Domain 11: Data Security and Encryption Flashcards

1
Q

Which of the following is a crucial control for protecting and managing data in the cloud environment? [select all that apply]
A. architecture
B. encryption
C. access controls
D. monitoring/alerting
E. additional controls, such as data loss prevention (DLP)

A

Answer: A, B, C, D, E
All of these are crucial data security controls in a cloud environment, according to the CSA Cloud Security Guidance v4 (see pages 119-120).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Which of the following is not a category of data security controls discussed in the CSA Cloud Security Guidance v4, Domain 11?
A. controlling which data goes into the cloud
B. protecting and managing data in the cloud
C. enforcing information lifecycle management
D. training users who access the cloud environment

A

Answer: D
While user training may aid in securing information in the cloud, it is not a major category discussed in Domain 11 of the CSA Cloud Security Guidance v4; the other three answers are (see pages 119-120).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Which of the following are main data storage types in the cloud? [select all that apply]
A. object
B. volume
C. translucent
D. database

A

Answer: A, B, D
“Translucent” is not a data storage type; the term has no meaning in this context, and is only a distractor. All the other answers are major data storage types used in the cloud (see page 120 of the CSA Cloud Security Guidance v4).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

A redundant, durable data storage mechanism used in the cloud.
A. ephemeral
B. epiphany
C. data dispersion
D. RAM

A

Answer: C
Data dispersion is widely used in the cloud as a means to add resiliency and redundancy to data storage. See page 120 of the CSA Cloud Security Guidance v4.
Both ephemeral and RAM are temporary, not durable, storage types. “Epiphany” has no meaning here, and is only a distractor.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Also known as a Cloud Security Gateway, this solution helps your organization determine how your users are consuming cloud services.
A. firewalls
B. security incident and event monitoring systems (SIEMs)
C. application programming interfaces (APIs)
D. cloud access security brokers (CASBs)

A

Answer: D
See page 121 of the CSA Cloud Security Guidance v4.
Firewalls are typically monitor and restrict traffic according to rules; firewall logs might be helpful for determining what cloud services your users are utilizing, but CASB is a better answer. The purpose of SIEMs is to centralize and analyze log data; again, this might be useful for learning about user consumption of services, but CASB is still a better answer. APIs are the tools used to access and use data in the cloud; they are not designed to aid in determining usage.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Basically, a virtual hard drive for instances/virtual machines.
A. object storage
B. volume storage
C. content delivery network (CDN)
D. software-defined networking (SDN)

A

Answer: B
Volume storage allocates a portion of storage to the customer, which the customer can use for any purpose (to include executables and entire virtual machines). See page CSA Cloud Security Guidance v4.
Object storage, as it sounds, provides a storage location in the cloud for data objects (such as files); it is typically not used as a runtime environment. CDNs are used to enhance quality of service by putting data geographically proximate to the user. SDNs are used to abstract the networking functions away from the tangible underlying hardware/connections.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Managing which data goes into the cloud is the responsibility of the __________.
A. regulator
B. provider
C. customer
D. administrator

A

Answer: C
Ultimately, the responsibility for which data is stored in the cloud is part of the customer’s role; the customer is the organization which owns and is legally liable for the protection of the data. See page 120 of the CSA Cloud Security Guidance v4.
This is not an easy question to answer, because part of the job function of both the regulator (A) and the administrator (D) is to supervise how the customer (C) handles sensitive/controlled/regulated data, including where it is stored. However, C is still a better answer, because it is ultimately the data owner (the customer) that has the legal and ethical responsibility to protect the data. The cloud provider is not responsible for which data the customer puts into cloud storage, except under extraordinary circumstances.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Managing which data is put into the cloud is often as important, or more important, for __________ purposes than for security purposes.
A. financial
B. aesthetic
C. training
D. compliance

