizations
144
Why are elasticity and infrastructure templating critical IaaS security capabilities? They optimize performance These are operational capabilities, not security capabilities They improve scalability They enable immutable deployments.
They enable immutable deployments.
145
Which of the following protocols should a SaaS provider support to help extend an enterprise's existing user management security controls and is considered a critical security capability? IPv6 AuthZ SAML LDAP
SAML
146
Why are reviewable audits important when evaluating a cloud provider? Third party auditors provide better results than internal auditors They will meet all regulatory and compliance standards They fill the gaps in any cloud provider security documentation They provide third party validation when you cannot audit a provider yourself
They provide third party validation when you cannot audit a provider yourself
147
Frequent audits and assessments are important when looking at a cloud provider due to how rapidly they evolve their services. True False
True
148
If an attacker compromises one of your virtual machines, and then uses it to attack other clients on the same cloud platform, what is the cloud provider's likely action? The CSP will prioritize alerting you and providing information needed for you to respond to the attack. The CSP will first protect the rest of their broader clients, which may mean disrupting your deployment. The CSP has no responsibility in this situation per the shared responsibilities model. The CSP will prioritize defending the rest of your deployment from the attack.
The CSP will first protect the rest of their broader clients, which may mean disrupting your deployment
149
Place the incident response phases in the proper order. Containment, eradication, recovery Preparation Post-mortem Detection and Analysis
Preparation Detection and Analysis Containment, eradication, recovery Post-mortem
150
In which phase would you build a cloud "jump kit" of tools and code to speed a response? Detection and analysis Containment and response Postmortem Preparation
Preparation
151
In which phase would you snapshot a virtual machine for forensics? Detection and analysis Containment and response Postmortem Preparation
Detection and analysis
152
Which of the following most helps you quickly build parallel infrastructure, so that you can rapidly restore operations while still having the compromised environment for analysis? Infrastructure as code templates Snapshots SaaS PaaS
Infrastructure as code templates
153
In a postmortem what would be your highest priority to review and remediate if it was a blocker in your incident response? Communications with the cloud provider Internal communications Container vulnerabilities Operating system vulnerabilities
Communications with the cloud provider
154
Security as a Service is only used to secure cloud services. True False
False
155
Select all of the following characteristics that are required for something to be considered Security as a Service: It is a security product or service delivered as a cloud service It meets the NIST essential characteristics It is marketed as SECaaS It is built on an IaaS provider It has a hosted web interface
It is a security product or service delivered as a cloud service It meets the NIST essential characteristics
156
Which of the following is one of the more unique potential benefits of Security as a Service: Intelligence Sharing Customer Visibility Compliance Transparency
Intelligence Sharing
157
Why are regulation differences a potential concern of using Security as a Service? SECaaS is highly regulated The cloud consumer may have regulatory obligations the SECaaS provider can't meet The cloud provider may have regulatory obligations the customer can't meet SECaaS is unregulated
The cloud consumer may have regulatory obligations the SECaaS provider can't meet
158
Using SECaaS removes accountability for the client, but only for the particular security control the service addresses. True False
False
159
What characteristic would make a Federated Identity Broker be considered SECaaS vs. a traditional tool? It supports SAML It is hosted in the cloud, elastic, and you pay per user It brokers authentication to cloud services It supports multiple cloud providers AND on premise directories
It is hosted in the cloud, elastic, and you pay per user
160
What is a potential advantage of a web security gateway SECaaS over an on-premise tool? You can protect mobile users without requiring a VPN to the corporate network It will generally catch more malware They are always less expensive Supports HTTPS
You can protect mobile users without requiring a VPN to the corporate network
161
Can a cloud-based key management service be integrated with on-premise encryption? Yes No
Yes
162
What is required to redirect traffic to a cloud WAF? An on-premise Proxy DNS Change A VPN GRE Tunneling
DNS Change
163
Which of the following is not considered a related technology? Internet of Things Mobile computing Security as a Service Serverless
Security as a Service
164
Big Data is often defined as "high volume, high velocity, and high variety." What does "high velocity" mean? Storage elasticity The data changes constantly/rapidly Fast raw storage speeds Fast transfer speeds
The data changes constantly/rapidly
165
Why should you consider relying extensively on the isolation capabilities of cloud to defend a big data deployment? Isolation improves encryption The distributed storage is always isolated by nature To meet compliance requirements Big data platforms tend to have low inherent security
Big data platforms tend to have low inherent security
166
While not directly related to cloud, which IoT principle is critical for long term security? The ability to patch/update the "things" (devices) Data encryption Elasticity Public APIs
The ability to patch/update the "things" (devices)
167
Which of the following issues on a mobile device can actually create security risks for the cloud deployment? Embedded/static/stored credentials Insecure wireless networks Use of an out of date operating system A malicious app
Embedded/static/stored credentials
168
Serverless, used properly, can offer more security benefits than risks. True False
True
169
Which of the following is considered a separate characteristic of cloud in ISO/IEC 17788? Resource pooling Metered usage On-Demand Self-Service Multi-Tenancy Elasticity
Multi-Tenancy
170
If you are asked to build a server with 8 CPUs and 16GB of RAM, which service model would you use? VMWare vSphere SaaS PaaS IaaS RedHat OpenShift
IaaS
171
In which layer of the logical model does the management plane exist? Infostructure Data Center Metastructure Infrastructure Between PaaS and IaaS Applistructure
Metastructure
172
When dealing with a public cloud provider, what aspect most commonly impacts how you can manage risk? Co-tenants want to hack your space Economies of scale Standard contracts that cannot be customized Changes to external regulations
Standard contracts that cannot be customized
173
What is a key consideration when evaluating private cloud governance? The entity that owns and/or manages the private cloud The hypervisor technology used Control plane authentication methods Public Cloud governance
The entity that owns and/or manages the private cloud
174
In which situations is a party excused from presenting evidence in a court of law? When it doesn't exist When it is too expensive to retrieve Never; a party must always present data when it's requested by a judge When it is not reasonably accessible
When it doesn't exist
When it is not reasonably accessible
175
What is true about an attestation? Attestation is a legal statement from a 3rd party Attestation is a testimony in a court of law Attestations can only be performed by a legal official Attestation is another term for audit
Attestation is a legal statement from a 3rd party
176
When evaluating a cloud provider's audit report, what should you pay particular attention to? Whether or not the auditor has their CCSK Services and Jurisdiction of the audit The date of the audit report The auditor's conclusion
Services and Jurisdiction of the audit
177
Which of the following locations are considered part of the data security lifecycle? A. Location of the Data B. Location of the access device C. Location of the data center D. A and B
D. A and B
178
What determines the functions actors are allowed to perform or not? Entitlements Information classification Information governance Contractual controls Access Device
Entitlements
179
What is meant by data "lock-in"? Lock-in applies when you are contractually unable to export your data Exporting data out of a provider would require significant effort Data exported can be used only with the original provider's services All of the above
All of the above
180
Which of the following MUST a cloud customer include in their business continuity planning? Determine how to guarantee availability in the DR region by discussing your DR plans with the vendor Determine how the IaaS provider will fix any availability issues in your application Use the contract to ensure DR does not result in a different jurisdiction for storing and processing data Implement Chaos Engineering
Determine how to guarantee availability in the DR region by discussing your DR plans with the vendor