Domain 1 - Cloud Computing Concepts and Architectures Flashcards

1
Q

True or False - taking an existing application or asset and simply moving it to a cloud provider without any changes will often reduce agility, resiliency, and even security, all while increasing costs.

A

True

2
Q

_____ is a new operational model and set of technologies for managing shared pools of computing resources.

A

Cloud Computing

3
Q

_____ is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

A

NIST Cloud Computing Definition

4
Q

Paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand

A

ISO/IEC Cloud Computing Definition

5
Q

____ is the person or organization requesting and using the resources

A

Cloud User

6
Q

_____ is the person or organization who delivers the resources

A

Cloud Provider

7
Q

What are the key techniques to create a cloud?

A

Abstraction and Orchestration

8
Q

True or False - The difference between cloud computing and traditional virtualization is that virtualization abstracts resources, but it typically lacks the orchestration to pool them together and deliver them to customers on demand, instead relying on manual processes.

A

True

9
Q

True or False - Clouds are multitenant by nature. Multiple different consumer constituencies share the same pool of resources but are segregated and isolated from each other

A

True

10
Q

_____ allows the cloud provider to divvy up resources to the different groups, and _____ ensures they can’t see or modify each other’s assets.

A

Segregation, Isolation

11
Q

What is NIST 800-145?

A

NIST Working Definition of Cloud Computing

12
Q

NIST defines cloud computing by describing how many essential characteristics, how many cloud service models and how many cloud deployment models?

A

5 Essential Characteristics
3 Cloud Service Models
4 Cloud Deployment Models

13
Q

What are the 5 Essential Characteristics of Cloud Computing?

A
  • Resource Pooling
  • On Demand Self Service
  • Broad Network Access
  • Rapid Elasticity
  • Measured Service
14
Q

ISO/IEC 17788 lists 6 essential cloud characteristics. Five are the same as NIST's. What is the added one?

A

Multi tenancy

15
Q

NIST 3 Cloud Service Models

A
  • Software as a Service (SaaS)
  • Platform as a Service (PaaS)
  • Infrastructure as a Service (IaaS)
16
Q

_____ is the most fundamental characteristic of Cloud. The provider abstracts resources and collects them into a pool, portions of which can be allocated to different consumers (typically based on policies).

Resource Pooling
On Demand Self Service
Broad Network Access
Rapid Elasticity
Measured Service
Multi tenancy
A

Resource Pooling

17
Q

Consumers provision the resources from the pool using ______. They manage their resources themselves, without having to talk to a human administrator.

Resource Pooling
On Demand Self Service
Broad Network Access
Rapid Elasticity
Measured Service
Multi tenancy
A

On Demand Self Service

18
Q

It means that all resources are available over a network, without any need for direct physical access; the network is not necessarily part of the service.

Resource Pooling
On Demand Self Service
Broad Network Access
Rapid Elasticity
Measured Service
Multi tenancy
A

Broad Network Access

19
Q

This characteristic allows consumers to expand or contract the resources they use from the pool (provisioning and deprovisioning), often completely automatically. This allows them to more closely match resource consumption with demand (for example, adding virtual servers as demand increases, then shutting them down when demand drops).

Resource Pooling
On Demand Self Service
Broad Network Access
Rapid Elasticity
Measured Service
Multi tenancy
A

Rapid Elasticity

20
Q

This meters what is provided, to ensure that consumers only use what they are allotted, and, if necessary, to charge them for it. This is where the term utility computing comes from, since computing resources can now be consumed like water and electricity, with the client only paying for what they use.

Resource Pooling
On Demand Self Service
Broad Network Access
Rapid Elasticity
Measured Service
Multi tenancy
A

Measured Service

21
Q

Is a service model which is a full application that’s managed and hosted by the provider.
Consumers access it with a web browser, mobile app, or a lightweight client app.

IaaS
PaaS
SaaS

A

SaaS

22
Q

Is another service model that abstracts and provides development or application platforms, such as databases, application platforms (e.g. a place to run Python, PHP, or other code), file storage and collaboration, or even proprietary application processing (such as machine learning, big data processing, or direct Application Programming Interfaces (API) access to features of a full SaaS application). The key differentiator is that you don’t manage the underlying servers, networks, or other infrastructure.

