Domain 11: Data Security and Encryption Flashcards
Which of the following is a crucial control for protecting and managing data in the cloud environment? [select all that apply]
A. architecture
B. encryption
C. access controls
D. monitoring/alerting
E. additional controls, such as data loss prevention (DLP)
Answer: A, B, C, D, E
All of these are crucial data security controls in a cloud environment, according to the CSA Cloud Security Guidance v4 (see pages 119-120).
Which of the following is not a category of data security controls discussed in the CSA Cloud Security Guidance v4, Domain 11?
A. controlling which data goes into the cloud
B. protecting and managing data in the cloud
C. enforcing information lifecycle management
D. training users who access the cloud environment
Answer: D
While user training may aid in securing information in the cloud, it is not a major category discussed in Domain 11 of the CSA Cloud Security Guidance v4; the other three answers are (see pages 119-120).
Which of the following are main data storage types in the cloud? [select all that apply]
A. object
B. volume
C. translucent
D. database
Answer: A, B, D
“Translucent” is not a data storage type; the term has no meaning in this context, and is only a distractor. All the other answers are major data storage types used in the cloud (see page 120 of the CSA Cloud Security Guidance v4).
A redundant, durable data storage mechanism used in the cloud.
A. ephemeral
B. epiphany
C. data dispersion
D. RAM
Answer: C
Data dispersion is widely used in the cloud as a means to add resiliency and redundancy to data storage. See page 120 of the CSA Cloud Security Guidance v4.
Both ephemeral and RAM are temporary, not durable, storage types. “Epiphany” has no meaning here, and is only a distractor.
Also known as a Cloud Security Gateway, this solution helps your organization determine how your users are consuming cloud services.
A. firewalls
B. security incident and event monitoring systems (SIEMs)
C. application programming interfaces (APIs)
D. cloud access security brokers (CASBs)
Answer: D
See page 121 of the CSA Cloud Security Guidance v4.
Firewalls typically monitor and restrict traffic according to rules; firewall logs might be helpful for determining what cloud services your users are utilizing, but CASB is a better answer. The purpose of SIEMs is to centralize and analyze log data; again, this might be useful for learning about user consumption of services, but CASB is still a better answer. APIs are the tools used to access and use data in the cloud; they are not designed to aid in determining usage.
Basically, a virtual hard drive for instances/virtual machines.
A. object storage
B. volume storage
C. content delivery network (CDN)
D. software-defined networking (SDN)
Answer: B
Volume storage allocates a portion of storage to the customer, which the customer can use for any purpose (including executables and entire virtual machines). See the CSA Cloud Security Guidance v4.
Object storage, as it sounds, provides a storage location in the cloud for data objects (such as files); it is typically not used as a runtime environment. CDNs are used to enhance quality of service by putting data geographically proximate to the user. SDNs are used to abstract the networking functions away from the tangible underlying hardware/connections.
Managing which data goes into the cloud is the responsibility of the __________.
A. regulator
B. provider
C. customer
D. administrator
Answer: C
Ultimately, the responsibility for which data is stored in the cloud is part of the customer’s role; the customer is the organization which owns and is legally liable for the protection of the data. See page 120 of the CSA Cloud Security Guidance v4.
This is not an easy question to answer, because part of the job function of both the regulator (A) and the administrator (D) is to supervise how the customer (C) handles sensitive/controlled/regulated data, including where it is stored. However, C is still a better answer, because it is ultimately the data owner (the customer) that has the legal and ethical responsibility to protect the data. The cloud provider is not responsible for which data the customer puts into cloud storage, except under extraordinary circumstances.
Managing which data is put into the cloud is often as important, or more important, for __________ purposes than for security purposes.
A. financial
B. aesthetic
C. training
D. compliance
Answer: D
Restricting which data is stored in the cloud is often an element of complying with external mandates/standards; see page 120 of the CSA Cloud Security Guidance v4.
Financial considerations might be one aspect of an organization’s choice whether to store data in the cloud, but compliance is a much more crucial function. Data can generally be presented in the same manner whether it is in the cloud or stored in a traditional environment; aesthetics are not typically considered when choosing where to store data. The choice of where to store data has nothing to do with training.
A data loss prevention (DLP) solution might not work properly if data is __________.
A. stored as plaintext
B. sent via email
C. encrypted
D. stored on magnetic media
Answer: C
DLP solutions often require the ability to view the content of messaging; encryption can hinder this ability. See page 121 of the CSA Cloud Security Guidance v4.
A good DLP solution should be able to function properly under the other conditions listed.
For migrating data to the cloud, the most secure of the following options is __________.
A. email the data to a virtual machine in the cloud
B. set up a secure file transfer protocol (SFTP) server in the cloud
C. send the provider a flashstick via the postal service
D. use the provider’s proprietary application programming interface (API)
Answer: D
Generally, the provider’s own services will be preferable to any other option. See page 122 of the CSA Cloud Security Guidance v4.
__________ is an essential security capability; if a provider does not offer this function, do not use that provider.
A. training and awareness of the customer
B. transport layer security (TLS)
C. secure sockets layer (SSL)
D. digital rights management (DRM)
Answer: B
According to the CSA, TLS is an essential security function that every cloud provider should have (see page 122 of the CSA Cloud Security Guidance v4).
The cloud provider is not responsible for the training and awareness of customers. SSL is a deprecated, earlier form of the TLS approach. DRM is a good way to add extra access control to a file, but it is not a fundamental security element.
If your organization must accept untrusted data into its cloud environment (such as public input), it is important to __________ the data first.
A. isolate and scan
B. encrypt
C. hash
D. save
Answer: A
Untrusted data should not be automatically admitted to the cloud environment. See page 122 of the CSA Cloud Security Guidance v4.
Encrypting or hashing data prior to its entry to the cloud environment does not actually serve to protect the environment. Saving the data is the same as allowing it into the environment, and is therefore not a secure practice.
According to the CSA Cloud Security Guidance v4, __________ and encryption are the core data security elements in the cloud.
A. training
B. physical controls
C. access controls
D. digital rights management (DRM)
Answer: C
According to the CSA Cloud Security Guidance v4 (page 122), these are the core data security elements in the cloud.
The other options are not core security elements, according to the CSA Cloud Security Guidance v4.
Access controls in the cloud should be implemented with a minimum of three layers in order to provide data security. Which of the following is not one of those layers?
A. management plane
B. public and internal sharing controls
C. physical controls
D. application level controls
Answer: C
While the cloud provider should obviously secure the physical data center itself, the CSA recommendations for cloud access control for data security include only the other three answers. See page 122 of the CSA Cloud Security Guidance v4.
Most cloud providers use a default __________ policy for management plane access control.
A. deny
B. delete
C. allow
D. overwrite
Answer: A
The default deny policy is fundamental to protecting the management plane. See page 122 of the CSA Cloud Security Guidance v4.
Default delete and overwrite are not real approaches to either operations or security, as they would create a situation where data is constantly being destroyed. Default allow would be a very permissive situation, and would result in frequent unauthorized access to the cloud environment.