CCSK: Certificate of Cloud Security Knowledge 2 of 6 Practice Flashcards

1
Q

For which of the following SecaaS concerns should providers be held to the highest standards of multitenant isolation and segregation?

A.Lack of sufficient visibility
B.Fear of data leakage
C.Global Regulatory Differences
D.Requirements to handle regulated data

A

B.Fear of data leakage

Explanation:
Data leakage: As with any cloud computing service or product, there is always the concern of data from one cloud user leaking to another. This risk isn’t unique to SecaaS, but the highly sensitive nature of security data (and other regulated data potentially exposed in security scanning or incidents) does mean that SecaaS providers should be held to the highest standards of multitenant isolation and segregation. Security-related data is also likely to be involved in litigation, law enforcement i

2
Q

Cloud-based Web Application Firewalls (WAFs) also include anti-DDoS capabilities.

A.CORRECT
B.INCORRECT

A

A.CORRECT

Explanation:
In a cloud-based WAF, customers redirect traffic (using DNS) to a service that analyzes and filters traffic before passing it through to the destination web application. Many cloud WAFs also include anti-DDoS capabilities. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Web Application Firewalls Domain 13 // SECURITY AS A SERVICE

3
Q

Which of the following encryption methods is utilized when object storage is used as the back-end for an application?

A.Object encryption
B.Asymmetric encryption
C.Database encryption
D.Symmetric encryption
E.Client/Application Encryption
A

E.Client/Application Encryption

Explanation:
Object storage encryption protects from many of the same risks as volume storage. Since object storage is more often exposed to public networks, it also allows the user to implement Virtual Private Storage. Like a VPN, a VPS allows use of a public shared infrastructure while still protecting data, since only those with the encryption keys can read the data even if it is otherwise exposed. · File/Folder encryption and Enterprise Digital Rights Management. Use standard file/folder encryption too

4
Q

Which technique is used in the cloud to coordinate carving out and delivering a set of resources from the pools to the consumers?

A.Multi-tenanting
B.Virtualization
C.Orchestration
D.Abstraction

A

C.Orchestration

Explanation:
The key techniques to create a cloud are abstraction and orchestration. We abstract the resources from the underlying physical infrastructure to create our pools, and use orchestration (and automation) to coordinate carving out and delivering a set of resources from the pools to the consumers. As you will see, these two techniques create all the essential characteristics we use to define something as a “cloud.” Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Domain

5
Q

Which of the following frameworks is used in the industry to describe a series of security activities during all phases of application development, deployment, and operations?

A.SOC 2
B.ITIL
C.ISO27001
D.OWASP
E.FIPS
A

D.OWASP

Explanation:
The SSDLC describes a series of security activities during all phases of application development, deployment, and operations. There are multiple frameworks used in the industry, including: • Microsoft’s Security Development Lifecycle • NIST 800-64 • ISO/IEC 27034 • Other organizations, including Open Web Application Security Project (OWASP) and a variety of application security vendors, also publish their own lifecycle and security activities guidance Source: Security Guidance for Critical Areas

6
Q

Which of the following encrypts and prevents the unauthorized copying or changing of the content?

A.Public Key Cryptography
B.Digital Certificates
C.Digital Rights Management (DRM)
D.Data Encryption
E.Data Hashing
A

C.Digital Rights Management (DRM)

Explanation:
At its core, Digital Rights Management encrypts content, and then applies a series of rights. Rights can be as simple as preventing copying, or as complex as specifying group or user-based restrictions on activities like cutting and pasting, emailing, changing the content, etc. Any application or system that works with DRM protected data must be able to interpret and implement the rights, which typically also means integrating with the key management system. Source: Security Guidance for Critica

7
Q

A private cloud operated solely for a single organization can be located:

A.Trusted Third Party
B.Both On-premise and Off-premise
C.Only Off-premise
D.Only On-premise

A

B.Both On-premise and Off-premise

Explanation:
The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or by a third party and may be located on-premises or off-premises. Source: Security Guidance for Critical Areas of Focus in Cloud Computing Topic: Deployment Models Domain 1 // CLOUD COMPUTING CONCEPTS AND ARCHITECTURES

8
Q

Which of the following ensures that the consumers only use what they are allotted, and are charged for it?

A.Metered Service
B.Measured Service
C.On-demand Service
D.Broad Network Access
E.Rapid Elasticity
A

B.Measured Service

Explanation:
Measured service meters what is provided, to ensure that consumers only use what they are allotted, and, if necessary, to charge them for it. This is where the term utility computing comes from, since computing resources can now be consumed like water and electricity, with the client only paying for what they use. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Essential Characteristics Domain 1 // CLOUD COMPUTING CONCEPTS AND ARCHITECTURE

9
Q

Which of the following includes all the documentation on a provider’s internal and external compliance assessments?

A.Cloud Security Alliance STAR Registry 
B.Audit Report
C.Compliance Reporting
D.Supplier (cloud provider) assessment
E.Contract
A

C.Compliance Reporting

Explanation:
Compliance reporting: Compliance reporting includes all the documentation on a provider’s internal (i.e. self) and external compliance assessments. They are the reports from audits of controls, which an organization can perform themselves, a customer can perform on a provider (although this usually isn’t an option in cloud), or have performed by a trusted third party. Third-party audits and assessments are preferred since they provide independent validation (assuming you trust the third party).

10
Q

Under the GDPR, within what time must a company report a data breach?

A.There is no restriction on the reporting of data breach
B.Within 72 hours of the company becoming aware of the breach
C.Within 24 hours of the company becoming aware of the breach
D.You can report the breach any time after the breach is identified
E.As soon as the breach is identified

A

B.Within 72 hours of the company becoming aware of the breach

Explanation:
Breaches of Security: The GDPR requires companies to report that they have suffered a breach of security. The reporting requirements are risk-based, and there are different requirements for reporting the breach to the Supervisory Authority and to the affected data subjects. Breaches must be reported to the Supervisory Authority within 72 hours of the company becoming aware of the incident. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: General Data Protection Regulation (GDPR) Domain 3

11
Q

Which document type is stored in the STAR registry for Level 1 entries?

A.CCM
B.CAIQ
C.Vendor Statements of Compliance
D.Government-issued authority to operate letter

A

B.CAIQ

Explanation
Providers will upload copies of filled-out CAIQ responses. Although ISO and/or SOC can be used as part of a Level 2 STAR entry, Level 1 entries use the CAIQ, not the CCM.

12
Q

What must be first understood when considering governance of a private cloud?

A.Who owns and manages the private cloud
B.The automation and orchestration software used
C.The credentials of the people managing the private cloud
D.Contract clauses in place with the private cloud vendor

A

A.Who owns and manages the private cloud

Explanation:
The first item that must be understood when you’re dealing with a private cloud is who owns and manages the cloud infrastructure. If the infrastructure is internally owned and managed, little changes. If it’s outsourced, governance changes to reflect the fact that the supplier is in control.

13
Q

What does “authentication” mean in a trial?

A.Evidence is considered genuine
B.This is the stage at which a judge is assigned and known to both parties
C.A witness is approved as an expert and their testimony will be considered
D.Both parties involved in a lawsuit are declared

A

A.Evidence is considered genuine

Explanation:
“Authentication” means that the data evidence is considered genuine and is therefore admissible in a court of law.

14
Q

Which organization deals with privacy rights at a federal level in the United States?

A.Federal Communications Commission (FCC)
B.Federal Trade Commission (FTC)
C.Federal Office of the Attorney General
D.Homeland Security

A

B.Federal Trade Commission (FTC)

Explanation
The FTC is the federal organization responsible for consumer protection and privacy rights. The state attorney general performs the same activity at the state level.

15
Q

If a cloud service provider receives a request to provide client information in the form of a subpoena or a court order, how can the client retain the ability to fight the request?

A.The cloud service provider can work with the third party and negotiate the terms of data disclosure without informing the client
B.The cloud service provider can ignore the request and let the client handle the court order
C.There is no option; cloud service provider will have to provide the requested data to the third party
D.The cloud service agreement can have a clause to notify the customer and give time to fight the request for access

A

D.The cloud service agreement can have a clause to notify the customer and give time to fight the request for access

Explanation
Should a cloud service provider receive a request from a third party to provide information (this may be in the form of a subpoena, a warrant, or a court order demanding access to the client data), the client may want to have the ability to fight the request for access in order to protect the confidentiality of their data. To this end, the cloud service agreement should require the cloud service provider to notify the customer that a subpoena was received and give the company time to

16
Q

Which of the following comes immediately after the data creation in the data security lifecycle?

A.Provide
B.Use
C.Share
D.Store
E.Save
A

D.Store

Explanation
The lifecycle includes six phases from creation to destruction. Although it is shown as a linear progression, once created, data can bounce between phases without restriction, and may not pass through all stages (for example, not all data is eventually destroyed). Create: Creation is the generation of new digital content, or the alteration/updating/modifying of existing content. Store: Storing is the act of committing the digital data to some sort of storage repository and typically occurs nearly

17
Q

Which of the following statements related to a direct “lift and shift” of an existing application to a cloud environment is CORRECT?

A.Direct “lift and shift” of existing applications to the cloud without architectural change is not possible
B.Direct “lift and shift” of existing applications to the cloud with or without architectural changes will take the same advantage of potential improvements from leveraging platforms
C.Direct “lift and shift” of existing applications to the cloud without architectural changes is less likely to account for failures and will not take advantage of potential improvements from leveraging platforms
D.Direct “lift and shift” of existing applications to the cloud without architectural changes is more likely to account for failures and will take advantage of potential improvements from leveraging platforms

A

C.Direct “lift and shift” of existing applications to the cloud without architectural changes is less likely to account for failures and will not take advantage of potential improvements from leveraging platforms

Explanation
It is typically best to re-architect deployments when you migrate them to the cloud. Resiliency itself, and the fundamental mechanisms for ensuring resiliency, change. Direct “lift and shift” migrations are less likely to account for failures and will not take advantage of potential improvements from leveraging platform- or service-specific capabilities. Instead of lifting and shifting existing information architectures, take the opportunity of the migration to the cloud to re-think and re-struc

18
Q

Which of the following are the most commonly seen networks that are isolated onto dedicated hardware since there is no functional or traffic overlap?

A.Server, network, storage
B.Server, Application, Storage
C.Management, server, application
D.Management, service, storage

A

D.Management, service, storage

Explanation
If you are a cloud provider (including managing a private cloud), physical segregation of networks composing your cloud is important for both operational and security reasons. We most commonly see at least three different networks which are isolated onto dedicated hardware since there is no functional or traffic overlap: • The service network for communications between virtual machines and the Internet. This builds the network resource pool for the cloud users. • The storage network to connect v

19
Q

CSA’s Software Defined Perimeter includes:

A.SDP client, SDP Controller, SDP Gateway
B.SDP Client, SDP Handler, SDP Gateway
C.SDP Node, SDP Handler, SDP Gateway
D.SDP Node, SDP Controller, SDP Gateway

A

A.SDP client, SDP Controller, SDP Gateway

Explanation
The CSA Software Defined Perimeter Working Group has developed a model and specification that combines device and user authentication to dynamically provision network access to resources and enhance security. SDP includes three components: • An SDP client on the connecting asset (e.g. a laptop). • The SDP controller for authenticating and authorizing SDP clients and configuring the connections to SDP gateways. • The SDP gateway for terminating SDP client network traffic and enforcing policies in

20
Q

The most fundamental security control for any multitenant network is:

A.Secure image creation process
B.Logging and monitoring controls
C.Segregation and isolation of network traffic
D.Hypervisor security

A

C.Segregation and isolation of network traffic

Explanation
The cloud provider is primarily responsible for building a secure network infrastructure and configuring it properly. The absolute top security priority is segregation and isolation of network traffic to prevent tenants from viewing another’s traffic. This is the most foundational security control for any multitenant network. Source: Security Guidance for Critical Areas of Focus in Cloud Computing Topic: Cloud Provider Responsibilities Domain 8 // VIRTUALIZATION AND CONTAINERS

21
Q

Which of the following are the most important aspects of incident response for cloud-based resources?

A.Expectations around what the customer does versus what the provider does and Service Level Agreements
B.Service Level Agreements and Non Disclosure Agreement
C.Non Disclosure Agreement
D. Service Level Agreements
E.Expectations around what the customer does versus what the provider does

A

A.Expectations around what the customer does versus what the provider does and Service Level Agreements

Explanation
SLAs and setting expectations around what the customer does versus what the provider does are the most important aspects of incident response for cloud-based resources. Clear communication of roles/responsibilities and practicing the response and hand-offs are critical. Source: Security Guidance for Critical Areas of Focus in Cloud Computing Topic: Recommendations Domain 9 // INCIDENT RESPONSE

22
Q

Which of the following is the key difference between cloud and traditional computing?

A.Applistructure
B.Infostructure
C.Metastructure
D.Infrastructure

A

C.Metastructure

Explanation
The key difference between cloud and traditional computing is the metastructure. Cloud metastructure includes the management plane components, which are network-enabled and remotely accessible. At a high level, both cloud and traditional computing adhere to a logical model that helps identify different layers based on functionality. This is useful to illustrate the differences between the different computing models

23
Q

The data security lifecycle includes six phases from creation to destruction. Which of the following lists these stages in the correct order?

A.Create, Process, Store, Archive, Share, Destroy
B.Create, Process, Store, Share, Archive, Destroy
C.Create, Use, Store, Archive, Share, Destroy
D.Create, Store, Use, Share, Archive, Destroy
E.Create, Use, Store, Share, Archive, Destroy

A

D.Create, Store, Use, Share, Archive, Destroy

Explanation
The lifecycle includes six phases from creation to destruction. Although it is shown as a linear progression, once created, data can bounce between phases without restriction, and may not pass through all stages (for example, not all data is eventually destroyed). Create: Creation is the generation of new digital content, or the alteration/updating/modifying of existing content. Store: Storing is the act of committing the digital data to some sort of storage repository and typically occurs nearl

24
Q

What are the three main aspects of business continuity and disaster recovery in the cloud?

A.Ensuring continuity and recovery within a given cloud provider, Preparing for and managing cloud provider services, Considering options for availability, in case you need to migrate providers or platforms
B.Ensuring continuity and recovery within a given cloud provider, Preparing and managing cloud provider services, Considering options for portability, in case you need to migrate providers or platforms
C.Ensuring continuity and recovery within a given cloud provider, Preparing for and managing cloud provider services, Considering options for scalability, in case you need to expand your services
D.Ensuring continuity and recovery within a given cloud provider, Preparing for and managing cloud provider outages, Considering options for portability, in case you need to migrate providers or platforms

A

D.Ensuring continuity and recovery within a given cloud provider, Preparing for and managing cloud provider outages, Considering options for portability, in case you need to migrate providers or platforms

Explanation
Business Continuity and Disaster Recovery (BC/DR) is just as important in cloud computing as it is for any other technology. Aside from the differences resulting from the potential involvement of a third-party provider (something we often deal with in BC/DR), there are additional considerations due to the inherent differences when using shared resources. The three main aspects of BC/DR in the cloud are: • Ensuring continuity and recovery within a given cloud provider.

25
Q

Which of the following is NOT a security benefit of immutable workloads?

A. It is easier to disable services and whitelist applications
B. It is much faster to roll out updated versions
C.You can enable remote logins to running workloads
D.You no longer patch running systems or worry about dependencies
E.Security testing can be managed during image creation

A

C.You can enable remote logins to running workloads

Explanation
You can, and should, disable remote logins to running workloads (if logins are even an option). This is an operational requirement to prevent changes that aren’t consistent across the stack, which also has significant security benefits. Auto-scaling and containers, by nature, work best when you run instances launched dynamically based on an image; those instances can be shut down when no longer needed for capacity without breaking an application stack. This is core to the elasticity of compute i

26
Q

Which of the following is NOT a primary security responsibility of the cloud user in a virtualized environment?

A.Isolation
B.Use of dedicated hosting
C.Identity management to the virtual resources
D.Image asset management

A

A.Isolation

Explanation
Isolation is the primary security responsibility of the cloud provider in compute virtualization. Cloud user responsibilities: The cloud user should take advantage of the security controls for managing their virtual infrastructure, which will vary based on the cloud platform and often include: • Security settings, such as identity management, to the virtual resources. This is not the identity management within the resource, such as the operating system login credentials, but the identity manage

27
Q

Which common component of big data is focused on the mechanisms used to ingest large volumes of data, often of a streaming nature?

A.Distributed data information
B.Distributed storage 
C.Distributed processing
D.Distributed Attribution
E.Distributed data collection
A

E.Distributed data collection

Explanation
Distributed data collection is the mechanism used to ingest large volumes of data, often of a streaming nature. There are three common components of big data, regardless of the specific toolset used: • Distributed data collection: Mechanisms to ingest large volumes of data, often of a streaming nature. This could be as “lightweight” as web-click streaming analytics and as complex as highly distributed scientific imaging or sensor data. Not all big data relies on distributed or streaming data col

28
Q

What are the three main components of an encrypted system?

A.Data, encryption engine and key management
B.Data, encryption and decryption algorithm
C.User, data and encryption
D.User, encryption and key management
E.User, data and encryption engine

A

A.Data, encryption engine and key management

Explanation
There are three components of an encryption system: data, the encryption engine, and key management. The data is, of course, the information that you’re encrypting. The engine is what performs the mathematical process of encryption. Finally, the key manager handles the keys for the encryption. The overall design of the system focuses on where to put each of these components. Source: Security Guid
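The following is an added example (written for this deck, not taken from the CSA guidance) that puts the three components in separate pieces of code, in the arrangement card 3 above calls client/application encryption: the data is encrypted inside the application before it is uploaded to object storage, the encryption engine is AES-256-GCM, and key management is a separate component that wraps per-object data keys under a key-encryption key it never releases. The in-memory KeyManager is a hypothetical stand-in for a KMS/HSM, and the object name and body are constructed sample input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes panics if the CSPRNG fails; there is no safe fallback.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// KeyManager stands in for the key-management component: a hypothetical
// in-memory replacement for a KMS/HSM, constructed for this example. It holds
// the key-encryption key (KEK) and never hands it out; callers get wrapped keys.
type KeyManager struct{ kek []byte }

func NewKeyManager() *KeyManager { return &KeyManager{kek: randomBytes(32)} }

// GenerateDataKey returns a fresh 256-bit data key (for one-time use by the
// encryption engine) plus the same key wrapped under the KEK.
func (k *KeyManager) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = randomBytes(32)
	wrapped, err = sealAEAD(k.kek, plain, []byte("data-key"))
	return plain, wrapped, err
}

// UnwrapDataKey recovers a data key; only the key manager can do this.
func (k *KeyManager) UnwrapDataKey(wrapped []byte) ([]byte, error) {
	return openAEAD(k.kek, wrapped, []byte("data-key"))
}

// newGCM, sealAEAD and openAEAD are the encryption engine: AES-256-GCM with a
// random 96-bit nonce prepended to the ciphertext. The tag also covers the
// additional data (the object name), so a blob served under another name fails.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func sealAEAD(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

func openAEAD(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// PutObject encrypts inside the application before upload (client/application
// encryption): one data key per object, wrapped by the key manager. Storage
// receives only the ciphertext and the wrapped key, never a usable key.
func PutObject(km *KeyManager, name string, plaintext []byte) (ct, wrapped []byte, err error) {
	dataKey, wrapped, err := km.GenerateDataKey()
	if err != nil {
		return nil, nil, err
	}
	ct, err = sealAEAD(dataKey, plaintext, []byte(name))
	return ct, wrapped, err
}

// GetObject unwraps the data key through the key manager, then decrypts.
func GetObject(km *KeyManager, name string, ct, wrapped []byte) ([]byte, error) {
	dataKey, err := km.UnwrapDataKey(wrapped)
	if err != nil {
		return nil, err
	}
	return openAEAD(dataKey, ct, []byte(name))
}

func main() {
	km := NewKeyManager()
	ct, wrapped, _ := PutObject(km, "reports/q3.csv", []byte("constructed sample object body"))
	pt, err := GetObject(km, "reports/q3.csv", ct, wrapped)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	_, err = GetObject(km, "reports/q4.csv", ct, wrapped) // same blob under another name
	fmt.Println("after rename:", err)
}
```

The design point is where each component lives: the provider's object store holds only ciphertext and wrapped keys, the application holds data keys only for the duration of one operation, and the key manager is the only place the KEK exists. Binding the object name into the GCM additional data means a blob that is copied or served under a different key name is rejected rather than silently decrypted.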

29
Q

In a cloud provider and user relationship, the virtual or abstracted infrastructure is managed by which entity?

A.It is managed by third party
B.It is a shared responsibility
C.As per the contract between the cloud provider and cloud user
D.Cloud provider
E.Cloud user
A

E.Cloud user

Explanation
The virtual/abstracted infrastructure is managed by the cloud user. In cloud computing there are two macro layers to infrastructure: The fundamental resources pooled together to create a cloud. This is the raw, physical and logical compute (processors, memory, etc.), networks, and storage used to build the cloud’s resource pools. For example, this includes the security of the networking hardware and software used to create the network resource pool. The virtual/abstracted infrastructure managed by

30
Q

Which of the following statements best describes an identity federation?

A.Role based access provisioning
B. Shared use of single cloud services
C.Identities that share similar access rights
D.Cloud service providers with the same identity store
E.Interconnection of disparate directory services

A

E.Interconnection of disparate directory services

Explanation
Conceptually speaking, federation is the interconnection of disparate directory services. In cloud computing, the fundamental problem is that multiple organizations are now managing the identity and access management to resources, which can greatly complicate the process. For example, imagine having to provision the same user on dozens—or hundreds—of different cloud services. Federation is the primary tool used to manage this

31
Q

Which of the following items is NOT an example of Security as a Service (SecaaS)?

A.Web Services
B.Email
C.Provisioning
D.IDS/IPS
E.Identity
A

C.Provisioning

Explanation
Provisioning is not one of the most common SecaaS categories. There are a large number of products and services that fall under the heading of Security as a Service. While the following is not a canonical list, it describes many of the more common categories seen: · Identity, Entitlement, and Access Management Services · Cloud Access and Security Broker (CASB, also known as Cloud Security Gateways) · Web Security (Web Security Gateways) · Email Security · Security Assessment · Web Application Fire

32
Q

Identity brokers handle federating between identity providers and relying parties

A.CORRECT
B.INCORRECT

A

A.CORRECT

Explanation
Identity brokers handle federating between identity providers and relying parties (which may not always be a cloud service). They can be located on the network edge or even in the cloud in order to enable web-SSO. Identity providers don’t need to be located only on-premises; many cloud providers now support cloud-based directory servers that support federation internally a

33
Q

Which of the following is a valid statement regarding entitlement?

A.Entitlement allows or denies the expression of authorization
B.Entitlement is permission to do something
C.Entitlement is the same thing as access control
D.Entitlement maps identities to authorizations and any required attributes
E.Entitlement is the same thing as authorization

A

D.Entitlement maps identities to authorizations and any required attributes

Explanation
Entitlement maps identities to authorizations and any required attributes. The terms entitlement, authorization, and access control all overlap somewhat and are defined differently depending on the context. An authorization is permission to do something—access a file or network, or perform a certain function like an API call on a particular resource. An access control allows or denies the expression of that authorization, so it includes aspects like assuring that the user is authenticated before
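An added example (written for this deck, not from the CSA guidance) that separates the three overlapping terms in working code: an entitlement matrix maps identities and attribute values (roles, groups) to authorizations plus the attributes a principal must carry, and an access-control function decides whether a principal may express a given authorization, refusing unauthenticated principals before it consults the matrix at all. The action names, attribute names and matrix contents are constructed for illustration, and the attributes are assumed to have been supplied by the cloud user's identity provider through federation, as card 34 below describes.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Principal is the identity as seen after authentication. Attributes (roles,
// groups, MFA status, ...) come from the federation assertion. Names are hypothetical.
type Principal struct {
	ID            string
	Authenticated bool
	Attributes    map[string]string
}

// Authorization is permission to do one thing: an action on a resource, given
// as an exact name or a prefix ending in "/*". Action names are constructed.
type Authorization struct {
	Action, Resource string
}

// Entitlement maps an identity key to authorizations plus the attributes the
// principal must present before those authorizations may be exercised.
type Entitlement struct {
	Authorizations     []Authorization
	RequiredAttributes map[string]string
}

// EntitlementMatrix is keyed by "id:<principal>" or "<attribute>=<value>".
type EntitlementMatrix map[string]Entitlement

func matchResource(pattern, resource string) bool {
	if strings.HasSuffix(pattern, "/*") {
		return strings.HasPrefix(resource, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == resource
}

// unmetAttributes lists required attributes the principal does not carry.
func unmetAttributes(ent Entitlement, p Principal) []string {
	var missing []string
	for k, want := range ent.RequiredAttributes {
		if p.Attributes[k] != want {
			missing = append(missing, k+"="+want)
		}
	}
	sort.Strings(missing)
	return missing
}

// Evaluate is the access control: it allows or denies the expression of an
// authorization and returns a reason for the audit log. Unauthenticated
// principals are refused outright; otherwise every entitlement selected by the
// principal's ID or attributes is checked for a matching authorization whose
// required attributes all hold.
func Evaluate(m EntitlementMatrix, p Principal, action, resource string) (bool, string) {
	if !p.Authenticated {
		return false, "principal not authenticated"
	}
	keys := []string{"id:" + p.ID}
	for k, v := range p.Attributes {
		keys = append(keys, k+"="+v)
	}
	sort.Strings(keys) // deterministic evaluation order and reason text
	denied := ""
	for _, key := range keys {
		for _, a := range m[key].Authorizations {
			if a.Action != action || !matchResource(a.Resource, resource) {
				continue
			}
			if missing := unmetAttributes(m[key], p); len(missing) > 0 {
				denied = fmt.Sprintf("%s grants %s but requires %s", key, action, strings.Join(missing, ","))
				continue // another entitlement may still grant it
			}
			return true, "granted via " + key
		}
	}
	if denied != "" {
		return false, denied
	}
	return false, "no entitlement grants " + action + " on " + resource
}

// SampleMatrix is a constructed entitlement matrix for this example.
func SampleMatrix() EntitlementMatrix {
	return EntitlementMatrix{
		"group=finance": {
			Authorizations:     []Authorization{{"storage:get", "bucket/finance/*"}},
			RequiredAttributes: map[string]string{"mfa": "true"},
		},
		"id:svc-report": {
			Authorizations: []Authorization{{"storage:get", "bucket/finance/monthly.csv"}},
		},
	}
}

func main() {
	m := SampleMatrix()
	alice := Principal{ID: "alice", Authenticated: true, Attributes: map[string]string{"group": "finance", "mfa": "false"}}
	fmt.Println(Evaluate(m, alice, "storage:get", "bucket/finance/q3.csv"))
	alice.Attributes["mfa"] = "true"
	fmt.Println(Evaluate(m, alice, "storage:get", "bucket/finance/q3.csv"))
}
```

The separation matters for review: the matrix (entitlement) can be audited on its own, the decision function (access control) is the only place that enforces authentication and attribute requirements, and the returned reason shows which key granted or withheld the authorization, which is what an incident responder needs from the log.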

34
Q

When using federation, the cloud provider is responsible for mapping attributes, including roles and groups, to the cloud user.

A.CORRECT
B.INCORRECT

A

B.INCORRECT

Explanation
When using federation, the cloud user is responsible for mapping attributes, including roles and groups, to the cloud provider and ensuring that these are properly communicated during authentication. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Entitlement and Access Management Domain 12 // IDENTITY, ENTITLEMENT, AND ACCESS MANAGEMENT

35
Q

In a cloud-based WAF, the traffic is redirected to a service that analyzes and filters traffic before passing it to the web application.

A.CORRECT
B.INCORRECT

A

A.CORRECT

Explanation
In a cloud-based WAF, customers redirect traffic (using DNS) to a service that analyzes and filters traffic before passing it through to the destination web application. Many cloud WAFs also include anti-DDoS capabilities. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Web Application Firewalls Domain 13 // SECURITY AS A SERVICE

36
Q

Which of the following statements best describes the potential advantages of security as a service?

A.The higher costs and reduced flexibility are more than compensated by the ability to pass the security responsibilities on to another firm
B.The standardization of security software makes the outsourcing of security as a service nearly obsolete
C.The advantage may include deployment flexibility, extensive domain knowledge and capabilities to scale of SecaaS providers
D.Many areas of security as a service are ready for adoption with notable exceptions

A

C.The advantage may include deployment flexibility, extensive domain knowledge and capabilities to scale of SecaaS providers

Explanation
Potential benefits of SecaaS are cloud-computing benefits, staffing and expertise, intelligence-sharing, deployment flexibility, insulation of clients, and scaling and cost. • Cloud-computing benefits. The normal potential benefits of cloud computing—such as reduced capital expenses, agility, redundancy, high availability, and resiliency—all apply to SecaaS. As with any other cloud provider the magnitude of these benefits depend on the pricing, execution, and capabilities

37
Q

By nature, most of the DDoS protections are NOT cloud-based and they DO NOT operate by rerouting traffic.

A.CORRECT
B.INCORRECT

A

B.INCORRECT

Explanation
By nature, most DDoS protections are cloud-based. They operate by rerouting traffic through the DDoS service in order to absorb attacks before they can affect the customer’s own infrastructure. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Distributed Denial of Service Protection Domain 13 // SECURITY AS A SERVICE

38
Q

Which of the following is NOT a security concern of serverless computing?

A.Incident response will be more complicated
B.Vulnerability assessment must comply with the provider's terms of service
C.Serverless will result in high levels of access to the cloud provider's management plane
D.The cloud user will not have access to commonly-used monitoring and logging levels
E.Serverless places a much higher security burden on the cloud user

A

E.Serverless places a much higher security burden on the cloud user

Explanation
Serverless places a much higher security burden on the cloud provider. Choosing your provider and understanding security SLAs and capabilities is absolutely critical. Although the cloud provider is responsible for security below the serverless platform level, the cloud user is still responsible for properly configuring and using the products. From a security standpoint, Serverless key issues include: • Serverless places a much higher security burden on the cloud provider. Choosing your provider

39
Q

The incident response plan followed by the cloud user need not change when serverless technology is used.

A.CORRECT
B.INCORRECT

A

B.INCORRECT

Explanation
Cloud users must update incident response processes for serverless deployments. Serverless places a much higher security burden on the cloud provider. Choosing your provider and understanding security SLAs and capabilities is absolutely critical. Incident response may also be complicated and will definitely require changes in process and tooling to manage a serverless-based incident. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Serverless Computing Domain

40
Q

What should every cloud customer set up with its cloud provider that can be utilized in the event of an incident?

A.Communication Officer
B.A data destruction plan
C.Remediation kit
D.Communication Plan
E.Contract
A

D.Communication Plan

Explanation
Cloud customers must set up proper communication paths with the provider that can be utilized in the event of an incident. Existing open standards can facilitate incident communication. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Recommendations Domain 9 // INCIDENT RESPONSE

41
Q

Which of the following facilitates the underlying communications method for components within a cloud, some of which are exposed to the cloud user to manage their resources and configurations?

A.Hypervisor
B.Application Programming Interface
C.Cloud Control Plane
D.Cloud Management Plane
E.Cloud Service Provider
A

B.Application Programming Interface

Explanation
APIs are typically the underlying communications method for components within a cloud, some of which (or an entirely different set) are exposed to the cloud user to manage their resources and configurations. The cloud resources are pooled using abstraction and orchestration. Abstraction, often via virtualization, frees the resources from their physical constraints to enable pooling. Then a set of core connectivity and delivery tools (orchestration) ties these abstracted resources together, creat

42
Q

Which of the following is the primary tool of governance between a cloud provider and a cloud customer which is true for both public and private cloud?

A.Non Disclosure Agreement
B.Contract 
C.Compliance Reports
D.Cloud Provider Assessment
E.Audit
A

B.Contract

Explanation
The primary tool of governance is the contract between a cloud provider and a cloud customer (this is true for public and private cloud). As with any other area, there are specific management tools used for cloud governance. This list focuses more on tools for external providers, but these same tools can often be used internally for private deployments: Contracts: The primary tool of governance is the contract between a cloud provider and a cloud customer (this is true for public and private clo

43
Q

When associating the functions to an actor, which of the following is used to restrict a list of possible actions down to allowed actions?

A.Actions
B.Permissions
C.Locations
D.Functions
E.Controls
A

E.Controls

Explanation
A control restricts a list of possible actions down to allowed actions. Functions can be performed on the data by a given actor (person or system) from a particular location. Functions: There are three things we can do with a given datum: Read: view/read the data, including creating, copying, file transfers, dissemination, and other exchanges of information. Process: perform a transaction on the data; update it; use it in a business processing transaction, etc. Store: hold the data (in a file,
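To make the possible-versus-allowed distinction concrete, here is an added example (not from the CSA guidance or this deck) that models functions, actors, locations and controls in code and derives the allowed actions from them; the actors, locations and control rules are constructed for illustration.

```python
"""Functions, actors, locations and controls from the data security lifecycle.
Added example, not CSA or deck code; the actors, locations and control rules below
are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable


class Fn(Enum):
    """The three things that can be done with a datum."""
    READ = "read"
    PROCESS = "process"
    STORE = "store"


# Constructed actors, each with the attribute the controls reason about, and locations.
ACTORS = {"analyst": "employee", "contractor": "external", "etl-job": "service"}
LOCATIONS = ("corp-network", "home-vpn", "cloud-prod")


def possible(actor: str, location: str) -> set:
    """What the platform can technically do for this actor at this location before any
    control is applied; here every location is capable of everything."""
    return set(Fn)


@dataclass(frozen=True)
class Control:
    name: str
    permits: Callable[[str, str, Fn], bool]  # (actor kind, location, function) -> ok?


CONTROLS = [
    Control("external parties may only read",
            lambda kind, loc, fn: kind != "external" or fn is Fn.READ),
    Control("external parties only from the corporate network",
            lambda kind, loc, fn: kind != "external" or loc == "corp-network"),
    Control("storage only in approved locations",
            lambda kind, loc, fn: fn is not Fn.STORE or loc in ("corp-network", "cloud-prod")),
    Control("service accounts run only in production",
            lambda kind, loc, fn: kind != "service" or loc == "cloud-prod"),
]


def allowed(actor: str, location: str) -> set:
    """Possible actions minus everything that at least one control denies."""
    kind = ACTORS[actor]
    return {fn for fn in possible(actor, location)
            if all(c.permits(kind, location, fn) for c in CONTROLS)}


def denied_by(actor: str, location: str, fn: Fn) -> list:
    """Names of the controls blocking this action; empty means it is allowed."""
    kind = ACTORS[actor]
    return [c.name for c in CONTROLS if not c.permits(kind, location, fn)]


def matrix() -> dict:
    """The full actor x location table an auditor would review."""
    return {(a, loc): allowed(a, loc) for a in ACTORS for loc in LOCATIONS}


if __name__ == "__main__":
    for (actor, loc), fns in sorted(matrix().items()):
        print(f"{actor:10} @ {loc:12}: {sorted(f.value for f in fns)}")
```

Each control is a predicate rather than a hard-coded table so that adding a location or an actor kind does not require rewriting the matrix; `denied_by` gives the explanation an access-review needs when an action is blocked.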

44
Q

Which of the following are the primary security responsibilities of the cloud provider in compute virtualization? (Select 2)

A.Monitoring and Logging
B.Securing the underlying infrastructure
C.Encryption 
D.Identity and Access Management
E.Isolation
A

B.Securing the underlying infrastructure
E.Isolation

Explanation
The primary security responsibilities of the cloud provider in compute virtualization are to enforce isolation and maintain a secure virtualization infrastructure. Cloud Provider Responsibilities The primary security responsibilities of the cloud provider in compute virtualization are to enforce isolation and maintain a secure virtualization infrastructure. • Isolation ensures that compute processes or memory in one virtual machine/container should not be visible to another. It is how we separat

45
Q

Which action is part of the preparation phase of the incident response lifecycle?

A.Configuring and validating alerts
B.Notification and coordination of activities
C.Determining the extent of the potential data loss
D.Designating a person who will communicate the incident containment and recovery status to senior management
E.Evaluating infrastructure by proactive scanning and network monitoring, vulnerability assessments and performing risk assessments

A

E.Evaluating infrastructure by proactive scanning and network monitoring, vulnerability assessments and performing risk assessments

Explanation
Evaluating infrastructure by proactive scanning and network monitoring, vulnerability assessments, and performing risk assessments is part of the preparation phase of the incident response lifecycle. The rest of the options are part of “Detection & Analysis” The Incident Response Lifecycle Preparation: “Establishing an incident response capability so that the organization is ready to respond to incidents.” • Process to handle the incidents. • Handler communications and facilities. • Incident analysis

46
Q

Which of the following is true of data collection forensics in a cloud environment?

A.If the data is hosted by the same provider, it is easy to conduct a thorough analysis
B.Bit by bit imaging of a cloud data source is typically difficult or impossible
C.Forensics is allowed in private or hybrid cloud configurations after putting proper clauses in the contracts
D.Forensics is allowed in private or hybrid cloud configurations after taking approval from the cloud service provider
E.Forensics is not allowed in private or hybrid cloud configurations due to the sensitive nature of the data

A

B.Bit by bit imaging of a cloud data source is typically difficult or impossible

Explanation
Bit-by-bit imaging of a cloud data source is generally difficult or impossible. For obvious security reasons, providers are reluctant to allow access to their hardware, particularly in a multitenant environment where a client could gain access to other clients’ data. Even in a private cloud, forensics may be extremely difficult, and clients may need to notify opposing counsel or the courts of these limitations.

47
Q

Which layer of the logical stack includes code and message queues?

A.Applistructure
B.Infostructure
C.Metastructure
D.Infrastructure

A

A.Applistructure

Explanation
Applistructure: The applications deployed in the cloud and the underlying application services used to build them. For example, Platform as a Service features like message queues, artificial intelligence analysis, or notification services. At a high level, both cloud and traditional computing adhere to a logical model that helps identify different layers based on functionality. This is useful to illustrate the differences between the different computing models themselves: • Infrastructure:

48
Q

Which of the following is one of the challenges of application security in a cloud environment?

A.Limited Detailed Visibility
B.DevOps
C.Elasticity 
D.Isolated Environments
E.Responsiveness
A

A.Limited Detailed Visibility

Explanation
Visibility and the availability of monitoring and logging are impacted, requiring new approaches to gathering security-related data. The rest of the options are opportunities. Challenges of application security in a cloud environment · Limited detailed visibility. Visibility and the availability of monitoring and logging are impacted, requiring new approaches to gathering security-related data. This is especially true when using PaaS, where commonly available logs, such as system or network logs

49
Q

Which of the following is one of the five essential characteristics of cloud computing as defined by NIST?

A.Multi-tenancy
B.Measured Service
C.Unlimited Resources
D.Public Cloud
E.On-demand pricing
A

B.Measured Service

Explanation
Measured service meters what is provided, to ensure that consumers only use what they are allotted, and, if necessary, to charge them for it. NIST defines cloud computing by describing five essential characteristics, three cloud service models, and four cloud deployment models. These are the characteristics that make a cloud a cloud. If something has these characteristics, we consider it cloud computing. If it lacks any of them, it is likely not a cloud. • Resource pooling is the most fundamenta

50
Q

Which factor about the data must be understood because of regulatory, contractual, and other jurisdictional issues?

A.The channel the data uses while in transit
B.Size of the data and the type of storage
C.Algorithm that is used to encrypt the data
D.Logical and Physical Locations of the data
E.Owner of the data who has accountability

A

D.Logical and Physical Locations of the data

Explanation
Due to all the potential regulatory, contractual, and other jurisdictional issues, it is extremely important to understand both the logical and physical locations of data. Data is accessed and stored in multiple locations, each with its own lifecycle. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.

51
Q

How will you ensure that all data has been removed from a public cloud environment, including all media such as back-up tapes?

A.Work with CSP (Cloud Service Provider) and get all the data purged from main storage and back-ups
B.Use key management system provided by the CSP (Cloud Service Provider) and revoke/delete keys to prevent the data from being accessed again
C.Practice Segregation of duties so that only you can delete the data
D.Maintain Local Key Management and revoke or delete keys from the key management system to prevent the data from being accessed again
E.Encrypt the data while storing and allow decryption rights to authorized individuals

A

D.Maintain Local Key Management and revoke or delete keys from the key management system to prevent the data from being accessed again

Explanation
Where data is stored in a public cloud environment, there are problems when exiting that environment to be able to prove that all data (especially PII or SPI data, or data subject to regulatory assurance regimes) has been deleted from the public cloud environment, including all other media, such as back-up tapes. Maintaining local key management allows such assurance by revoking (or just deleting/losing) the key from the key management system, thus assuring that any data remaining in the public

52
Q

If, after all your assessments and the controls that you implement yourself, there is still residual risk, what are your only options?

A.You can transfer, accept or avoid risks
B.You can change the cloud service provider and choose the one which has no risk
C.You can contact the cloud service provider as risk in the cloud is a shared responsibility
D.You can accept the risk by informing senior management
E.You should contact your insurance partner and have a contract on residual risk

A

A.You can transfer, accept or avoid risks

Explanation
After reviewing and understanding what risks the cloud provider manages, what remains is residual risk. Residual risk may often be managed by controls that you implement (e.g. encryption). The availability and specific implementation of risk controls vary greatly across cloud providers, particular services/features, service models, and deployment models. If, after all your assessments and the controls that you implement yourself there is still residual risk your only options are to transfer it,

53
Q

What must the monitoring scope cover in addition to the deployed assets?

A.The management plane
B.The access plane
C.The service plane
D.The application plane
E.The data plane
A

A.The management plane

Explanation
Detection and analysis in a cloud environment may look nearly the same (for IaaS) or quite different (for SaaS). In all cases, the monitoring scope must cover the cloud’s management plane, not merely the deployed assets. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Detection and Analysis Domain 9 // INCIDENT RESPONSE
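What "covering the management plane" means in practice is alerting on the API audit trail, not only on host or network telemetry. The following is an added example (not CSA or deck code) that runs three detections over management-plane events: a root console login without MFA, audit logging being switched off, and a security-group rule opened to the whole Internet. The events are constructed in a CloudTrail-like shape; the field layout is an assumption of this script, not a specification.

```python
"""Detections over management-plane (API audit) events. Added example; the events
are constructed in a CloudTrail-like shape and the field layout is assumed."""
import ipaddress

EVENTS = [  # constructed sample events
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.5"},
    {"eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "dev1"},
     "requestParameters": {"name": "org-trail"}, "sourceIPAddress": "203.0.113.9"},
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "dev2"},
     "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
     "sourceIPAddress": "203.0.113.9"},
    {"eventName": "DescribeInstances",  # benign read-only call
     "userIdentity": {"type": "IAMUser", "userName": "dev1"}, "sourceIPAddress": "203.0.113.9"},
]

LOGGING_TAMPER = {"StopLogging", "DeleteTrail"}


def _who(ev: dict) -> str:
    ui = ev.get("userIdentity", {})
    return ui.get("userName") or ui.get("type", "unknown")


def _world_open_ranges(ev: dict):
    """Yield ((fromPort, toPort), cidr) for every range in an ingress rule that is open
    to everyone, i.e. has a zero-length prefix (0.0.0.0/0 or ::/0)."""
    perms = ev.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for p in perms:
        ranges = p.get("ipRanges", {}).get("items", []) + p.get("ipv6Ranges", {}).get("items", [])
        for r in ranges:
            cidr = r.get("cidrIp") or r.get("cidrIpv6")
            if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                yield (p.get("fromPort"), p.get("toPort")), cidr


def evaluate(events: list) -> list:
    """Return (severity, rule, detail) findings for the events that match a detection."""
    findings = []
    for ev in events:
        name = ev.get("eventName")
        if (name == "ConsoleLogin" and ev.get("userIdentity", {}).get("type") == "Root"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(("critical", "root-login-without-mfa",
                             f"root login from {ev.get('sourceIPAddress')}"))
        elif name in LOGGING_TAMPER:
            findings.append(("high", "audit-logging-disabled", f"{name} by {_who(ev)}"))
        elif name == "AuthorizeSecurityGroupIngress":
            for (lo, hi), cidr in _world_open_ranges(ev):
                findings.append(("high", "world-open-ingress",
                                 f"{_who(ev)} opened ports {lo}-{hi} to {cidr}"))
    return findings


if __name__ == "__main__":
    for sev, rule, detail in evaluate(EVENTS):
        print(f"[{sev}] {rule}: {detail}")
```

The logging-tamper rule is the one most often missing from host-centric monitoring: an attacker who can reach the management plane can turn off the very trail these detections depend on, so that event should page someone regardless of who issued it.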

54
Q

Dynamic Application Security Testing (DAST) may be limited and/or require pre-testing permission from the provider.

A.CORRECT
B.INCORRECT

A

A.CORRECT

Explanation
Dynamic Application Security Testing (DAST): DAST tests running applications and includes tests such as web vulnerability testing and fuzzing. Due to the terms of service with the cloud provider DAST may be limited and/or require pre-testing permission from the provider. With cloud and automated deployment pipelines it is possible to stand up entirely functional test environments using infrastructure as code and then perform deep assessments before approving changes for production. Source: Secur

55
Q

Which of the following statements about Cloud Access and Security Brokers (CASB) is not true?

A.They cannot do man in the middle monitoring
B.They monitor DNS queries
C.They integrate with an existing network gateway
D.They use various mechanisms such as network monitoring
E.They help to discover internal use of cloud services

A

A.They cannot do man in the middle monitoring

Explanation
CASB can do inline interception (man in the middle monitoring). CASB: Cloud Access and Security Brokers (also known as Cloud Security Gateways) discover internal use of cloud services using various mechanisms such as network monitoring, integrating with an existing network gateway or monitoring tool, or even by monitoring DNS queries. After discovering which services your users are connecting to, most of these products then offer monitoring of activity on approved services through API connection

56
Q

Which of the following will not help to detect actual migrations, monitor cloud usage, or detect data transfers to the cloud?

A.Data Encryption In Transit
B.DLP- Data Loss Prevention
C.URL Filtering
D.CASB-Cloud Access and Security Brokers

A

A.Data Encryption In Transit

Explanation
You can detect actual migrations, monitor cloud usage, and detect data transfers using CASB, URL filtering, and DLP. Data encryption in transit secures data while in motion but does not help to detect actual migrations, monitor cloud usage, or detect data transfers to the cloud. To detect actual migrations, monitor cloud usage and any data transfers, you can use the following tools: CASB: Cloud Access and Security Brokers (also known as Cloud Security Gateways) discover i
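Both CASB cards above name DNS query monitoring as a discovery mechanism. The script below is an added example (not CSA or deck code) of that mechanism: it reads resolver log lines, matches query names against a catalog of known cloud services by walking up the parent domains, and reports which services are in use, from how many clients, and whether they are sanctioned. The log format, the hosts and client addresses, and the catalog (including which services count as approved) are all constructed for the example.

```python
"""Shadow-cloud discovery from DNS query logs, one of the CASB mechanisms named in the
flashcards. Added example; log format, hosts, clients and catalog are constructed."""

# Constructed resolver log: "<timestamp> <client ip> <query name> <query type>".
DNS_LOG = """\
2024-05-01T09:00:01Z 10.1.4.22 login.salesforce.com A
2024-05-01T09:00:03Z 10.1.4.22 www.dropbox.com A
2024-05-01T09:01:10Z 10.1.7.5 content.dropboxapi.com AAAA
2024-05-01T09:02:44Z 10.1.7.5 wetransfer.com A
2024-05-01T09:03:02Z 10.1.4.22 intranet.corp.example A
2024-05-01T09:04:00Z 10.1.9.8 api.dropbox.com A
"""

# Constructed catalog: registrable domain -> (service, sanction status).
CATALOG = {
    "salesforce.com": ("Salesforce", "approved"),
    "dropbox.com": ("Dropbox", "unsanctioned"),
    "dropboxapi.com": ("Dropbox", "unsanctioned"),
    "wetransfer.com": ("WeTransfer", "unsanctioned"),
}


def lookup(qname: str):
    """Match a query name against the catalog by walking up its parent domains,
    so api.dropbox.com matches the dropbox.com entry. Never matches a bare TLD."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        hit = CATALOG.get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def discover(log_text: str) -> dict:
    """Aggregate per service: sanction status, distinct client IPs, query count."""
    seen = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than abort the whole run
        _ts, client, qname, _qtype = parts[:4]
        hit = lookup(qname)
        if not hit:
            continue
        service, status = hit
        entry = seen.setdefault(service, {"status": status, "clients": set(), "queries": 0})
        entry["clients"].add(client)
        entry["queries"] += 1
    return seen


def unsanctioned(log_text: str) -> list:
    """Sorted names of services seen in the log that are not approved."""
    return sorted(s for s, e in discover(log_text).items() if e["status"] == "unsanctioned")


if __name__ == "__main__":
    for service, entry in discover(DNS_LOG).items():
        print(f"{service:12} {entry['status']:12} clients={len(entry['clients'])} "
              f"queries={entry['queries']}")
```

DNS discovery shows which services are being reached, not what is sent to them, which is why the cards pair it with inline interception or API integration for activity monitoring once a service has been discovered.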

57
Q

Tokenization is often used when preserving the format of the data is not important.

A.CORRECT
B.INCORRECT

A

B.INCORRECT

Explanation
Tokenization is often used when the format of the data is important (e.g. replacing credit card numbers in an existing system that requires the same format text string). Format Preserving Encryption encrypts data with a key but also keeps the same structural format as tokenization, although it may not be as cryptographically secure, due to the compromises made to preserve the format. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0
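The credit-card case in the explanation is the classic one: a downstream system expects a 16-digit string, so the substitute must look like a card number while carrying no card data. Here is an added example (not CSA or deck code) of vault-based tokenization that preserves length, character class and the last four digits; the rules that a token keeps the last four digits and deliberately fails the Luhn check are conventions assumed for this example, and the card number used is a standard test number.

```python
"""Vault-based, format-preserving tokenization of a card number (PAN). Added example;
keeping the last four digits and making tokens fail Luhn are assumed conventions."""
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card numbers; returns True for a well-formed PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to random tokens of identical format and back. The vault is the only
    place the real PAN lives, so it is the component that stays in PCI scope."""

    def __init__(self):
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._by_pan:
            return self._by_pan[pan]  # same PAN -> same token, so joins and lookups still work
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # keep last four for display and support lookups
            # A token must not collide, must not equal the PAN, and must fail Luhn so it
            # can never be mistaken for (or passed on as) a real card number.
            if token != pan and token not in self._by_token and not luhn_valid(token):
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Authorised callers only; unknown tokens raise KeyError."""
        return self._by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111")
    print(tok, vault.detokenize(tok))
```

Because the token is random and the mapping lives only in the vault, an attacker who steals the tokenized database learns nothing about the card numbers; this is the property format-preserving encryption trades away in part, since its output is a deterministic function of a key.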

58
Q

Which of the following statements is not true regarding “Instance-managed encryption”?

A.The volume can be protected by a key pair
B.The volume can be protected by a passphrase
C.The key is stored outside the volume
D.The encryption engine runs within the instance

A

C.The key is stored outside the volume

Explanation
The key is stored in the volume but protected by a passphrase or keypair. IaaS volumes can be encrypted using different methods, depending on your data. Volume storage encryption Instance-managed encryption: The encryption engine runs within the instance, and the key is stored in the volume but protected by a passphrase or keypair. Externally managed encryption: The encryption engine runs in the instance, but the keys are managed externally and issued to the instance on request. Source: Security
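The two volume-encryption models above (card 58) and the "keep the keys local so you can revoke them on exit" argument from card 51 are easiest to see side by side. The script below is an added example, not CSA or deck code: an instance-managed volume wraps its data key with a passphrase-derived key and stores the wrapped key in the volume header, while an externally managed volume stores only a key ID and fetches the key from a customer-controlled key manager on request; destroying that key renders every copy of the volume, backups included, unreadable. The cipher is an illustrative stand-in built from the standard library (SHAKE-256 keystream plus an HMAC-SHA256 tag) so the script runs offline; a real volume would use AES-XTS or AES-GCM from a vetted library, and the PBKDF2 round count is an assumption.

```python
"""Instance-managed vs externally managed volume encryption, and crypto-shredding via a
locally managed key. Added example; the cipher is an illustrative stand-in (SHAKE-256
keystream + HMAC-SHA256 tag), not a substitute for AES-XTS/AES-GCM from a real library."""
import hashlib, hmac, os, secrets


def _subkeys(key: bytes):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    ek, mk = _subkeys(key)
    nonce = os.urandom(16)
    stream = hashlib.shake_256(ek + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mk, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    stream = hashlib.shake_256(ek + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


class InstanceManagedVolume:
    """Engine in the instance; the data key lives IN the volume header, wrapped by a key
    derived from a passphrase (a key pair would play the same role)."""
    def __init__(self, passphrase: str):
        self.salt = os.urandom(16)
        self._data_key = secrets.token_bytes(32)
        kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, 100_000)
        self.wrapped_key = seal(kek, self._data_key)  # stored on the volume itself
        self.blocks = []

    def write(self, data: bytes):
        self.blocks.append(seal(self._data_key, data))


def read_instance_managed(vol, passphrase: str) -> list:
    """Anyone holding a copy or snapshot of the volume plus the passphrase can read it."""
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), vol.salt, 100_000)
    data_key = unseal(kek, vol.wrapped_key)  # ValueError on a wrong passphrase
    return [unseal(data_key, b) for b in vol.blocks]


class LocalKeyManager:
    """Stand-in for a customer-controlled KMS that issues keys to instances on request."""
    def __init__(self):
        self._keys = {}

    def create(self) -> str:
        key_id = secrets.token_hex(8)
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def issue(self, key_id: str) -> bytes:
        if key_id not in self._keys:
            raise KeyError(f"key {key_id} is unknown or has been destroyed")
        return self._keys[key_id]

    def destroy(self, key_id: str):
        self._keys.pop(key_id, None)  # crypto-shred: every copy of the data goes dark


class ExternallyManagedVolume:
    """Engine in the instance, but the volume header holds only a key ID."""
    def __init__(self, kms: LocalKeyManager, key_id: str):
        self.key_id, self.blocks, self._kms = key_id, [], kms

    def write(self, data: bytes):
        self.blocks.append(seal(self._kms.issue(self.key_id), data))


def read_externally_managed(vol, kms: LocalKeyManager) -> list:
    data_key = kms.issue(vol.key_id)  # KeyError once the key is destroyed
    return [unseal(data_key, b) for b in vol.blocks]


def demo() -> dict:
    """Exercise both models; returns what each step yielded."""
    out = {}
    vol = InstanceManagedVolume("correct horse battery staple")
    vol.write(b"customer record 1")
    out["instance_ok"] = read_instance_managed(vol, "correct horse battery staple")
    try:
        out["wrong_passphrase"] = read_instance_managed(vol, "wrong passphrase")
    except ValueError:
        out["wrong_passphrase"] = "rejected"
    kms = LocalKeyManager()
    ext = ExternallyManagedVolume(kms, kms.create())
    ext.write(b"customer record 2")
    backup = ExternallyManagedVolume(kms, ext.key_id)
    backup.blocks = list(ext.blocks)  # the provider's backup copy of the same volume
    out["external_ok"] = read_externally_managed(ext, kms)
    kms.destroy(ext.key_id)  # leaving the provider: destroy the key, not every copy
    try:
        out["after_shred"] = read_externally_managed(backup, kms)
    except KeyError:
        out["after_shred"] = "unreadable"
    return out
```

The practical difference is who can unlock a stray snapshot: with the instance-managed model the wrapped key travels with every copy of the volume, so a weak passphrase is an offline-guessing target for anyone holding a snapshot; with the external model the provider's copies contain no key at all, which is exactly what makes the exit-time crypto-shred in card 51 credible.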

59
Q

Which of the following is not part of the PaaS encryption?

A.Provider-managed layers in the application such as the messaging queue
B.Database encryption
C.Proxy encryption
D.Application layer encryption

A

C.Proxy encryption

Explanation
Proxy encryption is part of IaaS or SaaS encryption. PaaS Encryption PaaS encryption varies tremendously due to all the different PaaS platforms. • Application layer encryption: Data is encrypted in the PaaS application or the client accessing the platform. • Database encryption: Data is encrypted in the database using encryption that’s built in and is supported by a database platform like Transparent Database Encryption (TDE) or at the field level. • Other: These are provider-managed layers in

60
Q

GDPR replaced which Data Protection Directive?

A.PIPEDA
B.FRCP
C.Directive 95/46/EC
D.NIS

A

C.Directive 95/46/EC

Explanation:
GDPR replaced the Data Protection Directive 95/46/EC. PIPEDA is a Canadian data protection law. FRCP is the US Federal Rules of Civil Procedure, which govern civil litigation (including e-discovery) in US federal courts. NIS is the EU-wide cybersecurity directive.