Cloud Security Fundamentals - Apprentice Flashcards

1
Q

3 Properties of cloud technologies as defined by the Cloud Native Computing Foundation?

A
  1. Container Packaged
  2. Dynamically Managed
  3. Microserviced
2
Q

Container Packaged

A

Running applications and processes in software containers as isolated units of application deployment, and as mechanisms to achieve high levels of resource isolation. Improves overall developer experience, fosters code and component reuse, and simplifies operations for cloud native applications.

3
Q

Dynamically Managed

A

Actively scheduled and actively managed by a central orchestrating process. Radically improves machine efficiency and resource utilization while reducing the cost associated with maintenance and operations.

4
Q

Microserviced

A

Loosely coupled with dependencies explicitly described (for example, through service endpoints). Significantly increases the overall agility and maintainability of applications. The foundation will shape the evolution of the technology to advance the state of the art for application management, and to make the technology ubiquitous and easily available through reliable interfaces.

5
Q

hypervisor

A

A hypervisor allows multiple, virtual (or guest) operating systems to run concurrently on a single physical host computer.

6
Q

Native (Type 1 or bare metal) Hypervisor

A

A native (also known as a Type 1 or bare metal) hypervisor runs directly on the host computer’s hardware.

7
Q

Hosted (type 2) Hypervisor

A

A hosted (also known as a Type 2) hypervisor runs within an operating system environment.

8
Q

What is the foundation of cloud computing?

A

Virtualization

9
Q

_______ software allows multiple, virtual guest operating systems to run concurrently on a single physical host computer.

A

Hypervisor

10
Q

Hypervisor functions between ______ and _______

A

Computer Operating Systems

Hardware Kernel

11
Q

VM Sprawl

A

Virtual environments can grow quickly, leading to a breakdown in change management processes and exacerbating security issues such as dormant VMs, hypervisor vulnerabilities, and intra-VM communications.

12
Q

Kubernetes

A

An open-source orchestration platform that provides an application programming interface (API) that enables developers to define container infrastructure in a declarative fashion, that is, infrastructure as code (IaC).

13
Q

Microservices

A

Microservices architecture is a software development technique that uses containers to break large enterprise application code into smaller chunks, called microservices, for programmers to work on. These microservices run on separate containers, and Kubernetes orchestrates these containers to run the entire application code.

14
Q

Hypervisors vs Containers

A

Hypervisors abstract hardware and allow you to run operating systems.

Containers abstract the operating system to enable you to run applications.

15
Q

Micro-VM

A

Micro-VMs are scaled-down, lightweight virtual machines that run on hypervisor software. Micro-VMs contain only the Linux operating system kernel features necessary to run a container.

16
Q

Cloud Compute Service (AWS/Azure/GCP)

A

AWS - EC2

Azure - Azure VM

GCP - Compute Engine

17
Q

Cloud Object Storage Service (AWS/Azure/GCP)

A

AWS - S3

Azure - Blob Storage

GCP - Cloud Storage

18
Q

Cloud Database Service (AWS/Azure/GCP)

A

AWS - RDS

Azure - SQL Database

GCP - Cloud SQL

19
Q

Cloud Networking Service (AWS/Azure/GCP)

A

AWS - Direct Connect

Azure - Virtual Network

GCP - Cloud Interconnect

20
Q

Benefits of the Serverless Model

A

Reduced Operational Overhead

Increased Agility

Reduced Costs

21
Q

DAST

A

Dynamic Application Security Testing

DAST tools will only provide testing coverage for HTTP interfaces. This limited capability poses a problem when testing serverless applications that consume input from non-HTTP sources or interact with backend cloud services.

22
Q

SAST

A

Static Application Security Testing

SAST tools rely on data-flow analysis, control-flow analysis, and semantic analysis to detect vulnerabilities in software. This matters because serverless applications contain multiple distinct functions that are stitched together using event triggers and cloud services.

23
Q

IAST

A

Interactive Application Security Testing

IAST tools have better odds at accurately detecting vulnerabilities in serverless applications when compared to both DAST and SAST.

24
Q

In which model do applications rely on managed services that abstract away the need to manage, patch, and secure infrastructure and virtual machines?

