CCSK Practice Exam 2 (WhizLabs) Flashcards

1
Q

In which phase of the application design and development process is the focus on architecture?

A.Training
B.Define
C.Design
D.Develop
E.Test
A

C.Design

Explanation:
Design
During the application design process, especially when PaaS is involved, the focus for security in the cloud is on architecture, the cloud provider's baseline capabilities, cloud provider features, and automating and managing security for deployment and operations.
There are often significant security benefits to integrating security into the application architecture, since there are opportunities to leverage the provider's own security capabilities.
For example, inserting a serverless load balancer or message queue could completely block certain network attack paths.
This is also where you perform threat modeling, which must also be cloud and provider/platform specific.

2
Q

Which of the following governance domains focuses on proper and adequate incident detection, response, notification and remediation?

A.Infrastructure Security
B.Information Governance and Enterprise Risk Management
C.Compliance and Audit Management
D.Incident Response
E.Information Governance
A

D.Incident Response

Explanation:
The Incident Response Lifecycle as defined in the NIST-800 document includes the following phases and major activities:

Detection and Analysis:
Alerts
Endpoint protection, network security monitoring, host monitoring, account creation, privilege escalation, other IoCs, SIEM, security analytics (baseline and anomaly detection), end user behavior analytics
-Validate Alerts (reducing false positives) and escalation
-Estimate the scope of the incident
-Assign an Incident Manager who will coordinate further actions
-Designate a person who will communicate the incident containment and recovery status to senior management
-Build a timeline of the attack
-Determine the extent of the potential data loss
-Notification and coordination activities
-Containment, eradication and recovery

Containment
Taking systems offline. Considerations for data loss versus service availability. Ensuring systems don't destroy themselves upon detection.

Eradication and Recovery
Clean up compromised devices and restore systems to normal operations. Confirm systems are functioning properly. Deploy controls to prevent similar incidents.

Documenting the incident and gathering evidence (chain of custody)

3
Q

The main difference between traditional virtualization and cloud computing is abstraction.

A. True
B. False

A

B. False

Explanation:
Virtualization abstracts resources, but it typically lacks the orchestration to pool them together and deliver them to customers on demand, instead relying on manual processes.

The key techniques to create a cloud are abstraction and orchestration.
We abstract the resources from the underlying physical infrastructure to create our pools, and use orchestration (and automation) to coordinate carving out and delivering a set of resources from the pools to the consumers.
As you will see, these two techniques create all the essential characteristics we use to define something as a cloud.

The difference between cloud computing and traditional virtualization: virtualization abstracts resources, but it typically lacks the orchestration to pool them together and deliver them to customers on demand, instead relying on manual processes.

4
Q

Which of the following is a cloud infrastructure that is shared by several organizations and supports a specific group that has shared concerns?

A.Public Cloud
B.Private Cloud
C.Community Cloud
D.Hybrid Cloud
E.Common Cloud
A

C.Community Cloud

Explanation:
Community Cloud is the cloud infrastructure that is shared by several organizations and supports a specific community that has shared concerns (i.e., mission, security requirements, policy, or compliance considerations).

Community Cloud
It may be managed by the organizations or by a third party and may be located on-premises or off-premises.

5
Q

Which of the following describes the cloud management plane?

A. APIs that are remotely accessible and those wrapped into a web-based user interface
B. Is a layer in which all types of devices and resources from different vendors are interconnected
C. Is a layer where the data center is the component element
D. Is a layer consisting of plenty of vendors and third party applications

A

A. APIs that are remotely accessible and those wrapped into a web-based user interface

Explanation:
APIs are both remotely accessible and wrapped into a web-based user interface.
This combination is the cloud management plane, since consumers use it to manage and configure the cloud resources, such as launching virtual machines (instances) or configuring virtual networks.

Option B is infrastructure.
Option C is the cloud control plane.
Option D is the application plane.

6
Q

If an attacker gets into your management plane, they have full remote access to your entire cloud environment.

A. True
B. False

A

A. True

Explanation:
If an attacker gets into your management plane, they potentially have full remote access to your entire cloud.

7
Q

Data and information, such as content in a database or file storage, are part of which layer of the Logical Model?

A.Infrastructure
B. Metastructure
C.Infostructure
D.Applistructure

A

C.Infostructure

Explanation:
The data and information (content in a database, file storage, etc.) is part of the Infostructure.
At a high level, both cloud and traditional computing adhere to a logical model that helps identify different layers based on functionality.
This is useful to illustrate the differences between the different computing models themselves:

Infrastructure
The core components of a computing system: compute, network and storage.
The foundation that everything is built on. The moving parts.

Metastructure
The protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The glue that ties the technologies together and enables management and configuration.

Infostructure
The data and information. Content in a database, file storage, etc.

