CCSK Practice Exam 1 (WhizLabs) Flashcards
Which of the following is the key difference between cloud computing and traditional computing?
A. Infrastructure
B. Metastructure
C. Infostructure
D. Applistructure
B. Metastructure
Explanation:
The key difference between cloud and traditional computing is the metastructure.
Cloud metastructure includes the management plane components, which are network-enabled and remotely accessible
At a high level, both cloud and traditional computing adhere to a logical model that helps identify different layers based on functionality. This is useful to illustrate the differences between the different computing models themselves:
Infrastructure: The core components of a computing system: compute, network and storage. The foundation that everything else is built on. The moving parts
Metastructure: The protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The glue that ties the technologies and enables management and configuration
Infostructure: The data and information. Content in a database, file storage etc.
Applistructure: The application deployed in the cloud and the underlying application services used to build them. For example, Platform as a Service features like message queues, artificial intelligence analysis, or notification services.
The data security lifecycle includes six phases from creation to destruction, which of the following are these stages and in the correct order?
A. Create, Use, Store, Share, Archive, Destroy
B. Create, Store, Use, Share, Archive, Destroy
C. Create, Use, Store, Archive, Share, Destroy
D. Create, Process, Store, Share, Archive, Destroy
E. Create, Process, Store, Archive, Share, Destroy
F.0
B. Create, Store, Use, Share, Archive, Destroy
Explanation:
The lifecycle includes six phases from creation to destruction. Although it is shown as linear progression, once created, data can bounce between phases without restriction, and may not pass through all stages
Create - Creation is the generation of new digital content, or the alteration/updating/modifying of existing content
Store - Storing is the act of committing the digital data to some sort of storage repository and typically occurs nearly simultaneously with creation
Use - Data is viewed, processed, or otherwise used in some sort of activity, not including modification
Share - Information is made accessible to others, such as between users, to customers and to partners
Destroy - Data is permanently destroyed using physical or digital means (i.e., cryptoshredding)
What are the three main aspects of business continuity and disaster recovery in the cloud?
A. Ensuring continuity and recovery within a cloud provider, Preparing for and managing cloud provider outages, Considering options for portability, in case you need to migrate providers or platforms
B. Ensuring continuity and recovery within a cloud provider, Preparing for and managing cloud provider services, Considering options for portability, in case you need to migrate providers or platforms
C. Ensuring continuity and recovery within a cloud provider, Preparing for and managing cloud provider services, Considering options for portability, in case you need to migrate providers or platforms
D. Ensuring continuity and recovery within a given cloud provider, Preparing for and managing cloud provider services, Considering options for availability, in case you need to migrate providers or platforms
A. Ensuring continuity and recovery within a cloud provider, Preparing for and managing cloud provider outages, Considering options for portability, in case you need to migrate providers or platforms
Explanation:
Business Continuity and Disaster Recovery (BC/DR) is just as important in cloud computing as it is for any other technology. Aside from differences resulting from the potential involvement of a third party (something we often deal with in BC/DR), there are additional considerations due to the inherent differences when using shared resources.
The three main aspects of BC/DR in the cloud are:
Ensuring continuity and recovery within a given cloud provider.
These are the tools and techniques to best architect your cloud deployment to keep things running if either what you deploy breaks, or a portion of the cloud provider breaks
Preparing for and managing cloud provider outages.
This extends from the more constrained problems that you can architect around within a provider to the wider outages that take down all or some of the provider in a way that exceeds the capabilities of inherent DR controls
Considering options for portability, in case you need to migrate providers or platforms
This could be due to anything from desiring a different feature set to the complete loss of the provider, if for example, they go out of business or you have a legal dispute
Which of the following is not a security benefit of immutable workloads?
A. Security testing can be managed during image creation
B. You no longer patch running systems or worry about dependencies
C. You can enable remote logins to running workloads
D. It is much faster to roll out updated versions
E. It is easier to disable services and whitelist applications
C. You can enable remote logins to running workloads
Explanation:
You can, and should, disable remote logins to running workloads (if logins are even an option).
This is an operational requirement to prevent changes that aren't consistent across the stack, which also has significant security benefits
Auto-scaling and containers, by nature, work best when you run instances launched dynamically based on an image: Those instances can be shut down when no longer needed for capacity without breaking an application stack.
This is core to the elasticity of compute in the cloud.
Thus, you no longer patch or make other changes to a running workload, since that wouldn't change the image and thus new instances would be out of sync with whatever manual changes you make on whatever is running.