A

Serverless

25
What are scaled-down, lightweight virtual machines that run on hypervisor software and contain only the Linux operating system kernel features necessary to run a container?
Micro VMs
26
IAM
IAM is a framework of business processes, policies, and technologies that facilitates the management of electronic or digital identities.
27
Technical Debt
Technical debt is a software development concept, which also has been applied more generally to IT, in which additional future costs are anticipated for rework due to an earlier decision or course of action that was necessary for agility but was not necessarily the most optimal or appropriate decision or course of action.
28
Distributed Workforce
Distributed workforce is a workforce that reaches beyond the restrictions of a traditional office environment. A distributed workforce is dispersed geographically over a wide area, domestically or internationally.
29
Cloud Cybersecurity Infrastructure
Cloud cybersecurity refers to the tools, data, and infrastructure that protect cloud-based products from malicious actors.
30
On-Premise
On-premises is a solution hosted in-house and usually supported by a third party.
31
RBAC
Role-based access control (RBAC) is a method of restricting network and resource access based on the roles of individual users within an enterprise.
32
DevOps
DevOps is a set of practices that combines software development (Dev) and IT operations (Ops).
33
OS
An operating system is system software that manages computer software resources and hardware peripheral devices, and provides common services for computer programs.
34
VM
A virtual machine is an emulation of a computer system that runs in the form of software and, like a physical computer, runs an operating system and applications.
35
App Software
Application (app for short) software is a program or group of programs designed to help end users be more productive.
36
Runtime
In computer programming, a runtime environment primarily implements portions of an execution model. Most programming languages have some form of runtime environment in which programs run.
37
Shift-Left
Shift-left seeks to move security activities from the end of the workflow to activities that are earlier in the development process. This can improve security impacts and lower costs by finding issues earlier in the CI/CD process.
38
Three Computing Service Models
SaaS, PaaS, IaaS
39
Software as a Service (SaaS)
Customers are provided access to an application, such as Google Docs, running on a cloud infrastructure and the application is accessible from internet-connected client devices. The customer does not manage the application or underlying cloud infrastructure that delivers the application. The customer can only create and store user specific data using the provided SaaS application. The customer is responsible for securing user-specific data created using the SaaS application.
40
Platform as a Service (PaaS)
Using PaaS, customers can deploy supported applications onto the Cloud Service provider’s (CSP) infrastructure without the burden of fully managing and controlling the underlying cloud infrastructure. Most CSPs offer databases as a PaaS. The database can be used to store customer information, for example, product inventory. Customers can avoid the tasks of installing and updating database software by choosing database PaaS.
41
Infrastructure as a Service (IaaS)
Using IaaS, customers securely configure, manage, and deploy the virtual environment running their applications. Customers are responsible for securing their virtual machines, the virtual machine operating systems, operating system runtime environments, application software, and application data. CSPs are responsible for securing the physical computers running the virtual environment.
42
NIST defined cloud deployment models
Public, Private, Hybrid, Community
43
Public Cloud
Public cloud is a cloud infrastructure that is open to use by the general public. It’s owned, managed, and operated by a third party (or parties), and it exists on the cloud provider’s premises. Examples of public CSPs are Amazon Web Services (AWS), Google Cloud, and Microsoft Azure.
44
Community Cloud
Community cloud is a cloud infrastructure that is used exclusively by a specific group of organizations.
45
Private Cloud
Private cloud is a cloud infrastructure that is used exclusively by a single organization. It may be owned, managed, and operated by the organization or a third party (or a combination of both), and it may exist on-premises or off-premises.
46
Hybrid Cloud
Hybrid cloud is a cloud infrastructure that comprises two or more of these deployment models and is, therefore, the best of both worlds: private data center for static, older workloads and public cloud for newer apps, agility, and scalability.
47
SaaS Model
Customer Responsible for: Data
48
PaaS Model
Customer Responsible for: Data, Applications
49
IaaS Model
Customer Responsible for: Data, Applications, Runtime, Middleware, OS
50
Multi-Tenancy Cloud Environments
In multi-tenancy (multiple customers of a cloud vendor are using the same computing resources) cloud environments, particularly in SaaS models, the customer controls and resources are limited by the cloud provider.
51
Dynamic Environment
In a dynamic environment, pools of computing resources are available to support application workloads that can be accessed anywhere, anytime, from any device. Security remains a significant challenge when you embrace this new dynamic, cloud-computing fabric environment. Many of the principles that make cloud computing attractive may go against network security best practices.
52
Software composition analysis (SCA)
SCA safely enables developers to leverage open source packages without exposing organizations to unnecessary vulnerabilities or legal and compliance issues.
53
Bolted On Feature Sets
Bolted-on feature sets are used to describe products and systems that can be quickly but securely attached to an existing operating system or website.
54
Contiguous Ports
Contiguous ports permit or deny firewall traffic through sequential ports in order, such as TCP ports 20-25.
55
Bursty Demand Load
A bursty demand load is a configuration set up between a private cloud and a public cloud to handle peaks in IT demand. When a private cloud configuration reaches 100 percent of its resource capacity, the overflow traffic is directed to a public cloud so there’s no interruption of services.
56
Form Factor
A form factor is an aspect of design that defines and prescribes the size, shape, and other physical specifications of hardware components.
57
Active/Passive Mode
In an active/passive mode, one firewall actively manages traffic while the other is synchronized and ready to transition to the active state should a failure occur. In this mode, both firewalls share the same configuration settings, and one actively manages traffic until a path, link, system, or network failure occurs.
