CCSP Domain 1: Cloud Concepts, Architecture Mike Chappel 3rdEdition Flashcards
Matthew is reviewing a new cloud service offering that his organization plans to adopt. In this offering, a cloud provider will create virtual server instances under the multitenancy model. Each server instance will be accessible only to Matthews company. What cloud deployment model is being used?
A. Hybrid cloud
B. Public Cloud
C. Private cloud
D. Community Cloud
B. Public Cloud
Explanation:
The key to answering this questions is recognizing that the multi tenancy model involves many different customers accessing cloud resources hosted on shared hardware. That makes this a public cloud deployment, regardless of the fact that access to a particular server instance is limited to Matthews company. In a private cloud deployment, only Matthews company would have access to any resources hosted on the same physical hardware. This is not multi tenancy. There is no indication that Matthews organization is combining resources of public and private cloud computing, which would be a hybrid cloud, or that the resource use is limited to members of a particular group which would be a community cloud
Zeke is responsible for sanitizing a set of SSDs removed from servers in his organizations datacenter. The drives will be reused on a different project. Which of the following sanitization techniques would be most effective?
A. Cryptographic erasure
B. Physical destruction
C. Degaussing
D. Overwriting
A. Cryptographic erasure
Explanation:
A cryptographic erasure is a strong sanitization technique that involves encrypting the data with a strong encryption engine and then taking the keys generated in that process, encrypting them with a different encryption encryption engine, and destroying the resulting keys of the second round of encryption. This technique is effective on both magnetic and SSDs. Degaussing and overwriting are not effective on SSDs. Physical destruction would effectively sanitize the media but would prevent Zeke from reusing the drives
Tina would like to use technology that will allow her to bundle up workloads and easily move them between different operating systems. What technology would best meet this need?
A. Virtual machines
B. Serverless computing
C. Hypervisors
D. Containers
A. Virtual machines
Explanation:
Containers do not provide easy portability because they are dependent upon the host OS. Hypervisors are used to host virtual machines on a device, so that is another incorrect answer. Serverless computing is a PaaS model that allows customers to run their own code on the providers platform without provisioning servers, so that is also incorrect. Virtual machines are self contained and have their own internal OS, so it is possible to move them between different host OS
Under the cloud reference architecture, which one of the following activities is not generally part of the responsibilities of the customer?
A. Monitor services
B. Prepare systems
C. Perform business administration
D. Handle problem reports
B. Prepare systems
Explanation:
Under the cloud reference architecture, the activities of customers are to use cloud service, perform service trials, monitor services, administer service security, provide billing and usage reports, handle problem reports, administer tenancies, perform business administration, select and purchase service, and request audit reports. Preparing systems is one of the responsibilities of cloud service providers
Seth is helping his organization move their web server cluster to a cloud provider. The goal of this move is to provide the cluster with the ability to grow and shrink based on changing demand. What characteristic of cloud computing is Seth hoping to achieve?
A. Scalability
B. On Demand Self Service
C. Elasticity
D. Broad network access
C. Elasticity
Explanation:
The reality is that Seth will likely achieve all of these goals, but the most relevant one is elasticity. Elasticity refers to the ability of a system to dynamically grow and shrink based on the current level of demand. Scalability refers to the ability of a system to grow as demand increases but does not require the ability to shrink.
Sherry is deploying a zero trust network architecture for her organization. In this approach, which one of the following characteristics would be least important in validating a login attempt?
A. User Identity
B. IP Address
C. Geolocation
D. Nature of requested access
B. IP Address
Explanation:
The defining characteristic of zero trust network architecture is that trust decisions are not based on network location, such as IP address. It is appropriate to use other characteristics such as a users identity, the nature of the requested access, and the users geographic (not network) location
Which one of the following hypervisor models is the most resistant to attack?
A. Type 1
B. Type 2
C. Type 3
D. Type 4
A. Type 1
Explanation:
If a cloud provider is able to choose between types of hypervisors, the bare metal (Type 1) hypervisor is preferable to the hypervisor that runs off the OS (type 2) because it will offer less attack surface. Type 3 and 4 hypervisors do not exists
Joe is using a virtual server instance running on a public cloud provider and would like to restrict the ports on that server accessible from the internet. What security control would best allow him to meet this need?
