CCSK: Certificate of Cloud Security Knowledge 1 of 6 Practice Flashcards
What risk must be mitigated by a customer?
A.Any Risk
B.Risks associated with the service model
C.Risks accepted by the provider
D.Risks listed in the Cloud Controls Matrix
C.Risks accepted by the provider
Explanation:
The best answer is that a customer must mitigate any risk accepted by the provider, except for any risk the customer determines unacceptable. This must be based on the value of a particular system and cannot be a blanket approach.
What is the number one tool of governance in a cloud?
A.Reviewing vendor certifications
B.Training your people on cloud security
C.Working with auditors with cloud experience
D.Contract review
D.Contract review
Explanation:
Contract reviews are the primary tool associated with governance in a cloud.
Which of the following will not prevent you from moving unapproved data to cloud services?
A.Data Loss Prevention
B.Database Activity Monitoring (DAM)
C.File Activity Monitoring (FAM)
D.URL Filtering
E.Intrusion Detection System (IDS)
E.Intrusion Detection System (IDS)
Explanation:
Aside from traditional data security controls (like access controls or encryption), there are two other steps to help manage unapproved data moving to cloud services: Monitor for large internal data migrations with Database Activity Monitoring (DAM) and File Activity Monitoring (FAM). Monitor for data moving to the cloud with URL filters and Data Loss Prevention.
Which of the following is one of the most common open standards to enable federation in the cloud?
A.XML
B.Kerberos
C.SAML
D.X.509
E.SOAP
C.SAML
Explanation:
A variety of identity providers or service providers may generate tokens such as SAML, OpenID, or OAuth tokens for session caching, allowing a pass-through sign-on capability. Applications to be deployed in the cloud should have the capability to integrate with these claims/assertion services, and applications/services should be designed to support the open standards for federation, i.e. SAML, OAuth, OpenID. Source: Security Guidance for Critical Areas of Focus in Cloud Computing Topic: IAM Standards for
How can you prevent cloud providers from inappropriately accessing customer data?
A.Encrypt your data at rest and implement multi-factor authentication
B.Implement strong access controls on your data
C.Wherever possible, do not store the keys in the cloud
D.Disable the root user access and delete the access keys
E.Use strong contractual controls to prevent unauthorized access
C.Wherever possible, do not store the keys in the cloud
Explanation:
Wherever possible, keys should not be stored in the cloud and must be maintained by the enterprise or a trusted key management service provider. Where data is stored in a public cloud environment, there are problems when exiting that environment to be able to prove that all data (especially PII or SPI data, or data subject to regulatory assurance regimes) has been deleted from the public cloud environment, including all other media, such as back-up tapes. Maintaining local key management allows
Which of the following is a permission to do something like access a file, network, or perform a certain function like an API call on a particular resource?
A.Identification
B.Authorization
C.Authentication
D.Access Control
E.Entitlement
B.Authorization
Explanation:
An authorization is permission to do something—access a file or network, or perform a certain function like an API call on a particular resource. An access control allows or denies the expression of that authorization, so it includes aspects like assuring that the user is authenticated before allowing access. An entitlement maps identities to authorizations and any required attributes (e.g. user x is allowed access to resource y when z attributes have designated values). We commonly refer to a m
Role-Based Access Control (RBAC) model for IAM offers greater flexibility and security than the Attribute-Based Access Control (ABAC) model
A.INCORRECT
B.CORRECT
A.INCORRECT
Explanation:
Cloud platforms tend to have greater support for the Attribute-Based Access Control (ABAC) model for IAM, which offers greater flexibility and security than the Role-Based Access Control (RBAC) model. RBAC is the traditional model for enforcing authorizations and relies on what is often a single attribute (a defined role). ABAC allows more granular and context-aware decisions by incorporating multiple attributes, such as role, location, authentication method, and more. • ABAC is the preferred mo
Which of the following is a preferred model for cloud-based access management?
A.Attribute based
B.Access based
C.Identity based
D.Role based
A.Attribute based
Explanation:
ABAC is the preferred model for cloud-based access management. Cloud platforms tend to have greater support for the Attribute-Based Access Control (ABAC) model for IAM, which offers greater flexibility and security than the Role-Based Access Control (RBAC) model. RBAC is the traditional model for enforcing authorizations and relies on what is often a single attribute (a defined role). ABAC allows more granular and context-aware decisions by incorporating multiple attributes, such as role, loca
In addition to providing better server utilization, and data center consolidation, virtualization also reduces the security threats significantly.
