Cloud Concepts, Architecture, and Design

Question 1

What service model is an application like DropBox and Office 365?

Answer 1

SaaS

Question 2

What does the customer have access to in SaaS?

Answer 2

Enterprise apps, Desktop apps, and Mobile apps

Question 3

What service model is a platform like Windows Server?

Answer 3

PaaS

Question 4

What does the customer have access to in PaaS?

Answer 4

Development/runtime tools/environment

Question 5

What service model offers processing, storage, or networking resources like a vDC (Virtual Data Center)?

Answer 5

IaaS

Question 6

What does the customer have access to in IaaS?

Answer 6

CPU, disk drives, networks, and data centers

Question 7

What service category supports real-time interaction and collaboration? Examples include voice over IP (VoIP or Internet telephony), IM, collaboration and videoconference applications using fixed and mobile devices.

Answer 7

CaaS - Communications as a Service

Question 8

What service category supports processing resources to run software?

Answer 8

CompaaS - Compute as a service

Question 9

Concepts and objects related to software computation. Refers to processing power, memory, networking, storage, and other resources required for the computational success of any program.

Answer 9

Compute

Question 10

What can version control be used for?

Answer 10

Tracking versions worked on by developers and track configuration of systems and apps.

Question 11

What is it called when you have the ability to reverse original operations and a move?

Answer 11

Reversibility

Question 12

What is it called when you design workloads that don’t leverage vendor specific features?

Answer 12

Portability

Question 13

What is it called when a vendor can easily support solution integrations?

Answer 13

Interoperability

Question 14

What is it called when data science and statistics are used to uncover hidden knowledge in data accumulated each day?

Answer 14

Machine learning

Question 15

Uncover trends, categorize records, and run biz efficiently.

Answer 15

What ML analyzes data to do

Question 16

What are a collection of techniques designed to mimic human thought processes in computers?

Answer 16

AI

Question 17

What is descriptive analytics?

Answer 17

Describing data.

Question 18

Using existing data to predict future events.

Answer 18

Predictive analytics

Question 19

Optimizing our behavior by simulating many scenarios.

Answer 19

Prescriptive analytics

Question 20

Storing records to distribute among many different systems in a manner that prevents anyone from tampering with them in a ledger.

Answer 20

Blockchain technology

Question 21

What is connecting nontraditional devices to the internet for collection, analysis, and control?

Answer 21

IoT - Internet of Things

Question 22

What is a lightweight way to package an app to make it portable to move easily b/w hardware platforms?

Answer 22

Containers

Question 23

Instead of running hypervisors, systems supporting containers run a…

Answer 23

Containerization platform

Question 24

What is the major benefit of containers over virtual machines?

Answer 24

They don’t have their own OS kernel - they use the host’s OS kernel.

Question 25

What technology seeks to replace the binary 1 and 0 bits of digital computing?

Answer 25

Quantum computing

Question 26

What involves putting processing power on remote sensors and allowing them to perform the heavy lifting required to process data before transmitting a small subset of that data back to the cloud?

Answer 26

Edge computing

Question 27

What involves placing gateway devices out in the field to collect info from sensors and perform that correlation centrally at the remote location before returning data to the cloud?

Answer 27

Fog computing

Question 28

What are edge and fog computing for?

Answer 28

Increasing our ability to connect IoT devices to the cloud.

Question 29

Guarantee that no outside process can view or alter the data being handled within the environment.

Answer 29

What trusted execution environments (TEEs) do

Question 30

Enables scalability, reduces error through use of immutable servers, and makes testing easy.

Answer 30

3 things Infrastructure as Code does

Question 31

Broad network access, on-demand self-service, resource pooling, rapid elasticity and scalability, and metered service.

Answer 31

Common cloud characteristics

Question 32

When services are consistently accessible over the network.

Answer 32

Broad network access

Question 33

When customers can scale their compute and/or storage needs w/ little or no intervention from or prior communication with the provider.

Answer 33

On-demand self-service

Question 34

Allows CP to meet various demands from customers while remaining financially viable, and apportion resources as needed so resources aren’t underutilized or overtaxed.

Answer 34

Resource pooling

Question 35

What is rapid elasticity and scalability?

Answer 35

Allows customer to grow/shrink IT footprint to meet operational needs without excess capacity.

Question 36

All cloud activity is metered so you only pay for what you use.

Answer 36

Measured/metered service

Question 37

What is scalability?

Answer 37

Ability of system to grow as demand increases.

Question 38

What is elasticity?

