Flashcards in “CCSK: Certificate of Cloud Security Knowledge 6 of 6 Practice

1
Q

What are the Three Vs of big data according to the CSA?

A.High velocity, high volume, high variance
B.High velocity, high volume, high variety
C.High validation, high volume, high variety
D.High value, high variance, high velocity

A

B.High velocity, high volume, high variety

Explanation:
The Three Vs are high volume, high velocity, and high variety. This means a big data system has to process a high volume of data that is coming in at a high rate of speed and that can be in multiple formats (structured, unstructured, and streamed).

2
Q

Which of the following is not considered a serverless platform according to the CSA?

A.Load balancer
B.DNS Server
C.Notification service
D.Object storage

A

B.DNS Server

Explanation:
The DNS server is not a serverless option according to CSA. Hold on, because there’s a learning lesson to be had here. Providers may very well offer a DNS service to customers. That’s not what is written here, though. Take your time when reading questions on your exam to make sure you aren’t tricked by wording. You can absolutely build your own DNS server in an IaaS environment, or you can consume a DNS service if the provider offers one. The other possible answers are listed as serverless platforms.

3
Q

When should input validation be performed?

A.When using the cloud as the backend for mobile applications
B.When using the cloud as the backend for IoT devices
C.When using cloud services to support a big data system
D. All of these

A

D. All of these

Explanation:
It is a security best practice always to perform input validation on any incoming network traffic. This includes all the technologies listed.

4
Q

According to the CSA, which of the following is an attribute of the cloud that makes it ideal to support mobile applications?

A.Cost of running required infrastructure
B.Distributed geographical nature of cloud
C.Inherent security associated with cloud service
D.Both (Distributed geographical nature of cloud) and (Inherent security associated with cloud services)

A

B.Distributed geographical nature of cloud

Explanation:
The only listed attribute in the CSA Guidance regarding mobile application suitability for the cloud is the geographical nature of cloud. Yes, a cloud environment may be more secure, but this is, of course, a shared responsibility. You are never guaranteed that running in the cloud will be cheaper than running systems in your own data center.

5
Q

Which of the following is listed by ENISA as a way for SaaS or PaaS providers to protect their customers?

A.Provider should have redundant storage in place
B.Providers should have source code escrow agreement in place
C.Customers should have contractual agreements that list penalties for loss of code
D.All of these are correct

A

B.Providers should have source code escrow agreement in place

Explanation:
To ensure that SaaS or PaaS software is not orphaned or abandoned in the event of a provider’s failure, customers should seek to ensure that providers have a code escrow agreement in place with a third-party escrow agent. Although the other answers are good ideas for protecting customers, only code escrow agreements are listed in the ENISA documentation.

6
Q

According to the ENISA documentation, which of the following may be used in IaaS to address portability?

A.OVF
B.WAF
C.IAM
D.DAM

A

A.OVF

Explanation:
The ENISA document calls out the open virtualization format (OVF) as potentially beneficial for addressing portability in an IaaS environment.

7
Q

Why is data deletion considered a top security risk according to ENISA?

A.Because of the shared nature of storage
B.Because of the inability to verify that data is adequately deleted
C.Because SSD drives cannot reliably wipe data
D.Both (Because of the shared nature of storage) and (Because of the inability to verify that data is adequately deleted)

A

D.Both (Because of the shared nature of storage) and (Because of the inability to verify that data is adequately deleted)

Explanation:
Insecure or incomplete data deletion is a risk in cloud because of the shared nature of storage and the inability to verify that data is adequately deleted. Although SSD wiping is possible (only with vendor-supplied tools), this is not listed as a reason in the document. It is also not true that all providers use SSD for storage of customer data.

8
Q

Select the option that is not an essential characteristic of cloud computing.

A.Third Party Service
B.Broad Network Access
C.Rapid Elasticity
D.Measured Service

A

A.Third Party Service

9
Q

The logical design of a data center might be affected by which of the following?

A.Virtualization technology
B.Cloud management plane
C.Multi tenancy
D.All of the above

A

D.All of the above

10
Q

Which of the following guidelines should be followed when utilizing encryption?
1. Encrypt using sufficiently durable encryption strengths
2. Use open, validated formats
3. Use proprietary encryption formats whenever possible

A.All of these
B.Only 1 and 3
C.Only 2 and 3
D.None of these
E.Only 1 and 2

A

E.Only 1 and 2

11
Q

Storage encryption provides protection against what?