58
Hybrid Cloud Security Evolution
Phase 1 - Consolidating Servers within Trust Levels
Phase 2 - Consolidating Servers Across Trust Levels
Phase 3 - Selective Network Security Virtualization
Phase 4 - Dynamic Computing Fabric
59
Organizations are using which resource to expand their on-premises private cloud compute capacity?
Public Cloud
60
Which cloud infrastructure comprises two or more cloud deployment models, bound by standardized or proprietary technology that enables data and application portability?
Hybrid
61
Which value can be achieved by the ability to pool resources in cloud computing?
economies of scale and agility
62
Which cloud solution is hosted in-house and usually is supported by a third party?
on-prem
63
Which software development concept that also has been applied more generally to IT says that additional future costs for rework are anticipated due to an earlier decision or course of action that was necessary for agility but was not necessarily the most optimal or appropriate decision or course of action?
technical debt
64
In which cloud service model are customers responsible for securing their virtual machines and the virtual machine operating systems, and for operating system runtime environments, application software, and application data?
IaaS
65
Which phased approach of hybrid cloud security requires networking and security solutions that not only can be virtualized but also are virtualization-aware and can dynamically adjust as necessary to address communication and protection requirements, respectively?
Dynamic Computing Fabric
66
CNSP
Cloud Native Security Platform. The cloud native approach takes the best of what cloud has to offer (scalability, deployability, manageability, and limitless on-demand compute power) and applies these principles to software development, combined with CI/CD automation, to radically increase productivity, business agility, and cost savings.
67
CI/CD
Continuous Integration/Continuous Delivery. Application development methodologies are moving away from the traditional "waterfall" model toward more agile continuous integration/continuous delivery (CI/CD) processes with end-to-end automation.
68
"Cloud native"
refers to a methodology of software development that is essentially designed for cloud delivery and exemplifies all the benefits of the cloud by nature.
69
DevOps
DevOps teams are a collaboration between the development teams and IT operations. Traditionally, IT operations did not understand the specific technical and process requirements of the software development process. DevOps teams have a closer relationship with software development teams in order to facilitate the release of applications.
70
SecOps
SecOps teams are essentially IT operations teams with a focus on security. Historically, IT operations and security were separate teams. SecOps teams directly integrate security into IT operations.
71
DevSecOps
DevSecOps teams have a more specific focus on ensuring security than DevOps and SecOps teams. They focus on applying application and infrastructure security automation and processes across the CI/CD pipeline.
72
Which one of the four Prisma Cloud pillars enforces machine learning-based runtime protection to protect applications and workloads in real time?
CWP
73
Which term refers to a methodology of software development that is essentially designed for cloud delivery and exemplifies all the benefits of the cloud by nature?
Cloud native
74
Which team has a more specific focus on applying application and infrastructure security automation in the CI/CD pipeline?
DevSecOps
75
Which area is a security parameter that focuses on improving cloud security entitlement risk?
IAM Security
76
Loosely coupled
Loosely coupled means the components are not hardwired to any infrastructure components, thus allowing developers to make changes frequently without affecting other pieces of the application or other team members' projects across technology boundaries such as public, private, and multicloud deployments.
78
CNSP and its functions
Cloud Native Security Platform: Visibility, Integration, Automation
79
Why is the CI/CD pipeline a loop?
Teams can use the feedback from the other stages to plan their next set of code changes, thus achieving continuous improvement.
80
CI/CD Pipeline
The workflow that results when the processes that go into delivering software are integrated.
81
Characteristics of DevOps
1. Collaborative Teams
2. Culture
3. Strategy
4. More than Automation
82
Continuous integration
Continuous integration requires developers to integrate code into a repository several times per day for automated testing.
83
Continuous delivery
Continuous delivery means that the CI pipeline is automated, but the code must go through manual technical checks before it is implemented in production.
84
Continuous deployment
Continuous deployment takes continuous delivery one step further. Instead of requiring manual checks, the code passes automated testing and is automatically deployed, giving customers instant access to new features.
85
CNAPP
Cloud Native Application Protection Platform. CNAPPs provide a unified cloud security solution to help security teams scan, identify, and remediate security vulnerabilities.
86
SDLC
Software Development Lifecycle refers to a methodology with clearly defined processes for creating high-quality software.
87
CNCF
Cloud Native Computing Foundation is a Linux Foundation project that was founded in 2015 to help advance container technology and align the tech industry around its evolution.
88
Distributed cloud
Distributed cloud is an execution environment where application components are placed at appropriate geographically dispersed locations chosen to meet the requirements of the application.
89
CNAPP Core Security Protections
Cloud Security Posture Management, Cloud Workload Protection, Cloud Code Security, Cloud Infrastructure Entitlement Management
90
CSPM Key Areas
Visibility, Governance, Compliance
91
CSPM Compliance Requirements
Real-Time Discovery, Config Governance, Access Governance, Compliance Auditing, Seamless UX
92
CWP
Cloud Workload Protection provides consistent visibility and control, including vulnerability scanning in the development process, workload protection at runtime, application control, memory protection, behavioral monitoring, host-based intrusion prevention, and optional anti-malware protection.
93
CIEM
Cloud Infrastructure Entitlement Management: the process of managing identities and privileges in cloud environments.
94
Purpose of CIEM
The purpose of CIEM is to understand which access entitlements exist across cloud and multicloud environments, and then identify and mitigate risks resulting from entitlements that grant a higher level of access than they should.
95
Four C's of Cloud Native Security
Cloud, Clusters, Containers, Code
96
Cloud Workload Protection (CWP) protects
Cloud Workloads, Servers, VMs, Containers, DBs, Storage, APIs, Service Layers