Chapter 3 Cloud Security Compliance & Configurations Flashcards

1
Q

Which of the following regulatory requirements concerns a business’s nonfinancial reporting controls for the availability, confidentiality, privacy, processing, integrity, and security of a system?

A. SOC 1
B. SOC 2
C. SOC 3
D. ISO 27001

A

SOC 2

The Service Organization Controls 2 (SOC 2) report concerns a business’s nonfinancial reporting controls for the availability, confidentiality, privacy, processing integrity, and security of a system.

The SOC 1 report outlines the internal controls of financial reporting operations.

The SOC 3 report is for the public disclosure of financial controls and security reporting.

ISO 27001 is the International Organization for Standardization (ISO) standard for quality that ensures the cloud provider meets all regulatory and statutory requirements for its product and service offerings.

2
Q

As a security administrator of an enterprise data center, you need to check the operating systems that are being used in the company. You find one of the operating systems originally loads with unneeded services such as printing, various networking services such as DHCP, and an FTP server enabled. These services might expose the operating system to potential malicious activity. What will you do to harden the operating system?

A. Remove the services that are not in use.
B. Disable the services that are not in use.
C. Install antivirus.
D. Implement host-based firewall security.

A

Disable the services that are not in use.

If an operating system originally loads with unneeded services such as printing, various networking services such as DHCP, and the web or FTP server enabled, they should be disabled so there is no longer any exposure to attacks on those entry points.

Removing the services is not an appropriate solution for the given scenario.

Antivirus software is an application that runs on a computer that can identify and remove viruses or malicious software from a system.

Implementing host-based firewall security would not solve the problem.

3
Q

Jarleen is a consultant tasked with migrating Health Med Records Inc. customers to a cloud-based service offering a long-term archival system. Which U.S. compliance mandate must her company align with?

A. SOC3
B. HIPAA
C. MPAA
D. ISA 2701

A

HIPAA

The Health Insurance Portability and Accountability Act defines the standards for protecting medical data.

The Service Organization Control 3 (SOC3) reports are for public disclosure of financial controls and security reporting.

The Motion Picture Society of America Act (MPAA) published a set of best practices for storing, processing, and delivering protected media and content securely over the Internet.

The Internal Security Act (ISA 2701) allows for detention without trial or criminal charges under limited, legally defined circumstances.

4
Q

Cathy is preparing her company’s migration plan from a private to a hybrid cloud. She wants to outline firewall and DDoS requirements. What document should she create?

A. DIACAP
B. Security policy
C. Service level agreement
D. SOC 2

A

Security Policy

The security policy outlines all aspects of your cloud security posture.

DIACAP (Department of Defense Information Assurance Certification and Accreditation Process) is the process for computer systems IT security.

The service level agreement is a document that outlines specific metrics and the minimum performance or availability level and outlines the penalties for failing to meet the metrics.

The SOC 2 (Service Organization Controls 2) report concerns a business’s nonfinancial reporting controls for the availability, confidentiality, privacy, processing integrity, and security of a system.

5
Q
Allison is working on her company's new e-commerce rollout at a large public cloud provider. She wants to secure all web traffic between the client and her site when a user proceeds to checkout and places orders. What security protocol would she be implementing?

A. MD5
B. SSL/TLS
C. IPSec
D. VPN

A

SSL/TLS

SSL/TLS is commonly used in browsers and smartphone applications for secure web access.

MD5 is a hash algorithm; therefore, it does not apply to the question.

IPSec is a security framework; therefore, it does not apply to the question.

VPNs are not as common as SSL/TLS for the scenario given.

6
Q

You are a web server administrator for your company. You want to authenticate the end user for all the applications the user has been given rights to and eliminate further prompts when the user switches applications during the same session. Which approach to access control should you use?

A. Multifactor authentication
B. Single sign-on
C. Role-based access control
D. Mandatory access control

A

Single Sign-On (SSO)

You should use single sign-on (SSO), which is a session and user authentication service that permits a user to use one set of login credentials to access multiple applications. It authenticates the end user for all the applications the user has been given rights to and eliminates further prompts when the user switches applications during the same session. It is helpful for logging user activities as well as monitoring user accounts.

