Chapter 4 Implementing Cloud Security

Question 1

The process of organizing information into different tiers or categories is referred to as ___ ___ ?

Answer 1

Data Classification

Question 2

Dividing your cloud fleet of servers into smaller discrete areas for the purpose of applying a granular security policy is known as ___ ?

Answer 2

Segmentation

Question 3

Data that is obfuscated on a RAID 5 storage is ___ ___ encryption.

Answer 3

At rest

Question 4

Multifactor authentication includes something you ___ and something you ___.

Answer 4

know, have

Question 5

Hands-off programmatically driven cloud configuration change is commonly referred to as ___.

Answer 5

Automation

Question 6

___ allow for a defined machine-to-machine software interaction to enable automation.

Answer 6

API (application programming interface)

Question 7

The ___ ___ ___ is a user-friendly front end interface to a service’s APIs.

Answer 7

Graphical User Interface

Question 8

Network-based ___ ___ ___ take active security breach counter-measures.

Answer 8

Intrusion Prevention System

Question 9

Cloud-based security places a load on a virtual machine’s ___?

Answer 9

CPU

Question 10

Security ___ can allow code to replace many processes that had to be performed manually in the past

Answer 10

Automation

Question 11

Robert has been asked to create a security implementation that segments his employer's e-commerce design to allow for policy enforcement.  What are some of the the areas that he is investigating? (Choose three).
A.  Network
B.  Automation
C.  Storage
D. Compute
E.  APIs
F.  JSON/XML

Answer 11

Network, Storage, Compute

Cloud segmentation is the process of dividing up your cloud deployment into sections that allow for granular security. Common segments include compute, network, and storage.
APIs, JSON, and XML are software constructs to enable automation.

Question 12

MFA tokens can be obtained where?
(Choose two)
A.  Python app
B.  Smartphone app
C.  Automation systems
D.  Keyfob
E.  Cloud vendor management dashboard

Answer 12

Smartphone app, Keyfob

One-time numerical tokens are generated on keyfob hardware devices and smartphone soft-token applications.

Question 13

Hank just completed running some security automation scripts on his new fleet of application virtual machines.  After applying intrusion detection, virus, and malware protection on the Linux images, he notices an increase in which VM metric on his management dashboard?
A.  DMA
B.  BIOS
C.  CPU
D.  IPSec
E.  I/O

Answer 13

CPU

Applying security applications on a virtual server will cause an increase in CPU usage.

Question 14

What technology was instrumental in the growth of cloud services?
A.  XML
B.  Python
C.  Automation
D.  Authentication
E.  Scripting
F.  workflow services
G.  Encryption

Answer 14

Automation

Automation of cloud deployments was instrumental in the growth of cloud-based services.

Question 15

Carl is planning his cloud migration and must meet HIPPA requirements for confidential storage of cloud data at rest and in use in the cloud.  What services must be addressed by Carl?  (Choose two.)
A.  Virtual private network
B.  Storage
C.  Client-side
D.  Database

Answer 15

Storage, Database

Storage systems and database applications are both examples of data at rest or being processed in the cloud. While VPNs and client encryption are valid security systems, they are not associated with your internal cloud security posture.

Question 16

What is a common cloud-based GUI used to get an overview of your security operations?
A.  Puppet automation
B.  Gemalto system
C.  Dashboard
D.  Vendor-based security appliance

Answer 16

Dashboard

A dashboard is a graphical portal that provides updates and an overview of operations.

Question 17

Who does responsibility for stored data integrity in the cloud belong to?
A.  Cloud provider
B.  Compliance agency
C.  Cloud customer
D.  Shared responsibility

Answer 17

Cloud customer

Ultimately the responsibility for data in the cloud belongs to the organization that owns the data.

Question 18

What are complex software systems that automate cloud operations and are offered by companies such as Chef and Puppet called?
A.  Authentication
B.  Federations
C.  Orchestration
D.  Ephemeral

Answer 18

Orchestration

Orchestration systems are software packages or services that automate cloud operations.

Question 19

RESTful APIs using XML and JSON on southbound interfaces can be used to orchestrate and automate what cloud-based services? (Choose all that apply.)
A.  Firewalls
B.  Load balancers
C.  Virtual machines
D.  DNS servers
E.  Durable storage volumes

Answer 19

All of the above

All of these cloud services have APIs that can be accessed for configuration and monitoring using standard RESTful XML and/or JSON interfaces.

