Domain 1 and Some 2 Flashcards

1
Q

Many different customers accessing cloud resources hosted on shared hardware.

A

Multitenancy

2
Q

Only Matthew’s company has access to any resources hosted on the same physical hardware.

A

Private cloud

3
Q

Matthew’s organization is combining resources of public and private cloud computing.

A

Hybrid cloud

4
Q

Resource use is limited to members of a particular group.

A

Community cloud

5
Q

A strong sanitization technique that involves encrypting data with a strong encryption engine and then taking the keys generated in that process, encrypting them with a different encryption engine, and destroying the resulting keys of the second round of encryption.

A

Cryptographic erasure

6
Q

Cryptographic erasure is effective on:

A

Magnetic and solid-state drives.

7
Q

T/F: Degaussing and overwriting are not effective on SSDs

A

True

8
Q

T/F: Containers provide easy portability.

A

False, because they are dependent on the host operating system.

9
Q

Hypervisors are used to:

A

Host virtual machines on a device.

10
Q

A platform as a service model that allows cloud customers to run their own code on the provider’s platform without provisioning servers.

A

Serverless computing

11
Q

Virtual machines are self-contained and have their own internal operating system, which can be moved between:

A

different host operating systems.

12
Q

Responsibilities of the customer

A

Use cloud services
perform service trials
monitor services
administer service security
provide billing and usage reports
handle problem reports
administer tenancies
perform business administration
select and purchase service
request audit reports.

13
Q

The ability of a system to dynamically grow and shrink based on the current level of demand.

A

Elasticity

14
Q

The ability of a system to grow as demand increases but does not require the ability to shrink.

A

Scalability

15
Q

Zero trust decisions are not based on network location, such as IP address. Instead, they are based on:

A

User’s identity, the nature of the requested access, and the user’s geographic (not network!) location.

16
Q

Bare-metal (Type 1) hypervisor is preferable to the hypervisor that runs off the OS (Type 2) because:

A

It will offer less attack surface.

17
Q

Network security groups provide functionality equivalent to:

A

Network firewalls for cloud-hosted server instances.

18
Q

_____ restrict traffic that might reach a server instance.

A

Network Security Groups

19
Q

T/F: Only the cloud provider can modify network firewalls

A

True

20
Q

Restrict the geographic locations from which users may access the servers.

A

Geofencing

21
Q

_____ may be used to examine the traffic reaching the instance.

A

Traffic inspection

22
Q

Susceptible to disk failures and user error that may unintentionally destroy or modify data.

Vulnerable to ransomware attacks that infect systems with access to the object store and then encrypt data stored on the service.

A

Object storage flaws

23
Q

Geofencing may be used to trigger actions, such as an alert, when:

A

a user or device leaves a defined geographic area.

24
Q

Geotagging annotates log records or other data with:

A

the geographic location of the user performing an action.

