Domain 8: Virtualization and Containers Flashcards

1
Q

What is the main reason process isolation in a cloud environment is so important?
A. regulatory requirement
B. cost
C. multitenancy
D. efficiency

A

Answer: C
In a multitenant cloud environment, if one process could observe another process, or capture data from another process, one cloud customer might gain unauthorized access to other customers' data. See page 93 of the CSA Cloud Security Guidance v4.
Process isolation might, in fact, aid a cloud provider or customer with compliance for a given standard/regulation, but this is an outcome, not a reason. Process isolation, like all good security practices, will have a negative impact on cost and efficiency.

2
Q

All of the following are typical security controls available to cloud customers except __________.
A. monitoring and logging
B. cloud provider personnel reviews
C. image asset management
D. use of dedicated hosting

A

Answer: B
Typically, cloud customers do not have access to personnel files for cloud provider employees. See pages 93-94 of the CSA Cloud Security Guidance v4.
All the other answers are examples of security controls commonly available to cloud customers.

3
Q

Which of the following is not considered a major virtualization category, according to the Cloud Security Alliance?
A. compute
B. networking
C. user
D. storage

A

Answer: C
We cannot yet virtualize users in most environments. See pages 92, 94, and 97 of the CSA Cloud Security Guidance v4.

4
Q

One of the reasons software-defined networking (SDN) may be preferable to virtual local area networks (VLANs) in the cloud.
A. VLANs are more expensive
B. VLANs are not approved by regulators
C. VLANs may not provide sufficient isolation
D. VLANs are not as fast as SDNs

A

Answer: C
See page 94 of the CSA Cloud Security Guidance v4. Clouds are often multitenant environments, so process/data isolation is crucial.
There is no appreciable difference between VLANs and SDNs in terms of cost, regulatory restriction, and speed.

5
Q

A reason that traditional network monitoring devices deployed in a cloud environment may not work effectively.
A. communication between virtual machines on the same hardware device might not be routed through any physical network
B. auditors cannot review virtual images
C. regulators might insist that a certain process be hosted in a traditional environment
D. certain jurisdictions may outlaw this practice

A

Answer: A
This is a difficult question. While C may be true (some regulators might require sensitive processes to run in a traditional environment, or may disallow cloud operations), this is not the cause of network monitoring devices having less effectiveness in the cloud. A is correct and true. See page 96 of the CSA Cloud Security Guidance v4.
Auditors can review any artifact that is presented to them, including virtualized instances. As far as I know, no jurisdiction has outlawed the use of network monitoring tools in cloud environments; again, this would not be a reason that those tools were less effective.

6
Q

Instead of using physical firewall appliances, which may not be as effective in the cloud environment, cloud customers may opt for using __________ to achieve the same purpose.
A. strong contract terms
B. the firewall solution(s) offered by the provider
C. digital rights management (DRM)
D. user training

A

Answer: B
Public cloud providers offer native, cloud-based firewall solutions to accomplish the monitoring tasks that physical firewalls are intended for; these may be a viable option for the cloud customer. See page 96 of the CSA Cloud Security Guidance v4.
While strong contract language is useful in any cloud arrangement, it does not accomplish the same goals that firewalls are meant to accomplish. Likewise, DRM and user training are good practices, and may be used in conjunction with firewalls for defense in depth, but they do not offer network monitoring.

7
Q

Which of the following could be considered the top security priority for cloud providers?
A. protecting their own intellectual property
B. segregating and isolating customer traffic
C. providing maximum bandwidth
D. designing application programming interfaces (APIs) that optimize customers’ business goals

A

Answer: B
In a multitenant environment, ensuring that customers cannot see each other’s traffic is absolutely essential. See page 96 of the CSA Cloud Security Guidance v4.
While maximum bandwidth and optimizing APIs are useful to customers, those typically are performance goals, not security goals. The provider protecting its own intellectual property is more about profitability for the provider, and not a paramount security function.

8
Q

A special kind of wide area network (WAN) virtualization technology used to span multiple “base” networks.
A. virtual local area network (VLAN)
B. Wifi
C. overlay network
D. maximal networking

A

Answer: C
This is the definition of an overlay network. See page 97 of the CSA Cloud Security Guidance v4.
VLANs are used to segment networks. Wifi is a term used to describe the IEEE standard 802.11 for wireless networking (and is actually a trademark of the Wi-Fi Alliance). “Maximal networking” is only a distractor, and has no meaning in this context.

9
Q

Two common forms of storage virtualization in traditional (on-prem) IT environments. [select two]
A. hypertext transfer protocol (HTTP)
B. virtual local area network (VLAN)
C. storage-area network (SAN)
D. Hippo
E. Apache
F. network-attached storage (NAS)

A

Answer: C, F
Both SAN and NAS are often used in traditional enterprises. See page 97 of the CSA Cloud Security Guidance v4.
HTTP is used for Web traffic. VLANs are used to segment networks. “Hippo” is purely invented, and has no meaning in this context. Apache is a Web server technology.

10
Q

What method is commonly used to ensure that swapping out a storage drive won’t inadvertently reveal data?
A. watermarking
B. encryption
C. superimposition
D. steganography

A

Answer: B
This is one of the many purposes of encryption. See page 97 of the CSA Cloud Security Guidance v4.
Watermarking does not prevent data from being revealed; instead, it is used to assert ownership rights when data is revealed. “Superimposition” is only a distractor, and has no meaning in this context. Steganography is embedding a message of one medium in another, often to convey the message in plain sight.

