(ISC)² Certified Cloud Security Professional Exam 2 (CCSP) Practice (Aris Athanasiou) Flashcards

1
Q

Which of the following is not an essential cloud characteristic according to NIST?

A. Measured Service
B. Rapid Elasticity
C. Resilient Infrastructure
D. Broad Network Access

A

C. Resilient Infrastructure

Explanation:
Resilient infrastructure is not an essential cloud characteristic. The 5 characteristics are:

On-demand self-service

Broad network access

Resource pooling

Rapid elasticity

Measured Service

2
Q

What type of feature can we expect to find in any data center tier of any Uptime Institute tier?

A. All operational components
B. Twelve hours of on-site fuel storage
C. Full Power Capabilities
D. All Infrastructure

A

B. Twelve hours of on-site fuel storage

Explanation:
Twelve hours of on-site fuel storage is a requirement for all 4 tiers of the Uptime Institute.

3
Q

Which of the following is not an offering of a cloud service broker according to NIST’s cloud computing reference architecture?

A. Service Intermediation
B. Service Arbitrage
C. Service Aggregation
D. Service Refinement

A

D. Service Refinement

Explanation:
According to NIST, Cloud Service Brokers (CSBs) manage the use, performance, and delivery of cloud services and negotiate relationships between cloud providers and cloud consumers. The 3 types of services they offer are:

Service intermediation

Service aggregation

Service arbitrage

4
Q

Tokenization typically includes two distinct

A. Databases
B. Microservices
C. Hashing Functions
D. Encryption Keys

A

A. Databases

Explanation:
Tokenization is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token. Tokenization typically involves two databases, one with the original data as well as one holding the mapping between the tokens and the tokenized data.

5
Q

What does AAA stand for in the information security context?

A. Authentication, Authorization, and Access
B. Authentication, Authorization, and Accounting
C. Administration, Authentication and Authorization
D. Administration, Authentication and Audit Trail

A

B. Authentication, Authorization, and Accounting

Explanation:
AAA stands for Authentication, Authorization and Accounting.

You can read more here.
https://en.wikipedia.org/wiki/AAA_(computer_security)

6
Q

What is the relationship between Organizational Normative Framework (ONF) and Application Normative Framework (ANF) in terms of multiplicity?

A. 1 to 1
B. Many to Many
C. 1 to Many
D. Many to 1

A

C. 1 to Many

Explanation:
The multiplicity relationship between ONF and ANF is 1 to N (1 to many).

7
Q

Which of the following is not a typical capability of a DRM tool?

A. Dynamic Policy Control
B. Automatic Expiration
C. Trapdoor permutation
D. Persistent Protection

A

C. Trapdoor permutation

Explanation:
Trapdoor permutation is a cryptographic term and is not a capability of a DRM tool. You can read more about trapdoor functions here.

8
Q

Software configuration management and versioning are necessary for application security. Which of the following is not an established configuration management tool?

A. Nexus
B. Puppet
C. SaltStack
D. Chef

A

A. Nexus

Explanation:
Nexus is an artifact repository and not a configuration management tool.

9
Q

A medium-size retailer decides to deploy a database activity monitoring (DAM) to protect their relational database holding customer data. Which attack can the DAM mitigate?

A. XSS
B. DBKill
C. SQLi
D. CSRF

A

C. SQLi

Explanation:
Database activity monitoring (DAM) is a database security technology for monitoring and analyzing database activity.

DAM can prevent SQL injection by monitoring the application activity, generating a baseline of behaviour, and identifying a potential attack based on divergence from normal SQL queries and sequences.

10
Q

Which of the following is not true about elliptic-curve cryptography (ECC)?

A. It can provide the same level of security as RSA
B. It is a form of symmetric key cryptography
C. It uses smaller size keys compared to other similar cryptographic schemes
D. It relies on the discrete logarithm problem

A

B. It is a form of symmetric key cryptography

Explanation:
Elliptic-curve cryptography (ECC) is not a form of symmetric-key cryptography; all the other statements are true.

11
Q

How can the Consensus Assessments Initiative Questionnaire (CAIQ) help organisations with their cloud strategy/implementation?

