Domain 11: Data Security and Encryption

Question 1

Which of the following is a crucial control for protecting and managing data in the cloud environment? [select all that apply]
A. architecture
B. encryption
C. access controls
D. monitoring/alerting
E. additional controls, such as data loss prevention (DLP)

Answer 1

Answer: A, B, C, D, E
All of these are crucial data security controls in a cloud environment, according to the CSA Cloud Security Guidance v4 (see pages 119-120).

Question 2

Which of the following is not a category of data security controls discussed in the CSA Cloud Security Guidance v4, Domain 11?
A. controlling which data goes into the cloud
B. protecting and managing data in the cloud
C. enforcing information lifecycle management
D. training users who access the cloud environment

Answer 2

Answer: D
While user training may aid in securing information in the cloud, it is not a major category discussed in Domain 11 of the CSA Cloud Security Guidance v4; the other three answers are (see pages 119-120).

Question 3

Which of the following are main data storage types in the cloud? [select all that apply]
A. object
B. volume
C. translucent
D. database

Answer 3

Answer: A, B, D
“Translucent” is not a data storage type; the term has no meaning in this context, and is only a distractor. All the other answers are major data storage types used in the cloud (see page 120 of the CSA Cloud Security Guidance v4).

Question 4

A redundant, durable data storage mechanism used in the cloud.
A. ephemeral
B. epiphany
C. data dispersion
D. RAM

Answer 4

Answer: C
Data dispersion is widely used in the cloud as a means to add resiliency and redundancy to data storage. See page 120 of the CSA Cloud Security Guidance v4.
Both ephemeral and RAM are temporary, not durable, storage types. “Epiphany” has no meaning here, and is only a distractor.

Question 5

Also known as a Cloud Security Gateway, this solution helps your organization determine how your users are consuming cloud services.
A. firewalls
B. security incident and event monitoring systems (SIEMs)
C. application programming interfaces (APIs)
D. cloud access security brokers (CASBs)

Answer 5

Answer: D
See page 121 of the CSA Cloud Security Guidance v4.
Firewalls are typically monitor and restrict traffic according to rules; firewall logs might be helpful for determining what cloud services your users are utilizing, but CASB is a better answer. The purpose of SIEMs is to centralize and analyze log data; again, this might be useful for learning about user consumption of services, but CASB is still a better answer. APIs are the tools used to access and use data in the cloud; they are not designed to aid in determining usage.

Question 6

Basically, a virtual hard drive for instances/virtual machines.
A. object storage
B. volume storage
C. content delivery network (CDN)
D. software-defined networking (SDN)

Answer 6

Answer: B
Volume storage allocates a portion of storage to the customer, which the customer can use for any purpose (to include executables and entire virtual machines). See page CSA Cloud Security Guidance v4.
Object storage, as it sounds, provides a storage location in the cloud for data objects (such as files); it is typically not used as a runtime environment. CDNs are used to enhance quality of service by putting data geographically proximate to the user. SDNs are used to abstract the networking functions away from the tangible underlying hardware/connections.

Question 7

Managing which data goes into the cloud is the responsibility of the __________.
A. regulator
B. provider
C. customer
D. administrator

Answer 7

Answer: C
Ultimately, the responsibility for which data is stored in the cloud is part of the customer’s role; the customer is the organization which owns and is legally liable for the protection of the data. See page 120 of the CSA Cloud Security Guidance v4.
This is not an easy question to answer, because part of the job function of both the regulator (A) and the administrator (D) is to supervise how the customer (C) handles sensitive/controlled/regulated data, including where it is stored. However, C is still a better answer, because it is ultimately the data owner (the customer) that has the legal and ethical responsibility to protect the data. The cloud provider is not responsible for which data the customer puts into cloud storage, except under extraordinary circumstances.

Question 8

Managing which data is put into the cloud is often as important, or more important, for __________ purposes than for security purposes.
A. financial
B. aesthetic
C. training
D. compliance

Answer 8

Answer: D
Restricting which data is stored in the cloud is often an element of complying with external mandates/standards; see page 120 of the CSA Cloud Security Guidance v4.
Financial considerations might be one aspect of an organization’s choice whether to store data in the cloud, but compliance is a much more crucial function. Data can generally presented in the same manner whether it is in the cloud or stored in a traditional environment; aesthetics are not typically considered when choosing where to store data. The choice of where to store data has nothing to do with training.

