Domain 7: Infrastructure Security Flashcards

1
Q

For cloud providers, there are typically three different physical networks in a data center. Which of these is not one of the typical networks?
A. service
B. storage
C. management
D. review

A

Answer: D
There is no “review” network in typical cloud data centers. The three usual networks are the service network (customer-facing traffic to and from instances), the storage network, and the management network (used by the provider to control the compute nodes). See page 78 of the CSA Cloud Security Guidance v4.

2
Q

What are the two general categories of network virtualization common in cloud environments? [select two]
A. perforated
B. VLAN (virtual local area network)
C. SaaS
D. hypervisor
E. SDN (software-defined networking)
F. TPS (total processing simulation)

A

Answer: B, E
VLAN and SDN are the two general categories of network virtualization used in modern cloud computing. See pages 78-79 of the CSA Cloud Security Guidance v4.
SaaS is a service model, not a type of network virtualization. A hypervisor is used to create virtual instances. “Perforated” is meaningless in this context. “TPS” is a fake term made up as a distractor.

3
Q

Software-defined networks (SDNs) decouple the control plane from the __________.
A. data plane
B. data center
C. customer
D. Internet

A

Answer: A
SDN separates the control plane (the logic that decides how traffic is forwarded) from the data plane (the forwarding elements that actually move packets), so the network can be defined and changed in software rather than device by device. See page 79 of the CSA Cloud Security Guidance v4.
The network still lives in a data center and still connects to the Internet, and the customer still reaches data through it; none of those is what the control plane is decoupled from.

4
Q

Software-defined networks (SDNs) offer higher __________ and __________. [select two]
A. risk
B. cost
C. abridgement
D. flexibility
E. isolation
F. regulation

A

Answer: D, E
See page 79 of the CSA Cloud Security Guidance v4.
SDNs do not typically cost more than other cloud options (and may actually cost less), nor do they entail more risk or regulation. “Abridgement” has no meaning in this context and is only a distractor.

5
Q

Software-defined networks (SDNs) offer __________, allowing customers to extend existing networks into the cloud.
A. proprietary data formats
B. software definition of IP ranges
C. a homogenous hardware approach
D. limited interactivity with other networks

A

Answer: B
Customers can use SDNs to extend an existing (on-premises) network into the cloud by defining the cloud network's IP ranges in software so that they fit the existing addressing plan. See page 79 of the CSA Cloud Security Guidance v4.
SDNs do not typically use proprietary data formats or specific hardware, nor do they limit interaction with other networks (these would actually be detrimental to cloud usage, instead of aiding the effort).

6
Q

Software-defined networks often use __________ so that virtual machines and other assets do not require modification to the underlying network stack to communicate with each other.
A. alternating current (AC)
B. data leak protection (DLP) solutions
C. packet encapsulation
D. rarified prohibition

A

Answer: C
SDNs use packet encapsulation: the workload's original packet is wrapped inside an outer packet that carries it across the provider's physical network, so the workload's own network stack needs no changes or customization to reach other assets. See page 79 of the CSA Cloud Security Guidance v4.
AC is a means to deliver electricity, not information. DLP is used to monitor data (not deliver it). “Rarified prohibition” is a nonsense term used as a distractor here.
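
The encapsulation described above, shown as an added example (not code from the flashcards or from the CSA guidance). It assumes VXLAN (RFC 7348) as the concrete overlay format, which is one common choice; the tenant names, VNI values, MAC addresses and payload are constructed for the demo. The point to notice is that two tenants can send byte-for-byte identical inner frames and the receiving endpoint still keeps them apart, because segment membership is read from the outer VXLAN header rather than from anything the guest controls.

```python
import struct

VXLAN_UDP_PORT = 4789       # IANA-assigned UDP port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08         # "I" flag: the VNI field is valid
VXLAN_HEADER_LEN = 8


def vxlan_encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header to an inner Ethernet frame.

    Layout (RFC 7348): flags(1) | reserved(3) | VNI(3) | reserved(1).
    The inner frame is carried untouched, which is why the guest's network
    stack needs no changes to take part in the overlay.
    """
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)   # VNI in the top 24 bits
    return header + inner_frame


def vxlan_decapsulate(packet: bytes) -> tuple[int, bytes]:
    """Split a VXLAN packet into (vni, inner_frame), rejecting malformed headers."""
    if len(packet) < VXLAN_HEADER_LEN:
        raise ValueError("truncated VXLAN header")
    flags, vni_field = struct.unpack("!B3xI", packet[:VXLAN_HEADER_LEN])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag not set: VNI field is not valid")
    return vni_field >> 8, packet[VXLAN_HEADER_LEN:]


def ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet II frame (no FCS) to use as the inner packet."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def deliver(packet: bytes, tenant_by_vni: dict[int, str]) -> tuple[str, bytes]:
    """What a receiving tunnel endpoint does: pick the segment from the VNI, never from the inner frame.

    An unknown VNI is dropped rather than guessed, so one tenant's frames can
    never be handed to another tenant's segment.
    """
    vni, inner = vxlan_decapsulate(packet)
    if vni not in tenant_by_vni:
        raise PermissionError(f"dropping frame for unknown VNI {vni}")
    return tenant_by_vni[vni], inner


# Constructed sample data (not from the page): two tenants whose VMs happen to use
# identical MAC addresses and an identical inner payload.
TENANT_BY_VNI = {5001: "tenant-a", 5002: "tenant-b"}
SAME_INNER_FRAME = ethernet_frame(
    dst_mac=bytes.fromhex("020000000001"),
    src_mac=bytes.fromhex("020000000002"),
    ethertype=0x0800,                      # IPv4
    payload=b"identical inner IP packet",
)


def demo() -> dict[str, bytes]:
    """Encapsulate the same inner frame for both tenants and show the VNI keeps them apart."""
    out = {}
    for vni in TENANT_BY_VNI:
        pkt = vxlan_encapsulate(vni, SAME_INNER_FRAME)
        tenant, inner = deliver(pkt, TENANT_BY_VNI)
        assert inner == SAME_INNER_FRAME        # inner frame carried unchanged
        out[tenant] = pkt[:VXLAN_HEADER_LEN]    # only the outer header differs
    return out


if __name__ == "__main__":
    for tenant, hdr in demo().items():
        print(tenant, hdr.hex())
```

In a real deployment the VXLAN packet is additionally wrapped in UDP (port 4789) and an outer IP header addressed to the remote tunnel endpoint; that outer layer is the only part the physical network ever routes on, which is also why overlapping inner IP ranges across tenants are harmless.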

7
Q

Perhaps the most significant difference between the traditional and cloud environments that will affect security.
A. connecting the customer’s network to the outside world (including the Internet)
B. the requirement of hardware to interact with software
C. the requirement of hardware to connect to other hardware elements
D. lack of customer access to the underlying physical hardware/network

A

Answer: D
Customers cannot get physical access to the network in most cloud computing arrangements, which severely limits the customer’s use of security controls typical in the traditional environment. See page 79 of the CSA Cloud Security Guidance v4.
All the other responses describe situations that exist in both the cloud and traditional environments, so don’t pose any novel difficulties.

8
Q

The use of virtual security appliances in a cloud environment may cause __________ because they must intercept all network traffic.
A. intermittent outages
B. end-user dissatisfaction
C. traffic slowdown
D. cost fluctuation

A

Answer: C
Virtual appliances used for security purposes sit inline and must intercept all network traffic, so they can become throughput bottlenecks; they also consume provider resources and must be able to auto-scale with the resources they protect. See page 80 of the CSA Cloud Security Guidance v4.
Used properly, a virtual security appliance should be transparent to end users and should not affect the availability of other systems. Cost can change (the guidance notes that meeting performance requirements with virtual appliances may raise costs), but the direct consequence of intercepting all traffic is a slowdown, not a price swing.

9
Q

The use of virtual appliances for security in the cloud environment might negatively affect elasticity because product vendors might not support auto-scaling of __________.
A. appliance traffic
B. new product instances
C. additional users
D. licensing

A

Answer: D
If the vendors of the product do not allow the customer to replicate the appliance as needed under the licensing terms, the organization using that appliance may have limited elasticity. See page 80 of the CSA Cloud Security Guidance v4.
Virtual appliances used for security purposes should typically handle fluctuating traffic and user base, and have the technical capacity for creating new instances.

10
Q

Virtual appliances used for security in a cloud environment should monitor cloud assets according to __________.
A. IP address
B. network name
C. unique ID
D. region

A

Answer: C
In the cloud environment, IP addresses are subject to change far more frequently than in a traditional enterprise, so the use of unique IDs is preferable. See page 80 of the CSA Cloud Security Guidance v4.
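
An added example of why monitoring by unique ID matters, not code from the flashcards or from CSA. It assumes an asset inventory that records which instance held which private IP over time (the instance IDs, IPs, timestamps and flow-log-style lines are all constructed for the demo). Keyed by IP, the rejected flows from 10.0.1.5 look like one misbehaving host; keyed by instance, two of them belong to a machine that was terminated at noon and one falls in a window where no known instance held the address, which is exactly the kind of attribution error that IP-based monitoring hides.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Lease:
    """One period during which an instance held a given private IP."""
    instance_id: str
    ip: str
    start: datetime
    end: Optional[datetime]     # None: the instance is still running


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed inventory (not from the page): i-0aaa was terminated at 12:00 and
# i-0bbb, launched later from the same template, received the same IP at 12:30.
INVENTORY = [
    Lease("i-0aaa", "10.0.1.5", ts("2024-03-01T00:00:00"), ts("2024-03-01T12:00:00")),
    Lease("i-0bbb", "10.0.1.5", ts("2024-03-01T12:30:00"), None),
    Lease("i-0ccc", "10.0.1.9", ts("2024-03-01T00:00:00"), None),
]


def resolve_instance(ip: str, at: datetime, inventory=INVENTORY) -> Optional[str]:
    """Map (ip, time) to the instance that actually held the IP at that moment.

    Returns None when no instance held the IP (e.g. the gap between reuse),
    and refuses to guess if the inventory is inconsistent.
    """
    holders = [
        lease.instance_id
        for lease in inventory
        if lease.ip == ip and lease.start <= at and (lease.end is None or at < lease.end)
    ]
    if len(holders) > 1:
        raise ValueError(f"inventory claims {holders} all held {ip} at {at}")
    return holders[0] if holders else None


# Constructed flow-log-style lines: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>"
LOG_LINES = """\
2024-03-01T08:15:00 10.0.1.5 10.0.2.20 5432 REJECT
2024-03-01T08:16:00 10.0.1.5 10.0.2.20 5432 REJECT
2024-03-01T12:10:00 10.0.1.5 10.0.2.20 5432 REJECT
2024-03-01T14:00:00 10.0.1.5 10.0.2.20 443 ACCEPT
2024-03-01T14:05:00 10.0.1.9 10.0.2.20 5432 REJECT
""".splitlines()


def rejects_by_instance(lines=LOG_LINES, inventory=INVENTORY) -> dict[str, int]:
    """Count REJECTed flows per source *instance*, not per source IP."""
    counts: dict[str, int] = {}
    for line in lines:
        when, src_ip, _dst_ip, _port, action = line.split()
        if action != "REJECT":
            continue
        owner = resolve_instance(src_ip, ts(when), inventory) or "unattributed"
        counts[owner] = counts.get(owner, 0) + 1
    return counts


def rejects_by_ip(lines=LOG_LINES) -> dict[str, int]:
    """The naive version keyed by IP, shown for contrast."""
    counts: dict[str, int] = {}
    for line in lines:
        _when, src_ip, _dst_ip, _port, action = line.split()
        if action == "REJECT":
            counts[src_ip] = counts.get(src_ip, 0) + 1
    return counts


if __name__ == "__main__":
    print("by IP:      ", rejects_by_ip())
    print("by instance:", rejects_by_instance())
```

The "unattributed" bucket is worth alerting on in its own right: a flow whose source IP belonged to no inventoried instance at that time means either the inventory is incomplete or something is using an address it should not have.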

11
Q

The use of firewalls in software-defined networks (SDNs), often referred to as “security groups,” allows for __________ control of traffic and access control.
A. simple
B. granular
C. expensive
D. immediate

A

Answer: B
Granular is the best option of these responses; SDN firewalls allow extreme specificity of traffic to or from particular assets in the environment, regardless of the physical location of the asset on the network. See page 80 of the CSA Cloud Security Guidance v4.
The use of SDN firewalls may or may not be simple, expensive, or immediate.

12
Q

Unlike physical network security appliances, firewalls in software-defined networking (SDN) are typically __________.
A. free of charge
B. set to default-deny
C. not effective
D. broad in effect

A

Answer: B
SDN firewalls are usually default-deny. See page 80 of the CSA Cloud Security Guidance v4.
SDN firewalls are not typically free of charge. They are, however, usually quite effective, and allow for granular control (as opposed to broad effect).
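
An added example that models the two properties from the last two cards (granular, group-based rules and default-deny) and the microsegmentation idea that follows. It is not code from the flashcards or from CSA, and it is a simplified model rather than any provider's actual evaluation logic; the three-tier policy, group names, instance IDs and addresses are constructed. Two things to notice: a rule's source can be another security group rather than an address, so an instance is admitted by what it is, not where it sits; and with only allow rules and no match, traffic is dropped, so the web tier cannot reach the database directly even though the policy never says "deny".

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    """An ingress allow rule. There are no deny rules: anything unmatched is denied."""
    protocol: str       # "tcp" or "udp"
    port_from: int
    port_to: int
    source: str         # a CIDR such as "0.0.0.0/0", or another group id such as "sg-web"


# Constructed three-tier policy (not from the page). Each tier only admits the tier in
# front of it, identified by security group rather than by address.
SECURITY_GROUPS: dict[str, list[AllowRule]] = {
    "sg-web": [AllowRule("tcp", 443, 443, "0.0.0.0/0")],
    "sg-app": [AllowRule("tcp", 8080, 8080, "sg-web")],
    "sg-db":  [AllowRule("tcp", 5432, 5432, "sg-app")],
}

# Constructed inventory: instance id -> (private IP, security group)
INSTANCES: dict[str, tuple[str, str]] = {
    "i-web1": ("10.0.1.10", "sg-web"),
    "i-app1": ("10.0.2.10", "sg-app"),
    "i-db1":  ("10.0.3.10", "sg-db"),
    "i-web2": ("10.0.3.20", "sg-web"),   # a web node that happens to sit in the "db" subnet
}


def groups_of(ip: str) -> set[str]:
    """Which security groups the instance holding this IP belongs to."""
    return {group for addr, group in INSTANCES.values() if addr == ip}


def rule_matches(rule: AllowRule, src_ip: str, protocol: str, port: int) -> bool:
    if rule.protocol != protocol or not rule.port_from <= port <= rule.port_to:
        return False
    if rule.source.startswith("sg-"):
        # Group-based source: membership, not location on the network, decides.
        return rule.source in groups_of(src_ip)
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)


def is_allowed(dst_instance: str, src_ip: str, protocol: str, port: int) -> bool:
    """Evaluate ingress to dst_instance. Default-deny: no matching allow rule means drop."""
    _, group = INSTANCES[dst_instance]
    return any(rule_matches(r, src_ip, protocol, port) for r in SECURITY_GROUPS[group])


def reachable_from(src_instance: str, protocol: str, port: int) -> set[str]:
    """Blast-radius helper: which other instances could src_instance reach on this port?"""
    src_ip, _ = INSTANCES[src_instance]
    return {dst for dst in INSTANCES
            if dst != src_instance and is_allowed(dst, src_ip, protocol, port)}


if __name__ == "__main__":
    for src in INSTANCES:
        print(src, "-> 5432:", sorted(reachable_from(src, "tcp", 5432)))
```

The `reachable_from` helper is the check worth running against a real policy export: for each instance, the set of peers it can reach on sensitive ports is its blast radius, and a compromised web node should come back with an empty set for the database port.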

13
Q

One of the benefits of microsegmentation is that each __________ can exist on its own network.
A. data center
B. application
C. user
D. organization

A

Answer: B
Microsegmentation allows for application isolation in a cost-effective manner. See page 82 of the CSA Cloud Security Guidance v4.
There should be many virtual networks inside a data center and an organization. Putting each user on a distinct network has no real advantage.

14
Q

Having assets on separate networks promotes security by __________.
A. putting an extra layer of access control on data files
B. blocking external distributed denial of service (DDOS) attacks
C. protecting data from privileged account holders
D. reducing the potential impact if an attacker gets access to an asset

A

Answer: D
Colloquially referred to as “reducing the blast radius” in the CSA Cloud Security Guidance v4, this is discussed on page 84.
Microsegmentation doesn’t add an extra layer of access control on a file (that actually describes digital rights management), nor does it block DDOS attacks. It may help in limiting impact from a rogue or careless administrator, but D is the better answer.

15
Q

The use and implementation of microsegmentation may increase __________.
A. capital expenses
B. enterprise risk
C. regulatory oversight
D. operational expenses

A

Answer: D
Microsegmentation may require additional administrative and managerial efforts, which are operational expenses. See page 82 of the CSA Cloud Security Guidance v4.
Additional virtual network segments do not require buying more hardware, so they are not a capital expense. Likewise, microsegmentation does not add more risk or regulation.

16
Q

Which of the following is not part of the software-defined perimeter (SDP) model, defined by the CSA SDP Working Group?
A. an asset that connects to the cloud
B. an SDP motivator
C. an SDP controller
D. an SDP gateway

A

Answer: B
There is no “SDP motivator” defined by the SDP Working Group. All the other responses are elements of the SDP model. See page 82 of the CSA Cloud Security Guidance v4.

17
Q

Which of the following is not a recommended tool for enforcing separation between private and public clouds in a hybrid cloud deployment?
A. firewalls
B. digital rights management (DRM)
C. routing
D. access controls

A

Answer: B
DRM is a file-based access control mechanism, and would not aid in network separation. The other options are all recommended by CSA. See page 83 of the CSA Cloud Security Guidance v4.

18
Q

Which of the following is not one of the challenges created by hybrid cloud deployments?
A. increased routing complexity
B. additional costs for registering domain names
C. reduces the ability to run multiple cloud networks with overlapping IP ranges
D. complicates security because of the need to harmonize controls

A

Answer: B
The cost of registering domain names is not significantly increased by hybrid cloud deployments. All the other options are challenges involved with hybrid clouds. See page 83 of the CSA Cloud Security Guidance v4.

19
Q

How does a “bastion” or “transit” virtual network architecture assist in a hybrid cloud deployment?
A. the second-level networks are not peered to each other, and therefore effectively segregated
B. users are kept from accessing the public cloud, reducing overall risk
C. throttling of traffic eliminates the possibility of denial of service (DOS/DDOS) attacks
D. authentication of each service is increased in general

A

Answer: A
Each second-level network connects to the data center only through the dedicated bastion/transit network (which terminates the VPN), and the second-level networks are not peered with one another, so they are isolated from each other. See page 84 of the CSA Cloud Security Guidance v4.
Users can still reach the cloud (otherwise the deployment would serve no purpose). Bastion/transit virtual networks do not meaningfully help in preventing DOS/DDOS attacks, nor in authentication.
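
An added example that checks a hybrid layout against the bastion/transit pattern; it is not code from the flashcards or from CSA. It assumes the peering model is non-transitive (a peering from transit to prod plus one from transit to dev does not let prod reach dev), which is how typical cloud VPC peering behaves; the network names and peerings are constructed. The check flags any spoke-to-spoke peering that would bypass the transit network and any spoke that has no path to the data center at all, and the blast-radius helper shows what an attacker who owns one spoke can reach.

```python
# Constructed example (not from the page). One transit network terminates the VPN to
# the data center; three second-level networks hang off it and nothing else.
NETWORKS = {"transit", "prod", "dev", "analytics"}
DATA_CENTER_LINK = "transit"           # the only network that holds the VPN to the data center
PEERINGS = {                           # undirected, as frozensets of the two endpoints
    frozenset({"transit", "prod"}),
    frozenset({"transit", "dev"}),
    frozenset({"transit", "analytics"}),
}


def directly_peered(a: str, b: str, peerings=PEERINGS) -> bool:
    return frozenset({a, b}) in peerings


def reachable(a: str, b: str, peerings=PEERINGS) -> bool:
    """Can a talk to b at the network layer?

    Assumes non-transitive peering (typical cloud VPC peering): reachability is
    exactly direct peering, so transit<->prod and transit<->dev do NOT give prod<->dev.
    """
    return a != b and directly_peered(a, b, peerings)


def hub_and_spoke_violations(hub: str, networks=NETWORKS, peerings=PEERINGS) -> list[str]:
    """Report anything that breaks the bastion/transit pattern."""
    problems = []
    for p in peerings:
        if hub not in p:
            x, y = sorted(p)
            problems.append(f"spoke-to-spoke peering {x}<->{y} bypasses {hub}")
    for n in sorted(networks - {hub}):
        if not directly_peered(hub, n, peerings):
            problems.append(f"{n} has no peering to {hub} and cannot reach the data center")
    return problems


def blast_radius(network: str, networks=NETWORKS, peerings=PEERINGS) -> set[str]:
    """Other networks an attacker who owns `network` can reach at the network layer."""
    return {n for n in networks if reachable(network, n, peerings)}


if __name__ == "__main__":
    print("violations:", hub_and_spoke_violations(DATA_CENTER_LINK))
    for n in sorted(NETWORKS):
        print(n, "->", sorted(blast_radius(n)))
```

The transit network is, by design, the one place with the largest blast radius, which is why it should carry only the VPN termination and routing, and no workloads of its own.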

20
Q

Which of the following might be considered a cloud “workload”? [Select all that apply.]
A. an element of credit card data
B. an individual user
C. a virtual machine
D. a private business
E. a container
F. a nation-state

A

Answer: C, E
Workloads are units of processing (see page 84 of the CSA Cloud Security Guidance v4). This can include any abstracted assets, including containers and virtual machines.
Workloads are not data, files, companies, people, or nations.

21
Q

Workloads always __________ and __________ [select two]
A. run on a processor
B. consume memory
C. cross international borders
D. cause user error

A

Answer: A, B
As abstracted processing assets, workloads will always consume memory and run on processors. See page 84 of the CSA Cloud Security Guidance v4.
Workloads may or may not cross borders, depending on which provider regions the architecture is deployed in. Workloads aren’t typically the cause of user error (but may be impacted by it).

22
Q

One reason containers can launch quickly.
A. they are always loaded from solid-state drives (SSDs)
B. they do not have to boot operating systems (OSs)
C. they have neutrino memory
D. there are very many of them in the public cloud

A

Answer: B
Containers use the kernel of an existing OS, and therefore don’t need to boot another OS to launch. See page 85 of the CSA Cloud Security Guidance v4.
Containers may or may not use SSDs; they can use other media as well. “Neutrino memory” is only a distractor here, and has no actual meaning. The popularity of containers does not make them fast; the opposite is probably true (the speed of containers makes them popular).

23
Q

Who is responsible for creating and enforcing segregation in the hardware stack of cloud computing?
A. the user
B. the cloud customer
C. the cloud provider
D. regulators

A

Answer: C
This is the job of the cloud provider. See page 86 of the CSA Cloud Security Guidance v4.

24
Q

One of the characteristics of immutable workloads.
A. no need to patch individual virtual machines
B. users cannot make any errors
C. legal in all jurisdictions
D. immune to malware

A

Answer: A
In an environment using immutable workloads, patches are not applied to individual virtual machines; instead, the core (“golden”) image is updated, and new versions of that image are instantiated in place of the old instances, which are destroyed. See page 86 of the CSA Cloud Security Guidance v4.
Immutability may or may not be “legal” (and is rarely a matter of law), and does not make images/instances unsusceptible to malware infection. Unfortunately, nothing in the world can prevent user error.

25
Q

__________ is essential to proper management of an immutable environment.
A. consistency in the image creation process
B. highly-paid engineers
C. the proper geophysical location
D. auditor approval

A

Answer: A
All instances/workloads will be formed during the creation (and updating) of the golden image; therefore, the golden image must be consistently and regularly updated with all current patches and fixes in order to ensure the environment is properly protected. See page 87 of the CSA Cloud Security Guidance v4.
What you pay your engineers or where you are located should not necessarily have direct impact on immutable environments. Auditors do not approve architectures; auditors ensure compliance with a standard.