Answer 38

Ability of system to dynamically grow/shrink based on current demand.

Question 39

Aspects of device, process, or employee that are not necessary for accomplishing task but desired.

Answer 39

Non-functional requirements

Question 40

Performance aspects of device, process, employee that are necessary for the business task to be accomplished.

Answer 40

Functional requirements

Question 41

Interviewing functional managers, users, senior mgmt., observing employees, surveying customers, collecting network traffic, inventorying assets, collecting financial/insurance records, marketing data and regulatory mandates.

Answer 41

Methods of gathering business requirements

Question 42

An assessment of the priorities given to each asset and process within the org and the effect harm or loss of asset has to org.

Answer 42

BIA

Question 43

What are important things to consider during BIA?

Answer 43

Critical paths and single points of failure.

Question 44

Routers and servers are examples of _____ assets.

Answer 44

Tangible

Question 45

Software code, ideas, and business methodologies are examples of _____ assets.

Answer 45

Intangible

Question 46

To gain an understanding of what benefits the org might derive from cloud migration and associated costs.

Answer 46

Purpose of a cost-benefit analysis

Question 47

When an organization can experience dramatic/rapid/significant demand without being overwhelmed, and allows customer to dictate volume of resource usage.

Answer 47

Rapid elasticity

Question 48

Augmenting internal/private data center capabilities with managed services during times of increased demand.

Answer 48

Cloud bursting

Question 49

To bring all an organization’s cloud activities under more centralized control, ensure services meet technical, functional, and security requirements, and monitor for duplicative services.

Answer 49

Purpose of a cloud governance program

Question 50

What is Shadow IT?

Answer 50

When BLs provision cloud services on their own to satisfy unmet technical needs.

Question 51

What is a personnel benefit of moving to the Cloud?

Answer 51

Not having to pay expensive salaries for Internal IT.

Question 52

The cloud benefit realized when CP offers holistic, targeted regulatory compliance packages.

Answer 52

Regulatory

Question 53

What’s true about PII?

Answer 53

You’re responsible for the data regardless of if you’re using a Cloud service and any breaches from negligence of CP.

Question 54

Cost-benefit calculations are driven by what?

Answer 54

Security concerns.

Question 55

How do you calculate ROI?

Answer 55

Net Profit/Net Assets

Question 56

What is the service category where the provider delivers an entire app – configuring servers – and customer just uses service?

Answer 56

SaaS

Question 57

What are some SaaS examples?

Answer 57

Google Apps, Microsoft Office 365, Dropbox

Question 58

What is the service category where the customer purchases basic computing resources to create customized IT solutions?

Answer 58

IaaS

Question 59

Compute capacity and data storage are things _____ vendors might provide.

Answer 59

IaaS

Question 60

What are the 4 largest IaaS vendors?

Answer 60

AWS, Azure, Google Compute Engine, and Alibaba.

Question 61

What are these: Virtualized server, block storage, object storage, networking capacity, orchestration of automation to administer the cloud infrastructure.

Answer 61

Types of infrastructure capability for IaaS

Question 62

What is the service category where customers can run their own app code w/out worrying about server config?

Answer 62

PaaS

Question 63

What is the common PaaS capability where customer creates specialized functions that run on a schedule or in response to events?

Answer 63

FaaS – Function as a Service

Question 64

What are the cloud deployment models?

Answer 64

Private, public, hybrid, multi-cloud, and community cloud.

Question 65

What is it called when many different customers share use of the same computing resources?

Answer 65

Multitenancy

Question 66

What is it when a CP can sell customers a total capacity that exceeds the physical capacity of their infrastructure b/c customers will never use all capacity simultaneously?

Answer 66

Oversubscription

Question 67

Multitenancy works because of…

Answer 67

Resource pooling.

Question 68

They offer some product or service that interacts with the primary offerings of a CSP.

Answer 68

Cloud service partner

Question 69

CSPs who offer managed IAM services to cloud customers that integrates security requirements across cloud services.

Answer 69

CASB

Question 70

Use cloud services, perform service trials, monitor services, administer service security, provide billing and usage reports, handle problem reports, administer tenancies, perform biz admin, select/purchase service, request audit reports.

Answer 70

Customer responsibilities

Question 71

Prepare systems and provide cloud services, monitor/administer services, manage assets/inventories, provide audit data, manage customer relationships and handle customer requests, perform peering w/ other cloud providers, ensure compliance, provide network connectivity.

Answer 71

CSP responsibilities

Question 72

Who fulfills the following: Design, create, maintain service component, test services, perform audits, set up legal agreements, acquire and assess customers, and assess marketplace.

