Pluralsight CCSP Domain 1 Flashcards

1
Q

Cloud Characteristics

A

BRROM

  1. Broad Network Access - services are reachable over the network through standard mechanisms from a range of client devices (laptops, phones, servers)
  2. Rapid Elasticity - capacity can be provisioned and released quickly, in some cases automatically, to scale with demand (e.g. cloud bursting: a private cloud overflowing onto a public cloud under peak load)
  3. Resource Pooling - the provider's resources (compute, memory, storage, network bandwidth, and staff) are pooled to serve many customers in a multi-tenant model
  4. On-Demand Self-Service - the customer provisions capabilities as needed without human interaction with the CSP
  5. Measured Service - resource use is metered, and the customer pays only for what is consumed
2
Q

Benefits of Cloud Computing

A
  1. Capital Cost Control - capital expense (owned hardware) shifts to operating expense
  2. Flexibility
  3. Access to Skilled Staff
  4. Environmental Impact - e.g. 15 companies moving to the cloud and retiring their own backup batteries and diesel generators
3
Q

Service Orchestration
1. Define
2. What are the 3 layers

A

Service orchestration (NIST SP 500-292) - the composition of system components that supports the cloud provider's arrangement, coordination, and management of computing resources in order to provide cloud services to consumers.

The 3 layers:
  1. Service layer - the interfaces through which consumers access SaaS, PaaS, and IaaS
  2. Resource abstraction and control layer - hypervisors, virtual machines, virtual storage, and software-defined networking that abstract the physical resources and control access to them
  3. Physical resource layer - hardware (servers, storage, network) and the facility (power, HVAC, physical security)
4
Q

Cloud Roles -
* Cloud Carrier
* Cloud Broker
* Reseller
* Cloud Access Security Broker
* Cloud Architect

A

A cloud carrier provides:
* Network Access
* Redundancy (diverse routing)
* Bandwidth

A cloud broker:
* manages the relationship between cloud customers and CSPs (negotiates contracts, may represent or aggregate the services of several CSPs)

Reseller - resells the services of a CSP

CASB (Cloud Access Security Broker):
* a policy enforcement point placed between users and the cloud services they consume
* provides visibility into which cloud services are actually in use (including shadow IT)
* may enforce access controls, data loss prevention, and threat protection on cloud traffic

Cloud Architect:
* designs cloud implementations and ensures that business requirements are met

5
Q

Cloud Deployment Models
1. Private
2. Public
3. Community Cloud
4. Hybrid

A
  1. Private
    * Provisioned for exclusive use by one organization (no multi-tenancy with outside parties)
    * On or off premises
    * May be owned, managed, and operated by the organization, a 3rd party, or both
  2. Public
    * Provisioned for open use by the general public; multi-tenant
    * Exists on the premises of the cloud provider (e.g. AWS, Azure, Google Cloud)
  3. Community Cloud
    * e.g. universities, hospitals, government agencies
    * Provisioned for exclusive use by a specific community of organizations that share concerns (mission, security requirements, policy, compliance)
    * On or off premises
    * May be owned and managed by one or more members of the community, a 3rd party, or both
  4. Hybrid
    * Two or more distinct cloud infrastructures (private, community, or public) that remain separate entities but are bound together by standardized or proprietary technology
    * Enables data and application portability, e.g. cloud bursting (moving processing to another cloud under load)
    * Common use: business continuity / disaster recovery (e.g. normal operations on a public cloud with backup in a private cloud)
6
Q

Cloud Service Models (mnemonic IPS: IaaS, PaaS, SaaS) [image card; diagram not reproduced]

A
7
Q

Cloud Service Model
IaaS and the roles and responsibilities of the CSP and the cloud customer. Who controls each of the following?
1. Application (e.g. mail)
2. Middleware (e.g. Java runtime)
3. Guest OS
4. Hypervisor
5. Hardware

A

In IaaS the CSP delivers raw compute, storage, and network; the customer builds and secures everything above the hypervisor.
1. Application (e.g. mail) - customer (installs, configures, patches, secures)
2. Middleware (e.g. Java runtime) - customer
3. Guest OS - customer (hardening, patching, host-based controls)
4. Hypervisor - CSP (the customer has no access to it)
5. Hardware - CSP (physical security, maintenance)
In PaaS the line moves up (the CSP also owns the guest OS and middleware); in SaaS the CSP owns the application too, leaving the customer responsible for its data, configuration, and user access.
8
Q

CIA Triad in the Cloud

A
  1. Confidentiality - protection of information from unauthorized disclosure; harder in the cloud because the customer depends on the CSP's controls and shares infrastructure with other tenants
  2. Integrity - protection of information from unauthorized modification; assurance of correct processing, storage, and use of information; the cloud introduces more layers and therefore more attack surface (e.g. APIs, management plane, hypervisor)
  3. Availability - ensuring systems and data are accessible when needed; in the cloud the customer depends heavily on the CSP (and on the network path to it), so availability terms belong in the SLA
9
Q
  • Ephemeral computing
  • Serverless Technology
  • VM Sprawl
A
  • Ephemeral computing - creating a virtual computing environment when a need arises and destroying it when the need is met and the resources are no longer in demand; you pay only for what is used while it is used
  • Serverless Technology - the CSP provisions, patches, and scales the servers that run the customer's functions; the customer trusts the CSP for server security but remains responsible for its own code, dependencies, configuration, and identity/access settings
  • VM Sprawl - when the number of virtual machines (VMs) on a network grows beyond what administrators can manage effectively; unmanaged VMs go unpatched and unmonitored while still consuming resources and licences
10
Q
  • Data Lifecycle
  • IAAA
  • Separation of duties
A

Data Lifecycle (CSA)
1. Create
2. Store
3. Use
4. Share
5. Archive
6. Destroy (delete)

IAAA
* Identification - the subject claims an identity (e.g. presents a username)
* Authentication - the subject proves the claimed identity (password, token, biometric)
* Authorization - the system determines and grants access based on the subject's privileges
* Accounting / Auditing - the system records who did what, and when

Separation of Duties - no one person controls a sensitive transaction from start to finish, which prevents both mistakes and fraud (e.g. the person who requests a payment cannot also approve it)
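The four IAAA steps and the separation-of-duties rule above, shown working together in an added example (this is not code from the Pluralsight course or the flashcard deck). The users, roles and the payment workflow are constructed for illustration; passwords are stored as salted PBKDF2 hashes, every decision is written to an audit log, and a user who holds both the clerk and approver roles is still blocked from approving their own request.

```python
import hashlib
import hmac
import os
import time

# Constructed role -> permitted actions table (hypothetical, for illustration only).
PERMISSIONS = {
    "clerk": {"request_payment"},
    "approver": {"approve_payment"},
    "auditor": {"read_audit"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value never reveals the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessControl:
    """Identification, authentication, authorization and accounting in one place."""

    def __init__(self):
        self._users = {}       # username -> (salt, password hash, roles)
        self._payments = {}    # payment id -> {"requester", "amount", "approved_by"}
        self._next_id = 1
        self.audit = []        # accounting: append-only list of events

    def _record(self, who, action, outcome, **detail):
        self.audit.append({"ts": time.time(), "who": who, "action": action,
                           "outcome": outcome, **detail})

    # Identification: an identity is registered together with the roles it holds.
    def enroll(self, username, password, roles):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt), frozenset(roles))
        self._record("system", "enroll", "success", user=username, roles=sorted(roles))

    # Authentication: the claimed identity proves it knows the secret.
    def authenticate(self, username, password):
        record = self._users.get(username)
        if record is None:
            _hash_password(password, bytes(16))  # same work for unknown users (timing)
            self._record(username, "authenticate", "failure", reason="unknown user")
            return False
        salt, digest, _ = record
        ok = hmac.compare_digest(_hash_password(password, salt), digest)
        self._record(username, "authenticate", "success" if ok else "failure")
        return ok

    # Authorization: granted only if one of the user's roles permits the action.
    def authorize(self, username, action):
        roles = self._users[username][2] if username in self._users else frozenset()
        allowed = any(action in PERMISSIONS.get(role, ()) for role in roles)
        self._record(username, "authorize", "success" if allowed else "denied",
                     requested=action)
        return allowed

    def request_payment(self, username, amount):
        """Returns the new payment id, or None if the user may not request payments."""
        if not self.authorize(username, "request_payment"):
            return None
        payment_id, self._next_id = self._next_id, self._next_id + 1
        self._payments[payment_id] = {"requester": username, "amount": amount,
                                      "approved_by": None}
        self._record(username, "request_payment", "success",
                     payment_id=payment_id, amount=amount)
        return payment_id

    def approve_payment(self, username, payment_id):
        """Separation of duties: even a user holding both roles cannot approve their own request."""
        if not self.authorize(username, "approve_payment"):
            return False
        payment = self._payments.get(payment_id)
        if payment is None:
            return False
        if payment["requester"] == username:
            self._record(username, "approve_payment", "denied",
                         payment_id=payment_id, reason="separation of duties")
            return False
        payment["approved_by"] = username
        self._record(username, "approve_payment", "success", payment_id=payment_id)
        return True

    def denied_events(self):
        """Accounting in use: every denied authorization or SoD violation is on record."""
        return [e for e in self.audit if e["outcome"] == "denied"]


if __name__ == "__main__":
    ac = AccessControl()
    ac.enroll("dana", "correct horse", {"clerk", "approver"})   # constructed users
    ac.enroll("eve", "battery staple", {"approver"})
    ac.authenticate("dana", "correct horse")
    pid = ac.request_payment("dana", 500)
    print("dana approves own request:", ac.approve_payment("dana", pid))
    print("eve approves it:", ac.approve_payment("eve", pid))
    for event in ac.denied_events():
        print(event)
```

The audit list is what a reviewer would read during an investigation: the "denied" entry carrying reason "separation of duties" is the evidence that the control fired. In a real system the log would be shipped off-host so the people it records cannot edit it.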

11
Q
  • CSA STAR
  • SSAE 18
  • ISO/IEC 27001
  • Uptime Institute
  • FISMA
  • PCI DSS
  • ISO/IEC 15408
  • FIPS 140-2
A
  • CSA STAR (Security, Trust, Assurance and Risk) - the Cloud Security Alliance's assurance program and public registry for cloud providers; assessments are based on the Cloud Controls Matrix (CCM), with a privacy track based on the CSA GDPR Code of Conduct (3 levels)
    Level 1 - Self-assessment: the provider publishes a completed Consensus Assessments Initiative Questionnaire (CAIQ); submissions expire after 12 months and must be resubmitted

    Level 2 - 3rd-party audit
    - Attestation - collaboration between AICPA and CSA: a SOC 2 examination extended with the CCM criteria
    - Certification - technology-neutral certification: a 3rd-party ISO/IEC 27001 audit extended with the CCM
    - C-STAR Assessment - 3rd-party assessment for the Greater China market

    Level 3 - continuous auditing by a 3rd party

  • SSAE 18 (Statement on Standards for Attestation Engagements, issued by the American Institute of Certified Public Accountants (AICPA); successor to SAS 70 and SSAE 16, with SSAE 19 to 21 as later amendments) - each revision incorporates lessons learned from the previous one
    1. Main output is the SOC (System and Organization Controls) report, produced once the SSAE examination is complete
  • SOC 1 - controls at the service organization that are relevant to its customers' internal control over financial reporting; read by the customer's financial auditors
  • SOC 2 - detailed, restricted-distribution report (customers, their auditors, regulators); evaluates the provider against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy), which evolved from the earlier WebTrust and SysTrust programs
  • SOC 3 - general-use summary of the SOC 2 without the detailed test results; the report most organizations publish (often used for marketing)
  • Type 1 - assesses the design of controls at a point in time
  • Type 2 - assesses design and operating effectiveness over a period of time (typically 6 to 12 months)
  • ISO/IEC 27001 - specifies the requirements for an organization's information security management system (ISMS); certifiable by accredited auditors
  • Uptime Institute - assesses data center design (e.g. redundant power), construction, and ongoing operations against its Tier I to IV standard; relevant when the organization needs assurance of data center availability
  • FISMA - Federal Information Security Modernization Act (originally Management Act, 2002); requires US federal agencies and their service providers to run NIST-based security programs; FedRAMP applies these requirements to cloud services
  • PCI DSS - Payment Card Industry Data Security Standard; contractual security requirements for any entity that stores, processes, or transmits payment card data
  • ISO/IEC 15408 - the Common Criteria; security evaluation standard for IT products against a stated protection profile or security target
  • FIPS 140-2 - US/Canadian government validation of cryptographic modules (security levels 1 to 4); being superseded by FIPS 140-3
12
Q

Due Care vs Due Diligence
Define non-repudiation
Define Chain of Custody

A

Due Care - doing what a reasonable, prudent person would do in the same circumstances: having and following the policies, procedures, and controls that protect others from unreasonable harm (the "doing" side)

Due Diligence - the investigation and ongoing verification that informs and evidences due care: e.g. vetting a CSP before signing, reviewing its SOC 2 reports and certifications, and checking that the controls actually operate (the "checking" side)

Non-Repudiation - assurance that an entity cannot later deny having performed an action; achieved by binding actions to an identity with evidence a third party can verify (e.g. digital signatures, protected audit logs)

Chain of Custody - documented record of every person who handled a piece of evidence and every action taken on it, from collection to presentation, so that its integrity can be demonstrated
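An added example (not part of the flashcard deck or the Pluralsight course) of the chain-of-custody record described above: each handling event stores the evidence's SHA-256 at that moment plus the hash of the previous entry, so a change to the evidence and a change to the log itself are both detectable. The evidence bytes, handler names and evidence id are constructed for illustration.

```python
import hashlib
import json
import time


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of every handling event for one piece of evidence.

    Each entry carries the evidence hash at that moment and the hash of the
    previous entry (a hash chain), so tampering with the evidence or with an
    earlier log entry shows up when the log is verified.
    """

    GENESIS = "0" * 64

    def __init__(self, evidence_id: str, data: bytes, collected_by: str):
        self.evidence_id = evidence_id
        self.original_hash = digest(data)   # acquisition hash, taken once at collection
        self.entries = []
        self.record("collected", collected_by, data)

    def record(self, action: str, handler: str, data: bytes, note: str = "") -> bool:
        """Log a handling event; returns False if the evidence no longer matches
        the acquisition hash (the event is still logged, because that is the point)."""
        entry = {
            "seq": len(self.entries),
            "ts": time.time(),
            "evidence_id": self.evidence_id,
            "action": action,
            "handler": handler,
            "evidence_hash": digest(data),
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
            "note": note,
        }
        entry["entry_hash"] = digest(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry["evidence_hash"] == self.original_hash

    def verify(self):
        """Returns (log_intact, evidence_intact, first_bad_seq).

        log_intact is False if any entry was altered or removed after it was written;
        evidence_intact is False if any entry recorded a hash other than the original."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if (entry["prev_entry_hash"] != prev
                    or digest(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]):
                return False, None, entry["seq"]
            prev = entry["entry_hash"]
        for entry in self.entries:
            if entry["evidence_hash"] != self.original_hash:
                return True, False, entry["seq"]
        return True, True, None


if __name__ == "__main__":
    image = b"constructed disk image bytes"          # stands in for a real acquisition
    log = CustodyLog("EV-001", image, "analyst_a")
    log.record("transferred to lab", "analyst_b", image)
    print(log.verify())                                # (True, True, None)
    log.record("analysed", "analyst_b", image + b"!")  # evidence changed while in custody
    print(log.verify())                                # (True, False, 2)
```

Hashing gives integrity, not non-repudiation: analyst_b could still claim someone else wrote the entry. Binding each entry to the handler's digital signature (or an authenticated timestamping service) is what turns this record into non-repudiable evidence.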

13
Q

CSP vs MSP

A

A CSP sets its own governance (the customer adapts to the provider's terms and controls), whereas with an MSP the customer organization sets governance and the MSP operates within it.

An MSP is a third party that executes the organization's technical and operational procedures on its behalf.

14
Q
  • Compliance as a Service
  • Networking as a Service
  • Data Science as a Service
A
15
Q
  • In which cloud model is proper segmentation of resources an issue?
  • What is the main security issue with SaaS?
  • Which cloud model encourages shared access and therefore needs robust IAM?
  • What is XaaS?
A
16
Q
  • Which technology has had the impact of making the cloud intelligent?
  • Quantum Computing
  • Containers
  • IoT
A
17
Q
  • SLA
  • MOU
  • LOI
  • Contract
A
18
Q

Cloud supply chain, vendor management process, and risks associated with them

A
  • Cloud carriers - the ISPs and network providers between the customer and the CSP
  • Platform providers - the vendors supplying the operating systems used in the cloud
  • Application providers - the vendors supplying the software used in the cloud service

Together these make up the cloud supply chain. If any one of them becomes unavailable, the customer faces an outage as well, so vendor management must cover the CSP's own suppliers, not just the CSP.

19
Q
  • Common Criteria Assurance Framework (ISO/IEC 15408)
A
  • Common Criteria Assurance Framework (ISO/IEC 15408) - international standard that gives customers assurance that the security products they purchase have been tested by independent, accredited 3rd-party evaluators; it only verifies that the vendor's stated security claims (the security target) are true, not whether the product meets regulatory requirements or the customer's needs
20
Q

Interoperability vs Portability

A
21
Q
A
22
Q
  • ECC
  • AES
  • DES
  • Triple DES
A
23
Q

Application Orchestration

A
24
Q
  • SQL Injection
  • DoS
  • XSS
  • CSRF
A
25
Q
  • Cloud Working Group (CWG)
  • NIST
  • FIPS
  • CSA Trusted Cloud Initiative (TCI)
A
26
Q
A
27
Q

TLS and IPsec

A
28
Q

OSI Layers (mnemonic: "People Don't Need To See Paula Abdul")

A

1. Physical
2. Data link
3. Network
4. Transport
5. Session
6. Presentation
7. Application
29
Q
  • VLAN
  • DHCP
  • DNS
  • VPN
  • Subnet
  • Blacklist
A
  • VLAN - logical segmentation at layer 2 (data link): even though all machines may be plugged into the same physical switch, devices in a VLAN can only communicate directly with other members of the same VLAN; traffic to another VLAN must first pass through a layer 3 gateway (router or layer 3 switch), where access controls can be applied
  • DHCP - an alternative to giving each device a permanent IP address (static addressing): the DHCP server holds a pool of addresses and leases one to a device for a limited time (dynamic addressing); when the device leaves or the lease expires, the address returns to the pool and can be reassigned to another device
  • DNS - how computers translate domain names to IP addresses (and, via reverse lookups, IP addresses back to names)
  • VPN - encrypted tunnel that gives remote users or sites access to a private network over an untrusted one
  • Subnet - can be used to separate devices in the cloud, but only at layer 3 (network); hosts in different subnets need a route, so routing and firewall rules decide which subnets can talk
  • Blacklist (deny list) - a list of addresses, domains, or users that are explicitly denied access to a resource; everything not on the list is allowed, which is weaker than an allow list
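An added example (not from the flashcard deck or the Pluralsight course) that models the segmentation rules on this card: hosts in the same VLAN reach each other directly, hosts in different VLANs only if the layer 3 gateway policy allows that pair, and a deny list overrides both. A small lease pool shows the DHCP behaviour described above (an address returns to the pool on release and is handed out again). The VLAN ids, subnets, gateway policy and deny list are constructed for illustration.

```python
import ipaddress

# Constructed network layout (hypothetical): VLAN id -> the IP subnet assigned to it.
VLANS = {
    10: ipaddress.ip_network("10.0.10.0/24"),   # web tier
    20: ipaddress.ip_network("10.0.20.0/24"),   # application tier
    30: ipaddress.ip_network("10.0.30.0/24"),   # database tier
}
# Inter-VLAN flows the layer 3 gateway is allowed to forward: (src VLAN, dst VLAN).
GATEWAY_POLICY = {(10, 20), (20, 30)}
# Deny list: addresses and ranges refused regardless of VLAN membership.
DENY_LIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.0.20.66/32")]


def vlan_of(ip):
    """VLAN id whose subnet contains ip, or None if it belongs to no known VLAN."""
    addr = ipaddress.ip_address(ip)
    for vlan_id, subnet in VLANS.items():
        if addr in subnet:
            return vlan_id
    return None


def is_denied(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DENY_LIST)


def can_reach(src, dst):
    """Same VLAN: direct layer 2 delivery. Different VLANs: only via the gateway policy.
    Unknown addresses and deny-listed addresses are refused."""
    if is_denied(src) or is_denied(dst):
        return False
    s, d = vlan_of(src), vlan_of(dst)
    if s is None or d is None:
        return False
    if s == d:
        return True
    return (s, d) in GATEWAY_POLICY


class LeasePool:
    """Minimal DHCP-style pool: addresses are leased out and return on release."""

    def __init__(self, subnet, reserved=1):
        net = ipaddress.ip_network(subnet)
        hosts = list(net.hosts())[reserved:]   # skip the gateway address(es)
        self._free = hosts[::-1]               # pop() from the end -> lowest address first
        self._leases = {}                      # client id (e.g. MAC) -> address

    def allocate(self, client_id):
        if client_id in self._leases:
            return self._leases[client_id]     # renewal keeps the same address
        if not self._free:
            return None                        # pool exhausted
        addr = self._free.pop()
        self._leases[client_id] = addr
        return addr

    def release(self, client_id):
        addr = self._leases.pop(client_id, None)
        if addr is not None:
            self._free.append(addr)            # back in the pool, reassigned next
        return addr


if __name__ == "__main__":
    print(can_reach("10.0.10.5", "10.0.20.7"))    # True: web -> app is routed
    print(can_reach("10.0.10.5", "10.0.30.9"))    # False: web -> db is not
    print(can_reach("10.0.10.5", "10.0.20.66"))   # False: destination is deny-listed
    pool = LeasePool("10.0.10.0/29")
    a = pool.allocate("aa:bb:cc:00:00:01")
    pool.release("aa:bb:cc:00:00:01")
    print(a, pool.allocate("aa:bb:cc:00:00:03"))  # same address handed out again
```

Note that the gateway policy is directional: (10, 20) lets the web tier open connections to the application tier but says nothing about the reverse, which is what a stateful firewall between VLANs would enforce. The reassigned address in the pool demo is also why IP-based allow lists are weak in DHCP-managed networks.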