Question 1

NIST five (5) characteristic of cloud computing ``` Broad network access Resource pooling Rapid Elasticity On-demand self-service Measured service ```

Accepted Answer

Broad network access: services are accessed through the network (Internet) and usually available across a broad range of vectors. Resource pooling: services use common hardware / multi-tenancy -- i.e. a mix of applications and systems that coexist within the same set of physical and virtual resources. Rapid Elasticity: services are "burst-able" -- they can be rapidly scaled to match demand because of resource pooling (i.e. you can use all the hardware instead of just the hardware in your rack space). On-demand self-service: services can be requested, provisioned, utilized, and de-provisioned by the customer via the provider. Services are usually "pay-as-you-go." Measured service: pay-as-you-go / in most instances, resources are metered and logged for billing and utilization reporting. Note that ISO adds, 'Multitenancy' to this list: many customers using the same infrastructure.

Question 2

Four (4) building blocks of a cloud service

Accepted Answer

Regardless of service category (IaaS / PaaS / SaaS) or deployment model (private, public, community, or hybrid) the core components are: 1) Processor / CPU 2) Memory / RAM 3) Networking 4) Storage

Question 3

ISO/IEC 17789:2014 roles performed by the Cloud Service Customer Cloud service user Cloud service administrator Cloud service business manager Cloud service integrator

Accepted Answer

Cloud service user: uses the cloud service Cloud service administrator: tests cloud services, monitors services, administers services, provides service usage reports, and addresses problem reports Cloud service business manager: oversees business relationship, tracks billing for services, purchases new services, and requests audits when needed Cloud service integrator: connects and integrates customer side systems / services to the cloud

Question 4

ISO/IEC 17789:2014 roles performed by the Cloud Service Provider ``` Cloud service operations manager Cloud service deployment manager Cloud service manager Cloud service business manager Customer support and care representative Inter-cloud provider Cloud service security and risk manager Network provider ```

Accepted Answer

Cloud service operations manager: prepares systems for the cloud, administers services, monitors services, provides audit data when requested, and manages inventory of assets Cloud service deployment manager: gathers metrics on cloud services, manages deployment process, and defines the environment and process Cloud service manager: provisions and manages the cloud services Cloud service business manager: manages the customer relationship and processes financial transactions Customer support and care representative: manages cloud customer requests / provides tier one support Inter-cloud provider: peers to other cloud providers and manages federations and federated services Cloud service security and risk manager: manages security and security risks Network provider: provides network connectivity / provides and manages network services

Question 5

ISO/IEC 17789:2014 roles performed by the Cloud Service Partner Cloud service developer Cloud auditor Cloud service broker

Accepted Answer

Cloud service developer: develops cloud components and performs testing / validation of services Cloud auditor: preforms audits, prepares for external auditors, reports on system performance Cloud service broker: acquires new customers, surveys the marketplace, and secures contracts

Question 6

IaaS, overview of service category Infrastructure as a Service

Accepted Answer

Cloud provider maintains and controls the underlying architecture ensuring rapid provisioning, high availability, and rapid scaling. Customer controls users, data, services deployed within the cloud -- operating systems, storage, deployed applications -- and has limited control over network components.

Question 7

PaaS, overview of service category Platform as a Service

Accepted Answer

Cloud provider is responsible for the operating system (including provision and patching of systems) and hosting environment, including libraries, services, and tools. Customer is responsible for users, data, and deploying their applications within the provided platform infrastructure.

Question 8

SaaS, overview of service category Software as a Service

Accepted Answer

Cloud provider supplies a full cloud platform and software application to the customer with all activities outside of users and data falling to the cloud provider. Customer provisions user access and permissions to data for their requirements; customer has limited application configuration options.

Question 9

Public Cloud, General characteristics of

Accepted Answer

Available for use by the general public. Located on the premises of the cloud provider. May be owned by a private company, organization, academic institution, or a combination of owners.

Question 10

Hybrid Cloud, General characteristics of

Accepted Answer

Composed of two or more different cloud models: public, private, or community. Typically, this option is leveraged for load balancing, high availability, or disaster recovery -- e.g. public SaaS data backed up to private storage, etc.

Question 11

Private Cloud, General characteristics of

Accepted Answer

Owned and controlled by a single entity. Primarily used by that entity for their own purposes, but may be opened to collaborating organizations. Can be located on or off premises.