A. Provides a list of questions cloud service providers can use to perform background checks on their employees, minimising internal threat risk
B. Provides a list of questions organized in control domains which can be used to allow cloud consumers and auditors to assess the security capabilities of a cloud service provider
C. Provides a list of questions cloud service providers can use to screen prospective cloud service consumers, ensuring they don't pose a risk to other tenants
D. Provides a list of questions mapped to different regulatory frameworks which can be used by cloud consumers to assert if they are compliant

A

B. Provides a list of questions organized in control domains which can be used to allow cloud consumers and auditors to assess the security capabilities of a cloud service provider

Explanation:
The CAIQ from CSA is a document that can be used to enable cloud consumers and auditors to assess the security capabilities of a cloud service provider.

12
Q

Which of the following is not a value included in the Agile manifesto?

A. Customer collaboration over contract negotiation
B. Individuals and interactions over processes and tools
C. Responding to change over following a plan
D. Comprehensive documentation over working software

A

D. Comprehensive documentation over working software

Explanation:
The Agile Manifesto is a brief document built on 4 values and 12 principles for software development. The 4 values are:

Individuals and interactions over processes and tools

Working software over comprehensive documentation

Customer collaboration over contract negotiation

Responding to change over following a plan

Comprehensive documentation over working software is not part of the Agile Manifesto.

13
Q

After Bob has proved his identity to an authentication platform he is assigned a JSON Web Token (JWT) containing his Active Directory group memberships. He then sends that token to an API that is protected by an API gateway. The gateway intercepts the request and inspects the group memberships in the token; it then blocks the user from accessing the API. In this instance, the API gateway acts as a?

A. Policy Enforcement Point (PEP)
B. Policy Information Point (PIP)
C. Service Provider
D. Identity Provider

A

A. Policy Enforcement Point (PEP)

Explanation:
In the above example, the API Gateway acts as the policy enforcement point.

14
Q

What does blind penetration testing refer to?

A. The pentesting team is provided with very limited information on the system, the incident response team of the organization is informed in advance about the attack
B. The pentesting team is not restricted to any automated vulnerability scanning and exploit tools, all the production instances are in scope
C. The pentesting team is provided with very limited information on the system, the incident response team of the organization is not informed in advance about the attack
D. The pentesting team is restricted from using any automated vulnerability scanning and exploit tools, the incident response team of the organization has turned off all technical security controls except logging

A

A. The pentesting team is provided with very limited information on the system, the incident response team of the organization is informed in advance about the attack

Explanation:
Blind penetration testing simulates the actions and procedures of a real attacker by limiting the information given to the team performing the test.

15
Q

An EU-based IT services provider recently decided to build a public cloud offering. They quickly attracted several clients which migrated workloads to the cloud and started storing customer data in both volume and object storage. In the above scenario, what is the data role of the IT services provider?

A. Data Subject
B. Data Owner
C. Data Controller
D. Data Processor

A

D. Data Processor

Explanation:
In this instance, the cloud service provider acts as the data processor while the cloud customer is the data owner.

16
Q

An EU-based IT services provider recently decided to build a public cloud offering. They quickly attracted several clients which migrated workloads to the cloud and started storing customer data in both volume and object storage. The registration process asks the cloud consumers to fill in a form with their details including the consumer’s name, address, etc. In the above scenario, who is considered the data owner for the latter data?

A. The cloud service consumer
B. The cloud regulator
C. The customers of the cloud service consumer
D. The cloud service provider

A

D. The cloud service provider

Explanation:
This is a tricky question: most of the time in a cloud context, the cloud service provider is the data processor and the cloud customer is the data owner. However, the question here is specifically about the data that the provider is collecting as part of the cloud service consumer registration. In this specific scenario, the data owner is the cloud service provider.

17
Q

An organisation based in Palo Alto, CA wants to ensure they protect their new HQ office which costs $1,000,000. By looking at statistics the CIO has determined that CA is impacted by approximately 20 earthquakes a year. By running earthquake simulation software the company determined that an earthquake would destroy about 25% of the building. In the above scenario, what is the single loss expectancy (SLE)?

A. $10,000,000
B. $1,000,000
C. $250,000
D. $5,000,000

A

C. $250,000

Explanation:
We can compute the Single Loss Expectancy (SLE) as follows: SLE = AV * EF (asset value times exposure factor).

In the above scenario, 25% * $1,000,000 = $250,000

18
Q

Which characteristic of hash functions is a rainbow table attack exploiting?

A. Collision Resistance
B. Deterministic Output
C. Arbitrary Input
D. One-Way Function

A

B. Deterministic Output

Explanation:
Due to its deterministic nature, hashing a specific plaintext password will always result in the same digest value.

