CCSK: Certificate of Cloud Security Knowledge 3 of 6 Practice Flashcards

1
Q

When is a party excused from presenting evidence in a court of law?

A.When it doesn't exist
B.When it is too expensive to retrieve
C.Never; a party must always present data when it's requested by a judge
D.When it's not reasonably accessible

A

D.When it's not reasonably accessible

Explanation:
FRCP clause 26(b)(2)(B) permits data not being presented as evidence when it is not reasonably accessible. This may be applicable, for instance, when a bit-level copy of a drive is required when the data is stored in a cloud environment.

2
Q

What format should be used when presenting electronically stored information (ESI) in a court of law?

A.PDF
B.CSV
C.Standard Format
D.Native Format

A

C.Standard Format

Explanation:
The best answer is that evidence is most useful if it is presented in a standard format. Although both PDF and CSV can be considered standard formats, neither is the best answer here, because standard format is more accurate as a response. Presentation of native format may be required if metadata isn’t properly preserved as part of an export routine.

3
Q

Which of the following may lead to issues with validating that any data found is complete and accurate when stored in a cloud environment?

A.Transparency
B.Use of unknown hardware at provider location
C.There are no issues with validating data stored in the cloud
D.Lack of metadata in cloud environments

A

A.Transparency

Explanation:
Transparency issues may cause issues with validating that any data found is complete and accurate. Any issues must be identified as part of due diligence of the provider environment.

4
Q

Which of the following is the minimum retention period for any data that may be required in a court of law?

A.1 year
B. 5 years
C.Any data that may be considered evidence must be retained
D.There is no general minimum retention period of data

A

D.There is no general minimum retention period of data

Explanation:
There are no mandated retention periods that are generically applied to all data sets. Different retention periods will be applied by laws or other means (such as standards, continued value to the company, and so on) based on the type of data. Although data that can be reasonably expected to serve as evidence in a court case should be preserved by an organization, there is no retention period mandated for these data sets.

5
Q

What is the most important item to consider when reviewing third-party audits and attestations?

A.The firm that performed the audit
B.The services being consumed by the customer
C.The location of services
D.The service provider certification

A

B.The services being consumed by the customer

Explanation:
The services being consumed by the customer are the most important item to consider when reviewing third-party audits and attestations. Although all of the other options are certainly valid, they are of little value if the services consumed are not part of the scope of the audit being reviewed.

6
Q

What should a customer do when dealing with a non-negotiable contract where controls may be lacking?

A.Do not use the service provider
B.Identify any gaps and fill them with appropriate controls
C.Purchase cyber-insurance to mitigate the associated risk
D.Accept the risk the provider accepts

A

B.Identify any gaps and fill them with appropriate controls

Explanation:
The best answer is to identify potential gaps and implement controls to address perceived risk. Although risk response may include avoiding the risk by not using the provider, accepting the risk, and mitigating financial damages by purchasing cyberinsurance, the best answer is to identify the controls the provider is contractually required to supply, determine your requirements, and address gaps by deploying controls.

7
Q

The Australian Privacy Act requires that a breach disclosure be performed in which scenario?

A.When any data pertaining to a citizen is disclosed
B.When personally identifiable information is disclosed
C.When disclosure would be likely to cause serious harm to the individual
D.The Australian Privacy Act does not address breach notification requirements

A

C.When disclosure would be likely to cause serious harm to the individual

Explanation:
The Australian Privacy Act requires that a breach of security must be reported when personal information that may lead to serious harm is disclosed.

8
Q

How must audits be conducted?

A.Always by your company
B.Always by the provider
C.Always by an independent auditor
D.Always by a federal regulator

A

C.Always by an independent auditor

Explanation:
The key concept for audits is that they are performed by an independent auditor. This is true for all audits. Although you may want to conduct an audit of a provider yourself, the provider may view giving you access to a data center as a security issue, for example.

9
Q

A pass-through audit is a form of what?

A.Compliance inheritance
B.Demonstration of adherence by the provider to industry standards
C.A physical assessment that has taken place as part of the audit
D.A term used for all services being in scope for the audit engagement

A

A.Compliance inheritance

Explanation:
Pass-through audits are a form of compliance inheritance. The audit does not speak to the completeness of the audit scope itself. Rather, it certifies that the controls implemented and managed by the provider are compliant. Your organization is required to meet compliance for your systems and data in the provider’s environment.