A.Side channel attacks
B.APT
C.Hardware theft
D.SQL Injection

A

C.Hardware theft

12
Q

What is a Controller in the context of Privacy and Data Protection?

A.A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the Customer
B.The natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data
C.One who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specified to his/her physical, physiological, mental, economic, cultural or social identity

A

B.The natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data

13
Q

The “authentication” component of identity, entitlement and access management (IdEA) is best defined by which of the following?

A.The process of specifying and maintaining access policies
B.Establishing/asserting the identity to the application
C.Updating security protocols to the latest version
D.A guarantee that data in repository is 100% regulated

A

B.Establishing/asserting the identity to the application

14
Q

According to ENISA, which of the following is an example of a user provisioning vulnerability?

A.Credentials are vulnerable to interception and replay
B.Poorly managed backups or archival systems
C.Government access to biometric information
D.Remote access to management interface

A

A.Credentials are vulnerable to interception and replay

15
Q

To address application security in a cloud computing environment, how should an SDLC be modified?

A.Updated threat and trust models
B.Integrated development environments
C.No modification needed
D.Just-in-time compilers

A

A.Updated threat and trust models

16
Q

How often should incident response testing occur?

A.Semi-annually
B.Quarterly
C.Monthly
D.Annually

A

D.Annually

17
Q

Which logical model holds the management plane that is exposed to customers?

A.Infostructure
B.Applistructure
C.Metastructure
D.Infrastructure

A

C.Metastructure

Explanation:
The management plane is part of the metastructure logical model.

18
Q

You are running a web server in an IaaS environment. You get a call from a customer saying the server appears to have been compromised. Which logical model has been impacted?

A.Infostructure
B.Applistructure
C.Metastructure
D.Infrastructure

A

B.Applistructure

Explanation:
The web server is part of the applistructure. The controls surrounding the web server would be implemented at the metastructure level, but the web server itself is at the applistructure level (and data is at the infostructure layer).

19
Q

Which of the following is NOT an essential characteristic of cloud as per NIST?

A.Multitenancy
B.Elasticity
C.Resource pooling
D.On-demand self-service

A

A.Multitenancy

Explanation:
NIST doesn’t call out multitenancy as an essential characteristic. ISO, however, does call out multitenancy as part of the resource-pooling essential characteristics.

20
Q

In which logical model would you implement a virtual firewall?

A.Infostructure
B.Applistructure
C.Metastructure
D.Infrastructure

A

C.Metastructure

Explanation:
All controls in the virtual environment are performed at the metastructure layer. If the question asked about installing a firewall agent, that would occur at the applistructure layer.

21
Q

How is one consumer’s access tightly isolated from that of other consumers in a public cloud environment?

A.Strong passwords
B.RBAC
C.Policies at the provider side
D.Policies at the customer side

A

C.Policies at the provider side

Explanation:
Tenants are protected by policies at the provider side. Consider, for example, network sniffing. One tenant will never see network traffic destined for another tenant. As a general rule, one tenant should never know that another tenant even exists. Although consumers will also have their own policies in place, the provider must ensure that there is strong isolation of workloads and tenants. This makes C the best answer.

22
Q

Orchestration enables a controller to request resources from a pool of resources. How is this done?

A.Ticketing system prioritizes clients based on support level
B.Through the use of REST APIs
C.Through the use of RPC
D.Via network calls

A

B.Through the use of REST APIs

Explanation:
Orchestration generally uses REST API calls. Although orchestration is, of course, performed across a network, the best answer is REST API calls. This is an example of the tricks that test writers like to pull on candidates.

23
Q

You are instructed to build a server with eight CPUs and 8GB of RAM. Which service model would you use?

A.SaaS
B.PaaS
C.IaaS
D.No cloud provider supports a machine with 8 CPUs

A

C.IaaS

Explanation:
This is a prime example of why you would use IaaS—access to core foundational computing.

24
Q

Your company is using a PaaS provider to host a Python 2.7–based application. One day, the provider sends you an e-mail stating they will no longer support the Python 2.7 platform and all applications must be upgraded to use Python 3.6 within two weeks. What is the first action you should take?

A.Test the application in Python 3.6
B.Tell the provider you can’t meet this timeline
C.Providers are restricted by law from doing this
D.Launch a lawsuit against the provider for pain and suffering

A

A.Test the application in Python 3.6

Explanation:
When a platform is deprecated (no longer supported), the provider will generally give you access to a test environment where you can test your application using the new platform. As for the time provided in the question, it’s a bit extreme based on what I’ve experienced, but there is no law stopping a provider from giving you hours to migrate, let alone weeks.