IaaS
PaaS
SaaS

A

PaaS

23
Q

Is a service model that offers access to a resource pool of fundamental computing infrastructure, such as compute, network, or storage.

IaaS
PaaS
SaaS

A

IaaS

24
Q

What are the four NIST/ISO/IEC Cloud Deployment Models?

A
  • Public Cloud
  • Private Cloud
  • Community Cloud
  • Hybrid Cloud
25
Q

Is a cloud deployment model where the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Public Cloud
Private Cloud
Community Cloud
Hybrid Cloud

A

Public Cloud

26
Q

Is a cloud deployment model where the cloud infrastructure is operated solely for a single organization. It may be managed by the organization or by a third party and may be located on-premises or off-premises.

Public Cloud
Private Cloud
Community Cloud
Hybrid Cloud

A

Private Cloud

27
Q

Is a cloud deployment model where the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g. mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or by a third party and may be located on-premises or off-premises.

Public Cloud
Private Cloud
Community Cloud
Hybrid Cloud

A

Community Cloud

28
Q

Is a cloud deployment model where the cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). Hybrid is also commonly used to describe a non-cloud data center bridged directly to a cloud provider.

Public Cloud
Private Cloud
Community Cloud
Hybrid Cloud

A

Hybrid Cloud

29
Q

True or False - Deployment models are defined based on the cloud user—that is, who uses the cloud

A

True

30
Q

What are the layers of the cloud logical model, which helps identify different layers based on functionality?

A
  • Infrastructure
  • Metastructure
  • Infostructure
  • Applistructure
31
Q

A cloud logical model that defines the core components of a computing system: compute, network, and storage.
The foundation that everything else is built on. The moving parts.

Infrastructure
Metastructure
Infostructure
Applistructure

A

Infrastructure

32
Q

A cloud logical model that defines the protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The glue that ties the technologies and enables management and configuration.

Infrastructure
Metastructure
Infostructure
Applistructure

A

Metastructure

33
Q

A cloud logical model that defines the data and information. Content in a database, file storage, etc.

Infrastructure
Metastructure
Infostructure
Applistructure

A

Infostructure

34
Q

A cloud logical model that defines the applications deployed in the cloud and the underlying application services used to build them. For example, Platform as a Service features like message queues, artificial intelligence analysis, or notification services.

Infrastructure
Metastructure
Infostructure
Applistructure

A

Applistructure

35
Q

What is the key difference between cloud and traditional computing?

Infrastructure
Metastructure
Infostructure
Applistructure

A

Metastructure

Cloud metastructure includes the management plane components, which are network-enabled and remotely accessible. Another key difference is that, in cloud, you tend to double up on each layer. Infrastructure, for example, includes both the infrastructure used to create the cloud as well as the virtual infrastructure used and managed by the cloud user. In private cloud, the same organization might need to manage both; in public cloud the provider manages the physical infrastructure while the consumer manages their portion of the virtual infrastructure.

36
Q

True or False - At a high level, security responsibility maps to the degree of control any given actor has over the architecture stack.

A

True

37
Q

In this service or architecture model, the cloud provider is responsible for nearly all security, since the cloud user can only access and manage their use of the application, and can’t alter how the application works. For example, a SaaS provider is responsible for perimeter security, logging/monitoring/auditing, and application security, while the consumer may only be able to manage authorization and entitlements.

IaaS
PaaS
SaaS

A

SaaS

38
Q

In this service or architecture model, the cloud provider is responsible for the security of the platform, while the consumer is responsible for everything they implement on the platform, including how they configure any offered security features. The responsibilities are thus more evenly split. For example, when using a Database as a Service, the provider manages fundamental security, patching, and core configuration, while the cloud user is responsible for everything else, including which security features of the database to use, managing accounts, or even authentication methods.