Question 12

Community Cloud, General characteristics of

Accepted Answer

Owned by a group of organizations with a shared purpose for use within the group -- a consortium model. (Very similar to Private Cloud.)

Question 13

Impact of related technologies: AI Artificial Intelligence

Accepted Answer

AI allows machines to learn from experiences, to adjust to new data inputs and sources, and, ultimately, to perform human-like analysis and adaptation. Three (3) main types of AI: analytical, human-inspired, and humanized. Analytical: cognitive-based, data-set bound, it focuses on the ability of systems to analyze data from past experiences and to extrapolate ways to make better future decisions. Human-Inspired: expands on the analytical approach by incorporating emotional intelligence -- adds consideration of emotional responses to the decision making process. Humanized: strives to incorporate all elements of human intelligence -- e.g. a system that can pass the Turing test.

Question 14

Impacts of related technologies: Machine Learning

Accepted Answer

Machine learning uses scientific and statistical data models and algorithms to allow machines to adapt to situations and perform functions that they have not been explicitly programmed to perform. This often involves training on "seed data" such as in intrusion detection systems (IDS), e-mail filtering, and virus scanning.

Question 15

Impacts of related technologies: blockchain

Accepted Answer

The blockchain is a list of records linked together by cryptography to form a ledger of transactions that are distributed across multiple systems. Blockchain may be applied to interactions between the distributed resources within cloud services to audit and persist transactions.

Question 16

Impacts of related technologies: MDM Mobile Device Management

Accepted Answer

MDM allows for configuration and zoning (such as setting up sandbox environments) on "mobile" assets such as workstations / laptops, smart phones, and tablets; MDM is essential for businesses that support BYOD (bring your own device) or that wish to enforce security benchmarks while not limited the modes of access to cloud services.

Question 17

Impacts of related technologies: IoT Internet of Things

Accepted Answer

Integration of IoT data by cloud providers is on the rise as the industry explores how IoT can be leveraged to improve services -- e.g. use of IoT on a production line to create continuous time-and-motion analysis of the production process.

Question 18

Impacts of related technologies: Containers

Accepted Answer

A container is a wrapper that contains all of the code, configurations, and libraries needed for an application to operate, packaged inside of a single unit. For the Cloud Security Professional, abstractions (like Containers) must be verified before trusted -- i.e. containers and the configurations used by the firm must be risk assessed and approved to ensure they are fit for use.

Question 19

Impacts of related technologies: Quantum Computing

Accepted Answer

Quantum Computing is an emergent technology that applies quantum phenomena to achieve significant increases to computational capacity; for the Cloud Security Professional, the primary concern is that Quantum Computing eliminates a fundamental cloud control, encryption, due to its ability to force decrypt existing encryption processes.

Question 20

Cryptography, Relevance to cloud

Accepted Answer

Encryption is a critical mitigation for the risk of disclosure of data; it is frequently required by hi-trust regulations (like HIPPA); it is essential to mitigation of the risks associated with multitenancy (a near ubiquitous 'feature' of cloud services); and, it is relied upon as the primary method of data destruction (as cryptographic erasure is used to proxy degaussing or physical destruction of media). Cryptography design must consider: encryption for data in transit (e.g. TLS, VPN, and like), encryption for data at rest (e.g. full disk encryption via AES 256), encryption for data in use (e.g. homomorphic encryption), and key management (remote and client-side).

Question 21

Access Control, Relevance to cloud Account Provisioning Directory Services Administrative & Privileged Access Authorization

Accepted Answer

Access Control / IAM (identity & access management) combines authentication, authorization, and accounting of utilization of both authentication and authorization by users. Four (4) main areas: 1) Account Provisioning: the process of issuing credentials (both authentication and authorization) to properly vetted users -- i.e. ensuring that you are only giving access to users who should have access; this process should be consistent across the user population and auditable. 2) Directory Services: the collection of information needed by applications to ensure they are making proper authentication and authorization decisions -- e.g. LDAP / Lightweight Directory Access Protocol. 3) Administrative & Privileged Access: enhanced policy and controls for users that can control and configure critical functions such as access roles, application configurations, underlying operating systems, and the like. Additional network and authentication controls should be considered for Administrative & Privileged users. 4) Authorization: the process by which the appropriate (i.e. least privilege) roles and rights are issued to users of a system -- i.e. ensuring that a user can do what they need to do on the system but not more than they need to do (i.e. separation of roles and responsibilities).