Applistructure
The applications deployed in the cloud and the underlying application services used to build them.
For example, PaaS features like message queues, artificial intelligence analysis, or notification services.

8
Q

Which of the following is the most commonly used application programming interface?

A. REST
B.SOAP
C. HTTP
D. JSON

A

A. REST

Explanation:
Most cloud APIs these days use REST (Representational State Transfer), which runs over the HTTP protocol, making it extremely well suited for Internet services.

APIs are typically the underlying communications method for components within a cloud, some of which (or an entirely different set) are exposed to the cloud user to manage their resources and configurations.

9
Q

Which of the following tools lists cloud security controls and maps them to multiple security and compliance standards?

A.Consensus Assessments Initiative Questionnaire
B.Cloud Controls Matrix
C.Cloud Provider Controls
D. Supplier (Cloud Provider) Assessments
E.Cloud Security Alliance STAR Registry
A

B.Cloud Controls Matrix

Explanation:
The Cloud Controls Matrix (CCM) lists cloud security controls and maps them to multiple security and compliance standards. The CCM can also be used to document security responsibilities.

The Consensus Assessments Initiative Questionnaire (CAIQ) is a standard template for cloud providers to document their security and compliance controls.
Both documents will need tuning for specific organizational and project requirements, but they provide a comprehensive starting template and can be especially useful for ensuring compliance requirements are met.

Contracts are the primary tool of governance between a cloud provider and a cloud customer (this is true for public and private cloud). The contract is your only guarantee of any level of service or commitment, assuming there is no breach of contract, which tosses everything into a legal scenario. Contracts are the primary tool to extend governance into business partners and providers.

Supplier (Cloud Provider) Assessments
These assessments are performed by the potential cloud customer using available information and allowed processes/techniques. They combine contractual and manual research with third-party attestations (legal statements often used to communicate the results of an assessment or audit) and technical research.
They are very similar to any supplier assessment and can include aspects like financial viability, history, feature offerings, third-party attestations, feedback from peers and so on.

The Cloud Security Alliance STAR Registry
This is an assurance program and documentation registry for cloud provider assessments based on the CSA Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire.
Some providers also disclose documentation for additional certifications and assessments (including self-assessments).

10
Q

The following list of controls belongs to which domain of the CCM?

GRM 04 - Management Program

GRM 05 - Support / Involvement

GRM 06 - Policy

GRM 07 - Policy Enforcement

A.Data Center Security
B.Encryption and Key Management
C.Governance and Risk Management
D.Change Control & Configuration Management

A

C.Governance and Risk Management

Explanation:
The following list of controls belongs to the Governance and Risk Management domain of the CCM:

GRM-01 Baseline Requirements
GRM-02 Data Focus Risk Assessments
GRM-03 Management Oversight
GRM-04 Management Program
GRM-05 Management Support/Involvement
GRM-06 Management Policy
GRM-07 Policy Enforcement
GRM-08 Policy Impact on Risk Assessment
GRM-09 Policy Reviews
GRM-10 Risk Assessments
GRM-11 Risk Management Framework

11
Q

Cloud service providers leverage which of the following to manage costs and enable capabilities?

A.On-demand self-service
B.Broad Network Access
C.Economies of Scale
D.Measured Service
E.Resource Pooling
A

C.Economies of Scale

Explanation:
Cloud service providers try to leverage economies of scale to manage costs and enable capabilities.
This means creating extremely standardized services (including contracts and service level agreements) that are consistent across all customers.
Governance models can't necessarily treat cloud providers the same way they would treat dedicated external service providers, which typically customize their offerings, including legal agreements, for each client.

12
Q

In which of the five main phases of secure application design and development would you perform Threat Modeling?

A.Training
B.Define
C.Design
D.Develop
E.Test
A

C.Design

Explanation:
During the application design process, especially when PaaS is involved, the focus for security in the cloud is on architecture, the cloud provider's baseline capabilities, cloud provider features, and automating and managing security for deployment and operations.
We find that there are often significant security benefits to integrating security into the application architecture, since there are opportunities to leverage the provider's own security capabilities.
For example, inserting a serverless load balancer or message queue could completely block certain network attack paths.
This is also where you perform threat modeling, which must also be cloud and provider/platform specific.

13
Q

All services from a particular provider meet the same audit/assessment standards.

A.True
B.False

A

B.False

Explanation:
All services from a particular provider may not meet the same audit/assessment standards.
They can vary.

14
Q

In the United States, a party is obligated to take reasonable steps to prevent the destruction or modification of data in its possession that it knows is relevant to pending litigation or a government investigation.

A.True
B.False

A

A.True

Explanation:
In the United States, a party is generally obligated to undertake reasonable steps to prevent the destruction or modification of data in its possession, custody or control that it knows, or reasonably should know, is relevant either to pending or reasonably anticipated litigation or a government investigation.

15
Q

The nature of contracts with cloud providers will often preclude things like on-premises audits.
What options does the customer have in this situation?