11
Q

Which of the following is a highly portable code execution environment?
A. container
B. web server
C. Kerberos
D. OAuth

A

Answer: A
This is a definition of a container. See page 97 of the CSA Cloud Security Guidance v4.
Web servers host and portray web content. Kerberos is a single sign-on solution.
OAuth is an identity federation standard.

12
Q

Containers typically provide runtime environments that share a common __________.
A. vernacular
B. operating system (OS)
C. molecular bond
D. kernel

A

Answer: D
Containers provide isolated areas for individual users, but share the same underlying kernel. See page 97 of the CSA Cloud Security Guidance v4.
“Vernacular” has no meaning in this context; “molecular bond” is a chemistry term. Both are used here only as distractors. Containers do not typically include an entire OS.

13
Q

If data is encrypted at the virtual layer, the data may not be protected from exposure to __________.
A. users
B. external attackers
C. the cloud provider
D. regulators

A

Answer: C
Data encrypted at the virtualization layer may still be exposed to the cloud provider, because the provider has access to the underlying infrastructure, and possibly the encryption mechanism. See page 97 of the CSA Cloud Security Guidance v4.
We generally aren’t using encryption to protect data from users; users need access to the data in order to be productive. Data encrypted at the virtualization layer should be protected from external attack. We also don’t typically use encryption to protect data from regulators, because they need to see some data.

14
Q

Which of the following is not a component of typical software container systems?
A. the execution environment
B. a GUI interface for user interaction
C. an orchestration and scheduling controller
D. a repository for the container images or code to execute

A

Answer: B
A GUI is not one of the typical crucial components of a software container system; all the other answers are. See page 98 of the CSA Cloud Security Guidance v4.

15
Q

Which of the following is not a required security measure for containers, regardless of the type of container?
A. physical security of the underlying hardware
B. securing the management plane
C. properly securing the image repository
D. encrypting the code of the container as it runs

A

Answer: D
Typically, code is not encrypted as it runs. All the other answers are security measures that should be used to protect containerized environments. See page 98 of the CSA Cloud Security Guidance v4.

16
Q

Container solutions should, at a minimum, support role-based access controls and __________, for security purposes.
A. strong authentication
B. biometric physical security
C. personnel background checks
D. elliptic-curve encryption

A

Answer: A
Role-based access controls and strong authentication are considered the bare minimum security features that should be included in container solutions. See page 98 of the CSA Cloud Security Guidance v4.
All the other answers are examples of good security practices, but which might not be included with (or enforced by) containers.

17
Q

In-depth understanding of container solutions is predicated on a thorough understanding of __________.
A. security fundamentals
B. policy promulgation
C. operating system internals
D. encryption methodologies

A

Answer: C
In order to totally comprehend containers, you must have a thorough knowledge of operating system mechanisms. See page 99 of the CSA Cloud Security Guidance v4.
The other answers are topics which are worth knowing, but which do not necessarily aid in deep knowledge of container technology.

18
Q

Which of the following is not an element of the operating system?
A. namespaces
B. divestiture
C. memory
D. network port mapping

A

Answer: B
Divestiture is a management function, where a business unit is sold or otherwise released from the organization. All the other answers are elements of an operating system. See page 99 of the CSA Cloud Security Guidance v4.

19
Q

Whose responsibility is it to implement virtualization features with a secure-by-default configuration?
A. the cloud customer
B. the regulator
C. the cloud provider
D. the auditor

A

Answer: C
See page 99 of the CSA Cloud Security Guidance v4.

20
Q

Whose responsibility is it to configure hypervisors to isolate virtual machines from each other?
A. the cloud customer
B. the regulator
C. the cloud provider
D. the auditor

A

Answer: C
See page 99 of the CSA Cloud Security Guidance v4.

21
Q

Whose responsibility is it to group containers of the same security context on the same physical and/or virtual hosts?
A. the cloud customer
B. the regulator
C. the cloud provider
D. the auditor

A

Answer: A
See page 100 of the CSA Cloud Security Guidance v4.

22
Q

Whose responsibility is it to implement appropriate role-based access controls and strong authentication for all container and repository management?
A. the cloud customer
B. the regulator
C. the cloud provider
D. the auditor

A

Answer: A
See page 100 of the CSA Cloud Security Guidance v4.

23
Q

Whose responsibility is it to determine compliance with a given standard/regulation, from an objective perspective?
A. the cloud customer
B. the regulator
C. the cloud provider
D. the auditor

A

Answer: D
This is the definition of the purpose of auditing.

24
Q

Which of the following is not a crucial security responsibility typically expected of the cloud provider?
A. use secure hypervisors and implement a patch management process to keep them up to date
B. secure the credentials used by customers to access the management plane
C. configure hypervisors to isolate virtual machines from each other
D. implement processes to prevent administrative access to running virtual machines or volatile memory

A

Answer: B
Cloud customers are expected to keep their own credentials secure. All the other answers are typical security responsibilities for the cloud provider. See page 99 of the CSA Cloud Security Guidance v4.

25
Q

In order to reduce the possibility that administrators working for the cloud provider get access to customer data, the cloud provider should __________.
A. isolate encryption services from data-management functions
B. ensure all cloud customer employees are trained in the most current security tools
C. make digital rights management (DRM) solutions available to customers
D. ensure that only approved, known, secure container images or code can be deployed

A

Answer: A
This is essential to protecting customer data from malicious/rogue cloud administrators; if the provider is providing encryption services to the customer, these services must be distinct from the data-management function. See page 100 of the CSA Cloud Security Guidance v4.
The cloud provider is not responsible for training cloud customer personnel; B is incorrect. DRM would not prevent cloud provider administrators from accessing customer data stored in the cloud; C is incorrect. D is a responsibility of the cloud customer (and would not necessarily protect the data from cloud provider employees).