Question 22

Data and media sanitation, Relevance to cloud Data portability Data removal / sanitization

Accepted Answer

Data portability / Avoiding vendor lock-in: portability is the ability to move data from one cloud provider to another (e.g. from AWS to Azure); the easier it is to port your data to another cloud provider the less the risk of "lock-in" with providers exerting pricing power to increase cost to the consumer. Data removal / Data Sanitization: de-provisioning a cloud provider includes removing your data from that cloud service; given the unique constraints of cloud services we are limited to overwriting (e.g. zeroing out data, etc.) and cryptographic erasure (e.g. destruction of encryption keys with overwriting assumed over time).

Question 23

Network security, Relevance to cloud Physical layer considerations Logical considerations

Accepted Answer

Physical layer to the environment: needs to be reviewed with the cloud provider to understand and ensure proper security controls are in place. Logical environment: the methods and division of responsibilities between cloud provider and cloud customer must be understood with regard to creating and maintaining segregation between tenants and the scaling process for resource consumption.

Question 24

Virtualization security, Relevance to cloud Hypervisors, Type 1 vs. Type 2 Container Security

Accepted Answer

Virtualization is critical to cloud services and the hypervisor is critical to virtualization as the hypervisor creates and runs virtual machines. Hypervisor, Type 1: is tied to the underlying hardware and hosts virtual machines (VM) on top of it -- i.e. it operates as the only layer between the hardware (bare metal) and the host (virtual server). VMware ESXI is an example of a Type 1 Hypervisor. As Type 1 Hypervisors are proprietary, with vendors in full control of upgrades and patches, they are more difficult to compromise as the opportunities for malicious code injection are limited. Hypervisor, Type 2: is software based -- it resides on the host system and runs within an operating system as software. VMware Workstation is an example of a Type 2 Hypervisor. Given the dependency between a Type 2 Hypervisor and the OS of the host system, it is more vulnerable to attack than a Type 1 Hypervisor (though, as a class of goods, hypervisors are highly secure products). Cloud Security Professionals should focus on configuration and patch management of Type 2 Hypervisors to ensure that they are fit for use within your firm. Container Security: a container is a wrapper that contains all of the code, configurations, and libraries needed for an application to operate, packaged inside of a single unit. Cloud Security Professionals should focus on ensuring the integrity of vendor images (i.e. that they've not been tampered with or altered / check that checksum), patch management of containers, and securing access to containers and the methods to update and deploy containers.

Question 25

Data breaches [ Threat profile, Solution profile] Common Threats, The Treacherous Twelve

Accepted Answer

Applies to IaaS, PaaS, and SaaS. Threat profile: the unauthorized exposure or sensitive and private data to a party that is not entitled to have it. Solution profile: information classification (to sort sensitive from other classes of data), encryption, tokenization of sensitive data, authorization (limit access to sensitive data), and network security (limit locations that can access sensitive data or create conditions like VPN required) may be used to mitigate the threat.

Question 26

Insufficient identity, credential, and access management [ Threat profile, Solution profile] Common Threats, The Treacherous Twelve

Accepted Answer

Applies to IaaS, PaaS, and SaaS. Threat profile: poor account provisioning, overly permissive authorization roles, authentication practices, or accounting / monitoring gives attackers opportunity to access the system. Solution profile: do not embed passwords or certificates in source code or configuration objects, use quality passwords (e.g. NIST 800-63), apply two-factor authentication to privileged accounts, and harden and monitor authentication and authorization services.

Question 27

Insecure interfaces and APIs [ Threat profile, Solution profile] Application Program Interfaces Common Threats, The Treacherous Twelve

Accepted Answer

Applies to IaaS, PaaS, and SaaS. Threat profile: APIs are critical to auto-scaling and IAM / identity and access management within cloud services; as such, they represent an important source of potential vulnerabilities and attack surfaces for the adversary -- i.e. if you can access or control APIs you can do a lot. Solution profile: Apply strong encryption and authorization access to APIs and connectivity.

Question 28

System vulnerabilities [ Threat profile, Solution profile] Common Threats, The Treacherous Twelve

Accepted Answer

Applies to IaaS, PaaS, and SaaS. Threat profile: exposures in the operating systems or application environment that may be exploited to cause harm. Solution profile: patch management -- regular scanning, patching, and monitoring of systems.

