Domain 6: Management Plane and Business Continuity

Question 1

According to the CSA Cloud Security Guidance v4, what is the single most significant security difference between cloud computing and traditional IT infrastructure?
A. virtualization
B. microprocessors
C. the user community
D. the management plane

Answer 1

Answer: D
All the other responses may exist in the traditional IT environment, but the management plane is unique to cloud computing. See page 67 of the CSA Cloud Security Guidance v4.

Question 2

As an analogy, gaining access to the management plane is like __________.
A. getting access to all personnel records
B. getting physical access to your building
C. getting access to all traffic entering and leaving your IT environment
D. getting unfettered access to your data center

Answer 2

Answer: D
This is particularly true for IaaS environments, which very much replicate the function and purpose of the traditional data center. See page 67 of the CSA Cloud Security Guidance v4.
Both access to personnel records and physical access to the building may result in damage to the organization, but are somewhat limited, and not nearly the level of threat posed by illicit access to the management plane. Monitoring inbound and outbound traffic poses a significant risk, but not nearly on the scale of what an attacker could by controlling the management plane.

Question 3

Who is responsible for securing and managing the credentials used to access the management plane?
A. the cloud provider
B. the cloud customer
C. regulators
D. the user

Answer 3

Answer: B
The customer creates the credentials used to access the management plane, and is responsible for securing and managing them. See page 68 of the CSA Cloud Security Guidance v4.

Question 4

Which of the following is not a main aspect of business continuity/disaster recovery (BCDR) in the cloud?
A. considering options for portability
B. preparing for and managing provider outages
C. ensuring continuity and recovery within a given cloud provider
D. lobbying legislators to create legal constraints for cloud providers

Answer 4

Answer: D
Trying to change or create laws is not a typical security activity. The other responses are the main aspects of cloud BCDR. See page 68 of the CSA Cloud Security Guidance v4.

Question 5

__________ is a cloud business continuity/disaster recovery (BCDR) feature that is not easily accomplished in a traditional (on-prem) IT environment.
A. regular backups
B. deploying virtual machines across multiple, distinct geographic availability zones
C. versioning of baseline operating system (OS) builds
D. personnel training

Answer 5

Answer: B
It is difficult to build multiple traditional data centers in different geographic areas, as physical property is very expensive. In the cloud, however, spreading virtual resources across different physical locations is efficient and cost-effective. See page 68 of the CSA Cloud Security Guidance v4.

Question 6

In which service model is the customer more likely to have the ability to architect the cloud environment for resiliency?
A. IaaS
B. PaaS
C. SaaS
D. public

Answer 6

Answer: A
In an IaaS cloud, the customer has much more authority and responsibility to configure the cloud environment. See page 69 of the CSA Cloud Security Guidance v4.
“Public” is a deployment model, not a service model.

Question 7

Which of the following are essential for a risk-based approach to business continuity/disaster recovery (BCDR) in the cloud? [select all that apply]
A. not all assets need equal continuity
B. you don’t need to plan for full provider outages; review the historical performance of the provider
C. try to design your environment to meet the same goals (recovery time objective [RTO] and recovery point objective [RPO]) you used for your traditional environment
D. always purchase the highest-cost provider package, to ensure the utmost availability

Answer 7

Answer: A, B, C
The most expensive service is not always optimum for your business goals. All the other responses are advised by the CSA. See page 69 of the CSA Cloud Security Guidance v4.

Question 8

What sort of interface does the cloud customer typically have with the management plane in an SaaS cloud model?
A. root-level access of the underlying hardware
B. an “admin” tab on the user panel
C. administrative access to the operating system the app runs on
D. physical access to the data center itself

Answer 8

Answer: B
In an SaaS model, the customer typically has minimal interaction with the environment, often typified by an “admin” or “settings” tab on the interface. See page 69 of the CSA Cloud Security Guidance v4.
The other responses are not at all typical for SaaS customers; A and D almost never are granted to customers, and C is usually restricted to PaaS and IaaS customers.