25
The Cloud Security Alliance (CSA) provides an enterprise architecture reference guide that offers vendor-neutral _____.
design patterns for cloud security
26
The use of an API is an example of accessing data programmatically during the _____ phase of the lifecycle
Use
27
Storage that is available as disk volumes.
Block storage
28
Object storage maintains files in:
Buckets
29
T/F: Virtualized servers are storage capabilities.
F, Compute capabilities
30
Network capacity is used to connect _____ to each other
Servers
31
The sudo command allows a normal user account to execute administrative commands and is an example of
Privileged access
32
Service access is the access to resources by:
system services, rather than individual people
33
What protects against the risk of a lost device?
Confidentiality
34
________ is when the recipient of a message can prove the originator's identity to a third party.
Nonrepudiation
35
________ is a means of proving one's identity.
Authentication
36
_____ demonstrates that information has not been modified since transmission.
Integrity
37
_____ are often used in business impact assessment to capture the impact on intangible factors
Qualitative tools
38
Quantitative tools, such as the computation of annualized loss expectancies and single loss expectancies, are only appropriate for:
easily quantifiable risks.
39
EAL2 assurance applies when the system has been
structurally tested. It is the second-to-lowest level of assurance under the Common Criteria.
40
These tools manage workloads and seamlessly shift them between cloud service providers.
Orchestration
41
Virtualization platforms allow a cloud provider to host:
virtual server instances.
42
Databases are a cloud service offering that allows for
the organized storage of relational data.
43
Cloud access service brokers (CASBs) allow for the consistent enforcement of _____ across cloud providers.
security policies
44
Governs the storage, processing, and transmission of credit card information.
The Payment Card Industry Data Security Standard (PCI DSS)
45
Regulates the financial reporting of publicly traded corporations.
The Sarbanes–Oxley (SOX) Act
46
Protects personal financial information.
The Gramm–Leach–Bliley Act (GLBA)
47
Bring all of an organization's cloud activities under more centralized control. They serve as a screening body helping to ensure that cloud services used by the organization meet technical, functional, and security requirements. They also provide a centralized point of monitoring for duplicative services, preventing different business units from spending money on similar services when consolidation would reduce both costs and the complexity of the operating environment.
Cloud governance programs
48
use a pair of keys for each user.
Asymmetric cryptosystems
49
Hybrid cloud strategies combine public and private cloud resources,
not resources from multiple public cloud providers.
50
Email is an application-level service that is offered by cloud providers as a software as a
service (SaaS) capability.
51
Block storage and network capacity are infrastructure as a service
(IaaS) offerings and are infrastructure capabilities.
52
Serverless computing is a _____ offering.
PaaS
53
Occurs when a customer (not a service provider) purchases more capacity than they need.
Overprovisioning
54
A mix of public cloud and private cloud services is an example of a
hybrid cloud environment.
55
In an infrastructure as a service environment, security duties are a _____.
shared responsibility
56
When Lucca reviews the RTO, he needs to ensure that the organization can recover from an outage in less than two hours based on _____.
the maximum tolerable downtime (MTD) of two hours.
57
How does the recipient of a message that was encrypted using asymmetric cryptography decrypt a message?
Using their own private key
58
The sender using asymmetric cryptography would have previously encrypted
using the recipient's public key.
59
organization that helps cloud service customers use the services offered by cloud service providers.
cloud service partner
60
cloud service providers who offer a managed identity and access management service to cloud customers that integrates security requirements across cloud services.
Cloud service brokers
61
applies specifically to the use of controlled unclassified information (CUI).
NIST 800-171
62
provide a certification process for hardware and software products.
Common Criteria (CC)
63
the Security Requirements for Cryptographic Modules. This guidance is specific to cryptographic requirements.
FIPS 140-2
64
Services should be able to integrate and work together
Interoperability
65
What is the highest level of assurance under the Common Criteria?
EAL7
66
What does EAL7 ensure?
A system has been formally verified, designed, and tested
67
Technology that uses cryptography to create a distributed immutable ledger.
Blockchain
68
Blockchain is the technical foundation behind ________.
Cryptocurrency
69
An emerging technology that uses principles of particle physics to perform computing.
Quantum computing
70
Moves compute power to IoT devices located at the edge of the network.
Edge computing
71
What's the difference b/w verification and certification?
Verification can involve a third-party (3P) testing service and compile results that may be trusted by many different organizations
72
An area of research into methods for protecting data in use through the protection provided by a trusted execution environment (TEE)
Confidential computing
73
The act of management formally accepting (not evaluating) an evaluated system
Accreditation
74
Verification and certification process both
validate security controls