Answer 72

Cloud Service Partners

Question 73

When many different virtual servers make use of the same underlying hardware.

Answer 73

Virtualization

Question 74

Virtualization involves the use of…

Answer 74

A host machine that has physical hardware that then hosts several virtual guest machines.

Question 75

Manages the guest VMs and tricks them to think they’re running on its own hardware instead of shared hardware of host machine.

Answer 75

Hypervisors

Question 76

Also called a bare metal hypervisor, runs directly on top of the hardware and then hosts guest OS on top of that.

Answer 76

Type 1 hypervisor

Question 77

Physical machine runs an OS of its own and the hypervisor runs as a program on top of that OS.

Answer 77

Type 2 hypervisor

Question 78

When a hacker is able to break out of a virtualized guest operating system.

Answer 78

VM escape attack

Question 79

What is virtualization technology designed to do?

Answer 79

Strictly enforce isolation.

Question 80

What does virtualization make it easy to do?

Answer 80

Create new servers in a data center.

Question 81

What is it called when there are large numbers of unused and abandoned servers on the network?

Answer 81

VM sprawl

Question 82

Why is VM sprawl dangerous?

Answer 82

B/c unused and abandoned servers accumulate serious security vulns if they’re not properly patched.

Question 83

What is it called when you can create computing resources to solve a problem and then get rid of them when they’re no longer needed?

Answer 83

Ephemeral computing

Question 84

What is protecting assets from unauthorized access?

Answer 84

Confidentiality

Question 85

What is protecting assets against unauthorized modification?

Answer 85

Integrity

Question 86

What is ensuring assets are available for authorized use w/out disruption?

Answer 86

Availability

Question 87

Protecting personal info we store, process, and transmit

Answer 87

Privacy

Question 88

Working through existing and planned cloud relationships to ensure they comply with security, legal, business, and other constraints.

Answer 88

Governance

Question 89

When contracts specify customer has the right to audit cloud providers.

Answer 89

Auditability

Question 90

Ability of the cloud infrastructure to withstand disruptive events.

Answer 90

Resiliency

Question 91

Third party that can conduct an independent assessment of cloud services, information system operations, performance, and security of the cloud implementation.

Answer 91

Cloud Service Auditor

Question 92

An entity that manages the use, performance and delivery of cloud services and negotiates relationships between cloud providers (CSPs) and cloud consumers.

Answer 92

Cloud broker

Question 93

Service intermediation - enhances service
Service aggregation - combines and integrates services
Service arbitrage - choose services from multiple agencies

Answer 93

functions of cloud broker

Question 94

Responsible for business agreement, pricing for the cloud customer.

Answer 94

cloud service manager

Question 95

The ability of a system to automatically grow and shrink based on app demand

Answer 95

elasticity

Question 96

Ability to grow as demand increases.

Answer 96

scalability

Question 97

Number of minutes of virtual server compute time
Amount of disk space you consume
Number of function calls you make
Amount of network egress and ingress

Answer 97

common metrics for measured service

Question 98

5 building block technologies of the cloud

Answer 98

compute, databases, network, storage, orchestration

Question 99

CSP provides the server, storage, and networking hardware and its virtualization. Customer installs middleware and applications.

Answer 99

compute

Question 100

All virtualized to allow customers to design and customize to their needs. Enables customers to segment and restrict access however they would like.

Answer 100

network

Question 101

A network architecture approach that enables the network to be intelligently and centrally controlled, or ‘programmed,’ using software

Answer 101

storage defined network (sdn)

Question 102

3 layers of sdn

Answer 102

management, control, data

Question 103

The business applications that manage the underlying control plane are exposed with _____.

Answer 103

northbound interfaces

Question 104

Control of network functionality and programmability is made directly to devices at this layer.

Answer 104

control plane

Question 105

The network switches and routers located at this plane are associated with the underlying network infrastructure.

Answer 105

data plane

Question 106

Ensures only trusted, authorized applications access critical network resources.

Answer 106

Northbound interface

Question 107

OpenFlow protocol interfaces with devices through _____

Answer 107

southbound interfaces

Question 108

_____storage maps a logical unit number (LUN) on a storage area network (SAN) to a VM.

Answer 108

raw

Question 109

Offered by some CSPs, this is tailored to the needs of data archiving. This may include features like search, immutability, and data lifecycle management. Typically use either Volume or Object storage infrastructure.