A.Remote Audit of Provider Services
B.Service Level Agreement
C.Non Disclosure Agreement
D.Third Party Certification
E.Third Party Attestation
A

E.Third Party Attestation

Explanation:
Some cloud customers may be used to auditing third-party providers, but the nature of cloud computing and contracts with cloud providers will often preclude things like on-premises audits.

Customers should understand that providers can (and often should) consider on-premises audits a security risk when providing multitenant services.

Multiple on-premises audits from large numbers of customers present clear logistical and security challenges, especially when the provider relies on shared assets to create the resource pools.

Customers working with these providers will have to rely more on third-party attestations rather than audits they perform themselves.

Depending on the audit standard, actual results may only be releasable under an NDA, which means customers will need to enter into a basic legal agreement before gaining access to attestations for risk assessments or other evaluative purposes.

This is often due to legal or contractual requirements with the audit firm, not due to any attempt at obfuscation by the cloud provider.

16
Q

A cloud user does not require special permission to perform a vulnerability assessment on its environment in the cloud.

A.True
B.False

A

B.False

Explanation:
Certain types of customer technical assessments and audits (such as vulnerability assessments) may be limited in the provider's terms of service and may require permission.
This is often to help the provider distinguish between a legitimate assessment and an attack.

17
Q

All assets in the cloud require some business continuity.

A.True
B.False

A

B.False

Explanation:
Overall, a risk-based approach is key:
Not all assets need equal continuity.
Don't drive yourself crazy by planning for full provider outages just because of the perceived loss of control.
Look at historical performance.
Strive to design for RTOs and RPOs equivalent to those on traditional infrastructure.

18
Q

Which of the following is a key tool in enabling and enforcing separation and isolation in multi-tenancy?

A.Infrastructure
B.Infostructure
C.Applistructure
D.Metastructure

A

D.Metastructure

Explanation:
The management plane is a key tool for enabling and enforcing separation and isolation in multitenancy.

Limiting who can do what with the APIs is one important means for segregating out customers, or different users within a single tenant.
Resources are in the pool, out of the pool, and where they are allocated.

19
Q

Which of the following statements regarding service administrator accounts is not true?

A.Service administrator accounts are more suited for common daily use
B.Service administrator accounts help compartmentalize individual sessions
C.Service administrator accounts can expose the entire deployment
D.Service administrator accounts manage parts of the service

A

C.Service administrator accounts can expose the entire deployment

Explanation:
Service administrator accounts don't necessarily expose the entire deployment if they are abused or compromised, and thus are better for common daily usage.
Your platform or provider may support low-level admin accounts that can only manage parts of the service.
We sometimes call these service admins or day-to-day admins.
These accounts don't necessarily expose the entire deployment if they are abused or compromised, and thus are better for common daily usage.
They also help compartmentalize individual sessions, so it isn't unusual to allow a single human admin access to multiple service admin accounts (or roles) so they can log in with the privileges they need for that particular action instead of having to expose a much wider range of entitlements.

20
Q

Business Continuity and Disaster Recovery is not a shared responsibility, and the cloud user is completely responsible for it.

A.True
B. False

A

B. False

Explanation:
Like security and compliance, BC/DR is a shared responsibility.
There are aspects that the cloud provider has to manage, but the cloud customer is also ultimately responsible for how they use and manage the cloud service.
This is especially true when planning for outages of the cloud provider (or parts of the cloud provider's service).

21
Q

Which of the following statements regarding SDN (Software Defined Networking) is not true?

A. SDN firewalls apply more flexible criteria than hardware-based firewalls
B. SDN firewalls apply to single assets or groups of assets
C.SDN firewall rules can be applied to any asset or groups of assets with a particular tag
D.SDN firewalls define rules can apply to a specific network location only (within a given virtual network)
E.SDN firewalls can define both ingress and egress rules

A

D.SDN firewalls define rules can apply to a specific network location only (within a given virtual network)

Explanation:
SDN firewalls (i.e., security groups) can apply to assets based on more flexible criteria than hardware-based firewalls, since they are not limited by physical topology.
SDN firewalls are typically policy sets that define ingress and egress rules that can apply to single assets or groups of assets, regardless of network location (within a given virtual network).
For example, you can create a set of firewall rules that apply to any asset with a particular tag.

22
Q

Which of the following WAN virtualization technologies is used to create networks which span multiple base networks?

A.Cloud overlay networks
B.Virtual private networks
C.Virtual private cloud
D.Network peering

A

A.Cloud overlay networks

Explanation:
Cloud overlay networks are a special kind of WAN virtualization technology for creating networks that span multiple base networks.
For example, an overlay network could span physical and cloud locations or multiple cloud networks, perhaps even on different providers.

23
Q

Who manages the web console, which is one of the ways the management plane is delivered?