A. Geofencing
B. Traffic inspection
C. Network firewall
D. NSGs
D. NSGs
Explanation:
NSGs provide functionality equivalent to network firewalls for cloud hosted server instances. They allow the restriction of traffic that may reach a server instance. Joe would not be able to modify the network firewall rules because those are only available to the cloud provider.
Geofencing would restrict the geographic locations from which users may access the servers, which is not Joes requirement.
Traffic inspection may be used to examine the traffic reaching the instance but is not normally used to create port based restrictions
Which of the following cybersecurity threats is least likely to directly affect an object storage service?
A. Disk failure
B. User error
C. Ransomware
D. Virus
D. Virus
Explanation:
Object storage services are susceptible to disk failures and user error that may unintentionally destroy or modify data. They are also vulnerable to ransomware attacks that infect systems with access to the object store and then encrypt data stored on the service. They are unlikely to be affected by traditional viruses because they do not have a runtime environment
Vince would like to be immediately alerted whenever a user with access to a sensitive cloud service leaves a defined physical area. What type of security control should he implement?
A. Intrusion prevention system
B. Geofencing
C. Firewall Rule
D. Geotagging
B. Geofencing
Explanation:
Geofencing may be used to trigger actions, such as an alert, when a user or device leaves a defined geographic area. Firewalls and intrusion prevention systems may incorporate geographic information into their decision making processes but would not provide the immediate notification that Vince desires. Geotagging simply annotates log records or other data with the geographic location of the user performing an action but does not directly provide alerting based on geographic location
Which of the following characteristics is not a component of the standard definition of cloud computing?
A. Broad network access
B. Rapid provisioning
C. Multitenancy
D. On Demand Self Service
C. Multitenancy
Explanation:
Cloud computing is a model for enabling ubiquitous, convenient on demand network access to a shared pool of configurable computing resources (ie networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This definition does not include multitenancy, which is a characteristic of public cloud computing but not all cloud computing models
Which one of the following sources providers a set of vendor neutral design patterns for cloud security?
A. Cloud Security Alliance
B. AWS
C. Microsoft
D. ICS^2
A. Cloud Security Alliance
Explanation:
CSA provides an enterprise architecture reference guide that offers vendor netural design patterns for cloud security. AWS and Microsoft do provide cloud patterns but they are specific to the service offerings of those vendors.
Lori is using an API to access sensitive information stored in a cloud service. What cloud secure data lifecycle activity is Lori engage in?
A. Store
B. Use
C. Destroy
D. Create
B. Use
Explanation:
The use of an API is an example of accessing data programmatically during the Use phase of the lifecycle. If Lori were simply placing data into a cloud service or maintaining data there, that would be an example of the Store phase. Lori is not creating or destroying data; she is simply using the data that is already stored in the cloud service
Helen would like to provision a disk volume in the cloud that is mountable from a server. What cloud capability does she want?
A. Virtualized server
B. Object storage
C. Network capacity
D. Block storage
D. Block storage
Explanation:
This is an example of block storage, storage that is available as disk volumes. Object storage maintains files in buckets. Virtualized servers are compute capabilities, not storage capabilities. Network capacity is used to connect servers to each other and the internet and is not used for the storage of data
Ben is using the sudo command to carry out operations on a Linux server. What type of access is he using?
A. Service access
B. Unauthorized access
C. User access
D. Privileged Access
D. Privileged Access
Explanation:
The sudo command allows a normal user account to execute administrative commands and is an example of privileged access, not standard user access. There is no indication in the scenario that Ben lacks proper authorization for this access. Service access is the access to resources by system services, rather than individual people
Which one of the cryptographic goals protects against the risks posed when a device is lost or stolen?
A. Nonrepudiation
B. Authentication
C. Integrity
D. Confidentiality
D. Confidentiality
Explanation:
The greatest risk when a device is lost or stolen is that sensitive data contained on the device will fall into the wrong hands. Confidentiality protects against the risk. Nonrepudiation is when the recipient of a message can prove the originators identity to a third party. Authentication is a means of proving ones identity. Integrity demonstrates that information has not been modified since transmission
What type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence?