Question 9

The management plane is instrumental for enabling and enforcing __________ and __________ in multitenancy. [select two]
A. refraction
B. implementation
C. isolation
D. separation
E. navigation
F. compensation

Answer 9

Answer: C, D
IaaS architecture can be used to enhance logical separation and process/system isolation. See page 69 of the CSA Cloud Security Guidance v4.
The management plane does not aid with refraction or navigation, which are terms with no meaning in this context. The management plane does not aid in compensation (payment); payment is usually based on performance.

Question 10

The management plane includes the interfaces for __________ and also the interfaces for __________. [select two]
A. building and managing the cloud itself
B. allowing auditors access to inspect the environment
C. permitting regulators to review the cloud architecture
D. end users to enter the physical data center
E. government agents to surveil web traffic
F. cloud customers to manage their own allocated resources in the cloud

Answer 10

Answer: A, F
See page 69 of the CSA Cloud Security Guidance v4. The management plane will be used by the cloud provider to set up and optimize the cloud infrastructure, and also by the cloud customer, to apportion the IT resources they’ve paid to access.
The management plane is not typically accessed by auditors, government agents, or regulators, and end users do not typically get physical access to the cloud data center.

Question 11

What are the two typical ways cloud providers deliver management plane access to customers? [select two]
A. overnight shipping
B. web consoles
C. APIs
D. add-ins to operating systems (OSs)
E. portable media

Answer 11

Answer: B,C
See page 69 of the CSA Cloud Security Guidance v4.

Question 12

Web consoles for accessing the cloud management plane are managed by the __________.
A. cloud provider
B. cloud customer
C. regulator
D. programmer

Answer 12

Answer: A
See page 70 of the CSA Cloud Security Guidance v4.

Question 13

The web console’s __________ might be customized to a particular customer’s organization, to create that organization’s own “version” of the console.
A. color scheme
B. logo
C. domain name
D. preferred browser

Answer 13

Answer: C
While the customization may include the organization’s color scheme and logo, it’s the domain name that actually directs that organization’s users to a customized interface for the web console. See page 70 of the CSA Cloud Security Guidance v4.
Cloud management plane web consoles should not be browser-dependent.

Question 14

Cloud management plane APIs are typically created with __________.
A. care
B. representational state transfer (REST)
C. simple object access protocol (SOAP)
D. extensible markup language (XML)

Answer 14

Answer: B
According to page 70 of the CSA Cloud Security Guidance v4, “REST is easy to implement over the Internet.” SOAP (a protocol based on XML) can also be used to create APIs, but is not as modern as REST.

Question 15

REST APIs run over __________, and therefore work well across diverse environments.
A. fiber lines
B. all obstacles
C. wifi
D. HTTP/S

Answer 15

Answer: D
Both REST and HTTP were created by the same person, Roy Fielding. See page 70 of the CSA Cloud Security Guidance v4.
Fiber and wifi are communications media; most protocols can run over most media. “All obstacles” is a distractor here.

Question 16

REST API authentication commonly uses __________ or __________ . [select two]
A. ticket-granting tickets (TGT)
B. HTTP request signing
C. quad processors
D. OAuth
E. large fonts

Answer 16

Answer: B, D
Both of these use cryptography to enhance authentication. See page 70 of the CSA Cloud Security Guidance v4.
Ticket-granting tickets are a characteristic of Kerberos. “Quad processors” and “large fonts” are just distractors in this context.

Question 17

Identity and access (IAM) typically includes all of the following except __________.
A. identification
B. isolation
C. authentication
D. authorization

Answer 17

Answer: B
Isolation is not an element of IAM. See page 70 of the CSA Cloud Security Guidance v4.

