Domain 6: Management Plane and Business Continuity Flashcards
According to the CSA Cloud Security Guidance v4, what is the single most significant security difference between cloud computing and traditional IT infrastructure?
A. virtualization
B. microprocessors
C. the user community
D. the management plane
Answer: D
All the other responses may exist in the traditional IT environment, but the management plane is unique to cloud computing. See page 67 of the CSA Cloud Security Guidance v4.
As an analogy, gaining access to the management plane is like __________.
A. getting access to all personnel records
B. getting physical access to your building
C. getting access to all traffic entering and leaving your IT environment
D. getting unfettered access to your data center
Answer: D
This is particularly true for IaaS environments, which very much replicate the function and purpose of the traditional data center. See page 67 of the CSA Cloud Security Guidance v4.
Both access to personnel records and physical access to the building may result in damage to the organization, but that damage is somewhat limited, and not nearly the level of threat posed by illicit access to the management plane. Monitoring inbound and outbound traffic poses a significant risk, but not nearly on the scale of what an attacker could do by controlling the management plane.
Who is responsible for securing and managing the credentials used to access the management plane?
A. the cloud provider
B. the cloud customer
C. regulators
D. the user
Answer: B
The customer creates the credentials used to access the management plane, and is responsible for securing and managing them. See page 68 of the CSA Cloud Security Guidance v4.
Which of the following is not a main aspect of business continuity/disaster recovery (BCDR) in the cloud?
A. considering options for portability
B. preparing for and managing provider outages
C. ensuring continuity and recovery within a given cloud provider
D. lobbying legislators to create legal constraints for cloud providers
Answer: D
Trying to change or create laws is not a typical security activity. The other responses are the main aspects of cloud BCDR. See page 68 of the CSA Cloud Security Guidance v4.
__________ is a cloud business continuity/disaster recovery (BCDR) feature that is not easily accomplished in a traditional (on-prem) IT environment.
A. regular backups
B. deploying virtual machines across multiple, distinct geographic availability zones
C. versioning of baseline operating system (OS) builds
D. personnel training
Answer: B
It is difficult to build multiple traditional data centers in different geographic areas, as physical property is very expensive. In the cloud, however, spreading virtual resources across different physical locations is efficient and cost-effective. See page 68 of the CSA Cloud Security Guidance v4.
In which service model is the customer more likely to have the ability to architect the cloud environment for resiliency?
A. IaaS
B. PaaS
C. SaaS
D. public
Answer: A
In an IaaS cloud, the customer has much more authority and responsibility to configure the cloud environment. See page 69 of the CSA Cloud Security Guidance v4.
“Public” is a deployment model, not a service model.
Which of the following are essential for a risk-based approach to business continuity/disaster recovery (BCDR) in the cloud? [select all that apply]
A. not all assets need equal continuity
B. you don’t need to plan for full provider outages; review the historical performance of the provider
C. try to design your environment to meet the same goals (recovery time objective [RTO] and recovery point objective [RPO]) you used for your traditional environment
D. always purchase the highest-cost provider package, to ensure the utmost availability
Answer: A, B, C
The most expensive service is not always optimum for your business goals. All the other responses are advised by the CSA. See page 69 of the CSA Cloud Security Guidance v4.
What sort of interface does the cloud customer typically have with the management plane in an SaaS cloud model?
A. root-level access of the underlying hardware
B. an “admin” tab on the user panel
C. administrative access to the operating system the app runs on
D. physical access to the data center itself
Answer: B
In an SaaS model, the customer typically has minimal interaction with the environment, often typified by an “admin” or “settings” tab on the interface. See page 69 of the CSA Cloud Security Guidance v4.
The other responses are not at all typical for SaaS customers; A and D almost never are granted to customers, and C is usually restricted to PaaS and IaaS customers.
The management plane is instrumental for enabling and enforcing __________ and __________ in multitenancy. [select two]
A. refraction
B. implementation
C. isolation
D. separation
E. navigation
F. compensation
Answer: C, D
IaaS architecture can be used to enhance logical separation and process/system isolation. See page 69 of the CSA Cloud Security Guidance v4.
The management plane does not aid with refraction or navigation, which are terms with no meaning in this context. The management plane does not aid in compensation (payment); payment is usually based on performance.
The management plane includes the interfaces for __________ and also the interfaces for __________. [select two]
A. building and managing the cloud itself
B. allowing auditors access to inspect the environment
C. permitting regulators to review the cloud architecture
D. end users to enter the physical data center
E. government agents to surveil web traffic
F. cloud customers to manage their own allocated resources in the cloud
Answer: A, F
See page 69 of the CSA Cloud Security Guidance v4. The management plane will be used by the cloud provider to set up and optimize the cloud infrastructure, and also by the cloud customer, to apportion the IT resources they’ve paid to access.
The management plane is not typically accessed by auditors, government agents, or regulators, and end users do not typically get physical access to the cloud data center.
What are the two typical ways cloud providers deliver management plane access to customers? [select two]
A. overnight shipping
B. web consoles
C. APIs
D. add-ins to operating systems (OSs)
E. portable media
Answer: B, C
See page 69 of the CSA Cloud Security Guidance v4.
Web consoles for accessing the cloud management plane are managed by the __________.
A. cloud provider
B. cloud customer
C. regulator
D. programmer
Answer: A
See page 70 of the CSA Cloud Security Guidance v4.
The web console’s __________ might be customized to a particular customer’s organization, to create that organization’s own “version” of the console.
A. color scheme
B. logo
C. domain name
D. preferred browser
Answer: C
While the customization may include the organization’s color scheme and logo, it’s the domain name that actually directs that organization’s users to a customized interface for the web console. See page 70 of the CSA Cloud Security Guidance v4.
Cloud management plane web consoles should not be browser-dependent.
Cloud management plane APIs are typically created with __________.
A. care
B. representational state transfer (REST)
C. simple object access protocol (SOAP)
D. extensible markup language (XML)
Answer: B
According to page 70 of the CSA Cloud Security Guidance v4, “REST is easy to implement over the Internet.” SOAP (a protocol based on XML) can also be used to create APIs, but is not as modern as REST.
REST APIs run over __________, and therefore work well across diverse environments.
A. fiber lines
B. all obstacles
C. wifi
D. HTTP/S
Answer: D
Both REST and HTTP were created by the same person, Roy Fielding. See page 70 of the CSA Cloud Security Guidance v4.
Fiber and wifi are communications media; most protocols can run over most media. “All obstacles” is a distractor here.