10
Q

How do audits work with compliance?

A.Audits are the technical means to assess systems
B.Audits are the processes and procedures used to assess systems
C.Audits are a key tool for proving or disproving compliance
D.Audits are required for proper governance of cloud systems

A

C.Audits are a key tool for proving or disproving compliance

Explanation:
The most accurate and therefore the best answer is that audits are used to prove or disprove compliance with corporate governance.

11
Q

Which of the following statements regarding service administrator accounts is not true?

A.Service administrator accounts manage parts of the service
B.Service administrator accounts are more suited for common daily use
C.Service administrators help compartmentalize individual sessions
D.Service administrator accounts can expose the entire deployment

A

D.Service administrator accounts can expose the entire deployment

Explanation:
Your platform or provider may support lower-level administrative accounts that can only manage parts of the service. We sometimes call these “service administrators” or “day to day administrators”. These accounts don’t necessarily expose the entire deployment if they are abused or compromised and thus are better for common daily usage. They a

12
Q

All assets in the cloud require the same business continuity.

A.CORRECT
B.INCORRECT

A

B.INCORRECT

Explanation:
Overall, a risk-based approach is key:
• Not all assets need equal continuity.
• Don’t drive yourself crazy by planning for full provider outages just because of the perceived loss of control. Look at historical performance.
• Strive to design for RTOs and RPOs equivalent to those on traditional infrastructure.
Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Architect for Failure Domain 6 // MANAGEMENT PLANE AND BUSINESS CONTINUITY

13
Q

In the United States, a party is obligated to take reasonable steps to prevent the destruction or modification of data in its possession that it knows is relevant to pending litigation or a government investigation.

A.CORRECT
B.INCORRECT

A

A.CORRECT

Explanation:
In the United States, a party is generally obligated to undertake reasonable steps to prevent the destruction or modification of data in its possession, custody or control that it knows, or reasonably should know, is relevant either to pending or reasonably anticipated litigation or a government investigation. (This is often referred to as a “litigation hold” on document destruction.) Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Preservation Domain 3 // LE

14
Q

In which type of environment is it impractical to allow clients to conduct their own audits?

A.Multi application environment
B.Dedicated environment
C.Multi tenant environment
D.Long Distance relationships
E.Multi-database environment

A

C.Multi tenant environment

Explanation:
Multi-tenant environment. Forensics: Bit-by-bit imaging of a cloud data source is generally difficult or impossible. For obvious security reasons, providers are reluctant to allow access to their hardware, particularly in a multitenant environment where a client could gain access to other clients’ data. Even in a private cloud, forensics may be extremely difficult, and clients may need to notify opposing counsel or the courts of these limitations. Luckily, this type of forensic analysis is rarel

15
Q

Cloud service providers leverage which of the following to manage costs and enable capabilities?

A.On demand self service
B.Broad network access
C.Measured service
D.Economies of scale
E.Resource pooling

A

D.Economies of scale

Explanation:
Cloud service providers try to leverage economies of scale to manage costs and enable capabilities. This means creating extremely standardized services (including contracts and service level agreements) that are consistent across all customers. Governance models can’t necessarily treat cloud providers the same way they’d treat dedicated external service providers, which typically customize their offerings, including legal agreements, for each client. Source: Security Guidance for Critical Areas

16
Q

Which of the following describes the cloud management plane?

A.It is a layer in which all types of devices and resources from different vendors are interconnected
B.Is a layer where the data center is the component element
C.APIs that are remotely accessible and those wrapped into a web based user interface
D.Is a layer consisting of plenty of vendors and third party applications

A

C.APIs that are remotely accessible and those wrapped into a web based user interface

Explanation:
APIs are both remotely accessible and wrapped into a web-based user interface. This combination is the cloud management plane, since consumers use it to manage and configure the cloud resources, such as launching virtual machines (instances) or configuring virtual networks. Option B. is Infrastructure plane. Option C. is Cloud Control plane. Option D. is Application plane. Physical facilities and infrastructure hardware form the foundation of IaaS. With cloud computing we abstract and pool these

17
Q

Which of the following is not one of the benefits of Cloud Computing?