Multifactor authentication is an access control technique that requires several pieces of information to be granted access.

Role-based access control (RBAC) is a method in which access rights are granted to, or restricted from, users based on which roles they perform in an organization.

The mandatory access control (MAC) approach is often found in high-security environments where access to sensitive data needs to be tightly controlled.

7
Q

Which of the following low-level security methods do cloud providers use on their storage area networks and storage head-end controllers?
Each correct answer represents a complete solution. Choose two.

A. ACL
B. VSAN
C. PKI
D. LUN Masking

A

VSAN, LUN Masking

A virtual storage area network (VSAN) is implemented at the SAN level and LUN masking is configured on storage controllers; both are low-level storage access control methods.

An access control list (ACL) is a set of data (usernames, passwords, time and date, IP address, MAC address, and so on) used to control access to a resource, such as a device, file, or network.

Public Key Infrastructure (PKI) is a standardized set of roles, policies, and procedures used to create, manage, distribute, use, store, and revoke digital certificates and manage public/private key encryption.

8
Q

Harry is the cloud administrator for a company that stores object-based data in a public cloud. Because of regulatory restrictions on user access to sensitive security data, what type of access control would you suggest he implement to meet his company’s security policies?

A. Discretionary
B. Mandatory
C. RBAC
D. Nondiscretionary

A

Mandatory

The mandatory access control approach is often found in high-security environments where access to sensitive data needs to be highly controlled. Using the mandatory access control approach, a user will authenticate, or log into, a system. Based on the user’s identity and security levels of the individual, access rights will be determined by comparing that data against the security properties of the system being accessed.

Discretionary access control differs from mandatory access control by giving users the ability to grant or assign rights to objects and make decisions for themselves, as compared to the centrally controlled method used by mandatory access control.

Role-based access control (RBAC) is a method in which access rights are granted to, or restricted from, users based on which roles they perform in an organization.

Nondiscretionary access control defines a set of rules to allow or deny access to an object, system, or service in the cloud.

9
Q

Brad has been tasked with encrypting data in flight into his e-commerce presence in a community cloud. He is investigating a standards-based secure solution that web customers can easily implement to ensure secure transactions. What is a good solution that you would recommend to Brad?

A. ARP
B. 3DES
C. SSL
D. IPSec

A

SSL

Secure Sockets Layer (SSL) makes up a protocol group that operates on top of TCP to provide an encrypted session between the client and the server. It is commonly seen on websites implemented as the Hypertext Transport Protocol Secure (HTTPS) protocol.

Address Resolution Protocol (ARP) is a communication protocol that performs the translation between IP and MAC addresses.

Triple-Data Encryption Standard (3DES) is a symmetric encryption algorithm that encrypts data by processing each block of data three times using a different key each time.

Internet Protocol Security (IPSec) is a protocol used to protect data flow between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

10
Q

What is the National Institute of Standards & Technology publication that coordinates the requirements and standards for cryptography modules?

A. FISMA
B. FedRAMP
C. FIPS 140-2
D. PCI-DSS

A

FIPS 140-2

FIPS 140-2 is a National Institute of Standards & Technology (NIST) publication that coordinates the requirements and standards for cryptography modules. Cryptographic systems can be either hardware or software created in the public sector and are registered under FIPS 140-2 as approved for US government use.

The Federal Information Security Management Act (FISMA) outlines the framework to protect federal government information, operations, and facilities.

The Federal Risk and Authorization Management Program (FedRAMP) outlines the standards for security assessments, authorization, and continuous monitoring for cloud products and services.

The Payment Card Industry Data Security Standard (PCI-DSS) sets the requirements to guarantee that companies that process, store, or transmit credit card information offer secure processing and handling of credit card data.

11
Q

What is a report for the public disclosure of financial controls and security reporting that does not contain sensitive and technical information called?

A. SOC 1
B. SOC 2
C. SOC 3
D. FISMA

A

SOC 3

The SOC 3 report is for the public disclosure of financial controls and security reporting. Since the SOC 2 report can contain sensitive and technical information, the SOC 3 report was created to offer a diluted, marketing-oriented, or nontechnical summary of the SOC 2 report.

The SOC 1 report outlines the internal controls of financial reporting operations.