Answer 109

long-term storage

Question 110

Volume storage is also called:

Answer 110

block

Question 111

Examples of object storage

Answer 111

S3 and azure blob

Question 112

Ensures that all copies of the data have been duplicated among all relevant copies before finalizing the transaction to increase availability.

Answer 112

strict consistency

Question 113

Consistency of data is relaxed, which reduces the number of replicas that must be accessed during read and write operations before the transaction is finalized.

Answer 113

eventual consistency

Question 114

Where content is stored in object storage, then replicated to multiple geographically distributed nodes to improve internet consumption speed

Answer 114

content delivery network (cdn)

Question 115

Builds on the foundation of Infrastructure as Code (IaC), reducing manual admin tasks.

Answer 115

orchestration

Question 116

— virtual machines (VM)
— virtual desktop infrastructure (VDI)
— software defined networks (SDN)
— virtual storage area networks (SAN)

Answer 116

virtual assets

Question 117

T/F: Both hypervisors and VMs need to be patched

Answer 117

True

Question 118

The cloud service provider (CSP) provides the least amount of maintenance and security in the _____ model.

Answer 118

IaaS

Question 119

What hypervisor:
More secure if implemented properly
Commonly used for QA, load testing, and production scenarios
Typically, more expensive

Answer 119

Type 1: Bare metal

Question 120

What hypervisor:
Increased attack surface (due to the host operating system)
Commonly used for individual development and lab scenarios
Typically, less expensive

Answer 120

Type 2: Hosted

Question 121

Use cloud services
Perform service trials
Monitor services
Administer service security
Provide billing and usage reports
Handle problem reports
Administer tenancies
Perform business administration
Select and purchase service
Request audit reports

Answer 121

customer responsibilities

Question 122

Prepare systems and provide cloud services
Monitor and administer services
Manage assets and inventories
Provide audit data
Manage customer relationships
Handle customer requests
Perform peering with other cloud service providers
Ensure compliance
Provide network connectivity

Answer 122

csp responsibilities

Question 123

Design, create, and maintain service components
Test services
Perform audits
Set up legal agreements
Acquire and assess customers
Assess the marketplace

Answer 123

partner responsibilities

Question 124

Provides guidance in implementing and managing customer usage of a platform

Answer 124

partner

Question 125

Application capability types - reduced support costs and licensing fees
Platform capability types - reduces lock in
Infrastructure capability types - high reliability and resilience

Answer 125

benefits of public cloud

Question 126

CSP provides building blocks, like networking, storage and compute

Answer 126

IaaS

Question 127

Usage is metered
Eases scale (scale up, out, and down)
Reduced energy and cooling costs

Answer 127

benefits of IaaS

Question 128

Customer is responsible for deployment and management of apps
CSP manages provisioning, configuration, hardware, and OS

Answer 128

PaaS

Question 129

Core infrastructure updated by provider
Global collaboration for app development
Running multiple languages seamlessly

Answer 129

key benefits of PaaS

Question 130

Customer just configures features
CSP is responsible for management, operation, and service availability.

Answer 130

SaaS

Question 131

Limited administration responsibility
Limited skills required
Service always up to date
Global access

Answer 131

key benefits of SaaS

Question 132

Devs have to write code
No server management

Answer 132

things PaaS and Serverless have in common

Question 133

Less control over deployment environment
Application scales automatically
Application code only executes when invoked

Answer 133

Serverless

Question 134

More control over deployment environment
Application has to be configured to auto scale
Application takes a while to spin up

Answer 134

PaaS

Question 135

A cloud computing execution model where the cloud provider dynamically manages the allocation and provisioning of servers. Hosted as a pay as you go model based on use. Resources are stateless, servers ephemeral and often capable of being triggered.

Answer 135

serverless architecture

Question 136

Provisioning of multiple business services is combined with different IT services to provide a single business solution.

Answer 136

services integration

Question 137

Cloud is cost effective, global, secure, scalable, elastic, and always current

Answer 137

benefits of cloud computing

Question 138

Everything runs on your cloud provider’s hardware
Advantages include scalability, agility, PAYG, no maintenance, and low skills

Answer 138

public cloud

Question 139

A cloud environment in your own datacenter
A cloud environment dedicated to a single customer
Advantages include legacy support, control, and compliance

Answer 139

private cloud

Question 140

Combines public and private clouds, allowing you to run your apps in the right location. Advantages include flexibility in legacy, compliance, and scalability scenarios

Answer 140

hybrid cloud

Question 141

Similar to private clouds in that they are not open the general public
But they are shared by several related organizations in a common community

Answer 141

community cloud

Question 142

Combines resources from two or more public cloud providers
Allows orgs to take advantage of service and price differences, but at the cost of added complexity

Answer 142

multi cloud

Question 143

Access controls help ensure that only authorized subjects can access objects

Answer 143

confidentiality

Question 144

Ensures that data or system configurations are not modified without authorization

Answer 144

integrity

Question 145

Authorized requests for objects must be granted to subjects within a reasonable amount of time

Answer 145

availability

Question 146

Ability of one cloud service to interact with other cloud services by exchanging information according to a prescribed method and obtain predictable results.