75
What is one of the core capabilities of IaaS?
providing servers on a vendor-managed virtualization platform.
76
Web-based payroll and email systems are examples of
SaaS
77
Does the CP's brand influence the cost-benefit analysis?
No
78
An application platform managed by
79
T/F: The provider absorbs the cost when the customer requests a modification of the SLA.
False. The customer pays for all costs associated w/ modifications to the SLA. These are chargeable expenses.
80
Creating computer resources to solve a particular problem and then getting rid of them when you no longer need them.
Ephemeral computing
81
Guaranteeing that the service will be available 99% of the time
Availability commitment
82
Ability of a system to withstand failures
resiliency
83
Why do users have the most control over the environments hosted on IaaS?
because they are able to manually adjust the resources assigned to an application
84
What standard provides the security controls that should be implemented by cloud service providers
ISO 27017
85
What standard provides the security controls that should be implemented for a cybersecurity program
ISO 27001
86
What standard provides the security controls that should be implemented to provide control guidance for privacy programs?
ISO 27701
87
What standard provides a cloud reference architecture and does not offer specific security guidance?
ISO 17789
88
Who oversees the PCI DSS
Payment Card Industry Security Standards Council (PCI SSC)
89
Cloud computing where the customer only provides application code for execution on a vendor-supplied computing platform are examples of
PaaS
90
Providing fully functional application to customers as a cloud service
SaaS
91
CaaS is a subcategory of ____
IaaS
92
In risk acceptance strategy:
the org does nothing but document the risk
93
Purchasing insurance is what type of risk strategy
Risk transference
94
Relocating a data center would be what kind of risk strategy
risk avoidance
95
Reengineering a facility would be what kind of risk strategy
risk mitigation
96
Using existing data to predict future events
Predictive analytics
97
A style of analytics that describes data
Descriptive analytics
98
A style of analytics that optimizes our behavior by simulating scenarios
Prescriptive analytics
99
What allows CPs to meet various demands from customers while remaining financially viable?
Resource pooling
100
The model that allows customers to scale their compute and/or storage needs with little or no intervention from the provider
On-demand self service
101
Documents, in formal terms, expectations for availability, performance, or other parameters.
SLAs
102
An internal agreement b/w service organizations
OLA
103
The ability to back out of a change.
Reversibility
104
Capability to move workloads easily between environments
Portability
105
T/F: The customer has no access to or ability to maintain the operating system in the PaaS environment.
True
106
What is block storage used for?
To provide disk volumes.
107
What is object storage used for?
To store individual files. But they cannot be mounted as a disk.
108
When should archival storage be used?
Only in cases where data does not need to be frequently accessed.
109
What is the least disruptive type of disaster recovery test?
Checklist review.
110
Each team member reviews the content of their disaster recovery checklist and suggests necessary changes.
Checklist review
111
Team members come together and walk through a scenario without making any changes to information systems.
tabletop exercise
112
The team activates the disaster recovery site for testing while the primary site remains operational.
parallel test
113
Team takes down primary site and confirms the disaster recovery site is capable of handling regular operations. Most thorough test but also most disruptive.
full interruption test
114
In SaaS solution, the vendor manages:
the physical infrastructure and complete application stack so customer accesses a fully managed application.
115
PaaS offerings provide customers with an environment where customers can:
execute their own code.
116
CaaS is a subcategory of IaaS for:
computing resources provided as a service.
117
Security baselines provide a:
starting point to scope and tailor security controls to your org's needs.
118
T/F: Security baselines ensure systems are always secure and prevent liability.
False
119
Integrating software development, operations, and quality assurance.
DevOps
120
What is ITIL?
A collection of best practices for managing IT orgs.
121
T/F: Customers should have access to underlying infrastructure in a PaaS environment.
False, but IaaS does offer it.
122
What is RPO?
The amount of data loss that's acceptable due to an incident.
123
The amount of downtime that the business can safely withstand.
MTO - maximum tolerable outage
124
What is OpenID Connect?
An authentication layer that works w/ OAuth 2.0 as its underlying authorization framework. Used widely by CSPs.
125
SAML, RADIUS, and Kerberos are:
authentication technologies but don't have the same seamless integration w/ OAuth.
126
A vendor offering a fully functional application as a web-based service is an example of:
SaaS
127
The customer provides their own software in:
IaaS, Compute as a Service (CaaS), and PaaS
128
Where does edge computing service model place computing power?
At the sensor, minimizing the data that is sent back to the cloud over limited connectivity network links.
129
What is the best choice for providing authentication and authorization information?
SAML
130
What is used to exchange user information for SSO?
SPML
131
What is XACML used for?
access control policy markup
132