A.Super Admin User
B.Cloud Access Security Broker
C.Cloud Provider
D.Cloud User

A

C.Cloud Provider

Explanation:
Web consoles are managed by the provider.
They can be organization-specific (typically using DNS redirection tied to federated identity).
For example, when you connect to your cloud file sharing application, you are redirected to your own version of the application after you log in.
This version will have its own domain name associated with it, which allows you to integrate more easily with federated identity.

24
Q

Logs, documentation and other materials that are needed for audits and compliance, and are used as evidence to support compliance activities, are called:

A.Audit Proof
B.Audit Evidence
C.Audit Trail
D.Artifacts
E.Log Trail
A

D.Artifacts

Explanation:
Artifacts are the logs, documentation and other materials needed for audits and compliance; they are the evidence to support compliance activities.
Both providers and customers have responsibilities for producing and managing their respective artifacts.

25
Q

Which of the following defines the ease with which application components are moved and reused elsewhere regardless of provider, platform, OS, infrastructure, location, storage, the format of data, or APIs?

A.Intraoperability
B. Interoperability
C. Portability
D.Movability

A

C. Portability

Explanation:
Portability defines the ease with which application components are moved and reused elsewhere regardless of provider, platform, OS, infrastructure, location, storage, the format of data, or APIs.

Intraoperability is the requirement for the components of a cloud ecosystem to work together to achieve their intended result.
In a cloud computing ecosystem the components may well come from different sources, both cloud and traditional, public and private cloud implementations (known as hybrid cloud).

Interoperability mandates that those components should be replaceable by new or different components from different providers and continue to work, as should the exchange of data between systems.

26
Q

Which of the following is an underlying vulnerability related to loss of governance?

A.Lack of reputational isolation
B. Lack of resource isolation
C.Hypervisor vulnerabilities
D.Unclear asset ownership
E.Lack of supplier redundancy
A

D.Unclear asset ownership

Explanation:
Vulnerabilities related to lack of governance are:
-Unclear roles and responsibilities
-Poor enforcement of role definitions
-Synchronizing responsibilities of contractual obligations external to cloud
-SLA clauses with conflicting promises to different stakeholders
-Audit or certifications not available to customers
-Cross-cloud applications creating hidden dependency
-Lack of standard technologies and solutions
-Storage of data in multiple jurisdictions and lack of transparency about this
-No source escrow agreement
-No control on vulnerability assessment process
-Certification schemes not adapted to cloud infrastructure
-Lack of information on jurisdictions
-Lack of completeness and transparency in terms of use
-Unclear asset ownership

27
Q

Which of the following is not one of the five key legal issues common across all scenarios?

A. Data Protection
B.Confidentiality
C.Intellectual Property
D.Professional Negligence
E.Global Proliferation
A

E.Global Proliferation

Explanation:

  1. Data Protection (availability and integrity) (minimum standard or guarantee)
  2. Confidentiality
  3. Intellectual Property
  4. Professional Negligence
  5. Outsourcing services and changes in control

28
Q

Which of the following is a key area of control for the cloud provider network architecture?

A.SANS Checklist
B.DDoS
C.Anti-virus
D. Hardened Virtualized Image
E.Host Based Intrusion Prevention Service (IPS)
A

B.DDoS

Explanation:
Network Architecture Controls:
Define the controls used to mitigate DDoS attacks.
Defense in depth (deep packet analysis, traffic throttling, packet black holing).
Do you have defenses against internal attacks (originating from the cloud provider's networks) as well as external attacks (originating from the Internet or customer networks)?
What levels of isolation are used?
For virtual machines, physical machines, network, storage (i.e., storage area networks), management networks and management support systems, etc.

29
Q

Which of the following can the cloud provider implement to mitigate credential compromise or theft?

A.Separation of roles and responsibilities
B.Automated inventory of all assets
C.Federated method of authentication
D.Hardening of virtual machines using industry standards
E.Anomaly Detection

A

E.Anomaly Detection

Explanation:
Credential Theft or Compromise

Do you provide anomaly detection (the ability to spot unusual and potentially malicious IP traffic and user or support team behavior)?
For example, analysis of failed and successful logins, unusual time of day, multiple logins, etc.

What provisions exist in the event of the theft of a customer's credentials (detection, revocation, evidence or actions)?

30
Q

In which of the following service models may cloud consumers only be able to manage authorizations and entitlements?

A.SaaS
B.PaaS
C.IaaS
D.Both A & B

A

A.SaaS

Explanation:
Software as a Service
The cloud provider is responsible for nearly all security, since the cloud user can only access and manage their use of the application, and can't alter how the application works.
For example, a SaaS provider is responsible for perimeter security, logging/monitoring/auditing, and application security, while the consumer may only be able to manage authorization and entitlements.

31
Q

Which of the following statements regarding risk transfer is not true?