As a result, the digest value of common passwords will typically appear multiple times in the identity/credentials repository of an organisation. Attackers exploit this by creating rainbow tables, precomputing the hashes of common passwords. The above attack can be defeated with the use of a salt.

19
Q

An organisation which has recently migrated all of their services to a newly-established cloud provider; was recently informed that they have 30 days to migrate their data before the cloud provider ceases its operation as a result of bankruptcy. Which of CSA’s treacherous 12 threats was the root cause behind?

A. Abuse and nefarious use of cloud services
B. Shared technology and vulnerabilities
C. Insufficient Due Diligence
D. Insufficient Market Research

A

C. Insufficient Due Diligence

Explanation:
The root cause was insufficient due diligence: the decision-makers of the cloud customer should not have trusted a newly-established CSP without the necessary assurance of its financial sustainability.

20
Q

Static application security testing (SAST) analyses application source code to determine vulnerabilities. What is another term for SAST?

A. White-box Testing
B. Black-Box Testing
C. Gray-Box Testing
D. Red-Box Testing

A

A. White-box Testing

Explanation:
SAST, also known as white-box testing, involves the inspection of the application’s source code in order to build a comprehensive understanding of the risks which might be exposed.

21
Q

An LDAP administrator has configured a directory server to store passwords using the SHA-2 hash function. Passwords need to be alphanumeric (symbols not allowed) with a fixed length of 6, and the salt consists of 8 bits. If the directory contains 50 accounts and their passwords, how many unique plaintext passwords can the above system support?

A. 2^8
B. 256
C. 2^6
D. 36^6

A

D. 36^6

Explanation:
In order to compute the number of unique plaintext passwords, we need to know the alphabet (possible characters in the password) as well as the length of the password. Note that the salt and the number of stored accounts do not affect this figure.

The number of unique plaintext passwords can be computed as: (password alphabet size)^(password length). In the above example, we have alphanumeric passwords, which imply an alphabet size of 26 letters (assuming the Latin alphabet) + 10 digits (0-9) = 36.

Hence the correct answer is 36^6 or 2,176,782,336 unique passwords.

22
Q

Which of the following is not a common BCDR approach?

A. On-premise primary site, AWS tenant for DR site
B. AWS tenant primary site, On-premise DR site
C. AWS primary site, Azure tenant for DR site
D. AWS primary site, different AWS tenant for DR site

A

B. AWS tenant primary site, On-premise DR site

Explanation:
According to the CCSP CBK the 3 BCDR approaches for hybrid cloud systems are:

Primary on-premises site, using a cloud platform as BCDR

Primary site with a cloud provider, DR site within the same cloud provider

Primary site with a cloud provider, BCDR site with an alternative cloud provider

23
Q

Which of the following is a hypervisor attack?

A. Blue Pill
B. Purple Pill
C. Black Pill
D. Red Pill

A

A. Blue Pill

Explanation:
Blue Pill was a rootkit based on x86 virtualization, the rest of the options are just distractors.

24
Q

Which of the following is not a valid example of container-based virtualization?

A. Hyper-X
B. Docker
C. LXC
D. OpenVZ

A

A. Hyper-X

Explanation:
Hyper-X is not a valid container-based virtualization technology.

25
Q

The nature of cloud computing can pose challenges to e-discovery. Which of the following cloud characteristics provides the biggest challenge in regard to data collection?

A. Multitenancy
B. Portability
C. Broad network access
D. Always-on

A

A. Multitenancy

Explanation:
Multitenancy hinders e-discovery activities since computing resources are shared from multiple organisations/individuals. As a result data discovery efforts targeting a specific tenant may affect the confidentiality of customers hosting data in the same physical resource.

26
Q

An organisation has several applications deployed in a hybrid cloud architecture. At the moment each application handles its own authentication and authorisation by maintaining local user accounts and their entitlements. The CIO wants to improve the way the employees access the applications, increasing security and productivity. The CIO decided to implement single sign-on (SSO) between the applications with tokens issued from a third-party cloud service. Which of the following roles best describes the third party?

A. Cloud Carrier
B. Cloud Key Escrow
C. Cloud Service Re-Seller
D. Cloud Access Security Broker

A

D. Cloud Access Security Broker

Explanation:
SSO is one of the typical capabilities of cloud access security brokers (CASBs).

27
Q

A large system integrator (SI) decided to start offering more services around cloud computing. Their business model is purchasing cloud services in bulk and then offering those services to their own customers with a 10% markup over the original price. Which of the following describes the SI’s customers?

