CCSK: Certificate of Cloud Security Knowledge 1 of 6 Practice Flashcards

1
Q

What risk must be mitigated by a customer?

A.Any risk
B.Risks associated with the service model
C.Risks accepted by the provider
D.Risks listed in the Cloud Controls Matrix

A

C.Risks accepted by the provider

Explanation:
The best answer is that the customer must mitigate any risk the provider accepts rather than mitigates, unless the customer judges that risk unacceptable for the asset in question. That judgement must be based on the value of the particular system; it cannot be a blanket approach.

2
Q

What is the number one tool of governance in a cloud?

A.Reviewing vendor certifications
B.Training your people on cloud security
C.Working with auditors with cloud experience
D.Contract review

A

D.Contract review

Explanation:
Contract reviews are the primary tool associated with governance in a cloud.

3
Q

Which of the following will not prevent you from moving unapproved data to cloud services?

A.Data Loss Prevention
B.Database Activity Monitoring (DAM)
C.File Activity Monitoring (FAM)
D.URL Filtering
E.Intrusion Detection System (IDS)

A

E.Intrusion Detection System (IDS)

Explanation:
Aside from traditional data security controls (like access controls or encryption), there are two other steps to help manage unapproved data moving to cloud services: Monitor for large internal data migrations with Database Activity Monitoring (DAM) and File Activity Monitoring (FAM). Monitor for data moving to the cloud with URL filters and Data Loss Prevention.
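Detection logic for the second step in the explanation (data moving to the cloud), as an added example that is not part of the original card: a URL-filter style check run over a few constructed proxy log lines, which flags uploads to hosts outside an approved-service allowlist and totals the bytes each user tried to send. The log line format, the hostnames and users, the allowlist and the size threshold are all assumptions made for the illustration.

```python
"""Flag data moving to unapproved cloud services from proxy log lines.

Added example for this page, not code from any product. The log line format,
hostnames, users, approved-host allowlist and size threshold are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Cloud services the organisation has approved to hold corporate data (assumption).
APPROVED_CLOUD_HOSTS = {
    "storage.approved-cloud.example",
    "crm.approved-saas.example",
}

# Uploads at or above this size to an unapproved host get the stronger label (assumption).
LARGE_UPLOAD_BYTES = 10 * 1024 * 1024

# Constructed proxy log lines: timestamp user method host bytes_out status.
SAMPLE_PROXY_LOG = """\
2024-05-01T09:00:12Z alice PUT storage.approved-cloud.example 52428800 200
2024-05-01T09:03:45Z bob POST files.personal-share.example 20971520 200
2024-05-01T09:05:01Z carol GET news.example 1024 200
2024-05-01T09:07:30Z bob POST files.personal-share.example 4096 200
2024-05-01T09:09:00Z dave PUT sync.unknown-drive.example 73400320 403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<bytes>\d+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    host: str
    bytes_out: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["bytes"] = int(ev["bytes"])
    ev["status"] = int(ev["status"])
    return ev


def check_event(ev: dict) -> Optional[Finding]:
    """Return a Finding for an upload to a host outside the allowlist, else None."""
    if ev["method"] not in ("PUT", "POST"):
        return None  # only request methods that carry a body move data outward
    if ev["host"] in APPROVED_CLOUD_HOSTS:
        return None  # sanctioned destination: the URL-filter rule does not fire
    if ev["status"] == 403:
        reason = "blocked by URL filter (unapproved host)"  # filter worked; still record the attempt
    elif ev["bytes"] >= LARGE_UPLOAD_BYTES:
        reason = "large upload to unapproved host"
    else:
        reason = "upload to unapproved host"
    return Finding(ev["ts"], ev["user"], ev["host"], ev["bytes"], reason)


def scan_proxy_log(log_text: str) -> List[Finding]:
    """Run the check over every parseable line, preserving log order."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            f = check_event(ev)
            if f is not None:
                findings.append(f)
    return findings


def bytes_by_user(findings: List[Finding]) -> Dict[str, int]:
    """Total bytes each user attempted to send to unapproved hosts, for prioritising review."""
    totals: Dict[str, int] = {}
    for f in findings:
        totals[f.user] = totals.get(f.user, 0) + f.bytes_out
    return totals


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for f in found:
        print(f"{f.ts} {f.user} -> {f.host} ({f.bytes_out} bytes): {f.reason}")
    print(bytes_by_user(found))
```

Note that a 403 from the filter is still reported: the block stopped the transfer, but the attempt is exactly what a DLP reviewer wants to see, and the per-user totals make a repeat offender stand out.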

4
Q

Which of the following is one of the most common open standards to enable federation in the cloud?

A.XML
B.Kerberos
C.SAML
D.X.509
E.SOAP

A

C.SAML

Explanation:
A variety of identity providers or service providers may generate tokens such as SAML, OpenID, or OAuth tokens for session caching, allowing a pass-through sign-on capability. Applications to be deployed in the cloud should be able to integrate with these claims/assertion services, and applications/services should be designed to support the open standards for federation, i.e. SAML, OAuth, OpenID. Source: Security Guidance for Critical Areas of Focus in Cloud Computing Topic: IAM Standards for

5
Q

How can you prevent cloud providers from inappropriately accessing customer data?

A.Encrypt your data at rest and implement multi-factor authentication
B.Implement strong access controls on your data
C.Wherever possible, do not store the keys in the cloud
D.Disable the root user access and delete the access keys
E.Use strong contractual controls to prevent unauthorized access

A

C.Wherever possible, do not store the keys in the cloud

Explanation:
Wherever possible, keys should not be stored in the cloud and must be maintained by the enterprise or a trusted key management service provider. Where data is stored in a public cloud environment, there are problems when exiting that environment to be able to prove that all data (especially PII or SPI data, or data subject to regulatory assurance regimes) has been deleted from the public cloud environment, including all other media, such as back-up tapes. Maintaining local key management allows

6
Q

Which of the following is a permission to do something like access a file, network, or perform a certain function like an API call on a particular resource?

A.Identification
B.Authorization
C.Authentication
D.Access Control
E.Entitlement

A

B.Authorization

Explanation:
An authorization is permission to do something—access a file or network, or perform a certain function like an API call on a particular resource. An access control allows or denies the expression of that authorization, so it includes aspects like assuring that the user is authenticated before allowing access. An entitlement maps identities to authorizations and any required attributes (e.g. user x is allowed access to resource y when z attributes have designated values). We commonly refer to a m

7
Q

The Role-Based Access Control (RBAC) model for IAM offers greater flexibility and security than the Attribute-Based Access Control (ABAC) model.

A.INCORRECT
B.CORRECT

A

A.INCORRECT

Explanation:
Cloud platforms tend to have greater support for the Attribute-Based Access Control (ABAC) model for IAM, which offers greater flexibility and security than the Role-Based Access Control (RBAC) model. RBAC is the traditional model for enforcing authorizations and relies on what is often a single attribute (a defined role). ABAC allows more granular and context aware decisions by incorporating multiple attributes, such as role, location, authentication method, and more. • ABAC is the preferred mo

8
Q

Which of the following is a preferred model for cloud-based access management?

A.Attribute based
B.Access based
C.Identity based
D.Role based

A

A.Attribute based

Explanation:
ABAC is the preferred model for cloud-based access management. Cloud platforms tend to have greater support for the Attribute-Based Access Control (ABAC) model for IAM, which offers greater flexibility and security than the Role-Based Access Control (RBAC) model. RBAC is the traditional model for enforcing authorizations and relies on what is often a single attribute (a defined role). ABAC allows more granular and context aware decisions by incorporating multiple attributes, such as role, loca
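The authorization, entitlement and RBAC-versus-ABAC points made in cards 6, 7 and 8, as an added example rather than code from the CSA guidance: the same access request is evaluated once by a role-only policy and once by attribute rules, so the difference in outcome is visible. The roles, attribute names and rule contents are assumptions invented for the illustration.

```python
"""RBAC versus ABAC decision logic on the same access requests.

Added illustration, not code from the CSA guidance. The roles, attribute names
and policy rules below are assumptions invented for this example."""
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class AccessRequest:
    """Everything the policy engine knows about one attempt to act on a resource."""
    user: str
    role: str
    action: str
    resource: str
    location: str = "internet"       # assumed attribute: "corp-network" or "internet"
    auth_method: str = "password"    # assumed attribute: "password" or "mfa"
    device_managed: bool = False     # assumed attribute: managed endpoint or not


# RBAC: the decision depends on a single attribute, the role. Every admin gets
# every admin authorization, whatever the context of the request.
RBAC_POLICY = {
    "admin": {("read", "logs"), ("read", "prod-db"), ("delete", "prod-db")},
    "analyst": {("read", "logs")},
}


def rbac_allow(req: AccessRequest) -> bool:
    """An authorization exists for (action, resource) if the role's set contains it."""
    return (req.action, req.resource) in RBAC_POLICY.get(req.role, set())


# ABAC: each rule is an entitlement, i.e. "identities with these attribute
# values may perform this action on this resource". The destructive operation
# requires MFA, a managed device and the corporate network, not just the role.
ABAC_RULES = [
    {"role": {"admin", "analyst"}, "action": {"read"}, "resource": {"logs"}},
    {"role": {"admin"}, "action": {"read"}, "resource": {"prod-db"},
     "auth_method": {"mfa"}},
    {"role": {"admin"}, "action": {"delete"}, "resource": {"prod-db"},
     "auth_method": {"mfa"}, "location": {"corp-network"}, "device_managed": {True}},
]


def abac_allow(req: AccessRequest) -> bool:
    """Default deny: permit only when some rule is satisfied on every attribute it names."""
    attrs = asdict(req)
    return any(all(attrs[name] in allowed for name, allowed in rule.items())
               for rule in ABAC_RULES)


def decide(req: AccessRequest) -> dict:
    """Evaluate one request under both models so the difference is visible."""
    return {"rbac": rbac_allow(req), "abac": abac_allow(req)}


# Constructed requests: the same admin deleting the production database from
# an unmanaged laptop on the internet with only a password, and from a managed
# device on the corporate network after MFA.
RISKY_DELETE = AccessRequest("alice", "admin", "delete", "prod-db")
SAFE_DELETE = AccessRequest("alice", "admin", "delete", "prod-db",
                            location="corp-network", auth_method="mfa",
                            device_managed=True)

if __name__ == "__main__":
    for label, req in (("risky", RISKY_DELETE), ("safe", SAFE_DELETE)):
        print(label, decide(req))
```

Under RBAC both delete requests succeed because the role is the only input; under ABAC the first is refused, which is the "more granular and context aware" decision the explanation refers to. An access control in front of either function would still have to authenticate the user before these entitlements are consulted.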

9
Q

In addition to providing better server utilization, and data center consolidation, virtualization also reduces the security threats significantly.

A.INCORRECT
B. CORRECT

A

A.INCORRECT

Explanation:
Virtualization brings with it all the security concerns of the operating system running as a guest, together with new security concerns about the hypervisor layer, as well as new virtualization-specific threats, inter-VM (Virtual Machine) attacks and blind spots, performance concerns arising from CPU and memory used for security, and operational complexity from "VM sprawl" as a security inhibitor. New problems like instant-on gaps, data commingling, the difficulty of encrypting virtual machine im

10
Q

Which logical model holds the management plane that is exposed to customers?

A.Infostructure
B.Applistructure
C.Metastructure
D.Infrastructure

A

C.Metastructure

Explanation:
The management plane is part of the metastructure logical model.

11
Q

You are running a web server in an IaaS environment. You get a call from a customer saying the server appears to have been compromised. Which logical model has been impacted?

A.Infostructure
B.Applistructure
C.Metastructure
D.Infrastructure

A

B.Applistructure

Explanation:
The web server is part of the applistructure. The controls surrounding the web server would be implemented at the metastructure level, but the web server itself is at the applistructure level (and data is at the infostructure layer).

12
Q

Which of the following is NOT an essential characteristic of cloud as per NIST?

A.Multitenancy
B.Elasticity
C.Resource pooling
D.On-demand self-service

A

A.Multitenancy

Explanation:
NIST's five essential characteristics are on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service; NIST doesn't call out multitenancy as an essential characteristic. ISO, however, does call out multitenancy as part of the resource-pooling essential characteristic.

13
Q

In which logical model would you implement a virtual firewall?

A.Infostructure
B.Applistructure
C.Metastructure
D.Infrastructure

A

C.Metastructure

Explanation:
All controls in the virtual environment are performed at the metastructure layer. If the question asked about installing a firewall agent, that would occur at the applistructure layer.

14
Q

How is one consumer’s access tightly isolated from other consumers in a public cloud environment?

A.Strong passwords
B.RBAC
C.Policies at the provider side
D.Policies at the customer side

A

C.Policies at the provider side

Explanation:
Tenants are protected by policies at the provider side. Consider, for example, network sniffing. One tenant will never see network traffic destined for another tenant. As a general rule, one tenant should never know that another tenant even exists. Although consumers will also have their own policies in place, the provider must ensure that there is strong isolation of workloads and tenants. This makes C the best answer.

15
Q

Orchestration enables a controller to request resources from a pool of resources. How is this done?

A.Ticketing systems prioritize clients based on support level
B.Through the use of REST APIs
C.Through the use of RPC
D.Via network calls

A

B.Through the use of REST APIs

Explanation:
Orchestration generally uses REST API calls. Although orchestration is, of course, performed across a network, the best answer is REST API calls. This is an example of the tricks that test writers like to pull on candidates.

16
Q

You are instructed to build a server with eight CPUs and 8GB of RAM. Which service model would you use?

A.SaaS
B.PaaS
C.IaaS
D.No cloud provider supports a machine with 8 CPUs

A

C.IaaS

Explanation:
This is a prime example of why you would use IaaS—access to core foundational computing.

17
Q

Your company is using a PaaS provider to host a Python 2.7–based application. One day, the provider sends you an e-mail stating they will no longer support the Python 2.7 platform and all applications must be upgraded to use Python 3.6 within two weeks. What is the first action you should take?

A.Test the application in Python 3.6
B.Tell the provider you can't meet this timeline
C.Providers are restricted by law from doing this
D.Launch a lawsuit against the provider for pain and suffering

A

A.Test the application in Python 3.6

Explanation:
When a platform is deprecated (no longer supported), the provider will generally give you access to a test environment where you can test your application using the new platform. As for the time provided in the question, it’s a bit extreme based on what I’ve experienced, but there is no law stopping a provider from giving you hours to migrate, let alone weeks.

18
Q

Chris is looking to procure a new CRM SaaS solution for his organization’s business unit. What is the first step Chris should take as part of performing a risk assessment of a potential vendor?

A.Determine monthly costs
B.Ask reference clients about their satisfaction with their product
C.Determine the level of sensitivity of data that will be stored in the application
D.Obtain and review supplier documentation

A

D.Obtain and review supplier documentation

Explanation:
The first step in performing a risk assessment is requesting documentation.

19
Q

Pat is looking for an industry standard set of controls that are cloud specific. What can Pat select controls from to create a baseline risk assessment process?

A.ISO 27001
B.NIST RMF
C.COBIT
D.CCM

A

D.CCM

Explanation:
The CCM has a series of controls that are cloud specific. None of the other answers are applicable.

20
Q

Your IaaS vendor assures you that your applications will be PCI compliant if you use their cloud offering. What is wrong with this statement?

A.The vendor has no idea what they are talking about
B.The vendor is lying to you
C.The vendor doesn’t understand the shared responsibility model of cloud
D.All of these are true

A

D.All of these are true

Explanation:
All of the statements are applicable.

21
Q

How often should risk assessments be performed against a cloud service provider?

A.Upon initial assessment prior to on-boarding
B.Upon initial assessment and on an ongoing basis
C.Providers don't allow customers to perform risk assessments
D.There are no risks associated with cloud services

A

B.Upon initial assessment and on an ongoing basis

Explanation:
Risk assessments should be performed prior to and throughout the use of a provider’s offering.

22
Q

Virtualization security in cloud computing is the responsibility of cloud provider.

A.INCORRECT
B.CORRECT

A

A.INCORRECT

Explanation:
Virtualization security in cloud computing follows the shared responsibility model. The cloud provider will always be responsible for securing the physical infrastructure and the virtualization platform itself. Meanwhile, the cloud customer is responsible for properly implementing the available virtualized security controls and understanding the underlying risks, based on what is implemented and managed by the cl

23
Q

Which of the following statements regarding SDN (Software Defined Networking) is not CORRECT?

A.Abstracts the network management plane from physical infrastructure
B.Is defined using software settings and API calls
C.Does not overlay the overlapping addresses
D.Supports orchestration and agility

A

C.Does not overlay the overlapping addresses

Explanation:
SDN abstracts the network management plane from the underlying physical infrastructure, removing many typical networking constraints. For example, you can overlay multiple virtual networks, even ones that completely overlap their address ranges, over the same physical hardware, with all traffic properly segregated and isolated. SDNs are also defined using software settings and API cal

24
Q

Containers provide full security isolation and task segregation.

A.INCORRECT
B.CORRECT

A

A.INCORRECT

Explanation:
Containers don't necessarily provide full security isolation, but they do provide task segregation. Virtual machines, by contrast, typically do provide security isolation. Thus you can put tasks of equivalent security context on the same set of physical or virtual hosts in order to provide greater security segregation.

25
Q

Which of the following refers to a model that allows customers to closely match resource consumption with demand?

A.Measured Service
B.Rapid elasticity
C.Broad network access
D.On-demand self service
E.Resource pooling

A

B.Rapid elasticity

Explanation:
Rapid elasticity allows consumers to expand or contract the resources they use from the pool (provisioning and deprovisioning), often completely automatically. This allows them to more closely match resource consumption with demand (for example, adding virtual servers as demand increases, then shutting them down when demand drops). Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Essential Characteristics Domain 1 // Cloud Computing Concepts and Architectures

26
Q

Which of the following statements regarding cloud platform architecture is CORRECT?

A.Single cloud assets and traditional infrastructure should be combined together to provide more resilient infrastructure
B.Single cloud assets are equally resilient as traditional infrastructure
C.Single cloud assets are typically more resilient than the traditional infrastructure
D.Single cloud assets are typically less resilient than the traditional infrastructure

A

D.Single cloud assets are typically less resilient than the traditional infrastructure

Explanation:
Cloud platforms can be incredibly resilient, but single cloud assets are typically less resilient than in the case of traditional infrastructure. This is due to the inherently greater fragility of virtualized resources running in highly-complex environments. This mostly applies to compute, networking, and storage, since those allow closer to raw access, and cloud providers can leverage additional resiliency techniques for their platforms and applications that run on top of IaaS. Source: Security

27
Q

Infrastructure in the cloud cannot be defined and implemented through templates and automation.

A.INCORRECT
B.CORRECT

A

A.INCORRECT

Explanation:
Infrastructure is more often in scope for application testing due to "infrastructure as code," where the infrastructure itself is defined and implemented through templates and automation. Security testing should be integrated into the deployment process and pipeline. Testing tends to span this and the Secure Deployment phase, but leans towards security unit tests, security functional tests, Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST). Due to the ov

28
Q

CI/CD pipelines can enhance security through support of which of the following?

A.Immutable infrastructure
B.Manual security testing
C.Restricted logging on infrastructure
D.Restricted logging on application

A

A.Immutable infrastructure

Explanation:
CI/CD pipelines can enhance security through support of immutable infrastructure (fewer manual changes to production environments), automating security testing, and extensive logging of application and infrastructure changes when those changes run through the pipeline. When configured properly, logs can track every code, infrastructure, and configuration change and tie them back to whoever submitted the change and whoever approved it; they will also include any testing results. Source: Security

29
Q

You do not trust your SaaS provider and have chosen to encrypt all of your data. Which of the following is CORRECT in this situation?

A.You can continue with the provider, as encrypting all the data will take care of the trust issues
B.You don't have to ensure the security of the device if you have encrypted the data
C.Encrypting everything may lead to a false sense of security
D.You have ensured the security of your data by encrypting it

A

C.Encrypting everything may lead to a false sense of security

Explanation:
Encrypting everything in SaaS because you don't trust the provider at all likely means that you shouldn't be using that provider in the first place. Encrypting everything is also not a cure-all and may lead to a false sense of security, e.g. encrypting data in transit without ensuring the security of the devices themselves. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Introduction Domain 10 // Data Security and Encryption

30
Q

Which of the following regarding customer managed keys is CORRECT?

A.Cloud customer and provider jointly manage the encryption engine and cloud customer manages their own encryption key
B.Cloud customer and provider jointly manage the encryption key and encryption engine
C.Cloud customer manages both the encryption key and the encryption engine
D.Provider manages the encryption key and cloud customer manages the encryption engine
E.Cloud customer manages the encryption key and the provider manages the encryption engine

A

E.Cloud customer manages the encryption key and the provider manages the encryption engine

Explanation:
A customer-managed key allows a cloud customer to manage their own encryption key while the provider manages the encryption engine. For example, using your own key to encrypt SaaS data within the SaaS platform. Many providers encrypt data by default, using keys completely in their control. Some may allow you to substitute your own key, which integrates with their encryption system. Make sure your vendor's practices align with your requirements. Source: Security Guidance for Critical Areas of Foc

31
Q

Which of the following is the most obvious form of provider lock-in?

A.Meta-data Lock-in
B.Infrastructure Lock-In
C.Application Lock-in
D.Data Lock-in

A

C.Application Lock-in

Explanation:
Application lock-in is the most obvious form of lock-in (although it is not specific to cloud services). SaaS providers typically develop a custom application tailored to the needs of their target market. SaaS customers with a large user base can incur very high switching costs when migrating to another SaaS provider, as the end-user experience is impacted (e.g., re-training is necessary). Where the customer has developed programs to interact with the provider's API directly (e.g., for integration

32
Q

“Cloud Provider Acquisition” is which form of risk?

A.Compliance Risk
B.Policy and Organization Risk
C.Technical Risk
D.Legal Risk

A

B.Policy and Organization Risk

Explanation:
Policy and Organization risks cover the following- 1 LOCK-IN 2 LOSS OF GOVERNANCE 3 COMPLIANCE CHALLENGES 4 LOSS OF BUSINESS REPUTATION DUE TO CO-TENANT ACTIVITIES 5 CLOUD SERVICE TERMINATIONS OR FAILURE 6 CLOUD PROVIDER ACQUISITIONS 7 SUPPLY CHAIN FAILURES Source: enisa Topic: Risks

33
Q

Inability to provide sufficient capacity to a customer can lead to which of the following?

A.Data leakage
B.Denial of Service (DOS)
C.Resource exhaustion
D.Abuse of high privileged roles
E.Isolation failure

A

C.Resource exhaustion

Explanation:
RESOURCE EXHAUSTION (UNDER OR OVER PROVISIONING) There is a level of calculated risk in allocating all the resources of a cloud service, because resources are allocated according to statistical projections. Inaccurate modelling of resource usage - common resource allocation algorithms are vulnerable to distortions of fairness - or inadequate resource provisioning and inadequate investments in infrastructure can lead, from the CP perspective, to: · Service unavailability: failure in certain hig

34
Q

Which of the following defines the amount of risk that the leadership and stakeholders of an organization are willing to accept?

A.Risk Target
B.Residual Risk
C.Risk Tolerance
D.Risk Acceptance

A

C.Risk Tolerance

Explanation:
Risk tolerance is the amount of risk that the leadership and stakeholders of an organization are willing to accept. It varies based on asset and you shouldn’t make a blanket risk decision about a particular provider; rather, assessments should align with the value and requirements of the assets involved. Just because a public cloud provider is external and a consumer might be concerned with shared infrastructure for some assets doesn’t mean it isn’t within risk tolerance for all assets. Over tim

36
Q

Installing traditional agents designed for physical servers will not result in the same amount of efficiency and performance on a virtualized server.

A.INCORRECT
B.CORRECT

A

B.CORRECT

Explanation:
"Traditional" agents may impede performance more heavily in cloud. Lightweight agents with lower compute requirements allow better workload distribution and efficient use of resources. Agents not designed for cloud computing may assume underlying compute capacity that isn't aligned with how the cloud deployment is designed. The developers on a given project might assume they are running a fleet of lightweight, single-purpose virtual machines. A security agent not attuned to this environment coul

37
Q

Point-in-time activities like compliance, audit, and assurance should be conducted by cloud providers to avoid creating any gaps, and thus exposures, for their customers.

A.INCORRECT
B.CORRECT

A

A.INCORRECT

Explanation:
Compliance, audit, and assurance should be continuous. They should not be seen as merely point-in-time activities, and many standards and regulations are moving more towards this model. This is especially true in cloud computing, where both the provider and customer tend to be in more constant flux and are rarely ever in a static state. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Recommendations Domain 4: COMPLIANCE AND AUDIT MANAGEMENT

38
Q

Under which of the five essential characteristics can a consumer unilaterally provision computing capabilities, such as server time and network storage, as needed?

A.Measured Service
B.Rapid elasticity
C.Broad network access
D.On-demand Self-service
E.Resource Pooling

A

D.On-demand Self-service

Explanation:
On-demand self-service- A consumer can unilaterally provision computing capabilities such as server time and network storage as needed automatically without requiring human interaction with a service provider. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Essential Characteristics Domain 1: CLOUD COMPUTING CONCEPTS AND ARCHITECTURES

39
Q

Which of the following provides “Storage as a Service” as a sub-offering?

A.SecaaS
B.SaaS
C.PaaS
D.IaaS

A

D.IaaS

Explanation:
Narrowing the scope or specific capabilities and functionality within each of the cloud delivery models, or employing the functional coupling of services and capabilities across them, may yield derivative classifications. For example “Storage as a Service” is a specific sub-offering within the IaaS ‘family’. Source: Security Guidance for Critical Areas of Focus in Cloud Computing Topic: Service Models Domain 1: CLOUD COMPUTING CONCEPTS AND ARCHITECTURES

40
Q

In a multi-tenant environment, if multiple different customers can see and modify each other's assets, what is this called?

A.Information leakage
B.Data breach
C.Breach of trust
D.Isolation failure
E.Segregation failure

A

D.Isolation failure

Explanation:
Clouds are multitenant by nature. Multiple different consumer constituencies share the same pool of resources but are segregated and isolated from each other. Segregation allows the cloud provider to divvy up resources to the different groups, and isolation ensures they can’t see or modify each other’s assets. Multitenancy doesn’t only apply across different organizations; it’s also used to divvy up resources between different units in a single business or organization. Source: Guidance for Crit

41
Q

Which form of encryption should be used when object storage is used as the back-end for an application?

A.Data encryption
B.Proxy encryption
C.Server-side encryption
D.Client-side encryption

A

D.Client-side encryption

Explanation:
Object and file storage Client-side encryption: When object storage is used as the back-end for an application (including mobile applications), encrypt the data using an encryption engine embedded in the application or client. Source: Guidance for Critical Areas of Focus in Cloud Computing

42
Q

Resource pooling practiced by the cloud services may especially complicate which part of the IR process?

A.Forensics
B.Recovery
C.Monitoring
D.Prevention
E.Detection

A

A.Forensics

Explanation:
The resource pooling practiced by cloud services, in addition to the rapid elasticity offered by cloud infrastructures, may dramatically complicate the IR process, especially the forensic activities carried out as part of the incident analysis. Forensics has to be carried out in a highly dynamic environment, which challenges basic forensic necessities [4] such as establishing the scope of an incident, the collection and attribution of data, preserving the semantic integrity of that data, and mai

43
Q

Customers should view cloud services and security as –

A.Enterprise security strategy
B.Supply chain security issue
C.Technology security issue 
D.Third-party security issue
E.Service provider security issue

A

B.Supply chain security issue

Explanation:
Customers should view cloud services and security as supply chain security issues. This means examining and assessing the provider’s supply chain (service provider relationships and dependencies) to the extent possible. This also means examining the provider’s own third party management. Assessment of third party service providers should specifically target the provider’s incident management, business continuity and disaster recovery policies, and processes and procedures; and should include rev

44
Q

Enisa: The risks identified can be classified into which of the following three categories?

A.Technical, Legal, Policy and Organizational
B.Technical, Operational, Policy and Organizational
C.Technical, Operational, Legal
D.Technical, Commercial, Legal
E.Technical, Commercial, Operational

A

A.Technical, Legal, Policy and Organizational

Explanation:
The risks identified in the assessment are classified into three categories: · Policy and organizational · Technical · Legal Source: enisa Topic: Risks

45
Q

Enisa: Lock-in is under which category of risk?

A.Operational
B.Policy and Organizational
C.Legal
D.Technical

A

B.Policy and Organizational

Explanation:
Policy and Organization risks cover the following- 1 LOCK-IN 2 LOSS OF GOVERNANCE 3 COMPLIANCE CHALLENGES 4 LOSS OF BUSINESS REPUTATION DUE TO CO-TENANT ACTIVITIES 5 CLOUD SERVICE TERMINATIONS OR FAILURE 6 CLOUD PROVIDER ACQUISITIONS 7 SUPPLY CHAIN FAILURES Source: enisa Topic: Risks

46
Q

Enisa: Which of the following statements is CORRECT regarding the risk of natural disasters in the cloud?

A.There is no risk of natural disasters in the cloud, as providers offer multiple redundant sites and network paths
B.The risk of natural disasters in the cloud is the same as in traditional infrastructure
C.The risk of natural disasters in the cloud is lower than in traditional infrastructure
D.The risk of natural disasters in the cloud is higher than in traditional infrastructure

A

C.The risk of natural disasters in the cloud is lower than in traditional infrastructure

Explanation:
Generally speaking, the risk from natural disasters is lower compared to traditional infrastructures because cloud providers offer multiple redundant sites and network paths by default. Source: enisa Topic: Natural Disasters

47
Q

Enisa: Password-based authentication should be sufficient for accessing cloud resources.

A.INCORRECT
B.CORRECT

A

A.INCORRECT

Explanation:
The cloud makes password-based authentication attacks (the trend of fraudsters using a Trojan to steal corporate passwords) much more impactful, since corporate applications are now exposed on the Internet. Therefore password-based authentication becomes insufficient, and stronger or two-factor authentication will be necessary for accessing cloud resources. Source: enisa Topic: AAA Vulnerabilities
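What a second factor adds in practice, as an added example rather than enisa's material: a login check that requires both a password and a TOTP code, using only the Python standard library. The user store, password and salt handling are constructed for the illustration, and the TOTP secret is the 20-byte test key from RFC 4226 / RFC 6238, so the generated codes can be checked against the published test vectors (counter 0 gives 755224, counter 1 gives 287082).

```python
"""Password plus TOTP second factor for a cloud login (added example).

Illustration written for this page, not enisa's material. The user record,
password and salt are constructed; the TOTP secret is the 20-byte test key
from RFC 4226 / RFC 6238 so the codes match the published test vectors."""
import hashlib
import hmac
import os
import struct
import time

DIGITS = 6
TIME_STEP = 30  # seconds per TOTP counter value (RFC 6238 default)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(key: bytes, at: int, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(key, at // step)


def totp_verify(key: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side (clock skew).

    The comparison is constant-time so timing does not leak how many digits matched."""
    counter = at // TIME_STEP
    return any(hmac.compare_digest(hotp(key, counter + d), code)
               for d in range(-window, window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is a modest example value, not a recommendation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store (assumption). A real deployment keeps the TOTP secret
# in the identity provider's enrolment record, not beside the password hash.
_SALT = os.urandom(16)
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 4226 / RFC 6238 test key
    }
}


def authenticate(username: str, password: str, code: str, at=None) -> bool:
    """Both factors must pass; a stolen password alone is not enough."""
    user = USERS.get(username)
    if user is None:
        return False
    at = int(time.time()) if at is None else at
    password_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    code_ok = totp_verify(user["totp_secret"], code, at)
    return password_ok and code_ok


if __name__ == "__main__":
    now = int(time.time())
    current = totp(USERS["alice"]["totp_secret"], now)
    print("password only :", authenticate("alice", "correct horse battery staple", "000000", now))
    print("password + otp:", authenticate("alice", "correct horse battery staple", current, now))
```

The `window` of one step on either side is the usual concession to device clock drift; widening it trades more replay opportunity for fewer false rejections, and the constant-time comparison matters because a code is checked against several candidates per login.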

48
Q

Enisa: Why are Hardware Security Modules (HSMs) difficult to distribute across the multiple locations used in cloud architectures?

A.HSM module contains one or more secure cryptoprocessor chips to prevent tampering
B.Many HSM systems have means to securely backup keys they handle outside of the HSM
C.HSMs are typically clustered for high availability and performance
D.HSMs are by necessity strongly physically protected from theft, eavesdrop, and tampering

A

D.HSMs are by necessity strongly physically protected from theft, eavesdropping and tampering

Explanation:
HSMs are by necessity strongly physically protected (from theft, eavesdropping and tampering). This makes it very difficult for them to be distributed across the multiple locations used in cloud architectures (i.e., geographically distributed and highly replicated). Source: enisa Topic: Poor Key Management Procedures

49
Q

Enisa: The lack of use of standard technologies and solutions by the cloud provider may lead to:

A.Data leakage
B.Lock-in
C.Loss of governance
D.Resource exhaustion
E.Isolation failure
A

B.Lock-in

Explanation:
A lack of standards means that data may be 'locked in' to a provider. This is a big risk should the provider cease operation. It may also inhibit the use of managed security services and external security technologies such as federated identity management (FIM). Source: enisa Topic: Lack of Standard Technologies and Solutions

50
Q

Enisa: Which of the following is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data?

A.Selector
B.Processor
C.Controller
D.Keeper 
E.Subject
A

C.Controller

Explanation:
Controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law. Source: enisa Topic: Data protection

51
Q

Enisa: Whose responsibility is it to choose a data processor that provides sufficient guarantees with respect to the technical security measures and organisational measures governing the processing to be carried out, and ensuring compliance with those measures?

A.Controller
B.Processor
C.Coordinator
D.Keeper
E.Subject
A

A.Controller

Explanation:
One of the main duties and obligations of the Controller set forth in the Data Protection Directive is choosing a Processor that provides sufficient guarantees with respect to the technical security measures and organisational measures governing the processing to be carried out, and ensuring compliance with those measures. Source: enisa Topic: Data protection

52
Q

Which of the following is a responsibility of a cloud user?

A.Securing virtualization infrastructure
B.Image asset management
C.Isolation
D.Physical Security
E.Hypervisor security
A

B.Image asset management

Explanation:
Image asset management is listed among the cloud user's responsibilities in the CSA Guidance; securing the virtualization infrastructure, isolation, physical security and hypervisor security are provider responsibilities. Cloud User Responsibilities: The cloud user should take advantage of the security controls for managing their virtual infrastructure, which vary by cloud platform and often include: • Security settings, such as identity management, for the virtual resources. This is not the identity management within the resource, such as the operating system login credentials, but the identity management of who is allowed to access the cloud management of the resource— for example, stopping or chang

53
Q

Exiting an activity that gives rise to risk is called?

A.Accepting the risk
B.Reducing the risk
C.Transferring the risk
D.Avoiding the risk
E.Ignoring the risk
A

D.Avoiding the risk

Explanation:
Enterprise risk management in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. In a cloud environment, management selects a risk response strategy for specific risks identified and analyzed, which may include:
· Avoidance—exiting the activities giving rise to risk
· Reduction—taking action to reduce the likelihood or impact related to the risk
· Share or insure—transferring or sharing a porti

54
Q

Which of the following best describes data protection when data moves to the cloud?

A.Ensure that a secure transfer channel is used and Data should remain protected both at rest and in use
B.Data should remain protected both at rest and in use
C.Encrypting the data when it leaves the cloud should be sufficient
D.Encrypt the data only when it is stored in the cloud
E.Ensure that a secure transfer channel is used

A

A.Ensure that a secure transfer channel is used and Data should remain protected both at rest and in use

Explanation:
Protecting data through encryption as it moves to the cloud requires more than just ensuring that a secure transfer channel (i.e. TLS) is used. Encrypting the transfer of data to the cloud does not ensure the data is protected in the cloud. Once data arrives in the cloud, it should remain protected both at rest and in use. Source: Security Guidance for Critical Areas of Focus in Cloud Computing Topic: Introduction Domain 11 // DATA SECURITY AND ENCRYPTION
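As an added illustration of this point (example code written for this page, not code from the CSA guidance): the client performs envelope encryption before upload, so the object stays protected at rest regardless of what the transport channel did. The AES-256-GCM primitives are from the Go standard library; the function names, the use of the object name as associated data, and the sample record are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedObject is what actually gets uploaded to the cloud store. The
// provider sees only ciphertext, a wrapped data key and two nonces; the
// key-encryption key (KEK) never leaves the customer side.
type EncryptedObject struct {
	WrappedDEK []byte // per-object data key, encrypted under the KEK
	KeyNonce   []byte // nonce used when wrapping the DEK
	DataNonce  []byte // nonce used when encrypting the payload
	Ciphertext []byte // AES-256-GCM ciphertext plus tag of the payload
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForUpload seals plaintext client-side with a fresh per-object DEK and
// wraps that DEK under the caller's KEK (envelope encryption). The object name
// is bound as associated data, so whoever controls the bucket cannot silently
// move a ciphertext from one object name to another.
func EncryptForUpload(kek []byte, objectName string, plaintext []byte) (*EncryptedObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	dataNonce := make([]byte, dataAEAD.NonceSize())
	if _, err := rand.Read(dataNonce); err != nil {
		return nil, err
	}
	ct := dataAEAD.Seal(nil, dataNonce, plaintext, []byte(objectName))

	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	keyNonce := make([]byte, kekAEAD.NonceSize())
	if _, err := rand.Read(keyNonce); err != nil {
		return nil, err
	}
	wrapped := kekAEAD.Seal(nil, keyNonce, dek, []byte(objectName))

	return &EncryptedObject{WrappedDEK: wrapped, KeyNonce: keyNonce, DataNonce: dataNonce, Ciphertext: ct}, nil
}

// DecryptAfterDownload reverses EncryptForUpload. Any modification of the
// stored object (ciphertext, wrapped key or the object-name binding) makes the
// GCM authentication check fail, so tampering at rest is detected rather than
// silently producing garbage.
func DecryptAfterDownload(kek []byte, objectName string, obj *EncryptedObject) ([]byte, error) {
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dek, err := kekAEAD.Open(nil, obj.KeyNonce, obj.WrappedDEK, []byte(objectName))
	if err != nil {
		return nil, errors.New("wrapped data key failed authentication")
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := dataAEAD.Open(nil, obj.DataNonce, obj.Ciphertext, []byte(objectName))
	if err != nil {
		return nil, errors.New("object ciphertext failed authentication")
	}
	return pt, nil
}

func main() {
	kek := make([]byte, 32) // in practice held in a customer-controlled KMS or HSM
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte("patient=4711;diagnosis=example") // constructed sample payload
	obj, err := EncryptForUpload(kek, "records/4711.json", record)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptAfterDownload(kek, "records/4711.json", obj)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", bytes.Equal(pt, record))
	obj.Ciphertext[0] ^= 0x01 // one byte flipped in storage
	_, err = DecryptAfterDownload(kek, "records/4711.json", obj)
	fmt.Println("tampered object rejected:", err != nil)
}
```

Only the KEK has to be protected by the customer; the provider holds ciphertext, a wrapped DEK and nonces. Note that this covers the "at rest" half of the card: protection "in use", while the data is being processed, is outside what this example does and still needs separate controls.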

55
Q

Which of the following gives customers the ability to audit the cloud provider?

A.ISO27001
B.Customer cannot gain the rights to audit
C.Right to transparency clause
D.Right to audit clause
E.State Laws
A

D.Right to audit clause

Explanation:
A right to audit clause gives customers the ability to audit the cloud provider, which supports traceability and transparency in the frequently evolving environments of cloud computing and regulation. Use a normative specification in the right to audit to ensure mutual understanding of expectations. In time, this right should be supplanted by third-party certifications (e.g., driven by ISO/IEC 27001/27017). Source: Security Guidance for Critical Areas of Focus in Cloud Computing Topic: Requireme

56
Q

Which of the following clauses in the agreement between customer and cloud provider can provide customers in highly regulated industries with the required information?

A.Customer cannot gain the access to required information
B.Right to access clause
C.Right to transparency
D.Right to audit clause
E.Right to information clause
A

C.Right to transparency

Explanation:
A right to transparency clause with specified access rights can provide customers in highly regulated industries (including those in which non-compliance can be grounds for criminal prosecution) with required information. The agreement should distinguish between automated/direct access to information (e.g., logs, reports) and ‘pushed’ information (e.g., system architectures, audit reports). Source: Security Guidance for Critical Areas of Focus in Cloud Computing Topic: Requirements Domain 4 // C

57
Q

Which service model has the provider assuming the most responsibility?

A.SaaS
B.PaaS
C.IaaS
D.They are all the same as far as responsibility shifts are concerned.

A

A.SaaS

Explanation:
The SaaS service model has the provider assuming responsibility for most (not all) controls.

58
Q

Which service model is most congruent with existing governance and risk management processes?

A.SaaS
B.PaaS
C.IaaS
D.Internally managed private cloud

A

C.IaaS

Explanation:
IaaS is the service model most congruent with traditional governance and risk management. The private cloud is a deployment model, not a service model. Note: Watch out for trick answers like this on any technical exam!

59
Q

Which of the following SOC reports should be sought from a vendor when assessing its security controls?

A.SOC 1, Type 1
B.SOC 1, Type 2
C.SOC 2, Type 1
D.SOC 3

A

C.SOC 2, Type 1

Explanation:
The best answer listed is SOC 2, Type 1. SOC 1 deals with controls over financial reporting. A SOC 3 report doesn’t contain the tests performed or their results. A SOC 2, Type 2 report is the best to use when reviewing a provider from a security perspective, because it covers the operating effectiveness of the controls over a period rather than only their design at a point in time; since it’s not listed as a potential answer, SOC 2, Type 1 is the best possible answer.

60
Q

What is a natural property of multitenancy?

A.Inflexible contracts
B.Being hacked by co-tenants
C.Economies of scale
D.Shared responsibility

A

A.Inflexible contracts

Explanation:
Inflexible contracts are a natural characteristic of multitenancy because the provider cannot afford or manage a million-plus custom contracts.