A.It is possible for the cloud customer to transfer risk to the cloud provider
B.All risks can be transferred
C.The level of risk may vary with the type of cloud architecture used
D.Risks should be considered against the cost benefit received from the services

A

B.All risks can be transferred

Explanation:
It is possible for the cloud customer to transfer risk to the cloud provider and the risks should be considered against the cost benefit received from the services.
However, not all risks can be transferred: if a risk leads to the failure of a business, serious damage to reputation or legal implications, it is hard or impossible for any other party to compensate for this damage.

32
Q

When it comes to securing the management plane, how are access identification, authentication and authorization implemented?

A.Identity and Access Management
B. Your directory service manages how your cloud providers are managed
C.Cloud providers provide the access layer; you must also have a directory service to get authentication
D.Authentication is based on your authentication provider and the cloud provider provides the access and authorization controls

A

A.Identity and Access Management

Explanation:
IAM includes identification, authentication, and authorization (including access management).
This is how you determine who can do what within your cloud platform or provider.

33
Q

How will you ensure that you have provided sufficient encryption protection to your data in the cloud?

A. Ensure that you are encrypting your data as it moves to the cloud
B. Do not encrypt the data when it is close to the cloud
C. Encrypt the data at rest when it is stored in the cloud
D. Encrypt the data only as it leaves the cloud
E. Both A and C

A

E. Both A and C

Explanation:
Ensure that you are protecting your data as it moves to the cloud.
This necessitates understanding your provider's data migration mechanisms, as leveraging provider mechanisms is often more secure and cost effective than manual data transfer methods.
Use the appropriate encryption option based on the threat model for your data, business, and technical requirements.

34
Q

How can web security as a service be offered to the cloud customer?

A. Either on-premise through software and/or appliance installation
B. Via the Cloud using proxy or redirecting web traffic to the cloud provider
C. By using separate VLANs
D. Both B & C
E. Both A & B

A

E. Both A & B

Explanation:
Web Security (Web Security Gateways): real-time web security protection, offered either on-premise through software and/or appliance installation, or via the cloud by proxying or redirecting web traffic to the cloud provider (or a hybrid of both).
This provides an added layer of protection on top of other protection, such as anti-malware software, to prevent malware from entering the enterprise via activities such as web browsing.
In addition, it can also enforce policy and provide an extra level of granular and contextual security enforcement for web applications.

35
Q

Which of the following is among the top security benefits?

A. Compatibility with customer IT services and infrastructure
B. Data Protection
C. Lock-In
D. More timely, effective and efficient updates and default
E. Certifications and Accreditations

A

D. More timely, effective and efficient updates and default

Explanation:
More timely, effective updates and defaults is among the top security benefits: default virtual machine images and software modules used by customers can be pre-hardened and updated with the latest patches and security settings according to fine-tuned processes. IaaS cloud service APIs also allow snapshots of virtual infrastructure to be taken regularly and compared with a baseline.
Updates can be rolled out many times more rapidly across a homogeneous platform than in traditional client-based systems that rely on the patching model.

36
Q

Which of the following reflects the claim of an individual to have certain data deleted so that third persons can no longer trace them?

A. Rights to be Deleted
B. Rights to be Erased
C. Right to Non-Disclosure
D. Right to be Forgotten
E. Right to Privacy
A

D. Right to be Forgotten

Explanation:
The right to be forgotten "reflects the claim of an individual to have certain data deleted so that third persons can no longer trace them".

Data Subjects Rights
Data subjects have rights to information regarding the processing of their data: the right to object to certain uses of their personal data; to have their data corrected or erased; to be compensated for damages suffered as a result of unlawful processing; the right to be forgotten; and the right to data portability.
The existence of these rights significantly affects cloud service relationships.

37
Q

In which type of environment is it impractical to allow clients to conduct their own audits?

A.Long Distance Relationships
B. Multi-tenant Environment
C. Dedicated Environment
D. Multi-Application Environment

A

B. Multi-tenant Environment

Explanation:
Bit-by-bit imaging of a cloud data source is generally difficult or impossible.
For obvious security reasons, providers are reluctant to allow access to their hardware, particularly in a multitenant environment where a client could gain access to other clients' data.
Even in a private cloud, forensics may be extremely difficult, and clients may need to notify opposing counsel or the courts of these limitations.
Luckily, this type of forensic analysis is rarely warranted in cloud computing, because the environment often consists of a structured data hierarchy or virtualization that does not provide significant additional relevant information in a bit-by-bit analysis.

38
Q

Which of the following is not one of the benefits of Cloud Computing?

A.Agility
B.Resiliency
C.Economy
D.Vendor Lock In

A

D.Vendor Lock In

Explanation:
Vendor lock-in could be a disadvantage of cloud computing.

39
Q

Which of the following statements is true for orchestration?