A.INCORRECT
B.CORRECT
A.INCORRECT
Explanation:
Virtualization brings with it all the security concerns of the operating system running as a guest, together with new security concerns about the hypervisor layer, as well as new virtualization-specific threats, inter-VM (Virtual Machine) attacks and blind spots, performance concerns arising from CPU and memory used for security, and operational complexity from “VM sprawl” as a security inhibitor. New problems like instant-on gaps, data commingling, the difficulty of encrypting virtual machine im
Which logical model holds the management plane that is exposed to customers?
A.Infostructure
B.Applistructure
C.Metastructure
D.Infrastructure
C.Metastructure
Explanation:
The management plane is part of the metastructure logical model.
You are running a web server in an IaaS environment. You get a call from a customer saying the server appears to have been compromised. Which logical model has been impacted?
A.Infostructure
B.Applistructure
C.Metastructure
D.Infrastructure
B.Applistructure
Explanation:
The web server is part of the applistructure. The controls surrounding the web server would be implemented at the metastructure level, but the web server itself is at the applistructure level (and data is at the infostructure layer).
Which of the following is NOT an essential characteristic of cloud as per NIST?
A.Multitenancy
B.Elasticity
C.Resource pooling
D.On-demand self-service
D.On-demand self-service
Explanation:
NIST doesn’t call out multitenancy as an essential characteristic. ISO, however, does call out multitenancy as part of the resource-pooling essential characteristics.
In which logical model would you implement a virtual firewall?
A.Infostructure
B.Applistructure
C.Metastructure
D.Infrastructure
C.Metastructure
Explanation:
All controls in the virtual environment are performed at the metastructure layer. If the question asked about installing a firewall agent, that would occur at the applistructure layer.
How is one consumer’s access tightly isolated from other consumers in a public cloud environment?
A.Strong passwords
B.RBAC
C.Policies at the provider side
D.Policies at the customer side
C.Policies at the provider side
Explanation:
Tenants are protected by policies at the provider side. Consider, for example, network sniffing. One tenant will never see network traffic destined for another tenant. As a general rule, one tenant should never know that another tenant even exists. Although consumers will also have their own policies in place, the provider must ensure that there is strong isolation of workloads and tenants. This makes C the best answer.
Orchestration enables a controller to request resources from a pool of resources. How is this done?
A.Ticketing systems prioritize clients based on support level
B.Through the use of REST APIs
C.Through the use of RPC
D.Via network calls
B.Through the use of REST APIs
Explanation:
Orchestration generally uses REST API calls. Although orchestration is, of course, performed across a network, the best answer is REST API calls. This is an example of the tricks that test writers like to pull on candidates.
You are instructed to build a server with eight CPUs and 8GB of RAM. Which service model would you use?
A.SaaS
B.PaaS
C.IaaS
D.No cloud provider supports a machine with 8 CPUs
C.IaaS
Explanation:
This is a prime example of why you would use IaaS—access to core foundational computing.
Your company is using a PaaS provider to host a Python 2.7–based application. One day, the provider sends you an e-mail stating they will no longer support the Python 2.7 platform and all applications must be upgraded to use Python 3.6 within two weeks. What is the first action you should take?
A.Test the application in Python 3.6
B.Tell the provider you can't meet this timeline
C.Providers are restricted by law from doing this
D.Launch a lawsuit against the provider for pain and suffering
A.Test the application in Python 3.6
Explanation:
When a platform is deprecated (no longer supported), the provider will generally give you access to a test environment where you can test your application using the new platform. As for the time provided in the question, it’s a bit extreme based on what I’ve experienced, but there is no law stopping a provider from giving you hours to migrate, let alone weeks.
Chris is looking to procure a new CRM SaaS solution for his organization’s business unit. What is the first step Chris should take as part of performing a risk assessment of a potential vendor?
A.Determine monthly costs
B.Ask reference clients about their satisfaction with their product
C.Determine the level of sensitivity of data that will be stored in the application
D.Obtain and review supplier documentation
D.Obtain and review supplier documentation
Explanation:
The first step in performing a risk assessment is requesting documentation.
Pat is looking for an industry standard set of controls that are cloud specific. What can Pat select controls from to create a baseline risk assessment process?