Question 9

A data loss prevention (DLP) solution might not work properly if data is __________.
A. stored as plaintext
B. sent via email
C. encrypted
D. stored on magnetic media

Answer 9

Answer: C
DLP solutions often require the ability to view the content of messaging; encryption can hinder this ability. See page 121 of the CSA Cloud Security Guidance v4.
A good DLP solution should be able to function properly under the other conditions listed.

Question 10

For migrating data to the cloud, the most secure of the following options is __________.
A. email the data to a virtual machine in the cloud
B. set up a secure file transfer protocol (SFTP) server in the cloud
C. send the provider a flashstick via the postal service
D. use the provider’s proprietary application programming interface (API)

Answer 10

Answer: D
Generally, the provider’s own services will be preferable to any other option. See page 122 of the CSA Cloud Security Guidance v4.

Question 11

__________ is an essential security capability; if a provider does not offer this function, do not use that provider.
A. training and awareness of the customer
B. transport layer security (TLS)
C. secure sockets layer (SSL)
D. digital rights management (DRM)

Answer 11

Answer: B
According to the CSA, TLS is an essential security function that every cloud provider should have (see page 122 of the CSA Cloud Security Guidance v4).
The cloud provider is not responsible for the training and awareness of customers. SSL is a deprecated, earlier form of the TLS approach. DRM is a good way to add extra access control to a file, but it is not a fundamental security element.

Question 12

If your organization must accept untrusted data into its cloud environment (such as public input), it is important to __________ the data first.
A. isolate and scan
B. encrypt
C. hash
D. save

Answer 12

Answer: A
Untrusted data should not be automatically admitted to the cloud environment. See page 122 of the CSA Cloud Security Guidance v4.
Encrypting or hashing data prior to its entry to the cloud environment does not actually serve to protect the environment. Saving the data is the same as allowing it into the environment, and is therefore not a secure practice.

Question 13

According to the CSA Cloud Security Guidance v4, __________ and encryption are the core data security elements in the cloud.
A. training
B. physical controls
C. access controls
D. digital rights management (DRM)

Answer 13

Answer: C
According to the CSA Cloud Security Guidance v4 (page 122), these are the core data security elements in the cloud.
The other options are not core security elements, according to the CSA Cloud Security Guidance v4.

Question 14

Access controls in the cloud should be implemented with a minimum of three layers in order to provide data security. Which of the following is not one of those layers?
A. management plane
B. public and internal sharing controls
C. physical controls
D. application level controls

Answer 14

Answer: C
While the cloud provider should obviously secure the physical data center itself, the CSA recommendations for cloud access control for data security include only the other three answers. See page 122 of the CSA Cloud Security Guidance v4.

Question 15

Most cloud providers use a default __________ policy for management plane access control.
A. deny
B. delete
C. allow
D. overwrite

Answer 15

Answer: A
The default deny policy is fundamental to protecting the management plane. See page 122 of the CSA Cloud Security Guidance v4.
Default delete and overwrite are not real approaches to either operations or security, as they would create a situation where data is constantly being destroyed. Default allow would be a very permissive situation, and would result in frequent unauthorized access to the cloud environment.

Question 16

Where possible, the customer should use a(n) __________ encryption key.
A. advanced encryption standard (AES)
B. symmetric
C. one-way
D. customer-managed

Answer 16

Answer: D
It is preferable that the customer manage their own keys, in order to reduce potential for exposure. See page 128 of the CSA Cloud Security Guidance v4.
While AES is a widely accepted encryption standard, CSA does not recommend any particular encryption scheme. Similarly, symmetric is a useful encryption method, but asymmetric is also useful. There is no such thing as one-way encryption; in order for encryption to be useful, it must be reversible.