The SOC 2 report concerns a business’s nonfinancial reporting controls for the availability, confidentiality, privacy, processing integrity, and security of a system.

The Federal Information Security Management Act (FISMA) outlines the framework to protect federal government information, operations, and facilities.

12
Q

To secure the data center interconnect between your company’s Sydney and Berlin regions, you are being asked what common solution allows interoperability between the various vendors’ firewalls and routers in each region. What is a good solution for securing interconnects over the Internet between dissimilar hardware and software security devices?

A. AES
B. SOC 3
C. IPSec
D. RC5

A

IPSec

IPSec implementations are found in routers and firewalls with VPN services to provide a secure connection over an insecure network such as the Internet, and they are standards based to allow for interoperability.

AES is the Advanced Encryption Standard, a symmetrical block cipher that has options to use three key lengths: 128, 192, and 256 bits.

SOC 3 (Service Organization Controls 3) reports are for public disclosure of financial controls and security reporting.

RC5 (Rivest Cipher 5) is the replacement for RC4. It is also a symmetrical block cipher algorithm that uses a variable-length key.

13
Q

Which US federal government policy and standard would you focus on to help secure information systems (computers and networks)?

A. FedRAMP
B. RMF
C. FISMA
D. Section 405.13 for DoD rule A286

A

RMF

The Risk Management Framework (RMF) is a US federal government policy and standard, developed by the National Institute of Standards & Technology (NIST), to help secure information systems (computers and networks).

The Federal Risk & Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

The Federal Information Security Management Act (FISMA) is a US federal law that outlines the framework to protect federal government information, operations, and facilities.

The Department of Defense (DoD) rule outsources commercial interconnections to the DoD and other systems.

14
Q

James has allowed access to a development server for certain hours of the day, granting another user complete control over a server fleet or storage system for administrative purposes. What type of access control is this?

A. Discretionary Access Control
B. Nondiscretionary Access Control
C. Mandatory Access Control
D. Role-Based Access Control

A

Nondiscretionary Access Control

The given scenario is an example of nondiscretionary access. Nondiscretionary access control defines a set of rules to allow or deny access to an object, system, or service in the cloud. It is a method of access control that allows the objects to be accessed based on rules, privileges, and roles that define access.

Discretionary access controls differ from mandatory access controls by giving users the ability to grant or assign rights to objects and make decisions for themselves, as compared to the centrally controlled method used by mandatory access controls.

The mandatory access control (MAC) approach is often found in high-security environments where access to sensitive data needs to be tightly controlled.

The role-based access control (RBAC) is a method in which access rights are granted to or restricted from users based on which roles they perform in an organization.

15
Q

Fluentes is a security consultant for a day trading company that must implement strong encryption of data at rest for their storage tiers. What is the best option that meets most security regulations for the encryption of stored data?

A. 3DES
B. RSA
C. AES-256
D. Rivest Cipher 5

A

AES-256

Advanced Encryption Standard is a symmetrical block cipher that has options to use three key lengths: 128, 192, and 256 bits. AES-256 is a very secure standard, and it would take an extremely long time and a lot of processing power to even come close to breaking the code.

3DES is a symmetric-key block cipher that applies the DES cipher algorithm three times to each data block.

RSA is an asymmetrical encryption implementation that uses a private key and a public key.

Rivest Cipher 5 is the replacement for RC4. It is also a symmetrical block cipher algorithm that uses a variable-length key.

16
Q

Which of the following types of deployment is referred to as multi-availability zone architecture?

A. Storage segmentation
B. Cloud segmentation
C. Computing segmentation
D. Multifactor segmentation

A

Cloud Segmentation

Cloud segmentation is the process of dividing your cloud deployment into sections to allow for granular security policies to be applied. It is referred to as a multi-availability zone architecture.

Storage segmentation is used to separate cloud data stores and storage offerings to meet customers’ requirements.

Computing segmentation is commonly referred to as three-tier architecture.

There is no such type of multifactor segmentation.

17
Q

Who is responsible for all regulatory and security compliance requirements for a cloud deployment when implementing operations in the cloud?