Question 20

Jim has a critical server in the application tier of his cloud-based deployment.  He is looking at a device-specific security solution to add defense-in-depth capabilities to his currently deployed network-based security defenses.  He has been researching ways to mitigate potential hacking attempts.  What is a good solution for him?
A.  DMZ
B.  IDS
C.  IPS
D.  Classification automation
E.  HIDS

Answer 20

HIDS

A host intrusion detection system (HIDS) is a software that monitors the device on which it is installed to identify deviations from an established security policy.

Question 21

A constantly changing six-digit numerical token is used in what type of cloud service?
A.  XML
B.  TLS
C.  SSL
D.  MFA
E.  JSON

Answer 21

MFA

Multifactor authentication (MFA) services use a token that is generated on a schedule and can be a numerical value. The other answers offered are not valid to the question.

Question 22

Samantha has been asked to meet FedRamp compliance for her customer's new contract.  Where should she integrate compliance in her project?  (Choose four.)
A.  Hand-off
B.  Design
C.  Implementation
D.  Automation rollout
E.  Planning
F.  Validation
G.  HIDS
H.  JSON/XML scripting

Answer 22

Planning, Design, Implementation, Validation

All compliance requirements should be integrated into the complete life cycle of a project including the design, planning, implementation and validation phases of the project.

Question 23

Sharon is investigating a standards-based construct to enable automation on her load balancers.  What is a good lightweight data-interchange format standard that is easily readable and for computing systems to parse and to generate? (Choose two.)
A.  XML
B.  JSON
C.  REST
D.  Python

Answer 23

XML, JSON

Extensible Markup Language (XML) and JavaScript Object Notation (JSON) provide a flexible way to describe data and create information formats and electronically share structured data between computing systems. Both are lightweight data-interchange formats that are easily readable for computing systems to parse and to generate.

Question 24

Your company has purchased a specialized intrusion prevention system that is virtualized and designed for cloud-based network micro segmentation deployments. When reading the documentation, Sam notices a link to download a Java-based application to monitor and configure the IPS.  What kind of automation system is this?
A.  CLI
B.  GIU
C.  Vendor based
D.  API
E.  RESTful

Answer 24

Vendor based

Based on the information given, the description is for a vendor-based management application.

Vendors will publish a document detailing their APIs interfaces and how to interact with their products programmatically for automation and management.
(page 138)

Question 25

``` Hank works in his e-commerce company's IT security group and has been tasked to investigate options that will allow customers to securely access their personal records stored on the cloud deployment for their smartphones. What is the most common in-flight e-commerce security posture on the market? A. MD5 B. SSL/TLS C. IPSec D. VPN ```

Answer 25

SSL/TLS SSL/TLS security is the most common remote access encryption technology and is commonly used in browsers and smartphone applications. MD5 is a hash algorithm, and IPSec is a security framework; they do not apply to the question. VPNs are not as common as SSL/TLS for the scenario given.

Question 26

``` Cloud segmentation enhances security for cloud-based applications. What services is is a best practice to segment? A. Python B. Compute C. RAM D. VPN ```

Answer 26

Compute It is considered a best practice to group compute resources into like segments and apply security to the segment.

Question 27

``` What is a long-standing text-based interface that is used to configure network services both locally and remotely? A. GUI B. CLI C. REST D. SNMP E. API ```

Answer 27

CLI The command-line interface (CLI)is a text-based interface to most network services that allows for remote and local configurations.

Question 28

Sid is a security engineer at a large public cloud company. He is implementing a new security service that tracks activity across the network and actively shuts down malicious activity. What security application is he implementing?

Answer 28

Intrusion prevention system

Question 29

Charles wants to offer his user base a selection of two-factor authentication solutions. What two options are there?

Answer 29

Key fob and smartphone

Question 30

Beth is asking you if there is a website that shows a high-level overview of her cloud deployment. What is this called?

Answer 30

Dashboard

Question 31

Trevor is implementing a security application that operates in each web server that faces the Internet. He wants to track malicious attacks. What solution is he implementing?

Answer 31

Hot intrusion detection system

Question 32

What intrusion system will monitor but not act on Internet-based attack?

Answer 32

IDS Intrusion Detection system

Question 33

What is storage that does not survive a VM restart called?

Answer 33

Ephemeral

Question 34

What backend cloud systems allow for on-demand provisioning of services?

Answer 34

Automation

Question 35

What cloud service contains an ordered rule set that contains permit and deny statements and is used to protect cloud-based devices?

Answer 35

Firewall

Question 36

What is a software-controlled machine-to-machine interface called

Answer 36

Application programmable interface (API)