Domain 7: Infrastructure Security Flashcards
For cloud providers, there are typically three different physical networks in a data center. Which of these is not one of the typical networks?
A. service
B. storage
C. management
D. review
Answer: D
There is no “review” network in typical cloud data centers. See page 78 of the CSA Cloud Security Guidance v4.
What are the two general categories of network virtualization common in cloud environments? [select two]
A. perforated
B. VLAN (virtual local area network)
C. SaaS
D. hypervisor
E. SDN (software-defined networking)
F. TPS (total processing simulation)
Answer: B, E
VLAN and SDN are the two general categories of network virtualization used in modern cloud computing. See pages 78-79 of the CSA Cloud Security Guidance v4.
SaaS is a service model, not a type of network virtualization. A hypervisor is used to create virtual instances. “Perforated” is meaningless in this context. “TPS” is a fake term made up as a distractor.
Software-defined networks (SDNs) decouple the control plane from the __________.
A. data plane
B. data center
C. customer
D. Internet
Answer: A
SDNs allow network abstraction away from the hardware and data stored therein. See page 79 of the CSA Cloud Security Guidance v4.
The network is still tethered to the data center and Internet, and the customer can still access the data through the SDN.
Software-defined networks (SDNs) offer higher __________ and __________. [select two]
A. risk
B. cost
C. abridgement
D. flexibility
E. isolation
F. regulation
Answer: D, E
See page 79 of the CSA Cloud Security Guidance v4.
SDNs do not typically cost more than other cloud options (and may actually cost less), nor do they entail more risk or regulation. “Abridgement” has no meaning in this context and is only a distractor.
Software-defined networks (SDNs) offer __________, allowing customers to extend existing networks into the cloud.
A. proprietary data formats
B. software definition of IP ranges
C. a homogenous hardware approach
D. limited interactivity with other networks
Answer: B
Customers can use SDNs to grow an existing (on-premise) network into the cloud by assigning IP addresses that use the existing range. See page 79 of the CSA Cloud Security Guidance v4.
SDNs do not typically use proprietary data formats or specific hardware, nor do they limit interaction with other networks (these would actually be detrimental to cloud usage, instead of aiding the effort).
Software-defined networks often use __________ so that virtual machines and other assets do not require modification to the underlying network stack to communicate with each other.
A. alternating current (AC)
B. data leak protection (DLP) solutions
C. packet encapsulation
D. rarified prohibition
Answer: C
SDNs utilize encapsulation so that various assets can communicate across a networked environment without any other changes or customization. See page 79 of the CSA Cloud Security Guidance v4.
AC is a means to deliver electricity, not information. DLP is used to monitor data (not deliver it). “Rarified prohibition” is a nonsense term used as a distractor here.
Perhaps the most significant difference between the traditional and cloud environments that will affect security is __________.
A. connecting the customer’s network to the outside world (including the Internet)
B. the requirement of hardware to interact with software
C. the requirement of hardware to connect to other hardware elements
D. lack of customer access to the underlying physical hardware/network
Answer: D
Customers cannot get physical access to the network in most cloud computing arrangements, which severely limits the customer’s use of security controls typical in the traditional environment. See page 79 of the CSA Cloud Security Guidance v4.
All the other responses describe situations that exist in both the cloud and traditional environments, so they don’t pose any novel difficulties.
The use of virtual security appliances in a cloud environment may cause __________ because they must intercept all network traffic.
A. intermittent outages
B. end-user dissatisfaction
C. traffic slowdown
D. cost fluctuation
Answer: C
Virtual appliances used for security purposes may cause traffic bottlenecks, because they cannot fail open in the same manner a hardware security device would. See page 80 of the CSA Cloud Security Guidance v4.
The use of virtual appliances for security in the cloud environment should be transparent to end users, not affect availability of other systems, and come with a fixed price.
The use of virtual appliances for security in the cloud environment might negatively affect elasticity because product vendors might not support auto-scaling of __________.
A. appliance traffic
B. new product instances
C. additional users
D. licensing
Answer: D
If the vendors of the product do not allow the customer to replicate the appliance as needed under the licensing terms, the organization using that appliance may have limited elasticity. See page 80 of the CSA Cloud Security Guidance v4.
Virtual appliances used for security purposes should typically handle fluctuating traffic and a fluctuating user base, and have the technical capacity for creating new instances.
Virtual appliances used for security in a cloud environment should monitor cloud assets according to __________.
A. IP address
B. network name
C. unique ID
D. region
Answer: C
In the cloud environment, IP addresses are subject to change far more frequently than in a traditional enterprise, so the use of unique IDs is preferable. See page 80 of the CSA Cloud Security Guidance v4.
The use of firewalls in software-defined networks (SDNs), often referred to as “security groups,” allows for __________ control of traffic and access.
A. simple
B. granular
C. expensive
D. immediate
Answer: B
Granular is the best option of these responses; SDN firewalls allow extreme specificity of traffic to or from particular assets in the environment, regardless of the physical location of the asset on the network. See page 80 of the CSA Cloud Security Guidance v4.
The use of SDN firewalls may or may not be simple, expensive, or immediate.
Unlike physical network security appliances, firewalls in software-defined networking (SDN) are typically __________.
A. free of charge
B. set to default-deny
C. not effective
D. broad in effect
Answer: B
SDN firewalls are usually default-deny. See page 80 of the CSA Cloud Security Guidance v4.
SDN firewalls are not typically free of charge. They are, however, usually quite effective, and allow for granular control (as opposed to broad effect).
One of the benefits of microsegmentation is that each __________ can exist on its own network.
A. data center
B. application
C. user
D. organization
Answer: B
Microsegmentation allows for application isolation in a cost-effective manner. See page 82 of the CSA Cloud Security Guidance v4.
There should be many virtual networks inside a data center and an organization. Putting each user on a distinct network has no real advantage.
Having assets on separate networks promotes security by __________.
A. putting an extra layer of access control on data files
B. blocking external distributed denial of service (DDoS) attacks
C. protecting data from privileged account holders
D. reducing the potential impact if an attacker gets access to an asset
Answer: D
Colloquially referred to as “reducing the blast radius” in the CSA Cloud Security Guidance v4, this is discussed on page 84.
Microsegmentation doesn’t add an extra layer of access control on a file (that actually describes digital rights management), or block DDoS attacks. It may help in limiting impact from a rogue or careless administrator, but D is the better answer.
The use and implementation of microsegmentation may increase __________.
A. capital expenses
B. enterprise risk
C. regulatory oversight
D. operational expenses
Answer: D
Microsegmentation may require additional administrative and managerial efforts, which are operational expenses. See page 82 of the CSA Cloud Security Guidance v4.
Additional virtual network segments do not require more investment, so they are not a capital expense. Likewise, microsegmentation does not add more risk or regulation.