A. Cloud provider
B. Cloud customer
C. Third-party agency
D. Service provider

A

Cloud customer

When implementing your operations in the cloud, the cloud customer is responsible for all regulatory and security compliance requirements for their cloud deployment.

Being compliant with all laws and regulations that apply to the deployment is the responsibility of the cloud customer, not the cloud provider.

Many third-party agencies and service providers are available to assist in the process of meeting your specific regulatory requirements when migrating to the cloud.

18
Q

Randy is developing a new application that will be deployed in an IaaS-based public cloud. He builds a test image and deploys a test VM in his private cloud’s development zone. When he restarts one of the Linux-based servers, he notices that his storage volume data is missing. What type of storage did he implement?

A. Durable
B. RAID
C. Ephemeral
D. Nondurable
E. Block
F. Object

A

Ephemeral
Nondurable

Temporary storage volumes that exist only while the VM is deployed are referred to as ephemeral or nondurable storage.

Durable storage volumes do not get deleted and retain data even if the virtual machine is stopped or terminated.

RAID is a hardware storage family of redundancy types.

Block storage offers a high utilization rate.

Object-based storage is highly utilized at the large cloud companies as a fully managed and cost-effective service.

19
Q

Bill is a security engineer at your firm and is involved in a multifactor authentication project. What options do you suggest he offer to his user base to access their login tokens?

A. Python app
B. Smartphone app
C. Automation systems
D. Keyfob
E. Cloud vendor management dashboard

A

Smartphone app
Keyfob

One-time numerical tokens are generated on keyfob hardware devices or smartphone soft-token software applications.

One-time numerical tokens are not generated by a Python app, automation systems, or a cloud vendor management dashboard.

20
Q

Which of the following automation tools is a defined means to programmatically access, control, and configure a device between different and discrete software components?

A. Application Programming Interface
B. Vendor-Based Solution
C. Command Line
D. Web Graphical User Interface

A

Application Programming Interface

An application programming interface (API) is a defined means to programmatically access, control, and configure a device between different and discrete software components. The API defines how software components interact with each other. APIs provide the means to enable automation of the complete stack from the physical devices to the applications and everything in between.

Vendors and suppliers of virtualized cloud services offer internally developed automation tools and configuration examples as part of their offerings.

A command-line interface is a text-based interface tool used to configure, manage, and troubleshoot devices, and it allows devices to be automated through configuration scripts.

A graphical user interface (GUI) is a web-based interface that is usually your first introduction to a cloud provider’s system.

21
Q

Louis is a DevOps engineer and is exploring the different options available to him to automate VM troubleshooting in a private cloud. What are common interfaces that you would suggest he investigate?

Each correct answer represents a complete solution. Choose three.

A. GUI
B. SNMP
C. API
D. CLI

A

GUI, API, CLI

Application programming interfaces (APIs), command-line interfaces (CLIs), and graphical user interfaces (GUIs) are all commonly used tools to migrate, monitor, manage, and troubleshoot cloud-based resources.

SNMP and PaaS are not tools used to migrate, monitor, manage, and troubleshoot cloud-based resources.

22
Q

What technology has been instrumental in the growth of on-demand cloud services?

A. XML
B. Python
C. Automation
D. Authentication

A

Automation

The automation of cloud deployments has been instrumental in the growth of on-demand cloud-based services.

The other options are widely implemented in cloud architectures but are not the best answer to the question given.

23
Q

Hank is researching the methods that his network operations center can use to access the Berlin-hosted servers operating in a hybrid cloud configuration. Which of the following are not viable methods?
Each correct answer represents a complete solution. Choose all that apply.

A. RDP
B. Telnet
C. IDS/IPS
D. DNS
E. SSH

A

IDS/IPS
DNS

Common remote access protocols include RDP, SSH, and Telnet. IDSs/IPSs are for intrusion detection, and DNS provides domain-name-to-IP-address mappings; neither is a utility for remote access.

RDP, Telnet, and SSH are viable methods for remote access.

24
Q

When installing a new virtualized intrusion prevention system that is designed for cloud-based network micro-segmentation deployments, the management application requires you to download a Java configuration utility. What kind of automation system is this?

A. CLI
B. GUI
C. Vendor Based
D. API
E. RESTful

A

Vendor Based

Based on the information given, the description is for a vendor-based management application.