A. Cloud Access Broker
B. Cloud Consumer
C. Cloud Broker
D. Cloud Integrator

A

C. Cloud Broker

Explanation:
According to the CCSP CBK, a cloud broker is defined as:

An entity that manages the use, performance, and delivery of cloud services, and negotiates relationships between cloud providers and cloud consumers.

28
Q

An LDAP administrator has configured a directory server and is considering different schemes for password storage. The business requirement they were given is that customers should be able to authenticate by providing only a few characters of their passwords. For example, by providing the 1st, 2nd, and last character of their passwords. Which of the following methods would be the most appropriate for handling the passwords and meeting the business criteria?

A. Hash the password using a fixed key using SHA-512
B. Store the password in plaintext
C. Encrypt all passwords using the same key and Triple DES
D. Hash the password without any key using SHA-512

A

C. Encrypt all passwords using the same key and Triple DES

Explanation:
Normally the best option for handling passwords is hashing because of their one-way nature. However, in the above scenario, we need a reversible operation so that we can compare the individual characters provided by the customer against the plaintext password. In this scenario, encrypting the password would be the best option.

29
Q

A medium-sized software house is going through the risk management process to ascertain threats to its flagship product, an ERP system. According to the statistics, the average number of significant vulnerabilities discovered in their product is 5 per year, with each vulnerability costing the company about $50,000 in terms of reputation, and $50,000 additional development efforts required to patch the system. Which of the following controls would be the best option for the company?

A. Hire an insurance company for $200,000 per year which will fully cover any associated cost with disclosed vulnerabilities
B. Hire public relations consultants to help with the company’s reputation for $50,000 per year which would reduce the impact to the company’s reputation to $20,000 per security vulnerability
C. Hire specialized testing consultants for $100,000 per year which will reduce the average number of significant vulnerabilities to 3 per year
D. Accept the risk since all the identified potential risk responses would cost more

A

A. Hire an insurance company for $200,000 per year which will fully cover any associated cost with disclosed vulnerabilities

Explanation:
Let’s analyse the above 4 options:

Hire an insurance company: would cost $200,000

Hire specialised testing consultants: would cost $100,000 and would reduce the number of vulnerabilities to 3, yielding a total cost of $100,000 + 3 * ($50,000 + $50,000) = $400,000

Hire public relations consultants: would cost $50,000 and would reduce the impact on the company’s reputation, yielding a total cost of $50,000 + 5 * ($50,000 + $20,000) = $400,000

Accept the risk: would cost 5 * ($50,000 + $50,000) = $500,000

Hence hiring an insurance company would be the best option for the software house.

30
Q

What is the difference between Information Rights Management (IRM) and Digital Rights Management (DRM)?

A. IRM concerns sensitive business information, DRM refers to consumer media
B. DRM concerns sensitive business information, IRM refers to consumer media
C. DRM rules are defined from the data owners, IRM rules are defined from data custodians
D. IRM rules are defined from the data owners, DRM rules are defined from custodians

A

A. IRM concerns sensitive business information, DRM refers to consumer media

Explanation:
Information Rights Management (IRM): concerns the protection of sensitive information for business purposes — typically documents and emails. Keywords: enterprise, corporate, documents, emails

Digital rights management (DRM): a systematic approach to copyright protection for digital media. Keywords: consumer media, movies, audio, video-games

31
Q

Which is the most important protocol for accurate logging and monitoring?

A. SIEM
B. NTP
C. SSL/TLS
D. SMB

A

B. NTP

Explanation:
Network Time Protocol (NTP) which is responsible for clock synchronization between computer systems is the most important protocol for logging and monitoring. Time drift between distributed systems can make log monitoring and event correlation really difficult.

32
Q

Which is one of the benefits of a private cloud deployment model?

A. Extremely large number of available resources
B. Tailored Contract
C. No resource wastage
D. Relatively inexpensive to setup

A

B. Tailored Contract

Explanation:
Private cloud customers can negotiate a tailored contract since they are the sole consumer of the specific cloud service resources.

33
Q

Which of the following is not a valid cloud role?

A. Cloud Encryption Manager
B. Cloud Service Broker
C. Cloud Administrator
D. Cloud Integrator

A

A. Cloud Encryption Manager

Explanation:
Cloud encryption manager is not a valid cloud role.