A.Agility
B.Economy
C.Vendor Lock In
D.Resiliency

A

C.Vendor Lock In

Explanation:
Vendor Lock-in could be a disadvantage of Cloud Computing. Cloud computing offers tremendous potential benefits in agility, resiliency, and economy. Organizations can move faster (since they don’t have to purchase and provision hardware, and everything is software defined), reduce downtime (thanks to inherent elasticity and other cloud characteristics), and save money (due to reduced capital expenses and better demand and capacity matching). We also see security benefits since cloud providers ha

18
Q

How can web security as a service be offered to the cloud customer?

A.Via the cloud using proxy or redirecting web traffic to the cloud provider
B.Either on premise through software and/or appliance installation
C.Both of these
D.None of these

A

C.Both of these

Explanation:
Web Security (Web Security Gateways): Web Security involves real-time protection, offered either on-premise through software and/or appliance installation, or via the Cloud by proxying or redirecting web traffic to the cloud provider (or a hybrid of both). This provides an added layer of protection on top of other protection, such as anti-malware software to prevent malware from entering the enterprise via activities such as web browsing. In addition, it can also enforce policy rules

19
Q

In which phase of the application design and development process is the focus on architecture?

A.Test
B.Develop
C.Design
D.Training
E.Define

A

C.Design

Explanation:
Design: During the application design process, especially when PaaS is involved, the focus for security in cloud is on architecture, the cloud provider’s baseline capabilities, cloud provider features, and automating and managing security for deployment and operations. There are often significant security benefits to integrating security into the application architecture s

20
Q

Which of the following is among the top security benefits?

A.Data Protection
B.Compatibility with consumer IT services and infrastructure
C.Lock-In
D.More timely, effective and efficient updates and default
E.Certifications and Accreditations

A

D.More timely, effective and efficient updates and default

Explanation:
More timely, effective and efficient updates and defaults is one of the TOP SECURITY BENEFITS. MORE TIMELY, EFFECTIVE AND EFFICIENT UPDATES AND DEFAULTS: default virtual machine images and software modules used by customers can be pre-hardened and updated with the latest patches and security settings according to fine-tuned processes; IaaS cloud service APIs also allow snapshots of virtual infrastructure to be taken regularly and compared with a baseline. Updates can be rolled

21
Q

Which of the following tools provides a standard template for cloud providers to document their security and compliance controls?

A.Cloud Security Alliance STAR Registry
B.Cloud Provider Contracts
C.Consensus Assessments Initiative Questionnaire
D.Cloud Control Matrix
E.Supplier (Cloud Provider) Assessments

A

B.Cloud Provider Contracts
C.Consensus Assessments Initiative Questionnaire

Explanation:
The Consensus Assessments Initiative Questionnaire (CAIQ) is a tool from the Cloud Security Alliance (CSA) that provides a standard template for cloud providers to document their security and compliance controls.

22
Q

Which of the following is an underlying vulnerability related to loss of Governance?

A.Lack of resource isolation
B.Lack of standard technologies and solutions
C.Lack of capacity planning
D.Unclear asset ownership
E.Lack of information on jurisdictions

A

D.Unclear asset ownership

Explanation:
Loss of Governance Vulnerabilities:
· Unclear roles and responsibilities
· Poor enforcement of role definitions
· Synchronizing responsibilities or contractual obligations external to cloud
· SLA clauses with conflicting promises to different stakeholders
· Audit or certification not available to customers
· Cross-cloud applications creating hidden dependency
· Lack of standard technologies and solutions
· Storage of data in multiple jurisdictions and lack of transparency about THIS
·

23
Q

Which of the following is an important consideration in management plane usage?

A.Multi Factor Authentication
B.Segregation of Duties
C.Least Privilege
D.Authorization
E.Biometric Authentication

A

C.Least Privilege

Explanation:
Both providers and consumers should consistently only allow the least privilege required for users, applications, and other management plane usage. All privileged user accounts should use multi-factor authentication (MFA). If possible, all cloud accounts (even individual user accounts) should use MFA. It’s one of the single most effective security controls to defend against a wide range of attacks. This is also true regardless of the service model: MFA is just as important for SaaS as it is for

24
Q

Which of the following statements is true for orchestration?