Answer 146

interoperability

Question 147

Process for cloud service customers to retrieve their data and application artifacts AND for the CSP to delete all cloud service customer data and contractually specified cloud service derived data after an agreed period.

Answer 147

reversibility

Question 148

Policy - interoperate while complying w/ gov laws/regs
Behavioral - results of exchanged info matches expected outcome
Transport - commonality of communication b/w cloud consumer, provider, and other providers
Syntactic - two or more system understand other system’s structure of exchanged info thru encoding syntaxes
Semantic Data - ability of systems exchanging info to understand meaning of data model w/in context

Answer 148

5 facets of cloud interoperability

Question 149

Syntactic - using formats that can be decoded
Semantic - data model is understood
Policy - laws/regs/mandates followed

Answer 149

3 facets of cloud data portability

Question 150

Ability of a cloud services data center and its associated components, including servers, storage, and so on, to continue operating in the event of a disruption.

Answer 150

resiliency

Question 151

A discrete market, typically containing two or more regions, that preserves data residency and compliance boundaries

Answer 151

geography

Question 152

A set of datacenters deployed within a latency defined perimeter and connected
through a dedicated regional low latency network.

Answer 152

regions

Question 153

A relationship between 2 Azure Regions within the same geographic region for disaster recovery purposes.

Answer 153

region pairs

Question 154

Unique physical locations within a region with independent power, network, and cooling. Comprised of one or more datacenters Tolerant to datacenter failures via redundancy and isolation

Answer 154

availability zones

Question 155

The duty to ensure private information is kept secret to the extent possible. A legal obligation in regulatory scenarios, and a due care obligation in U.S. law

Answer 155

confidentiality - focus on data

Question 156

The right of an individual to have some control over how their personal information (PII,PHI) is collected, used, and potentially disclosed.

Answer 156

privacy - focus on rights of person

Question 157

Ability of a service to remain responsive to requests to that service with an acceptable level of response latency or processing time.

Answer 157

performance

Question 158

Enforcement of security policies and regulatory requirements, often through policy controls and regular audits.

Answer 158

governance

Question 159

Ability to provide clear documentation of the actions in a data event.

Answer 159

auditability

Question 160

Ability to determine who caused the event. This is known sometimes called “identity attribution”.

Answer 160

Accountability

Question 161

Ability to track down all events related to the investigated event.

Answer 161

traceability

Question 162

A technical or contractual constraint that prevents a customer from moving from a provider.

Answer 162

vendor lock-in

Question 163

The practice of applying data science to prevent, detect, and remediate cybersecurity threats. Data is collected from selected cyber security sources and then analyzed to provide timely, data driven patterns at scale.

Answer 163

cybersecurity data science

Question 164

To create a new block on the chain, the computer that wishes to add the block solves a cryptographic puzzle and sends the solution to the other computers participating in that blockchain.

Answer 164

proof of work

Question 165

A class of devices connected to the internet in order to provide automation, remote control, or AI processing in a home or business setting

Answer 165

internet of things

Question 166

wearables, facility automation, sensors

Answer 166

internet of things

Question 167

Examples include Docker and Kubernetes

Answer 167

containerization

Question 168

A lightweight, granular, and portable way to package applications for multiple platforms. Reduces overhead of server virtualization by enabling containerized apps to run on a shared OS kernel. Share many concerns of server virtualization: isolation
at host, process, network, and storage levels

Answer 168

containerization

Question 169

Replaces the binary one and zero bits of digital computing with multidimensional quantum bits known as qubits.

Answer 169

quantum computing

Question 170

The practice of harnessing the principles of quantum mechanics to improve security and to detect whether a third party is eavesdropping on communications. Leverages fundamental laws of physics such as the observer effect, which states that it is impossible to identify the location of a particle without changing that particle.

Answer 170

quantum cryptography

Question 171

The most common example of quantum cryptography. By transferring data using photons of light instead of bits, a confidential key transferred between two parties cannot be copied or intercepted secretly.