34
Q

A medium-sized retailer is going through the risk management process to ascertain threats to its e-shop. According to the statistics, they are subject to 100 cyber-attacks per year. Only 20% of the attacks are successful with each attack costing an average of $25,000. The annual revenue of the shop alone is $500,000 with a net profit of $250,000. Which of the following controls would be the best option for the company?

A. Deploy a next generation Web Application Firewall (WAF) for $50,000/year which would prevent 50% of the currently successful attacks on average
B. Accept the risk since all the identified potential risk responses would cost more
C. Shut down the e-shop and focus on their high street shops
D. Hire an insurance company for $275,000 per year which will fully cover any associated cost with cyber attacks

A

C. Shut down the e-shop and focus on their high street shops

Explanation:
Let’s analyse the above 4 options. The company suffers 20 successful attacks per year with an average cost of $25,000, for an Annualised Loss Expectancy (ALE) of $500,000.

Hiring the insurance company would cost more than the net profit, which means it is not a good option.

The WAF would reduce the ALE to $250,000 while costing $50,000, bringing the total cost to $300,000, which is higher than the net profit of the e-shop. This is not a good option either.

Accepting the risk would cause the company to lose $250,000 ($250,000 - $500,000) after subtracting the ALE.

The net profit of the e-shop is lower than the ALE, which means none of the controls can balance out the potential damage; shutting down the e-shop would be the best option in this case.

35
Q

The “Trust Services Principles and Criteria” include confidentiality, processing integrity, availability, privacy, and?

A. Non-Repudiation
B. Authenticity
C. Security
D. Resiliency

A

C. Security

Explanation:
The 5 Trust Services Principles and Criteria defined by AICPA are:

confidentiality

processing integrity

availability

privacy

security

36
Q

Which of the following is true about All-or-Nothing-Transform with Reed-Solomon (AONT-RS)?

A. Data is split into m fragments, while the key remains intact. Data reconstruction requires all m fragments and the encryption key
B. Data is split into m fragments, while the key remains intact. The original data can be reconstructed by accessing n out of 5 fragments (lower than n) and providing the encryption key
C. Both the data and the encryption key are split into m fragments. The original data can be reconstructed by accessing n out of 5 fragments (lower than n)
D. Both the data and the encryption keys are split into m fragments. Data reconstruction requires all m fragments.

A

D. Both the data and the encryption keys are split into m fragments. Data reconstruction requires all m fragments.

Explanation:
As the name implies, the All-or-nothing transform requires all m fragments for data recovery.

37
Q

A user attempts to log in to a customer relationship management (CRM) application offered as a SaaS. The user provides his username and password. The system retrieves the hashed password stored for that user, computes the hash over the password the user just provided, and compares the two. Which of the following best describes the above?

A. Authentication
B. Verification
C. Authorization
D. Identification

A

A. Authentication

Explanation:
Authentication: validating your credentials (username, password, token, biometrics, etc.) to verify your identity.

Authorisation: occurs after authentication and determines whether an action on a resource by the authenticated actor is allowed in this context.

The correct answer to the above question is authentication.

38
Q

Which is not included in the OWASP Top 10 (2021)?

A. Security Logging and Monitoring Failures
B. Account Hijacking
C. Vulnerable and Outdated Components
D. Cryptographic Failures

A

B. Account Hijacking

Explanation:
Account hijacking is not part of the OWASP Top 10 (2021). The full list includes:

Broken Access Control

Cryptographic Failures

Sensitive Data Exposure

Injection

Insecure Design

Security Misconfiguration

Vulnerable and Outdated Components

Identification and Authentication Failures

Software and Data Integrity Failures

Security Logging and Monitoring Failures

Server-Side Request Forgery

39
Q

Which cloud service model is related to Cloud Application Management for Platforms (CAMP)?

A. IaaS
B. SaaS
C. DaaS
D. PaaS

A

D. PaaS

Explanation:
Cloud Application Management for Platforms (CAMP) is a specification developed for the management of applications specifically in Platform as a Service (PaaS) based cloud environments. The CAMP specification provides a framework for enabling application developers to manage their applications through open-source API structures based on representational state transfer (REST).

https://en.wikipedia.org/wiki/Cloud_Application_Management_for_Platforms

40
Q

Which of the following is not a valid use of a privacy level agreement (PLA)?