A

Answer: D
Restricting which data is stored in the cloud is often an element of complying with external mandates/standards; see page 120 of the CSA Cloud Security Guidance v4.
Financial considerations might be one aspect of an organization’s choice whether to store data in the cloud, but compliance is a much more crucial function. Data can generally presented in the same manner whether it is in the cloud or stored in a traditional environment; aesthetics are not typically considered when choosing where to store data. The choice of where to store data has nothing to do with training.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

A data loss prevention (DLP) solution might not work properly if data is __________.
A. stored as plaintext
B. sent via email
C. encrypted
D. stored on magnetic media

A

Answer: C
DLP solutions often require the ability to view the content of messaging; encryption can hinder this ability. See page 121 of the CSA Cloud Security Guidance v4.
A good DLP solution should be able to function properly under the other conditions listed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

For migrating data to the cloud, the most secure of the following options is __________.
A. email the data to a virtual machine in the cloud
B. set up a secure file transfer protocol (SFTP) server in the cloud
C. send the provider a flashstick via the postal service
D. use the provider’s proprietary application programming interface (API)

A

Answer: D
Generally, the provider’s own services will be preferable to any other option. See page 122 of the CSA Cloud Security Guidance v4.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

__________ is an essential security capability; if a provider does not offer this function, do not use that provider.
A. training and awareness of the customer
B. transport layer security (TLS)
C. secure sockets layer (SSL)
D. digital rights management (DRM)

A

Answer: B
According to the CSA, TLS is an essential security function that every cloud provider should have (see page 122 of the CSA Cloud Security Guidance v4).
The cloud provider is not responsible for the training and awareness of customers. SSL is a deprecated, earlier form of the TLS approach. DRM is a good way to add extra access control to a file, but it is not a fundamental security element.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

If your organization must accept untrusted data into its cloud environment (such as public input), it is important to __________ the data first.
A. isolate and scan
B. encrypt
C. hash
D. save

A

Answer: A
Untrusted data should not be automatically admitted to the cloud environment. See page 122 of the CSA Cloud Security Guidance v4.
Encrypting or hashing data prior to its entry to the cloud environment does not actually serve to protect the environment. Saving the data is the same as allowing it into the environment, and is therefore not a secure practice.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

According to the CSA Cloud Security Guidance v4, __________ and encryption are the core data security elements in the cloud.
A. training
B. physical controls
C. access controls
D. digital rights management (DRM)

A

Answer: C
According to the CSA Cloud Security Guidance v4 (page 122), these are the core data security elements in the cloud.
The other options are not core security elements, according to the CSA Cloud Security Guidance v4.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Access controls in the cloud should be implemented with a minimum of three layers in order to provide data security. Which of the following is not one of those layers?
A. management plane
B. public and internal sharing controls
C. physical controls
D. application level controls

A

Answer: C
While the cloud provider should obviously secure the physical data center itself, the CSA recommendations for cloud access control for data security include only the other three answers. See page 122 of the CSA Cloud Security Guidance v4.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Most cloud providers use a default __________ policy for management plane access control.
A. deny
B. delete
C. allow
D. overwrite

A

Answer: A
The default deny policy is fundamental to protecting the management plane. See page 122 of the CSA Cloud Security Guidance v4.
Default delete and overwrite are not real approaches to either operations or security, as they would create a situation where data is constantly being destroyed. Default allow would be a very permissive situation, and would result in frequent unauthorized access to the cloud environment.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Where possible, the customer should use a(n) __________ encryption key.
A. advanced encryption standard (AES)
B. symmetric
C. one-way
D. customer-managed

A

Answer: D
It is preferable that the customer manage their own keys, in order to reduce potential for exposure. See page 128 of the CSA Cloud Security Guidance v4.
While AES is a widely accepted encryption standard, CSA does not recommend any particular encryption scheme. Similarly, symmetric is a useful encryption method, but asymmetric is also useful. There is no such thing as one-way encryption; in order for encryption to be useful, it must be reversible.

