CCSK Flashcards

1
Q

Which technology is generally required to build resource pools?

The Internet
Virtualization
VLANs
CPUs and memory

A

Virtualization

2
Q

What is the key difference between traditional virtualization and cloud?

Orchestration
Abstraction
Hypervisors
Commercial virtualization software

A

Orchestration

3
Q

Which of the following is not a key potential benefit of cloud computing?

Economics
Agility
Resiliency
Compliance

A

Compliance

4
Q

What business benefit(s) was Amazon attempting to realize when they created their internal cloud computing program? Select all that apply

Better match real-time capacity to fluctuating demand
Beat Microsoft
Build a world class public cloud computing platform
Faster time to deploy developer resources

A

Better match real-time capacity to fluctuating demand

Faster time to deploy developer resources

5
Q

Resource pools permanently assign resources to a user.

True
False

A

False

6
Q

Cloud computing supports scaling up of resources, but not scaling down.

True
False

A

False

7
Q

Which of the following appear in both the NIST and ISO/IEC cloud computing definitions? Select all that apply

Self Service/rapid provisioning
Self Service
Resource pools
On-demand
Network access
A
Self Service/rapid provisioning
Self Service
Resource pools
On-demand
Network access
8
Q

Which service model would a cloud database be considered?

Platform as a Service
Software as a Service
Infrastructure as a Service
Storage as a Service

A

Platform as a Service

9
Q

Software as a Service is always built on top of Platform as a Service which is always built on Infrastructure as a Service.

True
False

A

False

10
Q

Which of the following is most likely to be considered IaaS?

A container registry
The cloud’s management console
A virtual machine
A cloud message queue

A

A virtual machine

11
Q

In IaaS, individual virtual machines use which kind of storage?

The local hard drives on the servers
A database platform
VSTOR-based hardware
Virtual volumes from a storage pool

A

Virtual volumes from a storage pool

12
Q

Platform as a service abstracts application platforms and platform components from underlying resources, and can be built on top of IaaS.

True
False

A

True

13
Q

Which of the following is not required to be considered SaaS?

Customer management of the underlying resources
Underlying physical hardware
A complete application
The essential characteristics

A

Customer management of the underlying resources

14
Q

If an organization uses Community Cloud Deployment Model, some portion of the physical infrastructure MUST be on-premises with one of the community members.

True
False

A

False

15
Q

If an organization employs the technique of cloud bursting, which cloud model are they utilizing?

Hybrid
Multi-tenancy
PaaS
Proprietary

A

Hybrid

16
Q

Which element of the logical model describes the cloud management plane?

Infostructure
Applistructure
Infrastructure
Metastructure

A

Metastructure

17
Q

In which service model does the cloud consumer have the least amount of control over security?

Infrastructure as a Service
Platform as a Service
Software as a Service
Security as a Service

A

Software as a Service

18
Q

In which cloud service model is the cloud consumer responsible for ensuring that the hypervisor is not vulnerable to attack?

Infrastructure as a Service
Software as a Service
Platform as a Service
None of the above

A

None of the above

19
Q

When should you define the security controls when building a cloud deployment?

Before determining the service and deployment models
After identifying requirements
After identifying control gaps
Before selecting the provider

A

After identifying control gaps

20
Q

Cloud infrastructure security does not include the virtualization components.

True
False

A

False

21
Q

Which of the following resource pools is not associated with IaaS?

Compute
Storage
Network
Middleware

A

Middleware

22
Q

Which of the following are typically in the underlying infrastructure of a cloud? Select all that apply

Database
Identity Service
Message queue
API Server
Hypervisors
A
Database
Identity Service
Message queue
API Server
Hypervisors
23
Q

Why is hardening infrastructure components so important?

Clouds are sometimes based on common components that may cause vulnerabilities

All security is important

Infrastructure components are most likely to be exposed to cloud customers

This prevents the cloud provider from accessing cloud consumer data

A

Clouds are sometimes based on common components that may cause vulnerabilities

24
Q

Which of the following physical networks is used for Internet to instance traffic?

Management
Storage
Service
Virtual

A

Service

25
Q

Why should cloud providers use multiple underlying physical networks? Select all that apply

Cost management
Resiliency
Better performance
Better isolation

A

Better performance

Better isolation

26
Q

Which virtual network technology is best suited for cloud?

