CCSK Practice Exam 2 (WhizLabs) Flashcards
In which phase of the application design and development process is the focus on architecture?
A.Training B.Define C.Design D.Develop E.Test
C.Design
Explanation:
Design
During the application design process, especially when PaaS is involved, the focus for security in the cloud is on architecture, the cloud provider's baseline capabilities, cloud provider features, and automating and managing security for deployment and operations.
There are often significant security benefits to integrating security into the application architecture, since there are opportunities to leverage the provider's own security capabilities.
For example, inserting a serverless load balancer or message queue could completely block certain network attack paths.
This is also where you perform threat modeling, which must also be cloud and provider/platform specific.
Which of the following governance domains focuses on proper and adequate incident detection, response, notification and remediation?
A.Infrastructure Security B.Information Governance and Enterprise Risk Management C.Compliance and Audit Management D.Incident Response E.Information Governance
D.Incident Response
Explanation:
The Incident Response Lifecycle as defined in NIST SP 800-61 includes the following phases and major activities:
Detection and Analysis:
Alerts
Endpoint protection, network security monitoring, host monitoring, account creation, privilege escalation, other IoCs, SIEM, security analytics (baseline and anomaly detection), end user behavior analytics
-Validate Alerts (reducing false positives) and escalation
-Estimate the scope of the incident
-Assign an Incident Manager who will coordinate further actions
-Designate a person who will communicate the incident containment and recovery status to senior management
-Build a timeline of the attack
-Determine the extent of the potential data loss
-Notification and coordination activities
-Containment, eradication and recovery
Containment
Taking systems offline. Considerations for data loss versus service availability. Ensuring systems don't destroy themselves upon detection.
Eradication and Recovery
Clean up compromised devices and restore systems to normal operations. Confirm systems are functioning properly. Deploy controls to prevent similar incidents.
Documenting the incident and gathering evidence (chain of custody)
The main difference between traditional virtualization and cloud computing is abstraction
A. True
B. False
B. False
Explanation:
Virtualization abstracts resources, but it typically lacks the orchestration to pool them together and deliver them to customers on demand, instead relying on manual processes
The key techniques to create a cloud are abstraction and orchestration.
We abstract the resources from the underlying physical infrastructure to create our pools, and use orchestration (and automation) to coordinate carving out and delivering a set of resources from the pools to the consumers.
As you will see, these two techniques create all the essential characteristics we use to define something as a cloud
Which of the following is a cloud infrastructure that is shared by several organizations and supports a specific group that has shared concerns?
A.Public Cloud B.Private Cloud C.Community Cloud D.Hybrid Cloud E.Common Cloud
C.Community Cloud
Explanation:
Community Cloud is the cloud infrastructure that is shared by several organizations and supports a specific community that has shared concerns (i.e. mission, security requirements, policy, or compliance considerations).
Community Cloud
It may be managed by the organizations or by a third party and may be located on-premises or off-premises.
Which of the following describes the cloud management plane?
A. APIs that are remotely accessible and those wrapped into a web-based user interface
B. Is a layer in which all types of devices and resources from different vendors and interconnected
C. Is a layer where the data center is the component element
D. Is a layer consisting of plenty of vendors and third party applications
A. APIs that are remotely accessible and those wrapped into a web-based user interface
Explanation:
APIs are both remotely accessible and wrapped into a web based user interface.
This combination is the cloud management plane, since consumers use it to manage and configure the cloud resources, such as launching virtual machines (instances) or configuring virtual networks.
Option B describes the infrastructure layer.
Option C describes the cloud control plane.
Option D describes the application plane.
If an attacker gets into your management plane, they have full remote access to your entire cloud environment
A. True
B. False
A. True
Explanation:
If an attacker gets into your management plane, they potentially have full remote access to your entire cloud
The data and information like content in database or file storage are part of which layer of Logical Model?
A.Infrastructure
B. Metastructure
C.Infostructure
D.Applistructure
C.Infostructure
Explanation:
The data and information: content in a database, file storage, etc. is part of the Infostructure.
At a high level, both cloud and traditional computing adhere to a logical model that helps identify different layers based on functionality.
This is useful to illustrate the differences between the different computing models themselves:
Infrastructure
The core components of a computing system: compute, network, and storage. The foundation that everything is built on; the moving parts.
Metastructure
The protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The glue that ties the technologies together and enables management and configuration.
Infostructure
The data and information. Content in a database, file storage, etc.
Applistructure
The applications deployed in the cloud and the underlying application services used to build them.
For example, PaaS features like message queues, artificial intelligence analysis, or notification services.
Which of the following is the most commonly used application programming interface?
A. REST
B.SOAP
C. HTTP
D. JSON
A. REST
Explanation:
Most cloud APIs these days use REST (Representational State Transfer), which runs over the HTTP protocol, making it extremely well suited for Internet services.
APIs are typically the underlying communications method for components within a cloud, some of which (or an entirely different set) are exposed to the cloud user to manage their resources and configurations.
Which of the following tools lists cloud security controls and maps them to multiple security and compliance standards?
A.Consensus Assessments Initiative Questionnaire B.Cloud Controls Matrix C.Cloud Provider Controls D. Supplier (Cloud Provider) Assessments E.Cloud Security Alliance STAR Registry
B.Cloud Controls Matrix
Explanation:
The Cloud Controls Matrix (CCM) lists cloud security controls and maps them to multiple security and compliance standards. The CCM can also be used to document security responsibilities
The Consensus Assessments Initiative Questionnaire (CAIQ) is a standard template for cloud providers to document their security and compliance controls
Both documents will need tuning for specific organizational and project requirements, but they provide a comprehensive starting template and can be especially useful for ensuring compliance requirements are met.
Contracts are the primary tool of governance between a cloud provider and a cloud customer (this is true for public and private cloud). The contract is your only guarantee of any level of service or commitment, assuming there is no breach of contract, which tosses everything into a legal scenario. Contracts are also the primary tool to extend governance into business partners and providers.
Supplier (Cloud Provider) Assessments
These assessments are performed by the potential cloud customer using available information and allowed processes/techniques. They combine contractual and manual research with third-party attestations (legal statements often used to communicate the results of an assessment or audit) and technical research.
They are very similar to any supplier assessment and can include aspects like financial viability, history, feature offerings, third-party attestations, feedback from peers and so on
The Cloud Security Alliance STAR Registry
This is an assurance program and documentation registry for cloud provider assessments based on the CSA Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire.
Some providers also disclose documentation for additional certifications and assessments (including self-assessments)
The following list of controls belongs to which domain of the CCM?
GRM 04 - Management Program
GRM 05 - Support / Involvement
GRM 06 - Policy
GRM 07 - Policy Enforcement
A.Data Center Security
B.Encryption and Key Management
C.Governance and Risk Management
D.Change Control & Configuration Management
C.Governance and Risk Management
Explanation:
The following controls belong to the Governance and Risk Management domain of the CCM:
GRM-01 Baseline Requirements
GRM-02 Data Focus Risk Assessments
GRM-03 Management Oversight
GRM-04 Management Program
GRM-05 Management Support/Involvement
GRM-06 Management Policy
GRM-07 Policy Enforcement
GRM-08 Policy Impact on Risk Assessment
GRM-09 Policy Reviews
GRM-10 Risk Assessments
GRM-11 Risk Management Framework
Cloud service providers leverage which of the following to manage costs and enable capabilities?
A.On-demand self-service B.Broad Network Access C.Economies of Scale D.Measured Service E.Resource Pooling
C.Economies of Scale
Explanation:
Cloud service providers try to leverage economies of scale to manage costs and enable capabilities.
This means creating extremely standardized services (including contracts and service level agreements) that are consistent across all customers.
Governance models can't necessarily treat cloud providers the same way they would treat dedicated external service providers, which typically customize their offerings, including legal agreements, for each client.
In which of the five main phases of secure application design and development, would you perform Threat Modeling?
A.Training B.Define C.Design D.Develop E.Test
C.Design
Explanation:
During the application design process, especially when PaaS is involved, the focus for security in the cloud is on architecture, the cloud provider's baseline capabilities, cloud provider features, and automating and managing security for deployment and operations.
We find that there are often significant security benefits to integrating security into the application architecture, since there are opportunities to leverage the provider's own security capabilities.
For example, inserting a serverless load balancer or message queue could completely block certain network attack paths.
This is also where you perform threat modeling, which must also be cloud and provider/platform specific.
All services from a particular provider meet the same audit/assessment standards
A.True
B.False
B.False
Explanation:
Not all services from a particular provider necessarily meet the same audit/assessment standards; they can vary.
In the United States, a party is obligated to take reasonable steps to prevent the destruction or modification of data in its possession that it knows is relevant to pending litigation or government investigation
A.True
B.False
A.True
Explanation:
In the United States, a party is generally obligated to undertake reasonable steps to prevent the destruction or modification of data in its possession, custody or control that it knows, or reasonably should know, is relevant either to pending or reasonably anticipated litigation or a government investigation
The nature of contracts with cloud providers will often preclude things like on-premises audits.
What options does the customer have in this situation?
A.Remote Audit of Provider Services B.Service Level Agreement C.Non Disclosure Agreement D.Third Party Certification E.Third Party Attestation
E.Third Party Attestation
Explanation:
Some cloud customers may be used to auditing third-party providers, but the nature of cloud computing and contracts with cloud providers will often preclude things like on-premises audits.
Customers should understand that providers can (and often should) consider on-premises audits a security risk when providing multitenant services.
Multiple on-premises audits from large numbers of customers present clear logistical and security challenges, especially when the provider relies on shared assets to create the resource pools.
Customers working with these providers will have to rely more on third-party attestations rather than audits they perform themselves.
Depending on the audit standard, actual results may only be releasable under an NDA, which means customers will need to enter into a basic legal agreement before getting access to attestations for risk assessments or other evaluative purposes.
This is often due to legal or contractual requirements with the audit firm, not due to any attempt at obfuscation by the cloud provider.
A cloud user does not require special permission to perform a vulnerability assessment on its environment in the cloud
A.True
B.False
B.False
Explanation:
Certain types of customer technical assessments and audits (such as vulnerability assessments) may be limited in the provider's terms of service and may require permission.
This is often to help the provider distinguish between a legitimate assessment and an attack.
All assets in the cloud require some business continuity
A.True
B.False
B.False
Explanation:
Overall, a risk based approach is key:
Not all assets need equal continuity
Don't drive yourself crazy by planning for full provider outages just because of the perceived loss of control.
Look at historical performance
Strive to design for RTOs and RPOs equivalent to those on traditional infrastructure
Which of the following is a key tool in enabling and enforcing separation and isolation in multi-tenancy?
A.Infrastructure
B.Infostructure
C.Applistructure
D.Metastructure
D.Metastructure
Explanation:
The management plane is a key tool for enabling and enforcing separation and isolation in multitenancy.
Limiting who can do what with the APIs is one important means of segregating customers, or different users within a single tenant.
Which resources are in the pool, which are out of the pool, and where they are allocated are all controlled via the management plane.
Which of the following statements regarding service administrator accounts is not true?
A. Service administrator accounts are more suited for common daily use
B. Service administrator accounts help compartmentalize individual sessions
C. Service administrator accounts can expose the entire deployment
D. Service administrator accounts manage parts of the service
C. Service administrator accounts can expose the entire deployment
Explanation:
Service administrator accounts don't necessarily expose the entire deployment if they are abused or compromised, and thus are better for common daily usage.
Your platform or provider may support lower-level admin accounts that can only manage parts of the service.
We sometimes call these service admins or day-to-day admins.
These accounts don't necessarily expose the entire deployment if they are abused or compromised, and thus are better for common daily usage.
They also help compartmentalize individual sessions, so it isn't unusual to allow a single human admin access to multiple service admin accounts (or roles) so they can log in with the privileges they need for that particular action instead of having to expose a much wider range of entitlements.
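The scoping described in this card, and in the management plane card above (limiting who can do what with the APIs to segregate tenants and users), as an added example that is not part of the original flashcards. The role names, action strings, the "tenant/project/resource" naming scheme and the inventory are hypothetical and do not reflect any particular provider's IAM model:

```python
"""Scoped service-admin roles versus a full deployment admin.

Added example; the action names (compute:StopInstance, iam:CreateAccessKey, ...),
the resource naming scheme "tenant/project/resource" and the inventory are
hypothetical and not any provider's real IAM model. It shows how limiting who
can do what through the management plane both separates tenants and bounds
what a compromised day-to-day admin session can reach.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Role:
    name: str
    actions: tuple      # action patterns, e.g. "compute:*"; "*" means everything
    scope: str          # resource prefix the role may act within


# Hypothetical roles. The service admin only covers the web project's compute.
ROOT_ADMIN_A = Role("root-admin", ("*",), "tenant-a/")
WEB_DAY_ADMIN = Role(
    "web-day-admin",
    ("compute:DescribeInstances", "compute:StartInstance", "compute:StopInstance"),
    "tenant-a/project-web/",
)

# Constructed inventory of resources across two tenants.
INVENTORY = (
    "tenant-a/project-web/instance/web1",
    "tenant-a/project-web/instance/web2",
    "tenant-a/project-db/instance/db1",
    "tenant-a/iam/user/alice",
    "tenant-b/project-web/instance/web1",
)


def permits(role, action, resource):
    """A role permits an action only inside its scope and only for listed actions."""
    if not resource.startswith(role.scope):
        return False
    return any(fnmatchcase(action, pattern) for pattern in role.actions)


def authorize(roles, action, resource):
    """Default deny across all roles held by the session."""
    return any(permits(r, action, resource) for r in roles)


def blast_radius(role, inventory=INVENTORY):
    """Resources a session holding this role could touch if it were compromised."""
    return sorted(r for r in inventory if r.startswith(role.scope))


if __name__ == "__main__":
    for role in (ROOT_ADMIN_A, WEB_DAY_ADMIN):
        print(role.name, "->", blast_radius(role))
```

The tenant-a root admin cannot reach tenant-b resources at all (the scope prefix is the isolation boundary), and the day-to-day admin can stop web instances but cannot touch the database project or mint IAM credentials, which is exactly the smaller blast radius the card is describing.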
Business Continuity and Disaster Recovery is not a shared responsibility and the cloud user is completely responsible for it
A.True
B. False
B. False
Explanation:
Like security and compliance, BC/DR is a shared responsibility
There are aspects that the cloud provider has to manage, but the cloud customer is also ultimately responsible for how they use and manage the cloud service.
This is especially true when planning for outages of the cloud provider (or parts of the cloud provider's service).
Which of the following statements regarding SDN (Software Defined Networking) is not true?
A. SDN firewalls apply more flexible criteria than hardware-based firewalls
B. SDN firewalls apply to single assets or groups of assets
C. SDN firewall rules can be applied to any asset or group of assets with a particular tag
D. SDN firewall rules can only apply to a specific network location (within a given virtual network)
E. SDN firewalls can define both ingress and egress rules
D. SDN firewall rules can only apply to a specific network location (within a given virtual network)
Explanation:
SDN firewalls (i.e. security groups) can apply to assets based on more flexible criteria than hardware-based firewalls, since they are not limited by physical topology.
SDN firewalls are typically policy sets that define ingress and egress rules that can apply to single assets or groups of assets, regardless of network location (within a given virtual network).
For example, you can create a set of firewall rules that apply to any asset with a particular tag.
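The tag-based rule model described above, as an added example that is not part of the original flashcards. The asset names, subnets, tags and the rule set are constructed for illustration; the matcher is stateless (it does not track established connections), which is a simplification of how real security groups behave:

```python
"""Tag-scoped ingress/egress policy evaluation, modelled on cloud security groups.

Added example; the asset names, tags, addresses and rule set below are
constructed for illustration and are not from any real provider. The matcher is
stateless (it does not track established connections), which is a
simplification of how real security groups behave.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Asset:
    name: str
    subnet: str          # where the asset happens to live; rules never look at this
    tags: frozenset


@dataclass(frozen=True)
class Rule:
    direction: str       # "ingress" or "egress"
    tag: str             # the rule applies to every asset carrying this tag
    proto: str
    port: int
    peer_cidr: str       # the remote end of the flow


# Hypothetical policy set: rules are keyed on tags, not on addresses or subnets.
POLICY = (
    Rule("ingress", "web", "tcp", 443, "0.0.0.0/0"),         # public HTTPS
    Rule("ingress", "web", "tcp", 22, "10.0.250.0/24"),      # SSH only from the bastion subnet
    Rule("egress", "web", "tcp", 5432, "10.0.20.0/24"),      # web tier may reach the db subnet
    Rule("ingress", "db", "tcp", 5432, "10.0.10.0/24"),      # db accepts only from the web subnet
)

# Constructed inventory: web1 and web2 share a tag but sit in different subnets.
WEB1 = Asset("web1", "10.0.10.0/24", frozenset({"web"}))
WEB2 = Asset("web2", "10.0.11.0/24", frozenset({"web"}))
DB1 = Asset("db1", "10.0.20.0/24", frozenset({"db"}))
UNTAGGED = Asset("scratch", "10.0.10.0/24", frozenset())


def applicable_rules(asset, policy=POLICY):
    """Every rule whose tag the asset carries applies, wherever the asset lives."""
    return [r for r in policy if r.tag in asset.tags]


def is_allowed(asset, direction, proto, port, peer_ip, policy=POLICY):
    """Default deny: a flow is allowed only if some applicable rule matches it."""
    peer = ip_address(peer_ip)
    return any(
        r.direction == direction
        and r.proto == proto
        and r.port == port
        and peer in ip_network(r.peer_cidr)
        for r in applicable_rules(asset, policy)
    )


def exposed_to_internet(assets, policy=POLICY):
    """Audit helper: which assets accept ingress from any address on some port."""
    world = ip_network("0.0.0.0/0")
    return sorted(
        a.name for a in assets
        if any(r.direction == "ingress" and ip_network(r.peer_cidr) == world
               for r in applicable_rules(a, policy))
    )


if __name__ == "__main__":
    for asset in (WEB1, WEB2, DB1, UNTAGGED):
        print(asset.name, "https from internet:",
              is_allowed(asset, "ingress", "tcp", 443, "203.0.113.5"))
    print("internet-exposed:", exposed_to_internet([WEB1, WEB2, DB1, UNTAGGED]))
```

web1 and web2 get identical treatment even though they live in different subnets, because the policy is attached to the tag rather than to a network location; an asset with no tags matches nothing and is denied everything. The `exposed_to_internet` helper is the kind of check to run over a tenant's policy before deployment.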
Which of the following WAN virtualization technology is used to create networks which span multiple base networks?
A.Cloud overlay networks
B.Virtual private networks
C.Virtual private cloud
D.Network peering
A.Cloud overlay networks
Explanation:
Cloud overlay networks are a special kind of WAN virtualization technology for creating networks that span multiple base networks.
For example, an overlay network could span physical and cloud locations or multiple cloud networks, perhaps even on different providers.
Who manages the web console, which is one of the ways the management plane is delivered?
A.Super Admin User
B.Cloud Access Security Broker
C.Cloud Provider
D.Cloud User
C.Cloud Provider
Explanation:
Web consoles are managed by the provider.
They can be organization-specific (typically using DNS redirection tied to federated identity).
For example, when you connect to your cloud file sharing application you are redirected to your own version of the application after you login.
This version will have its own domain name associated with it, which allows you to integrate more easily with federated identity.
Logs, documentation and other materials that are needed for audits and compliance and are used as evidence to support compliance activities are called:
A.Audit Proof B.Audit Evidence C.Audit Trail D.Artifacts E.Log Trail
D.Artifacts
Explanation:
Artifacts are the logs, documentation and other materials needed for audits and compliance; they are the evidence to support compliance activities
Both providers and customers have responsibilities for producing and managing their respective artifacts
Which of the following defines the ease with which application components are moved and reused elsewhere regardless of provider, platform, OS, infrastructure, location, storage, the format of data, or APIs?
A.Intraoperability
B. Interoperability
C. Portability
D.Movability
C. Portability
Explanation:
Portability defines the ease with which application components are moved and reused elsewhere regardless of provider, platform, OS, infrastructure, location, storage, the format of data, or APIs.
Interoperability is the requirement for the components of a cloud ecosystem to work together to achieve their intended result.
In a cloud computing ecosystem the components may well come from different sources, both cloud and traditional, public and private cloud implementations (known as hybrid cloud).
Interoperability mandates that those components should be replaceable by new or different components from different providers and continue to work, as should the exchange of data between systems.
Which of the following is an underlying vulnerability related to loss of Governance?
A.Lack of reputational isolation B. Lack of resource isolation C.Hypervisor vulnerabilities D.Unclear asset ownership E.Lack of supplier redundancy
D.Unclear asset ownership
Explanation:
Vulnerabilities related to lack of Governance are:
-Unclear roles and responsibilities
-Poor enforcement of role definitions
-Synchronizing responsibilities of contractual obligations external to the cloud
-SLA clauses with conflicting promises to different stakeholders
-Audit or certifications not available to customers
-Cross-cloud applications creating hidden dependency
-Lack of standard technologies and solution
-Storage of data in multiple jurisdictions and lack of transparency about this
-No source escrow agreement
-No control on vulnerability assessment process
-Certification schemes not adapted to cloud infrastructure
-Lack of information on jurisdictions
-Lack of completeness and transparency in terms of use
-Unclear asset ownership
Which of the following is not one of the five key legal issues common across all scenarios?
A. Data Protection B.Confidentiality C.Intellectual Property D.Professional Negligence E.Global Proliferation
E.Global Proliferation
Explanation:
- Data Protection (availability and integrity; minimum standard or guarantee)
- Confidentiality
- Intellectual Property
- Professional Negligence
- Outsourcing services and changes in control
Which of the following is a key area of control for the cloud provider network architecture?
A.SANS Checklist B.DDoS C.Anti-virus D. Hardened Virtualized Image E.Host Based Intrusion Prevention Service (IPS)
B.DDoS
Explanation:
Network Architecture Controls:
Define the controls used to mitigate DDoS attacks
Defense in depth (deep packet analysis, traffic throttling, packet black-holing)
Do you have defenses against internal attacks (originating from the cloud provider's networks) as well as external attacks (originating from the Internet or customer networks)?
What levels of isolation are used?
For virtual machines, physical machines, network, storage (i.e. storage area networks), management networks and management support systems, etc.
Which of the following can the cloud provider implement to mitigate the credential compromise or theft?
A.Separation of roles and responsibilities
B.Automated inventory of all assets
C.Federated method of authentication
D.Hardening of virtual machines using industry standards
E.Anomaly Detection
E.Anomaly Detection
Explanation:
Credential Theft or Compromise
Do you provide anomaly detection (the ability to spot unusual and potentially malicious IP traffic and user or support team behavior)?
For example, analysis of failed and successful logins, unusual time of day, multiple logins, etc.
What provisions exist in the event of the theft of a customer's credentials (detection, revocation, evidence or actions)?
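The three signals the card names (failed logins, unusual time of day, multiple logins) run over login events, as an added example that is not part of the original flashcards. The log line format, the sample lines and the per-user hour baseline are all constructed for illustration and are not any provider's real format:

```python
"""Anomaly detection over login events: failed-login bursts, logins at unusual
hours, and one account logging in from several sources in a short window.

Added example; the log format, the sample lines and the per-user baseline are
constructed for illustration and are not any provider's real format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log (deliberately not in time order).
SAMPLE_LOG = """\
2024-05-02T09:01:10Z user=alice src=198.51.100.7 result=OK
2024-05-02T09:30:00Z user=bob src=203.0.113.40 result=OK
2024-05-02T03:12:44Z user=alice src=198.51.100.7 result=OK
2024-05-02T10:58:00Z user=bob src=203.0.113.40 result=OK
2024-05-02T11:00:01Z user=bob src=192.0.2.9 result=FAIL
2024-05-02T11:00:05Z user=bob src=192.0.2.9 result=FAIL
2024-05-02T11:00:09Z user=bob src=192.0.2.9 result=FAIL
2024-05-02T11:00:14Z user=bob src=192.0.2.9 result=FAIL
2024-05-02T11:00:20Z user=bob src=192.0.2.9 result=FAIL
2024-05-02T11:01:00Z user=bob src=192.0.2.9 result=OK
"""

# Hypothetical baseline of hours (UTC) at which each user normally logs in.
USUAL_HOURS = {"alice": range(8, 19), "bob": range(8, 19)}

FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)
MULTI_SRC_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse lines into (ts, user, src, result) events sorted by time; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], TS_FMT)
            events.append((ts, m["user"], m["src"], m["result"]))
    return sorted(events)


def detect(events, usual_hours=USUAL_HOURS):
    """Return a list of (kind, user, detail) alerts, one per detected condition."""
    alerts = []
    fails = defaultdict(deque)        # user -> timestamps of recent failures
    successes = defaultdict(deque)    # user -> (timestamp, src) of recent successes
    for ts, user, src, result in events:
        if result == "FAIL":
            q = fails[user]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("failed_burst", user, f"{len(q)} failures from {src}"))
                q.clear()             # report once per burst
            continue
        # Successful login: check the hour against the user's baseline.
        hours = usual_hours.get(user)
        if hours is not None and ts.hour not in hours:
            alerts.append(("unusual_hour", user, f"login at {ts:%H:%M} UTC from {src}"))
        # Same account seen from a different source shortly before this login.
        q = successes[user]
        while q and ts - q[0][0] > MULTI_SRC_WINDOW:
            q.popleft()
        others = sorted({s for _, s in q if s != src})
        if others:
            alerts.append(("multi_source", user, f"{src} shortly after {', '.join(others)}"))
        q.append((ts, src))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{kind:13} {user:8} {detail}")
```

On the sample, alice's 03:12 login trips the unusual-hour check, and bob shows both a five-failure burst from 192.0.2.9 and, a minute later, a success from that address while a session from 203.0.113.40 is still recent: the "failures then success from a new source" sequence is the credential-theft pattern a provider's anomaly detection is meant to surface. Thresholds and windows are tunables, not recommendations.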
In which of the following service models cloud consumers may only be able to manage authorizations and entitlements?
A.SaaS
B.PaaS
C.IaaS
D.Both A & B
A.SaaS
Explanation:
Software as a Service
The cloud provider is responsible for nearly all security, since the cloud user can only access and manage their use of the application, and can't alter how the application works.
For example, a SaaS provider is responsible for perimeter security, logging/monitoring/auditing, and application security, while the consumer may only be able to manage authorization and entitlements.
Which of the following statements regarding risk transfer is not true?
A.It is possible for the cloud customer to transfer risk to the cloud provider
B.All risks can be transferred
C.The level of risk may vary with the type of cloud architecture used
D.Risks should be considered against the cost benefit received from the services
B.All risks can be transferred
Explanation:
It is possible for the cloud customer to transfer risk to the cloud provider and the risks should be considered against the cost benefit received from the services.
However, not all risks can be transferred: if a risk leads to the failure of a business, serious damage to its reputation or legal implications, it is hard or impossible for any other party to compensate for this damage.
When it comes to securing the management plane, how are access identification, authentication and authorization implemented?
A.Identity and Access Management
B. Your directory service manages how your cloud providers are managed
C.Cloud providers provide the access layer; you must also have a directory service to get authentication
D.Authentication is based on your authentication provider and the cloud provider provides the access and authorization controls
A.Identity and Access Management
Explanation:
IAM includes identification, authentication, and authorizations (including access management).
This is how you determine who can do what within your cloud platform or provider
How will you ensure that you have provided sufficient encryption protection to your data in the cloud?
A. Ensure that you are encrypting your data as it moves to the cloud
B. Do not encrypt the data when it is close to the cloud
C. Encrypt the data at rest when it is stored in the cloud
D. Encrypt the data only as it leaves the cloud
E. Both A and C
E. Both A and C
Explanation:
Ensure that you are protecting your data as it moves to the cloud.
This necessitates understanding your provider's data migration mechanisms, as leveraging provider mechanisms is often more secure and cost effective than manual data transfer methods.
Use the appropriate encryption option based on the threat model for your data, business, and technical requirements.
How can web security as a service be offered to the cloud customer?
A. Either on-premise through software and/or appliance installation
B. Via the Cloud using proxy or redirecting web traffic to the cloud provider
C. By using separate VLANs
D. Both B & C
E. Both A & B
E. Both A & B
Explanation:
Web Security (Web Security Gateways): real-time web protection, offered either on-premise through software and/or appliance installation, or via the cloud by proxying or redirecting web traffic to the cloud provider (or a hybrid of both).
This provides an added layer of protection on top of other protection, such as anti-malware software, to prevent malware from entering the enterprise via activities such as web browsing.
In addition, it can also enforce policy and provide an extra level of granular and contextual security enforcement for web applications.
Which of the following is among the top security benefits?
A. Compatibility with customer IT services and infrastructure
B. Data Protection
C. Lock-In
D. More timely, effective and efficient updates and defaults
E. Certifications and Accreditations
D. More timely, effective and efficient updates and defaults
Explanation:
More timely, effective and efficient updates and defaults is one of the top security benefits: default virtual machine images and software modules used by customers can be pre-hardened and updated with the latest patches and security settings according to fine-tuned processes. IaaS cloud service APIs also allow snapshots of virtual infrastructure to be taken regularly and compared with a baseline.
Updates can be rolled out many times more rapidly across a homogeneous platform than in traditional client-based systems that rely on the patching model.
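The "snapshot compared with a baseline" idea from the explanation above, as an added example that is not part of the original flashcards. The hardened baseline, the instance snapshot and the setting names are constructed and do not correspond to any specific image, package set or provider API:

```python
"""Compare a snapshot of an instance's security-relevant configuration against a
hardened baseline and report drift.

Added example; the baseline, the snapshot and the setting names are constructed
and do not correspond to any specific image, package set or provider API.
"""

# Hypothetical hardened baseline for the image family.
BASELINE = {
    "image": "hardened-base-2024-05",
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "metadata.imdsv2_required": True,
    "packages.openssl": "3.0.13",
    "agent.monitoring": "running",
}

# Constructed snapshot of a running instance, as an inventory API might return it.
SNAPSHOT_WEB1 = {
    "image": "hardened-base-2024-05",
    "ssh.PasswordAuthentication": "yes",
    "ssh.PermitRootLogin": "no",
    "metadata.imdsv2_required": True,
    "packages.openssl": "3.0.11",
    "packages.nc": "1.226",
}

# Keys whose drift should page someone rather than just get listed.
CRITICAL = {"ssh.PasswordAuthentication", "ssh.PermitRootLogin", "metadata.imdsv2_required"}


def _version(value):
    """Turn '3.0.13' into (3, 0, 13) so package versions compare numerically."""
    return tuple(int(part) for part in str(value).split("."))


def drift(baseline, snapshot):
    """Return changed keys as {key: (expected, actual)} plus missing and extra keys."""
    common = baseline.keys() & snapshot.keys()
    return {
        "changed": {k: (baseline[k], snapshot[k]) for k in sorted(common) if baseline[k] != snapshot[k]},
        "missing": sorted(baseline.keys() - snapshot.keys()),
        "extra": sorted(snapshot.keys() - baseline.keys()),
    }


def outdated_packages(report):
    """Changed package keys where the instance runs something older than the baseline."""
    return sorted(k for k, (expected, actual) in report["changed"].items()
                  if k.startswith("packages.") and _version(actual) < _version(expected))


def severity(report):
    """'critical' if a security control regressed, 'warn' for any other drift, else 'ok'."""
    regressed = (set(report["changed"]) | set(report["missing"])) & CRITICAL
    if regressed:
        return "critical"
    if report["changed"] or report["missing"] or report["extra"]:
        return "warn"
    return "ok"


if __name__ == "__main__":
    report = drift(BASELINE, SNAPSHOT_WEB1)
    print(severity(report), report, outdated_packages(report))
```

The point of separating `severity` from `drift` is that not every deviation is equal: a re-enabled SSH password login or a missing monitoring agent is a regression of a control, while an extra package is something to investigate. Run the comparison on every snapshot cycle, not only at build time, so that changes made after launch are caught too.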
Which of the following reflects the claim of an individual to have certain data deleted so that third persons can no longer trace them?
A. Rights to be Deleted B. Rights to be Erased C. Right to Non-Disclosure D. Right to be Forgotten E. Right to Privacy
D. Right to be Forgotten
Explanation:
The right to be forgotten reflects the claim of an individual to have certain data deleted so that third persons can no longer trace them.
Data Subjects Rights
Data subjects have rights to information regarding the processing of their data: the right to object to certain uses of their personal data; to have their data corrected or erased; to be compensated for damages suffered as a result of unlawful processing; the rights to be forgotten; and the right to data portability.
The existence of these rights significantly affects cloud service relationships
In which type of environment is it impractical to allow clients to conduct their own audits?
A.Long Distance Relationships
B. Multi-tenant Environment
C. Dedicated Environment
D. Multi-Application Environment
B. Multi-tenant Environment
Explanation:
Bit by bit imaging of a cloud data source is generally difficult or impossible.
For obvious security reasons, providers are reluctant to allow access to their hardware, particularly in a multitenant environment where a client could gain access to other clients data.
Even in a private cloud, forensics may be extremely difficult and clients may need to notify opposing counsel or the courts of these limitations.
Luckily, this type of forensic analysis is rarely warranted in cloud computing, because the environment often consists of a structured data hierarchy or virtualization that does not provide significant additional relevant information in a bit by bit analysis
Which of the following is not one of the benefits of Cloud Computing?
A.Agility
B.Resiliency
C.Economy
D.Vendor Lock In
D.Vendor Lock In
Explanation:
Vendor lock-in could be a disadvantage of cloud computing.
Which of the following statement is true for orchestration?
A.Orchestration is used to coordinate carving out and delivering a set of resources from the pools to the consumers
B. Orchestration abstracts the resources from the underlying physical infrastructure to create pools
C. Orchestration allows the cloud provider to divvy up resources to different groups
D. Orchestration ensures that different groups cant see or modify each others assets
A.Orchestration is used to coordinate carving out and delivering a set of resources from the pools to the consumers
Explanation:
The key techniques to create a cloud are abstraction and orchestration.
We abstract (abstraction) the resources from the underlying physical infrastructure to create our pools and use orchestration (and automation) to coordinate carving out and delivering a set of resources from the pools to the consumers.
As you will see, these two techniques create all the essential characteristics we use to define something as a cloud
The difference between cloud computing and traditional virtualization: virtualization abstracts resources, but it typically lacks the orchestration to pool them together and deliver them to customers on demand, instead relying on manual processes.
Segregation allows the cloud provider to divvy up resources to the different groups, and isolation ensures they cant see or modify each others assets
Which communication method is used by customers to access database information using a web console?
A. Cross-Origin Resource Sharing (CORS)
B. Application Programming Interface (API)
C. Security Assertion Markup Language (SAML)
D. Extensible Markup Language (XML)
E. Software Development Kits (SDK)
B. Application Programming Interface (API)
Explanation:
The customer manages the database via API (and a web console) and accesses it either through the normal database network protocols, or again via an API
One option, frequently seen in the real world is to build a platform on top of IaaS.
A layer of integration and middleware is built on IaaS, then pooled together, orchestrated and exposed to customers using APIs as PaaS.
For example, a Database as a Service could be built by deploying modified database management system software on instances running IaaS.
The customer manages the database via API (and a web console) and accesses it either through the normal database network protocols or again via an API.
Which plane is used by consumers to launch virtual machines or configure virtual networks?
A. Infrastructure Plane B. Cloud Control Plane C. Management Plane D. Application Plane E. Virtual Plane
C. Management Plane
Explanation:
In most cases, those APIs are both remotely accessible and wrapped into a web-based user interface.
This combination is the cloud management plane, since consumers use it to manage and configure the cloud resources, such as launching virtual machines (instances) or configuring virtual networks.
From a security perspective, it is both the biggest difference from protecting physical infrastructure (since you can't rely on physical access as a control) and the top priority when designing a cloud security program.
Which of the following allows you to create an Infrastructure template to configure all or some aspects of a cloud deployment?
A. Metastructure B. Infostructure C. Software-Defined Infrastructure D. Applistructure E. Infrastructure
C. Software-Defined Infrastructure
Explanation:
Software-Defined Infrastructure allows you to create an infrastructure template to configure all or some aspects of a cloud deployment.
These templates are then translated natively by the cloud platform into API calls that orchestrate the configuration.
Dedicated or Private Tenancy Model is not possible in a cloud environment
A. True
B. False
B. False
Explanation:
In some environments dedicated/private tenancy is possible, but typically at a higher cost.
With this model only designated workloads run on a designated physical server.
Costs increase in public cloud as a consumer since you are taking hardware out of the general resource pool, but also in private cloud, due to less efficient use of internal resources.
Which of the following leverages virtual network topologies to run smaller, and more isolated networks without incurring additional hardware costs?
A. Microsegmentation B. VLANs C. Converged Networking D. Virtual Private Networks E. Virtual Private Cloud
A. Microsegmentation
Explanation:
Microsegmentation (also sometimes referred to as hypersegregation) leverages virtual network topologies to run more, smaller, and more isolated networks without incurring the additional hardware costs that historically made such models prohibitive.
Since the entire networks are defined in software without many of the traditional addressing issues, it is far more feasible to run these multiple, software-defined environments.
Which of the following is a form of a compliance inheritance in which all or some of the cloud providers infrastructure and services undergo an audit to a compliance standard?
A. Policy Audit
B. Pass-through Audit
C. Third Party Audit
D. Compliance Audit
B. Pass-through Audit
Explanation:
Many cloud providers are certified for various regulations and industry requirements, such as PCI DSS, SOC1, SOC2, HIPAA, best practices/frameworks like CSA COM, and global/regional regulations like the EU GDPR.
These are sometimes referred to as pass-through audits.
A pass-through audit is a form of compliance inheritance.
In this model all or some of the cloud provider's infrastructure and services undergo an audit to a compliance standard.
The provider takes responsibility for the costs and maintenance of these certifications.
Which of the following is an important consideration in management plane usage?
A. Segregation of Duties B. Least Privilege C. Multi-factor Authentication D. Biometric Authentication E. Authorization
B. Least Privilege
Explanation:
Both providers and consumers should consistently only allow the least privilege required for users, applications and other management plane usage.
All privileged user accounts should use multi-factor authentication (MFA).
If possible, all cloud accounts (even individual user accounts) should use MFA.
It's one of the single most effective security controls to defend against a wide range of attacks.
This is also true regardless of the service model: MFA is just as important for SaaS as it is for IaaS.
PaaS needs to be built on top of IaaS and it cannot be a custom designed stand-alone architecture
A.True
B.False
B.False
Explanation:
PaaS doesn't necessarily need to be built on top of IaaS; there is no reason it cannot be a custom designed stand-alone architecture.
The defining characteristic is that consumers access and manage the platform, not the underlying infrastructure (including cloud infrastructure).
The key difference between cloud and traditional computing is the infrastructure
A.True
B.False
B.False
Explanation:
The key difference between cloud and traditional computing is the metastructure.
Metastructure is the protocols and mechanisms that provide the interface between the infrastructure layer and the other layers.
It is the glue that ties the technologies together and enables management and configuration.
Cloud metastructure includes the management plane components, which are network enabled and remotely accessible.
Which of the following tools provide a standard template for cloud providers to document their security and compliance controls?
A. Consensus Assessments Initiative Questionnaire B. Cloud Control Matrix C. Cloud Provider Contracts D. Supplier (Cloud Provider) Assessments E. Cloud Security Alliance STAR Registry
A. Consensus Assessments Initiative Questionnaire
Explanation:
The Consensus Assessments Initiative Questionnaire (CAIQ) is a tool from the Cloud Security Alliance (CSA) that provides a standard template for cloud providers to document their security and compliance controls.
Which of the following statement about CSA’s CCM and Security Guidance is not true?
A. CSA’s CCM provides a set of controls and maps them to multiple security and compliance standards
B. CSA’s CCM tells you what to do. CSA’s Security Guidance tells how to do it
C. CSA’s Security Guidance provides a set of best practices and recommendations
D. CSA’s Security Guidance tells you WHAT to do. The CCM tells you HOW to do it
D. CSA’s Security Guidance tells you WHAT to do. The CCM tells you HOW to do it
Explanation:
The Cloud Control Matrix (CCM) lists cloud security controls and maps them to multiple security and compliance standards.
CCM can also be used to document security responsibilities (WHAT to do).
CSA's Security Guidance provides a set of best practices and recommendations (HOW to do it).
What is the role of the Scope Applicability column in the CCM?
A. Applicability of controls in the domains
B. Maps the existing industry standards to the controls in the domains
C. Overall applicability of the domain
D. Shows architecture elements that are related to a given control
B. Maps the existing industry standards to the controls in the domains
Explanation:
The Scope Applicability column in the CCM maps existing industry standards such as PCI DSS, NIST SP800-53 R3, ISO/IEC 27001-2005, HIPAA/HITECH Act, GAPP, ENISA IAF, COBIT, etc. to the controls in the domains.
The Cloud Security Alliance STAR Registry is used for which of the following purposes?
A.Used by cloud providers to document their security and compliance controls
B.List all cloud security controls mapped to multiple security standards
C. To publicly release certifications and attestations
D. Used by cloud providers to keep all the service contracts and service level agreements
C. To publicly release certifications and attestations
Explanation:
Cloud providers should understand that customers still need assurance that the provider meets their contractual and regulatory obligations, and should thus provide rigorous third-party attestations to prove they meet their obligations, especially when the provider does not allow direct customer assessments.
These should be based on industry standards, with clearly defined scopes and the list of specific controls evaluated.
Publishing certifications and attestations (to the degree legally allowed) will greatly assist cloud customers in evaluating providers.
The Cloud Security Alliance STAR Registry offers a central repository for providers to publicly release these documents.
Attestations and certifications are activities that will be valid at any future point in time and providers must keep any published results readily available for quick reference.
A. True
B. False
B. False
Explanation:
Attestations and certifications are point-in-time activities.
It's important to remember that attestations and certifications are point-in-time activities.
An attestation is a statement of an assessment over a period of time and may not be valid at any future point.
Providers must keep any published results current or they risk exposing their customers to risks of non-compliance.
Depending on contracts, this could even lead to legal exposure for the provider.
Customers are also responsible for ensuring they rely on current results and track when their providers' statuses change over time.
The management plane controls and configures which of the following:
A. Infrastructure
B. Metastructure
C. Infostructure
D. Applistructure
B. Metastructure
Explanation:
The management plane controls and configures the metastructure and is also part of the metastructure itself.
As a reminder, cloud computing is the act of taking physical assets (like networks and processors) and using them to build resource pools.
Metastructure is the glue and guts to create, provision, and de-provision the pools.
The management plane includes the interfaces for building and managing the cloud itself, but also the interfaces for cloud users to manage their own allocated resources of the cloud.
Identity and Access Management (IAM) includes which of the following?
A.Identification, Authentication and Authorization
B. Identification, Authentication, Authorization and Non-repudiation
C. Identification, authentication, authorization and encryption
D. Identification, Authentication, Authorization and Delegation
E. Identification, Authentication, Authorization and Deletion
A.Identification, Authentication and Authorization
Explanation:
Identity and Access Management (IAM) includes identification, authentication and authorization (including access management).
This is how you determine who can do what within your cloud platform provider.
How can a single administrator access multiple service administrator accounts with just the privileges they need for that particular action?
A. Using Groups B. Using Assertions C. Using Roles D. Using Provider Policies E. Using Custom Policies
C. Using Roles
Explanation:
A single human administrator can access multiple service administrator accounts using roles.
Your platform or provider may support lower-level administrative accounts that can only manage parts of the service.
We sometimes call these "service administrators" or "day to day administrators".
These accounts don't necessarily expose the entire deployment if they are abused or compromised and thus are better for common daily usage.
They also help compartmentalize individual sessions, so it isn't unusual to allow a single human administrator access to multiple service admin accounts (or roles) so they can log in with just the privilege they need for that particular action instead of having to expose a much wider range of entitlements.
Which process is used to determine and defend the applications from any weakness before they are introduced into production?
A. Threat Modeling B. Vulnerability Assessment C. Penetration Testing D. OWASP E. STRIDE
A. Threat Modeling
Explanation:
Application security encompasses an incredibly complex and large body of knowledge: everything from early design and threat modeling to maintaining and defending production applications.
Design
During the application design process, especially when PaaS is involved, the focus for security in cloud is on architecture, the cloud provider's baseline capabilities, cloud provider features, and automating and managing security for deployment and operations.
We find that there are often significant security benefits to integrating security into the application architecture since there are opportunities to leverage the provider's own security capabilities.
For example, inserting a serverless load balancer or message queue could completely block certain network attack paths.
This is also where you perform threat modeling, which must also be cloud and provider/platform specific.
Which of the following is true about the pass-through audit which is a form of compliance inheritance?
A. Provider's infrastructure is not within the scope of customer's audit/assessment
B. Everything the customer builds on top of Provider's infrastructure is out of scope
C. Provider's infrastructure is within the scope of customer's audit/assessment
D. Customer is not responsible for maintaining the compliance as the Provider is already compliant
A. Provider's infrastructure is not within the scope of customer's audit/assessment
Explanation:
A pass-through audit is a form of compliance inheritance.
In this model all or some of the cloud provider's infrastructure and services undergo an audit to a compliance standard.
The provider takes responsibility for the costs and maintenance of these certifications.
Provider audits, including pass-through audits, need to be understood within their limitations:
- They certify that the provider is compliant.
- It is still the responsibility of the customer to build compliant applications and services on the cloud.
- This means the provider's infrastructure/services are not within scope of a customer's audit/assessment. But everything the customer builds themselves is still within scope.
- The customer is still ultimately responsible for maintaining the compliance of what they build and manage.
For example, if an IaaS provider is PCI DSS-certified, the customer can build their own PCI-compliant service on that platform and the provider's infrastructure and operations should be outside the customer's assessment scope.
However, the customer can just as easily run afoul of PCI and fail their assessment if they don't design their own application running in the cloud properly.
When entrusting a third party to process the data on its behalf, who remains responsible for the collection and processing of the data?
A. Data Processor
B. Data Controller
C. Data Analyzer
D. Data Protector
B. Data Controller
Explanation:
When entrusting a third party to process data on its behalf (a data processor), a data controller remains responsible for the collection and processing of that data.
The data controller is required to ensure that any such third parties take adequate technical and organizational security measures to safeguard the data.
SLAs may limit a client's ability to collect large volumes of data quickly and in a forensically sound manner
A. True
B. False
A. True
Explanation:
In most cases, a client's access to its data in the cloud will be determined by its SLA.
This may limit its ability to collect large volumes of data quickly and in a forensically sound manner (i.e., with all reasonably relevant metadata preserved).
Clients and cloud providers should consider this issue at the outset of their relationship and establish a protocol (and cost) for extraordinary access in the case of litigation.
Absent these agreements, clients are responsible for the extra time and cost implicated by collection in the cloud when making representations to requesting parties and courts.