Describe security and compliance concepts

Question 1

What is the Shared Responsibility Model in cloud computing?

Answer 1

The Shared Responsibility Model defines which security tasks are managed by the cloud service provider and which are handled by the customer, varying with different types of cloud services like SaaS, PaaS, and IaaS.

Question 2

In an on-premises datacenter, who is responsible for security?

Answer 2

In an on-premises datacenter, the organization is responsible for 100% of the security, including physical security, software, devices, accounts, and data security.

Question 3

What does Infrastructure as a Service (IaaS) entail in terms of security responsibilities?

Answer 3

With IaaS, the customer manages the operating systems, network controls, applications, and data protection, while the cloud provider handles the physical infrastructure like hardware, network, and datacenter security.

Question 4

How does the responsibility change with Platform as a Service (PaaS)?

Answer 4

In PaaS, the cloud provider manages the underlying infrastructure, including hardware and operating systems. The customer is responsible for the applications they deploy and their data.

Question 5

Describe the customer’s role in Software as a Service (SaaS) under the Shared Responsibility Model.

Answer 5

In SaaS, the customer’s responsibilities are limited to data, devices, accounts, and identities.

Question 6

List the responsibilities always retained by the customer in any cloud deployment type.

Answer 6

• Information and Data
• Devices (like mobile and PCs)
• Accounts and Identities

Question 7

What are the benefits of understanding the Shared Responsibility Model?

Answer 7

It clarifies responsibilities, helping organizations to focus on security aspects they are responsible for, ensuring no gaps in security coverage, and optimizing resource allocation.

Question 8

What is Defense in Depth in cybersecurity?

Answer 8

Defense in Depth is a security strategy that uses multiple layers of security controls to protect valuable data and systems. If one layer fails, subsequent layers provide additional security barriers to stop attackers.

Question 9

Name the seven layers of security in a Defense in Depth strategy.

Answer 9

7) Physical Security
6) Identity and Access Controls
5) Perimeter Security
4) Network Security
3) Compute Layer Security
2) Application Layer Security
1) Data Layer Security

Question 10

Explain how Physical Security fits into Defense in Depth.

Answer 10

Physical security involves measures like access controls to datacenters, ensuring only authorized personnel can enter areas where critical systems or data are stored.

Question 11

What does Identity and Access Security entail?

Answer 11

It includes mechanisms like multifactor authentication and condition-based access to ensure only authorized users can access infrastructure or make changes.

Question 12

How does Perimeter Security protect against attacks?

Answer 12

Perimeter security, like DDoS protection, filters out large-scale attacks before they can affect the availability of network services.

Question 13

Describe Network Security in Defense in Depth.

Answer 13

Network security includes segmentation and access controls to limit and control communication between resources, reducing the risk of lateral movement by attackers.

Question 14

What is the role of Compute Layer Security?

Answer 14

This layer secures virtual machines by implementing security measures like closing unnecessary ports, ensuring only necessary services are exposed.

Question 15

Why is Application Layer Security important?

Answer 15

It ensures that software applications are free from vulnerabilities, with practices like secure coding, regular updates, and secure configuration.

Question 16

Explain Data Layer Security.

Answer 16

Data layer security involves managing access to data and encrypting data at rest or in transit to protect it from unauthorized access or tampering.

Question 17

What does CIA stand for in cybersecurity?

Answer 17

CIA stands for Confidentiality, Integrity, and Availability, which are core goals for protecting information:

• Confidentiality ensures data is only accessible to authorized users.
• Integrity ensures data is accurate and unaltered.
• Availability ensures data is accessible when needed.

Question 18

What is the Zero Trust model?

Answer 18

Zero Trust is a security concept based on the principle “trust no one, verify everything,” assuming all networks are potentially hostile, even internal ones.

Question 19

Why is Zero Trust necessary?

Answer 19

Traditional security models based on perimeter defense are insufficient against modern cyber threats that can bypass conventional access controls. Zero Trust strengthens security by not relying on network location for trust.

Question 20

List the three guiding principles of Zero Trust.

Answer 20

Verify explicitly - Always authenticate and authorize using multiple data points.
Least privilege access - Grant only necessary access for the shortest duration possible.
Assume breach - Operate under the assumption that a breach has already occurred or will occur.

Question 21

How does Zero Trust implement “Verify Explicitly”?

Answer 21

By authenticating and authorizing based on user identity, location, device health, service/workload, data classification, and behavioral anomalies.

Question 22

Explain “Least Privilege Access” in Zero Trust.

Answer 22

This involves limiting access to resources through just-in-time and just-enough access, adaptive policies based on risk, and data protection measures.

Question 23

What does “Assume Breach” mean in the context of Zero Trust?

Answer 23

This principle involves segmenting access, encrypting data, and using analytics for visibility and threat detection, assuming that some level of compromise might already exist.