25
Q

Chris is looking to procure a new CRM SaaS solution for his organization’s business unit. What is the first step Chris should take as part of performing a risk assessment of a potential vendor?

A.Determine monthly costs
B.Ask reference clients about their satisfaction with the product
C.Determine the level of sensitivity of data that will be stored in the application
D.Obtain and review supplier documentation

A

D.Obtain and review supplier documentation

Explanation:
The first step in performing a risk assessment is requesting documentation.

26
Q

Pat is looking for an industry standard set of controls that are cloud specific. What can Pat select controls from to create a baseline risk assessment process?

A.ISO 27001
B.NIST RMF
C.COBIT
D.CCM

A

D.CCM

Explanation:
The CCM has a series of controls that are cloud specific. None of the other answers are applicable.

27
Q

Your IaaS vendor assures you that your applications will be PCI compliant if you use their cloud offering. What is wrong with this statement?

A.The vendor has no idea what they are talking about
B.The vendor is lying to you
C.The vendor doesn’t understand the shared responsibility model of cloud
D.All of these are true

A

D.All of these are true

Explanation:
All of the statements are applicable.

28
Q

How often should risk assessments be performed against a cloud service provider?

A.Upon initial assessment prior to on-boarding
B.Upon initial assessment and on an ongoing basis
C.Providers don’t allow customers to perform risk assessments
D.There are no risks associated with cloud services

A

B.Upon initial assessment and on an ongoing basis

Explanation:
Risk assessments should be performed prior to and throughout the use of a provider’s offering.

29
Q

Virtualization security in cloud computing is the responsibility of the cloud provider.

A.INCORRECT
B.CORRECT

A

A.INCORRECT

Explanation:
Virtualization security in cloud computing follows the shared responsibility model. The cloud provider will always be responsible for securing the physical infrastructure and the virtualization platform itself. Meanwhile, the cloud customer is responsible for properly implementing the available virtualized security controls and understanding the underlying risks, based on what is implemented and managed by the cl

30
Q

Which of the following statements regarding SDN (Software Defined Networking) is not CORRECT?

A.Abstracts the network management plane from physical infrastructure
B.Is defined using software settings and API calls
C.Does not overlay the overlapping addresses
D.Supports orchestration and agility
E.Segregates and isolates traffic properly

A

C.Does not overlay the overlapping addresses

Explanation:
You can overlay multiple virtual networks using SDN, even the ones that completely overlap their address ranges. SDN abstracts the network management plane from the underlying physical infrastructure, removing many typical networking constraints. For example, you can overlay multiple virtual networks, even ones that completely overlap their address ranges, over the same physical hardware, with all traffic properly segregated and isolated. SDNs are also defined using software settings and API cal

31
Q

Containers provide full security isolation and task segregation.

A.INCORRECT
B.CORRECT

A

A.INCORRECT

Explanation:
Containers don’t necessarily provide full security isolation, but they do provide task segregation. That said, virtual machines typically do provide security isolation. Thus you can put tasks of equivalent security context on the same set of physical or virtual hosts in order to provide greater security segregation.

32
Q

Which of the following refers to a model that allows customers to closely match resource consumption with demand?

A.Measured service
B.Rapid elasticity
C.Broad network access
D.On-demand Self-service
E.Resource Pooling

A

B.Rapid elasticity

Explanation:
Rapid elasticity allows consumers to expand or contract the resources they use from the pool (provisioning and deprovisioning), often completely automatically. This allows them to more closely match resource consumption with demand (for example, adding virtual servers as demand increases, then shutting them down when demand drops).
Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0, Topic: Essential Characteristics, Domain 1 // Cloud Computing Concepts and Architectures

33
Q

Which of the following statements regarding cloud platform architecture is CORRECT?

A.Single cloud assets are traditional infrastructure should be combined together to provide more resilient infrastructure
B.Single cloud assets are equally resilient as traditional infrastructure
C.Single cloud assets are typically more resilient than the traditional infrastructure
D.Single cloud assets are typically less resilient than the traditional infrastructure

A

D.Single cloud assets are typically less resilient than the traditional infrastructure

Explanation:
Cloud platforms can be incredibly resilient, but single cloud assets are typically less resilient than in the case of traditional infrastructure. This is due to the inherently greater fragility of virtualized resources running in highly-complex environments. This mostly applies to compute, networking, and storage, since those allow closer to raw access, and cloud providers can leverage additional resiliency techniques for their platforms and applications that run on top of IaaS.
Source: Security

34
Q

Infrastructure in the cloud cannot be defined and implemented through templates and automation.