A.Orchestration is used to coordinate carving out and delivering a set of resources from the pools to the consumers
B. Orchestration abstracts the resources from the underlying physical infrastructure to create pools
C. Orchestration allows the cloud provider to divvy up resources to different groups
D. Orchestration ensures that different groups can't see or modify each other's assets

A

A.Orchestration is used to coordinate carving out and delivering a set of resources from the pools to the consumers

Explanation:
The key techniques to create a cloud are abstraction and orchestration.
We abstract (abstraction) the resources from the underlying physical infrastructure to create our pools and use orchestration (and automation) to coordinate carving out and delivering a set of resources from the pools to the consumers.
As you will see, these two techniques create all the essential characteristics we use to define something as a cloud.
The difference between cloud computing and traditional virtualization: virtualization abstracts resources, but it typically lacks the orchestration to pool them together and deliver them to customers on demand, instead relying on manual processes.
Segregation allows the cloud provider to divvy up resources to the different groups, and isolation ensures they can't see or modify each other's assets.

40
Q

Which communication method is used by customers to access database information using a web console?

A. Cross-Origin Resource Sharing (CORS)
B. Application Programming Interface (API)
C. Security Assertion Markup Language (SAML)
D. Extensible Markup Language (XML)
E. Software Development Kits (SDK)

A

B. Application Programming Interface (API)

Explanation:
The customer manages the database via API (and a web console) and accesses it either through the normal database network protocols, or again via an API.

One option, frequently seen in the real world is to build a platform on top of IaaS.
A layer of integration and middleware is built on IaaS, then pooled together, orchestrated and exposed to customers using APIs as PaaS.
For example, a Database as a Service could be built by deploying modified database management system software on instances running IaaS.
The customer manages the database via API (and a web console) and accesses it either through the normal database network protocols, or again via an API.

41
Q

Which plane is used by consumers to launch virtual machines or configure virtual networks?

A. Infrastructure Plane
B. Cloud Control Plane
C. Management Plane
D. Application Plane
E. Virtual Plane
A

C. Management Plane

Explanation:
In most cases, those APIs are both remotely accessible and wrapped into a web-based user interface.
This combination is the cloud management plane, since consumers use it to manage and configure the cloud resources, such as launching virtual machines (instances) or configuring virtual networks.
From a security perspective, it is both the biggest difference from protecting physical infrastructure (since you can't rely on physical access as a control) and the top priority when designing a cloud security program.

42
Q

Which of the following allows you to create an Infrastructure template to configure all or some aspects of a cloud deployment?

A. Metastructure
B. Infostructure
C. Software-Defined Infrastructure
D. Applistructure
E. Infrastructure
A

C. Software-Defined Infrastructure

Explanation:
Software-Defined Infrastructure allows you to create an infrastructure template to configure all or some aspects of a cloud deployment.

Software-Defined Infrastructure allows you to create an infrastructure template to configure all or some aspects of a cloud deployment.
These templates are then translated natively by the cloud platform into API calls that orchestrate the configuration.

43
Q

A dedicated or private tenancy model is not possible in a cloud environment.

A. True
B. False

A

B. False

Explanation:
In some environments dedicated/private tenancy is possible, but typically at a higher cost.
With this model only designated workloads run on a designated physical server.
Costs increase in public cloud as a consumer since you are taking hardware out of the general resource pool, but also in private cloud, due to less efficient use of internal resources.

44
Q

Which of the following leverages virtual network topologies to run smaller, and more isolated networks without incurring additional hardware costs?

A. Microsegmentation
B. VLANs
C. Converged Networking
D. Virtual Private Networks
E. Virtual Private Cloud
A

A. Microsegmentation

Explanation:
Microsegmentation (also sometimes referred to as hypersegregation) leverages virtual network topologies to run more, smaller, and more isolated networks without incurring the additional hardware costs that historically made such models prohibitive.
Since the entire networks are defined in software without many of the traditional addressing issues, it is far more feasible to run these multiple, software-defined environments.

45
Q

Which of the following is a form of compliance inheritance in which all or some of the cloud provider's infrastructure and services undergo an audit to a compliance standard?

A. Policy Audit
B. Pass-through Audit
C. Third Party Audit
D. Compliance Audit

A

B. Pass-through Audit

Explanation:
Many cloud providers are certified for various regulations and industry requirements, such as PCI DSS, SOC1, SOC2, HIPAA, best practices/frameworks like CSA CCM, and global/regional regulations like the EU GDPR.
These are sometimes referred to as pass-through audits.
A pass-through audit is a form of compliance inheritance.
In this model all or some of the cloud provider's infrastructure and services undergo an audit to a compliance standard.
The provider takes responsibility for the costs and maintenance of these certifications.

46
Q

Which of the following is an important consideration in management plane usage?