T/F: In IaaS, the customer is not responsible for server security operations
False
133
T/F: In SaaS, a fully developed and hosted application is provided to the customer.
True
134
Managing security settings, host firewalls, and configuring server access controls are examples of what?
Server security operations
135
T/F: In PaaS, the customer provides application code for execution on a vendor-supplied computing platform.
True
136
T/F: IaaS provides complex infrastructure building blocks to customers?
False, it's basic building blocks
137
Function as a Service is a subcategory of _____ for ______
PaaS for serverless computing applications
138
What are more traditional methods of software development that aren't commonly used with DevOps and DevSecOps
waterfall, modified waterfall, spiral models
139
What's the purpose of a CASB?
to enforce security policies consistently across cloud services
140
Are DLP and DRM solutions effective at consistently enforcing security policies across cloud platforms?
No
141
IPS are designed to:
detect and block malicious activity
142
What is the vendor responsible for in IaaS?
hardware and network related responsibilities
143
Configuring network firewalls, maintaining the hypervisor, and managing physical equipment are the responsibility of:
Vendor
144
In IaaS, who's responsible for patching OS on VMs?
Customer
145
What is it called when a single platform is shared among many different customers?
Multitenancy
146
T/F: IaaS allows you to set up infrastructure as quickly as you can deploy and pay for it?
True
147
T/F: Security groups are different from firewall rules for IaaS?
False
148
T/F: You cannot configure IaaS networking.
False, it's done through the use of network security groups and bandwidth provisioning.
149
Who has responsibility for configuring OS securely in serverless computing?
Vendor
150
What is the framework created by government to assess security of systems?
NIST 800-37
151
What is the list of security controls created by government?
NIST 800-53
152
What is the payment card industry's framework of compliance for all entities accepting credit cards?
PCI DSS
153
What is portability?
The capability to move workloads easily b/w environments
154
T/F: Services that are scalable are always elastic?
F: Services that are elastic are scalable, but scalable services are not always elastic, because scalability doesn't require the ability to shrink.
155
In IaaS, the customer has to maintain the
OS
156
T/F: Additional security means measurably less operational capability
True, there's always a tradeoff b/w security and productivity
157
The minimal amount of effort required to perform your duty to others. This is care a cloud customer is required to demonstrate to protect the data it owns.
Due care
158
T/F: Due diligence and due care are the same thing.
False, due diligence is activity taken in support of furthering due care.
159
Confidential computing protects data in use by
using a TEE - Trusted Execution Environment. Can also use TPMs, HSMs, and PKIs, but they don't protect data in use.
160
What provides a general certification process for computing hardware?
The common criteria
161
What provides certification process for hardware but is not specific to cryptographic models or used for generalized hardware?
FIPS 140-2
162
What provides a certification process for cloud computing services?
FedRAMP
163
What is the nomenclature for all entries in an LDAP environment?
The distinguished name (DN)
164
Databases are used to store collected info into
related tables
165
Are networking and virtualization technologies used to store data?
No.
166
What is confidential computing designed to support?
The protection of data actively stored in memory
167
T/F: The cloud customer is ultimately responsible for all legal repercussions involving data security and privacy.
True
168
What service model allows an org to retain the most control of their IT assets in the cloud?
IaaS
169
In IaaS, what is the customer responsible for?
OS, apps, and data
170
What model allows org to retain greatest degree of governance?
Private
171
Placing IoT devices on a dedicated subnet or network prevents what?
Other users from accessing the devices directly.
172
Does public cloud use vendor datacenters?
Yes
173
Hypervisors enforce isolation b/w:
VMs and are susceptible to escape attacks
174
HSMs and Trusted Platform Modules:
store and manage cryptographic keys
175
Are databases vulnerable to escape attacks?
No.
176
What allows examination of contents of encrypted HTTPS traffic and detect sensitive info?
Traffic inspection
177
Can port blocking detect a security violation?
No.
178
T/F: Cloud minimizes DR costs?
True, you can configure but not activate resources until needed
179
Verifying a user is who they claim to be:
Authentication
180
Granting access based on user identity:
Authorization
181
Not allowing a participant in a transaction to deny they participated:
Non-repudiation
182
T/F: In symmetric encryption, all data is encrypted and decrypted with the same key.
True
183
How do you validate the authenticity of a digital certificate?
By using the CA's public key
184
Using computing assets on a temporary basis:
Ephemeral computing
185
Confidential computing uses ____ to protect data in ____
TEE, use
186
Parallel computing uses ______ ________ to perform _________.
multiple processors, different parts of a calculation simultaneously
187
Business continuity ensures
business can function during disruptive event
188
Support the return to normal operations
Disaster recovery
189
T/F: BC and DR use RTO and RPO as metrics to determine success.
True
190
What is paramount in all security efforts?
Health and human safety.
191