Question 18

The cloud customer’s root account, which can be used to create or destroy the entire configuration, should have all the following qualities except __________.
A. enterprise-owned
B. almost never used
C. secured
D. easy to recover

Answer 18

Answer: D
Typically, recovery of lost accounts (or credentials) should involve a complicated process that includes identity challenges and additional authorization confirmation. See page 71 of the CSA Cloud Security Guidance v4.

Question 19

All privileged accounts should use __________.
A. extensible markup language (XML)
B. multifactor authentication
C. alphanumeric passphrases with special characters
D. 16 character-credentials

Answer 19

Answer: B
See page 71 of the CSA Cloud Security Guidance v4.
Alphanumeric passphrases with special characters that are 16-characters long are good, but multiple factors for authentication is a better means to achieve security. XML is a distractor in this context.

Question 20

__________ is one of the single most effective security controls to defend against a wide variety of attacks.
A. A firewall
B. Infrared camera surveillance
C. Egress monitoring
D. Multifactor authentication

Answer 20

Answer: D
See page 71 of the CSA Cloud Security Guidance v4. MFA addresses many kinds of attacks.
Firewalls typically protect against hostile inbound logical attacks. Cameras only protect against physical attacks. Egress monitoring typically protects against data exfiltration.

Question 21

Virtualizing resources into pools typically creates an environment where resiliency is decreased for __________.
A. any single virtual asset/machine
B. international customers
C. fiber networks
D. ISO-certified systems

Answer 21

Answer: A
A pooled environment is typically complex, and any particular virtual instance/workload/machine may be prone to loss or failure. See page 73 of the CSA Cloud Security Guidance v4.
This should not have any effect (or be affected by) the location of the customers, the communications/networking media used, or the certification of the systems.

Question 22

__________ allows the cloud customer to create an infrastructure template to configure all or some aspects of a cloud deployment.
A. REST APIs
B. artificial intelligence (AI)
C. intrinsic motivation
D. software-defined infrastructure (SDI)

Answer 22

Answer: D
BCDR is one of the purposes for using SDI. See page 73 of the CSA Cloud Security Guidance v4.
APIs and AI don’t necessarily aid in the use/creation of templates. “Intrinsic motivation” is a nonsense term in this context.

Question 23

What is probably the most significant barrier to implementing cloud business continuity/disaster recovery (BCDR) architecture across multiple geographic locations?
A. cost
B. legal prohibitions
C. loss of users
D. nonrepeatability of the web console’s color scheme

Answer 23

Answer: A
Replicating cloud assets across multiple geographic regions is typically more expensive that hosting a cloud environment in a single location. See page 74 of the CSA Cloud Security Guidance v4.
Laws may or may not restrict cross-border data transfer, but BCDR replication can be done within a single country/jurisdiction. The location of cloud assets should be irrelevant to users. The color scheme of the web console is of very little importance (usually) when planning BCDR responses.

Question 24

What is the term used to describe a security methodology that tests the overall resilience of the environment by selectively disabling components?
A. inventive pragmatism
B. structural adherence
C. plaintive wailing
D. chaos engineering

Answer 24

Answer: D
This methodology was pioneered and popularized by Netflix, which created a series of automated agents called the SIMian Army, including a Chaos Monkey and a Chaos Gorilla ( https://netflixtechblog.com/the-netflix-simian-army-16e57fbab116?gi=e48688837c22 ) . Netflix has since made these tools available to the public, for free ( https://github.com/Netflix/SimianArmy ). See page 74 of the CSA Cloud Security Guidance v4.
All of the other responses are terms I just made up, and used as distractors.

Question 25

Prepare for __________ in case of a provider outage.
A. bankruptcy
B. graceful failure
C. cataclysmic results
D. legal repercussions

Answer 25

Answer: B
Because loss of availability is always a possibility, the cloud customer should design the architecture for graceful failure– that is, no additional impact should be realized after the outage occurs. See page 76 of the CSA Cloud Security Guidance v4.
If BCDR response is planned appropriately, loss of availability should not lead to bankruptcy, cataclysm, or legal action.