A.INCORRECT
B.CORRECT

A

A.INCORRECT

Explanation:
Infrastructure is more often in scope for application testing due to “infrastructure as code,” where the infrastructure itself is defined and implemented through templates and automation. Security testing should be integrated into the deployment process and pipeline. Testing tends to span this and the Secure Deployment phase, but leans towards security unit tests, security functional tests, Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST). Due to the ov

35
Q

CI/CD pipelines can enhance security through support of which of the following?

A.Immutable infrastructure
B.Manual security testing
C.Restricted logging on infrastructure
D.Restricted logging on application

A

A.Immutable infrastructure

Explanation:
CI/CD pipelines can enhance security through support of immutable infrastructure (fewer manual changes to production environments), automating security testing, and extensive logging of application and infrastructure changes when those changes run through the pipeline. When configured properly, logs can track every code, infrastructure, and configuration change and tie them back to whoever submitted the change and whoever approved it; they will also include any testing results.
Source: Security

36
Q

You do not trust your SaaS provider and have chosen to encrypt all of your data. Which of the following is CORRECT in this situation?

A.You can continue with the provider as encrypting all the data will take care of the trust issue
B.You don’t have to ensure the security of the device if you have encrypted the data
C.Encrypting everything may lead to INCORRECT sense of security
D.You have ensured the security of your data by encrypting it

A

C.Encrypting everything may lead to INCORRECT sense of security

Explanation:
Encrypting everything in SaaS because you don’t trust that provider at all likely means that you shouldn’t be using the provider in the first place. But encrypting everything is not a cure-all and may lead to an INCORRECT sense of security, e.g., encrypting data traffic without ensuring the security of the devices themselves.
Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0, Topic: Introduction, Domain 10 // Data Security and Encryption

37
Q

Which of the following regarding customer managed keys is CORRECT?

A.Cloud customer and provider jointly manage the encryption engine and cloud customer manages their own encryption key
B.Cloud customer and provider jointly manage the encryption key and encryption engine
C.Cloud customer manages both the encryption key and the encryption engine
D.Provider manages the encryption key and cloud customer manages the encryption engine
E.Cloud customer manages the encryption key and the provider manages the encryption engine

A

E.Cloud customer manages the encryption key and the provider manages the encryption engine

Explanation:
A customer-managed key allows a cloud customer to manage their own encryption key while the provider manages the encryption engine. For example, using your own key to encrypt SaaS data within the SaaS platform. Many providers encrypt data by default, using keys completely in their control. Some may allow you to substitute your own key, which integrates with their encryption system. Make sure your vendor’s practices align with your requirements.
Source: Security Guidance for Critical Areas of Foc

38
Q

Which of the following is the most obvious form of provider lock-in?

A.Meta-data Lock-in
B.Infrastructure Lock-in
C.Application Lock-in
D.Data Lock-in

A

C.Application Lock-in

Explanation:
Application lock-in is the most obvious form of lock-in (although it is not specific to cloud services). SaaS providers typically develop a custom application tailored to the needs of their target market. SaaS customers with a large user-base can incur very high switching costs when migrating to another SaaS provider as the end-user experience is impacted (e.g., re-training is necessary). Where the customer has developed programs to interact with the provider’s API directly (e.g., for integration

39
Q

“Cloud Provider Acquisition” is which form of risk?

A.Compliance Risk
B.Policy and Organization Risk
C.Technical Risk
D. Legal Risk

A

B.Policy and Organization Risk

Explanation:
Policy and Organization risks cover the following:
1. Lock-in
2. Loss of governance
3. Compliance challenges
4. Loss of business reputation due to co-tenant activities
5. Cloud service terminations or failure
6. Cloud provider acquisitions
7. Supply chain failures
Source: ENISA, Topic: Risks

40
Q

Inability to provide sufficient capacity to a customer can lead to which of the following?

