Domain 12: Identity, Entitlement and Access Management Flashcards
Which party solely manages the identity and access management (IAM) responsibilities in the cloud?
A. the cloud provider
B. no single party
C. the cloud customer
D. the regulator
Answer: B
Unlike in traditional IT environments, no single party solely manages IAM in the cloud; instead, the provider and customer must share the responsibility and implementation. See page 129 of the CSA Cloud Security Guidance v4.
Which of the following is not a crucial component of the identity and access management relationship between customer and provider?
A. trust relationships
B. legal framework
C. designation of responsibilities
D. technical mechanics of implementation
Answer: B
The legal framework will almost certainly inform how IAM responsibilities are shared between customer and provider, but the other three answers are components of every cloud IAM relationship. See page 129 of the CSA Cloud Security Guidance v4.
The primary tool used to provision identities across multiple cloud platforms/services/systems.
A. digital rights management (DRM)
B. data loss prevention (DLP)
C. federation
D. virtualization
Answer: C
Identity federation lets multiple organizations/providers share identity information and access control decisions across trust boundaries, so an identity provisioned once can be used across many platforms. See page 130 of the CSA Cloud Security Guidance v4.
DRM adds an extra layer of access control to objects/files; DLP monitors and controls data egress. Virtualization shares computing resources among multiple users; it does not share identity information.
The process/mechanism used to confirm that an identity assertion belongs to the entity presenting it.
A. identification
B. authentication
C. authorization
D. auditing
Answer: B
This is the definition of authentication. See page 131 of the CSA Cloud Security Guidance v4.
A common authentication factor.
A. the CCSK certification
B. gainful employment
C. security clearance
D. password
Answer: D
Passwords are commonly used as authentication factors. See page 131 of the CSA Cloud Security Guidance v4. None of the other answers provide authentication.
An identity assertion must be __________.
A. confidential
B. shared
C. neglected
D. unique
Answer: D
The identity assertion must be unique for every entity, so that each entity can be granted appropriate access rights. See page 131 of the CSA Cloud Security Guidance v4.
Identity assertions do not have to be kept secret; in fact, they are often publicized (such as email addresses). Nor do they have to be shared. “Neglected” has no meaning in this context, and is only a distractor.
An XML-based OASIS federation standard.
A. SAML (Security Assertion Markup Language)
B. CANT (Coordinated Access Networking Topology)
C. Linux
D. REST (REpresentational State Transfer)
Answer: A
SAML is based on XML, created by OASIS, an open standard consortium. See page 132 of the CSA Cloud Security Guidance v4.
CANT does not exist; I made it up as a distractor for this question. Linux is an operating system. REST is a design approach for creating application programming interfaces (APIs).
Which of the following is not an element of SAML?
A. identity assertions
B. reverse party
C. identity provider
D. relying party
Answer: B
There is no reverse party in SAML; this is only a distractor, as the term has no meaning. See page 132 of the CSA Cloud Security Guidance v4.
All the other answers are SAML elements. I highly, highly recommend the Wikipedia entry for SAML, which is incredibly detailed and extensive.
The current version of SAML (according to the CSA Cloud Security Guidance v4).
A. 1.0
B. 1.2
C. 2.0
D. 3.1
Answer: C
See page 132.
OAuth is designed to work with which communications protocol?
A. SMTP (Simple Mail Transfer Protocol)
B. IMDB (Internet Movie Database)
C. ICMP (Internet Control Message Protocol)
D. HTTP (Hypertext Transfer Protocol)
Answer: D
See page 132 of the CSA Cloud Security Guidance v4.
A federation standard based on HTTP, with URLs used to identify the identity provider and the user.
A. OpenID Connect
B. Prime Directive
C. SOAP (Simple Object Access Protocol)
D. TCP/IP (Transmission Control Protocol/Internet Protocol)
Answer: A
This describes OpenID Connect. See page 132 of the CSA Cloud Security Guidance v4.
Answer B is a Star Trek reference, used here as a distractor. SOAP is an XML-based messaging protocol for application programming interfaces (APIs). TCP/IP is the Internet's networking protocol suite.
What is the challenge when cloud customers manage all the identities in the cloud environment?
A. processing capacity
B. memorization
C. storage capacity
D. scalability
Answer: D
Manually managing identities is difficult for organizations of any appreciable size. See page 134 of the CSA Cloud Security Guidance v4.
Modern major cloud providers should have little difficulty providing necessary amounts of processing and storage capacity for most customers. Identity management should not require memorization.
Cloud computing affects the way identity and access management (IAM) is handled, in ways that are quite different than the traditional IT environment. According to the CSA Cloud Security Guidance v4, the biggest impact cloud has on IAM is a greater need for __________ and __________. [select two]
A. user training
B. threat intelligence
C. strong authentication
D. the use of multiple authentication factors
E. deployment of hardware tokens
F. reliance on biometric authentication
Answer: C, D
See page 136. While A and B are very useful for cloud security, they’re not essential to IAM efforts. While E and F may aid IAM efforts, they are very specific technologies, where C and D are foundational approaches.
A tool used to map out access rights and permissions against authenticated identity assertions and characteristics.
A. attribute portal
B. entitlement matrix
C. facet corollary
D. digital rights management (DRM)
Answer: B
An entitlement matrix helps the data owner ascribe permissions to specific entities under particular conditions. See page 138 of the CSA Cloud Security Guidance v4.
A and C are only distractors; these are terms with no meaning in our industry. DRM is used to add an extra layer of access control on files/objects.
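An entitlement matrix, as the card above describes it, maps an authenticated identity's attributes and the conditions of the request onto the permissions the data owner has decided to grant. The following is an added example, not tooling from the CSA guidance or the flashcard author: the matrix rows, the resource names, the group names and the identities are all constructed, and the evaluation rules (deny by default, explicit deny wins, conditions such as MFA and network must all hold) are this example's own design choices rather than a specific product's semantics.

```python
"""Evaluating an entitlement matrix against an authenticated identity's attributes.
Added example; not from the CSA guidance or the flashcard author. Rows, resource
names, groups and identities are constructed. Policy: deny by default, an explicit
deny row beats any allow row, every condition on a row must hold for it to apply."""
import fnmatch

# Each row is a data owner's decision: which identities (by attribute), on which
# resources (glob pattern), for which actions, under which request conditions.
ENTITLEMENT_MATRIX = [
    {"effect": "allow", "when": {"group": "finance"},
     "resources": "s3:billing/*", "actions": {"read"}, "conditions": {}},
    {"effect": "allow", "when": {"group": "finance-admins"},
     "resources": "s3:billing/*", "actions": {"read", "write", "delete"},
     "conditions": {"mfa": True, "network": "corp"}},
    {"effect": "allow", "when": {"group": "staff"},
     "resources": "wiki:*", "actions": {"read"}, "conditions": {}},
    {"effect": "deny", "when": {"employment": "contractor"},
     "resources": "s3:billing/payroll/*", "actions": {"read", "write", "delete"},
     "conditions": {}},
]

# Constructed identities, shaped like the attributes an IdP would assert after authentication.
ALICE = {"sub": "alice@example.org", "group": ["finance", "staff"], "employment": "employee"}
BOB = {"sub": "bob@contractor.example", "group": ["finance"], "employment": "contractor"}
CAROL = {"sub": "carol@example.org", "group": ["finance-admins"], "employment": "employee"}


def _row_applies(row, identity, resource, action, context):
    """True if every attribute, the resource pattern, the action and all conditions match."""
    for key, wanted in row["when"].items():
        have = identity.get(key, [])
        have = have if isinstance(have, list) else [have]
        if wanted not in have:
            return False
    if not fnmatch.fnmatchcase(resource, row["resources"]):
        return False
    if action not in row["actions"]:
        return False
    return all(context.get(key) == wanted for key, wanted in row["conditions"].items())


def authorize(identity, resource, action, context, matrix=ENTITLEMENT_MATRIX):
    """Return ("allow" | "deny", [indices of matching rows]).
    Deny by default; the first explicit deny row that applies ends evaluation."""
    decision, matched = "deny", []
    for index, row in enumerate(matrix):
        if _row_applies(row, identity, resource, action, context):
            matched.append(index)
            if row["effect"] == "deny":
                return "deny", matched
            decision = "allow"
    return decision, matched


def demo():
    corp_mfa = {"mfa": True, "network": "corp"}
    corp_no_mfa = {"mfa": False, "network": "corp"}
    return {
        "alice_read_billing": authorize(ALICE, "s3:billing/2024/q1.csv", "read", corp_no_mfa),
        "alice_write_billing": authorize(ALICE, "s3:billing/2024/q1.csv", "write", corp_mfa),
        "bob_read_payroll": authorize(BOB, "s3:billing/payroll/may.csv", "read", corp_mfa),
        "carol_delete_no_mfa": authorize(CAROL, "s3:billing/2024/q1.csv", "delete", corp_no_mfa),
        "carol_delete_mfa": authorize(CAROL, "s3:billing/2024/q1.csv", "delete", corp_mfa),
    }


if __name__ == "__main__":
    for label, (decision, rows) in demo().items():
        print(f"{label}: {decision} (rows {rows})")
```

The returned row indices are what make the matrix auditable: a reviewer can trace every allow back to the owner's decision that granted it, and a deny that cites no row shows the default is doing its job. Note that the contractor deny row wins even though Bob also matches the finance allow row; that ordering is the evaluator's policy and must be agreed with the data owner, not assumed.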
The __________ is responsible for enforcing access controls and authorizations.
A. cloud customer
B. cloud provider
C. regulator
D. user
Answer: B
The cloud customer will define permissions and grant authorizations, but the provider will be responsible for enforcing these. See page 138 of the CSA Cloud Security Guidance v4.