Token Ring
V-flow
VLAN
SDN

A

SDN

27
Q

Virtual Networks:

Are more flexible, but more difficult to secure
Substitute for physical networks
May include inherent security capabilities
Take fewer resources

A

May include inherent security capabilities

28
Q

Which is a defining characteristic of Software Defined Networks?

Uses OpenFlow

Decouples the control plane from the underlying physical network

Leverages packet tagging

Autoscaling for resiliency

A

Decouples the control plane from the underlying physical network

29
Q

Which SDN security capability often replaces the need for a physical or virtual appliance?

Integrated isolation
Default deny
Lack of support for packet sniffing
Security groups

A

Security groups

30
Q

The most effective way for an attacker to compromise a security group is to compromise the host/virtual machine and then modify the rules.

True
False

A

False

31
Q

Which of the following is the most effective security barrier to contain blast radius?

Virtual network
Virtual subnet (with or without ACLs)
Security group
Cloud account/project/subscription

A

Cloud account/project/subscription

32
Q

How does a virtual network affect network visibility?

Virtual networks block packet capture for better isolation

An SDN can provide more visibility than a physical network

Virtual networks always encrypt traffic and break packet capturing

Virtual machines on the same physical host don’t use the physical network

A

Virtual machines on the same physical host don’t use the physical network

33
Q

Place the following network security tools in the preferred order in most cloud deployments, from 1 (most preferred) to 4.

Virtual appliance
Physical Appliance
Inherent cloud controls
Host security agents

A
  1. Inherent cloud controls
  2. Host security agents
  3. Virtual appliance
  4. Physical Appliance
34
Q

What is the purpose of a bastion network/transit VPC?

To better support multiple virtual networks and accounts in hybrid scenarios

To better lock down a hybrid cloud

To create a cloud DMZ

To improve internal routing and IP address space availability

A

To better support multiple virtual networks and accounts in hybrid scenarios

35
Q

Which of the following is primarily a responsibility of the cloud provider?

Configuring security groups
Securing the underlying virtualization technology
Correct configuration in the management plane
Designing subnets, virtual networks, and ACLs

A

Securing the underlying virtualization technology

36
Q

Of the following, which is the most important use case for the Software Defined Perimeter?

To secure hybrid networks
To encrypt SDN traffic
For federated network identity
To improve and secure remote access

A

To improve and secure remote access

37
Q

Which of the following are cloud workloads? Select all that apply:

Virtual machines

Serverless/Function as a Service

Host servers

Containers

A

Virtual machines

Serverless/Function as a Service

Containers

38
Q

Which of the following most impacts traditional workload security controls when applied to cloud deployments?

Hypervisors

Low resiliency

High volatility/rates of change

Security groups

Serverless

A

High volatility/rates of change

39
Q

How can immutable workloads improve security?

They eliminate error-prone manual management
They better support use of traditional security tools
They better meet performance requirements
They scale for DDoS

A

They eliminate error-prone manual management

40
Q

Select the cloud workload security option that can most improve overall security and reduce attack surface:

Store Logs external to instances
Select cloud aware host security agents
Use immutable as much as possible
Leverage existing/traditional vulnerability assessment tools

A

Use immutable as much as possible

41
Q

Which of the following is primarily a cloud consumer workload security responsibility?

Volatile memory security
Hypervisor security
Underlying infrastructure security
Monitoring and logging

A

Monitoring and logging

42
Q

Why is management plane security so critical?

It is the primary integration point for hybrid cloud.

It is the best way for cloud consumers to protect themselves from hostile cloud provider employees.

REST APIs are inherently insecure.

Compromise of the management plane potentially compromises all cloud assets

A

Compromise of the management plane potentially compromises all cloud assets

43
Q

Select the best option for authenticating to a cloud API

HTTP request signing
Username/password
Biometrics
TLS-MA

A

HTTP request signing

44
Q

Place the management plane security steps in the correct order

Secure Root Account

Enable Monitoring/Auditing

Manage non-Root Users

A
  1. Secure Root Account
  2. Manage non-Root Users
  3. Enable Monitoring/Auditing
45
Q

Identify one drawback to managing users in the management plane:

The reliance on RAC
Insufficient MFA support
High variability between cloud providers
Lack of SSO support

A

High variability between cloud providers

46
Q

What is the role of a service administrator?

They are the core administrators for a cloud account.

To administer a limited set of cloud services

To administer cloud platform/management plane users.