We call these virtual machines immutable.
Immutable workloads enable significant security benefits:
You no longer patch running systems or worry about dependencies, broken patch processes, etc. You replace them with a new gold master
It is much faster to roll out updated versions, since applications must be designed to handle individual nodes going down (remember, this is fundamental to any auto-scaling).
You are less constrained by the complexity and fragility of patching a running system. Even if something breaks, you just replace it.
It is easier to disable services and whitelist applications/processes since the instance should never change
Most security testing can be managed during image creation, reducing the need for vulnerability assessment on running workloads since their behavior should be completely known at the time of creation. This doesn't eliminate all security testing for production workloads, but it is a means of offloading large portions of testing
Which of the following is not the primary security responsibility of the cloud user when it uses the virtualized environment?
A. Monitoring and logging
B. Image Asset Management
C. Identity management to the virtual resources
D. Use of dedicated hosting
E. Isolation
E. Isolation
Explanation:
Isolation is the primary security responsibility of the cloud provider in compute virtualization
Cloud User Responsibilities:
Security Settings
Settings such as identity management, to the virtual resources.
This is not the identity management within the resource, such as the operating system login credentials, but the identity management of who is allowed to access the cloud management of the resource - for example, stopping or changing the configuration of a virtual machine.
Monitoring and Logging
How to handle system logs from virtual machines or containers; the cloud platform will likely offer additional logging and monitoring at the virtualization level. This can include the status of a virtual machine, management events, performance, etc.
Image Asset Management
Cloud compute deployments are based on master images - be it a virtual machine, container or other code - that are then run in the cloud.
This is often highly automated and results in a larger number of images to base assets on, compared to traditional computing master images.
Managing these - including which meet security requirements, where they can be deployed and who has access to them - is an important security responsibility
Use of Dedicated Hosting
If available, based on the security context of the resource.
In some situations you can specify that your assets run on hardware dedicated to only you (at higher cost), even on a multitenant cloud.
This may help meet compliance requirements or satisfy security needs in special cases where sharing hardware with another tenant is considered a risk
Which common component of big data is focused on the mechanisms used to ingest large volumes of data, often of a streaming nature?
A. Distributed data collection
B. Distributed Attribution
C. Distributed Processing
D. Distributed Storage
E. Distributed Data Information
A. Distributed data collection
Explanation:
Distributed data collection is the mechanism used to ingest large volumes of data, often of a streaming nature
There are three common components of big data, regardless of the specific toolset used:
Distributed Data Collection
Mechanisms to ingest large volumes of data, often of a streaming nature.
This could be as “lightweight” as web-click streaming data and as complex as highly distributed scientific imaging or sensor data
Not all big data relies on distributed or streaming data collection, but it is a core big data technology
Distributed Storage
The ability to store the large data sets in distributed file systems (such as Google File System, Hadoop Distributed File System etc) or databases (often NoSQL), which is often required due to the limitations of non-distributed storage technologies
Distributed Processing
Tools capable of distributing processing jobs (such as MapReduce, Spark, etc.) for the effective analysis of data sets so massive and rapidly changing that single-origin processing can't effectively handle them
What are the three main components of an encrypted system?
A. User, data and encryption engine
B. User, encryption, and key management
C. User, data, and encryption
D. Data, encryption, and decryption algorithm
E. Data, encryption engine and key management
E. Data, encryption engine and key management
Explanation:
There are three components of an encryption system: data, the encryption engine and key management
The data is of course, the information that you’re encrypting.
The engine is what performs the mathematical process of encryption
The key manager handles the keys for the encryption.
The overall design of the system focuses on where to put each of these components
In a cloud provider and user relationship, the virtual or abstracted infrastructure is managed by which entity?
A. Cloud user
B. Cloud Provider
C. As per the contract between the cloud provider and cloud user
D. It's a shared responsibility
E. It is managed by third party
A. Cloud user
Explanation:
In cloud computing there are two macro layers to infrastructure
The fundamental resources pooled together to create a cloud.
This is the raw, physical and logical compute (processors, memory, etc.), networks and storage used to build the cloud's resource pools.
For example, this includes the security of networking hardware and software used to create the network resource pool
The virtual/abstracted infrastructure managed by a cloud user.
That's the compute, network and storage assets that they use from the resource pools.
For example, the security of the virtual network, as defined and managed by the cloud user.
Which of the following statements best describes an identity federation?