A.Orchestration allows the cloud provider to divvy up resources to different groups
B.Orchestration is used to coordinate carving out and delivering a set of resources from the pools to the consumers
C.Orchestration is used to coordinate carving out and delivering a set of resources from the pools to the consumers
D.Orchestration ensures that different groups can't see or modify each other's assets

A

C.Orchestration is used to coordinate carving out and delivering a set of resources from the pools to the consumers

Explanation:
Orchestration (and automation) is used to coordinate carving out and delivering a set of resources from the pools to the consumers. The key techniques to create a cloud are abstraction and orchestration. We abstract (abstraction) the resources from the underlying physical infrastructure to create our pools, and use orchestration (and automation) to coordinate carving out and delivering a set of resources from the pools to the consumers. As you will see, these two techniques create all the essent

25
Q

The nature of contracts with cloud providers will often preclude things like on-premises audits. What options does the customer have in this situation?

A.Service Level Agreement
B.Third Party Certification
C.Third Party Attestation
D.Non Disclosure Agreement
E.Remote Audit of provider services

A

C.Third Party Attestation

Explanation:
Some cloud customers may be used to auditing third-party providers, but the nature of cloud computing and contracts with cloud providers will often preclude things like on-premises audits. Customers should understand that providers can (and often should) consider on-premises audits a security risk when providing multitenant services. Multiple on-premises audits from large numbers of customers present clear logistical and security challenges, especially when the provider relies on shared assets t

26
Q

How can a single administrator access multiple service administrator accounts with just the privileges they need for a particular action?

A.Using Provider Policies
B.Using Groups
C.Using Custom Policies
D.Using Roles
E.Using Assertions

A

D.Using Roles

Explanation:
A single human administrator can access multiple service administrator accounts using roles. Your platform or provider may support lower-level administrative accounts that can only manage parts of the service. We sometimes call these “service administrators” or “day to day administrators”. These accounts don’t necessarily expose the entire deployment if they are abused or compromised and thus are better for common daily usage. They also help compartmentalize individual sessions, so it isn’t unusua

27
Q

Which of the following is a form of a compliance inheritance in which all or some of the cloud provider’s infrastructure and services undergo an audit to a compliance standard?

A.Third Party Audit
B.Compliance Audit
C.Policy Audit
D.Pass Through Audit

A

D.Pass Through Audit

Explanation:
Many cloud providers are certified for various regulations and industry requirements, such as PCI DSS, SOC1, SOC2, HIPAA, best practices/frameworks like CSA CCM, and global/regional regulations like the EU GDPR. These are sometimes referred to as pass-through audits. A pass-through audit is a form of compliance inheritance. In this model all or some of the cloud provider’s infrastructure and services undergo an audit to a compliance standard. The provider takes responsibility for the costs and m

28
Q

What is true about an attestation?

A.Attestation is another term for an audit
B.Attestation is a legal statement from a third party
C.Attestation is testimony in a court of law
D.Attestations can be performed only by a CPA

A

B.Attestation is a legal statement from a third party

Explanation:
Attestations are legal statements from a third party. They are used as a key tool when customers evaluate and work with cloud providers, because customers often are not allowed to perform their own assessments. Attestations differ from audits in that audits are generally performed to collect data and information, whereas an attestation checks the validity of this data and information to an agreed-upon procedure engagement (such as SOC). Attestations can be performed by certified public accountants (CPAs), but this answer doesn’t properly address the question.

29
Q

What is the purpose of audit management?

A.Manages the frequency of audits
B.Manages the auditors and their awareness of systems
C.Manages the scope of audits
D.Ensures that audit directives are implemented properly

A

D.Ensures that audit directives are implemented properly

Explanation:
Audit management ensures that audit directives are implemented properly. All the other possible answers form part of this activity, but the best answer is that all of these directives are implemented properly.

30
Q

What should you pay particular attention to when reviewing previously performed audit reports given to you by a provider?

A.The services and jurisdictions in the audit scope
B.The firm that performed the audit
C.The date of the audit report
D.The auditor's stated opinion

A

A.The services and jurisdictions in the audit scope

Explanation:
Although none of the answers is necessarily incorrect, CSA best practice recommends that particular attention be paid to the services and jurisdictions that are part of the audit scope, so this is the best answer.

31
Q

What should a customer do when they cannot collect evidence of compliance on their own?

A.Tailor the scope of reporting to reflect lack of evidence
B.Accept the risk of not demonstrating compliance to regulators
C.Evidence not made available to a cloud customer is removed from regulatory oversight
D.Such data should be supplied to the customer by the provider

A

D.Such data should be supplied to the customer by the provider

Explanation:
Providers should supply customers with evidence of compliance and artifacts when customers cannot generate these themselves. All the other answers are just plain wrong.