To isolate application security

A

To administer a limited set of cloud services

47
Q

Select the best option for management plane monitoring, when it is available:

Inherent cloud auditing, since it captures the most activity

Inherent cloud auditing, since that offloads responsibility to the cloud provider

Proxy-based auditing, since it eliminates the need to trust the cloud provider

Proxy-based auditing, since it captures more activity

A

Inherent cloud auditing, since it captures the most activity

48
Q

Multi factor authentication is the single most important management plane security control.

True
False

A

True

49
Q

What is the single most important rule for cloud BC/DR?

Use object storage for backups
Snapshot regularly
Architect for failure
Use multiple cloud providers

A

Architect for failure

50
Q

Which is not a key aspect of cloud BC/DR?

Hypervisor resiliency
Continuity within the provider/platform
Portability
Preparing for provider outages

A

Hypervisor resiliency

51
Q

Which is the logical model layer that is most difficult to enable for DR across cloud providers?

Metastructure
Infrastructure
Infostructure
Applistructure

A

Metastructure

52
Q

Select a technique to manage continuity within the cloud provider.

Multi-cloud provider plans
Cross-location/region design
Hybrid cloud backup
Data portability

A

Cross-location/region design

53
Q

Select the governance tool that is most affected by the transition to cloud computing:

Chart of accounts
Mission statement
Board of director reporting
Compliance reporting

A

Compliance reporting

54
Q

In terms of cloud computing and security, what is the primary governance role of a contract?

To define the data custodian
Defines how you extend internal controls to the cloud provider
Cost management
Regulatory Requirements

A

Defines how you extend internal controls to the cloud provider

55
Q

Does the shared responsibilities model define the contract or the contract define the shared responsibilities model?

The contract defines the shared responsibilities model
The shared responsibilities model defines the contract

A

The contract defines the shared responsibilities model

56
Q

Select the layer where you evaluate your providers:

Governance
Risk tolerance
Supplier Assessment
Contracts
Shared Responsibilities Model
Risk management
A

Supplier Assessment

57
Q

What is the responsibility of information risk management?

Manage overall risk to the organization
Determine the overall risk of cloud providers
Eliminate all risks to information assets
Align risk management to the tolerance of the data owner

A

Align risk management to the tolerance of the data owner

58
Q

Your risk assessment effort should be equal for all information assets.

True
False

A

False

59
Q

In which service model does the cloud consumer have to rely most on what is in the contract and documented to enforce and manage security?

Hybrid
SaaS
PaaS
IaaS

A

SaaS

60
Q

Under which conditions is managing risk similar for public and private cloud?

When your private cloud is third party hosted and managed
The risk profiles are always the same
No conditions; public cloud is always riskier
When using a major public cloud provider

A

When your private cloud is third party hosted and managed

61
Q

Which do you need to rely more on to manage risks when using public cloud computing?

Testing instead of assessments and attestations
Contracts and SLA
Physical control of assets
Consultants

A

Contracts and SLA

62
Q

What is critical when evaluating a cloud service within your risk management program?

Accounting for the context of the information assets involved
Eliminating all outsourcing risk
Minimizing regional harm
Ensuring the provider’s security program supports your existing on-premises tools

A

Accounting for the context of the information assets involved

63
Q

How can you manage risk if you can’t negotiate a contract with the cloud provider?

Use compensating controls and your own risk mitigation mechanisms
Always choose a different provider
Accept all potential risks
Obtain cyberinsurance

A

Use compensating controls and your own risk mitigation mechanisms

64
Q

Audits are only used to meet government regulatory requirements.

True
False

A

False

65
Q

Cloud changes compliance. Select the statement that is incorrect:

Metastructure/management may span jurisdictions even if data is localized

There may be a greater reliance on third party audits

There are large variations between the compliance capabilities of different cloud providers

The cloud provider is ultimately responsible for their customer’s compliance

A

The cloud provider is ultimately responsible for their customer’s compliance

66
Q

Which is not a source of compliance obligations?

Internal Audits
Legislation
Contracts
Industry Standards

A

Internal Audits

67
Q

Compliance inheritance means that an application built on top of a cloud provider’s service that is compliant with a regulation/standard is always guaranteed to be compliant.

True
False

A

False

68
Q

The Cloud Security Alliance Security Guidance provides:

Legal Advice
Legal Guidance
Legal Recommendation
Information you should discuss with your attorneys.

A

Information you should discuss with your attorneys.

69
Q

The Australian Privacy Act of 1988 can apply to Australian customers, even if the cloud service provider is based elsewhere:

True
False

A

True

70
Q

What is the purpose of a data localization law?

