Flashcards in “CCSK: Certificate of Cloud Security Knowledge 4 of 6 Practice”

1
Q

Which of the following can the cloud provider implement to mitigate credential compromise or theft?

A.Separation of roles and responsibilities
B.Automated inventory of all assets
C.Anomaly detection
D.Federated method of authentication
E.Hardening of virtual machines using industry standards

A

C.Anomaly detection

Explanation
Credential compromise or theft (questions to put to the provider):
· Do you provide anomaly detection (the ability to spot unusual and potentially malicious IP traffic and user or support-team behaviour)? For example, analysis of failed and successful logins, unusual time of day, multiple logins, etc.
· What provisions exist in the event of the theft of a customer’s credentials (detection, revocation, evidence for actions)?
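The anomaly-detection question above names three login signals: a run of failed logins followed by a success, logins at an unusual time of day, and multiple logins. The Python below is an added example (it is not part of the card, nor any provider's detection logic) that runs those three checks over a constructed authentication log; the line format, the thresholds and the 07:00–18:59 UTC business-hours window are assumptions chosen for the demonstration.

```python
"""Detect credential-compromise indicators in an authentication log.

Added example. The line format, thresholds and business-hours window below are
assumptions for this demonstration, not a provider's or ENISA's specification.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO-8601 UTC> user=<name> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

FAIL_THRESHOLD = 5                  # failures before a success that count as brute force
FAIL_WINDOW = timedelta(minutes=15)
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59 UTC treated as normal working hours
MULTI_IP_WINDOW = timedelta(minutes=10)

# Constructed sample log: bob is brute-forced at 02:10 UTC, carol logs in from two
# addresses within minutes, alice and dave are benign.
SAMPLE_LOG = """\
2024-03-04T09:00:10Z user=alice src=198.51.100.7 result=OK
2024-03-04T02:10:01Z user=bob src=203.0.113.5 result=FAIL
2024-03-04T02:10:04Z user=bob src=203.0.113.5 result=FAIL
2024-03-04T02:10:07Z user=bob src=203.0.113.5 result=FAIL
2024-03-04T02:10:10Z user=bob src=203.0.113.5 result=FAIL
2024-03-04T02:10:13Z user=bob src=203.0.113.5 result=FAIL
2024-03-04T02:10:16Z user=bob src=203.0.113.5 result=OK
2024-03-04T10:05:00Z user=carol src=198.51.100.20 result=OK
2024-03-04T10:08:30Z user=carol src=192.0.2.44 result=OK
2024-03-04T11:00:00Z user=dave src=198.51.100.9 result=FAIL
2024-03-04T11:00:05Z user=dave src=198.51.100.9 result=OK
""".splitlines()


def parse(lines):
    """Return (timestamp, user, src, result) tuples in chronological order."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["src"], m["result"]))
    events.sort()
    return events


def detect(lines):
    """Return a list of (rule, user, detail) findings for the three signals."""
    by_user = defaultdict(list)
    for event in parse(lines):
        by_user[event[1]].append(event)

    findings = []
    for user, events in by_user.items():
        recent_fails = []   # timestamps of failures not yet followed by a success
        successes = []      # (timestamp, src) of successful logins seen so far
        for ts, _, src, result in events:
            if result == "FAIL":
                recent_fails.append(ts)
                continue
            # 1) a burst of failures followed by a success (password guessing)
            recent_fails = [t for t in recent_fails if ts - t <= FAIL_WINDOW]
            if len(recent_fails) >= FAIL_THRESHOLD:
                findings.append(("bruteforce_then_success", user,
                                 f"{len(recent_fails)} failures then OK from {src}"))
            recent_fails = []
            # 2) a successful login at an unusual time of day
            if ts.hour not in BUSINESS_HOURS:
                findings.append(("off_hours_login", user, f"{ts.isoformat()} from {src}"))
            # 3) successful logins from different source addresses close together
            for prev_ts, prev_src in successes:
                if prev_src != src and ts - prev_ts <= MULTI_IP_WINDOW:
                    findings.append(("multi_source_login", user,
                                     f"{prev_src} and {src} within {MULTI_IP_WINDOW}"))
                    break
            successes.append((ts, src))
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"{rule:25} {user:8} {detail}")
```

On the sample log this yields three findings: bob trips both the brute-force and the off-hours rule (one compromise usually lights up more than one signal, which is the point of correlating them per user), and carol trips the multi-source rule. Thresholds are the first thing to tune against real traffic: a single failure before a success, as with dave, is ordinary typing.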

2
Q

Which of the following is the most commonly used application programming interface (API) style for cloud services?

A.JSON
B.HTTP
C.REST
D.SOAP

A

C.REST

Explanation
Most cloud APIs these days use REST (Representational State Transfer), which runs over the HTTP protocol, making it extremely well suited for Internet services. APIs are typically the underlying communications method for components within a cloud, some of which (or an entirely different set) are exposed to the cloud user to manage their resources and configurations.

3
Q

Which of the following WAN virtualization technologies is used to create networks that span multiple base networks?

A.Virtual Private Networks
B.Network Peering
C.Virtual Private Cloud
D.Cloud Overlay Networks

A

D.Cloud Overlay Networks

Explanation
Cloud overlay networks are a special kind of WAN virtualization technology for creating networks that span multiple “base” networks. For example, an overlay network could span physical and cloud locations or multiple cloud networks, perhaps even on different providers. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Cloud Overlay Networks Domain 8 // VIRTUALIZATION AND CONTAINERS

4
Q

A cloud user does not require special permission to perform a vulnerability assessment on its environment in the cloud.

A.CORRECT
B.INCORRECT

A

B.INCORRECT

Explanation
Certain types of customer technical assessments and audits (such as a vulnerability assessment) may be limited in the provider’s terms of service, and may require permission. This is often to help the provider distinguish between a legitimate assessment and an attack. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: How Cloud Changes Audit Management Domain 4 // COMPLIANCE AND AUDIT MANAGEMENT

5
Q

Which of the following is not one of the five key legal issues common across all scenarios?

A.Global Proliferation
B.Intellectual Property 
C.Professional Negligence
D.Confidentiality
E.Data Protection

A

A.Global Proliferation

Explanation
Cloud computing – key legal issues. Five key legal issues have been identified which are common across all the scenarios:
1. Data protection (a. availability and integrity; b. minimum standard or guarantee)
2. Confidentiality
3. Intellectual property
4. Professional negligence
5. Outsourcing services and changes in control
Source: ENISA. Topic: Annex I – Cloud Computing – Key Legal Issues

6
Q

Which of the following is not an example of vendor lock-in?

A.Contracts with termination penalties
B.Provider exports data only in a proprietary format
C.Custom SaaS Applications
D.PaaS platforms that restrict available functions

A

C.Custom SaaS Applications

Explanation
All SaaS products are customized applications; that fact alone is not the source of vendor lock-in. What creates lock-in with SaaS is the inability to move data easily from one SaaS provider to another. Where tools exist to migrate (they are generally limited), lock-in can be dealt with fairly easily. All the other answers are lock-in scenarios.

7
Q

VM hopping is an attack that becomes possible in the event of what failure?

A.Virtual Storage Control Failure
B.Hypervisor Segregation Failure
C.Hypervisor Isolation Failure
D.Inadequate Security Controls by the Customer

A

C.Hypervisor Isolation Failure

Explanation
VM hopping is the result of a hypervisor isolation failure. None of the other answers is correct. Remember that segregation is not the same as isolation.

8
Q

Which of the following could be considered a malicious insider as per ENISA “Top Security Risks”?

A.Customer Administrator
B.Provider’s Auditor
C.Customer’s Auditor
D.All of These

A

B.Provider’s Auditor

Explanation
The ENISA document lists cloud provider employees and contractors in high-privilege roles as potential malicious insiders; an auditor engaged by the provider falls into that group. As such, the only possible correct answer is the provider’s auditor.

9
Q

A company administrator determines that the best approach to dealing with any sudden increases in network traffic is to create an auto-scaling group that will create an unlimited number of web servers to meet increased demand. What has the administrator created?

A.The administrator has implemented an auto-scaling practice that is commonly performed to take advantage of the elastic nature of the cloud
B.The administrator has implemented an application load-balancing system
C.The administrator has implemented a network load-balancing system
D.The administrator has created an economic denial of service scenario if there is ever a denial of service attack against the company

A

D.The administrator has created an economic denial of service scenario if there is ever a denial of service attack against the company

Explanation
The administrator has created an economic denial of service scenario if there is ever a denial of service attack against the company. This is because of the measured service characteristic of cloud computing, where companies pay for the resources they use. Load balancing only distributes traffic across a fixed number of servers, so B and C do not describe what the administrator has set up. Finally, although auto-scaling groups are common, there needs to be a set limit on the number of servers that will be created.
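The card's point, that elasticity without a ceiling turns a denial-of-service attack into a bill, is a condition worth checking in code rather than by inspection. The Python below is an added example (not from the card, nor any provider's tooling) that audits constructed auto-scaling group definitions for a missing or disproportionate maximum size and computes the worst-case hourly spend; the group definitions, the instance prices, the hourly budget and the 10x scale-factor policy are all assumptions for the demonstration.

```python
"""Flag auto-scaling groups that expose an account to economic denial of service.

Added example. The group definitions, price table, budget and scale-factor policy
are assumptions for this demonstration; nothing here is real cloud API output.
"""

# Assumed on-demand hourly prices (USD) for the instance types used below.
HOURLY_PRICE = {"m5.large": 0.096, "m5.4xlarge": 0.768}

# Constructed group definitions. max_size=None models the administrator in the
# card: scale without limit so demand is always met.
GROUPS = [
    {"name": "web-asg",   "instance_type": "m5.large",   "min_size": 2, "desired": 4, "max_size": None},
    {"name": "api-asg",   "instance_type": "m5.4xlarge", "min_size": 2, "desired": 4, "max_size": 400},
    {"name": "batch-asg", "instance_type": "m5.large",   "min_size": 1, "desired": 2, "max_size": 8},
]

HOURLY_BUDGET_USD = 50.0   # assumed spend ceiling the business has accepted for scale-out
MAX_SCALE_FACTOR = 10      # assumed policy: ceiling may not exceed 10x desired capacity


def worst_case_hourly_cost(group):
    """Hourly spend if an attacker drives the group to its ceiling; None means unbounded."""
    if group["max_size"] is None:
        return None
    return group["max_size"] * HOURLY_PRICE[group["instance_type"]]


def assess(group, budget=HOURLY_BUDGET_USD, factor=MAX_SCALE_FACTOR):
    """Return the findings for one group; an empty list means it is acceptable."""
    cost = worst_case_hourly_cost(group)
    if cost is None:
        return ["no max_size: worst-case spend under a DoS is unbounded"]
    findings = []
    if group["max_size"] > group["desired"] * factor:
        findings.append(f"max_size {group['max_size']} exceeds {factor}x desired capacity")
    if cost > budget:
        findings.append(f"worst-case ${cost:.2f}/h exceeds budget ${budget:.2f}/h")
    return findings


def safe_max_size(group, budget=HOURLY_BUDGET_USD, factor=MAX_SCALE_FACTOR):
    """Largest ceiling that satisfies both the budget and the scale-factor policy."""
    by_budget = int(budget // HOURLY_PRICE[group["instance_type"]])
    return max(group["min_size"], min(by_budget, group["desired"] * factor))


def report(groups=GROUPS):
    """Map each group name to its findings and the ceiling that would fix them."""
    return {g["name"]: {"findings": assess(g), "safe_max_size": safe_max_size(g)} for g in groups}


if __name__ == "__main__":
    for name, result in report().items():
        status = "OK" if not result["findings"] else "; ".join(result["findings"])
        print(f"{name:10} safe max_size={result['safe_max_size']:3}  {status}")
```

The unbounded group is reported as such rather than priced, because there is no number to price: the attacker, not the operator, decides the bill. The 400-instance API group has a ceiling, but one that is both far above its normal capacity and above the budget, which is the same exposure with a nominal limit attached. A ceiling is a control on spend, not on availability, so it belongs next to a billing alarm, not instead of one.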

10
Q

Which of the following is not considered a vulnerability associated with the risk of loss of business reputation due to co-tenant activities?

A.Lack of resource isolation
B.Lack of reputational isolation
C.Hypervisor vulnerabilities
D.Object Storage

A

D.Object Storage

Explanation
Object storage is the only answer that is not listed as an associated vulnerability to the risk of loss of business reputation due to co-tenant activities.

11
Q

Which of the following is not listed in the ENISA documentation as a potential area that needs to be considered and protected from being exploited with regard to user provisioning?

A.Credentials that may be vulnerable to interception and replay
B.If the customer cannot control the provider’s provisioning process
C.If the identity of the customer may not be adequately verified upon registration
D.The customer’s ability to restrict access to the IAM system supplied by the provider to a specific range of IP addresses

A

D.The customer’s ability to restrict access to the IAM system supplied by the provider to a specific range of IP addresses

Explanation
The only answer not listed is the customer’s ability to restrict access to the provider-supplied IAM system to a specific range of IP addresses. The IAM system is part of the management plane, which can be reached from anywhere because of the broad network access characteristic of cloud. All other entries are listed as areas for consideration and protection.

12
Q

What should always be done to protect against a possible management interface compromise, where an attacker gains access to your cloud environment (select the best answer)?

A.Connect to the management interface via IPSec VPN
B.Protect connections through the use of TLS
C.Implement MFA on all privileged accounts
D.Create separate accounts for administrators with access to the management plane

A

C.Implement MFA on all privileged accounts

Explanation
Privileged accounts should always access the management plane with MFA. The management plane faces increased risk of compromise because it is globally accessible, and a VPN of any sort is not listed as a safeguard for it. All users accessing the management plane should have separate accounts, but D addresses accountability (non-repudiation) rather than the security of the accounts themselves. Although all connections should be protected in transit (such as with TLS), B is not the best answer.

13
Q

Which of the following is a key area of control for the cloud provider network architecture?

A.Host based intrusion prevention service (IPS)
B.Hardened virtualised image
C.DDOS
D.SANS Checklist
E.Anti Virus

A

C.DDOS

Explanation
DDoS stands for distributed denial of service. Network architecture controls (questions to put to the provider):
· Define the controls used to mitigate DDoS (distributed denial-of-service) attacks.
o Defence in depth (deep packet analysis, traffic throttling, packet black-holing, etc.)
o Do you have defences against ‘internal’ attacks (originating from the cloud provider’s networks) as well as external attacks (originating from the Internet or customer networks)?
· What levels of isolation are used? For virtual machines, physical machin

14
Q

In which of the five main phases of secure application design and development do you perform threat modelling?

A.Design
B.Define
C.Test
D.Develop
E.Training

A

A.Design

Explanation
It is during the design phase that you perform threat modelling, which must also be cloud and provider/platform specific. Design: During the application design process, especially when PaaS is involved, the focus for security in cloud is on architecture, the cloud provider’s baseline capabilities, cloud provider features, and automating and managing security for deployment and operations. We find that there are often significant security benefits to integrating security into the application arch

15
Q

Which of the following is true about the pass-through audit which is a form of compliance inheritance?

A.The provider’s infrastructure is within the scope of the customer’s audit/assessment
B.The provider’s infrastructure is not within the scope of the customer’s audit/assessment
C.Everything the customer builds on top of the provider’s infrastructure is out of scope
D.The customer is not responsible for maintaining compliance because the provider is already compliant

A

B.The provider’s infrastructure is not within the scope of the customer’s audit/assessment

Explanation
A pass-through audit is a form of compliance inheritance. In this model all or some of the cloud provider’s infrastructure and services undergo an audit to a compliance standard. The provider takes responsibility for the costs and maintenance of these certifications. Provider audits, including pass-through audits, need to be understood within their limitations: • They certify that the provider is compliant. • It is still the responsibility of the customer to build compliant applications and serv

16
Q

The main difference between traditional virtualization and cloud computing is abstraction.

A.CORRECT
B.INCORRECT

A

B.INCORRECT

Explanation
Virtualization abstracts resources, but it typically lacks the orchestration to pool them together and deliver them to customers on demand, instead relying on manual processes. The key techniques to create a cloud are abstraction and orchestration. We abstract the resources from the underlying physical infrastructure to create our pools, and use orchestration (and automation) to coordinate carving out and delivering a set of resources from the pools to the consumers. As you will see, these two t

17
Q

Logs, documentation, and other materials that are needed for audits and compliance, and that are used as evidence to support compliance activities, are called:

A.Audit Trail
B.Log Trail
C.Audit Evidence
D.Audit Proof
E.Artifacts

A

E.Artifacts

Explanation
Artifacts are the logs, documentation, and other materials needed for audits and compliance; they are the evidence to support compliance activities. Both providers and customers have responsibilities for producing and managing their respective artifacts. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: How Cloud Changes Audit Management Domain 4 // COMPLIANCE AND AUDIT MANAGEMENT

18
Q

Which of the following tools lists cloud security controls and maps them to multiple security and compliance standards?

A.Cloud Provider Contracts
B.Cloud Security Alliance’s STAR Registry
C.Supplier (cloud provider) Assessments
D.Cloud Controls Matrix
E.Consensus Assessments Initiative Questionnaire

A

D.Cloud Controls Matrix

Explanation
The Cloud Controls Matrix (CCM) lists cloud security controls and maps them to multiple security and compliance standards; it can also be used to document security responsibilities. The Consensus Assessments Initiative Questionnaire (CAIQ) is a standard template for cloud providers to document thei

19
Q

What is the role of the Scope Applicability column in the CCM?

A.Applicability of controls in the domain
B.Overall applicability of the domain
C.Maps the existing industry standards to the controls in the domains
D.Shows architecture elements that are related to given control

A

C.Maps the existing industry standards to the controls in the domains

Explanation
The Scope Applicability column in the CCM maps existing industry standards (PCI DSS, NIST SP 800-53 R3, ISO/IEC 27001:2005, HIPAA/HITECH Act, GAPP, ENISA IAF, COBIT, etc.) to the controls in each domain. Source: Cloud Controls Matrix Version 3.0.1

20
Q

Dedicated or private tenancy model is not possible in a cloud environment.

A.CORRECT
B.INCORRECT

A

B.INCORRECT

Explanation
In some environments dedicated/private tenancy is possible, but typically at a higher cost. With this model only designated workloads run on a designated physical server. Costs increase in public cloud as a consumer since you are taking hardware out of the general resource pool, but also in private cloud, due to less efficient use of internal resources. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: How Cloud Changes Workload Security Domain 7// INFRASTRUCTU

21
Q

What can be used to determine what actors are allowed to do and what they’re not allowed to do?

A.Entitlements
B.Information Classification
C.Information Governance
D.Contractual Controls

A

A.Entitlements

Explanation
Entitlements determine what actors are allowed to do and what they’re not allowed to do. Contractual controls are a legal tool, and information governance is much larger than determining what actors can and cannot do, so B and C are not the best answers. Classification of data may assist control selection, but, again, it is not the best answer.

22
Q

Moving to the cloud creates a greenfield opportunity to reexamine what?

A.How you manage information and find ways to improve things
B.Existing Security Policies
C.Existing Security Controls
D.Existing Information Classification Capabilities

A

A.How you manage information and find ways to improve things

Explanation
Moving to the cloud gives you the opportunity to look at how you manage information and find ways to improve things. This can include all the other answers as well, but since the first answer covers all the other options, it is the best answer.

23
Q

Extending information governance to include cloud services requires:

A.Security Controls
B.Contractual Controls
C.Both contractual and security controls
D.Provider supplying a written business associate agreement

A

C.Both contractual and security controls

Explanation
The best answer is that both security and contractual controls are required to extend information governance to the cloud. The business associate agreement is applicable only for HIPAA-regulated data, and it would be covered as a contractual control.

24
Q

What does an authorization determine?

A.The legally accountable party for security of end-user data
B.Whether data can be stored in a cloud environment
C.Permitted cloud service providers based on classification of data
D.Who is allowed to access certain information and/or data

A

D.Who is allowed to access certain information and/or data

Explanation
Authorizations determine who is allowed to access certain information and/or data and are part of information governance. The customer always retains legal accountability in the event of end-user data being compromised. Although we want to have information management assist in the selection of appropriate cloud providers and determine data classifications, these are not authorizations.

25
Q

What level of privileges should be assigned to a user account with access to the metastructure?

A.Read-Only
B.Administrative Access
C.Least privileges required to perform a job
D.Administrative access only to the system the user is using

A

C.Least privileges required to perform a job

Explanation
Least privileges should always be used. None of the other answers is applicable.

26
Q

How should the master account be used in a cloud environment?

A.It should be treated as any other privileged account
B.The password for the account should be shared only through encrypted email
C.It should be used only to terminate instances
D.It should have MFA assigned and be locked in a safe

A

D.It should have MFA assigned and be locked in a safe

Explanation
The master account should have a hardware MFA device assigned, and the credentials along with the MFA device should be locked in a safe to be used only in the event of an emergency.
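Cards 12 and 26 both reduce to checks that can be automated against an IAM credential export: every privileged user has MFA, and the master account has MFA, no active access keys and no routine use. The Python below is an added example (not from the cards, nor any provider's tooling) that runs those checks over a constructed CSV whose columns imitate a cloud credential report; the column names, the privileged-user list, the fixed clock and the 90-day grace period are assumptions for the demonstration.

```python
"""Audit an IAM credential export for management-plane access hygiene.

Added example. The CSV columns imitate the shape of a cloud credential report and
the privileged-user set is assumed; neither comes from a real account.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed credential report. "<root_account>" is the master account.
CREDENTIAL_REPORT = """\
user,mfa_active,password_enabled,password_last_used,access_key_1_active
<root_account>,false,true,2024-03-01T08:12:00Z,true
alice,true,true,2024-03-03T09:00:00Z,false
bob,false,true,2024-03-03T10:00:00Z,true
ci-deploy,false,false,N/A,true
carol,true,true,2024-02-01T10:00:00Z,false
"""

# Assumed: principals attached to an administrative policy (in practice this
# comes from enumerating policy attachments, not from the credential report).
PRIVILEGED = {"alice", "bob", "ci-deploy"}

NOW = datetime(2024, 3, 4, tzinfo=timezone.utc)  # fixed clock so results are reproducible
ROOT_USE_GRACE = timedelta(days=90)              # assumed: root console use within 90 days is routine use
ROOT = "<root_account>"


def load_report(text):
    """Parse the CSV into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit(text=CREDENTIAL_REPORT, privileged=PRIVILEGED, now=NOW):
    """Return (principal, finding) pairs; an empty list means the report is clean."""
    findings = []
    for row in load_report(text):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        console = row["password_enabled"] == "true"
        has_key = row["access_key_1_active"] == "true"

        if user == ROOT:
            # The master account should sit in a safe with a hardware MFA device, so
            # any of the following means it is being treated as a daily-use account.
            if not mfa:
                findings.append((user, "master account lacks MFA"))
            if has_key:
                findings.append((user, "master account has an active access key"))
            last_used = row["password_last_used"]
            if last_used != "N/A" and now - _parse_ts(last_used) < ROOT_USE_GRACE:
                findings.append((user, "master account used for routine work"))
            continue

        if user not in privileged:
            continue
        if console and not mfa:
            findings.append((user, "privileged console user without MFA"))
        if has_key and not console:
            # A key-only principal cannot present MFA; a long-lived admin key should be
            # replaced by short-lived role credentials or scoped down.
            findings.append((user, "privileged long-lived access key with no MFA"))
    return findings


if __name__ == "__main__":
    for principal, finding in audit():
        print(f"{principal:15} {finding}")
```

On the constructed report the master account produces three findings on its own (no MFA, an active key, and console use three days ago), bob is a privileged console user without MFA, and ci-deploy shows the case the cards do not spell out: a privileged principal that only holds an access key can never satisfy an MFA requirement, so the fix is to replace the key with short-lived credentials rather than to "add MFA".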

27
Q

What layers of the logical stack should be considered as part of BCP/DR?

A.Infostructure
B.Metastructure
C.Infrastructure
D.All layers of the logical model

A

D.All layers of the logical model

Explanation
All layers of the logical model should be considered for BCP/DR.

28
Q

Which plane is used by consumers to launch virtual machines or configure virtual networks?

A.Application Plane
B.Management Plane
C.Cloud Control Plane
D.Infrastructure Plane
E.Virtual Plane

A

B.Management Plane

Explanation
In most cases, those APIs are both remotely accessible and wrapped into a web-based user Interface. This combination is the cloud management plane, since consumers use it to manage and configure the cloud resources, such as launching virtual machines (instances) or configuring virtual networks. From a security perspective, it is both the biggest difference from protecting physical infrastructure (since you can’t rely on physical access as a control) and the top priority when designing a cloud se

29
Q

When it comes to securing the management plane, how are access identification, authentication, and authorization implemented?

A.Identity and Access management (IAM)
B.Authentication is based on your authentication provider and the cloud provides the access and authorization controls
C.Your directory service manages how your cloud providers are managed
D.Cloud providers provide the access layer, you must also have a directory service to get authentication

A

A.Identity and Access management (IAM)

Explanation
Securing the management plane: Identity and Access Management (IAM) includes identification, authentication, and authorization (including access management). This is how you determine who can do what within your cloud platform or provider. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Securing the Management Plane Domain 6 // MANAGEMENT PLANE AND BUSINESS CONTINUITY

30
Q

Attestations and certifications are activities that remain valid at any future point in time, and providers must keep any published results readily available for quick reference.

A.CORRECT
B.INCORRECT

A

B.INCORRECT

Explanation
It’s important to remember that attestations and certifications are point-in-time activities. An attestation is a statement of an “over a period of time” assessment and may not be valid at any future point. Providers must keep any published results current or they risk exposing their customers to risks of non-compliance. Depending on contracts, this could even lead to legal exposure for the provider. Customers are also responsible for

31
Q

Business Continuity and Disaster Recovery is not a shared responsibility and the cloud user is completely responsible for it.

A.CORRECT
B.INCORRECT

A

B.INCORRECT

Explanation
Like security and compliance, BC/DR is a shared responsibility. There are aspects that the cloud provider has to manage, but the cloud customer is also ultimately responsible for how they use and manage the cloud service. This is especially true when planning for outages of the cloud provider (or parts of the cloud provider’s service). Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Business Cont

32
Q

Which of the following statements regarding risk transfer is not true?

A.Risks should be considered against the cost benefit received from the services
B.The level of risk may vary with the types of cloud architecture used
C.All risks can be transferred
D.It is possible for the cloud customer to transfer risk to the cloud provider

A

C.All risks can be transferred

Explanation
It is possible for the cloud customer to transfer risk to the cloud provider, and the risks should be considered against the cost benefit received from the services. However, not all risks can be transferred: if a risk leads to the failure of a business, serious damage to reputation or legal implications, it is hard or impossible for any other party to compensate for this damage. Source: ENISA. Topic: Risks

33
Q

In which of the following service models may the cloud consumer only be able to manage authorization and entitlements?

A.IaaS
B.PaaS
C.SaaS
D.SaaS and PaaS

A

C.SaaS

Explanation
Software as a Service: The cloud provider is responsible for nearly all security, since the cloud user can only access and manage their use of the application, and can’t alter how the application works. For example, a SaaS provider is responsible for perimeter security, logging/monitoring/auditing, and application security, while the consumer may only be able to manage authorization and entitlements Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Cloud Securi

34
Q

Which of the following defines the ease with which application components are moved and reused elsewhere regardless of provider, platform, OS, infrastructure, location, storage, the format of data, or API’s?

A.Movability
B.Portability
C.Interoperability
D.Intraoperability

A

B.Portability

Explanation
Portability defines the ease with which application components are moved and reused elsewhere regardless of provider, platform, OS, infrastructure, location, storage, the format of data, or APIs. Interoperability is the requirement for the components of a cloud ecosystem to work together to achieve their intended result. In a cloud computing ecosystem the components may well come from different sources, both cloud and traditional, public and private cloud implementations (known as hy

35
Q

All services from a particular provider meet the same audit/assessment standards

A.CORRECT
B.INCORRECT

A

B.INCORRECT

Explanation
All services from a particular provider may not meet the same audit/assessment standards; they can vary. Supplier assessment process: periodically review audits and assessments to ensure they are up to date. • Don’t assume all services from a particular provider meet the same audit/assessment standards. They can vary. • Periodic assessments should be scheduled and automated if possible. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Supplier Assessment Process

36
Q

If an attacker gets into your management plane, they have full remote access to your entire cloud environment.

A.CORRECT
B.INCORRECT

A

A.CORRECT

Explanation
If an attacker gets into your management plane, they potentially have full remote access to your entire cloud deployment. The combination of APIs that are both remotely accessible and wrapped into a web-based user interface is called the cloud management plane, since consumers use it to manage and configure the cloud resources, such as launching virtual machines (instances) or configuring virtual networks.

37
Q

The following list of controls belongs to which domain of the CCM? GRM-04 Management Program; GRM-05 Support/Involvement; GRM-06 Policy; GRM-07 Policy Enforcement

A.Data Center Security
B.Business Continuity Management & Operational Resilience
C.Encryption and Key Management
D.Governance and Risk Management
E.Change Control and Configuration Management

A

D.Governance and Risk Management

Explanation
The following list of controls belongs to the “Governance and Risk Management” domain of the CCM: GRM-01 Baseline Requirements; GRM-02 Data Focus Risk Assessments; GRM-03 Management Oversight; GRM-04 Management Program; GRM-05 Management Support/Involvement; GRM-06 Management Policy; GRM-07 Policy Enforcement; GRM-08 Policy Impact on Risk Assessments; GRM-09 Policy Reviews; GRM-10 Risk Assessments; GRM-11 Risk Management Framework. Source: Cloud Controls Matrix Version 3.0.1

38
Q

SLA’s may limit a client’s ability to collect large volumes of data quickly and in a forensically sound manner.

A.CORRECT
B.INCORRECT

A

A.CORRECT

Explanation
In most cases, a client’s access to its data in the cloud will be determined by its SLA. This may limit its ability to collect large volumes of data quickly and in a forensically sound manner (i.e., with all reasonably relevant metadata preserved). Clients and cloud providers should consider this issue at the outset of their relationship, and establish a protocol (and cost) for extraordinary access in the case of litigation. Absent these agreements, clients are responsible for the extra time and

39
Q

Which of the following reflects the claim of an individual to have certain data deleted so that third persons can no longer trace them?

A.Right to be forgotten
B.Right to be deleted
C.Right to non disclosure
D.Right to privacy
E.Right to be erased

A

A.Right to be forgotten

Explanation
The right to be forgotten “reflects the claim of an individual to have certain data deleted so that third persons can no longer trace them.” Data Subjects’ Rights: Data subjects have rights to information regarding the processing of their data: the right to object to certain uses of their personal data; to have their data corrected or erased; to be compensated for damages suffered as a result of unlawful processing; the right to be forgotten; and the right to data portability. The existence of t

40
Q

PaaS needs to be built on top of IaaS and cannot be a custom-designed stand-alone architecture.

A.INCORRECT
B.CORRECT

A

A.INCORRECT

Explanation
PaaS doesn’t necessarily need to be built on top of IaaS; there is no reason it cannot be a custom-designed stand-alone architecture. The defining characteristic is that consumers access and manage the platform, not the underlying infrastructure (including cloud infrastructure). Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: P

41
Q

Data and information, such as the content of a database or file storage, are part of which layer of the logical model?

A.Metastructure
B.Applistructure
C.Infostructure
D.Infrastructure

A

C.Infostructure

Explanation
The data and information (content in a database, file storage, etc.) are part of the Infostructure. At a high level, both cloud and traditional computing adhere to a logical model that helps identify different layers based on functionality. This is useful to illustrate the differences between the computing models themselves: • Infrastructure: The core components of a computing system: compute, network, and storage. The foundation that everything else is built on. The moving parts. • Metastru

42
Q

Who manages the web console which is one of the ways the management plane is delivered?

A.Cloud Provider
B.Cloud Access Security Broker
C.Cloud User
D.Super Admin User

A

A.Cloud Provider

Explanation
Web consoles are managed by the provider. They can be organization-specific [typically using Domain Name System (DNS) redirection tied to federated identity]. For example, when you connect to your cloud file-sharing application you are redirected to your own “version” of the application after you log in. This version will have its own domain name associated with it, which allows you to integrate more easily with federated identity. Source: Security Guidance for Critical Areas of Focus in Cloud C

43
Q

Which of the following statements regarding SDN (Software Defined Networking) is not true?

A.SDN Firewalls apply to single assets or groups of assets
B.SDN Firewalls apply to more flexible criteria than hardware based firewalls
C.SDN firewalls define rules that can apply to a specific network location only (within a given virtual network)
D.SDN Firewall can define both ingress and egress rules
E.SDN firewall rules can be applied to any asset or group of assets with a particular

A

C.SDN firewalls define rules that can apply to a specific network location only (within a given virtual network)

Explanation
SDN firewalls are typically policy sets that define ingress and egress rules that can apply to single assets or groups of assets, regardless of network location. SDN firewalls (e.g., security groups) can apply to assets based on more flexible criteria than hardware-based firewalls, since they aren’t limited by physical topology. (Note that this is true of many types of software firewalls, but is distinct from hardware firewalls.)
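The explanation's point, that rules follow an asset's tags rather than its network location, can be shown by evaluating a policy against concrete flows. The Python below is an added example (not from the card, nor any provider's security-group implementation) with a constructed inventory, policy and flows; the rule format, the default-deny semantics in both directions and the inventory addresses are assumptions for the demonstration.

```python
"""Evaluate tag-scoped firewall policy (security-group style) against flows.

Added example. The asset inventory, policy rules, flow format and default-deny
semantics are assumptions for this demonstration, not any provider's rule format.
"""
import ipaddress

# Constructed inventory. web-1 and web-2 share a role but sit in different subnets.
ASSETS = {
    "web-1":   {"ip": "10.0.1.10", "tags": {"role": "web"}},
    "web-2":   {"ip": "10.0.2.10", "tags": {"role": "web"}},
    "db-1":    {"ip": "10.0.3.10", "tags": {"role": "db"}},
    "bastion": {"ip": "10.0.0.5",  "tags": {"role": "bastion"}},
}

# Rules are selected by the asset's tags ("applies_to"), never by its address.
# "peer" is the other end of the flow: a tag selector (dict) or a CIDR (str).
POLICY = [
    {"applies_to": {"role": "web"},     "direction": "ingress", "port": 443,  "peer": "0.0.0.0/0"},
    {"applies_to": {"role": "web"},     "direction": "egress",  "port": 5432, "peer": {"role": "db"}},
    {"applies_to": {"role": "db"},      "direction": "ingress", "port": 5432, "peer": {"role": "web"}},
    {"applies_to": {"role": "db"},      "direction": "ingress", "port": 22,   "peer": {"role": "bastion"}},
    {"applies_to": {"role": "bastion"}, "direction": "egress",  "port": 22,   "peer": {"role": "db"}},
    {"applies_to": {"role": "bastion"}, "direction": "ingress", "port": 22,   "peer": "203.0.113.0/24"},
]


def tags_match(selector, tags):
    return all(tags.get(key) == value for key, value in selector.items())


def peer_matches(peer, endpoint):
    """endpoint is an asset dict or, for hosts outside the inventory, an IP string."""
    if isinstance(peer, dict):
        return isinstance(endpoint, dict) and tags_match(peer, endpoint["tags"])
    ip = endpoint["ip"] if isinstance(endpoint, dict) else endpoint
    return ipaddress.ip_address(ip) in ipaddress.ip_network(peer)


def permitted(endpoint, direction, peer, port, policy):
    """Default deny: True only if some rule for this endpoint's tags allows the flow."""
    if not isinstance(endpoint, dict):
        return True  # external hosts are outside the scope of our policy
    return any(
        rule["direction"] == direction
        and rule["port"] == port
        and tags_match(rule["applies_to"], endpoint["tags"])
        and peer_matches(rule["peer"], peer)
        for rule in policy
    )


def allowed(src, dst, port, assets=ASSETS, policy=POLICY):
    """A flow needs egress permission at the source and ingress permission at the destination."""
    s = assets.get(src, src)
    d = assets.get(dst, dst)
    return permitted(s, "egress", d, port, policy) and permitted(d, "ingress", s, port, policy)


def relocated(assets, name, new_ip):
    """Copy of the inventory with one asset moved to another address/subnet; tags unchanged."""
    moved = dict(assets)
    moved[name] = {**assets[name], "ip": new_ip}
    return moved


if __name__ == "__main__":
    print(allowed("203.0.113.9", "web-2", 443))                                   # True
    print(allowed("web-2", "db-1", 5432))                                        # True
    print(allowed("bastion", "db-1", 22))                                        # True
    print(allowed("web-1", "db-1", 22))                                          # False
    print(allowed("198.51.100.5", "db-1", 5432))                                 # False
    print(allowed("web-2", "db-1", 5432, relocated(ASSETS, "web-2", "10.9.9.10")))  # True
```

Moving web-2 to 10.9.9.10 changes nothing, because no rule mentions an address for it: the policy is attached to role=web, which is the property the card calls "regardless of network location". Real security groups are stateful (return traffic is implied) and some providers allow all egress by default; the model here is deliberately default-deny in both directions so that every decision traces to an explicit rule.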

44
Q

Which of the following allows you to create an infrastructure template to configure all or some aspects of a cloud deployment?

A.Infrastructure
B.Infostructure
C.Applistructure
D.Software-Defined Infrastructure
E.Metastructure

A

D.Software-Defined Infrastructure

Explanation
Software-Defined Infrastructure allows you to create an infrastructure template to configure all or some aspects of a cloud deployment. These templates are then translated natively by the cloud platform or into API calls that orchestrate the configuration. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Business Continuity Wi

45
Q

Identity and Access Management (IAM) includes which of the following?

A.Identification, Authentication and Authorization
B.Identification, Authentication, Authorization and Deletion
C.Identification, Authentication, Authorization and Delegation
D.Identification, Authentication, Authorization and Non-repudiation
E.Identification, Authentication, Authorization and Encryption

A

A.Identification, Authentication and Authorization

Explanation
Identity and Access Management (IAM) includes identification, authentication, and authorizations (including access management). This is how you determine who can do what within your cloud platform or provider. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Securing the Management Plane Domain 6// MANAGEMENT PLANE AND BUSINESS CONTINUITY

46
Q

The key difference between cloud and traditional computing is the infrastructure.

A.INCORRECT
B.CORRECT

A

A.INCORRECT

Explanation
The key difference between cloud and traditional computing is the metastructure. Metastructure is the protocols and mechanisms that provide the interface between the infrastructure layer and the other layers: the glue that ties the technologies together and enables management and configuration. Cloud metastructure includes the management plane components, which are network-enabled and remotely accessible. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Logical Model

47
Q

Which of the following leverages virtual network topologies to run smaller, and more isolated networks without incurring additional hardware costs?

A.Virtual Private Cloud
B.Microsegmentation
C.Converged Networking
D.Virtual Private Networks
E.VLANS

A

B.Microsegmentation

Explanation
Microsegmentation (also sometimes referred to as hypersegregation) leverages virtual network topologies to run more, smaller, and more isolated networks without incurring additional hardware costs that historically make such models prohibitive. Since the entire networks are defined in software without many of the traditional addressing issues, it is far more feasible to run these multiple, software-defined environments. Source: Security Guidance for Critical Areas of Focus in Cl

48
Q

The Cloud Security Alliance STAR Registry is used for which of the following purposes?

A.To publicly release certifications and attestations
B.Used by cloud providers to keep all the service contracts and service level agreements
C.List all cloud security controls mapped to multiple security standards
D.Used by cloud providers to document their security and compliance controls

A

A.To publicly release certifications and attestations

Explanation
Cloud providers should understand that customers still need assurance that the provider meets their contractual and regulatory obligations, and should thus provide rigorous third-party attestations to prove they meet their obligations, especially when the provider does not allow direct customer assessments. These should be based on industry standards, with clearly defined scopes and the list of specific controls evaluated. Publishing certifications and attestations (to the degree legally allowed

49
Q

Which communication method is used by customers to access database information using a web console?

A.Extensible Markup Language (XML)
B.Software Development Kits (SDKs)
C.Cross-Origin Resource Sharing (CORS)
D.Application Programming Interface (API)
E.Security Assertion Markup Language (SAML)

A

D.Application Programming Interface (API)

Explanation
The customer manages the database via API (and a web console) and accesses it either through the normal database network protocols, or, again, via API. One option, frequently seen in the real world is to build a platform on top of IaaS. A layer of integration and middleware is built on IaaS, then pooled together, orchestrated, and exposed to customers using APIs as PaaS. For example, a Database as a Service could be built by deploying modified database management system software on instances run

50
Q

Which of the following is a key tool in enabling and enforcing separation and isolation in a multi-tenancy environment?

A.Infrastructure
B.Infostructure
C.Applistructure
D.Metastructure

A

D.Metastructure

Explanation
The management plane is a key tool for enabling and enforcing separation and isolation in multitenancy. Limiting who can do what with the APIs is one important means for segregating out customers, or different users within a single tenant. Resources are in the pool, out of the pool, and where they are allocated. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Management Plane Security Domain 6// MANAGEMENT PLANE AND BUSINESS CONTINUITY

51
Q

The management plane controls and configures which of the following?

A.Metastructure
B.Infrastructure
C.Applistructure
D.Infostructure

A

A.Metastructure

Explanation
The management plane controls and configures the metastructure, and is also part of the metastructure itself. As a reminder, cloud computing is the act of taking physical assets (like networks and processors) and using them to build resource pools. Metastructure is the glue and guts to create, provision, and de-provision the pools. The management plane includes the interfaces for building and managing the cloud itself, but also the interfaces for cloud users to manage their own allocated resourc

52
Q

How will you ensure that you have provided sufficient encryption protection to your data in the cloud?

A.Encrypt the data only as it leaves the cloud
B.Encrypt the data at rest when it is stored in the cloud
C.None of these
D.Ensure that you are encrypting your data as it moves to the cloud
E.Do not encrypt the data when it is close to the cloud

A

D.Ensure that you are encrypting your data as it moves to the cloud

Explanation
Ensure that you are protecting your data as it moves to the cloud. This necessitates understanding your provider’s data migration mechanisms, as leveraging provider mechanisms is often more secure and cost effective than “manual” data transfer methods. Use the appropriate encryption option based on the threat model for your data, business, and technical requirements. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Securing Cloud Data Transfers Dom

53
Q

Which of the following governance domains focuses on proper and adequate incident detection, response, notification and remediation?

A.Compliance and Audit Management
B.Incident Response
C.Information Governance
D.Information Governance and Enterprise Risk Management
E.Infrastructure Security

A

B.Incident Response

Explanation
The Incident Response Lifecycle as defined in the NIST 800-61rev2 document includes the following phases and major activities: Preparation: “Establishing an incident response capability so that the organization is ready to respond to incidents.” Detection and Analysis • Alerts [endpoint protection, network security monitoring, host monitoring, account creation, privilege escalation, other indicators of compromise, SIEM, security analytics (baseline and anomaly detection), and user behaviour anal

54
Q

Which of the following statements about CSA’s CCM and Security Guidance is not true?

A.CSA’s CCM tells you WHAT to do. CSA’s Security Guidance tells you HOW to do it
B.CSA’s Security Guidance provides a set of best practices and recommendations
C.CSA’s CCM provides a set of controls and maps them to multiple security and compliance standards
D.CSA’s Security Guidance tells you WHAT to do. The CCM tells you how to do it

A

D.CSA’s Security Guidance tells you WHAT to do. The CCM tells you how to do it

Explanation
The Cloud Controls Matrix (CCM) lists cloud security controls and maps them to multiple security and compliance standards. The CCM can also be used to document security responsibilities (WHAT to do). CSA’s Security Guidance provides a set of best practices and recommendations (HOW to do it). Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Cloud Security Scope, Responsibilities, and Models Domain 1 // CLOUD COMPUTING CONCEPTS AND ARCHITECTURE

55
Q

Which of the following is a cloud infrastructure that is shared by several organizations and supports a specific group that has shared concerns?

A.Common Cloud
B.Community Cloud
C.Public Cloud
D.Private Cloud
E.Hybrid Cloud

A

B.Community Cloud

Explanation
Community Cloud is the cloud infrastructure that is shared by several organizations and supports a specific community that has shared concerns (e.g. mission, security requirements, policy, or compliance considerations). Community Cloud - The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g. mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or by a third party and may

56
Q

When entrusting a third party to process the data on its behalf, who remains responsible for the collection and processing of the data?

A.Data Protector
B.Data Controller
C.Data Processor
D.Data Analyzer

A

B.Data Controller

Explanation
When entrusting a third party to process data on its behalf (a data processor), a data controller remains responsible for the collection and processing of that data. The data controller is required to ensure that any such third parties take adequate technical and organizational security measures to safeguard the data. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Legal Frameworks Governing Data Protection and Privacy Domain 3 // LEGAL ISSUES, CONTRACTS AND

57
Q

What is meant by “lock-in”?

A.Lock-in applies when you are contractually unable to export your data
B.Exporting data out of a provider would require significant effort
C.Data exported can be used only with the original provider’s services
D.All of these are correct

A

D.All of these are correct

Explanation
Lock-in occurs when you cannot easily change providers and export data. It can be addressed only through strong due diligence processes for adopting cloud service providers.

58
Q

Which of the following needs to be part of business continuity planning by the customer?

A.Determining how to guarantee availability in the DR region by discussing your DR plans with the vendor
B.Determining how the IaaS provider will fix any availability issues in your application
C.Using contracts to ensure that DR does not result in a different jurisdiction being used to store and process data
D.Implementing chaos engineering

A

A.Determining how to guarantee availability in the DR region by discussing your DR plans with the vendor

Explanation
You need to consult your vendor to determine guaranteed availability in the region. Not all regions have the same amount of capacity and may be over-subscribed in the event of failure in another region. An IaaS provider will not address issues with your own applications. Although data residency regulations may be critical to some companies in certain lines of business, not all companies will face this issue, so C is not the best answer. Chaos engineering may not be for everyone.

59
Q

What is infrastructure as code (IaC)?

A.IaC uses templates to build your virtual network infrastructure
B.IaC uses templates to build an entire virtual infrastructure, ranging from networking through to systems
C.IaC is a ticketing system through which additional instances are requested from the provider
D.IaC is a ticketing system through which limit increases are requested from the provider

A

B.IaC uses templates to build an entire virtual infrastructure, ranging from networking through to systems

Explanation
The best answer is that IaC uses templates to build an entire virtual infrastructure, ranging from networking through to systems. Using IaC, you can not only build an entire infrastructure, including server instances based on configured images, but some IaaS providers go so far as to support the configuration of servers at boot time. It is not a ticketing system.

60
Q

What is the release cycle for new functionality?

A.API functionality is released first, followed by CLI, followed by web console
B.CLI functionality is released first, followed by API, followed by web console
C.Web console and API functionality are released first, followed by CLI
D.The method used to expose new capabilities is determined by the provider

A

D.The method used to expose new capabilities is determined by the provider

Explanation
Connection methods and functionality exposed to customers are always dependent on the provider. Providers may expose new functionality in many different ways.