32
Q

What is the benefit of continuous compliance to a customer of cloud services?

A.The customer is supplied with real-time updates to changes in a provider's environment
B.Any changes made to the provider's environment are supplied within one week
C.There are no benefits because customers should only be concerned with a provider being ISO certified
D.An increased audit frequency lowers the chance of unknown deviation of security posture in the provider's environment

A

D.An increased audit frequency lowers the chance of unknown deviation of security posture in the provider's environment

Explanation:
An increased audit frequency lowers the chance of unknown deviation of the security posture in the provider’s environment. Continuous doesn’t mean real-time, and it does not imply any set schedule. It means that any changes or findings are discovered between certification cycles, usually through the use of automation.

33
Q

What should a customer do if a provider’s artifacts of compliance are insufficient?

A.File for a scoping exclusion request
B.Create and collect their own artifacts
C.Don't use the provider
D.Do nothing

A

B.Create and collect their own artifacts

Explanation:
If a provider’s artifacts of compliance are insufficient, customers should collect their own. There’s no such thing as a scoping exclusion request.

34
Q

What can be done to avoid potential confusion when auditing a cloud service provider?

A.Work with auditors who have their CCSK certification
B.Work with auditors supplied by providers
C.Work with CPAs
D.Work with auditors certified by the Institute of Certified Auditors

A

A.Work with auditors who have their CCSK certification

Explanation:
When selecting auditors, you always want to work with auditors that have knowledge of cloud computing. The CCSK certification validates an auditor’s understanding of cloud services.

35
Q

The data security lifecycle considers which of the following?

A.Location
B.How to configure security controls
C.Who can access data
D.Service models

A

A.Location

Explanation:
The data security lifecycle differs from the information management lifecycle in that it takes location into account. As a result, multiple locations can lead to your managing multiple data security lifecycles. Although the data security lifecycle does address security controls at each stage, it does not dictate how these are to be created or who should be allowed to access what data. Entitlements are used to determine who should have access to particular data. The data security lifecycle doesn’t address the service models at all.

36
Q

Which of the following can be used to determine whether or not information should be held in a cloud?

A.Privacy Policy
B.Information Classification
C.Data Security Lifecycle
D.Acceptable Use Policy

A

B.Information Classification

Explanation:
The best answer is information classification. An acceptable use policy may make the determination of what data classification level is allowed to be stored, but this relies on having classification to begin with. The data security lifecycle can be used to determine what controls should be applied based on the stage of the lifecycle, so C is not the best answer for this particular question. As with the acceptable use policy, the privacy policy may state how data is to be handled, and as such there may be restrictions in place over PII being stored in a cloud—but, again, the information classification is the best answer for this question.

37
Q

Which of the following locations are considered part of the data security lifecycle?

A.Location of data
B.Location of access device
C.Location of the data center
D.Both (location of data) and (Location of access device)

A

D.Both (location of data) and (Location of access device)

Explanation:
I’m sorry for the trick question. The data security lifecycle considers the locations of the data and the access device. Now does that mean the location of the data center is implied as a result? Maybe, maybe not. One could argue the location of the data center would determine the jurisdiction and therefore dictate what controls need to be applied, but there’s nobody to argue with when you’re taking your exam.

38
Q

What is the goal of information governance (select the best answer)?

A.Ensure that appropriate personnel have access to required data
B.Ensure that data is stored in approved locations
C.Formally manage data throughout the enterprise
D.Create and manage information security policies

A

C.Formally manage data throughout the enterprise

Explanation:
The best answer is that information governance exists to formally manage data throughout the enterprise. The other answers are true statements, but information governance deals with more than just those individual statements. Therefore, the best answer is C.

39
Q

Which of the following is considered a tool to implement data governance?

A.Security policies
B.Security controls
C.Information Classification
D.All of these

A

B.Security controls

Explanation:
Security controls are considered a tool to implement data governance. Policies themselves don’t do anything to implement data governance. Yes, they are absolutely needed, but they are statements (directive controls), not actual preventative controls to stop someone from doing something. Classification is also required for strong governance, but again, classification itself isn’t going to stop an actor from performing a function.