A. Interconnection of disparate directory services
B. Cloud service providers with the same identity store
C. Identities that share similar access rights
D. Shared use of single cloud services
E. Role based access provisioning
A. Interconnection of disparate directory services
Explanation:
Conceptually speaking, federation is the interconnection of disparate directory services
In cloud computing, the fundamental problem is that multiple organizations are now managing the identity and access management to resources, which can greatly complicate the process.
For example, imagine having to provision the same user on dozens - or hundreds - of different cloud services.
Federation is the primary tool used to manage this problem, by building trust relationships between organizations and enforcing them through standards-based technologies
Which of the following items is NOT an example of Security as a Service (SecaaS)?
A. Identity
B. IDS/IPS
C. Provisioning
D. Email
E. Web Services
C. Provisioning
Explanation:
Provisioning is not part of the most common categories
There are a large number of products and services that fall under the heading of SecaaS.
While the following is not a canonical list, it describes many of the more common categories:
Identity, Entitlement and Access Management services
Cloud Access and Security Broker (CASB, also known as Cloud Security Gateways)
Web Security
Email Security
Web Application Firewalls
Intrusion Detection/Prevention
SIEM
Encryption and Key Management
BC/DR
Security Management
Distributed Denial of Service Protection
Identity brokers handle federating between identity providers and relying parties
A. True
B. False
A. True
Explanation:
Identity brokers handle federating between identity providers and relying parties (which may not always be a cloud service)
They can be located on the network edge or even in the cloud in order to enable web-SSO
Identity providers don't need to be located only on-premises; many cloud providers now support cloud-based directory servers that support federation internally and with other cloud services.
For example, more complex architectures can synchronize or federate a portion of an organization's identities for an internal directory through an identity broker and then to a cloud-hosted directory which then serves as an identity provider for other federated connections
Which of the following is a valid statement regarding entitlement?
A. Entitlement is the same thing as authorization
B. Entitlement maps identities to authorizations and any required attributes
C. Entitlement is the same thing as access control
D. Entitlement is permission to do something
E. Entitlement allows or denies the expression of authorization
B. Entitlement maps identities to authorizations and any required attributes
Explanation:
Entitlement maps identities to authorizations and any required attributes
The terms entitlement, authorization and access control all overlap somewhat and are defined differently depending on the context.
An authorization is permission to do something - access a file, or perform a certain function like an API call on a particular resource
An access control allows or denies the expression of that authorization, so it includes aspects like assuring that the user is authenticated before allowing access
An entitlement maps identities to authorizations and any required attributes (i.e., user x is allowed access to resource y when z attributes have designated values).
We commonly refer to a map of these entitlements as an entitlement matrix.
Entitlements are often encoded as technical policies for distribution and enforcement
When using federation, the cloud provider is responsible for mapping attributes, including roles and groups, to the cloud user.
A. True
B. False
B. False
Explanation:
When using federation, the cloud user is responsible for mapping attributes, including roles and groups, to the cloud provider and ensuring that these are properly communicated during authentication
In a cloud-based WAF, the traffic is redirected to a service that analyzes and filters traffic before passing it to the web application
A. True
B. False
A. True
Explanation:
In a cloud based WAF, customers redirect traffic (using DNS) to a service that analyzes and filters traffic before passing it through to the destination web application.
Many cloud WAFs also include anti-DDoS capabilities
Which of the following statements best describes the potential advantages of security as a service?
A. Many areas of security as a service are ready for adoption with notable exceptions of anti-malware and web security gateway programs
B. The advantage may include deployment flexibility, extensive domain knowledge and capabilities to scale of SecaaS providers
C. The standardization of security software makes the outsourcing of security as a service nearly obsolete
D. The higher costs and reduced flexibility are more than compensated by the ability to pass the security responsibilities on to another firm
B. The advantage may include deployment flexibility, extensive domain knowledge and capabilities to scale of SecaaS providers
Explanation:
Potential benefits of SecaaS are cloud computing benefits, staffing and expertise, intelligence sharing, deployment flexibility, insulation of clients and scaling and cost
Cloud Computing Benefits
The normal potential benefits of cloud computing - such as reduced capital expenses, agility, redundancy, high availability, and resiliency - all apply to SecaaS.
As with any other cloud provider, the magnitude of these benefits depends on pricing, execution and capabilities of the security provider
Staffing and Expertise
Many organizations struggle to employ, train and retain security professionals across relevant domains of expertise.
This can be exacerbated due to limitations of local markets, high costs for specialists, and balancing day-to-day needs with the high rate of attacker innovation.