A.Data leakage
B.Denial of Service (DoS)
C.Resource exhaustion
D.Abuse of high privileged roles
E.Isolation failure

A

C.Resource exhaustion

Explanation:
RESOURCE EXHAUSTION (UNDER OR OVER PROVISIONING): There is a level of calculated risk in allocating all the resources of a cloud service, because resources are allocated according to statistical projections. Inaccurate modelling of resource usage (common resource allocation algorithms are vulnerable to distortions of fairness) or inadequate resource provisioning and inadequate investments in infrastructure can lead, from the CP perspective, to: · Service unavailability: failure in certain hig

41
Q

Which of the following defines the amount of risk that the leadership and stakeholders of an organization are willing to accept?

A.Risk Target
B.Residual Risk
C.Risk Tolerance
D.Risk Acceptance

A

C.Risk Tolerance

Explanation:
Risk tolerance is the amount of risk that the leadership and stakeholders of an organization are willing to accept. It varies based on asset and you shouldn’t make a blanket risk decision about a particular provider; rather, assessments should align with the value and requirements of the assets involved. Just because a public cloud provider is external and a consumer might be concerned with shared infrastructure for some assets doesn’t mean it isn’t within risk tolerance for all assets. Over tim

42
Q

Which of the following SecaaS solutions can be used to inspect HTTP traffic and can stop DDoS attacks?

A.BC/DR
B.WAF
C.CASB
D.Web Filtering

A

B.WAF

Explanation:
Web application firewalls (WAFs) can inspect network traffic at layer 7 and understand HTTP traffic as a result.

43
Q

Which of the following SecaaS solutions can be used to enforce your policies using someone else’s systems?

A.WAF
B.Web Filtering
C.E-mail security
D.All of these

A

D.All of these

Explanation:
All of these is the correct answer. SecaaS generally enables you to enforce your policies using your provider’s systems.

44
Q

You ask your SecaaS provider for an export of web filtering log data. They tell you that you can access the data using only their tools. What is the problem with this?

A.This may be a lock-in scenario
B.You need to be able to export data in a CSV format for analytical purposes
C.Data cannot be ingested into a SIEM
D.All of these are correct

A

A.This may be a lock-in scenario

Explanation:
If a vendor forces you to use their platform to read log data, this will likely lead to a lock-in scenario. You will be required to maintain the relationship to access data that you will likely need to demonstrate compliance and/or satisfy legal requirements. The other answers may or may not be true.

45
Q

What criteria must a SecaaS meet?

A.Must have a security product or service delivered as a cloud service
B.Must have a SOC 2 report and/or ISO/IEC 27001 certification
C.Must meet the essential characteristic of cloud computing
D.Both (must have a security product or service delivered as a cloud service) and (Must meet the essential characteristics of cloud computing)

A

D.Both (must have a security product or service delivered as a cloud service) and (Must meet the essential characteristics of cloud computing)

Explanation:
In order to be considered a SecaaS service, the provider must have a security product or service delivered as a cloud service and must meet the essential characteristics of the cloud. SOC or ISO/IEC is not listed as a requirement.

46
Q

What is NOT listed as a benefit of SecaaS?

A.Insulation of clients
B.Cost savings
C.Deployment flexibility
D.Intelligence sharing

A

B.Cost savings

Explanation:
Yes, this is a tricky answer. Note the “cost” benefit doesn’t say you will save money using a SecaaS service. It says you can “pay as you grow.” Does this mean SecaaS is cheaper? Not necessarily. In fact, it could be more expensive than internal systems you use today.

47
Q

Which of the following best defines the IDS/IPS SecaaS?

A.Local agents are installed on workstations
B.Local agents are installed on servers
C.Agents feed data to the cloud provider instead of local servers
D.All of these are correct

A

C.Agents feed data to the cloud provider instead of local servers

Explanation:
IDS/IPS systems ingest data from agents and analyze such data in the provider’s environment.

48
Q

What can be performed by security assessment SecaaS?

A.Traditional network assessment
B.Assessment of server instances in a cloud
C.Assessment of applications
D.All of these

A

D.All of these

Explanation:
All of the listed activities can be performed by a security assessment SecaaS.

49
Q

What does a web security gateway SecaaS solution do?

A.Inspects web traffic
B.Limits web sites that users can access
C.Encrypts connections
D.Both (inspects web traffic) and (Limits web sites that users can access)

A

D.Both (inspects web traffic) and (Limits web sites that users can access)

Explanation:
Web security gateways offer a protective control that can inspect web traffic for malware and limit the web sites that users can access. They do not perform encryption.

50
Q

What is NOT a disadvantage associated with SecaaS?