40
Q

What is a legal tool to ensure that appropriate governance requirements are implemented and followed by the cloud provider?

A.Security Controls
B.Contractual Controls
C.Strong change management
D.Entitlements

A

B.Contractual Controls

Explanation:
The only legal tool to ensure that appropriate governance requirements are implemented and followed by the cloud provider is contractual controls. None of the other options are legal tools.

41
Q

How should BCP/DR be architected in the cloud?

A.Architect for failure
B.Architect using a single cloud provider
C.Architect using multiple cloud providers
D.Architect using real-time replication for all data

A

A.Architect for failure

Explanation:
You should always architect for failure when dealing with BCP/DR.

42
Q

Which of the following is not a potential option for handling key management?

A.Cloud Provider Service
B.Proxy
C.Hybrid
D.Virtual Appliances
E.HSM

A

B.Proxy

Explanation:
There are four potential options for handling key management:
• HSM/appliance: Use a traditional hardware security module (HSM) or appliance-based key manager, which will typically need to be on-premises, and deliver the keys to the cloud over a dedicated connection.
• Virtual appliance/software: Deploy a virtual appliance or software-based key manager in th

43
Q

The hub and spoke architecture uses internal identity providers or sources connected directly to the cloud provider.

A.CORRECT
B.INCORRECT

A

B.INCORRECT

Explanation:
Hub and spoke: internal identity providers/sources communicate with a central broker or repository that then serves as the identity provider for federation to cloud providers. When using federation, the cloud user needs to determine the authoritative source that holds the unique identities they will federate. This is often an internal directory server. The next decision is whether to directly use the authoritative source as the identity provider, use a different identity source that feeds Source

44
Q

You cannot have a cloud without virtualization.

A.CORRECT
B.INCORRECT

A

A.CORRECT

Explanation:
At its most basic, virtualization abstracts resources from their underlying physical assets. You can virtualize nearly anything in technology, from entire computers to networks to code. As mentioned in the introduction, cloud computing is fundamentally based on virtualization: It’s how we abstract resources to create pools. Without virtualization, there is no cloud. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Overview Domain 8 // VIRTUALIZATION AND CONTAINE

45
Q

In federation, which party makes assertions to which party?

A.Identity broker makes assertions to identity provider
B.Relying party makes assertions to identity broker
C.Relying party makes assertions to identity provider after building a trust relationship
D.Identity provider makes assertions to a relying party after building a trust relationship

A

D.Identity provider makes assertions to a relying party after building a trust relationship

Explanation
How Federated Identity Management Works: Federation involves an identity provider making assertions to a relying party after building a trust relationship. At the heart are a series of cryptographic operations to build the trust relationship and exchange credentials. A practical example is a user logging in to their work network, which hosts a directory server for accounts. That use

46
Q

ISO/IEC 17788 lists six key characteristics for cloud, the first five of which are identical to the NIST characteristics. Which is the additional one?

A.Rapid Elasticity
B.Measured Service
C.On-demand self-service
D.Multi-tenancy
E.Broad Network Access
A

D.Multi-tenancy

Explanation
ISO/IEC 17788 lists six key characteristics, the first five of which are identical to the NIST characteristics. The only addition is multitenancy, which is distinct from resource pooling. NIST defines cloud computing by describing five essential characteristics, three cloud service models, and four cloud deploy

47
Q

When there are gaps in network logging data, what step could be taken?

A.Encrypt the logs; keep the log digest along with the original files
B.Work with cloud provider and fix the gaps
C.Instrument the technology stack with your own logging
D.Keep the log digest along with the original log files
E.Keep the logs in one location

A

C.Instrument the technology stack with your own logging

Explanation
Where there are gaps, you can sometimes instrument the technology stack with your own logging. Cloud platform logs are not universally available. Ideally they should show all management-plane activity. It’s important to understand what is logged and the gaps that could affect incident analysis. Is all management activity recorded? Do they include automated system activities (like auto-scaling) or cloud provider management activities? In the case of a serious incident, providers may have other log

48
Q

Which statement best describes the options for PaaS encryption?