To require companies to hire only local workers
To require that all business documents be in the country’s official language
To require service providers to register with the country’s data protection commission
To require that data about the country’s citizens be stored in the country

A

To require that data about the country’s citizens be stored in the country

71
Q

Which of the following is correct?

GDPR Stands for “Government Data Privacy Rule”.

GDPR Establishes fines of $1,000 per credit card number compromised

GDPR prohibits the transfer of personal data outside the EU or EEA to a country that does not offer similar privacy rights

GDPR requires that EU member state’s national laws impose network requirements on operators of essential services

A

GDPR prohibits the transfer of personal data outside the EU or EEA to a country that does not offer similar privacy rights

72
Q

The Federal Government in the United States does not directly address issues of data privacy, but instead leaves it up to the states to create laws that address privacy concerns.

True
False

A

False

73
Q

If a business is located outside the European Union it does not have to comply with the privacy laws of the European Union

True
False

A

False

74
Q

In the United States, only entities that collect or process financial data or health data must comply with privacy or security laws

True
False

A

False

75
Q

Which of the following is a standard?

COPPA
APPi
GDPR
PCI DSS

A

PCI DSS

76
Q

When selecting a cloud provider, if a provider won’t negotiate a contract:

Always choose another provider

Read the contract carefully, and consult with your advisors, to evaluate the terms and understand the potential risks

Always trust the provider

Contracts are not enforceable in cloud due to the wide range of jurisdictions

A

Read the contract carefully, and consult with your advisors, to evaluate the terms and understand the potential risks

77
Q

Cloud consumers are ultimately responsible for understanding the legal implications of using a particular cloud provider and service.

True
False

A

True

78
Q

A contract with a cloud service provider can fulfill all of the following except one

Clarify what happens when the service is terminated
Clarify the price for the service
Define the minimum security measures taken by the cloud provider
Clarify whether metadata can be reused for secondary purposes
Prevent a breach of security

A

Prevent a breach of security

79
Q

If you own the data, it is still possible for your CSP to own the metadata:

True
False

A

True

80
Q

Why do cloud providers typically limit their customers’ ability to directly assess and inspect their facilities and services?

Cost management

They are worried customers will find vulnerabilities and they will lose business

On-site inspections can be a security risk, and remote assessments are hard to distinguish from real attacks

To deter paying out bug bounties

A

On-site inspections can be a security risk, and remote assessments are hard to distinguish from real attacks

81
Q

Audit scopes for any given standard, like an SSAE16, are always consistent.

True
False

A

False

82
Q

Select all the following sources that are considered artifacts of compliance

Log files
Activity reports
System configuration details
Change management details

A

Log files
Activity reports
System configuration details
Change management details

83
Q

Should you assess or review the audits of a cloud provider more or less frequently than traditional outsourcers?

More
Less

A

More

84
Q

Which CSA tool maps cloud security control specifications to architectural relevance?

Cloud Controls Matrix
STARWatch
The Security, Trust and Assurance Registry (STAR)
Consensus Assessment Initiative Questionnaire

A

Cloud Controls Matrix

85
Q

Where can cloud providers publish their CAIQ and other security/compliance documents to help cloud prospects and customers assess the provider’s current security posture?

The AWS marketplace
The Security, Trust and Assurance Registry (STAR)
The United States Federal Register of Cloud Providers
Google

A

The Security, Trust and Assurance Registry (STAR)

86
Q

You are a cloud provider and struggling to respond to a large amount of highly variable customer RFP requests for security controls documentation. Which CSA document could you instead complete and send to customers:

STARWatch
Cloud Controls Matrix
The Security, Trust and Assurance Registry (STAR)
Consensus Assessment Initiative Questionnaire

A

Consensus Assessment Initiative Questionnaire

87
Q

Which CSA tool allows you to quickly search a provider’s assessment for controls that map to regulations you care about and see the responses to those controls?

CCM
CAIQ
STAR
STARWatch

A

STARWatch

88
Q

The CSA Cloud Controls Matrix v3.0.1 maps control specifications to FedRAMP High Impact Level.

True
False

A

False

89
Q

The CSA Cloud Controls Matrix v3.0.1 contains how many control specifications?

295
57
133
16

A

133

90
Q

All cloud data is eventually stored on a physical device, like a hard drive.

True
False

A

True

91
Q

Which of the following cloud data storage types can be described as “a database for files”?

