Domain 13: Security as a Service Flashcards
In order to be considered security-as-a-service (SecaaS) according to the Cloud Security Alliance (CSA), the technology must __________.
A. reside entirely within one jurisdiction
B. serve cloud environments
C. be certified according to the CSA Security, Trust, Assurance, and Risk (STAR) Registry Level 3
D. be delivered as a cloud service
Answer: D
According to the CSA Cloud Security Guidance v4 (page 140), a technology must be delivered as a cloud service in order to be considered SecaaS.
The technology does not have to reside in a single jurisdiction, serve cloud environments, or be certified under the STAR program in order to be considered SecaaS.
In order to be considered security-as-a-service (SecaaS) according to the Cloud Security Alliance (CSA), the technology must __________.
A. meet the NIST definition of a cloud service
B. be accessed via virtual private networks (VPNs)
C. use transport layer security (TLS)
D. satisfy GDPR (General Data Protection Regulation) requirements
Answer: A
According to the CSA Cloud Security Guidance v4 (page 140), a technology must satisfy the NIST definition of a cloud service in order to be considered SecaaS.
The technology does not have to use VPNs or TLS, or satisfy GDPR in order to be considered SecaaS.
All of the following are potential benefits of security-as-a-service (SecaaS), except __________. [choose all that apply]
A. reduced capital investment
B. data leakage
C. expertise
D. intelligence-sharing
E. insulation of clients
Answer: B
Data leakage is a potential risk associated with SecaaS, not a potential benefit. See pages 141-142 of the CSA Cloud Security Guidance v4.
All of the following are potential benefits of security-as-a-service (SecaaS), except __________. [choose all that apply]
A. scaling
B. cost
C. cloud-computing benefits
D. changing providers
E. migration
Answer: D and E
The difficulty of changing providers and the effort of migrating to a cloud security provider are potential concerns associated with SecaaS, not potential benefits. See pages 141-142 of the CSA Cloud Security Guidance v4.
Why might security-as-a-service (SecaaS) providers have difficulty meeting the regulatory requirements of potential customers?
A. cloud is global
B. customers won’t pay for it
C. providers are uneducated
D. regulators hate the cloud
Answer: A
Cloud customers might exist across many different jurisdictions, each with its own regulatory restrictions; it is difficult for a single provider to meet the needs of every customer on the planet. See page 142 of the CSA Cloud Security Guidance v4.
Price, education, and the emotions of regulators are not usually limiting factors.
Which term describes a cloud security gateway?
A. the Security, Trust, Assurance, and Risk (STAR) Registry
B. a Cloud Access Security Broker (CASB)
C. the Cloud Controls Matrix (CCM)
D. the General Data Protection Regulation (GDPR)
Answer: B
“CASB” is a term describing a cloud security gateway. See page 143 of the CSA Cloud Security Guidance v4.
The STAR Registry is a public registry of cloud providers' security and privacy assessments (self-assessments and third-party certifications); the CCM is a table of controls mapped against regulations and standards; and the GDPR is a European law.
__________ is one type of security-as-a-service (SecaaS).
A. transparent encryption
B. Type 2 hypervisor
C. federated identity brokers
D. remote meetings
Answer: C
See page 143 of the CSA Cloud Security Guidance v4.
Federated identity brokers are listed among the identity, entitlement, and access management offerings a SecaaS provider might deliver. Transparent encryption is a data-protection technique, not a SecaaS category; a Type 2 hypervisor is virtualization software that runs on a host operating system; and remote meetings are a collaboration service, not a security service.
Security-as-a-service (SecaaS) providers might offer strong authentication capabilities, such as mobile device applications and __________.
A. user training and awareness
B. AES encryption
C. flotation devices
D. tokens for multifactor authentication
Answer: D
See page 143 of the CSA Cloud Security Guidance v4.
User training is not typically considered a SecaaS offering. AES is an encryption standard, not a technology/service. A flotation device is used for water safety.
Cloud-based security-as-a-service (SecaaS) offerings for web security gateways might include both proxy capabilities and __________.
A. redirecting web traffic
B. deep packet inspection
C. heuristic algorithms
D. the Turing test
Answer: A
See page 143 of the CSA Cloud Security Guidance v4.
Deep packet inspection and heuristic algorithms are typically elements of a firewall or IDS/IPS device. The Turing test is used to determine whether a machine's responses can pass for a human's; it is not part of the CCSK exam.
Security-as-a-service providers might offer all the following types of solutions except __________. [select all that apply]
A. security management
B. financial oversight
C. business continuity and disaster recovery (BCDR)
D. distributed denial of service (DDoS) protection
E. legal advice
F. encryption and key management
Answer: B and E
SecaaS vendors should not be offering financial or legal consulting; those are typically areas best handled by accountants/auditors and attorneys. All the other answers are services offered by SecaaS providers. See pages 144-145 of the CSA Cloud Security Guidance v4.