A.ISO 27001
B.NIST RMF
C.COBIT
D.CCM
D.CCM
Explanation:
The CCM has a series of controls that are cloud specific. None of the other answers are applicable.
Your IaaS vendor assures you that your applications will be PCI compliant if you use their cloud offering. What is wrong with this statement?
A.The vendor has no idea what they are talking about
B.The vendor is lying to you
C.The vendor doesn’t understand the shared responsibility model of cloud
D.All of these are true
D.All of these are true
Explanation:
All of the statements are applicable.
How often should risk assessments be performed against a cloud service provider?
A.Upon initial assessment prior to on-boarding
B.Upon initial assessment and on an ongoing basis
C.Providers don't allow customers to perform risk assessments
D.There are no risks associated with cloud services
B.Upon initial assessment and on an ongoing basis
Explanation:
Risk assessments should be performed prior to and throughout the use of a provider’s offering.
Virtualization security in cloud computing is the responsibility of cloud provider.
A.INCORRECT
B.CORRECT
A.INCORRECT
Explanation:
Virtualization security in cloud computing follows the shared responsibility model. The cloud provider will always be responsible for securing the physical infrastructure and the virtualization platform itself. Meanwhile, the cloud customer is responsible for properly implementing the available virtualized security controls and understanding the underlying risks, based on what is implemented and managed by the cl
Which of the following statements regarding SDN (Software Defined Networking) is not CORRECT?
A.Abstracts the network management plane from physical infrastructure
B.Is defined using software settings and API calls
C.Does not overlay the overlapping addresses
D.Supports orchestration and agility
C.Does not overlay the overlapping addresses
Explanation:
You can overlay multiple virtual networks using SDN, even the ones that completely overlap their address ranges. SDN abstracts the network management plane from the underlying physical infrastructure, removing many typical networking constraints. For example, you can overlay multiple virtual networks, even ones that completely overlap their address ranges, over the same physical hardware, with all traffic properly segregated and isolated. SDNs are also defined using software settings and API cal
Containers provide full security isolation and task segregation.
A.INCORRECT
B.CORRECT
A.INCORRECT
Explanation:
Containers don’t necessarily provide full security isolation, but they do provide task segregation. That said, virtual machines typically do provide security isolation. Thus you can put tasks of equivalent security context on the same set of physical or virtual hosts in order to provide greater security segregation.
Which of the following refers to a model that allows customers to closely match resource consumption with demand?
A.Measured Service
B.Rapid elasticity
C.Broad network access
D.On-demand self service
E.Resource pooling
B.Rapid elasticity
Explanation:
Rapid elasticity allows consumers to expand or contract the resources they use from the pool (provisioning and deprovisioning), often completely automatically. This allows them to more closely match resource consumption with demand (for example, adding virtual servers as demand increases, then shutting them down when demand drops). Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Essential Characteristics Domain 1 // Cloud Computing Concepts and Architectures
Which of the following statements regarding cloud platform architecture is CORRECT?
A.Single cloud assets and traditional infrastructure should be combined together to provide more resilient infrastructure
B.Single cloud assets are equally resilient as traditional infrastructure
C.Single cloud assets are typically more resilient than the traditional infrastructure
D.Single cloud assets are typically less resilient than the traditional infrastructure
D.Single cloud assets are typically less resilient than the traditional infrastructure
Explanation:
Cloud platforms can be incredibly resilient, but single cloud assets are typically less resilient than in the case of traditional infrastructure. This is due to the inherently greater fragility of virtualized resources running in highly-complex environments. This mostly applies to compute, networking, and storage, since those allow closer to raw access, and cloud providers can leverage additional resiliency techniques for their platforms and applications that run on top of IaaS. Source: Security
Infrastructure in the cloud cannot be defined and implemented through templates and automation.
A.INCORRECT
B.CORRECT
A.INCORRECT
Explanation:
Infrastructure is more often in scope for application testing due to “infrastructure as code,” where the infrastructure itself is defined and implemented through templates and automation. Security testing should be integrated into the deployment process and pipeline. Testing tends to span this and the Secure Deployment phase, but leans towards security unit tests, security functional tests, Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST). Due to the ov
CI/CD pipelines can enhance security through support of which of the following?
