WGU C838 – MANAGING CLOUD SECURITY
EXAM QUESTIONS AND ANSWERS
What are the 4 characteristics of cloud computing? - ANSWER-Broad network access
On-demand services
Resource Pooling
Measured or "metered" service
What NIST publication number defines cloud computing? - ANSWER-800-145
What ISO/IEC standard provides information on cloud computing? - ANSWER-17788
What is another way of describing a functional business requirement? - ANSWER-necessary
What is another way of describing a nonfunctional business requirement? - ANSWER-not necessary
What is the greatest driver pushing orgs to the cloud? - ANSWER-Cost savings
What is cloud bursting? - ANSWER-Ability to increase available cloud resources on demand
What are 3 characteristics of cloud computing? - ANSWER-Elasticity
Simplicity
Scalability
What is a cloud customer? - ANSWER-Anyone purchasing cloud services
What is a cloud user? - ANSWER-Anyone using cloud services
What are the three cloud computing service models? - ANSWER-SaaS (Software as a Service)
PaaS (Platform as a Service)
IaaS (Infrastructure as a Service)
What is IaaS (Infrastructure as a Service)? - ANSWER-Cloud provider provides all the
physical capability and administration, while the customer is responsible for logical
resources.
What is PaaS (Platform as a Service)? - ANSWER-A cloud computing service that
provides the hardware and the operating system and is responsible for updating and
maintaining both.
What is SaaS (Software as a Service)? - ANSWER-Cloud provider manages everything.
What are the four cloud deployment models? - ANSWER-Public
Private
Community
Hybrid
What cloud model is owned by a single organization? - ANSWER-Private
What cloud model is an arrangement of two or more cloud servers? - ANSWER-Hybrid
What cloud model is a shared setup between orgs? - ANSWER-Community
What cloud model is open for free usage? - ANSWER-Public
What is a cloud service provider? - ANSWER-Cloud service provider manages and
provides entire hosting ability
What is a Cloud Access Security Broker? - ANSWER-Third-party acting as an
intermediary for identity and access management
What do regulators do? - ANSWER-Ensure organizations are in compliance with
regulatory framework.
What word in the CIA triad describes: What protects information from unauthorized
access/dissemination? - ANSWER-Confidentiality
What word in the CIA triad describes: Ensuring that information is not subject to
unauthorized modification? - ANSWER-Integrity
What word in the CIA triad describes: Ensuring that authorized users can access the
information when they are permitted to do so? - ANSWER-Availability
What is a cloud architect? - ANSWER-Expert in cloud computing
What is a cloud OS also known as? - ANSWER-PaaS
NIST standard number that lists accredited and outmoded cryptosystems? - ANSWER-FIPS 140-2
Customer may be unable to leave, migrate, or transfer to an alternate provider due to
technical or non-technical constraints. - ANSWER-Vendor lock-in
What is cloud migration? - ANSWER-Process of transitioning part of a company's data
or services from onsite premises to the cloud
What is cloud portability? - ANSWER-Move applications and data between cloud providers
What offers a degree of assurance that nobody without authorization will be able to access
others' data? - ANSWER-Encryption
If a cloud customer wants a secure, isolated sandbox in order to conduct software
development and testing, which cloud service model would probably be best? -
ANSWER-PaaS
What technology has NOT made cloud service viable? - ANSWER-Smart hubs
What determines the critical paths, processes, and assets of an organization? - ANSWER-BIA
If a cloud customer wants a fully operational environment with very little maintenance or
administration necessary, which cloud service model would probably be best? - ANSWER-PaaS
Customer is unable to recover or access their own data due to the cloud provider going
into bankruptcy or otherwise leaving the market. - ANSWER-Vendor lock-out
What are four examples of things to know to decide how to handle risks within an org? -
ANSWER-Inventory of all assets
Valuation of each asset
Critical paths, processes, and assets
Clear understanding of risk appetite
T/F: Assets are only tangible items. - ANSWER-False. Assets are everything owned or
controlled by an org.
What is the process of evaluating assets? - ANSWER-Business Impact Analysis (BIA)
What is criticality? - ANSWER-Something an org could not operate or exist without
What are 5 examples of criticality for an org? - ANSWER-Tangible assets
Intangible assets
Processes
Data paths
Personnel
In risk, what is the avoidance method? - ANSWER-Avoiding high risk
In risk, what is the acceptance method? - ANSWER-Acceptable level of risk
In risk, what is an example of the avoidance method? - ANSWER-Insurance
In risk, what is the mitigation method? - ANSWER-Controls or countermeasures
Assets can be what? - ANSWER-Tangible
Intangible
Personnel
What does Business Impact Analysis do? - ANSWER-Defines which of the assets
provide the intrinsic value of an organization.
What is risk appetite? - ANSWER-Level, amount, or type of risk that an org finds acceptable
What is the IaaS boundary? - ANSWER-The provider is responsible for connectivity and
power, and the customer is in charge of installing software.
What is the PaaS boundary? - ANSWER-The provider is responsible for updates and
administration of the OS, and the customer monitors and reviews software events.
What is the SaaS boundary? - ANSWER-The provider is responsible for system
maintenance, and the customer supplies data to the system and processes data in it.
What should encryption be used for in a cloud datacenter? - ANSWER-Long-term storage/archiving
Protecting near-term stored files, such as snapshots of virtualized instances
Preventing unauthorized access to specific datasets by authorized personnel
What should encryption be used for in communications between cloud providers and
users? - ANSWER-Creating secure sessions
Ensuring the integrity and confidentiality of data in transit
What are 4 controls/mechanisms a cloud provider should play a role in within layered
defense? - ANSWER-Strong personnel controls
Technological controls
Physical controls
Governance mechanisms
In cloud layered defense, what are examples of personnel controls? - ANSWER-Background checks
Continual monitoring
In cloud layered defense, what are examples of technological controls? - ANSWER-Encryption
Event logging
Access control enforcement