Object storage
Volume storage
Database storage
Platform storage

A

Object storage

92
Q

Why do we use data dispersion in Cloud Computing?

To improve security by reducing the chances a complete file can be stolen
To improve resiliency in case of individual drive failure
To improve resiliency by eliminating the need for physical drives
To improve security by obviating the need for encryption

A

To improve resiliency in case of individual drive failure

93
Q

Which security tool can help detect sensitive data migrating to the cloud?

IPS
Data Loss Prevention (DLP)
Data security proxies (DSP)
Firewalls

A

Data Loss Prevention (DLP)

94
Q

Which of the available CASB modes is most cloud-native but often not supported by smaller, especially SaaS, providers:

API
Inline (cloud)
Inline (local)
Cloud-integrated

A

API

95
Q

Which is the preferred model of protecting data migrating to the cloud:

Encryption proxies, because they are the most efficient
Encrypting files, since you can’t trust network encryption
Encrypting network connections, since you can’t trust file encryption
All are equally effective

A

All are equally effective

96
Q

How does Cloud complicate access controls as compared to traditional data storage?

Cloud storage may offer more options, such as sharing privileges or access to the data’s metadata

Cloud access controls are less reliable

All providers must support the same access controls, which makes building the cloud more complex

There is no difference; they are not more complicated

A

Cloud storage may offer more options, such as sharing privileges or access to the data’s metadata

97
Q

In a Cloud Computing Environment, what is always your most important control?

Provider specific controls
Encryption controls
Access controls
Management controls

A

Access controls

98
Q

Select the layer in the stack where encryption is best for protecting discrete data throughout the layers, but may be more complex and is less effective for bulk data.

Application
Database
File/API
Volume Storage

A

Application

99
Q

Select the 3 components of an encryption system.

Encryption engine
Data
Protocol
Key

A

Encryption engine
Data
Key

100
Q

In “externally managed” encryption, which is the key component that should be kept externally to improve security:

Data
Application code
Key management
Encryption Engine

A

Key management

101
Q

Instance managed encryption is:

An example of what not to do
Your preferred option for volume encryption

A

An example of what not to do

102
Q

Which of the following options encrypts data before you transfer it to object storage:

Client-side encryption
Server-side encryption
Externally managed encryption
Application encryption

A

Client-side encryption

103
Q

Select all potential options for encrypting data in PaaS, if they are supported by the platform:

Application-level (in your own code)
Provider-integrated
Volume storage
Database

A

Application-level (in your own code)
Provider-integrated
Database

104
Q

Which location would provide the most secure place to keep encryption keys?

App server
Encryption Server
Storage
Database

A

Encryption Server

105
Q

When using provider managed encryption, you are always sharing the same keys with other tenants.

True
False

A

False

106
Q

Proxy-encryption requires you to break any existing secure connection to your cloud provider.

True
False

A

True

107
Q

Which is the most inherently secure key management option, but may not be viable or even needed depending on your project requirements and platform/provider support?

Third–Party Service
Cloud Provider Service
Virtual Appliance
HSM/Appliance

A

HSM/Appliance

108
Q

To be considered Bring Your Own Key (BYOK) the provider must not be able to ever see or manage your keys.

True
False

A

False

109
Q

Which key management option should you select if you are dealing with highly sensitive data that you don’t want your provider to potentially access under any circumstances:

Virtual appliance
HSM/hybrid
BYOK
3rd party key management service

A

HSM/hybrid

110
Q

Which option allows you to use an existing build for key management without replicating everything in the cloud?

Virtual Appliance
Hybrid
Third-party Service
HSM/Appliance

A

Hybrid

111
Q

For the cloud, where is DLP often best integrated?

The cloud virtual network/VPC
NGFW
Secure Web Gateway
CASB

A

CASB

112
Q

What is the primary goal of data masking?

Hide production data from employees
Turn test data back into production data
Generate test data that still resembles production data
Stop hackers

A

Generate test data that still resembles production data

113
Q

Logs of some events in a cloud environment may not be available to you depending on your choice of cloud provider.

True
False

A

True

114
Q

How should the data security lifecycle be used?

To replace existing data security architectures.

To create granular documentation for all sensitive data in the cloud.

As a lightweight tool to better understand data flow and potential vs. desired data usage.

To create granular documentation for all data, sensitive or not, in the cloud.

A

As a lightweight tool to better understand data flow and potential vs. desired data usage.