A.Immutable infrastructure
B.Manual security testing
C.Restricted logging on infrastructure
D.Restricted logging on application
A.Immutable infrastructure
Explanation:
CI/CD pipelines can enhance security through support of immutable infrastructure (fewer manual changes to production environments), automating security testing, and extensive logging of application and infrastructure changes when those changes run through the pipeline. When configured properly, logs can track every code, infrastructure, and configuration change and tie them back to whoever submitted the change and whoever approved it; they will also include any testing results. Source: Security
You do not trust your SaaS provider and have chosen to encrypt all of your data. Which of the following is CORRECT in this situation?
A.You can continue with the provider as encrypting all the data will take care of trust issues
B.You don't have to ensure the security of the device if you have encrypted the data
C.Encrypting everything may lead to INCORRECT sense of security
D.You have ensured the security of your data by encrypted it
C.Encrypting everything may lead to INCORRECT sense of security
Explanation:
Encrypting everything in SaaS because you don’t trust that provider at all likely means that you shouldn’t be using the provider in the first place. But encrypting everything is not a cure-all and may lead to a false sense of security, e.g., encrypting data traffic without ensuring the security of the devices themselves. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Introduction Domain 10 // Data Security and Encryption
Which of the following regarding customer managed keys is CORRECT?
A.Cloud customer and provider jointly manage the encryption engine and cloud customer manages their own encryption key
B.Cloud customer and provider jointly manage the encryption key and encryption engine
C.Cloud customer manages both the encryption key and the encryption engine
D.Provider manages the encryption key and cloud customer manages the encryption engine
E.Cloud customer manages the encryption key and the provider manages the encryption engine
E.Cloud customer manages the encryption key and the provider manages the encryption engine
Explanation:
A customer-managed key allows a cloud customer to manage their own encryption key while the provider manages the encryption engine. For example, using your own key to encrypt SaaS data within the SaaS platform. Many providers encrypt data by default, using keys completely in their control. Some may allow you to substitute your own key, which integrates with their encryption system. Make sure your vendor’s practices align with your requirements. Source: Security Guidance for Critical Areas of Foc
Which of the following is the most obvious form of provider lock-in?
A.Meta-data Lock-in
B.Infrastructure Lock-In
C.Application Lock-in
D.Data Lock-in
C.Application Lock-in
Explanation:
Application lock-in is the most obvious form of lock-in (although it is not specific to cloud services). SaaS providers typically develop a custom application tailored to the needs of their target market. SaaS customers with a large user-base can incur very high switching costs when migrating to another SaaS provider as the end-user experience is impacted (e.g., re-training is necessary). Where the customer has developed programs to interact with the provider's API directly (e.g., for integration
“Cloud Provider Acquisition” is which form of risk?
A.Compliance Risk
B.Policy and Organization Risk
C.Technical Risk
D.Legal Risk
B.Policy and Organization Risk
Explanation:
Policy and Organization risks cover the following:
1. Lock-in
2. Loss of governance
3. Compliance challenges
4. Loss of business reputation due to co-tenant activities
5. Cloud service terminations or failure
6. Cloud provider acquisitions
7. Supply chain failures
Source: enisa Topic: Risks
Inability to provide sufficient capacity to a customer can lead to which of the following?
A.Data leakage
B.Denial of Service (DOS)
C.Resource exhaustion
D.Abuse of high privileged roles
E.Isolation failure
C.Resource exhaustion
Explanation:
Resource exhaustion (under or over provisioning): There is a level of calculated risk in allocating all the resources of a cloud service, because resources are allocated according to statistical projections. Inaccurate modelling of resource usage (common resource allocation algorithms are vulnerable to distortions of fairness) or inadequate resource provisioning and inadequate investments in infrastructure can lead, from the CP perspective, to: · Service unavailability: failure in certain hig
Which of the following defines the amount of risk that the leadership and stakeholders of an organization are willing to accept?
A.Risk Target
B.Residual Risk
C.Risk Tolerance
D.Risk Acceptance
C.Risk Tolerance
Explanation:
Risk tolerance is the amount of risk that the leadership and stakeholders of an organization are willing to accept. It varies based on asset and you shouldn’t make a blanket risk decision about a particular provider; rather, assessments should align with the value and requirements of the assets involved. Just because a public cloud provider is external and a consumer might be concerned with shared infrastructure for some assets doesn’t mean it isn’t within risk tolerance for all assets. Over tim
Installing traditional agents designed for physical servers will not result in the same amount of efficiency and performance on a virtualized server.