Answer 171

Quantum Key Distribution

Question 172

Cryptographic algorithms (usually public key algorithms) that are thought to be secure against an attack by a quantum computer. Post quantum cryptography focuses on preparing for the era of quantum computing by updating existing mathematical based algorithms and standards.

Answer 172

Post quantum cryptography

Question 173

Post quantum algorithms are sometimes called _____ cryptographic algorithms

Answer 173

“quantum resistant”

Question 174

Some compute operations require processing activities to occur locally, far from the cloud. All the processing of data storage is closer to the sensors rather than in the cloud data center.

Answer 174

edge computing

Question 175

Complements cloud computing by processing data from IoT devices. Often places gateway devices in the field to collect and correlate data centrally at the edge. Generally, brings cloud computing nearer to the sensor to process data closer to the device.

Answer 175

fog computing

Question 176

Sensitive data must be encrypted in memory before an app can process it, leaving the data vulnerable is a problem that ____ solves by isolating sensitive data in a protected _____ during processing - also called a _____.

Answer 176

confidential computing / CPU enclave / trusted execution environment (TEE)

Question 177

This is the management of cloud infrastructure (networks, VMs, load balancers, and connection topology) described in code. Just as the same source code generates the same binary, code in this model results in the same environment every time it is applied. This is a key DevOps practice and is used in conjunction with CI/CD.

Answer 177

IaC

Question 178

A chip that resides on the motherboard of the device. Multi purpose, like storage and management of keys used for full disk encryption (FDE) solutions. Provides the operating system with access to keys, but prevents drive removal and data access

Answer 178

trusted platform module

Question 179

A physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions.

Answer 179

hardware security module

Question 180

generation - in secure cryptographic module
distribution - encrypt key w/ separate encryption key
storage - keys protected at rest
use
revocation
destruction

Answer 180

encryption key lifecycle

Question 181

In PKI, you would revoke the certificate on the issuing

Answer 181

Certificate Authority (CA)

Question 182

Encryption keys must be secured _____ as the data they protect.

Answer 182

at the same level of control or higher

Question 183

A _____ is anything that you want to control access to, such as API keys, passwords, certificates, tokens, or cryptographic keys.

Answer 183

secret

Question 184

Something you know (pin or password)
Something you have (trusted device)
Something you are (biometric)

Answer 184

mfa

Question 185

— Phishing
— Spear phishing
— Keyloggers
— Credential stuffing
— Brute force and reverse brute force attacks
— Man in the middle (MITM) attacks

Answer 185

all prevented by mfa

Question 186

A _____ is a type of administrator account used to run an application.

Answer 186

service account

Question 187

A solution that helps protect the privileged accounts within a tenant, preventing attacks

Answer 187

privileged access management

Question 188

erasing, clearing (overwriting), purging

Answer 188

less secure data destruction

Question 189

most secure data destruction

Answer 189

crypto shredding

Question 190

Data cannot be recovered from any remnants.
High CPU and performance overhead

Answer 190

pro and con of crypto shredding

Question 191

degaussing, shredding, pulverizing

Answer 191

hard drive media destruction methods - not reusable or recoverable

Question 192

Act as a virtual firewall for virtual networks and resource instances. Carries a list of security rules (IP and port ranges) that allow or deny network traffic to resource instances. Provides a virtual firewall for a collection of cloud resources with the same security posture.

Answer 192

network security group

Question 193

Restricting services that are permitted to access or be accessible from other zones using rules to control inbound/outbound traffic. Rules are enforced by the IP address ranges of each subnet. Within a virtual network, this can be used to achieve
isolation .

Answer 193

segmentation

Question 194

Port filtering through a network security group

Answer 194

example of segmentation

Question 195

What is the modern approach to writing web service APIs.

Answer 195

Representational State Transfer (REST)

Question 196

Enables multi language support, can handle multiple types of calls, return different data formats. APIs published by an organizations should include encryption, authentication, rate limiting, throttling, and quotas.

Answer 196

API inspection and integration

Question 197

Traffic is often sent direct to resources and promiscuous mode on a VM NIC not possible or effective.
EXAMPLES: Network Watcher (Azure), VPC traffic mirroring (AWS)

Answer 197

traffic inspection

Question 198

Uses the Global Positioning System (GPS) or RFID to define geographical boundaries. Once the device is taken past the defined boundaries, the security team will be alerted.

Answer 198

geofencing

Question 199

Treats user identity as the control plane. Assumes compromise / breach in verifying every request.

