CCSP Domain 1: Cloud Concepts, Architecture Mike Chappel 3rdEdition Flashcards
Matthew is reviewing a new cloud service offering that his organization plans to adopt. In this offering, a cloud provider will create virtual server instances under the multitenancy model. Each server instance will be accessible only to Matthews company. What cloud deployment model is being used?
A. Hybrid cloud
B. Public Cloud
C. Private cloud
D. Community Cloud
B. Public Cloud
Explanation:
The key to answering this questions is recognizing that the multi tenancy model involves many different customers accessing cloud resources hosted on shared hardware. That makes this a public cloud deployment, regardless of the fact that access to a particular server instance is limited to Matthews company. In a private cloud deployment, only Matthews company would have access to any resources hosted on the same physical hardware. This is not multi tenancy. There is no indication that Matthews organization is combining resources of public and private cloud computing, which would be a hybrid cloud, or that the resource use is limited to members of a particular group which would be a community cloud
Zeke is responsible for sanitizing a set of SSDs removed from servers in his organizations datacenter. The drives will be reused on a different project. Which of the following sanitization techniques would be most effective?
A. Cryptographic erasure
B. Physical destruction
C. Degaussing
D. Overwriting
A. Cryptographic erasure
Explanation:
A cryptographic erasure is a strong sanitization technique that involves encrypting the data with a strong encryption engine and then taking the keys generated in that process, encrypting them with a different encryption encryption engine, and destroying the resulting keys of the second round of encryption. This technique is effective on both magnetic and SSDs. Degaussing and overwriting are not effective on SSDs. Physical destruction would effectively sanitize the media but would prevent Zeke from reusing the drives
Tina would like to use technology that will allow her to bundle up workloads and easily move them between different operating systems. What technology would best meet this need?
A. Virtual machines
B. Serverless computing
C. Hypervisors
D. Containers
A. Virtual machines
Explanation:
Containers do not provide easy portability because they are dependent upon the host OS. Hypervisors are used to host virtual machines on a device, so that is another incorrect answer. Serverless computing is a PaaS model that allows customers to run their own code on the providers platform without provisioning servers, so that is also incorrect. Virtual machines are self contained and have their own internal OS, so it is possible to move them between different host OS
Under the cloud reference architecture, which one of the following activities is not generally part of the responsibilities of the customer?
A. Monitor services
B. Prepare systems
C. Perform business administration
D. Handle problem reports
B. Prepare systems
Explanation:
Under the cloud reference architecture, the activities of customers are to use cloud service, perform service trials, monitor services, administer service security, provide billing and usage reports, handle problem reports, administer tenancies, perform business administration, select and purchase service, and request audit reports. Preparing systems is one of the responsibilities of cloud service providers
Seth is helping his organization move their web server cluster to a cloud provider. The goal of this move is to provide the cluster with the ability to grow and shrink based on changing demand. What characteristic of cloud computing is Seth hoping to achieve?
A. Scalability
B. On Demand Self Service
C. Elasticity
D. Broad network access
C. Elasticity
Explanation:
The reality is that Seth will likely achieve all of these goals, but the most relevant one is elasticity. Elasticity refers to the ability of a system to dynamically grow and shrink based on the current level of demand. Scalability refers to the ability of a system to grow as demand increases but does not require the ability to shrink.
Sherry is deploying a zero trust network architecture for her organization. In this approach, which one of the following characteristics would be least important in validating a login attempt?
A. User Identity
B. IP Address
C. Geolocation
D. Nature of requested access
B. IP Address
Explanation:
The defining characteristic of zero trust network architecture is that trust decisions are not based on network location, such as IP address. It is appropriate to use other characteristics such as a users identity, the nature of the requested access, and the users geographic (not network) location
Which one of the following hypervisor models is the most resistant to attack?
A. Type 1
B. Type 2
C. Type 3
D. Type 4
A. Type 1
Explanation:
If a cloud provider is able to choose between types of hypervisors, the bare metal (Type 1) hypervisor is preferable to the hypervisor that runs off the OS (type 2) because it will offer less attack surface. Type 3 and 4 hypervisors do not exists
Joe is using a virtual server instance running on a public cloud provider and would like to restrict the ports on that server accessible from the internet. What security control would best allow him to meet this need?