A. Segregation of Duties
B. Least Privilege
C. Multi-factor Authentication
D. Biometric Authentication
E. Authorization
A

B. Least Privilege

Explanation:
Both providers and consumers should consistently only allow the least privilege required for users, applications and other management plane usage.
All privileged user accounts should use multi-factor authentication (MFA).
If possible, all cloud accounts (even individual user accounts) should use MFA.
It's one of the single most effective security controls to defend against a wide range of attacks.
This is also true regardless of the service model: MFA is just as important for SaaS as it is for IaaS.

47
Q

PaaS needs to be built on top of IaaS and it cannot be a custom-designed stand-alone architecture.

A.True
B.False

A

B.False

Explanation:
PaaS doesn't necessarily need to be built on top of IaaS; there is no reason it cannot be a custom-designed stand-alone architecture.

PaaS doesn't necessarily need to be built on top of IaaS; there is no reason it cannot be a custom-designed stand-alone architecture.
The defining characteristic is that consumers access and manage the platform, not the underlying infrastructure (including cloud infrastructure).

48
Q

The key difference between cloud and traditional computing is the infrastructure.

A.True
B.False

A

B.False

Explanation:
The key difference between cloud and traditional computing is the metastructure.

Metastructure is the protocols and mechanisms that provide the interface between the infrastructure layer and the other layers.
It is the glue that ties the technologies together and enables management and configuration.
Cloud metastructure includes the management plane components, which are network-enabled and remotely accessible.

49
Q

Which of the following tools provide a standard template for cloud providers to document their security and compliance controls?

A. Consensus Assessments Initiative Questionnaire
B. Cloud Control Matrix
C. Cloud Provider Contracts
D. Supplier (Cloud Provider) Assessments
E. Cloud Security Alliance STAR Registry
A

A. Consensus Assessments Initiative Questionnaire

Explanation:
The Consensus Assessments Initiative Questionnaire (CAIQ) is a tool from the Cloud Security Alliance (CSA) that provides a standard template for cloud providers to document their security and compliance controls.

50
Q

Which of the following statements about CSA's CCM and Security Guidance is not true?

A. CSA’s CCM provides a set of controls and maps them to multiple security and compliance standards
B. CSA's CCM tells you what to do. CSA's Security Guidance tells you how to do it
C. CSA’s Security Guidance provides a set of best practices and recommendations
D. CSA’s Security Guidance tells you WHAT to do. The CCM tells you HOW to do it

A

D. CSA’s Security Guidance tells you WHAT to do. The CCM tells you HOW to do it

Explanation:
The Cloud Control Matrix (CCM) lists cloud security controls and maps them to multiple security and compliance standards.
CCM can also be used to document security responsibilities (WHAT to do).
CSA's Security Guidance provides a set of best practices and recommendations (HOW to do it).

51
Q

What is the role of the Scope Applicability column in the CCM?

A. Applicability of controls in the domains
B. Maps the existing industry standards to the controls in the domains
C. Overall applicability of the domain
D. Shows architecture elements that are related to a given control

A

B. Maps the existing industry standards to the controls in the domains

Explanation:
The Scope Applicability column in the CCM maps existing industry standards like PCI DSS, NIST SP800-53 R3, ISO/IEC 27001-2005, HIPAA/HITECH Act, GAPP, ENISA IAF, COBIT etc. to the controls in the domains.

52
Q

The Cloud Security Alliance STAR Registry is used for which of the following purposes?

A.Used by cloud providers to document their security and compliance controls
B.List all cloud security controls mapped to multiple security standards
C. To publicly release certifications and attestations
D. Used by cloud providers to keep all the service contracts and service level agreements

A

C. To publicly release certifications and attestations

Explanation:
Cloud providers should understand that customers still need assurance that the provider meets their contractual and regulatory obligations, and should thus provide rigorous third-party attestations to prove they meet their obligations, especially when the provider does not allow direct customer assessments.
These should be based on industry standards, with clearly defined scopes and the list of specific controls evaluated.

Publishing certifications and attestations (to the degree legally allowed) will greatly assist cloud customers in evaluating providers.
The Cloud Security Alliance STAR Registry offers a central repository for providers to publicly release these documents.

53
Q

Attestations and certifications are activities that will be valid at any future point in time and providers must keep any published results readily available for quick reference.

A. True
B. False

A

B. False

Explanation:
Attestations and certifications are point-in-time activities.
It's important to remember that attestations and certifications are point-in-time activities.
An attestation is a statement of an "over a period of time" assessment and may not be valid at any future point.
Providers must keep any published results current or they risk exposing their customers to risks of non-compliance.
Depending on contracts, this could even lead to legal exposures for the provider.
Customers are also responsible for ensuring they rely on current results and track when their providers' statuses change over time.

54
Q

The management plane controls and configures which of the following:

A. Infrastructure
B. Metastructure
C. Infostructure
D. Applistructure

A

B. Metastructure

Explanation:
The management plane controls and configures the metastructure and is also part of the metastructure itself.

