CCSK Practice Exam 3 (WhizLabs) Flashcards

1
Q

Virtualization security in cloud computing is the responsibility of cloud provider

A. True
B. False

A

B. False

Explanation:
Virtualization security in cloud computing follows the shared responsibility model
The cloud provider will always be responsible for securing the physical infrastructure and the virtualization platform itself.
Meanwhile, the cloud customer is responsible for properly implementing the available virtualized security controls and understanding the underlying risks, based on what is implemented and managed by the cloud provider.
For example, deciding when to encrypt virtualized storage, properly configuring the virtual network and firewalls, or deciding when to use dedicated hosting vs a shared host

2
Q

Which of the following statements regarding SDN (Software Defined Networking) is not true?

A. Segregates and isolates the traffic properly
B. Supports orchestration and agility
C. Does not overlay the overlapping addresses
D. Is defined using software settings and API calls
E. Abstracts the network management plane from physical infrastructure

A

C. Does not overlay the overlapping addresses

Explanation:
SDN abstracts the network management plane from the underlying physical infrastructure, removing many typical networking constraints.
For example, you can overlay multiple virtual networks, even ones that completely overlap their address ranges, over the same physical hardware, with all traffic properly segregated and isolated.
SDNs are also defined using software settings and API calls, which supports orchestration and agility.

3
Q

Containers provide full security isolation and task segregation

A. True
B. False

A

B. False

Explanation:
Containers don't necessarily provide full security isolation, but they do provide task segregation.
That said, virtual machines typically do provide security isolation.
Thus, you can put tasks of equivalent security context on the same set of physical or virtual hosts in order to provide greater security segregation.

4
Q

Which of the following essential characteristics of a cloud allows customers to closely match resource consumption with demand?

A. Resource Pooling
B. On-demand Self-Service
C. Broad Network Access
D. Rapid Elasticity
E. Measured Service
A

D. Rapid Elasticity

Explanation:
Rapid elasticity allows consumers to expand or contract the resources they use from the pool (provisioning and deprovisioning), often completely automatically.
This allows them to more closely match resource consumption with demand (for example, adding virtual servers as demand increases, then shutting them down when demand drops)

5
Q

Which of the following statements regarding cloud platform architecture is true?

A. Single cloud assets are typically less resilient than the traditional infrastructure
B. Single cloud assets are typically more resilient than the traditional infrastructure
C. Single cloud assets are equally resilient as traditional infrastructure
D. Single cloud assets and traditional infrastructure should be combined together to provide a more resilient infrastructure

A

A. Single cloud assets are typically less resilient than the traditional infrastructure

Explanation:
Cloud platforms can be incredibly resilient, but single cloud assets are typically less resilient than in the case of traditional infrastructure.
This is due to the inherently greater fragility of virtualized resources running in highly-complex environments.
This mostly applies to compute, networking and storage, since those allow closer to raw access, and cloud providers can leverage additional resiliency techniques for their platforms and applications that run on top of IaaS

6
Q

Infrastructure in the cloud cannot be defined and implemented through templates and automation

A. True
B. False

A

B. False

Explanation:
Cloud infrastructure is more often in scope for application security testing because of infrastructure as code, where the infrastructure itself is defined and implemented through templates and automation.
Security testing should be integrated into the deployment process and pipeline.
Testing tends to span this and the Secure Deployment phase, but leans towards security unit tests and security functional tests, Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).
Because the infrastructure is expressed as code, the templates and automation that define it can be tested in the pipeline in the same way as application code.
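The following is an added example, not part of the CCSK material or any vendor tool: a security unit test that a pipeline could run against an infrastructure-as-code template before deployment. The template is a constructed, CloudFormation-style dict used as sample data, and the two checks (an ingress rule open to the whole internet on an administrative port, and an unencrypted block-storage volume) are the author's choice of illustrative weak settings.

```python
"""Security unit test for infrastructure as code (IaC).

Added example, not part of the CCSK material. It scans a constructed,
CloudFormation-style template (a plain dict used as sample data) for two
weak settings a pipeline gate should reject before deployment:
  - a security group ingress rule open to the whole internet (/0) on an
    administrative port, and
  - a block-storage volume that is not encrypted.
"""
import copy
import ipaddress

ADMIN_PORTS = {22, 3389}  # SSH and RDP


def _rule_covers(rule, port):
    """True if the ingress rule's port range includes `port`."""
    return int(rule.get("FromPort", 0)) <= port <= int(rule.get("ToPort", 65535))


def find_iac_findings(template):
    """Return a list of (resource_name, message) for each weak setting found."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr is None:
                    continue  # source is another security group, not a CIDR
                net = ipaddress.ip_network(cidr, strict=False)
                # a /0 prefix means "any source on the internet"
                if net.prefixlen == 0 and any(_rule_covers(rule, p) for p in ADMIN_PORTS):
                    findings.append((name, f"ingress from {cidr} reaches admin port(s) "
                                           f"{rule.get('FromPort')}-{rule.get('ToPort')}"))
        elif rtype == "AWS::EC2::Volume":
            if not props.get("Encrypted", False):
                findings.append((name, "volume is not encrypted at rest"))
    return findings


def gate(template):
    """Pipeline gate: True only if the template has no findings."""
    return not find_iac_findings(template)


# Constructed sample template (not a real deployment).
SAMPLE_TEMPLATE = {
    "Resources": {
        "AdminSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web tier",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "DataVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"Size": 100, "AvailabilityZone": "eu-west-1a"},
        },
        "LogVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"Size": 20, "AvailabilityZone": "eu-west-1a", "Encrypted": True},
        },
    }
}

# The same template with both findings fixed: SSH restricted to a corporate
# range (assumed 10.20.0.0/16) and the data volume encrypted.
HARDENED_TEMPLATE = copy.deepcopy(SAMPLE_TEMPLATE)
HARDENED_TEMPLATE["Resources"]["AdminSG"]["Properties"]["SecurityGroupIngress"][1]["CidrIp"] = "10.20.0.0/16"
HARDENED_TEMPLATE["Resources"]["DataVolume"]["Properties"]["Encrypted"] = True

if __name__ == "__main__":
    for tpl_name, tpl in (("sample", SAMPLE_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(tpl_name, "passes" if gate(tpl) else "fails")
        for res_name, msg in find_iac_findings(tpl):
            print("  ", res_name + ":", msg)
```

The HTTPS rule open to 0.0.0.0/0 is deliberately not flagged: the check is scoped to administrative ports so the gate does not block the ordinary case of a public web tier. A real pipeline would run this kind of test on every template change and record the result alongside the change, which is exactly the traceability the next card describes.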

7
Q

CI/CD pipelines can enhance security through support of which of the following?

A. Restricted logging on application
B. Restricted logging on Infrastructure
C. Manual Security Testing
D. Immutable Infrastructure

A

D. Immutable Infrastructure

Explanation:
CI/CD pipelines can enhance security through support of immutable infrastructure (fewer manual changes to production environments), automating security testing, and extensive logging of application and infrastructure changes when those changes run through the pipeline.
When configured properly, logs can track every code, infrastructure, and configuration change and tie them back to whoever submitted the change and whoever approved it; they will also include any testing results.

8
Q

You do not trust your SaaS provider and have chosen to encrypt all of your data. Which of the following is true is this situation?

A. You have ensured the security of your data by encrypting it
B. Encrypting everything may lead to false sense of security
C. You do not have to ensure the security of the device if you have encrypted the data
D. You can continue with the provider as encrypting all the data will take care of trust issues

A

B. Encrypting everything may lead to false sense of security

Explanation:
Encrypting everything in SaaS because you do not trust that provider at all likely means that you shouldn't be using the provider in the first place.
But encrypting everything is not a cure-all and may lead to a false sense of security, ie encrypting data traffic without ensuring the security of the devices themselves.

9
Q

Which of the following regarding customer managed keys is true?

A. Cloud customer manages the encryption key and the provider manages the encryption engine
B. Provider manages the encryption key and cloud customer manages the encryption engine
C. Cloud customer manages both the encryption key and the encryption engine
D. Cloud customer and provider jointly manage the encryption key and encryption engine
E. Cloud customer and provider jointly manage the encryption engine and cloud customer manages their own encryption key

A

A. Cloud customer manages the encryption key and the provider manages the encryption engine

Explanation:
A customer managed key allows a cloud customer to manage their own encryption key while the provider manages the encryption engine.
For example, using your own key to encrypt SaaS data within the SaaS platform.
Many providers encrypt data by default, using keys completely in their control.
Some may allow you to substitute your own key, which integrates with their encryption system.
Make sure your vendor's practices align with your requirements.

10
Q

Which of the following is the most obvious form of provider lock-in?

A. Data Lock-In
B. Application Lock-In
C. Infrastructure Lock-In
D. Meta-Data Lock-In

A

B. Application Lock-In

Explanation:
Application lock-in is the most obvious form of lock-in (although it is not specific to cloud services).
SaaS providers typically develop a custom application tailored to the needs of their target market.
SaaS customers with a large user base can incur very high switching costs when migrating to another SaaS provider, as the end-user experience is impacted (ie re-training is necessary).
Where the customer has developed programs to interact with the provider's API directly (ie for integration with other applications), these will also need to be re-written to take into account the new provider's API.

11
Q

“Cloud Provider Acquisition” is which form of risk?

A. Legal Risk
B. Technical Risk
C. Policy and Organizational Risk
D. Compliance Risk

A

C. Policy and Organizational Risk

Explanation:
Policy and Organization risks cover the following:

  1. LOCK IN
  2. LOSS OF GOVERNANCE
  3. COMPLIANCE CHALLENGES
  4. LOSS OF BUSINESS REPUTATION DUE TO CO-TENANT ACTIVITIES
  5. CLOUD SERVICE TERMINATION OR FAILURE
  6. CLOUD PROVIDER ACQUISITION
  7. SUPPLY CHAIN FAILURES
12
Q

Inability to provide sufficient capacity to a customer can lead to which of the following?

A. Isolation Failure
B. Abuse of High Privileged Roles
C. Resource Exhaustion
D. Denial of Service (DoS)
E. Data Leakage
A

C. Resource Exhaustion

Explanation:
Resource Exhaustion (Under or Over Provisioning)
There is a level of calculated risk in allocating all the resources of a cloud service, because resources are allocated according to statistical projections.
Inaccurate modelling of resource usage (common resource allocation algorithms are vulnerable to distortions of fairness), inadequate resource provisioning or inadequate investment in infrastructure can lead, from the cloud provider's perspective, to:
Service unavailability: failure in certain highly specific application scenarios which use a particular resource very intensively (ie CPU or memory intensive number crunching or simulation, such as forecasting stock prices)

Access control compromised: in some cases it may be possible to force a system to fail open in the event of resource exhaustion

Economic and reputational losses: due to failure to meet customer demand
The opposite consequence of inaccurate estimation of resource needs could lead to
Infrastructure oversize: excessive provisioning leading to economic losses and loss of profitability

13
Q

Which of the following defines the amount of risk that the leadership and stakeholders of an organization are willing to accept?

A. Risk Acceptance
B. Risk Tolerance
C. Residual Risk
D. Risk Target

A

B. Risk Tolerance

Explanation:
Risk tolerance is the amount of risk that the leadership and stakeholders of an organization are willing to accept.
It varies based on asset and you shouldn't make a blanket risk decision about a particular provider; rather, assessments should align with the value and requirements of the assets involved.
Just because a public cloud provider is external and a consumer might be concerned with shared infrastructure for some assets doesn't mean it isn't within risk tolerance for all assets.
Over time this means that, practically speaking, you will build out a matrix of cloud services along with which types of assets are allowed in those services.
Moving to the cloud doesn't change your risk tolerance, it just changes how risk is managed.

14
Q

In addition to providing better server utilization, and data center consolidation, virtualization also reduces the security threats significantly

A. True
B. False

A

B. False

Explanation:
Virtualization brings with it all the security concerns of the operating system running as a guest, together with new security concerns about the hypervisor layer, as well as new virtualization specific threats, inter-VM attacks and blind spots, performance concerns arising from CPU and memory used for security, and operational complexity from “VM Sprawl” as a security inhibitor.
New problems like instant-on gaps, data co-mingling, the difficulty of encrypting virtual machine images, and residual data destruction are coming into focus

15
Q

Installing traditional agents designed for physical servers will not result in the same amount of efficiency and performance on a virtualized server

A. True
B. False

A

A. True

Explanation:
“Traditional” agents may impede performance more heavily in cloud.
Lightweight agents with lower compute requirements allow better workload distribution and efficient use of resources.
Agents not designed for cloud computing may assume underlying compute capacity that isn't aligned with how the cloud deployment is designed.
The developers on a given project might assume they are running a fleet of lightweight, single purpose virtual machines.
A security agent not attuned to this environment could significantly increase processing overhead, requiring larger virtual machine types and increasing costs

16
Q

Point-in-time activities like compliance, audit, and assurance should be conducted by cloud providers to avoid creating any gaps, and thus exposures, for their customers

A. True
B. False

A

B. False

Explanation:
Compliance, audit and assurance should be continuous.
They should not be seen as merely point in time activities, and many standards and regulations are moving more towards this model.
This is especially true in cloud computing, where both the provider and customer tend to be in more-constant flux and are rarely ever in a static state.

17
Q

Which of the following characteristics of cloud allows a consumer to unilaterally provision computing capabilities such as server time and network storage as needed?

A. Resource Pooling
B. On-Demand Self-Service
C. Broad Network Access
D. Rapid Elasticity
E. Measured Service
A

B. On-Demand Self-Service

Explanation:
On-Demand Self-Service
A consumer can unilaterally provision computing capabilities such as server time and network storage as needed automatically without requiring human interaction with a service provider

18
Q

Which of the following provides "Storage as a Service" as a sub-offering?

A. IaaS
B. PaaS
C. SaaS
D. SecaaS

A

A. IaaS

Explanation:
Narrowing the scope or specific capabilities and functionality within each of the cloud delivery models, or employing the functional coupling of services and capabilities across them, may yield derivative classifications.
For example, Storage as a Service is a specific sub-offering within the IaaS family.

19
Q

In a multi-tenant environment, if customers can access and modify each other's assets, which of the following has caused this issue?

A. Segregation Failure
B. Isolation Failure
C. Breach of Trust
D. Data Breach
E. Information leakage
A

B. Isolation Failure

Explanation:
Clouds are multi tenant by nature.
Multiple different consumer constituencies share the same pool of resources but are segregated and isolated from each other.
Segregation allows the cloud provider to divvy up resources to the different groups, and isolation ensures they can't see or modify each other's assets.
Multitenancy doesn't only apply across different organizations; it's also used to divvy up resources between different units in a single business or organization.

20
Q

Which of the following types of encryption will be used when object storage is used as the back end for an application?

A. Object Encryption
B. Client-Side Encryption
C. Server-Side Encryption
D. Proxy Encryption
E. Data Encryption
A

B. Client-Side Encryption

Explanation:
Client-side encryption: when object storage is used as the back end for an application (including mobile applications), encrypt the data using an encryption engine embedded in the application or client.

21
Q

Resource pooling practiced by the cloud services may especially complicate which part of the IR process?

A. Detection
B. Prevention
C. Monitoring
D. Recovery
E. Forensics
A

E. Forensics

Explanation:
The resource pooling practiced by cloud services, in addition to the rapid elasticity offered by cloud infrastructures, may dramatically complicate the IR process, especially the forensic activities carried out as part of the incident analysis.
Forensics has to be carried out in a highly dynamic environment, which challenges basic forensic necessities such as establishing the scope of an incident, the collection and attribution of data, preserving the semantic integrity of that data, and maintaining the stability of evidence overall.
These problems are exacerbated when cloud customers may attempt to carry out forensic activities, since they operate in a non-transparent environment (which underscores the necessity of support by the cloud provider as mentioned above)

22
Q

Customers should view cloud services and security as -

A. Service provider security issue
B. Third party security issue
C. Technology security issue
D. Supply chain security issue
E. Enterprise security strategy
A

D. Supply chain security issue

Explanation:
Customers should view cloud services and security as supply chain security issues.
This means examining and assessing the provider's supply chain (service provider relationships and dependencies) to the extent possible.
This also means examining the provider's own third-party management.
Assessment of third-party service providers should specifically target the provider's incident management, business continuity and disaster recovery policies, processes and procedures, and should include review of co-location and back-up facilities.

23
Q

The risks identified can be classified into which of the following three categories?

A. Technical, Commercial, Operational
B. Technical, Commercial, Legal
C. Technical, Operational, Legal
D. Technical, Operational, Policy and Organizational
E. Technical, Legal, Policy and Organizational

A

E. Technical, Legal, Policy and Organizational

Explanation:
The risks identified in the assessment are classified into three categories:
- Policy and Organizational
- Technical 
- Legal
24
Q

Lock-in is under which category of risk?

A. Technical
B. Legal
C. Policy and Organizational
D. Operational

A

C. Policy and Organizational

Explanation:
Lock-in is listed among the Policy and Organizational risks, alongside loss of governance, compliance challenges, loss of business reputation due to co-tenant activities, cloud service termination or failure, cloud provider acquisition and supply chain failures.

25
Q

Which of the following statement is true regarding the risk of natural disasters in cloud?

A. Risk of natural disasters in cloud is higher as compared to a traditional infrastructure
B. Risk of natural disasters in cloud is lesser as compared to a traditional infrastructure
C. Risk of natural disasters in cloud is same as in traditional infrastructure
D. There is no risk of natural disasters in cloud as the providers offer multiple redundant sites and network path

A

B. Risk of natural disasters in cloud is lesser as compared to a traditional infrastructure

Explanation:
Generally speaking, the risk from natural disasters is lower compared to traditional infrastructure because cloud providers offer multiple redundant sites and network paths by default

26
Q

Password-based authentication should be sufficient for accessing cloud resources

A. True
B. False

A

B. False

Explanation:
The cloud makes password-based authentication attacks (for example, the trend of fraudsters using a Trojan to steal corporate passwords) much more impactful, since corporate applications are now exposed on the Internet.
Therefore password-based authentication becomes insufficient, and strong or two-factor authentication for accessing cloud resources will be necessary.

27
Q

Why are Hardware Security Modules (HSM) difficult to distribute in multiple locations used in cloud architectures?

A. HSMs are by necessity strongly physically protected from theft, eavesdrop and tampering
B. HSMs are typically clustered for high availability and performance
C. Many HSM systems have means to securely back up the keys they handle outside of the HSM
D. HSM module contains one or more secure cryptoprocessor chips to prevent tampering

A

A. HSMs are by necessity strongly physically protected from theft, eavesdrop and tampering

Explanation:
HSMs are by necessity strongly physically protected (from theft, eavesdrop and tampering)
This makes it very difficult for them to be distributed in the multiple locations used in cloud architecture (ie geographically distributed and highly replicated)

28
Q

The lack of use of standard technologies and solutions by the cloud provider may lead to -

A. Isolation Failure
B. Resource Exhaustion
C. Loss of Governance
D. Lock-In
E. Data Leakage
A

D. Lock-In

Explanation:
A lack of standards means that data may be locked in to a provider.
This is a big risk should the provider cease operation.
This may inhibit the use of managed security services and external security technologies such as FIM

29
Q

Which of the following is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data?

A. Subject
B. Keeper
C. Controller
D. Processor
E. Selector
A

C. Controller

Explanation:
Controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.

30
Q

Whose responsibility is it to choose a data processor that provides sufficient guarantees with respect to the technical security measures and organizational measures governing the processing to be carried out, and ensuring compliance with those measures?

A. Subject
B. Keeper
C. Coordinator
D. Processor
E. Controller
A

E. Controller

Explanation:
One of the main duties and obligations for the Controller set forth in the Data Protection Directive is - Choosing a Processor that provides sufficient guarantees with respect to the technical security measures and organizational measures governing the processing to be carried out and ensuring compliance with those measures.

31
Q

Which of the following is a responsibility of a cloud user?

A. Hypervisor security
B. Physical Security 
C. Isolation
D. Image Asset Management
E. Securing Virtualization Infrastructure
A

D. Image Asset Management

Explanation:
The cloud user should take advantage of the security controls for managing their virtual infrastructure, which will vary based on the cloud platform and often include:

Security settings, such as identity management, for the virtual resources. This is not the identity management within the resource, such as the operating system login credentials, but the identity management of who is allowed to access the cloud management of the resource - for example, stopping or changing the configuration of a virtual machine.

Monitoring and Logging - How to handle system logs from virtual machines or containers; the cloud platform will likely offer additional logging and monitoring at the virtualization level. This can also include the status of a virtual machine, management events, performance, etc.

Image Asset Management - Cloud compute deployments are based on master images - be it a virtual machine, container, or other code - that are then run in the cloud. This is often highly automated and results in a larger number of images to base assets on, compared to traditional computing master images. Managing these - including which meet security requirements, where they can be deployed and who has access to them - is an important security responsibility.

Use of Dedicated Hosting - If available, based on the security context of the resource. In some situations you can specify that your assets run on hardware dedicated only to you (at a higher cost), even on a multitenant cloud. This may help meet compliance requirements or satisfy needs in special cases where sharing hardware with another tenant is considered a security risk.

32
Q

Exiting from an activity that gives rise to risk is called?

A. Ignoring the Risk
B. Avoiding the Risk
C. Transferring the Risk
D. Reducing the Risk
E. Accepting the risk
A

B. Avoiding the Risk

Explanation:
Enterprise risk management in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.
In a cloud environment, management selects a risk response strategy for specific risks identified and analyzed, which may include:

Avoidance - Exiting the activities giving rise to risk
Reduction - Taking action to reduce the likelihood or impact related to the risk
Share or Insure - Transferring or sharing a portion of the risk to finance it
Accept - NO action is taken due to a cost/benefit decision

33
Q

Which of the following best describes the data protection when it moves to the cloud?

A. Encrypt the data only when it is stored in the cloud
B. Ensure that a secure transfer channel is used
C. Encrypting the data when it leaves the cloud should be sufficient
D. Data should remain protected both at rest and in use
E. B & D

A

E. B & D

Explanation:
Protecting data through encryption as it moves to the cloud requires more than just ensuring that a secure transfer channel (ie TLS) is used.
Encrypting the transfer of data to the cloud does not ensure the data is protected in the cloud.
Once data arrives in the cloud, it should remain protected at rest and in use

34
Q

Which of the following gives the customers ability to audit the cloud provider?

A. State Laws
B. Right to audit clause
C. Right to transparency clause
D. Customer cannot gain the rights to audit
E. ISO27001
A

B. Right to audit clause

Explanation:
A right to audit clause gives customers the ability to audit the cloud provider, which supports traceability and transparency in the frequently evolving environments of cloud computing and regulation.
Use a normative specification in the right to audit to ensure mutual understanding of expectations.
In time, this right should be supplanted by third party certifications

35
Q

Which of the following clauses in the agreement between customer and cloud provider can provide customers in highly regulated industries with the required information?

A. Right to information clause
B. Right to audit clause
C. Right to transparency clause
D. Right to access clause
E. Customer cannot gain the access to required information
A

C. Right to transparency clause

Explanation:
A right to transparency clause with specified access rights can provide customers in highly regulated industries (including those in which non-compliance can be grounds for criminal prosecution) with the required information.
The agreement should distinguish between automated/direct access to information (ie logs, reports) and pushed information (system architectures, audit reports)

36
Q

Which of the following will not prevent you from moving unapproved data to cloud services?

A. Database Activity Monitoring (DAM)
B. File Activity Monitoring (FAM)
C. URL Filtering
D. Intrusion Detection System (IDS)
E. Data Loss Prevention
A

D. Intrusion Detection System (IDS)

Explanation:
A common challenge organizations face with the cloud is managing data.
Many organizations report individuals or business units moving often sensitive data to cloud services without the approval or even notification of IT or security.
Aside from traditional data security controls (like access controls or encryption), there are two other steps to help manage unapproved data moving to cloud services:
1. Monitor for large internal data migrations with Database Activity Monitoring (DAM) and File Activity Monitoring (FAM)
2. Monitor for data moving to the cloud with URL filters and Data Loss Prevention
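The following is an added example, not from the CCSK material, showing the second step in code: a URL filter and a simple DLP check run over outbound proxy log lines. The log format, the sanctioned domain, the list of cloud storage domains and every log line are constructed sample data; the DLP rule only looks for credit-card-like numbers that pass the Luhn checksum, which is enough to show why a plain digit-count regex is not a DLP rule.

```python
"""Catching unapproved data movement to cloud services.

Added example, not from the CCSK material. It applies the two controls the
card names to outbound proxy logs: a URL filter (uploads to cloud storage
domains that are not on the sanctioned list) and a small DLP check
(credit-card-like numbers that pass the Luhn checksum in the request
preview). The log format and every line below are constructed sample data:
    <timestamp> <user> <method> <url> <bytes_out> <body preview>
"""
import re
from urllib.parse import urlsplit

APPROVED_CLOUD = {"storage.corp-approved.example"}        # sanctioned service (assumed)
CLOUD_SUFFIXES = ("dropbox.com", "drive.google.com", "box.com", "wetransfer.com")
UPLOAD_METHODS = {"POST", "PUT"}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")          # 14-19 digits, optional separators


def luhn_ok(candidate):
    """Luhn checksum; weeds out most random digit runs (order ids and the like)."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_cloud_storage(host):
    return host in APPROVED_CLOUD or any(
        host == s or host.endswith("." + s) for s in CLOUD_SUFFIXES)


def classify(line):
    """Return findings for one log line as (control, user, host) tuples."""
    _ts, user, method, url, _size, preview = line.split(" ", 5)
    host = urlsplit(url).hostname or ""
    findings = []
    if method not in UPLOAD_METHODS:
        return findings                     # browsing and downloads move no data out
    if is_cloud_storage(host) and host not in APPROVED_CLOUD:
        findings.append(("URL_FILTER", user, host))
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(preview)):
        findings.append(("DLP", user, host))
    return findings


def scan(lines):
    out = []
    for line in lines:
        out.extend(classify(line))
    return out


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z alice POST https://storage.corp-approved.example/upload 2048 quarterly.xlsx",
    "2024-05-01T09:02:17Z bob PUT https://www.dropbox.com/upload 5242880 customers.csv",
    "2024-05-01T09:05:42Z carol POST https://api.box.com/2.0/files 1024 card=4111 1111 1111 1111",
    "2024-05-01T09:06:03Z dave GET https://www.dropbox.com/home 512 -",
    "2024-05-01T09:09:55Z erin POST https://drive.google.com/upload 4096 order=1234567890123456",
]

if __name__ == "__main__":
    for control, user, host in scan(SAMPLE_LOG):
        print(f"{control:10} {user:6} -> {host}")
```

Alice's upload to the sanctioned service produces nothing, Dave's GET is ignored, and Erin's upload is stopped by the URL filter only: her sixteen-digit order number fails the Luhn check, so it is not reported as a card number. Only Carol's request triggers both controls.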

37
Q

Which of the following is one of the most common open standards to enable federation in the cloud?

A. SOAP
B. X.509
C. SAML
D. Kerberos
E. XML
A

C. SAML

Explanation:
A variety of identity providers or service providers may generate tokens such as SAML, OpenID, or OAuth tokens for session caching, allowing a pass-through sign-on capability.
Applications to be deployed in cloud should have capability to integrate with these claims/assertion services and Application/Services should be designed to support the open standards for Federation, ie SAML, OAuth, OpenID

38
Q

How can you prevent cloud providers from inappropriately accessing customer data?

A. Use strong contractual controls to prevent unauthorized access
B. Disable the root user access and delete the access keys
C. Wherever possible, do not store the keys in the cloud
D. Implement strong access controls on your data
E. Encrypt your data at rest and implement MFA

A

D. Implement strong access controls on your data

Explanation:
Whenever possible, keys should not be stored in the cloud and must be maintained by the enterprise or a trusted key management service provider
Where data is stored in a public cloud environment, there are problems when exiting that environment to be able to prove that all data (especially PII or SPI data, or data subject to regulatory assurance regimes) has been deleted from the public cloud environment, including all other media, such as back up tapes.
Maintaining local key management allows such assurance by revoking (or just deleting/losing) the key from the key management system, thus assuring that any data remaining in the public cloud cannot be decrypted
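The following is an added example, not from the CCSK material, that puts card 20 (client-side encryption with an engine embedded in the application) and this card (keys kept outside the cloud, and key destruction as exit assurance) into working code. The object store and the local key store are plain dicts standing in for a cloud bucket and an enterprise key management service; the cipher is built from the Python standard library only (HMAC-SHA256 as a PRF in counter mode with an encrypt-then-MAC tag), which is an illustrative construction, not a recommendation: a production client should use a vetted AEAD such as AES-GCM from a real cryptography library.

```python
"""Client-side encryption with keys kept out of the cloud.

Added example, not from the CCSK material. The object store and the local
key store are plain dicts standing in for a cloud bucket and an enterprise
key management service. The cipher is built from the standard library only
(HMAC-SHA256 as a PRF in counter mode, with an encrypt-then-MAC tag); a
production client should use a vetted AEAD such as AES-GCM from a real
crypto library instead. The point shown is the one the cards make: the
provider only ever holds ciphertext, and destroying the local key makes
every remaining copy of the object, backups included, unrecoverable.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(data_key, label):
    """Derive separate encryption and MAC keys from one 32-byte data key."""
    return hmac.new(data_key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(data_key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(data_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(data_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(data_key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(data_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered with or wrong key")
    ks = _keystream(_subkey(data_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class ClientSideStore:
    """The application encrypts before upload; the provider sees only
    ciphertext and an opaque key id."""

    def __init__(self):
        self.bucket = {}      # stand-in for cloud object storage
        self.local_kms = {}   # stand-in for on-premises key management

    def put(self, name, data):
        key_id = os.urandom(8).hex()
        self.local_kms[key_id] = os.urandom(32)   # one data key per object
        self.bucket[name] = (key_id, encrypt(self.local_kms[key_id], data))

    def get(self, name):
        key_id, blob = self.bucket[name]
        if key_id not in self.local_kms:
            raise KeyError(f"key {key_id} destroyed; {name} cannot be decrypted")
        return decrypt(self.local_kms[key_id], blob)

    def crypto_shred(self, name):
        """Exit assurance: delete the key, not the (possibly backed-up) object."""
        key_id, _ = self.bucket[name]
        del self.local_kms[key_id]


def provider_can_read(store, name, plaintext):
    """What a curious provider learns from the stored blob: nothing useful."""
    _, blob = store.bucket[name]
    return plaintext in blob


if __name__ == "__main__":
    store = ClientSideStore()
    store.put("pii.csv", b"name,ssn\nalice,123-45-6789\n")
    print("round trip ok:", store.get("pii.csv").startswith(b"name,ssn"))
    print("provider sees SSN:", provider_can_read(store, "pii.csv", b"123-45-6789"))
    store.crypto_shred("pii.csv")
    try:
        store.get("pii.csv")
    except KeyError as err:
        print("after shred:", err)
```

Because the provider never holds the data key, it cannot decrypt the object on its own, and once the key is deleted from the local store no copy of the ciphertext (including backup media the customer cannot inspect) can be recovered, which is the assurance the card describes. The per-object data key also limits the blast radius of any single key compromise.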

39
Q

Which of the following is a permission to do something like access a file, network, or perform a certain function like an API call on a particular resource?

A. Entitlement
B. Access Control
C. Authentication
D. Authorization
E. Identification
A

D. Authorization

Explanation:
An authorization is permission to do something - access a file or network, or perform a certain function like an API call on a particular resource.
An access control allows or denies the expression of that authorization, so it includes aspects like assuring that the user is authenticated before allowing access

An entitlement maps identities to authorizations and any required attributes (ie user x is allowed access to resource y when z attributes have designated values)
We commonly refer to a map of these entitlements as an entitlement matrix.
Entitlements are often encoded as technical policies for distribution and enforcement

40
Q

Role-based Access Control (RBAC) model for IAM offers greater flexibility and security than the Attribute Based Access Control (ABAC) model

A. True
B. False

A

B. False

Explanation:
Cloud platforms tend to have greater support for the Attribute-Based Access Control (ABAC) model for IAM, which offers greater flexibility and security than the Role-Based Access Control (RBAC) model.
RBAC is the traditional model for enforcing authorizations and relies on what is often a single attribute (a defined role)

ABAC allows more granular and context aware decisions by incorporating multiple attributes, such as role, location, authentication method and more

ABAC is the preferred model for cloud based access management

41
Q

Which of the following is a preferred model for cloud based access management?

A. Role Based
B. Identity Based
C. Access Based
D. Attribute Based

A

D. Attribute Based

Explanation:
ABAC is the preferred model for cloud based access management
Cloud platforms tend to have greater support for the Attribute Based Access Control (ABAC) model for IAM, which offers greater flexibility and security than the Role Based Access Control (RBAC) model
RBAC is the traditional model for enforcing authorizations and relies on what is often a single attribute (a defined role)
ABAC allows more granular and context aware decisions by incorporating multiple attributes, such as role, location, authentication method and more
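The entitlement matrix from question 39 and the RBAC versus ABAC comparison from questions 40 and 41, as an added example that is not part of the original deck. The same requests are evaluated against a role-only matrix and against a matrix whose rows carry a condition over request-time attributes (MFA, device posture, location, change window). The roles, resource names, attribute names and sample requests are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Request:
    """What the policy decision point sees (constructed for this example):
    subject, roles, action, resource and the attributes gathered at request time."""
    subject: str
    roles: frozenset
    action: str
    resource: str
    attrs: dict


def _matches(pattern: str, value: str) -> bool:
    """'*' matches anything; 'prefix*' matches by prefix; otherwise exact match."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


# RBAC entitlement matrix: role -> {(action, resource pattern)}.
# The only attribute the decision consults is the role.
RBAC_MATRIX: Dict[str, Set[Tuple[str, str]]] = {
    "admin":     {("*", "*")},
    "developer": {("read", "bucket:logs/*"), ("write", "bucket:builds/*")},
    "auditor":   {("read", "bucket:logs/*"), ("read", "bucket:builds/*")},
}


def rbac_decide(req: Request) -> bool:
    for role in req.roles:
        for action, resource in RBAC_MATRIX.get(role, set()):
            if _matches(action, req.action) and _matches(resource, req.resource):
                return True
    return False  # default deny


# ABAC entitlement matrix: (action, resource pattern, condition). The condition is
# the "attribute z has the designated value" part of an entitlement, written as a
# predicate over the whole request so role, location, MFA state and device
# posture can all take part in one decision.
Condition = Callable[[Request], bool]
ABAC_MATRIX: List[Tuple[str, str, Condition]] = [
    # developers may publish builds, but only with MFA and from a managed device
    ("write", "bucket:builds/*",
     lambda r: "developer" in r.roles
     and r.attrs.get("mfa") is True
     and r.attrs.get("managed_device") is True),
    # log access is limited to approved regions (data residency)
    ("read", "bucket:logs/*",
     lambda r: bool(r.roles & {"developer", "auditor", "admin"})
     and r.attrs.get("location") in {"EU", "US"}),
    # admins can do anything, but only with MFA inside an open change window
    ("*", "*",
     lambda r: "admin" in r.roles
     and r.attrs.get("mfa") is True
     and r.attrs.get("change_window_open") is True),
]


def abac_decide(req: Request) -> bool:
    for action, resource, condition in ABAC_MATRIX:
        if _matches(action, req.action) and _matches(resource, req.resource) and condition(req):
            return True
    return False  # default deny: no matching row means no authorization


def decide(req: Request) -> Tuple[bool, bool]:
    """(RBAC decision, ABAC decision) for the same request."""
    return rbac_decide(req), abac_decide(req)


# Constructed sample requests.
DEV_UNMANAGED = Request("alice", frozenset({"developer"}), "write", "bucket:builds/app.tar",
                        {"mfa": False, "managed_device": False, "location": "EU"})
DEV_HARDENED = Request("alice", frozenset({"developer"}), "write", "bucket:builds/app.tar",
                       {"mfa": True, "managed_device": True, "location": "EU"})
AUDITOR_OFFSHORE = Request("bob", frozenset({"auditor"}), "read", "bucket:logs/2024/app.log",
                           {"mfa": True, "location": "CN"})
ADMIN_NO_WINDOW = Request("carol", frozenset({"admin"}), "delete", "bucket:builds/",
                          {"mfa": True, "change_window_open": False})
DEV_DELETE = Request("alice", frozenset({"developer"}), "delete", "bucket:builds/app.tar",
                     {"mfa": True, "managed_device": True})

if __name__ == "__main__":
    for label, req in [("developer, unmanaged laptop, no MFA", DEV_UNMANAGED),
                       ("developer, managed laptop, MFA", DEV_HARDENED),
                       ("auditor reading logs from CN", AUDITOR_OFFSHORE),
                       ("admin outside change window", ADMIN_NO_WINDOW),
                       ("developer deleting builds", DEV_DELETE)]:
        rbac, abac = decide(req)
        print(f"{label:40} RBAC={rbac!s:5} ABAC={abac}")
```

The role-only matrix says yes to the first four requests because the role alone satisfies it; the attribute-based matrix refuses the unmanaged laptop, the offshore log read and the out-of-window admin action while still allowing the same developer once MFA and device posture are in place. Both matrices default to deny when no row matches.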

42
Q

For which of the following SecaaS concerns should providers be held to the highest standard of multitenant isolation and segregation?

A. Requirement to handle regulated data
B. Global regulatory differences
C. Fear of data leakage
D. Lack of sufficient visibility

A

C. Fear of data leakage

Explanation:
As with any cloud computing service or product, there is always the concern of data from one cloud user leaking to another.
This risk isn't unique to SecaaS, but the highly sensitive nature of security data (and other regulated data potentially exposed in security scanning or incidents) does mean that SecaaS providers should be held to the highest standards of multitenant isolation and segregation.
Security-related data is also likely to be involved in litigation, law enforcement investigations, and other discovery situations.
Customers want to ensure their data will not be exposed when these situations involve another client on the service

43
Q

Cloud based Web Application Firewalls (WAFs) also include anti-DDoS capabilities

A. True
B. False

A

A. True

Explanation:
In a cloud-based WAF, customers redirect traffic (using DNS) to a service that analyzes and filters traffic before passing it through to the destination web application.
Many cloud WAFs also include anti-DDoS capabilities. Because the redirection is only a DNS change, the origin should accept traffic only from the WAF provider's address ranges; otherwise an attacker who learns the origin address can bypass both the filtering and the DDoS protection

44
Q

Which of the following encryption methods is utilized when object storage is used as the back-end for an application?

A. Client/Application Encryption
B. Symmetric Encryption
C. Database Encryption
D. Asymmetric Encryption
E. Object Encryption
A

A. Client/Application Encryption

Explanation:
Object storage encryption protects from many of the same risks as volume storage.
Since object storage is more often exposed to public networks, it also allows the user to implement Virtual Private Storage (VPS).
Like a VPN, a VPS allows use of a public shared infrastructure while still protecting data, since only those with the encryption keys can read the data even if it is otherwise exposed

File/Folder Encryption and Enterprise Digital Rights Management - Use standard file/folder encryption tools or EDRM to encrypt the data before placing it in object storage

Client/Application Encryption - When object storage is used as the back-end for an application (including mobile applications), encrypt the data using an encryption engine embedded in the application or client

Proxy Encryption - Data passes through an encryption proxy before being sent to object storage
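Client/application encryption of objects (question 44) and crypto-shredding by destroying a locally held key (question 38), as one added example that is not part of the original deck. Each object gets its own data key, the data key is wrapped with a key-encryption key that stays in the customer's key management, and only the ciphertext and the wrapped data key go to the object store, which also keeps backups the customer cannot reach. Destroying the key-encryption key leaves every copy, backups included, unreadable. The class names, the HMAC-SHA256 keystream construction and the sample record are assumptions made for this example; a production client would use AES-GCM from a vetted library and the same wrap/unwrap flow.

```python
import hashlib
import hmac
import secrets

# --- Minimal authenticated encryption from the standard library (illustrative) ---
# keystream = HMAC-SHA256(enc_key, nonce || counter); encrypt-then-MAC with a separate
# MAC key. The cloud-side logic below does not depend on which cipher is used.

def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    if len(blob) < 48:
        raise ValueError("malformed ciphertext")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))

# --- Customer side: key management that never leaves the customer's control ---
class LocalKMS:
    def __init__(self):
        self._keks = {}

    def create_kek(self, name):
        self._keks[name] = secrets.token_bytes(32)

    def wrap(self, name, dek):
        return encrypt(self._keks[name], dek)

    def unwrap(self, name, wrapped):
        if name not in self._keks:
            raise KeyError(f"KEK {name!r} has been destroyed")
        return decrypt(self._keks[name], wrapped)

    def destroy_kek(self, name):
        """Crypto-shredding: every DEK wrapped under this KEK becomes unrecoverable."""
        del self._keks[name]

# --- Provider side: the object store plus backups the customer cannot inspect ---
class ObjectStore:
    def __init__(self):
        self.objects, self.backups = {}, []

    def put(self, key, blob, metadata):
        self.objects[key] = (blob, metadata)
        self.backups.append((key, blob, dict(metadata)))  # provider keeps its own copy

    def get(self, key):
        return self.objects[key]

def put_encrypted(store, kms, kek_name, key, plaintext):
    dek = secrets.token_bytes(32)                     # fresh data key per object
    wrapped = kms.wrap(kek_name, dek)                 # only the wrapped DEK travels
    store.put(key, encrypt(dek, plaintext), {"kek": kek_name, "wrapped_dek": wrapped.hex()})

def get_decrypted(store, kms, key):
    blob, meta = store.get(key)
    dek = kms.unwrap(meta["kek"], bytes.fromhex(meta["wrapped_dek"]))
    return decrypt(dek, blob)

def crypto_shred_demo():
    pii = b"Alice Example, passport X1234567, DOB 1980-01-01"   # constructed sample record
    kms, store = LocalKMS(), ObjectStore()
    kms.create_kek("tenant-a-2024")
    put_encrypted(store, kms, "tenant-a-2024", "customers/alice.json", pii)
    readable_before = get_decrypted(store, kms, "customers/alice.json") == pii
    kms.destroy_kek("tenant-a-2024")                  # the exit step: revoke/delete the key
    try:
        get_decrypted(store, kms, "customers/alice.json")
        readable_after = True
    except KeyError:
        readable_after = False
    copies = [store.objects["customers/alice.json"][0]] + [b for _, b, _ in store.backups]
    return {"readable_before": readable_before, "readable_after": readable_after,
            "copies_still_in_cloud": len(copies),
            "plaintext_visible_in_any_copy": any(pii in blob for blob in copies)}

if __name__ == "__main__":
    print(crypto_shred_demo())
```

Note what the provider is left holding after the shred: the ciphertext, its backup, and a wrapped data key that nothing can unwrap. The assurance depends on the client discarding the unwrapped data key after use and on the provider never having seen the key-encryption key.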

45
Q

Which technique is used in the cloud to coordinate carving out and delivering a set of resources from the pools to the consumers?

A. Abstraction
B. Orchestration
C. Virtualization
D. Multi-Tenanting

A

B. Orchestration

Explanation:
The key techniques to create a cloud are abstraction and orchestration.
We abstract the resources from the underlying infrastructure to create our pools, and use orchestration (and automation) to coordinate carving out and delivering a set of resources from the pools to the consumers.
As you will see, these two techniques create all the essential characteristics we use to define something as a cloud

46
Q

Which of the following is one of the challenges of application security in a cloud environment?

A. Responsiveness
B. Isolated Environments
C. Elasticity
D. DevOps
E. Limited Detailed Visibility
A

E. Limited Detailed Visibility

Explanation:
Limited Detailed Visibility - Visibility and the availability of monitoring and logging are impacted, requiring new approaches to gathering security related data. This is especially true when using PaaS, where commonly available logs such as system or network logs are often no longer accessible to the cloud user

Increased Application Scope - The management plane/metastructure security directly affects the security of any applications associated with that cloud account. Developers and operations will also likely need access to the management plane, as opposed to always going through a different team. Data and sensitive information is also potentially exposable within the management plane. Lastly, modern cloud applications often connect with the management plane to trigger a variety of automated actions, especially when PaaS is involved. For all those reasons, management plane security is now within scope of the application's security, and a failure on either side could bridge into the other

Changing Threat Models - The cloud provider relationship and the shared security model will need to be included in the threat model, as well as in any operational and incident response plans. Threat models also need to adapt to reflect the technical differences of the cloud provider or platform in use

Reduced Transparency - There may be less transparency as to what is going on within the application, especially as it integrates with external services. For example, you rarely know the entire set of security controls for an external PaaS service integrated with your application

47
Q

Which of the following frameworks is used in the industry to describe a series of security activities during all phases of application development, deployment and operations?

A. FIPS
B. OWASP
C. ISO27001
D. ITIL
E. SOC 2
A

B. OWASP

Explanation:
The SSDLC describes a series of security activities during all phases of application development, deployment and operations. There are multiple frameworks used in the industry, including:
Microsoft’s Security Development Lifecycle
NIST 800-64
ISO/IEC 27034

Other organizations, including Open Web Application Security Project (OWASP) and a variety of application security vendors, also publish their own lifecycle and security activities guidance

48
Q

Which of the following encrypts and prevents the unauthorized copying or changing of the content?

A. Data Hashing
B. Data Encryption
C. Digital Rights Management (DRM)
D. Digital Certificates
E. Public Key Cryptography
A

C. Digital Rights Management (DRM)

Explanation:
At its core, Digital Rights Management encrypts content, and then applies a series of rights.
Rights can be as simple as copying, or as complex as specifying group- or user-based restrictions on activities like cutting and pasting, emailing, changing the content, etc.
Any application or system that works with DRM-protected data must be able to interpret and implement the rights, which typically also means integrating with the key management system

49
Q

Private Cloud operated solely for a single organization can be located at -

A. Only On-Premise
B. Only Off-Premise
C. Both On-Premise and Off-Premise
D. Trusted Third Party

A

C. Both On-Premise and Off-Premise

Explanation:
The cloud infrastructure is operated solely for a single organization.
It may be managed by the organization or a third party and may be located on-premise or off-premise

50
Q

Which of the following ensures that the consumers only use what they are allotted and are charged for it?

A. Rapid Elasticity
B. Broad Network Access
C. On-Demand Service
D. Measured Service
E. Metered Service
A

D. Measured Service

Explanation:
Measured service meters what is provided, to ensure that consumers only use what they are allotted, and, if necessary, to charge them for it.
This is where the term utility computing comes from, since computing resources can now be consumed like water and electricity, with the client only paying for what they use

51
Q

Which of the following includes all the documentation on a provider's internal and external compliance assessments?

A. Contract
B. Supplier (Cloud Provider) Assessment
C. Compliance Report
D. Audit Report
E. Cloud Security Alliance STAR Registry
A

C. Compliance Report

Explanation:
Compliance Reporting includes all the documentation on a provider's internal and external compliance assessments.
They are the reports from audits of controls, which an organization can perform themselves, a customer can perform on a provider (although this usually isn't an option in cloud), or have performed by a trusted third party
Third-party audits and assessments are preferred since they provide independent validation (assuming you trust the third party)
Compliance reports are often available to cloud prospects and customers but may only be available under NDA or to contracted customers.
This is often required by the firm that performed the audit and isn't necessarily something that's completely under the control of the cloud provider

52
Q

Under GDPR, within what amount of time must a company report a breach?

A. As soon as the breach is identified
B. You can report the breach any time after the breach is identified
C. Within 24 hours of the company becoming aware of the breach
D. Within 72 hours of the company becoming aware of the breach
E. There is no restriction on the report of data breach

A

D. Within 72 hours of the company becoming aware of the breach

Explanation:
The GDPR requires companies to report that they have suffered a breach of security.
The reporting requirements are risk-based and there are different requirements for reporting the breach to the Supervisory Authority and to the affected data subjects.
Breaches must be reported to the Supervisory Authority within 72 hours of the company becoming aware of the incident, where feasible; a later notification must be accompanied by the reasons for the delay

53
Q

If a cloud service provider receives a request to provide client information in the form of a subpoena or a court order, how can clients have the ability to fight the request?

A. The cloud service agreement can have a clause to notify the customer and give time to fight the request for access
B. There is no option; cloud service providers will have to provide the requested data to the third party
C. The cloud service provider can ignore the request and let the client handle the court order
D. The cloud service provider can work with the third party and negotiate the terms of data disclosure without informing the client

A

A. The cloud service agreement can have a clause to notify the customer and give time to fight the request for access

Explanation:
A cloud service provider may receive, from a third party, a request to provide information; this may be in the form of a subpoena, a warrant, or a court order in which access to the client data is demanded.
The client may want to have the ability to fight the request for access in order to protect the confidentiality of their data.
To this end, the cloud service agreement should require the cloud service provider to notify the customer that a subpoena was received and give the company time to fight the request for access.
The cloud service provider might be tempted to reply to the request by opening its facilities and providing the requester with whatever they request.
Before doing so, the cloud service provider should ensure, in consultation with counsel, that the request is legal and solid.
The cloud service provider should carefully analyze the request before disclosing information in its custody, and consider whether it can meet its obligations to its clients when releasing information.
In some cases, a provider may be better able to serve the needs of its clients by fighting an overbroad or otherwise problematic demand for information

54
Q

Which of the following comes immediately after the data creation in the data security lifecycle?

A. Save
B. Store
C. Share
D. Use
E. Provider
A

B. Store

Explanation:
The lifecycle includes six phases from creation to destruction.
Although it is shown as a linear progression, once created, data can bounce between phases without restriction, and may not pass through all stages (for example, not all data is eventually destroyed)

Create - Creation is the generation of new digital content, or the alteration/updating/modifying of existing content.

Store - Storing is the act of committing the digital data to some sort of storage repository and typically occurs nearly simultaneously with creation

Use - Data is viewed, processed, or otherwise used in some sort of activity, not including modification

Share - Information is made accessible to others, such as between users, to customers, and to partners

Archive - Data leaves active use and enters long-term storage

Destroy - Data is permanently destroyed using physical or digital means (e.g. cryptoshredding)

55
Q

Which of the following statement related to lift and shift of existing application to a cloud environment is true?

A. Direct lift and shift of existing applications to cloud without architectural changes are more likely to account for failures and will take advantage of potential improvements from leveraging platform
B. Direct lift and shift of existing applications to cloud without architectural changes are less likely to account for failures and will not take advantage of potential improvements from leveraging platform
C. Direct lift and shift of existing applications to cloud with or without architectural changes will take the same advantage of potential improvements from leveraging platform
D. Direct lift and shift of existing applications to cloud without architectural changes is not possible

A

B. Direct lift and shift of existing applications to cloud without architectural changes are less likely to account for failures and will not take advantage of potential improvements from leveraging platform

Explanation:
It is typically best to re-architect deployments when you migrate them to the cloud.
Resiliency itself, and the fundamental mechanisms for ensuring resiliency, change.
Direct lift and shift migrations are less likely to account for failures, nor will they take advantage of potential improvements from leveraging platform- or service-specific capabilities
Instead of lifting and shifting existing information architectures, take the opportunity of the migration to the cloud to re-think and re-structure what is often the fractured approach used in existing infrastructure.
Don't bring bad habits

56
Q

Which of the following are the most commonly seen networks that are isolated onto dedicated hardware since there is no functional or traffic overlap?

A. Management, Service, Storage
B. Management, Server, Application
C. Server, Application, Storage
D. Server, Network, Storage

A

A. Management, Service, Storage

Explanation:
If you are a cloud provider (including managing a private cloud), physical segregation of the networks composing your cloud is important for both operational and security reasons
We most commonly see at least three different networks which are isolated onto dedicated hardware since there is no functional or traffic overlap:

  • The service network for communications between virtual machines and the internet. This builds the network resource pool for the cloud users
  • The storage network to connect virtual storage to virtual machines
  • A management network for management and API traffic

57
Q

CSA’s Software Defined Perimeter includes:

A. SDP Node, SDP Controller, SDP Gateway
B. SDP Node, SDP Handler, SDP Gateway
C. SDP Client, SDP Handler, SDP Gateway
D. SDP Client, SDP Controller, SDP Gateway

A

D. SDP Client, SDP Controller, SDP Gateway

Explanation:
The CSA Software Defined Perimeter Working Group has developed a model and specification that combines device and user authentication to dynamically provision network access to resources and enhance security.

SDP Includes three components:

  • An SDP Client on the connecting asset (ie a laptop)
  • The SDP Controller for authenticating and authorizing SDP clients and configuring the connections to SDP Gateways
  • The SDP Gateway for terminating SDP client network traffic and enforcing policies in communication with the SDP Controller

58
Q

The most fundamental security control for any multitenant network is:

A. Hypervisor Security
B. Segregation and Isolation of network traffic
C. Logging and monitoring Controls
D. Secure Image Creation Process

A

B. Segregation and Isolation of network traffic

Explanation:
The cloud provider is primarily responsible for building a secure network infrastructure and configuring it properly.
The absolute top security priority is segregation and isolation of network traffic to prevent tenants from viewing another's traffic.
This is the most foundational security control for any multitenant network

59
Q

Which of the following are the most important aspects of incident response for cloud-based resources?

A. Expectations around what the customer does versus what the provider does
B. Service Level Agreements
C. Non Disclosure Agreement
D. B & C
E. A & B
A

E. A & B

Explanation:
SLAs and setting expectations around what the customer does versus what the provider does are the most important aspects of incident response for cloud-based resources.
Clear communications of roles/responsibilities and practicing the response and hand offs are critical

60
Q

In federation, which party makes assertions to which party?

A. Identity provider makes assertions to a relying party after building a trust relationship
B. Relying party makes assertions to Identity Provider after building a trust relationship
C. Relying party makes assertions to Identity Broker
D. Identity Broker Makes assertions to identity provider

A

A. Identity provider makes assertions to a relying party after building a trust relationship

Explanation:
How Federated Identity Management Works:
Federation involves an identity provider making assertions to a relying party after building a trust relationship.
At the heart are a series of cryptographic operations to build the trust relationships and exchange credentials.
A practical example is a user logging in to their work network, which hosts a directory server for accounts.
That user then opens a browser connection to a SaaS application.
Instead of logging in, there are a series of behind-the-scenes operations, where the identity provider (the internal directory server) asserts the identity of the user, and that the user authenticated, as well as any attributes.
The relying party trusts those assertions and logs the user in without the user entering any credentials.
In fact, the relying party doesn't even have a username or password for that user; it relies on the identity provider to assert successful authentication.
To the user, they simply go to the website for the SaaS application and are logged in, assuming they successfully authenticated with the internal directory
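The exchange described above, as an added example that is not part of the original deck: the identity provider is the only party holding credentials and issues a signed assertion (subject, authenticated flag, attributes, audience, validity window); the relying party holds no passwords and logs the user in only after the signature, issuer, audience and validity window check out. The shared HMAC key, the claim names and the sample user are assumptions made for this example; SAML and OIDC deployments use the same structure but typically sign with the IdP's private key and publish the public key for relying parties.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The internal directory: the only party that holds user credentials."""

    def __init__(self, issuer, signing_key):
        self.issuer = issuer
        self._signing_key = signing_key
        self._users = {}  # username -> (salt, password digest, attributes)

    def add_user(self, username, password, **attributes):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest, attributes)

    def authenticate(self, username, password, audience, now=None):
        """Verify the password locally and, on success, sign an assertion for one audience."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, digest, attributes = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(digest, candidate):
            return None                                    # no assertion for a failed login
        now = int(time.time()) if now is None else now
        claims = {"iss": self.issuer, "sub": username, "aud": audience,
                  "iat": now, "exp": now + 300, "authenticated": True, "attrs": attributes}
        payload = _b64(json.dumps(claims, sort_keys=True).encode())
        signature = _b64(hmac.new(self._signing_key, payload.encode(), hashlib.sha256).digest())
        return f"{payload}.{signature}"


class RelyingParty:
    """The SaaS application: stores no passwords, only which issuers it trusts."""

    def __init__(self, name, trusted_issuers):
        self.name = name
        self._trusted = trusted_issuers                   # issuer -> key agreed out of band
        self.sessions = {}

    def login_with_assertion(self, assertion, now=None):
        try:
            payload, signature = assertion.split(".")
            claims = json.loads(_unb64(payload))           # untrusted until the signature checks out
            key = self._trusted.get(claims["iss"])
            if key is None:
                return None                                # no trust relationship with this issuer
            expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(_unb64(signature), expected):
                return None                                # forged or tampered
            now = int(time.time()) if now is None else now
            if claims["aud"] != self.name or not (claims["iat"] <= now < claims["exp"]):
                return None                                # meant for another RP, or stale
            if claims["authenticated"] is not True:
                return None
        except (ValueError, KeyError, TypeError):
            return None
        self.sessions[claims["sub"]] = claims["attrs"]
        return claims["sub"]


def federation_demo():
    shared_key = secrets.token_bytes(32)                  # the trust relationship
    idp = IdentityProvider("https://directory.corp.example", shared_key)
    idp.add_user("alice", "correct horse battery staple", department="finance", mfa=True)
    rp = RelyingParty("saas-app", {"https://directory.corp.example": shared_key})

    good = idp.authenticate("alice", "correct horse battery staple", "saas-app")
    payload, signature = good.split(".")
    claims = json.loads(_unb64(payload))
    claims["sub"] = "admin"                               # attacker rewrites the subject
    forged = _b64(json.dumps(claims, sort_keys=True).encode()) + "." + signature
    for_other_app = idp.authenticate("alice", "correct horse battery staple", "other-app")

    return {
        "login": rp.login_with_assertion(good),
        "session_attrs": rp.sessions.get("alice"),
        "bad_password_issues_assertion": idp.authenticate("alice", "wrong", "saas-app") is not None,
        "forged_subject": rp.login_with_assertion(forged),
        "wrong_audience": rp.login_with_assertion(for_other_app),
        "expired": rp.login_with_assertion(good, now=int(time.time()) + 3600),
    }


if __name__ == "__main__":
    print(federation_demo())
```

The audience and expiry checks matter as much as the signature: without them an assertion issued for one SaaS application could be replayed against another relying party that trusts the same identity provider, and a captured assertion would remain valid indefinitely.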