A. A cloud customer can get contractual protection against possible financial damages due to lack of compliance
B. A cloud service provider can use a PLA to communicate the level of personal data protection they provide
C. A cloud customer can use a PLA to assess the level of a cloud service provider's compliance with data protection legislative requirements
D. A cloud service provider can use a PLA to delegate accountability for data protection to the cloud customer

A

D. A cloud service provider can use a PLA to delegate accountability for data protection to the cloud customer

Explanation:
Accountability for data protection cannot be delegated; the data owner is always accountable for protecting its data.

41
Q

Which of the following is not a benefit of Infrastructure-as-a-Service (IaaS)?

A. Reduced Cost of Ownership
B. Energy and Cooling Efficiencies
C. Operating System Abstraction
D. Measured Service

A

C. Operating System Abstraction

Explanation:
In IaaS, the customer is responsible for maintaining and patching the operating system, hence the OS is not abstracted. The OS is abstracted in PaaS and SaaS.

42
Q

Which OSI layers are associated with Platform as a service (PaaS)?

A. Presentation and Application
B. Transport and Session
C. Network and Transport
D. Session and Presentation

A

D. Session and Presentation

Explanation:
According to the CCSP CBK the OSI layers map to the cloud service models as follows:

Layer 1: Physical Layer - IaaS

Layer 2: Data-Link Layer - IaaS

Layer 3: Network Layer - IaaS

Layer 4: Transport Layer - IaaS

Layer 5: Session Layer - PaaS

Layer 6: Presentation Layer - PaaS

Layer 7: Application Layer - SaaS

43
Q

Which of the following is not a valid supplier category in terms of importance to an organisation?

A. Specialized Suppliers
B. Tactical Suppliers
C. Strategic Suppliers
D. Commodity Suppliers

A

A. Specialized Suppliers

Explanation:
The supply chain vendors can be categorised as:

Commodity suppliers

Tactical suppliers

Strategic suppliers

Operational suppliers

44
Q

A large enterprise recently defined, implemented and fully tested its Business Continuity (BC)/Disaster Recovery (DR) procedures. Which of the following was most likely used as input to the BC/DR strategy design?

A. The Data Retention Directive
B. Common Criteria
C. Tabletop exercise
D. Business Impact Analysis (BIA)

A

D. Business Impact Analysis (BIA)

Explanation:
The Business Impact Analysis (BIA) can help an organisation understand the criticality of its assets and prioritise them accordingly in their Business Continuity (BC)/Disaster Recovery (DR) processes.

45
Q

Which FIPS 140-2 security level provides immediate zeroization of all plaintext critical security parameters upon tampering detection?

A. Security Level 3
B. Security Level 4
C. Security Level 2
D. Security Level 1

A

B. Security Level 4

Explanation:
FIPS 140-2 Security Level 4, which is the highest security level, provides immediate zeroization of all plaintext critical security parameters upon tamper detection.

46
Q

A new start-up company has recently got funded to develop a new product. They want to use a cloud service which despite its expensive startup cost, will provide the lowest costs for ongoing support and operations. Which cloud service model should they use?

A. IDaaS
B. IaaS
C. SaaS
D. PaaS

A

C. SaaS

Explanation:
Selecting the SaaS option would provide the lowest cost for support and operations and is the right choice.

47
Q

Which of the following characteristics is the most important for a hybrid cloud deployment?

A. Interoperability
B. On-Demand Self Service
C. Elasticity
D. Reversibility

A

A. Interoperability

Explanation:
Interoperability is the most important characteristic of a hybrid deployment, as it incorporates two different cloud deployment models that need to be integrated.

48
Q

Which of the following is not a valid cloud storage type?

A. Database
B. Elastic Disc
C. Volume Storage
D. Content Delivery Network (CDN)

A

B. Elastic Disc

Explanation:
Volume, CDN, and Databases are all valid cloud storage types.

Elastic disk is not a valid storage mechanism; do not get confused with Elasticsearch.

49
Q

Which of the following is not one of the security domains presented in CSA’s cloud controls matrix (CCM)?

A. Interoperability & Portability
B. Penetration Testing
C. Data Center Security
D. Identity and Access Management

A

B. Penetration Testing

Explanation:
Penetration testing is not one of the security domains in CSA’s cloud controls matrix (CCM).

50
Q

Which of the following frameworks/regulations/standards does the Cloud Controls Matrix (CCM) not have a mapping with?

A. COBIT
B. FedRAMP
C. HIPAA/HITECH
D. GDPR

A

D. GDPR

Explanation:
The General Data Protection Regulation (GDPR) does not have a mapping with CCM.