Question 24

What are the six foundational pillars of the Zero Trust model?

Answer 24

Identities - Verification and least privilege for users, services, or devices.
Devices - Monitoring for health and compliance.
Applications - Managing permissions and discovering all used applications.
Data - Classification, labeling, and encryption.
Infrastructure - Ensuring secure configurations and real-time monitoring.
Networks - Segmenting networks and employing real-time threat protection.

Question 25

How does Zero Trust handle identity verification?

Answer 25

Every identity must be strongly authenticated and access permissions should adhere to the principle of least privilege.

Question 26

What role does device management play in Zero Trust?

Answer 26

Devices are monitored to ensure they comply with security standards, reducing the attack surface by ensuring only healthy, compliant devices have access.

Question 27

In Zero Trust, why is application management crucial?

Answer 27

To control who can access which applications and to manage potential unauthorized or unmanaged applications (Shadow IT).

Question 28

What is encryption used for in cybersecurity?

Answer 28

Encryption is used to make data unreadable and unusable to unauthorized viewers by converting it into a coded format which can only be accessed with a decryption key.

Question 29

What are the two main types of encryption?

Answer 29

Symmetric Encryption: Uses the same key for encryption and decryption.
Asymmetric Encryption: Uses a public key for encryption and a private key for decryption.

Question 30

Describe Symmetric Encryption.

Answer 30

Symmetric encryption involves using the same key to both encrypt and decrypt the data. It’s fast and efficient for large amounts of data but requires secure key distribution.

Question 31

Explain Asymmetric Encryption.

Answer 31

Asymmetric encryption uses two keys: a public key for encryption, which can be shared, and a private key for decryption, which must be kept secret. It’s used for secure communication over the internet, like HTTPS.

Question 32

What does encrypting data “at rest” mean?

Answer 32

Encryption at rest refers to securing data stored on physical devices like servers or databases, making it unreadable without the decryption keys.

Question 33

How is data “in transit” protected through encryption?

Answer 33

Data in transit is encrypted while it moves across networks, ensuring that if intercepted, it remains confidential. Examples include using HTTPS for web traffic.

Question 34

What is the purpose of encrypting data “in use”?

Answer 34

Encryption in use aims to protect data while it’s being processed or temporarily stored in memory, using technologies like secure enclaves to keep data encrypted in CPU caches or RAM.

Question 35

Define hashing in the context of data security.

Answer 35

Hashing converts data into a fixed-length value or hash using an algorithm. It’s used for verifying data integrity or storing passwords securely, where the hash is compared rather than the original data.

Question 36

How does hashing differ from encryption?

Answer 36

Hashing does not require keys, and the process is one-way; you cannot reverse hash back to the original data, unlike encryption where data can be decrypted.

Question 37

What is “salting” in password hashing?

Answer 37

Salting involves adding a random value to the data before hashing to prevent brute-force attacks by creating unique hashes for the same password, making precomputed attacks (like rainbow tables) ineffective.

Question 38

What does GRC stand for in the context of organizational management?

Answer 38

GRC stands for Governance, Risk, and Compliance. It’s a structured approach to aligning IT with business objectives, managing risk, and ensuring compliance with regulations.

Question 39

Define Governance in GRC.

Answer 39

Governance refers to the system of rules, practices, and processes by which an organization is directed and controlled, often in response to external standards and expectations.

Question 40

What is Risk Management in the GRC framework?

Answer 40

Risk Management is the identification, assessment, and response to threats or events that could adversely affect organizational or customer objectives, stemming from both external and internal sources.

Question 41

Explain the concept of Compliance in GRC.

Answer 41

Compliance involves adhering to laws, regulations, and standards relevant to the organization’s operations, particularly in how data is handled, processed, and protected.

Question 42

How does Compliance differ from Security?

Answer 42

Compliance focuses on meeting the minimum legal requirements, while security encompasses all measures to protect data, which often goes beyond what compliance mandates.

Question 43

What is Data Residency?

Answer 43

Data Residency refers to regulations specifying where data must physically reside, affecting how and when data can be stored, transferred, or accessed internationally.

Question 44

Describe Data Sovereignty.

Answer 44

Data Sovereignty is the principle that data is subject to the laws of the country/region where it is collected, stored, or processed, adding complexity to multi-jurisdictional data management.

Question 45

What does Data Privacy entail?

Answer 45

Data Privacy involves the protection of personal data, ensuring transparency in how data is collected, used, shared, and processed, adhering to privacy laws and regulations.

Question 46

Why is understanding GRC important for organizations?

Answer 46

Understanding GRC is crucial for organizations to effectively manage their operations in line with legal requirements, reduce risks, enhance decision-making, and protect stakeholder interests.

Question 47

What are some common sources of risk in an organization?

Answer 47

External: Economic conditions, natural disasters, pandemics, security breaches.
Internal: Data leaks, theft of intellectual property, fraud, insider trading.