What is MTD in disaster recovery?
Maximum tolerable downtime.
192
Identifying the key, user, and how it is used would support what?
Accountability for usage
193
What is the issue with overwriting SSDs and volumes?
Remnant data
194
Tokenization relies on:
two databases, one with tokenized data and one with actual data
195
T/F: Tokenization requires id practices, encryption, and specifies FIPS 140 requirements.
False, it does not
196
What is FIPS 140?
The 140 series of Federal Information Processing Standards are U.S. government computer security standards that specify requirements for cryptographic modules.
197
T/F: You can tokenize data by hashing
True
198
What is tokenizing data?
The process of substituting a sensitive data element with a non-sensitive equivalent.
199
What helps you see how data is created, moves, and is used thru org?
Dataflow diagrams
200
Classification, creation, and date/time are all captured in:
Data labeling
201
Data types, fields/names, services, systems, ports, protocols, and security detail are all included in:
Dataflow diagrams
202
Includes retention periods, reg/comp requirements, data classification impacts on retention, how/when data should be deleted, archiving/retrieval processes.
Retention policies
203
An IRM should maintain a:
certificate revocation list
204
What is an IRM system?
IT security technology used to protect documents containing sensitive information from unauthorized access.
205
How does an IRM system perform provisioning?
Provides rights based on roles and responsibilities.
206
What does a business impact analysis determine?
What data is needed to continue the operations of the business. An assessment of data criticality.
207
Data mapping matches:
fields in databases.
208
BIAs assess:
the importance of data to an organization's work
209
Data classification describes:
Data based on things like sensitivity, jurisdiction, and criticality
210
Installing a local agent for an IRM system ensures data is properly handled on _____.
Endpoint systems
211
What is a local agent?
A program that collects information or performs a task in the background at a particular schedule.
212
Examples of unstructured data
images, audio, video, word processing files
213
T/F: Ingress and egress fees are cheap
False
214
T/F: Working with the original drive is a best practice.
False, not a forensic best practice
215
T/F: IRM cannot prevent copying, printing, and making copies
False, this is what it does.
216
T/F: Discovery can be conducted using local tools in each region.
True
217
It is common to archive data to a _____ storage tier
lower cost and lower performance
218
The ____ phase often includes modification of data.
Use
219
What is the encryption protocol of choice for web app traffic?
TLS - Transport layer security (replaced SSL)
220
MD5 and SHA-1 are _______ algorithms.
Hashing
221
Uses both asymmetric and symmetric encryption to protect the confidentiality and integrity of data-in-transit
TLS
222
Used to establish a secure session between a client and a server. Public key cryptography.
asymmetric encryption
223
What is symmetric encryption?
Used to exchange data within a secured session created by asymmetric encryption. You use the same key to encrypt and decrypt.
224
How does asymmetric encryption work?
Uses a mathematically related pair of keys for encryption and decryption: a public key and a private key. If the public key is used for encryption, then the related private key is used for decryption. If the private key is used for encryption, then the related public key is used for decryption.
225
What is a public key?
A key made available to anyone to encrypt data.
226
What is a piece of information used for scrambling data so that it appears random; often represented by a large number, or string of numbers and letters?
Key
227
What's another word for unencrypted data?
Plaintext
228
What is a private key?
The key used to put encrypted information back into plaintext.
229
Plaintext + key =
Ciphertext
230
Where can you find a public key?
In a website's SSL/TLS certificate
231
Where is the private key installed?
On the origin server
232
What uses public key cryptography to authenticate the identity of the origin server and exchange data that is used for generating the session keys.
TLS handshake
233
How are bad actors prevented from decrypting communications, even if they identify or steal one of the session keys from a previous session?
Clients and servers agree upon new session keys for each communication session
234
What is spreading data across different storage areas and potentially different cloud providers spread across geographic boundaries?
Data dispersion
235
What is the technique of splitting up and storing encrypted information across different cloud storage services?
Bit splitting. Used by criminals to hide data across the cloud and makes it extremely difficult for forensics to find and obtain.
236
Ephemeral storage is wiped and reclaimed for reallocation only when:
An instance is terminated, not just shut down. For shut downs, it's retained until the system is reactivated.
237
Ephemeral data is kept for ______ periods of time?
Short (like 45 days)
238
What does it take to complete the destruction process for crypto-shredding?
Securely erasing all copies of the encryption key. Just erasing the key deletes all data associated with it.
239
Deleting replicated data (especially in a relational database - which could accidentally delete a lot of unintentional data), data in a backup, and deleting the right data are all problems solved by _____.
crypto-shredding
240
What is cloud security?
How cloud affects confidentiality, integrity, and availability
241