A. Quantitative
B. Qualitative
C. Annualized Loss Expectancy
D. Single Loss Expectancy
B. Qualitative
Explanation:
Qualitative tools are often used in business impact assessment to capture the impact on intangible factors such as customer confidence, employee morale and reputation. Quantitative tools, such as the computation of annualized loss expectancies and single loss expectancies, are only appropriate for easily quantifiable risks
Robert is reviewing a system that has been assigned the EAL2 evaluation assurance level under the Common Criteria. What is the highest level of assurance that he may have about the system?
A. It has been functionally
B. It has been structurally tested
C. It has been formally verified, designed and tested
D. It has been semi formally designed and tested
B. It has been structurally tested
Explanation:
EAL2 assurance applies when the system been structurally tested. It is the second to lowest level of assurance under the Common Criteria
Jake would like to use a third party platform to automatically move workloads between cloud service providers. What type of tool would best meet this need?
A. Cloud access service
B. Database
C. Virtualization
D. Orchestration
D. Orchestration
Explanation:
Orchestration tools are designed to manage workloads and seamlessly shift them between cloud service providers. Virtualization platforms allow a cloud provider to host virtual server instance, but they do not provide the ability to migrate workloads between different providers. Databases are a cloud service offering that allows for the organized storage of relational data. Cloud access service brokers (CASBs) allow for the consistent enforcement of security policies across cloud providers
Robert is responsible for securing systems used to process credit card information. What security control framework should guide his action?
A. HIPAA
B. PCI DSS
C. SOX
D. GLBA
B. PCI DSS
Explanation:
The Payment Card Industry Data Security Standard (PCI DSS) governs the storage, processing and transmission of credit card information. HIPAA governs protected health information. The SOX Act regulates the funancial reporting of publicy traded corporations. The Gramm-Leach Billey Act (GLBA) protects personal financial information
What type of effort attempts to bring all of an organizations cloud activities under more centralized control?
A. Cloud access service broker
B. Cloud orchestration
C. Cloud governance
D. Cloud migration
C. Cloud governance
Explanation:
Cloud governane programs try to bring all of an organizations cloud activities under more centralized control. They server as a screening body helping to ensure that cloud services user by the organization meet technical, function and security requirements. They also provide a centralized point of monitoring for duplicative services, preventing different business units from spending money on similar services, preventing different business units from spending money on similar services when consolidation would reduce both costs and the complexity of the operating environment. Cloud orchestration tools are designed to manage workloads and seamlessly shift them between cloud service providers.
Chris is designing a cryptographic system for use within his company. The company has 1000 employees, and they plan to use an asymmetric encryption system. They would like the system to be set up so that any pair of arbitrary users may communication privately. How many total keys will they need?
A. 500
B. 1000
C. 2000
D. 4950
C. 2000
Explanation:
A symmetric cryptosystems use a pair of keys for each user. In this case, with 1000 users, the system will require 2000 keys
Erin is concerned about the risk that a cloud provider user by her organization will fail, so she is creating a strategy that will combine resources from multiple public cloud providers. What term best describes this strategy?
A. Community Cloud
B. Multicloud
C. Private Cloud
D. Hybrid cloud
B. Multicloud
Explanation:
The use of multiple public cloud providers to achieve diversity is known as a multicloud strategy. That is the scenario that Eric is creating. Community clouds are shared cloud resources open to members of an affinity group. Private cloud resources are limited to the use of a single organization. Hybrid
Which one of the following would normally be considered an application capability of a cloud service provider?
A. Network capacity
B. Hosted email
C. Block storage
D. Serverless computing
B. Hosted email
Explanation:
Email is an application level service that is offered by cloud providers as a SaaS capability. Block storage and network capacity are IaaS offerings and are infrastructure capabilities. Serverless computing is a PaaS offering and is a platform capability
What activity are cloud providers able to engage in because not all users will access the full capacitry of their service offering simultaneously?