As such, SecaaS providers bring the benefit of extensive domain knowledge and research that may be unattainable for many organizations that are not solely focused on security or the specific security domain
Intelligence-Sharing
SecaaS providers protect multiple clients simultaneously and have the opportunity to share data intelligence and data across them.
For example, finding a malware sample in one client allows the provider to immediately add it to their defensive platform, thus protecting all other customers.
Practically speaking this isn't a magic wand, as the effectiveness will vary across categories, but since intelligence-sharing is built into the service, the potential upside is there.
Deployment Flexibility
SecaaS may be better positioned to support evolving workplaces and cloud migrations, since it is itself a cloud-native model delivered using broad network access and elasticity.
Services can typically handle more flexible deployment models, such as supporting distributed locations without the complexity of multi-site hardware
Insulation of Clients
In some cases, SecaaS can intercept attacks before they hit the organization directly.
For example, spam filtering and cloud-based Web Application Firewalls are positioned between the attackers and the organizations. They can absorb certain attacks before they ever reach the customer's assets.
Scaling and Costs
The cloud model provides the customer with a “Pay as You Grow” model, which also helps organizations focus on their core business and lets them leave security concerns to the experts
By nature, most DDoS protections are not cloud-based and they do not operate by rerouting traffic
A. False
B. True
A. False
Explanation:
By nature, most DDoS protections are cloud-based.
They operate by rerouting traffic through the DDoS service in order to absorb attacks before they can affect the customer's own infrastructure
Which of the following is not a security concern of serverless computing?
A. Serverless places a much higher security burden on the cloud user
B. The cloud user will not have access to commonly used monitoring and logging levels
C. Serverless will result in high levels of access to the cloud provider's management plane
D. Vulnerability assessment must comply with the provider's terms of service
E. Incident response will be more complicated
A. Serverless places a much higher security burden on the cloud user
Explanation:
Choosing your provider and understanding security SLAs and capabilities is absolutely critical.
Although the cloud provider is responsible for security below the serverless platform level, the cloud user is still responsible for properly configuring and using the products
From a security standpoint, serverless key issues include:
Using serverless, the cloud user will not have access to commonly used monitoring and logging levels, such as server or network logs. Applications will need to integrate more logging and cloud providers should provide necessary logging to meet core security and compliance requirements
Although the provider's services may be certified or attested for various compliance mappings to more up to date and customers need to ensure they only use services within their compliance scope
There will be high levels of access to the cloud provider's management plane since that is the only way to integrate and use the serverless capabilities
Serverless can dramatically reduce attack surface and pathways and integrating serverless components may be an excellent way to break links in an attack chain, even if the entire application stack is not serverless.
Any vulnerability assessment or other security testing must comply with the provider's terms of service.
Cloud users may no longer have the ability to directly test applications or must test with a reduced scope, since the provider's infrastructure is now hosting everything and can't distinguish between legitimate tests and attacks
Incident response may also be complicated and will definitely require changes in process and tooling to manage a serverless based incident
The incident response plan followed by cloud users must not change in the case of serverless technology
A. False
B. True
A. False
Explanation:
Serverless places a much higher security burden on the cloud provider.
Choosing your provider and understanding security SLAs and capabilities is absolutely critical.
Incident response may also be complicated and will definitely require changes in process and tooling to manage a serverless based incident
In the SecaaS relationship, who is responsible for the majority of the security?
A. Application User
B. Cloud User
C. Cloud Provider
D. Application Owner
E. Application Developer
C. Cloud Provider
Explanation:
Security as a Service (SecaaS) providers offer security capabilities as a cloud service
SecaaS providers offer security capabilities as a cloud service.
This includes dedicated SecaaS providers, as well as packaged security features from general cloud computing providers.
SecaaS encompasses a very wide range of possible technologies, but they must meet the following criteria:
SecaaS includes security products or services that are delivered as a cloud service
To be considered SecaaS, the services must still meet the essential NIST characteristics for cloud computing
What should every cloud customer set up with its cloud provider that can be utilized in the event of an incident?
A. Contract
B. Communication Plan
C. Remediation Kit
D. A data destruction plan
E. Communication Officer
B. Communication Plan
Explanation:
Cloud customers must set up proper communication paths with the provider that can be utilized in the event of an incident.
Existing open standards can facilitate incident communication
Which of the following facilitates the underlying communications method for components within a cloud, some of which are exposed to the cloud user to manage their resources and configurations?