Question 29

Account hijacking [ Threat profile, Solution profile] Common Threats, The Treacherous Twelve

Accepted Answer

Applies to IaaS, PaaS, and SaaS. Threat profile: any of a range of exploits (from replay of your credentials to session highjacking) that allows the adversary to monitor your activities or grants your authorizations to them for use. Solution profile: quality account provisioning process, access management, and the use of multi-factor authentication all serve to mitigate Account Hijacking.

Question 30

Malicious insiders [ Threat profile, Solution profile] Common Threats, The Treacherous Twelve

Accepted Answer

Applies to IaaS, PaaS, and SaaS. Threat profile: abuse of legitimately derived access for unauthorized purposes or system exploit. (Note that within cloud, malicious insiders may exist within the organizations of the cloud customer or the cloud provider.) Solution profile: access management (e.g. separation of duties / least privilege / four eyes), monitoring, and business continuity planning may be used for mitigation.

Question 31

Advanced persistent threats [ Threat profile, Solution profile] Common Threats, The Treacherous Twelve

Accepted Answer

Applies to IaaS, PaaS, and SaaS. Threat profile: any of a range of attacks involving well funded and well educated adversaries (such as Nation-State actors) seeking significant access over a long period of time. Solution profile: defense in depth, with an emphasis on monitoring and hunting within the environment.

Question 32

Data loss [ Threat profile, Solution profile] Common Threats, The Treacherous Twelve

Accepted Answer

Applies to IaaS, PaaS, and SaaS. Threat profile: data becomes lost, unavailable, or is destroyed when it should not have been. Solution profile: encryption and business continuity (back-up) planning.

Question 33

Insufficient due diligence [ Threat profile, Solution profile] Common Threats, The Treacherous Twelve

Accepted Answer

Applies to IaaS, PaaS, and SaaS. Threat profile: lack of prior preparation leads to piss poor performance -- i.e. risks can be created, especially when moving from a traditional data center to the cloud, by insufficiently understanding the deltas between traditional and cloud environments. Solution profile: avoid rushed transitions between environments, do the planning work required, apply audits to the environments to identify non-conformities, and brief the firm on risks being taken when the aforementioned are not applied.

Question 34

Abuse and nefarious use of cloud services [ Threat profile, Solution profile] Common Threats, The Treacherous Twelve

Accepted Answer

Applies to IaaS and PaaS. Threat profile: largely a cloud provider threat with near term consequences for a cloud customer, this attack involves gaining access to the cloud service and repurposing resources for gain by the attacker -- e.g. running a bit mining process within a cloud customer's environment, using the cloud service to launch a DoS attack, etc. Solution profile: monitor for resource utilization changes and apply defense in depth practices.

Question 35

DoS [ Threat profile, Solution profile] Denial of Service Common Threats, The Treacherous Twelve

Accepted Answer

Applies to IaaS, PaaS, and SaaS. Threat profile: any of a range of methods designed to degrade, disrupt, or deny access to an application or system often by flooding the resource with automatically generated requests. Solution profile: auto-scaling by the cloud provider and MPLS / multi-protocol label switching and like network security methods.

Question 36

Shared technologies issues [ Threat profile, Solution profile] Common Threats, The Treacherous Twelve

Accepted Answer

Applies to IaaS, PaaS, and SaaS. Threat profile: scaling resources scale vulnerabilities which can lead to cascading failures or compromises. Solution profile: monitor critical components (such as the hypervisor and containers), apply orchestration for rapid redeployment / changes, practice defense in depth.

Question 37

Cloud Secure Data Lifecycle ``` Create Store Use Share Archive Destroy ```

Accepted Answer

Create: data is either created from scratch, generated, inputted, or modified into a new form and value. Store: data is placed into a storage system. This includes but is not limited to databases, files, and spreadsheets. This is typically done as part of the previous operation or immediately thereafter. Use: data is read by the application or users. Note that any modification of data is considered to occur in Create. Share: data is used in an application where it is viewable to users, customers, administrators, and so on. Note that any modification of data is considered to occur in Create. Destroy: data is permanently removed and sanitized and is no longer accessible or useable.

Brainscape's Knowledge GenomeTM

CCSP Domain 1: Cloud Concepts, Architecture, and Design Flashcards

Brainscape's Knowledge Genome^TM