A. Oversubscription
B. Overprovisioning
C. Underprovisioning
D. Undersubscription
A. Oversubscription
Explanation:
Oversubscrpition means that cloud providers can sell customers a total capacity that exceed the actual physical capacity of their infrastructure, because in the big picture, customers will never use all of that capacity simultaneously. Undersubscription would be when a cloud provider does not sell all of their available capacity and this would not require that users not access services simultaneously. Overprovisioning occurs when a customer (not a service provider) purchases more capacity than they need. Similarly, underprovisioning occurs when a customer does not purchase enough capacity to meet their needs
Brian recently joined an organization that runs the majority of its services on a virtualization platform located in its own datancenter but also leverages an IaaS provider for hosting its web services and an SaaS email system. What term best describes the type of cloud environment this organization uses?
A. Public cloud
B. Dedicated cloud
C. Private cloud
D. Hybrid cloud
D. Hybrid cloud
Explanation:
The scenario describes a mix of public cloud and private cloud services. This is an example of a hybrid cloud environment
In an IaaS environment where a vendor supplies a customer with access to storage services, who is normally responsible for removing sensitive data from drives that are taken out of service?
A. Customers security team
B. Customers storage team
C. Customers vendor management team
D. Vendor
D. Vendor
Explanation:
In an IaaS environment, security duties follow a shared responsibility model. Since the vendor is responsible for managing the storage hardware, the vendor would retain responsibility for destroying or wiping drives as they are taken out of service. However, it is still the customers responsibility to validate that the vendors sanitization procedures meet their requirements prior to utilizing the vendors storage services
Lucca is reviewing his organizations disaster recovery process data and notes that the MTD for the business’s main website is two hours. What does he know about the RTO for the site when he does testing and validation?
A. It needs to be less than two hours
B. It needs to be at least two hours
C. The MTD is too short and needs to be longer
D. The RTO is too short and needs to be longer
A. It needs to be less than two hours
Explanation:
When Lucca reviews the recovery time objective (RTO) data, he needs to ensure that the organization can recover from an outage in less than two hours based on the maximum tolerable downtime (MTD) of two hours
Alice and Bob woud like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority.
When Bob receives an encrypted message from Alien, what key does he use to decrypt the plaintext messages contents?
A. Alice’s public key
B. Alice’s private key
C. Bob’s public key
D. Bobs private key
D. Bobs private key
Explanation:
The recipient of a message that was encrypted using asymmetric cryptography always decrypts that message using their own private key. The sender of the message previously encrypted it using the recipients public key. The senders public and private keys are not used in this process
Jen works for an organization that assist other companies in moving their operations from on premises datacenters to the cloud. Jen’s company does not operate their own cloud services but assists in the use of services offered by other organizations. What term best describes the role of Jen’s company?
A. Cloud service customer
B. Cloud service partner
C. Cloud service provider
D. Cloud Service broker
B. Cloud service partner
Explanation:
Jens organization is a cloud service partner - an organization that helps cloud service customers use the services offered by cloud service providers. In this case, Jebs clients are cloud service customers and they are moving to services offered by cloud service providers. Cloud service brokers and cloud service providers who offer a managed identity and access management service to cloud customers that integrates security requirements across cloud services
Carla is selecting a hardware security module (HSM) for use by her organization. She is employed by an agency of the US federal government and must ensure that the technology she chooses meets applicable federal standards for cryptographic systems. What publication would best help her determine these requirements?
A. NIST 800-53
B. NIST 800-171
C. Common Criteria
D. FIPS 140-2
D. FIPS 140-2
Explanation:
NIST 800-53 provides general cybersecurity standards for federal agencies, whereas NIST 800-171 applies specifically to the use of controlled unclassified information (CUI). The Common Criteria (CC) provide a certification process for hardware and software products. However, the most relevant standard are FIPS 140-2, the security requirements for cryptographic modules. THis guidance is specific to the cryptographic requirements of systems such as HSMs and would have the most directly relevant guidance
Ryan is reviewing the design of a new service that will use several offerings from a cloud service provider. The design depends on some unique features offered only by that provider. What should concern Ryan the most about the fact that these service features are not available from other providers?