A. Geofencing
B. Traffic inspection
C. Network firewall
D. NSGs
D. NSGs
Explanation:
NSGs provide functionality equivalent to network firewalls for cloud hosted server instances. They allow the restriction of traffic that may reach a server instance. Joe would not be able to modify the network firewall rules because those are only available to the cloud provider.
Geofencing would restrict the geographic locations from which users may access the servers, which is not Joes requirement.
Traffic inspection may be used to examine the traffic reaching the instance but is not normally used to create port based restrictions
Which of the following cybersecurity threats is least likely to directly affect an object storage service?
A. Disk failure
B. User error
C. Ransomware
D. Virus
D. Virus
Explanation:
Object storage services are susceptible to disk failures and user error that may unintentionally destroy or modify data. They are also vulnerable to ransomware attacks that infect systems with access to the object store and then encrypt data stored on the service. They are unlikely to be affected by traditional viruses because they do not have a runtime environment
Vince would like to be immediately alerted whenever a user with access to a sensitive cloud service leaves a defined physical area. What type of security control should he implement?
A. Intrusion prevention system
B. Geofencing
C. Firewall Rule
D. Geotagging
B. Geofencing
Explanation:
Geofencing may be used to trigger actions, such as an alert, when a user or device leaves a defined geographic area. Firewalls and intrusion prevention systems may incorporate geographic information into their decision making processes but would not provide the immediate notification that Vince desires. Geotagging simply annotates log records or other data with the geographic location of the user performing an action but does not directly provide alerting based on geographic location
Which of the following characteristics is not a component of the standard definition of cloud computing?
A. Broad network access
B. Rapid provisioning
C. Multitenancy
D. On Demand Self Service
C. Multitenancy
Explanation:
Cloud computing is a model for enabling ubiquitous, convenient on demand network access to a shared pool of configurable computing resources (ie networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This definition does not include multitenancy, which is a characteristic of public cloud computing but not all cloud computing models
Which one of the following sources providers a set of vendor neutral design patterns for cloud security?
A. Cloud Security Alliance
B. AWS
C. Microsoft
D. ICS^2
A. Cloud Security Alliance
Explanation:
CSA provides an enterprise architecture reference guide that offers vendor netural design patterns for cloud security. AWS and Microsoft do provide cloud patterns but they are specific to the service offerings of those vendors.
Lori is using an API to access sensitive information stored in a cloud service. What cloud secure data lifecycle activity is Lori engage in?
A. Store
B. Use
C. Destroy
D. Create
B. Use
Explanation:
The use of an API is an example of accessing data programmatically during the Use phase of the lifecycle. If Lori were simply placing data into a cloud service or maintaining data there, that would be an example of the Store phase. Lori is not creating or destroying data; she is simply using the data that is already stored in the cloud service
Helen would like to provision a disk volume in the cloud that is mountable from a server. What cloud capability does she want?
A. Virtualized server
B. Object storage
C. Network capacity
D. Block storage
D. Block storage
Explanation:
This is an example of block storage, storage that is available as disk volumes. Object storage maintains files in buckets. Virtualized servers are compute capabilities, not storage capabilities. Network capacity is used to connect servers to each other and the internet and is not used for the storage of data
Ben is using the sudo command to carry out operations on a Linux server. What type of access is he using?
A. Service access
B. Unauthorized access
C. User access
D. Privileged Access
D. Privileged Access
Explanation:
The sudo command allows a normal user account to execute administrative commands and is an example of privileged access, not standard user access. There is no indication in the scenario that Ben lacks proper authorization for this access. Service access is the access to resources by system services, rather than individual people
Which one of the cryptographic goals protects against the risks posed when a device is lost or stolen?