Answer 199

zero trust security

Question 200

verify explicitly
use lease privilege access
assume breach

Answer 200

zero trust principles

Question 201

Network Security Group (NSG)
Network Firewalls
Inbound and outbound traffic filtering
Inbound and outbound traffic inspection
Centralized security policy management and enforcement

Answer 201

zero trust network architecture

Question 202

Orchestration/scheduling controller
Network, storage
Container host
Container images
Container registry

Answer 202

Core components in a container platform (Docker, Kubernetes)

Question 203

Container security shares many of the concerns of server virtualization, but must enforce _____ of network, data, storage access at container level.

Answer 203

isolation

Question 204

These are cloud-based VMs where containers run

Answer 204

container hosts

Question 205

Use API gateways as security buffers (to avoid DDoS attacks)
Configure secure authentication (Oauth, SAML, OpenID Connect, MFA)
Separate dev and prod environments, implement least privilege

Answer 205

serverless technology

Question 206

REST uses the _____ protocol for web communications to offer API end points

Answer 206

HTTPS

Question 207

Security mechanisms for _____ include API gateway, authentication, IP filtering, throttling, quotas, data validation

Answer 207

APIs

Question 208

When attacks are designed to steal or wedge themselves into the middle of a
conversation in order to gain control.

Answer 208

traffic hijacking

Question 209

Process/effort to collect and analyze information before making a decision or conducting a transaction.

Answer 209

due diligence

Question 210

Doing what a reasonable person would do in a given situation. It is sometimes called the “prudent person rule”.

Answer 210

due care

Question 211

do detect is ______ and do correct is _____

Answer 211

due diligence / due care

Question 212

Research
Planning
Evaluation

Answer 212

due diligence

Question 213

Implementation
Operation (upkeep)
Reasonable measures

Answer 213

due care

Question 214

Knowledge and research of:
Laws and Regulations
Industry standards
Best practices

Answer 214

due diligence

Question 215

Delivery or execution including:
* Reporting security incidents
* Security awareness training
* Disabling access in a timely way

Answer 215

due care

Question 216

Helps reduce outages or weakened security from unauthorized changes to the baseline configuration

Answer 216

Change Management

Question 217

Uses a labeling or numbering system to track changes in updated versions of baseline (image, application, system,

Answer 217

Versioning

Question 218

Performed to determine whether a particular patch or update applies to a system.

Answer 218

applicability assessment

Question 219

To ensure it’s handled properly, it’s important to ensure data is _____ as soon as possible.

Answer 219

classified

Question 220

Data should be protected by adequate security controls based on its _____.

Answer 220

classification

Question 221

Refers to anytime data is in use or in transit over a network

Answer 221

share

Question 222

Commonly protected with TLS or tunneled through VPN

Answer 222

data in transit

Question 223

In storage (on disk, in database, etc) and protected through encryption

Answer 223

data at rest

Question 224

In memory. Should be flushed from memory when transaction is complete or system is powered down

Answer 224

data in use

Question 225

Helps you encrypt Windows and Linux IaaS VMs disks using BitLocker (Windows) and
dm crypt feature of Linux to encrypt OS and data disks.

Answer 225

full disk encryption

Question 226

Helps protect SQL Database and data warehouses against threat of malicious activity
with real time encryption and decryption of database, backups, and transaction log
files at rest without requiring app changes.

Answer 226

Transparent data encryption (TDE)

Question 227

Ensure the data’s context and meaning are understood, and business
rules governing the data’s usage. Use that knowledge to ensure the data they are responsible for is used as intended.

Answer 227

data steward

Question 228

The person or entity that controls processing of the data.

Answer 228

data controller

Question 229

A natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller.

Answer 229

data processor

Question 230

Responsible for day-to-day: safe custody, transport, and storage of data, and implementation of business rules, technical controls. Does not decide what controls are needed, but does implement controls for data owner

Answer 230

data custodian

Question 231

focuses on the whole business

Answer 231

bcp

Question 232

focuses more on the technical aspects of recovery

Answer 232

drp

Question 233

T/F: BCP is an umbrella policy and DRP is part of it

Answer 233

True

Question 234

addresses site level failure

Answer 234

region pairs

Question 235

These address datacenter failures within a cloud region.

Answer 235

Availability zones

Question 236

address rack level failures within a regional datacenter

Answer 236

availability sets

Question 237

Contains two important items:
✓ a cost-benefit analysis (CBA) AND
✓ a calculation of the return on investment (ROI)

Answer 237

BIA

Question 238

Can be strictly quantitative: adding the financial benefits and subtracting the associated costs to determine whether a decision will be profitable.