CLI is a means of interacting with a computer program where a user issues commands to the program in the form of successive lines of text.

GUI is used for screen scraping, automated testing, automated data entry, application integration, and content migration.

API offers programmatic access, control, and configuration of a device between different and discrete software components.

RESTful is used to create a user account at a user’s site.

25
Q

A company wants to ensure that its cloud infrastructure is secure but fully available. It wants to be alerted in the event of a security breach but choose a response for each alert. Which of the following solutions would meet these requirements?

A. DMZ
B. WPAN
C. HTTP
D. IDS

A

IDS

An intrusion detection system (IDS) is used to detect possible malicious incursions into a network by monitoring and auditing for suspected and known attack signatures and behavior. It scans, audits, and monitors the security infrastructure for signs of attacks in progress and automates the intrusion detection process.

26
Q

A public cloud provider recently updated one of its services to provide a new type of application load balancer. The cloud administrator is tasked with building out a proof-of-concept using this new service type. The administrator sets out to update the scripts and notices the cloud provider does not list the load balancer as an available option type when deploying this service. Which of the following is most likely the reason?

A. The administrator can deploy the new load balancer via the cloud provider’s web console.
B. The administrator is not using the correct cloud provider account.
C. The administrator needs to update the version of the CLI tool.
D. The administrator needs to write a new script function to call this service.

A

The administrator needs to update the version of the CLI tool.

A command-line interface is a text-based interface tool used to configure, manage, and troubleshoot devices. It allows devices to be automated through configuration scripts. Users who become familiar with the CLI interface of a device are proficient in extracting detailed and specific data and effective configurations much more quickly than is possible when using a web browser.

27
Q

James, a network administrator, is implementing a private cloud that will be used as a test environment. To limit the number of guests per subnet to a maximum of 14, he implemented a /20 network. Which of the following should he use to assign the networks?

A. NAT
B. DNS
C. DHCP
D. IPSec

A

DHCP

Dynamic Host Configuration Protocol (DHCP) is a networking protocol that provides the dynamic mapping and assignments of logical Layer 3 IP addresses of a network device to the physical Layer 2 MAC addresses of a network device. It provides automatic assignment of IP addresses and other TCP/IP configuration information. DHCP uses port 68 as the default port.

28
Q

James, a cloud architect, created a new delivery controller for a large VM farm to scale up according to organizational needs. The old and new delivery controllers now form a cluster. However, the new delivery controller returns an error when entering the license code. Which of the following is the most likely cause?

A. Telnet
B. SSL
C. DHCP
D. Firewall

A

Firewall

A firewall is any software or hardware device that protects a system or network by blocking unwanted network traffic. Firewalls generally are configured to stop suspicious or unsolicited incoming traffic through a process called implicit deny - all incoming traffic is blocked by default, except for traffic explicitly allowed by the firewall (i.e., a whitelist). At the same time, firewalls permit most types of outgoing traffic. The types of traffic blocked or permitted through a firewall are configured using predefined rule sets. Information about the incoming or outgoing connections can be saved to a log, and used for network monitoring or hardening purposes.

29
Q

A company security policy mandates education and training for new employees. The policy must include the controls that attempt to get the system back to normal after any damage caused by an incident. Given these requirements, which of the following security controls is best suited?

A. Corrective
B. Detective
C. Preventive
D. Physical

A

Corrective

A corrective security control is a security measure that attempts to get the system back to normal. It is intended to limit the extent of any damage caused by the incident by recovering the organization to normal working status as efficiently as possible. Examples include restoring an operating system or data from a recent backup, updating outdated antivirus software, and installing a fix.

30
Q

In an IaaS environment, the security team issues a new signature file to prevent specific malware threats from infiltrating the company network. Which of the following describes where the security team should deploy the updated signatures?

A. DMZ
B. SSH
C. WAF
D. IDS

A

WAF

A web application firewall (WAF) is a firewall that is deployed to secure an organization’s web applications and other application-based infrastructure from attackers. It monitors, filters, or blocks data packets as they travel to and from a web application. It can be either network-based or cloud-based and is often deployed through a proxy placed in front of one or more web applications.