A. Nonrepudiation
B. Authentication
C. Integrity
D. Confidentiality
D. Confidentiality
Explanation:
The greatest risk when a device is lost or stolen is that sensitive data contained on the device will fall into the wrong hands. Confidentiality protects against the risk. Nonrepudiation is when the recipient of a message can prove the originators identity to a third party. Authentication is a means of proving ones identity. Integrity demonstrates that information has not been modified since transmission
What type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence?
A. Quantitative
B. Qualitative
C. Annualized Loss Expectancy
D. Single Loss Expectancy
B. Qualitative
Explanation:
Qualitative tools are often used in business impact assessment to capture the impact on intangible factors such as customer confidence, employee morale and reputation. Quantitative tools, such as the computation of annualized loss expectancies and single loss expectancies, are only appropriate for easily quantifiable risks
Robert is reviewing a system that has been assigned the EAL2 evaluation assurance level under the Common Criteria. What is the highest level of assurance that he may have about the system?
A. It has been functionally
B. It has been structurally tested
C. It has been formally verified, designed and tested
D. It has been semi formally designed and tested
B. It has been structurally tested
Explanation:
EAL2 assurance applies when the system been structurally tested. It is the second to lowest level of assurance under the Common Criteria
Jake would like to use a third party platform to automatically move workloads between cloud service providers. What type of tool would best meet this need?
A. Cloud access service
B. Database
C. Virtualization
D. Orchestration
D. Orchestration
Explanation:
Orchestration tools are designed to manage workloads and seamlessly shift them between cloud service providers. Virtualization platforms allow a cloud provider to host virtual server instance, but they do not provide the ability to migrate workloads between different providers. Databases are a cloud service offering that allows for the organized storage of relational data. Cloud access service brokers (CASBs) allow for the consistent enforcement of security policies across cloud providers
Robert is responsible for securing systems used to process credit card information. What security control framework should guide his action?
A. HIPAA
B. PCI DSS
C. SOX
D. GLBA
B. PCI DSS
Explanation:
The Payment Card Industry Data Security Standard (PCI DSS) governs the storage, processing and transmission of credit card information. HIPAA governs protected health information. The SOX Act regulates the funancial reporting of publicy traded corporations. The Gramm-Leach Billey Act (GLBA) protects personal financial information
What type of effort attempts to bring all of an organizations cloud activities under more centralized control?
A. Cloud access service broker
B. Cloud orchestration
C. Cloud governance
D. Cloud migration
C. Cloud governance
Explanation:
Cloud governane programs try to bring all of an organizations cloud activities under more centralized control. They server as a screening body helping to ensure that cloud services user by the organization meet technical, function and security requirements. They also provide a centralized point of monitoring for duplicative services, preventing different business units from spending money on similar services, preventing different business units from spending money on similar services when consolidation would reduce both costs and the complexity of the operating environment. Cloud orchestration tools are designed to manage workloads and seamlessly shift them between cloud service providers.
Chris is designing a cryptographic system for use within his company. The company has 1000 employees, and they plan to use an asymmetric encryption system. They would like the system to be set up so that any pair of arbitrary users may communication privately. How many total keys will they need?
A. 500
B. 1000
C. 2000
D. 4950
C. 2000
Explanation:
A symmetric cryptosystems use a pair of keys for each user. In this case, with 1000 users, the system will require 2000 keys
Erin is concerned about the risk that a cloud provider user by her organization will fail, so she is creating a strategy that will combine resources from multiple public cloud providers. What term best describes this strategy?
A. Community Cloud
B. Multicloud
C. Private Cloud
D. Hybrid cloud
B. Multicloud
Explanation:
The use of multiple public cloud providers to achieve diversity is known as a multicloud strategy. That is the scenario that Eric is creating. Community clouds are shared cloud resources open to members of an affinity group. Private cloud resources are limited to the use of a single organization. Hybrid
Which one of the following would normally be considered an application capability of a cloud service provider?
A. Network capacity
B. Hosted email
C. Block storage
D. Serverless computing
B. Hosted email
Explanation:
Email is an application level service that is offered by cloud providers as a SaaS capability. Block storage and network capacity are IaaS offerings and are infrastructure capabilities. Serverless computing is a PaaS offering and is a platform capability