Question 17

The cloud customer should not rely entirely on encryption and access controls for data security but should also consider __________.
A. user training
B. secure architecture
C. inverse proportions
D. physical mechanisms

Answer 17

Answer: B
Customers should consider building security into the architecture of the cloud environment to promote data security. See page 128 of the CSA Cloud Security Guidance v4.
User training is also a very useful tool, but probably not as effective as secure architecture techniques. “Inverse proportions” has no meaning in this context, and is only used here as a distractor. The cloud customer has no means to apply physical security controls to the cloud environment.

Question 18

__________ should not be included in the test environment.
A. code under development
B. new systems
C. security
D. raw production data

Answer 18

Answer: D
Because the test environment utilizes systems/applications that have not been fully tested, and therefore may not be secure, raw production data should not be included there. See page 127 of the CSA Cloud Security Guidance v4.
New systems and code currently under development are exactly the elements that should be in a test environment. Security can (and should) also be applied to the test environment.

Question 19

Digitals rights management (DRM) solutions are tools used to secure data by placing additional access control on specific files; unfortunately, DRM relies on __________, so use of DRM may reduce certain functionality offered by cloud providers.
A. user awareness
B. encryption
C. creativity
D. administrative rights

Answer 19

Answer: B
Certain features in a cloud environment might not be able to process encrypted data (like files under a DRM scheme), and may therefore not work properly. See page 127 of the CSA Cloud Security Guidance v4.
DRM does not rely on user awareness, creativity, or administrative rights.

Question 20

Data loss prevention (DLP) solutions are not typically deployed in __________, so it works better in SaaS than PaaS or IaaS.
A. remote locations
B. the cloud
C. commercial websites
D. data centers

Answer 20

Answer: D
Data centers are not the typical place to install DLP solutions; instead, they are usually placed at locations accessible to users (endpoints, servers, etc.). See page 126 of the CSA Cloud Security Guidance v4.
DLP solutions can be placed in remote locations, commercial websites, and the cloud.

Question 21

Logs from monitoring solutions should be stored in __________.
A. the cloud
B. a secure location
C. an on-prem storage option
D. underground bunkers

Answer 21

Answer: C
Logs must be stored securely, to ensure integrity. This might include the cloud, an on-prem option, or underground bunkers; B is the best answer because it includes the others. See page 126 of the CSA Cloud Security Guidance v4.

Question 22

When the cloud provider manages cryptographic keys, the key storage and production environments are generally separate, reducing the possibility keys are exposed. However, keys might still be exposed by __________.
A. user error
B. misconfiguration
C. governmental request
D. failure of the physical infrastructure

Answer 22

Answer: C
A government disclosure order may force the provider to disclose either the keys or the data (or both). See page 126 of the CSA Cloud Security Guidance v4.
Oddly, this is one situation where users are prevented from creating problems; the user does not typically have direct access to the keys, and could not therefore expose them. In both misconfiguration and failure of physical systems, it is much more likely that all access will be prevented (fail secure) instead of the keys being exposed.

Question 23

Which of the following is not a typical option for managing encryption keys in the cloud?
A. hardware security module (HSM)/appliance
B. virtual appliance/software
C. cloud provider service
D. regulator storage

Answer 23

Answer: D
Regulators do not typically store encryption keys for the entities they oversee. All the other answers are encryption key management options. See page 125 of the CSA Cloud Security Guidance v4.

Question 24

Which of the following is not one of the main considerations of key management in the cloud?
A. performance
B. latency
C. security
D. visibility

Answer 24

Answer: D
The main considerations of key management in the cloud are performance, latency, security, and accessibility. See page 125 of the CSA Cloud Security Guidance v4.

Question 25

When data is stored as objects in the back-end of an application, the encryption engine for encrypting the data should be located in the application or __________.
A. cloud
B. physical device
C. client
D. portable device

Answer 25

Answer: C
According to the CSA Cloud Security Guidance v4 (page 124), object storage used for application back-ends should be encrypted by engines in the client or application itself.
“Cloud” is too general an answer to be correct. CSA does not recommend the engine be located on specific hardware devices, probably because the cloud requires more flexibility, as customer instances will be spread across many devices. We typically don’t locate encryption engines on portable devices.