A.INCORRECT
B.CORRECT
B.CORRECT
Explanation:
“Traditional” agents may impede performance more heavily in cloud. Lightweight agents with lower compute requirements allow better workload distribution and efficient use of resources. Agents not designed for cloud computing may assume underlying compute capacity that isn’t aligned with how the cloud deployment is designed. The developers on a given project might assume they are running a fleet of lightweight, single-purpose virtual machines. A security agent not attuned to this environment coul
Point-in-time activities like compliance, audit, and assurance should be conducted by cloud providers to avoid creating any gaps, and thus exposures, for their customers.
A.INCORRECT
B.CORRECT
A.INCORRECT
Explanation:
Compliance, audit, and assurance should be continuous. They should not be seen as merely point-in-time activities, and many standards and regulations are moving more towards this model. This is especially true in cloud computing, where both the provider and customer tend to be in more-constant flux and are rarely ever in a static state. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Recommendations Domain 4: COMPLIANCE AND AUDIT MANAGEMENT
In which of the following five essential characteristics can a consumer unilaterally provision computing capabilities such as server time and network storage as needed?
A.Measured Service
B.Rapid elasticity
C.Broad network access
D.On-demand Self-service
E.Resource Pooling
D.On-demand Self-service
Explanation:
On-demand self-service: A consumer can unilaterally provision computing capabilities such as server time and network storage as needed automatically without requiring human interaction with a service provider. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Essential Characteristics Domain 1: CLOUD COMPUTING CONCEPTS AND ARCHITECTURES
Which of the following provides “Storage as a Service” as a sub-offering?
A.SecaaS
B.SaaS
C.PaaS
D.IaaS
D.IaaS
Explanation:
Narrowing the scope or specific capabilities and functionality within each of the cloud delivery models, or employing the functional coupling of services and capabilities across them, may yield derivative classifications. For example “Storage as a Service” is a specific sub-offering within the IaaS ‘family’. Source: Security Guidance for Critical Areas of Focus in Cloud Computing Topic: Service Models Domain 1: CLOUD COMPUTING CONCEPTS AND ARCHITECTURES
If in a multi-tenant environment, multiple different customers can see and modify each other’s assets, what is it called?
A.Information leakage
B.Data breach
C.Breach of trust
D.Isolation failure
E.Segregation failure
D.Isolation failure
Explanation:
Clouds are multitenant by nature. Multiple different consumer constituencies share the same pool of resources but are segregated and isolated from each other. Segregation allows the cloud provider to divvy up resources to the different groups, and isolation ensures they can’t see or modify each other’s assets. Multitenancy doesn’t only apply across different organizations; it’s also used to divvy up resources between different units in a single business or organization. Source: Guidance for Crit
Which of the following encryption approaches is used when object storage is used as the back-end for an application?
A.Data encryption
B.Proxy encryption
C.Server-side encryption
D.Client-side encryption
D.Client-side encryption
Explanation:
Object and file storage, client-side encryption: When object storage is used as the back-end for an application (including mobile applications), encrypt the data using an encryption engine embedded in the application or client. Source: Guidance for Critical Areas of Focus in Cloud Computing
Resource pooling practiced by the cloud services may especially complicate which part of the IR process?
A.Forensics
B.Recovery
C.Monitoring
D.Prevention
E.Detection
A.Forensics
Explanation:
The resource pooling practiced by cloud services, in addition to the rapid elasticity offered by cloud infrastructures, may dramatically complicate the IR process, especially the forensic activities carried out as part of the incident analysis. Forensics has to be carried out in a highly dynamic environment, which challenges basic forensic necessities [4] such as establishing the scope of an incident, the collection and attribution of data, preserving the semantic integrity of that data, and mai
Customers should view cloud services and security as:
A.Enterprise security strategy
B.Supply chain security issue
C.Technology security issue
D.Third-party security issue
E.Service provider security issue
B.Supply chain security issue
Explanation:
Customers should view cloud services and security as supply chain security issues. This means examining and assessing the provider’s supply chain (service provider relationships and dependencies) to the extent possible. This also means examining the provider’s own third party management. Assessment of third party service providers should specifically target the provider’s incident management, business continuity and disaster recovery policies, and processes and procedures; and should include rev
Enisa: The risks identified can be classified into which of the following three categories?