17
Q

The cloud customer should not rely entirely on encryption and access controls for data security but should also consider __________.
A. user training
B. secure architecture
C. inverse proportions
D. physical mechanisms

A

Answer: B
Customers should consider building security into the architecture of the cloud environment to promote data security. See page 128 of the CSA Cloud Security Guidance v4.
User training is also a very useful tool, but probably not as effective as secure architecture techniques. “Inverse proportions” has no meaning in this context, and is only used here as a distractor. The cloud customer has no means to apply physical security controls to the cloud environment.

18
Q

__________ should not be included in the test environment.
A. code under development
B. new systems
C. security
D. raw production data

A

Answer: D
Because the test environment utilizes systems/applications that have not been fully tested, and therefore may not be secure, raw production data should not be included there. See page 127 of the CSA Cloud Security Guidance v4.
New systems and code currently under development are exactly the elements that should be in a test environment. Security can (and should) also be applied to the test environment.

19
Q

Digitals rights management (DRM) solutions are tools used to secure data by placing additional access control on specific files; unfortunately, DRM relies on __________, so use of DRM may reduce certain functionality offered by cloud providers.
A. user awareness
B. encryption
C. creativity
D. administrative rights

A

Answer: B
Certain features in a cloud environment might not be able to process encrypted data (like files under a DRM scheme), and may therefore not work properly. See page 127 of the CSA Cloud Security Guidance v4.
DRM does not rely on user awareness, creativity, or administrative rights.

20
Q

Data loss prevention (DLP) solutions are not typically deployed in __________, so it works better in SaaS than PaaS or IaaS.
A. remote locations
B. the cloud
C. commercial websites
D. data centers

A

Answer: D
Data centers are not the typical place to install DLP solutions; instead, they are usually placed at locations accessible to users (endpoints, servers, etc.). See page 126 of the CSA Cloud Security Guidance v4.
DLP solutions can be placed in remote locations, commercial websites, and the cloud.

21
Q

Logs from monitoring solutions should be stored in __________.
A. the cloud
B. a secure location
C. an on-prem storage option
D. underground bunkers

A

Answer: C
Logs must be stored securely, to ensure integrity. This might include the cloud, an on-prem option, or underground bunkers; B is the best answer because it includes the others. See page 126 of the CSA Cloud Security Guidance v4.

22
Q

When the cloud provider manages cryptographic keys, the key storage and production environments are generally separate, reducing the possibility keys are exposed. However, keys might still be exposed by __________.
A. user error
B. misconfiguration
C. governmental request
D. failure of the physical infrastructure

A

Answer: C
A government disclosure order may force the provider to disclose either the keys or the data (or both). See page 126 of the CSA Cloud Security Guidance v4.
Oddly, this is one situation where users are prevented from creating problems; the user does not typically have direct access to the keys, and could not therefore expose them. In both misconfiguration and failure of physical systems, it is much more likely that all access will be prevented (fail secure) instead of the keys being exposed.

23
Q

Which of the following is not a typical option for managing encryption keys in the cloud?
A. hardware security module (HSM)/appliance
B. virtual appliance/software
C. cloud provider service
D. regulator storage

A

Answer: D
Regulators do not typically store encryption keys for the entities they oversee. All the other answers are encryption key management options. See page 125 of the CSA Cloud Security Guidance v4.

24
Q

Which of the following is not one of the main considerations of key management in the cloud?
A. performance
B. latency
C. security
D. visibility

A

Answer: D
The main considerations of key management in the cloud are performance, latency, security, and accessibility. See page 125 of the CSA Cloud Security Guidance v4.

25
Q

When data is stored as objects in the back-end of an application, the encryption engine for encrypting the data should be located in the application or __________.
A. cloud
B. physical device
C. client
D. portable device

A

Answer: C
According to the CSA Cloud Security Guidance v4 (page 124), object storage used for application back-ends should be encrypted by engines in the client or application itself.
“Cloud” is too general an answer to be correct. CSA does not recommend the engine be located on specific hardware devices, probably because the cloud requires more flexibility, as customer instances will be spread across many devices. We typically don’t locate encryption engines on portable devices.