115
Q

List the lifecycle phases in order:

Store
Share
Destroy
Create
Archive
Use
A
Create
Store
Use
Share
Archive
Destroy
116
Q

What is the primary objective of mapping functions, actors, and locations?

To replace data flow diagrams
To list all potential security controls
To document information risk
To determine what’s possible vs. what should be allowed

A

To determine what’s possible vs. what should be allowed

117
Q

What do we use to reduce what is possible to what should be allowed within the context of the lifecycle?

Security controls
Key management
CASB or DLP
Entitlement matrix

A

Security controls

118
Q

When moving to cloud, what now becomes within the scope of application security unlike with traditional infrastructure?

Management Plane
SAST
Source code
Architecture

A

Management Plane

119
Q

Arrange the phases of the lifecycle in the correct order.

Design
Test
Develop
Training
Define
A
Training
Define
Design
Develop
Test
120
Q

STRIDE is a common threat modeling framework. Which of the four categories does a cloud provider typically take more responsibility to manage:

Privilege escalation
Denial of service
Spoofing
Information disclosure

A

Denial of service

121
Q

What is one example of a control that can reduce the potential of spoofing:

Encryption
Audit logging
Authorization
Authentication

A

Authentication

122
Q

Specific testing techniques are tightly aligned and should only be performed during their designated phase in the secure software development process

True
False

A

False

123
Q

Which kind of test should be added to static analysis for cloud deployments?

API resiliency
Scanning for stored cloud credentials
Code completion
Regression tests

A

Scanning for stored cloud credentials

124
Q

Which kind of testing will most likely require permission from your cloud provider before performing?

SAST
Vulnerability assessment
Composition analysis
Security unit tests

A

Vulnerability assessment

125
Q

Which vulnerability analysis option will always comply with the terms of service of the cloud provider, but may require paying close attention to network architecture:

Penetration testing
Traditional network-based
Deployment pipeline testing
Host-based

A

Host-based

126
Q

While there are many definitions of DevOps, one technology/process is typically considered to be central to any DevOps program. Which technology is that?

Configuration management
Static analysis
Composition management
Continuous integration

A

Continuous integration

127
Q

Identify the core security benefit of immutable

There are no manual changes, so everything is consistent and administrative access can be disabled.

It fully isolates developers from production environment

It fully isolates operations from production environments

All security updates are automatically applied

A

There are no manual changes, so everything is consistent and administrative access can be disabled.

128
Q

Which of the following are security benefits of DevOps?

Automated Testing
Greater Standardization
Improved Auditing
Improved Security Operations

A

Automated Testing
Greater Standardization
Improved Auditing
Improved Security Operations

129
Q

Which of the following is not a new concern of secure operations for applications in the cloud?

The management plane
SAST
WAF limitations/differences
The cloud configuration

A

SAST

130
Q

Which of the following is an inherent architectural security advantage of cloud?

12 factor applications
The management plane
Containers
Segregation

A

Segregation

131
Q

How can serverless improve security?

Some attack surface is the responsibility of the cloud provider in the shared responsibilities model

Through automation

Serverless actually reduces security

Better visibility due to the management plane

A

Some attack surface is the responsibility of the cloud provider in the shared responsibilities model

132
Q

Many of the new architectural options for cloud offer security benefits over what is possible in traditional infrastructure.

True
False

A

True

133
Q

What could an email address be considered?

Entity
Identity
Identifier
Authorization

A

Identity

134
Q

What is the technical definition of authentication?

The process of confirming an identity
Providing a user access to a resource
Allowing a user to perform an action
The process of validating an entity

A

The process of confirming an identity

135
Q

Which of the following is a discrete type that will have an identity? Examples include users and organizations.

Persona
Role
Entity
Attributes

A

Entity

136
Q

What is the biggest difference between IAM in cloud and in traditional environments?

They use different standards
Cloud is less secure
IAM Must span at least two organizational boundaries
Cloud is more secure

A

IAM Must span at least two organizational boundaries

137
Q

Which IAM standard is best suited for enterprises federating with cloud providers?

OACML
Kerberos
OATH
SAML

A

SAML

138
Q

Which of the following is one of the 3 most common identity standards in cloud environments?

Kerberos
SCIM
OATH
XACML

A

OATH

139
Q

In a hub and spoke model, which technology mediates between directory servers/identity providers and the service providers/relying parties:

CASB
Attribute services
Directory servers
Federated identity brokers

A

Federated identity brokers

140
Q

Which of the following IAM security incidents is more likely in cloud versus traditional infrastructure and requires a dedicated incident response focus?

