Domain 6: Management Plane and Business Continuity Flashcards

1
Q

According to the CSA Cloud Security Guidance v4, what is the single most significant security difference between cloud computing and traditional IT infrastructure?
A. virtualization
B. microprocessors
C. the user community
D. the management plane

A

Answer: D
All the other responses may exist in the traditional IT environment, but the management plane is unique to cloud computing. See page 67 of the CSA Cloud Security Guidance v4.

2
Q

As an analogy, gaining access to the management plane is like __________.
A. getting access to all personnel records
B. getting physical access to your building
C. getting access to all traffic entering and leaving your IT environment
D. getting unfettered access to your data center

A

Answer: D
This is particularly true for IaaS environments, which very much replicate the function and purpose of the traditional data center. See page 67 of the CSA Cloud Security Guidance v4.
Both access to personnel records and physical access to the building may result in damage to the organization, but are somewhat limited, and not nearly the level of threat posed by illicit access to the management plane. Monitoring inbound and outbound traffic poses a significant risk, but not nearly on the scale of what an attacker could do by controlling the management plane.

3
Q

Who is responsible for securing and managing the credentials used to access the management plane?
A. the cloud provider
B. the cloud customer
C. regulators
D. the user

A

Answer: B
The customer creates the credentials used to access the management plane, and is responsible for securing and managing them. See page 68 of the CSA Cloud Security Guidance v4.

4
Q

Which of the following is not a main aspect of business continuity/disaster recovery (BCDR) in the cloud?
A. considering options for portability
B. preparing for and managing provider outages
C. ensuring continuity and recovery within a given cloud provider
D. lobbying legislators to create legal constraints for cloud providers

A

Answer: D
Trying to change or create laws is not a typical security activity. The other responses are the main aspects of cloud BCDR. See page 68 of the CSA Cloud Security Guidance v4.

5
Q

__________ is a cloud business continuity/disaster recovery (BCDR) feature that is not easily accomplished in a traditional (on-prem) IT environment.
A. regular backups
B. deploying virtual machines across multiple, distinct geographic availability zones
C. versioning of baseline operating system (OS) builds
D. personnel training

A

Answer: B
It is difficult to build multiple traditional data centers in different geographic areas, as physical property is very expensive. In the cloud, however, spreading virtual resources across different physical locations is efficient and cost-effective. See page 68 of the CSA Cloud Security Guidance v4.

6
Q

In which service model is the customer more likely to have the ability to architect the cloud environment for resiliency?
A. IaaS
B. PaaS
C. SaaS
D. public

A

Answer: A
In an IaaS cloud, the customer has much more authority and responsibility to configure the cloud environment. See page 69 of the CSA Cloud Security Guidance v4.
“Public” is a deployment model, not a service model.

7
Q

Which of the following are essential for a risk-based approach to business continuity/disaster recovery (BCDR) in the cloud? [select all that apply]
A. not all assets need equal continuity
B. you don’t need to plan for full provider outages; review the historical performance of the provider
C. try to design your environment to meet the same goals (recovery time objective [RTO] and recovery point objective [RPO]) you used for your traditional environment
D. always purchase the highest-cost provider package, to ensure the utmost availability

A

Answer: A, B, C
The most expensive service is not always optimum for your business goals. All the other responses are advised by the CSA. See page 69 of the CSA Cloud Security Guidance v4.

8
Q

What sort of interface does the cloud customer typically have with the management plane in an SaaS cloud model?
A. root-level access of the underlying hardware
B. an “admin” tab on the user panel
C. administrative access to the operating system the app runs on
D. physical access to the data center itself

A

Answer: B
In an SaaS model, the customer typically has minimal interaction with the environment, often typified by an “admin” or “settings” tab on the interface. See page 69 of the CSA Cloud Security Guidance v4.
The other responses are not at all typical for SaaS customers; A and D are almost never granted to customers, and C is usually restricted to PaaS and IaaS customers.

9
Q

The management plane is instrumental for enabling and enforcing __________ and __________ in multitenancy. [select two]
A. refraction
B. implementation
C. isolation
D. separation
E. navigation
F. compensation

A

Answer: C, D
IaaS architecture can be used to enhance logical separation and process/system isolation. See page 69 of the CSA Cloud Security Guidance v4.
The management plane does not aid with refraction or navigation, which are terms with no meaning in this context. The management plane does not aid in compensation (payment); payment is usually based on performance.

10
Q

The management plane includes the interfaces for __________ and also the interfaces for __________. [select two]
A. building and managing the cloud itself
B. allowing auditors access to inspect the environment
C. permitting regulators to review the cloud architecture
D. end users to enter the physical data center
E. government agents to surveil web traffic
F. cloud customers to manage their own allocated resources in the cloud

A

Answer: A, F
See page 69 of the CSA Cloud Security Guidance v4. The management plane will be used by the cloud provider to set up and optimize the cloud infrastructure, and also by the cloud customer, to apportion the IT resources they’ve paid to access.
The management plane is not typically accessed by auditors, government agents, or regulators, and end users do not typically get physical access to the cloud data center.

11
Q

What are the two typical ways cloud providers deliver management plane access to customers? [select two]
A. overnight shipping
B. web consoles
C. APIs
D. add-ins to operating systems (OSs)
E. portable media

A

Answer: B, C
See page 69 of the CSA Cloud Security Guidance v4.

12
Q

Web consoles for accessing the cloud management plane are managed by the __________.
A. cloud provider
B. cloud customer
C. regulator
D. programmer

A

Answer: A
See page 70 of the CSA Cloud Security Guidance v4.