As a reminder, cloud computing is the act of taking physical assets (like networks and processors) and using them to build resource pools.
Metastructure is the glue and guts to create, provision, and de-provision the pools.
The management plane includes the interfaces for building and managing the cloud itself, but also the interfaces for cloud users to manage their own allocated resources of the cloud.

55
Q

Identity and Access Management (IAM) includes which of the following?

A.Identification, Authentication and Authorization
B. Identification, Authentication, Authorization and Non-repudiation
C. Identification, authentication, authorization and encryption
D. Identification, Authentication, Authorization and Delegation
E. Identification, Authentication, Authorization and Deletion

A

A.Identification, Authentication and Authorization

Explanation:
Identity and Access Management (IAM) includes identification, authentication and authorization (including access management).
This is how you determine who can do what within your cloud platform provider.

56
Q

How can a single administrator access multiple service administrator accounts with just the privileges they need for that particular action?

A. Using Groups
B. Using Assertions
C. Using Roles
D. Using Provider Policies
E. Using Custom Policies
A

C. Using Roles

Explanation:
A single human administrator can access multiple service administrator accounts using roles.
Your platform or provider may support lower-level administrative accounts that can only manage parts of the service.
We sometimes call these "service administrators" or "day to day administrators".
These accounts don't necessarily expose the entire deployment if they are abused or compromised and thus are better for common daily usage.
They also help compartmentalize individual sessions, so it isn't unusual to allow a single human administrator access to multiple service admin accounts (or roles) so they can log in with just the privilege they need for that particular action instead of having to expose a much wider range of entitlements.

57
Q

Which process is used to determine and defend the applications from any weakness before they are introduced into production?

A. Threat Modeling
B. Vulnerability Assessment
C. Penetration Testing
D. OWASP
E. STRIDE
A

A. Threat Modeling

Explanation:
Application security encompasses an incredibly complex and large body of knowledge: everything from early design and threat modeling to maintaining and defending production applications.

Design
During the application design process, especially when PaaS is involved, the focus for security in cloud is on architecture, the cloud provider's baseline capabilities, cloud provider features, and automating and managing security for deployment and operations.
We find that there are often significant security benefits to integrating security into the application architecture since there are opportunities to leverage the provider's own security capabilities.
For example, inserting a serverless load balancer or message queue could completely block certain network attack paths.
This is also where you perform threat modeling, which must also be cloud and provider/platform specific.

58
Q

Which of the following is true about the pass-through audit which is a form of compliance inheritance?

A. Provider's infrastructure is not within the scope of the customer's audit/assessment
B. Everything the customer builds on top of the Provider's infrastructure is out of scope
C. Provider's infrastructure is within the scope of the customer's audit/assessment
D. Customer is not responsible for maintaining compliance as the Provider is already compliant

A

A. Provider's infrastructure is not within the scope of the customer's audit/assessment

Explanation:
A pass-through audit is a form of compliance inheritance.
In this model all or some of the cloud provider's infrastructure and services undergo an audit to a compliance standard.
The provider takes responsibility for the costs and maintenance of these certifications.
Provider audits, including pass-through audits, need to be understood within their limitations:
- They certify that the provider is compliant.
- It is still the responsibility of the customer to build compliant applications and services on the cloud.
- This means the provider's infrastructure/services are not within scope of a customer's audit/assessment, but everything the customer builds themselves is still within scope.
- The customer is still ultimately responsible for maintaining the compliance of what they build and manage.
For example, if an IaaS provider is PCI DSS-certified, the customer can build their own PCI-compliant service on that platform and the provider's infrastructure and operations should be outside the customer's assessment scope.
However, the customer can just as easily run afoul of PCI and fail their assessment if they don't design their own application running in the cloud properly.

59
Q

When entrusting a third party to process the data on its behalf, who remains responsible for the collection and processing of the data?

A. Data Processor
B. Data Controller
C. Data Analyzer
D. Data Protector

A

B. Data Controller

Explanation:
When entrusting a third party to process data on its behalf (a data processor), a data controller remains responsible for the collection and processing of that data.
The data controller is required to ensure that any such third parties take adequate technical and organizational security measures to safeguard the data.

60
Q

SLAs may limit a client's ability to collect large volumes of data quickly and in a forensically sound manner.

A. True
B. False

A

A. True

Explanation:
In most cases, a client's access to its data in the cloud will be determined by its SLA.

This may limit its ability to collect large volumes of data quickly and in a forensically sound manner (i.e. with all reasonably relevant metadata preserved).
Clients and cloud providers should consider this issue at the outset of their relationship and establish a protocol (and cost) for extraordinary access in the case of litigation.
Absent these agreements, clients are responsible for the extra time and cost implicated by collection in the cloud when making representations to requesting parties and courts.