Account takeover
Pass the hash
Privilege escalation
Account abuse

A

Account takeover

141
Q

Multifactor authentication is absolutely mandatory for cloud computing due to the higher potential for remote account takeovers.

True
False

A

True

142
Q

Checking to see if a user authenticated with MFA from a corporate IP address to authorize an action is an example of?

Role-based access controls
Authentication
Attribute based access controls
Multifactor authorization

A

Attribute based access controls

143
Q

What is an entitlement matrix used for?

To map the directory servers to the appropriate cloud provider
To translate physical security controls to cloud controls
To communicate security controls to a cloud provider
To document authorizations

A

To document authorizations

144
Q

Why are elasticity and infrastructure templating critical IaaS security capabilities?

They optimize performance
These are operational capabilities, not security capabilities
They improve scalability
They enable immutable deployments.

A

They enable immutable deployments.

145
Q

Which of the following protocols should a SaaS provider support to help extend an enterprise's existing user management security controls and is considered a critical security capability?

IPv6
AuthZ
SAML
LDAP

A

SAML

146
Q

Why are reviewable audits important when evaluating a cloud provider?

Third party auditors provide better results than internal auditors
They will meet all regulatory and compliance standards
They fill the gaps in any cloud provider security documentation
They provide third party validation when you cannot audit a provider yourself

A

They provide third party validation when you cannot audit a provider yourself

147
Q

Frequent audits and assessments are important when looking at a cloud provider due to how rapidly they evolve their services.

True
False

A

True

148
Q

If an attacker compromises one of your virtual machines, and then uses it to attack other clients on the same cloud platform, what is the cloud provider’s likely action?

The CSP will prioritize alerting you and providing information needed for you to respond to the attack.

The CSP will first protect the rest of their broader clients, which may mean disrupting your deployment

The CSP has no responsibility in this situation per the shared responsibilities model.

The CSP will prioritize defending the rest of your deployment from the attack.

A

The CSP will first protect the rest of their broader clients, which may mean disrupting your deployment

149
Q

Place the incident response phases in the proper order.

Containment, eradication, recovery
Preparation
Post-mortem
Detection and Analysis

A

Preparation
Detection and Analysis
Containment, eradication, recovery
Post-mortem

150
Q

In which phase would you build a cloud “jump kit” of tools and code to speed a response?

Detection and analysis
Containment and response
Postmortem
Preparation

A

Preparation

151
Q

In which phase would you snapshot a virtual machine for forensics?

Detection and analysis
Containment and response
Postmortem
Preparation

A

Detection and analysis

152
Q

Which of the following most helps you quickly build parallel infrastructure, so that you can rapidly restore operations while still having the compromised environment for analysis?

Infrastructure as code templates
Snapshots
SaaS
PaaS

A

Infrastructure as code templates

153
Q

In a postmortem what would be your highest priority to review and remediate if it was a blocker in your incident response?

Communications with the cloud provider
Internal communications
Container vulnerabilities
Operating system vulnerabilities

A

Communications with the cloud provider

154
Q

Security as a Service is only used to secure cloud services.

True
False

A

False

155
Q

Select all of the following characteristics that are required for something to be considered Security as a Service:

It is a security product or service delivered as a cloud service

It meets the NIST essential characteristics

It is marketed as SECaaS

It is built on an IaaS provider

It has a hosted web interface

A

It is a security product or service delivered as a cloud service

It meets the NIST essential characteristics

156
Q

Which of the following is one of the more unique potential benefits of Security as a Service:

Intelligence Sharing
Customer Visibility
Compliance
Transparency

A

Intelligence Sharing

157
Q

Why are regulation differences a potential concern of using Security as a Service?

SECaaS is highly regulated

The cloud consumer may have regulatory obligations the SECaaS provider can’t meet

The cloud provider may have regulatory obligations the customer can’t meet

SECaaS is unregulated

A

The cloud consumer may have regulatory obligations the SECaaS provider can’t meet

158
Q

Using SECaaS removes accountability for the client, but only for the particular security control the service addresses.

True
False

A

False

159
Q

What characteristic would make a Federated Identity Broker be considered SECaaS vs. a traditional tool?

It supports SAML

It is hosted in the cloud, elastic, and you pay per user

It brokers authentication to cloud services

It supports multiple cloud providers AND on premise directories

A

It is hosted in the cloud, elastic, and you pay per user

160
Q

What is a potential advantage of a web security gateway SECaaS over an on-premise tool?