13
Q

The web console’s __________ might be customized to a particular customer’s organization, to create that organization’s own “version” of the console.
A. color scheme
B. logo
C. domain name
D. preferred browser

A

Answer: C
While the customization may include the organization’s color scheme and logo, it’s the domain name that actually directs that organization’s users to a customized interface for the web console. See page 70 of the CSA Cloud Security Guidance v4.
Cloud management plane web consoles should not be browser-dependent.

14
Q

Cloud management plane APIs are typically created with __________.
A. care
B. representational state transfer (REST)
C. simple object access protocol (SOAP)
D. extensible markup language (XML)

A

Answer: B
According to page 70 of the CSA Cloud Security Guidance v4, “REST is easy to implement over the Internet.” SOAP (a protocol based on XML) can also be used to create APIs, but is not as modern as REST.

15
Q

REST APIs run over __________, and therefore work well across diverse environments.
A. fiber lines
B. all obstacles
C. wifi
D. HTTP/S

A

Answer: D
Both REST and HTTP were created by the same person, Roy Fielding. See page 70 of the CSA Cloud Security Guidance v4.
Fiber and wifi are communications media; most protocols can run over most media. “All obstacles” is a distractor here.

16
Q

REST API authentication commonly uses __________ or __________ . [select two]
A. ticket-granting tickets (TGT)
B. HTTP request signing
C. quad processors
D. OAuth
E. large fonts

A

Answer: B, D
Both of these use cryptography to enhance authentication. See page 70 of the CSA Cloud Security Guidance v4.
Ticket-granting tickets are a characteristic of Kerberos. “Quad processors” and “large fonts” are just distractors in this context.

17
Q

Identity and access management (IAM) typically includes all of the following except __________.
A. identification
B. isolation
C. authentication
D. authorization

A

Answer: B
Isolation is not an element of IAM. See page 70 of the CSA Cloud Security Guidance v4.

18
Q

The cloud customer’s root account, which can be used to create or destroy the entire configuration, should have all the following qualities except __________.
A. enterprise-owned
B. almost never used
C. secured
D. easy to recover

A

Answer: D
Typically, recovery of lost accounts (or credentials) should involve a complicated process that includes identity challenges and additional authorization confirmation. See page 71 of the CSA Cloud Security Guidance v4.

19
Q

All privileged accounts should use __________.
A. extensible markup language (XML)
B. multifactor authentication
C. alphanumeric passphrases with special characters
D. 16-character credentials

A

Answer: B
See page 71 of the CSA Cloud Security Guidance v4.
Alphanumeric passphrases with special characters that are 16 characters long are good, but multiple factors of authentication are a better means to achieve security. XML is a distractor in this context.

20
Q

__________ is one of the single most effective security controls to defend against a wide variety of attacks.
A. A firewall
B. Infrared camera surveillance
C. Egress monitoring
D. Multifactor authentication

A

Answer: D
See page 71 of the CSA Cloud Security Guidance v4. MFA addresses many kinds of attacks.
Firewalls typically protect against hostile inbound logical attacks. Cameras only protect against physical attacks. Egress monitoring typically protects against data exfiltration.

21
Q

Virtualizing resources into pools typically creates an environment where resiliency is decreased for __________.
A. any single virtual asset/machine
B. international customers
C. fiber networks
D. ISO-certified systems

A

Answer: A
A pooled environment is typically complex, and any particular virtual instance/workload/machine may be prone to loss or failure. See page 73 of the CSA Cloud Security Guidance v4.
This should not have any effect on (or be affected by) the location of the customers, the communications/networking media used, or the certification of the systems.

22
Q

__________ allows the cloud customer to create an infrastructure template to configure all or some aspects of a cloud deployment.
A. REST APIs
B. artificial intelligence (AI)
C. intrinsic motivation
D. software-defined infrastructure (SDI)

A

Answer: D
BCDR is one of the purposes for using SDI. See page 73 of the CSA Cloud Security Guidance v4.
APIs and AI don’t necessarily aid in the use/creation of templates. “Intrinsic motivation” is a nonsense term in this context.

23
Q

What is probably the most significant barrier to implementing cloud business continuity/disaster recovery (BCDR) architecture across multiple geographic locations?
A. cost
B. legal prohibitions
C. loss of users
D. nonrepeatability of the web console’s color scheme

A

Answer: A
Replicating cloud assets across multiple geographic regions is typically more expensive than hosting a cloud environment in a single location. See page 74 of the CSA Cloud Security Guidance v4.
Laws may or may not restrict cross-border data transfer, but BCDR replication can be done within a single country/jurisdiction. The location of cloud assets should be irrelevant to users. The color scheme of the web console is of very little importance (usually) when planning BCDR responses.

24
Q

What is the term used to describe a security methodology that tests the overall resilience of the environment by selectively disabling components?
A. inventive pragmatism
B. structural adherence
C. plaintive wailing
D. chaos engineering

A

Answer: D
This methodology was pioneered and popularized by Netflix, which created a series of automated agents called the Simian Army, including a Chaos Monkey and a Chaos Gorilla (https://netflixtechblog.com/the-netflix-simian-army-16e57fbab116?gi=e48688837c22). Netflix has since made these tools available to the public, for free (https://github.com/Netflix/SimianArmy). See page 74 of the CSA Cloud Security Guidance v4.
All of the other responses are terms I just made up, and used as distractors.

25
Q

Prepare for __________ in case of a provider outage.
A. bankruptcy
B. graceful failure
C. cataclysmic results
D. legal repercussions

A

Answer: B
Because loss of availability is always a possibility, the cloud customer should design the architecture for graceful failure, that is, no additional impact should be realized after the outage occurs. See page 76 of the CSA Cloud Security Guidance v4.
If BCDR response is planned appropriately, loss of availability should not lead to bankruptcy, cataclysm, or legal action.