A.PaaS is very diverse and may include client/application, database and proxy encryption as well as other options
B.PaaS would most likely include file/folder encryption and enterprise digital rights management
C.PaaS is limited to client/application and database encryption
D.PaaS is limited to hybrid networks only
E.PaaS encryption is limited to APIs built into the platform, external encryption services and other variations

A

A.PaaS is very diverse and may include client/application, database and proxy encryption as well as other options

Explanation
PaaS Encryption: PaaS is very diverse; the following list may not cover all potential options:
§ Client/application encryption. Data is encrypted in the PaaS application or the client accessing the platform.
§ Database encryption. Data is encrypted in the database using encryption built in and supported by the database platform.
§ Proxy encryption. Data passes through an encryption pr

49
Q

How can you monitor and filter data in a virtual network when traffic might not cross the physical network?

A.Route traffic to a virtual network monitoring or filtering tool on the same hardware and route it to a virtual appliance on the same virtual network
B.Route the traffic through a virtual network interface
C.Route traffic to the physical network device for capturing
D.Route traffic to a virtual network monitoring or filtering tool on the same hardware
E.Route it to a virtual appliance on the same virtual network

A

A.Route traffic to a virtual network monitoring or filtering tool on the same hardware and route it to a virtual appliance on the same virtual network

Explanation
In particular, monitoring and filtering (including firewalls) change extensively due to the differences in how packets move around the virtual network. Resources may communicate on a physical server without traffic crossing the physical network. For example, if two virtual machines are located on the same physical machine there is no reason to route network traffic off the box and onto the network. Thus, they can communicate directly, and monitoring and filtering tools inline on the network (or

50
Q

Which of the following is not a reason for a public cloud provider to maintain a higher baseline security?

A.Maintaining a higher baseline security is a shared responsibility and should be handled accordingly
B.Higher baseline security is needed to attract customers
C.Cloud providers are subject to a wider range of regulatory and industry compliance requirements
D.Not maintaining a baseline will undermine the trust that a public cloud provider needs
E.Cloud providers have significant economic incentives to maintain higher baseline security

A

A.Maintaining a higher baseline security is a shared responsibility and should be handled accordingly

Explanation
Cloud computing mostly brings security benefits to applications, but as with most areas of cloud technology, it does require commensurate changes to existing practices, processes, and technologies that were not designed to operate in the cloud. At a high level, this balance of opportunities and challenges includes:
Opportunities
• Higher baseline security. Cloud providers, especially major IaaS and PaaS providers, have significant economic incentives to maintain higher baseline security than mos

51
Q

Which security advantage considers that anything that goes into production is created by the CI/CD pipeline on approved code and configuration templates?

A.SecDevOps/DevSecOps and Rugged DevOps
B.Improved auditing and change management
C.Immutable infrastructure
D.Automated Testing
E.Standardization
A

E.Standardization

Explanation
· Standardization: With DevOps, anything that goes into production is created by the CI/CD pipeline on approved code and configuration templates. Dev/Test/Prod are all based on the exact same source files, which eliminates any deviation from known-good standards.
· Automated testing: As discussed, a wide variety of security testing can be integrated into the CI/CD pipeline, with manual testing added as needed to supplement.
· Immutable: CI/CD pipelines can produce master images for virtual machin

52
Q

Which security advantage can produce master images for virtual machines, containers, and infrastructure stacks very quickly and reliably by using CI/CD pipelines?

A. SecDevOps/DevSecOps and Rugged DevOps
B.Improved auditing and change management
C.Immutable
D.Automated Testing
E.Standardization
A

C.Immutable

Explanation
· Immutable: CI/CD pipelines can produce master images for virtual machines, containers, and infrastructure stacks very quickly and reliably.
· Standardization: With DevOps, anything that goes into production is created by the CI/CD pipeline on approved code and configuration templates. Dev/Test/Prod are all based on the exact same source files, which eliminates any deviation from known-good standards.
· Automated testing: As discussed, a wide variety of security testing can be integrated into the

53
Q

Leveraging “manual” data transfer methods such as Secure File Transfer Protocol (SFTP) is often more secure and cost effective than the data transfer mechanisms provided by the cloud provider. Is this statement correct or incorrect?

A.INCORRECT
B.CORRECT

A

A.INCORRECT

Explanation
Sending data to a provider’s object storage over an API is likely much more reliable and secure than setting up your own SFTP server on a virtual machine in the same provider. Ensure that you are protecting your data as it moves to the cloud. This necessitates understanding your provider’s data migration mechanisms, as leveraging provider mechanisms is often more secure and cost effective than “manual” data transfer methods such as Secure File Transfer Protocol (SFTP).

