Cloud Security Flashcards
Which one of the following statements about cloud computing is incorrect?
A. Cloud computing offers ubiquitous, convenient access.
B. Cloud computing customers store data on hardware that is shared with other customers.
C. Cloud computing customers provision resources through the service provider’s sales team.
D. Cloud computing resources are accessed over a network.
Answer:
C. One of the key characteristics of cloud computing is that customers can access resources on-demand with minimal service provider interaction. Cloud customers do not need to contact a sales representative each time they wish to provision a resource but can normally do so on a self-service basis.
Under the shared responsibility model, in which tier of cloud computing is the customer responsible for securing the operating system?
A. IaaS
B. PaaS
C. SaaS
D. All of the above
Answer:
A. Under the shared responsibility model, the customer only bears responsibility for operating system security in IaaS environments. In all other environments, the service provider is responsible for securing the operating system.
Helen designed a new payroll system that she offers to her customers. She hosts the payroll system in AWS and her customers access it through the web. What tier of cloud computing best describes Helen’s service?
A. PaaS
B. SaaS
C. FaaS
D. IaaS
Answer:
B. Helen is using IaaS services to create her payroll product. She is then offering that payroll service to her customers as an SaaS solution.
Tony purchases virtual machines from Microsoft Azure and uses them exclusively within his organization. What model of cloud computing is this?
A. Public cloud
B. Private cloud
C. Hybrid cloud
D. Community cloud
Answer:
A. This is an example of public cloud computing because Tony is using a public cloud provider, Microsoft Azure. The fact that Tony is limiting access to virtual machines to his own organization is not relevant because the determining factor for the cloud model is whether the underlying infrastructure is shared, not whether virtualized resources are shared.
Amanda would like to run a security configuration scan of her Microsoft Azure cloud environment. Which one of the following tools would be most appropriate for her needs?
A. Inspector
B. ScoutSuite
C. Prowler
D. Pacu
Answer:
B. ScoutSuite is the only cloud assessment tool listed here that performs security scans of Azure environments. Inspector and Prowler are AWS-specific tools. Pacu is an exploitation framework used in penetration testing.
Kevin is using a service where a cloud provider offers a platform that executes his code in response to discrete events. He is billed based on the actual resources consumed during each code execution event. What term best describes this service?
A. PaaS
B. SaaS
C. FaaS
D. IaaS
Answer:
C. This is an example of function as a service (FaaS) computing, a subset of platform as a service (PaaS). Although both terms may be used to describe the service Kevin uses, the best answer is FaaS, because it is more specific.
Under the shared responsibility model, which component always remains the responsibility of the customer, regardless of the cloud service model used?
A. Application
B. Hardware
C. Datacenter
D. Data
Answer:
D. In the shared responsibility model, the customer always retains either full or partial responsibility for data security. Hardware and physical datacenters are the cloud provider’s responsibility under all models. Applications are the customer’s responsibility under IaaS, the provider’s responsibility under SaaS, and a shared responsibility under PaaS.
Which one of the following services is not an example of FaaS computing?
A. Lambda
B. DeepLens
C. Google Cloud Functions
D. Azure Functions
Answer:
B. AWS Lambda, Google Cloud Functions, and Microsoft Azure Functions are all examples of function as a service (FaaS) computing. AWS DeepLens is an AI-enabled camera.
Which cloud computing deployment model requires the use of a unifying technology platform to tie together components from different providers?
A. Public cloud
B. Private cloud
C. Community cloud
D. Hybrid cloud
Answer:
D. Hybrid cloud environments blend elements of public, private, and/or community cloud solutions. A hybrid cloud requires the use of technology that unifies the different cloud offerings into a single, coherent platform.
Which one of the following would not commonly be available as an IaaS service offering?
A. CRM
B. Storage
C. Networking
D. Computing
Answer:
A. Customer relationship management (CRM) packages offered in the cloud would be classified as software as a service (SaaS), since they are not infrastructure components. Storage, networking, and computing resources are all common IaaS offerings.
Which one of the following is a characteristic of DevOps approaches to technology?
A. Isolating operations teams from development teams
B. Requiring clear hand-offs between development and production
C. Increasing the frequency of application releases
D. Eliminating the need for developers to understand business requirements
Answer:
C. DevOps approaches to software development and technology operations increase the frequency of releases by automating software testing and release processes. The other options are characteristic of legacy approaches to technology.
Which one of the following is not an example of infrastructure as code?
A. Defining infrastructure in JSON
B. Writing code to interact with a cloud provider’s API
C. Using a cloud provider’s web interface to provision resources
D. Defining infrastructure in YAML
Answer:
C. Infrastructure as code is any approach that automates the provisioning, management, and deprovisioning of cloud resources. Defining resources through JSON or YAML is IaC, as is writing code that interacts with an API. Provisioning resources through a web interface is manual, not automated, and therefore does not qualify as IaC.
Which one of the following conditions is not likely to trigger an alert during an automated cloud security assessment?
A. Presence of an API key in a public repository
B. Unrestricted API keys
C. Transmission of an API key over unsecured channels
D. Sharing of API keys among different developers
Answer:
D. All of these issues are security vulnerabilities that should be addressed. Cloud assessment tools would be able to identify most of these issues, but they would have no way of knowing that two or more developers are sharing an API key.
Brian is selecting a CASB for his organization and he would like to use an approach that interacts with the cloud provider directly. Which CASB approach is most appropriate for his needs?
A. Inline CASB
B. Outsider CASB
C. Comprehensive CASB
D. API-based CASB
Answer:
D. API-based CASB solutions interact directly with the cloud provider through the provider’s API. Inline CASB solutions intercept requests between the user and the provider. Outsider and comprehensive are not categories of CASB solutions.
A coalition of universities banded together and created a cloud computing environment that is open to all member institutions. The services provided are basic IaaS components. What term best describes this cloud model?
A. Public cloud
B. Private cloud
C. Community cloud
D. Hybrid cloud
Answer:
C. Community cloud deployments may offer IaaS, PaaS, and/or SaaS solutions. Their defining characteristic is that access is limited to members of a specific community.