A.Technical, Legal, Policy and Organizational
B.Technical, Operational, Policy and Organizational
C.Technical, Operational, Legal
D.Technical, Commercial, Legal
E.Technical, Commercial, Operational
A.Technical, Legal, Policy and Organizational
Explanation:
The risks identified in the assessment are classified into three categories:
· Policy and organizational
· Technical
· Legal
Source: enisa Topic: Risks
Enisa: Lock-in is under which category of risk?
A.Operational
B.Policy and Organizational
C.Legal
D.Technical
B.Policy and Organizational
Explanation:
Policy and Organization risks cover the following:
1. Lock-in
2. Loss of governance
3. Compliance challenges
4. Loss of business reputation due to co-tenant activities
5. Cloud service terminations or failure
6. Cloud provider acquisitions
7. Supply chain failures
Source: enisa Topic: Risks
Enisa: Which of the following statements is CORRECT regarding the risk of natural disasters in cloud?
A.There is no risk of natural disasters in cloud as the providers offer multiple redundant sites and network paths
B.Risk of natural disasters in cloud is the same as in traditional infrastructure
C.Risk of natural disasters in cloud is lesser as compared to a traditional infrastructure
D.Risk of natural disasters in cloud is higher as compared to a traditional infrastructure
C.Risk of natural disasters in cloud is lesser as compared to a traditional infrastructure
Explanation:
Generally speaking, the risk from natural disasters is lower compared to traditional infrastructures because cloud providers offer multiple redundant sites and network paths by default. Source: enisa Topic: Natural Disasters
Enisa: Password-based authentication should be sufficient for accessing cloud resources.
A.INCORRECT
B.CORRECT
A.INCORRECT
Explanation:
The cloud makes password-based authentication attacks (the trend of fraudsters using a Trojan to steal corporate passwords) much more impactful, since corporate applications are now exposed on the Internet. Therefore password-based authentication will become insufficient, and stronger or two-factor authentication for accessing cloud resources will be necessary. Source: enisa Topic: AAA Vulnerabilities
Enisa: Why are Hardware Security Modules (HSMs) difficult to distribute across the multiple locations used in cloud architectures?
A.HSM module contains one or more secure cryptoprocessor chips to prevent tampering
B.Many HSM systems have means to securely backup keys they handle outside of the HSM
C.HSMs are typically clustered for high availability and performance
D.HSMs are by necessity strongly physically protected from theft, eavesdrop, and tampering
D.HSMs are by necessity strongly physically protected from theft, eavesdrop, and tampering
Explanation:
HSMs are by necessity strongly physically protected (from theft, eavesdrop and tampering). This makes it very difficult for them to be distributed in the multiple locations used in cloud architectures (i.e., geographically distributed and highly replicated). Source: enisa Topic: Poor Key Management Procedures
Enisa: The lack of use of standard technologies and solutions by the cloud provider may lead to:
A.Data leakage
B.Lock-in
C.Loss of governance
D.Resource exhaustion
E.Isolation failure
B.Lock-in
Explanation:
A lack of standards means that data may be ‘locked-in’ to a provider. This is a big risk should the provider cease operation. This may inhibit the use of managed security services and external security technologies such as FIM. Source: enisa Topic: Lack of Standard Technologies and Solutions
Enisa: Which of the following is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data?
A.Selector
B.Processor
C.Controller
D.Keeper
E.Subject
C.Controller
Explanation:
Controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law. Source: enisa Topic: Data protection
Enisa: Whose responsibility is it to choose a data processor that provides sufficient guarantees with respect to the technical security measures and organisational measures governing the processing to be carried out, and ensuring compliance with those measures?
A.Controller B.Processor C.Coordinator D.Keeper E.Subject
A.Controller
Explanation:
One of the main duties and obligations for the Controller set forth in the Data Protection Directive is choosing a Processor that provides sufficient guarantees with respect to the technical security measures and organisational measures governing the processing to be carried out, and ensuring compliance with those measures. Source: enisa Topic: Data protection
Which of the following is a responsibility of a cloud user?