You can protect mobile users without requiring a VPN to the corporate network
It will generally catch more malware
They are always less expensive
Supports HTTPS

A

You can protect mobile users without requiring a VPN to the corporate network

161
Q

Can a cloud-based key management service be integrated with on-premise encryption?

Yes
No

A

Yes

162
Q

What is required to redirect traffic to a cloud WAF?

An on-premise Proxy
DNS Change
A VPN
GRE Tunneling

A

DNS Change

163
Q

Which of the following is not considered a related technology?

Internet of Things
Mobile computing
Security as a Service
Serverless

A

Security as a Service

164
Q

Big Data is often defined as “high volume, high velocity, and high variety.” What does “high velocity” mean?

Storage elasticity
The data changes constantly/rapidly
Fast raw storage speeds
Fast transfer speeds

A

The data changes constantly/rapidly

165
Q

Why should you consider relying extensively on the isolation capabilities of cloud to defend a big data deployment?

Isolation improves encryption
The distributed storage is always isolated by nature
To meet compliance requirements
Big data platforms tend to have low inherent security

A

Big data platforms tend to have low inherent security

166
Q

While not directly related to cloud, which IoT principle is critical for long-term security?

The ability to patch/update the “things” (devices)
Data encryption
Elasticity
Public APIs

A

The ability to patch/update the “things” (devices)

167
Q

Which of the following issues on a mobile device can actually create security risks for the cloud deployment?

Embedded/static/stored credentials
Insecure wireless networks
Use of an out of date operating system
A malicious app

A

Embedded/static/stored credentials

168
Q

Serverless, used properly, can offer more security benefits than risks.

True
False

A

True

169
Q

Which of the following is considered a separate characteristic of cloud in ISO/IEC 17788?

Resource pooling
Metered usage
On-Demand Self-Service
Multi-Tenancy
Elasticity

A

Multi-Tenancy

170
Q

If you are asked to build a server with 8 CPUs and 16GB of RAM, which service model would you use?

VMWare vSphere
SaaS
PaaS
IaaS
RedHat OpenShift

A

IaaS

171
Q

In which layer of the logical model does the management plane exist?

Infostructure
Data Center
Metastructure
Infrastructure
Between PaaS and IaaS
Applistructure

A

Metastructure

172
Q

When dealing with a public cloud provider, what aspect most commonly impacts how you can manage risk?

Co-tenants want to hack your space
Economies of scale
Standard contracts that cannot be customized
Changes to external regulations

A

Standard contracts that cannot be customized

173
Q

What is a key consideration when evaluating private cloud governance?

The entity that owns and/or manages the private cloud
The hypervisor technology used
Control plane authentication methods
Public Cloud governance

A

The entity that owns and/or manages the private cloud

174
Q

In which situations is a party excused from presenting evidence in a court of law?

When it doesn’t exist

When it is too expensive to retrieve

Never; a party must always present data when it’s requested by a judge

When it is not reasonably accessible

A

When it doesn’t exist

When it is not reasonably accessible

175
Q

What is true about an attestation?

Attestation is a legal statement from a 3rd party
Attestation is a testimony in a court of law
Attestations can only be performed by a legal official
Attestation is another term for audit

A

Attestation is a legal statement from a 3rd party

176
Q

When evaluating a cloud provider’s audit report, what should you pay particular attention to?

Whether or not the auditor has their CCSK
Services and Jurisdiction of the audit
The date of the audit report
The auditor’s conclusion

A

Services and Jurisdiction of the audit

177
Q

Which of the following locations are considered part of the data security lifecycle?

A. Location of the Data
B. Location of the access device
C. Location of the data center
D. A and B

A

D. A and B

178
Q

What determines the functions actors are allowed to perform or not?

Entitlements
Information classification
Information governance
Contractual controls
Access Device

A

Entitlements

179
Q

What is meant by data “lock-in”?

Lock-in applies when you are contractually unable to export your data

Exporting data out of a provider would require significant effort

Data exported can be used only with the original provider’s services

All of the above

A

All of the above

180
Q

Which of the following MUST a cloud customer include in their business continuity planning?

Determine how to guarantee availability in the DR region by discussing your DR plans with the vendor

Determine how the IaaS provider will fix any availability issues in your application

Use the contract to ensure DR does not result in a different jurisdiction for storing and processing data

Implement Chaos Engineering

A

Determine how to guarantee availability in the DR region by discussing your DR plans with the vendor