Answer 238

CBA

Question 239

Define a system or its component and specifies what it must do. Captured in use cases, defined at a component level .

Answer 239

Functional security requirements

Question 240

Specify the system’s quality, characteristics, or attributes. Apply to the whole system (system level)

Answer 240

Non functional security requirements

Question 241

VM attacks
Virtual network
Hypervisor attacks
VM-based rootkits
Virtual switch attacks
Colocation
DoS attack

Answer 241

security considerations for IaaS

Question 242

System and Resource Isolation
User-Level Permissions
Access Management
Protection Against Malware, Backdoors, and Trojans

Answer 242

security considerations for PaaS

Question 243

Data Segregation
Data Access and Policies
Web Application Security

Answer 243

security considerations for SaaS

Question 244

When unmanaged VMs have been deployed on your network. Because IT doesn’t know it is there, it may not be patched and protected, and thus more vulnerable to attack

Answer 244

vm sprawl

Question 245

Enforcement of security policies for adding VMs to the network, as well as periodic scanning to identify new virtualization hosts is how to avoid _____.

Answer 245

vm sprawl

Question 246

Ensure patches and hypervisor and VMs are always up to date, guest privileges are low. Server level redundancy and HIPS/HIDS protection also effective.

Answer 246

how to protect against vm escape

Question 247

Freely available on the internet and exploit known vulnerabilities in various operating systems enabling attackers to elevate privilege.

Answer 247

Rootkit (escalation of privilege) - avoid by keeping security patches up
to date, anti malware software, EDR/XDR

Question 248

Undocumented command sequences that allow individuals with knowledge of the back door to bypass normal access restrictions. Often used in development and debugging.

Answer 248

back door - counter with firewalls, anti malware, network monitoring, code review

Question 249

Volume based attacks targeting flaws in network protocols, often using botnets,
using techniques such as UDP, ICMP flooding, or SYN flooding (TCP based).

Answer 249

network DDoS

Question 250

Exploit weaknesses in the application layer (Layer 7) by opening connections and
initiating process and transaction requests that consume finite resources like disk
space and available memory.

Answer 250

application DDoS

Question 251

Targets the weaknesses of software and hardware devices that control systems in factories, power plants, and other industries, such as IoT devices.

Answer 251

operational technology (ot) DDoS

Question 252

These are countermeasures for _____ IDS, IPS, rate limiting, firewall ingress/egress filters

Answer 252

DDoS

Question 253

Automated software scanning
Automated vulnerability scanning
Web application firewall
Software dependency management
Access and activity logging
Application performance management
Are all _____ technical controls.

Answer 253

DevOPS

Question 254

Developer application security training
Documented policies and procedures
Code review, approval gates

Answer 254

DevOPS admin controls

Question 255

Provides guidelines for information security controls applicable to the provision and use of cloud services. Provides cloud based guidance on several ISO/IEC 27002 controls, along with seven cloud controls that address:
1) Who is responsible for what between the cloud service provider and the cloud
customer
2) The removal/return of assets when a contract is terminated
3) Protection and separation of the customer’s virtual environment
4) Virtual machine configuration
5) Administrative operations and procedures associated with the cloud environment
6) Customer monitoring of activity within the cloud
7) Virtual and cloud network environment alignment

Answer 255

ISO 27017

Question 256

> a secure network must be maintained in which transactions can be conducted
cardholder information must be protected wherever it is stored
systems should be protected against the activities of malicious hackers
cardholder data should be protected physically as well as electronically.
networks must be constantly monitored and regularly tested
a formal information security policy must be defined, maintained, and followed

Answer 256

PCI DSS objectives

Question 257

Ensures customers that security products they purchase have been thoroughly tested by independent third-party testers and meets customer requirements.

Answer 257

ISO 15408

Question 258

– Level 1: Lowest level of security.
– Level 2: Specifies the security requirements for cryptographic modules that protect sensitive information.
– Level 3: Requires physical protections to ensure a high degree of confidence that any attempts to tamper are evident and detectable

Answer 258

FIPS 140-2 security levels

Question 259

AWS Well Architected Framework
Azure Well Architected Framework
Google Cloud Architecture Framework

Answer 259

cloud provider architecture reference

Question 260

Microsoft Cybersecurity Reference Architecture
AWS Security Reference Architecture
Google Cloud Security Foundations Guide

Answer 260

cloud provider security reference