A. Vendor lock-in
B. Interoperability
C. Auditability
D. Confidentiality
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 7). Wiley. Kindle Edition.
A. Vendor lock-in
Explanation:
The grestest risk in the situation is that the service offering will depend on features provided only by a single vendor, preventing Ryans organization from moving to a different vendor and locking them into their current provider. Interoperability is the concern that services should be able to integrate and work well together. There is no indication that interoperability is at risk in this scenario. There is also no inidcation that the use of this vendor creates any special auditability or confidentiality concerns
Colin is reviewing a system that has been assigned the EAL7 evaluation assurance level under the Common Criteria. What is the highest level of assurance that he may have about the system?
A. It has been functionally tested.
B.It has been methodically tested and checked.
C. It has been methodically designed, tested, and reviewed.
D . It has been formally verified, designed, and tested.
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.
D . It has been formally verified, designed, and tested.
Explanation:
EAL7 is the highest level of assurance under the Common Criteria. It applies when a system has been formally verified, designed and tested
Which one of the following technologies provides the capability of creating a distributed, immutable ledger?
A. Quantum computing
B. Blockchain
C. Edge computing
D. Confidential computing
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.
B. Blockchain
Explanation:
The blockchain is technology that uses cryptography to create a distributed immutable ledger. It is the technical foundation behind cryptocurrency and many other applications
Which one of the following systems assurance processes provides an independent third-party evaluation of a system’s controls that may be trusted by many different organizations?
A. Planning
B. Definition
C. Verification
D. Accreditation
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.
C. Verification
Explanation:
The veridication process is similar to the certification process in that it validates controls. Verification may go a step further by involving a third party testing service and compiling results that may be trusted by many different organizations.
Accreditation is the act of management formally accepting an evaluating system, not evaluating the system itself.
Which one of the following would be considered an example of infrastructure as a service cloud computing?
A. Payroll system managed by a vendor and delivered over the web
B. Application platform managed by a vendor that runs customer code
C. Servers provisioned by customers on a vendor-managed virtualization platform
D. Web-based email service provided by a vendor
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.
C. Servers provisioned by customers on a vendor-managed virtualization platform
Explanation:
One of the core capabilities of IaaS is providing servers on a vendor managed virtualization platform.
Which of the following is not a factor an organization might use in the cost–benefit analysis when deciding whether to migrate to a cloud environment?
A. Pooled resources in the cloud
B. Shifting from IT investment as capital expenditures to operational expenditures
C. The time savings and efficiencies offered by the cloud service
D. Branding associated with which cloud provider might be selected
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.
D. Branding associated with which cloud provider might be selected
Explanation:
The brnad associated with the cloud provider should not influence the cost benefit analysis; the cloud providers brand ( and even which cloud provider an organizes uses) will most likely not even be known to the consumers who have a business relationship with the organization
Barry has a temporary need for massive computing power and is planning to use virtual server instances from a cloud provider for a short period of time. What term best describes the characteristic of Barry’s workload?
A. Quantum computing
B. Confidential computing
C. Ephemeral computing
D. Parallel computing
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.
C. Ephemeral computing
Explanation:
Ephemeral computing means that you can create computing resources, such as servers and storage spaces, to solve a particular problem then get rid of them as soon you no longer need them.
You are reviewing a service-level agreement (SLA) and find a provision that guarantees 99.99% uptime for a service you plan to use. What term best describes this type of provision?
A. Availability
B. Security
C. Privacy
D. Resiliency
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 9). Wiley. Kindle Edition.
A. Availability
Explanation:
This type of provision is best described as an availability commitment because the service provider is guaranteeing that the service will be available 99.9% of the time. It could also be described as a security provision because availability is a subset of security, but availability is the better answer in this case.
Carlton is selecting a cloud environment for an application run by his organization. He needs an environment where he will have the most control over the application’s performance. What service category would be best suited for his needs?
A. SaaS
B. FaaS
C. IaaS
D. PaaS
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 9). Wiley. Kindle Edition.
C. IaaS
Explanation:
Users have the most control over environment hosted on an IaaS platform because they are able to manually adjust the resources assigned to the application