What does an IRM system rely on to identify systems?
Certificates
242
What can be issued centrally, managed, and used for digital signatures and encryption?
Certificates
243
What is a unique, digitally signed document which authoritatively identifies the identity of an individual or organization.
Certificate
244
________ uses a one-way cryptographic function to replace data with values that can be referenced without exposing the actual data.
Hashing
245
What is long-term storage often used for?
Logs and data storage
246
What storage is allocated as a virtual drive/device w/in cloud?
Volume-based storage
247
What is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes.
DevOps
248
What is a code used to identify and authenticate an application or user?
An API key
249
What are processes used to restore the service if the system becomes unavailable for reasons other than regular maintenance?
Break-glass process
250
1. Automated backups in place and executed regularly based on the number of secrets and their lifecycle
2. Frequently test the restore procedures
3. Encrypt backups and place them on secure, monitored storage
OWASP's requirements for break-glass secrets backup
251
What is the amount of time before data can be accessed?
Retrieval time
252
What compares two strings to determine if they're the same?
String comparison
253
What allows IRM to apply rules appropriately?
Tagging and labeling
254
What's one of the most important things to understand before selecting archival storage?
Data access patterns
255
What influences cost of storage?
Volume of data and amount of time it needs to be stored
256
How are data owners defined?
By data classification policies
257
What do data custodians do?
They are responsible for the data and ensure access control, proper storage, and other operational controls
258
Who processes data as part of a business process?
Data processors
259
Are tokens encrypted?
No
260
T/F: Versioning takes up very little space.
False
261
T/F: Daily backups, recurring snapshots, and archiving processes are able to be quickly restored.
False
262
T/F: You can use least privilege for secrets.
True
263
What type of discovery searches for specific terms in unstructured data?
Content-based
264
What type of discovery relies on data labels?
Label-based
265
What type of discovery uses metadata information?
Metadata-based
266
What can help DLP manage data without relying on pattern matching?
Tagging
267
T/F: Tags are unique allowing events to be tracked to an instance.
True
268
Which sanitization technique is best for solid-state drives (SSDs)?
Cryptographic erasure
269
T/F: Cryptographic erasure is good for SSD and magnetic drives?
True
270
With zero trust architecture, trust decisions are not based on _________.
Network location, like IP address.
271
What is geolocation?
The geographic location of a user or computing device.
272
What security control is best to restrict ports on a server?
Network security groups - they're like firewalls for cloud server instances.
273
Can a customer modify network firewall rules?
No
274
What restricts locations from which users can access servers?
Geofencing
275
Does geofencing trigger alerts?
Yes
276
What EAL assurance level indicates that the system has been structurally tested?
EAL2
277
They offer a managed IAM service to customers that integrates security requirements across cloud services.
cloud brokers
278
What's the highest level of assurance under Common Criteria?
EAL7 - verified, designed, and tested
279
Functionally tested
EAL1
280
Structurally tested
EAL2
281
Methodically tested and checked
EAL3
282
EAL4
Methodically designed, tested, and reviewed
283
EAL5
Semi-formally designed and tested
284
Semi-formally verified, designed, and tested
EAL6
285
Formally verified, designed, and tested
EAL7
286
What optimizes our behavior by simulating many scenarios?
Prescriptive analytics
287
______ storage is used to provide disk volumes, which are storage areas with a single file system.
Block
288
Storage that will be used as a disk attached to a server instance?
Block storage
289
What is used to store individual files but can't be mounted as a disk?
Object storage
290
OpenID Connect works with ________.
OAuth 2.0
291
A _____ is a condition that must be present for an event to occur.
Necessary condition
292
A _______ is a condition or set of conditions that will produce the event.
Sufficient condition
293
In IaaS, the provider is responsible for hardware and _____ related responsibilities.
Network - this includes configuring firewalls, maintaining hypervisor, and managing physical equipment
294
FedRAMP provides a certification process for ____________.
Cloud computing services
295
Common Criteria provides what?
General certification process for computing hardware that might be used in government applications
296
In an LDAP environment, each entry in a directory server is identified by a ______.
Distinguished name (DN)
297
What does confidential computing protect?
Data actively stored in memory
298
What's the most cost effective DR approach?
Using a cloud site without activating resources until needed.
299
What are the 3 categories of infrastructure?
1. Compute - where the processors are
2. Storage - object, block, file
3. Network - how everything talks
300
GPU
Graphics processor for ML/AI
301
Compute
General purpose computing needs, e.g. web/app server
302
HPC
High performance computing - things that require lots of power in a small footprint
303
Object storage
Lower performance but inexpensive, general purpose storage - pictures, documents, data/graphics on a web server, etc.
304
Block storage
Network storage, attaches via iSCSI
305
File storage
Attaches via NFS