IaaS
PaaS
SaaS

A

PaaS

39
Q

In this service or architecture model, just like PaaS, the provider is responsible for foundational security, while the cloud user is responsible for everything they build on the infrastructure. Unlike PaaS, this places far more responsibility on the client. For example, the IaaS provider will likely monitor their perimeter for attacks, but the consumer is fully responsible for how they define and implement their virtual network security, based on the tools available on the service.

IaaS
PaaS
SaaS

A

IaaS

40
Q

True or False - The most important security consideration is knowing exactly who is responsible for what in any given cloud project.

A

True

41
Q

CSA's two recommendations for a Shared Security model:

A

  • Cloud providers should clearly document their internal security controls and customer security features so the cloud user can make an informed decision. Providers should also properly design and implement those controls.
  • Cloud users should, for any given cloud project, build a responsibilities matrix to document who is implementing which controls and how. This should also align with any necessary compliance standards.

42
Q

A standard template for cloud providers to document their security and compliance controls.

A

The Consensus Assessments Initiative Questionnaire (CAIQ)

43
Q

Which lists cloud security controls and maps them to multiple security and compliance standards. This can also be used to document security responsibilities.

A

Cloud Control Matrix (CCM)

44
Q

Tools to help guide security decisions

Cloud Security Models
Reference Architectures
Design Patterns
Orchestration

A

Cloud Security Models

45
Q

What are the 4 cloud security models?

A
  • Conceptual Models or frameworks
  • Control Models or frameworks
  • Reference Architectures
  • Design Patterns
46
Q

Is a cloud security model that includes visualizations and descriptions used to explain cloud security concepts and principles, such as the CSA logical model in this document.

Cloud Security Models
Reference Architectures
Design Patterns
Orchestration

A

Conceptual Models or frameworks

47
Q

Is a cloud security model that categorizes and details specific cloud security controls or categories of controls, such as the CSA CCM.

Cloud Security Models
Reference Architectures
Design Patterns
Orchestration

A

Controls Model or framework

48
Q

Is a cloud security model consisting of templates for implementing cloud security, typically generalized (e.g. an IaaS security reference architecture). They can be very abstract, bordering on conceptual, or quite detailed, down to specific controls and functions.

Cloud Security Models
Reference Architectures
Design Patterns
Orchestration

A

Reference Architectures

49
Q

Is a cloud security model consisting of reusable solutions to particular problems. In security, an example is IaaS log management. As with reference architectures, they can be more or less abstract or specific, even down to common implementation patterns on particular cloud platforms.

Cloud Security Models
Reference Architectures
Design Patterns
Orchestration

A

Design Patterns

50
Q

There are relatively straightforward and high level processes for managing cloud security. What are these?

A
  • Identify necessary security and compliance requirements, and any existing controls.
  • Select your cloud provider, service, and deployment models.
  • Define the architecture.
  • Assess the security controls.
  • Identify control gaps.
  • Design and implement controls to fill the gaps.
  • Manage changes over time.
51
Q

CSA provides two tools to help meet shared responsibility requirements. What are these?

A

Consensus Assessments Initiative Questionnaire (CAIQ)

Cloud Control Matrix

52
Q

_____ describes automated arrangement, coordination, and management of complex computer systems and services.

Orchestration
Abstraction

A

Orchestration

53
Q

_____ enables the rapid deployment of applications and data to reduce the cost and complexity of providing the underlying infrastructure, which also simplifies operations.

Orchestration
Abstraction

A

Abstraction

54
Q

Since physical access is not an area of concern for cloud, what is the top security concern?

A

cloud management plane

From a security perspective, it is both the biggest difference from protecting physical infrastructure (since you can’t rely on physical access as a control) and the top priority when designing a cloud security program.

If an attacker gets into your management plane, they potentially have full remote access to your entire cloud deployment.

55
Q

What does an IaaS consist of? (5 things)

A

IaaS consists of:

  • a facility
  • hardware
  • an abstraction layer
  • an orchestration (core connectivity and delivery) layer to tie together the abstracted resources
  • APIs to remotely manage the resources and deliver them to consumers.