A. Cloud Service Provider
B. Cloud Management Plane
C. Cloud Control Plane
D. Application Programming Interface
E. Hypervisor
D. Application Programming Interface
Explanation:
APIs are typically the underlying communications method for components within a cloud, some of which (or an entirely different set) are exposed to the cloud user to manage their resources and configurations
The cloud resources are pooled using abstraction and orchestration.
Abstraction, often via virtualization, frees the resources from their physical constraints to enable pooling.
Then a set of core connectivity and delivery tools (orchestration) ties these abstracted resources together, creates the pools, and provides the automation to deliver them to customers.
All this is facilitated using Application Programming Interfaces. APIs are typically the underlying communications method for components within a cloud, some of which (or an entirely different set) are exposed to the cloud user to manage their resources and configurations. Most cloud APIs these days use REST (Representational State Transfer), which runs over the HTTP protocol, making it extremely well suited for Internet services.
In most cases, those APIs are both remotely accessible and wrapped into a web-based user interface.
This combination is the cloud management plane, since consumers use it to manage and configure the cloud resources, such as launching virtual machines (instances) or configuring virtual networks.
From a security perspective, it is both the biggest difference from protecting physical infrastructure (since you can't rely on physical access as a control) and the top priority when designing a cloud security program.
If an attacker gets into your management plane, they potentially have full remote access to your entire cloud deployment
Which of the following is the primary tool of governance between a cloud provider and a cloud customer which is true for both public and private cloud?
A. Audit
B. Cloud provider assessment
C. Compliance Reports
D. Contract
E. Non-Disclosure Agreements
D. Contract
Explanation:
The primary tool of governance is the contract between a cloud provider and a cloud customer (this is true for public and private cloud)
As with any other area, there are specific management tools used for cloud governance.
This list focuses more on tools for external providers, but these same tools can often be used internally for private deployments
Contracts
The primary tool of governance is the contract between a cloud provider and a cloud customer (this is true for public and private cloud)
The contract is your only guarantee of any level of service or commitment - assuming there is no breach of contract, which tosses everything into a legal scenario.
Contracts are the primary tool to extend governance into business partners and providers
Supplier (Cloud Provider) Assessments
These assessments are performed by the potential cloud customer using available information and allowed processes/techniques.
They combine contractual and manual research with third-party attestations (legal statements often used to communicate the results of an assessment or audit) and technical research.
They are very similar to any supplier assessment and can include aspects like financial viability, history, feature offerings, third-party attestations, feedback from peers and so on
Compliance Reporting
Compliance Reporting includes all the documentation on a provider's internal and external compliance assessments.
They are the reports from audits of controls, which an organization can perform themselves, a customer can perform on a provider (although this usually isn't an option in cloud) or have performed by a trusted third party.
Third-party audits and assessments are preferred since they provide independent validation (assuming you trust the third party)
When associating the functions to an actor, which of the following is used to restrict a list of possible actions down to allowed actions?
A. Controls
B. Functions
C. Locations
D. Permissions
E. Actions
A. Controls
Explanation:
A control restricts a list of possible actions down to allowed actions
Functions can be performed with the data, by a given actor (person or system) and in a particular location
Functions
There are three things we can do with a given datum:
Read - View/Read the data, including creating, copying, file transfers, dissemination, and other exchanges of information
Process - Perform a transaction on the data; update it; use it in a business processing transaction, etc.
Store - Hold the data (in a file, database, etc.)
Actor
An actor (person, application or system/process as opposed to the access device) performs each function in a location
Controls
A control restricts a list of possible actions down to allowed actions.
Which of the following statements are false about Serverless Computing? (Select 2)
A. The cloud provider manages all the underlying layers
B. The cloud user manages all the underlying layers
C. The cloud provider manages the security functions and controls
D. The cloud user manages the security functions and controls
E. The cloud user accesses the exposed function
B. The cloud user manages all the underlying layers
D. The cloud user manages the security functions and controls
Explanation:
Serverless is merely a combined term that covers containers and platform-based workloads, where the cloud provider manages all the underlying layers, including foundational security functions and controls.
Serverless computing is a broad category that refers to any situation where the cloud user doesn't manage any of the underlying hardware or virtual machines, and just accesses exposed functions.
For example, there are serverless platforms for directly executing application code.
Under the hood, these still utilize capabilities such as containers, virtual machines or specialized hardware platforms.
From a security perspective, serverless is merely a combined term that covers containers and platform-based workloads, where the cloud provider manages all the underlying layers, including foundational security functions and controls