A.Securing virtualization infrastructure B.Image asset management C.Isolation D.Physical Security E.Hypervisor security
B.Image asset management
Explanation:
Cloud User Responsibilities: The cloud user should take advantage of the security controls for managing their virtual infrastructure, which will vary based on the cloud platform and often include: • Security settings, such as identity management, to the virtual resources. This is not the identity management within the resource, such as the operating system login credentials, but the identity management of who is allowed to access the cloud management of the resource— for example, stopping or chang
Exiting from an activity giving rise to more risk is called?
A.Accepting the risk B.Reducing the risk C.Transferring the risk D.Avoiding the risk E.Ignoring the risk
D.Avoiding the risk
Explanation:
Enterprise risk management in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. In a cloud environment, management selects a risk response strategy for specific risks identified and analyzed, which may include:
· Avoidance—exiting the activities giving rise to risk
· Reduction—taking action to reduce the likelihood or impact related to the risk
· Share or insure—transferring or sharing a porti
Which of the following best describes the data protection when it moves to the cloud?
A.Ensure that a secure transfer channel is used and data should remain protected both at rest and in use
B.Data should remain protected both at rest and in use
C.Encrypting the data when it leaves the cloud should be sufficient
D.Encrypt the data only when it is stored in the cloud
E.Ensure that a secure transfer channel is used
A.Ensure that a secure transfer channel is used and data should remain protected both at rest and in use
Explanation:
Protecting data through encryption as it moves to the cloud requires more than just ensuring that a secure transfer channel (i.e. TLS) is used. Encrypting the transfer of data to the cloud does not ensure the data is protected in the cloud. Once data arrives in the cloud, it should remain protected both at rest and in use. Source: Security Guidance for Critical Areas of Focus in Cloud Computing Topic: Introduction Domain 11 // DATA SECURITY AND ENCRYPTION
Which of the following gives the customers ability to audit the cloud provider?
A.ISO27001 B.Customer cannot gain the rights to audit C.Right to transparency clause D.Right to audit clause E.State Laws
D.Right to audit clause
Explanation:
A right to audit clause gives customers the ability to audit the cloud provider, which supports traceability and transparency in the frequently evolving environments of cloud computing and regulation. Use a normative specification in the right to audit to ensure mutual understanding of expectations. In time, this right should be supplanted by third-party certifications (e.g., driven by ISO/IEC 27001/27017). Source: Security Guidance for Critical Areas of Focus in Cloud Computing Topic: Requireme
Which of the following clauses in the agreement between customer and cloud provider can provide customers in highly regulated industries with the required information?
A.Customer cannot gain the access to required information B.Right to access clause C.Right to transparency D.Right to audit clause E.Right to information clause
C.Right to transparency
Explanation:
A right to transparency clause with specified access rights can provide customers in highly regulated industries (including those in which non-compliance can be grounds for criminal prosecution) with required information. The agreement should distinguish between automated/direct access to information (e.g., logs, reports) and ‘pushed’ information (e.g., system architectures, audit reports). Source: Security Guidance for Critical Areas of Focus in Cloud Computing Topic: Requirements Domain 4 // C
Which service model has the provider assuming the most responsibility?
A.SaaS
B.PaaS
C.IaaS
D.They are all the same as far as responsibility shifts are concerned.
A.SaaS
Explanation:
The SaaS service model has the provider assuming responsibility for most (not all) controls.
Which service model is most congruent with existing governance and risk management processes?
A.SaaS
B.PaaS
C.IaaS
D.Internally managed private cloud
C.IaaS
Explanation:
IaaS is the service model most congruent with traditional governance and risk management. The private cloud is a deployment model, not a service model. Note: Watch out for trick answers like this on any technical exam!
Which of the following SOC reports should be sought from a vendor when assessing its security controls?
A.SOC 1, Type 1
B.SOC 1, Type 2
C.SOC 2, Type 1
D.SOC 3
C.SOC 2, Type 1
Explanation:
The best answer listed is SOC 2, Type 1. SOC 1 deals with financial reporting controls. A SOC 3 report doesn’t contain any tests performed or their results. A SOC 2, Type 2, report is the best to use when reviewing a provider from a security perspective, but since it’s not listed as a potential answer, SOC 2, Type 1, is the best possible answer.
What is a natural property of multitenancy?
A.Inflexible contracts
B.Being hacked by co-tenants
C.Economies of scale
D.Shared responsibility
A.Inflexible contracts
Explanation:
Inflexible contracts are a natural characteristic of multitenancy because the provider cannot afford or manage a million-plus custom contracts.