A.Lack of multi tenancy
B.Handling of regulated data
C.Migrating to SecaaS
D.Lack of visibility

A

A.Lack of multi tenancy

Explanation:
Strong multitenancy is something you should check for when performing due diligence of a provider, because a lack of it could cause issues, specifically if other tenant data is compromised as a result of an e-discovery request against another tenant.

51
Q

How can data transfers be sped up when using BC/DR SecaaS?

A.Using compression supplied by the provider
B.Implementing a local gateway device
C.Using de-duplication techniques supplied by the provider
D.Both (Using compression supplied by the provider) and (Using de-duplication techniques supplied by the provider)

A

B.Implementing a local gateway device

Explanation:
The correct answer is to implement a local gateway device. Though a local gateway may speed up data transfers by using the other techniques, they are not identified directly.

52
Q

What is the authoritative source of identity?

A.The system from which identities are propagated
B.HR System
C.Directory Services System
D.Cloud provider’s IAM system

A

A.The system from which identities are propagated

Explanation:
The authoritative source of identities can be any system. It is the system in which user accounts are created and then propagated out to others. This could be the directory server in some environments, or it could be the HR system in others. You never want the cloud service with which you are creating a federated link to be the authoritative source or the identity provider.

53
Q

When creating federated identity with an IaaS provider, which party is the relying party and which is the identity provider?

A.The organization is the relying party and the IaaS provider is the identity provider
B.The organization is the identity provider and the IaaS provider is the relying party
C.The organization is both the identity provider and the relying party because it is reliant on the cloud provider to implement federation
D.The cloud provider is both the identity provider and the relying party in a federated model

A

B.The organization is the identity provider and the IaaS provider is the relying party

Explanation:
The organization is the identity provider, and the IaaS provider is the relying party. You always want to retain the role of the identity provider when establishing federation.

54
Q

Which standard uses the concepts of policy decision points (PDPs) and policy enforcement points (PEPs)?

A.SAML
B.OAuth
C.XACML
D.SCIM

A

C.XACML

Explanation:
XACML uses the concepts of policy decision and policy enforcement points. XACML is used for more fine-grained access control decisions and can work with SAML or OAuth. XACML implementations are rare.

55
Q

What is the difference between an identity and a persona?

A.Your identity is your username, your persona is the group you are a member of
B.Your identity is your username; your persona is your identity and all other attributes associated with you in a specific situation
C.Your identity is used to authorize you; your persona is used to authenticate you
D.Your identity is used to authenticate you; your persona is used to authorize you

A

B.Your identity is your username; your persona is your identity and all other attributes associated with you in a specific situation

Explanation:
Your identity is your username, and your persona is your identity and all other attributes in a specific situation.

56
Q

Where should encryption of data be performed in a big data system?

A.Primary Storage
B.Intermediary Storage
C.In memory
D.Both (Primary storage) and (intermediary storage)

A

D.Both (Primary storage) and (intermediary storage)

Explanation:
Encryption (if required) of big data must be performed at all storage locations, including primary and intermediary locations.

57
Q

What is Spark used for in big data?

A.Spark is a big data storage file system
B.Spark is a machine learning module
C.Spark is a big data processing module
D.Spark is for storing big data

A

C.Spark is a big data processing module

Explanation:
Spark is a processing module for Hadoop that is considered the next generation of MapReduce. Although Hadoop was discussed only as part of a big data backgrounder, it is specifically called out in the core text of this book and CSA Guidance as a big data processing module.

58
Q

Which of the following has led to IoT device security issues in the past?

A.Embedding of credentials in the device
B.Lack of encryption
C.Lack of update mechanisms for IoT devices
D.All of these

A

D.All of these

Explanation:
All of the answers listed have led to security issues in the past for IoT devices.

59
Q

Why may entitlement matrices be complicated when using them for big data systems?

A.Multiple components are associated with big data implementations
B.Several components do not allow for granular entitlements
C.Cloud environment components are being leveraged as part of a big data implementation
D.Both (Multiple components are associated with big data implementations.) and (Cloud environment components are being leveraged as part of a big data implementation)

A

D.Both (Multiple components are associated with big data implementations.) and (Cloud environment components are being leveraged as part of a big data implementation)

Explanation:
CSA states that entitlement matrices can be complicated by both the number of components in a big data system as well as the cloud resources that may be leveraged as part of a big data implementation.

60
Q

What are the common components associated with a big data system?

A.Distributed Collection
B.Distributed Storage
C.Distributed Processing
D. All of these

A

D. All of these

Explanation:
A big data system consists of distributed collection, distributed storage, and distributed processing.