54
Q

Which of the following statements is not true for the mechanisms that are used to secure data storage at rest?

A.Tokenization stores the original and randomized version in a secure database
B.Encryption results in a ciphertext
C.Tokenization replaces the data with a fixed value
D.Encryption “scrambles” the data
E.Encryption and tokenization are separate technologies

A

C.Tokenization replaces the data with a fixed value

Explanation
Tokenization takes the data and replaces it with a random value. Encryption and tokenization are two separate technologies. Encryption protects data by applying a mathematical algorithm that “scrambles” the data, which then can only be recovered by running it through an unscrambling (decryption) process with a corresponding key. The result is a blob of ciphertext. Tokenization, on the other hand, takes the data and replaces it with a random value. It then stores the original and the randomized v

55
Q

Which of the following are the types of “Volume Storage Encryption”?

A.Instance-managed encryption and internally managed encryption
B.Proxy-encryption
C.Client side encryption and server side encryption
D.Instance-managed encryption and externally managed encryption

A

D.Instance-managed encryption and externally managed encryption

Explanation
Instance-managed encryption and externally managed encryption are the types of volume storage encryption. IaaS volumes can be encrypted using different methods, depending on your data.
Volume storage encryption
• Instance-managed encryption: The encryption engine runs within the instance, and the key is stored in the volume but protected by a passphrase or keypair.
• Externally managed encryption: The encryption engine runs in the instance, but the keys are managed externally and issued to the i

56
Q

In proxy encryption, the proxy handles all crypto operations and may keep keys either internally or externally.

A.CORRECT
B.INCORRECT

A

A.CORRECT

Explanation
Proxy encryption: In this model, you connect the volume to a special instance or appliance/ software, and then connect your instance to the encryption instance. The proxy handles all crypto operations and may keep keys either onboard or externally. Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: IaaS Encryption, Object and file storage Domain 11 // DATA SECURITY AND ENCRYPTION

57
Q

Which of the following should be the main considerations for key management?

A.Performance, availability, speed, security
B.Performance, access control, speed, non-repudiation
C.Performance, accessibility, latency, security
D.Performance, access control, latency, non-repudiation

A

C.Performance, accessibility, latency, security

Explanation
Key Management (Including Customer-Managed Keys): The main considerations for key management are performance, accessibility, latency, and security. Can you get the right key to the right place at the right time while also meeting your security and compliance requirements? Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0 Topic: Key Management (Including Customer-Managed Ke

58
Q

When data or operations are transferred to a cloud, the responsibility for protecting and securing the data typically remains with the collector or custodian of that data.

A.CORRECT
B.INCORRECT

A

A.CORRECT

Explanation
When data or operations are transferred to a cloud, the responsibility for protecting and securing the data typically remains with the collector or custodian of that data, even if in some circumstances this responsibility may be shared with others. Even when it relies on a third party to host or process its data, the custodian of the data remains liable for any loss, damage, or misuse of the data. It is therefore prudent, and may be required by law or regulation, that the data custodian and the

59
Q

Virtual machines abstract the running of the code, not including the operating systems, from the underlying hardware.

A.CORRECT
B.INCORRECT

A

A.CORRECT

Explanation
The Virtual Machine Manager (hypervisor) also abstracts an operating system from the underlying hardware. Virtual machines: Virtual machines are the most well-known form of compute abstraction, and are offered by all IaaS providers. They are commonly called instances in cloud computing since they are created (or cloned) off a base image. The Virtual Machine Manager (hypervisor) abstracts an operating system from the underlying hardware.

60
Q

Which of the following statements is not true about Security Assertion Markup Language (SAML) 2.0?

A.Supports only authentication and not authorization
B.Assertions can contain authorization decision statements
C.Assertions can contain authentication statements and attribute statements
D.Uses XML to make assertions between an identity provider and a relying party
E.OASIS standard for federated identity management

A

A.Supports only authentication and not authorization

Explanation
SAML assertions can contain authentication statements, attribute statements, and authorization decision statements. Security Assertion Markup Language (SAML) 2.0 is an OASIS standard for federated identity management that supports both authentication and authorization. It uses XML to make assertions between an identity provider and a relying party. Assertions can contain authentication statements, attribute statements, and authorization decision statements. SAML is very widely supported by both