WGU C838 Managing Cloud Security Final Exam Revised 2023

Pages: 103
Uploaded on: 24-03-2023
Written in: 2022/2023

Question 1
The NIST cloud model is composed of five essential characteristics, three service models, and four deployment models. Match each characteristic below with its description.

Characteristics:
1. Broad Network Access
2. Metered (Measured) Access
3. On-demand Self-service
4. Resource Pooling
5. Rapid Elasticity

Descriptions:
a. The provider's computing resources are combined to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
b. The consumer can unilaterally provision computing capabilities as needed, automatically.
c. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms.
d. Capabilities can be provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand.
e. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Answers: 1c, 2e, 3b, 4a, 5d

Question 2
What type of cloud deployment model is best for highly sensitive or proprietary information?
a) Hybrid
b) Private
c) Public
d) Community
Answer: B (Private)

Question 3
Which of the following poses the greatest challenge to security?
a) Process
b) Technology
c) People
d) None of the other choices presented

The five AICPA Trust Services principles, on which SOC 2 reports are based:
Security: The system is protected against unauthorized access, both physical and logical.
Availability: The system is available for operation and use as committed or agreed.
Processing Integrity: System processing is complete, accurate, timely, and authorized.
Confidentiality: Information designated as confidential is protected as committed or agreed.
Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the provider's privacy policy.

As a general guideline:
SOC 1: of interest to those concerned with financial statements (controls relevant to financial reporting).
SOC 2: of interest to information technology and security personnel.
SOC 3: a general-use report used to illustrate conformity, compliance, and security efforts to current or potential subscribers and customers of cloud services.

Question 15
How is security best accomplished at the SaaS level?
a) Security is provided through traditional firewalls.
b) Security must be provided by the cloud consumer.
c) Security is negotiated as part of the Service Level Agreement.
d) Through collaboration.
The correct answer is: C. Security is negotiated as part of the Service Level Agreement.

When working with an external service, review any SLA (service-level agreement) to ensure that security is a prescribed component of the contracted services; this can include customization of service-level requirements for your specific needs. Service levels, security, governance, compliance, and liability expectations of the service and provider are contractually stipulated, managed to, and enforced when an SLA is offered to the consumer. There are two types of SLA: negotiable and non-negotiable. In the absence of an SLA, the consumer administers all aspects of the cloud under its control. When a non-negotiable SLA is offered, the provider administers those portions stipulated in the agreement. In the case of PaaS or IaaS, it is usually the responsibility of the consumer's system administrators to manage the residual services specified in the SLA, with the provider expected to secure the underlying platform and infrastructure components to ensure basic service availability and security.
NIST Draft Publication SP 800-146 says: A subscriber's terms of service for a cloud are determined by a legally binding agreement between the two parties, often contained in two parts: (1) a service agreement, and (2) a Service Level Agreement (SLA). Generally, the service agreement is a legal document specifying the rules of the legal contract between a subscriber and provider, and the SLA is a shorter document stating the technical performance promises made by a provider, including remedies for performance failures. For simplicity, this NIST publication and most publications refer to the combination of these two documents as an SLA. The self-service aspect of clouds implies that a subscriber either (1) accepts a provider's pricing and SLA, or (2) finds a provider with more acceptable terms; potential subscribers anticipating heavy use of cloud resources may be able to negotiate more favorable terms. For the typical subscriber, however, a cloud's pricing policy and SLA are non-negotiable. Published SLAs between subscribers and providers can typically be terminated at any time by either party, either for cause, such as a subscriber's violation of a cloud's acceptable use policies, or for failure of a subscriber to pay in a timely manner. Further, an agreement can be terminated for no reason at all. Subscribers should analyze provider termination and data retention policies. Provider promises, including explicit statements regarding limitations, are codified in their SLAs. A provider's SLA has three basic parts: (1) a collection of promises made to subscribers, (2) a collection of promises explicitly not made to subscribers, i.e., limitations, and (3) a set of obligations that subscribers must accept.

Negotiated SLA: If the terms of the default SLA do not address all subscriber needs, the subscriber should discuss modifications of the SLA with the provider prior to use.
TIP: It should be clear in all cases that one can assign or transfer responsibility, but not accountability.

Question 16
Which of the following is NOT a characteristic of IaaS?
a) Resilience
b) Flexibility
c) Capacity Pools
d) Scale
The correct answer is: B. Flexibility.

Flexibility is a characteristic of PaaS. IaaS is the layer where the traditional data center hardware resides. IaaS is characterized by:
• converged networks and IT capacity pools,
• the ability to scale,
• self-service and on-demand capacity, and
• high availability and resilience.
PaaS, on the other hand, is where developers achieve flexibility through the ability to use plugins and environments to quickly meet customer needs. A closely related term is elasticity, where a user's environment is managed based on resource utilization.

Question 17
Which of the following consists of a library of documents that are used in implementing a framework for IT Service Management?
a) Jericho/Open Group
b) ITIL
c) SABSA
d) TOGAF
The correct answer is: B. ITIL.

ITIL is the Information Technology Infrastructure Library. An easy way to remember it is that the L stands for Library, and a library is where documents reside. ITIL is a set of practices for IT Service Management (ITSM) that focuses on aligning IT services with the needs of the business. In the edition this material describes (ITIL 2011), ITIL was published as a series of five core volumes, each covering a different ITSM lifecycle stage; ITIL 4, released in 2019, has since reorganized the framework. Although ITIL underpins ISO/IEC 20000 (previously BS 15000), the international standard for IT service management, there are some differences between the ISO/IEC 20000 standard and the ITIL framework.
ITIL describes processes, procedures, tasks, and checklists which are not organization-specific but can be applied by an organization to establish integration with its strategy, deliver value, and maintain a minimum level of competency. It allows the organization to establish a baseline from which it can plan, implement, and measure, and it is used to demonstrate compliance and to measure improvement.

The other answers are incorrect:

TOGAF is the de facto global standard for Enterprise Architecture. The Open Group Architecture Forum, comprising more than 200 enterprises, develops and maintains the TOGAF standard and publishes successive versions at regular intervals (TOGAF 9 at the time this material was written). The TOGAF framework enables organizations to address critical business needs by:
• ensuring that everyone speaks the same language
• avoiding lock-in to proprietary solutions by standardizing on open methods for Enterprise Architecture
• saving time and money and using resources more effectively
• achieving demonstrable ROI

Jericho/Open Group: the Jericho Forum is now part of the Open Group Security Forum. Its Cloud Cube Model paper is published by The Open Group in PDF format.

SABSA is a proven methodology for developing business-driven, risk- and opportunity-focused security architectures at both enterprise and solution level that traceably support business objectives. It is also widely used for information assurance architectures and risk management frameworks, and to align and integrate security and risk management into IT architecture methods and frameworks.
SABSA comprises a series of integrated frameworks, models, methods and processes, used independently or as a holistic integrated enterprise solution, including:
• Business Requirements Engineering Framework (known as Attributes Profiling)
• Risk and Opportunity Management Framework
• Policy Architecture Framework
• Security Services-Oriented Architecture Framework
• Governance Framework
• Security Domain Framework
• Through-life Security Service Management & Performance Management Framework

Question 18
Which of the following architectures uses a cube model to create a framework for exploring different cloud formations?
a) ColTRANE
b) TOGAF
c) Jericho/Open Group
d) NIST
The correct answer is: C. Jericho/Open Group.

The Jericho Forum explores whether cloud computing is appropriate for all organizations. It developed a cube model that examines different cloud architectures, known as Cloud Formations. The Jericho Forum's objectives related to cloud computing are distinctive: enabling secure collaboration in the cloud formations best suited to the business needs. With this in mind, its Cloud Cube Model paper aims to:
• point out that not everything is best implemented in clouds; it may be best to operate some business functions using a traditional non-cloud approach
• explain the different cloud formations that the Jericho Forum has identified
• describe key characteristics, benefits and risks of each cloud formation
• provide a framework for exploring in more detail the nature of different cloud formations and the issues that need answering to make them safe and secure places to work in

Question 19
Which of the following terms best describes the ability for cloud consumers to access evidence, actions, controls and processes that were performed by a specified user?
a) Auditability
b) SLA
c) Regulatory Compliance
d) Portability
The correct answer is: A. Auditability.

Similar to standard audit trails and system logging, auditing and reporting are offered as a standard feature by many cloud providers. Auditability within the cloud architecture focuses on the actions and activities of users and systems.

The other answers are incorrect:

SLA: Much has been written about Service Level Agreements in the cloud, yet confusion about their importance persists. Most people require a blueprint before architects and contractors start building a new home, and similarly expect a new car to come with a warranty. An SLA serves as both the blueprint and the warranty for cloud computing.

Regulatory Compliance is an organization's adherence to laws, regulations, guidelines and specifications relevant to its business. Violations often result in legal punishment, including federal fines. Examples of regulatory compliance laws and regulations include the Dodd-Frank Act, the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA) and the Sarbanes-Oxley Act (SOX). As the number of rules has increased since the turn of the century, regulatory compliance has become more prominent in a variety of organizations. The trend has even led to the creation of corporate, chief and regulatory compliance officer positions, whose sole focus is to make sure the organization conforms to stringent, complex legal mandates.

Portability: Consumers of cloud services may seek cloud portability so that they can migrate services to a new provider in response to a price increase or a breached service-level agreement.
Other customers may seek cloud portability to fulfill a business need, such as moving cloud-based resources to another provider that is geographically closer to the consumers of the cloud service. Cloud portability requires interoperability among cloud providers, which means that one cloud provider must be able to replicate the application environment that the previous cloud provider had established for the service. The IEEE formed a working group to develop a set of interoperability standards, the IEEE P2301 Draft Guide for Cloud Portability and Interoperability Profiles. Several vendors and providers formed the open source OpenStack initiative, which develops a cloud operating system providing some of the interoperability required for cloud portability. Individual vendors have also formed partnerships to create technology for cloud portability.

Question 20
Which of the following is a true statement?
a) Deployment of a cloud solution is always a technology decision.
b) Organizational goals that require technology, especially cloud technology, are best met when technology is considered at the forefront.
c) The choice to deploy a cloud solution is primarily a technical decision.
d) Funding and technology decisions for movement to the cloud should be made with the business direction at the core.
The correct answer is: D. Funding and technology decisions for movement to the cloud should be made with the business direction at the core.

This question is a trap for overly technical thinkers. Business direction must lead any decision about the type of technology to use. Keep in mind that non-vendor-specific exams such as the CCSP are geared more towards management of the business than towards its technical aspects.

Question 21
Privacy in the cloud is most often achieved through which of the following?
a) Privacy must be outlined in the Service Level Agreement with the cloud provider.
b) Privacy is achieved through the security provided by the cloud provider.
c) Privacy is best achieved through regulatory compliance.
d) Privacy is one of the essential elements of cloud computing and need not be addressed, as it is part of resource pooling.
The correct answer is: A. Privacy must be outlined in the Service Level Agreement with the cloud provider.

Because cloud data may sit in disparate geographic locations, privacy must be outlined and understood as part of the Service Level Agreement. Privacy is neither built into any cloud computing model nor one of the essential characteristics that define cloud computing. Security of the data, by itself, does not establish privacy.

Question 22
Regulatory compliance is most closely aligned with which of the following?
a) The focus of an organization to produce information about the actions of its users.
b) The requirement of an organization to access, report, and obtain evidence of organizational controls.
c) The requirement of an organization to define processes and procedures.
d) The requirement of an organization to adhere to laws, guidelines and specifications relevant to its business.
The correct answer is: D. The requirement of an organization to adhere to laws, guidelines and specifications relevant to its business.

While all of the answers relate to how governance is achieved (through auditing and defined processes), regulatory compliance is directly associated with following laws and guidelines. Regulatory compliance is an organization's adherence to laws, regulations, guidelines and specifications relevant to its business. Violations often result in legal punishment, including federal fines.
Examples include the Dodd-Frank Act, PCI DSS, HIPAA, FISMA and SOX (see the explanation under Question 19 above).

Question 23
Richie has been asked to speak with the Board of Directors at a law firm about cloud deployments. One of the board members has told the board that the cloud is the best business decision for them due to the clear perimeter offered between the cloud provider and the cloud customers. What is the best advice that Richie can give to the Board members?
a) The perimeter transforms into a series of highly dynamic "micro borders" for some cloud providers.
b) There is no clear perimeter in cloud networks.
c) The Board member is correct in stating that the perimeter is clearly the demarcation point.
d) The classic definition of a network perimeter takes on different meanings under different guises and deployment models.
The correct answer is: D. The classic definition of a network perimeter takes on different meanings under different guises and deployment models.

This is a scenario-based question in which several answers are defensible, but only one is the best answer. Richie is tasked with speaking to the Board of Directors, and he is also in the delicate position of pointing out that one board member has an incorrect assumption about cloud environments. The best approach is to introduce the general concept of the varied perimeters offered by the cloud.
It should always be remembered that non-vendor-specific exams such as the CCSP are geared more towards management of the business than towards technical detail, and the ability to speak to board members is an important facet of a business approach. The type of corporation Richie is addressing is not relevant: the definition of the cloud perimeter does not change by industry. Each industry will need to choose the best cloud deployment for its particular business.

Question 24
Which of the following protocols is NOT used to protect data in transit?
a) IPSEC
b) TLS
c) KMS
d) SSL
The correct answer is: C. KMS.

KMS stands for Key Management Service. It is a vital component of a cryptographic solution, but it is not a protocol. This is a negative question: the choice that is NOT a protocol is the correct one. All of the other choices are protocols used to protect data in transit.

TLS (Transport Layer Security) is a protocol that provides confidentiality and integrity between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop on or tamper with any message, provided the client actually verifies the server's certificate. TLS is the successor to the Secure Sockets Layer (SSL).

SSL (Secure Sockets Layer) was the original technology for establishing an encrypted link between a web server and a browser, keeping the data passed between them private and intact. The name "SSL" is still used loosely, and in exam questions, but every SSL version is deprecated (SSL 3.0 formally by RFC 7568 in 2015), as are TLS 1.0 and 1.1 (RFC 8996); a current deployment should offer TLS 1.2 and 1.3 only.

IPsec (IP Security) is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication, integrity, and confidentiality as data is transferred between communication points across IP networks. IPsec provides data security at the IP packet level.
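In practice the TLS half of this answer comes down to how the client is configured: certificate verification on, deprecated versions off, no insecure cipher suites. The Go program below is an added example, not code from the original study notes or from any vendor, that reviews a client tls.Config the way a code reviewer would, with a deliberately weak configuration placed beside the hardened one. The minimum version threshold and the wording of the findings are this example's own assumptions; the cipher-suite classification comes from crypto/tls itself.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Policy threshold assumed for this example: nothing older than TLS 1.2.
const minAcceptedVersion = tls.VersionTLS12

// weakCipherSuite reports whether id is a suite that crypto/tls itself
// classifies as insecure (RC4, 3DES, and the CBC-SHA256 suites).
func weakCipherSuite(id uint16) bool {
	for _, cs := range tls.InsecureCipherSuites() {
		if cs.ID == id {
			return true
		}
	}
	return false
}

// AuditClientTLSConfig returns one finding per setting that weakens the
// confidentiality or authenticity of data in transit. An empty result means
// the configuration passed this review.
func AuditClientTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.InsecureSkipVerify {
		findings = append(findings,
			"InsecureSkipVerify=true: the server certificate is never checked, so any on-path host can impersonate the server")
	}
	if cfg.MinVersion == 0 || cfg.MinVersion < minAcceptedVersion {
		findings = append(findings,
			"MinVersion not pinned to TLS 1.2 or higher: SSL 3.0, TLS 1.0 and TLS 1.1 are deprecated")
	}
	for _, id := range cfg.CipherSuites {
		if weakCipherSuite(id) {
			findings = append(findings,
				fmt.Sprintf("cipher suite %s is classified insecure by crypto/tls", tls.CipherSuiteName(id)))
		}
	}
	return findings
}

// WeakClientConfig is the kind of config that shows up in code that "just
// needs to work" against a self-signed test server.
func WeakClientConfig() *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,              // RC4: broken
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // fine
		},
	}
}

// HardenedClientConfig is what a review should replace it with. CipherSuites
// is left nil on purpose: crypto/tls then uses only its secure TLS 1.2 list,
// and TLS 1.3 suites are not configurable at all.
func HardenedClientConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,      // the name the certificate must be valid for
		MinVersion: tls.VersionTLS12, // TLS 1.3 is still negotiated when available
	}
}

func main() {
	configs := map[string]*tls.Config{
		"weak":     WeakClientConfig(),
		"hardened": HardenedClientConfig("api.example.test"), // hostname assumed for the demo
	}
	for name, cfg := range configs {
		findings := AuditClientTLSConfig(cfg)
		fmt.Printf("%s config: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Run with go run: the weak configuration produces three findings (skipped verification, TLS 1.0 floor, RC4 suite) and the hardened one none. When the connection is made with tls.Client on an existing net.Conn rather than tls.Dial, ServerName must be set explicitly or hostname verification has nothing to check against.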
IPsec works at the packet level: a packet is a data bundle organized for transmission across a network, consisting of a header and a payload (the data in the packet). IPsec emerged as a viable network security standard because enterprises wanted to ensure that data could be securely transmitted over the Internet; it addresses those exposures by protecting data while in transit.

Question 25
Which of the following roles is most likely responsible for reviewing how data is protected in transit as well as the design and assessment of encryption algorithms for use within cloud environments?
a) Cloud Architect
b) Cloud Administrator
c) Cloud Operator
d) Cloud Storage Administrator
The correct answer is: A. Cloud Architect.

Cloud roles: Cloud computing has created new requirements for how applications are built, managed and supported by cloud infrastructure. Additionally, teams now have to take responsibility for ensuring proper billing and maintenance.

Cloud Administrator (and Cloud Operator): This is a top-level role, with responsibility for overseeing the organization's overall cloud implementation. A cloud administrator is typically tasked with setting up, monitoring and maintaining the cloud architecture, and along the way interacts often with system, cloud storage and network administrators. The cloud operator is essentially a junior cloud administrator who oversees day-to-day operations.

Cloud Application Architect: Cloud application architects shape software for deployment on specific clouds. They typically adapt or port applications for compatibility. This role also bridges the gap between end users and back-end systems. Architects need both the system administrator experience to tune operating systems and the rapport with end users to make sure that applications exhibit consistently high performance and usability throughout their life cycles.
Cloud Architect: Title notwithstanding, the cloud architect does a very different job from the cloud application architect. Essentially, cloud architects determine whether private clouds align with the goals of their organizations. To this end, they design the platform and evaluate technologies and vendors to find the right fit.

Cloud Data Architect: Another architect role, this one primarily deals with the management of cloud-stored data. Cloud data architects deal with the wide variety of storage types and associated service-level agreements, ensuring that storage is used appropriately and optimally.

Cloud Service Manager: Similar to cloud data architects, cloud service managers work with SLAs. They may design rules, policies and SLA pricing models, while also keeping SLAs current so that they align with organizational priorities.

Cloud Storage Administrator: Cloud storage administrators create SLAs for different users and map bandwidth, capacity and reliability of storage services to user groups. They monitor the integrity of SLAs and may work with other administrators in the organization.

Cloud Developer: Cloud developers create software for the infrastructure, on clients such as the euca2ools suite or system components like the Eucalyptus Cloud Controller. They may work with the cloud administrator during debugging.

Cloud User: Not a technical role per se, but a term denoting anyone who has access to compute resources such as images and instances within a cloud environment. Cloud users may be granted system administrator privileges for the instances that they initiate.

Question 26
Which of the following approaches is typically used for SaaS environments and cloud deployments?
a) Remote Key Management Service
b) Segregated Key Management
c) Hybrid Key Management
d) Client Side Key Management
The correct answer is: D. Client Side Key Management.

This decentralized approach puts the customer in complete control of the encryption and decryption keys.
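To make the client-side model concrete, the Go program below is an added example; it is not taken from the study notes or from the CSA guidance. It implements envelope encryption on the customer side: a key-encryption key (KEK) stands in for a key held in the customer's own KMS or HSM, each object gets a fresh data-encryption key (DEK), the data is sealed with AES-GCM under the DEK, the DEK is wrapped under the KEK, and only the ciphertext plus the wrapped DEK is handed to the provider. The StoredObject layout, the object-ID binding and the sample data are this example's own constructions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is everything the SaaS or storage provider receives. It holds
// no plaintext and no key the provider can use.
type StoredObject struct {
	ObjectID   string // bound into both encryptions as additional data
	Nonce      []byte // GCM nonce for the data encryption
	Ciphertext []byte // AES-GCM output, authentication tag included
	WrapNonce  []byte // GCM nonce for wrapping the data key
	WrappedDEK []byte // per-object data key, sealed under the customer's KEK
}

// NewKEK generates the customer-held key-encryption key. In a real deployment
// this key lives in the customer's KMS/HSM; here it is a random 256-bit key.
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	_, err := rand.Read(kek)
	return kek, err
}

// gcmSeal encrypts plaintext under key with a fresh random nonce, binding aad.
func gcmSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen is the inverse; it fails if key, nonce, ciphertext or aad differ.
func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt runs on the customer side: new DEK per object, data sealed under the
// DEK, DEK sealed under the KEK. The KEK never leaves the customer.
func Encrypt(kek []byte, objectID string, plaintext []byte) (*StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(objectID)
	nonce, ct, err := gcmSeal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := gcmSeal(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &StoredObject{ObjectID: objectID, Nonce: nonce, Ciphertext: ct,
		WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// Decrypt also runs on the customer side. Anyone without the KEK, the provider
// included, fails at the unwrap step; a tampered or re-labelled object fails too.
func Decrypt(kek []byte, obj *StoredObject) ([]byte, error) {
	aad := []byte(obj.ObjectID)
	dek, err := gcmOpen(kek, obj.WrapNonce, obj.WrappedDEK, aad)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK or tampered object")
	}
	return gcmOpen(dek, obj.Nonce, obj.Ciphertext, aad)
}

func main() {
	kek, err := NewKEK()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the object ID is assumed for the demo.
	obj, err := Encrypt(kek, "invoice-2023-04", []byte("customer record 42"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("what the provider stores: %x...\n", obj.Ciphertext[:8])
	providerKey, _ := NewKEK() // a key the provider might hold: useless here
	_, perr := Decrypt(providerKey, obj)
	fmt.Println("provider-side decrypt:", perr)
	pt, cerr := Decrypt(kek, obj)
	fmt.Printf("customer-side decrypt: %q (err=%v)\n", pt, cerr)
}
```

Binding the object ID as additional authenticated data means a provider cannot silently swap one customer's ciphertext for another's under the same key: the unwrap fails before any plaintext is produced. The remaining operational burden, key rotation and loss of the KEK, stays entirely with the customer, which is the trade-off the client-side model makes.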
In the Cloud Security Alliance Encryption Implementation Guidance diagram of this model (not reproduced here), almost all processing and control is done on the customer side. The cloud provider does not hold keys, has minimal knowledge of users, cannot decrypt customer data, and simply stores the encrypted data. The KMS software may be provided by the cloud provider, but it runs on the customer's premises and the keys are generated and held by the customer. This type of solution can be used by cloud storage and SaaS providers.

Question 27
Which of the following essential characteristics of the cloud most closely resembles the scalability of traditional computing?
a) Rapid Elasticity
b) On-Demand Self Service
c) Measured Self-Service
d) Broad Network Access
The correct answer is: A. Rapid Elasticity.

Rapid Elasticity is the cloud equivalent of the scalability of traditional computing. Seamless and quick scale-out and scale-in are its two hallmarks. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

NIST lists five essential characteristics in total. Besides Rapid Elasticity they are:

On-Demand Self-Service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

Measured Service (NIST's term; the answer choice calls it "Measured Self-Service"): Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts).
Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Broad Network Access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).

Resource Pooling: The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.

Question 28
What is a key activity for any organization considering moving to the cloud?
a) Classifying the organization's data to determine the requirements for the cloud engagement.
b) All of the other choices are considerations.
c) Determining the best cloud formation for the business.
d) Understanding if the cloud is the correct choice for the business of the organization.
The correct answer is: B. All of the other choices are considerations.

Question 29
The primary goal is to standardize, streamline, and create an efficient account creation and management process, while creating a consistent, measurable, traceable, and auditable framework providing access to end users. What are we referring to?
a) Centralized Key Management
b) Provisioning and De-Provisioning
c) Migration and Transference
d) Multi-Factor Authentication and Resource Access
The correct answer is: B. Provisioning and De-Provisioning.

This question is designed to confuse you when answering other questions about Identity and Access Management.
Only one of the answers is a key component of IAM. Some test takers may flag this question because they think it correctly lists four key components, and then answer subsequent Identity and Access Management questions based on these false choices; some of those later questions may include the same incorrect choices. Be careful of misleading choices in this type of question.

Question 30
Which of the following is the name of the free, publicly accessible registry where cloud service providers can publish their CSA-related assessments?
a) Cloud Capability Matrix
b) STAR
c) ISO 27001
d) Cloud Security Roadmap
The correct answer is: B. STAR (the CSA Security, Trust, Assurance and Risk registry).

Question 31
Which of the following is the primary protocol in relation to Centralized Directory Services?
a) Lightweight Directory Access Protocol (LDAP)
b) LPIE Protocol (LPIEP)
c) Multi-Factor Authentication Protocol (MAP)
d) Privileged Identity Protocol (PIP)
The correct answer is: A. Lightweight Directory Access Protocol (LDAP).

The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. A directory service may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory; similarly, a telephone directory is a list of subscribers with an address and a phone number.

Question 32
What is true about a Type II (Two) Hypervisor?
a) A Type II Hypervisor is more secure than a Type I hypervisor.
b) A Type II Hypervisor is bare metal.
c) A Type II Hypervisor is easier to deploy than a Type III Hypervisor.
d) A Type II Hypervisor is OS-based.
The correct answer is: D. A Type II Hypervisor is OS-based.

The primary software component in virtualization is the hypervisor. The hypervisor manages the VMs, virtual data storage, and virtual network components. As an additional layer of software on the physical server, it represents an additional attack surface: if an attacker is able to compromise a physical host, the attacker can potentially access all of the virtual systems hosted on it. Administrators therefore take extra care to ensure virtual hosts are hardened. There are only two hypervisor types:
• Type I runs directly on the hardware, with VM resources provided by the hypervisor itself. Type I hypervisors are often referred to as "native", "bare metal" or "embedded" hypervisors in vendor literature, and are generally considered more secure.
• Type II runs on a host operating system. When the virtualization movement first began to take off, Type II hypervisors were most popular: administrators could buy the software and install it on a server they already had.
In summary: Type I = hardware, Type II = operating system.

TIP: This question intentionally offers a misleading answer by mentioning a hypervisor type that does not exist (Type III). Beware of misleading choices like this, which could cause you to incorrectly answer other related questions later in the exam.

Question 33
Why is a Type I Hypervisor less vulnerable to attack than other hypervisor types?
a) Type IV hypervisor security is limited in its patch availability.
b) The limited access and strong control over the OS greatly increases the reliability and robustness of Type I hypervisors.
c) The operating system-based hypervisor is standardized, making it less vulnerable.
d) Type I hypervisors are NOT less vulnerable to attack than Type II hypervisors. The correct answer is: B The limited access and strong control over the OS greatly increases the reliability and robustness of Type I hypervisors. The operating-system based hypervisor is a Type II hypervisor, which is more vulnerable due to the lack of standardization on the OS and other layers. A great web site you should visit is the Search Virtualization web site. Here is what they say about this topic: In virtualization, the hypervisor (also called a virtual machine monitor) is the low-level program that allows multiple operating systems to run concurrently on a single host computer. Hypervisors use a thin layer of code in software or firmware to allocate resources in real-time. You can think of the hypervisor as the traffic cop that controls I/O and memory management. There are two types of hypervisors: Type 1 and Type 2. Type 1 hypervisors run directly on the system hardware. They are often referred to as a "native " or "bare metal " or "embedded " hypervisors in vendor literature. Type 2 hypervisors run on a host operating system. When the virtualization movement first began to take off, Type 2 hypervisors were most popular. Administrators could buy the software and install it on a server they already had. Type 1 hypervisors are gaining popularity because building the hypervisor into the firmware is proving to be more efficient. According to IBM, Type 1 hypervisors provide higher performance, availability, and security than Type 2 hypervisors. (IBM recommends that Type 2 hypervisors be used mainly on client systems where efficiency is less critical or on systems where support for a broad range of I/O devices is important and can be provided by the host operating system.) Exam Tip: There is no such thing as a Type IV hypervisor. This question intentionally offers a misleading answer by mentioning a hypervisor type that does not exist (Type IV). 
Beware of these misleading choices that could subsequently cause you to incorrectly answer other related questions on the exam. Question 34 In a PaaS environment, should a tenant be given shell access to the server that runs their VM instances? a) No, because shell access to the VM could result in configuration changes that could impact multiple tenants. b) Yes, because a tenant needs full access to the server in order to make necessary changes to the configuration of the VMs. c) No, because there is no way to monitor shell access to a VM server. d) Yes, because shell access is a core comonent of a PaaS implementation. The correct answer is: A No, because shell access to the VM could result in configuration changes that could impact multiple tenants. PaaS tenants should not have shell access to the servers running their instances (even when virtualized). The rationale behind this is to limit the chance and likelihood of configuration or system changes affecting multiple tenants. Where possible, administration facilities should be restricted to siloed containers to reduce this risk. Careful consideration should be given before access is provided to the underlying infrastructure hosting a PaaS instance. In enterprises, this may have less to do with malicious behavior and more to do with efficient cost control; it takes time and effort to undo tenant-related fixes to their environment. Question 35 A guaranteed method to protect a VM from attack is to power it off. True or False? Choose the best statement below. 
a) This is false because simply powering off a VM does not stop the processes from running, leading to VM sprawl b) This is false because simply powering off a VM still leaves the image files susceptible to malware infections and missed patching c) This is true, because simply powering off a VM renders it inaccessible to the system on which it resides d) This is true because simply powering off a VM makes it safe against malware infections and missed patching The correct answer is: This is false, because simply powering off a VM still leaves the image files susceptible to malware infections and missed patching. - A powered off VM is a file and like all files, it is susceptible to malware infections. Another problem with a powered off VM is that it may be turned on at a later time and may have missed a critical security patch, making it vulnerable to attacks that exploit the unpatched system. - VM sprawl is a concern when working in a virtual environment but it is irrelevant to the question that was asked. Sprawl occurs when you lose control of the amount of content on your image store. Cloud servers contain tens of VMs. These VMs may be active or offline and, regardless of state, are susceptible to attacks. Active VMs are vulnerable to all traditional attacks that can affect physical servers. Once a VM is compromised, VMs on the same physical server can attack each other because they share the same hardware and software resources, including memory, device drivers, storage, and hypervisor software. Question 36 Why is a single point of access to a VM environment considered a security threat? a) A single point of access to a VM environment is a security threat because it opens the door to a compromise of the virtual cloud infrastructure. b) A single point of access to a VM environment is a security threat because it creates strict network topologies, which are counter-productive. 
c) A single point of access to a VM environment is security threat due to its decreased complexity, which decreases a defense-in-depth approach. d) A single point of access to a VM environment is a security threat because it creates too many physical endpoints, increasing complexity. The correct answer is: A single point of access to a VM environment is a security threat because it opens the door to a compromise of the virtual cloud infrastructure. Hosts have a limited number of access points (NICs) available to all VMs. This represents a critical security vulnerability: compromising these access points opens the door to compromise the VMs, the hypervisor, or the virtual switch. The Cloud Security Alliance Common Controls Matrix (CCM) provides a good go-to guide for specific risks for SaaS, PaaS, and IaaS. You can get a copy at the URL below: Question 37 Nancy is designing a web site for a public company. As part of the design, she has created a web page that allow each new earnings report to be posted simply by adding an incremental number to the public URL name. The January report would be added to URL as "Earnings_2016_1 ", and the February report would be "Earnings_2016_2 ". You have been asked to evaluate this design decision. Please choose the best answers from the following choices. a) This is a good design because it prevents SQL injection attacks. b) This is a bad design because it creates the threat of Insecure Direct Object References. c) This is a good design because it is efficient and operationally expedient. d) This is a bad design because it creates the threat of a Cross-Site Request Forgery (CSRF). The correct answer is: B This is a bad design because it creates the threat of Insecure Direct Object References. Insecure Direct Object references occur when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. 
Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. In this case, an attacker could anticipate that the March earnings report will be posted under the name "Earnings_2016_3". Simply changing the URL (known as URL tampering) could reveal that report, and if it is posted before the official earnings statement is released to the public, the attacker gains valuable, market-moving information.

Question 38
According to the Data Security Lifecycle, there are a number of actions which can be taken on data. Which of these functions maps to all areas of the Data Security Lifecycle?
a) Process
b) Access
c) Destroy
d) Store
The correct answer is: B Access
Access is the only function that maps to all areas of the Data Security Lifecycle model. The six phases of the Secure Data Lifecycle are Create, Store, Use, Share, Archive and Destroy. The functions that can be performed on the data are Access, Process and Store.
The lifecycle runs from creation to destruction. Although it is shown as a linear progression, once created, data can bounce between phases without restriction, and it may not pass through all stages (for example, not all data is eventually destroyed).
1. Create. Creation is the generation of new digital content, or the alteration/updating/modifying of existing content.
2. Store. Storing is the act of committing the digital data to some sort of storage repository; it typically occurs nearly simultaneously with creation.
3. Use. Data is viewed, processed, or otherwise used in some sort of activity, not including modification.
4. Share. Information is made accessible to others, such as between users, to customers, and to partners.
5. Archive. Data leaves active use and enters long-term storage.
6. Destroy. Data is permanently destroyed using physical or digital means (e.g., crypto-shredding).
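The following is an added example, not part of the exam material and not any real company's site, that turns the design from Question 37 into code: a lookup keyed on the predictable report name, the enumeration an attacker would run against it, and the release-date authorization check that closes the hole. The report store, report names and dates are constructed sample data, and the function names are chosen here for illustration.

```python
"""Insecure Direct Object Reference in a predictable report URL, and the
authorization check that fixes it. Added example with constructed data."""
from datetime import date
from typing import Optional

# Constructed sample data: report name -> (content, date it may go public).
# The March report already sits on the server before its release date,
# which is exactly the situation Question 37 describes.
REPORTS = {
    "Earnings_2016_1": ("January 2016 earnings: revenue up 3%", date(2016, 2, 1)),
    "Earnings_2016_2": ("February 2016 earnings: revenue flat", date(2016, 3, 1)),
    "Earnings_2016_3": ("March 2016 earnings: revenue down 8%", date(2016, 4, 15)),
}


def vulnerable_get_report(name: str) -> Optional[str]:
    """Serves whatever object the URL names. The only 'check' is existence,
    so any name an attacker can guess is served regardless of release date."""
    entry = REPORTS.get(name)
    return entry[0] if entry else None


def enumerate_reports(year: int, max_n: int = 12) -> list:
    """What the attacker does: walk the predictable identifier space and
    keep every name the server answers for."""
    found = []
    for n in range(1, max_n + 1):
        name = f"Earnings_{year}_{n}"
        if vulnerable_get_report(name) is not None:
            found.append(name)
    return found


def hardened_get_report(name: str, today: date, is_staff: bool = False) -> Optional[str]:
    """Same lookup plus an authorization decision: unreleased reports are
    visible only to staff. A pre-release request gets the same answer as a
    missing report, so the response does not confirm that the object exists."""
    entry = REPORTS.get(name)
    if entry is None:
        return None
    content, release_date = entry
    if today < release_date and not is_staff:
        return None
    return content


if __name__ == "__main__":
    print("attacker finds:", enumerate_reports(2016))
    print("vulnerable:", vulnerable_get_report("Earnings_2016_3"))
    print("hardened, public, 10 Mar:", hardened_get_report("Earnings_2016_3", date(2016, 3, 10)))
    print("hardened, public, 15 Apr:", hardened_get_report("Earnings_2016_3", date(2016, 4, 15)))
```

Note that the hardened version answers a pre-release request exactly as it answers a request for a report that does not exist, so an attacker cannot use the response to learn that next month's report has already been uploaded. Unpredictable identifiers would make enumeration harder, but they are no substitute for the check: the authorization decision, not the obscurity of the name, is what protects the data.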
Question 39
Common Criteria (CC) has two key components: Protection Profiles and Evaluation Assurance Levels (EALs). Which of the following statements concerning CC is TRUE?
a) EALs define a standard set of security requirements for a specific type of product
b) Protection Profiles define how thoroughly a product is tested on a scale of 1-7
c) More testing means that the product is more secure, whereas less testing means that the product is less secure
d) CC is an international evaluation framework
The correct answer is: D CC is an international evaluation framework.
The CC is updated periodically. Its two key components are:
Protection Profiles: define a standard set of security requirements for a specific type of product, such as a firewall, IDS, or unified threat management (UTM) appliance.
Evaluation Assurance Levels (EALs): define how thoroughly the product is tested. EALs are rated on a sliding scale from 1 to 7, with 1 being the lowest level of evaluation and 7 the highest. The higher the level, the more quality assurance (QA) testing the product has undergone.
NOTE: Undergoing more tests does not necessarily mean the product is more secure. An EAL states how rigorously the product's security claims were evaluated, not how strong those claims are.
The seven EALs are as follows:
EAL1: Functionally tested
EAL2: Structurally tested
EAL3: Methodically tested and checked
EAL4: Methodically designed, tested, and reviewed
EAL5: Semiformally designed and tested
EAL6: Semiformally verified design and tested
EAL7: Formally verified design and tested

Question 40
Benefits of cloud computing may include all of the following except:
a) Appreciation of IT technologies
b) Reducing maintenance and configuration time
c) Pay per use
d) Pooling resources
The correct answer is: A Appreciation of IT technologies.

Question 41
After years of receiving negative internal and external audit findings, and now facing loss of accreditation and government funding, University of ABC (U of ABC) has decided to move to cloud computing. The University has not conducted a Business Impact Analysis (BIA) or Risk Assessment (RA) in at least five years, and has had a high employee turnover rate over the past two years following changes in its executive staff and Board members. After interviewing several vendors, senior management decided to use the CSP that guaranteed staff and student availability to computing resources. Last month, a natural disaster resulted in staff and students losing access to computing resources, and the CSP did not respond to any of ABC's requests or inquiries. As a result of the ensuing bad publicity, student enrollment has declined. Perhaps some of these issues could have been avoided if U of ABC had:
a) Had effective board oversight
b) Consistently practiced due diligence and due care
c) Had a current BIA and RA
d) Had an effective cloud backup solution
The correct answer is: B Consistently practiced due diligence and due care
Due diligence is the act of investigating and understanding the risks a company faces. Due care is the development and implementation of policies and procedures to protect the company, its assets, and its people from those threats. Had U of ABC practiced due care and due diligence, it would have had a current BIA, RA, business continuity plan, and so on; it would have understood and documented the University's and the CSP's responsibilities before signing SLAs and contracts; and it would have better understood cloud services, performance, resiliency, and options. Practicing due diligence and due care would also have helped to address and lessen the ill effects of its inadequate board oversight and employee turnover.

Question 42
Which answer best describes Software as a Service (SaaS)?
a) Consumer can provision processing, storage, networks and other fundamental computing resources. Consumer does not manage or control the underlying infrastructure, but has control over the OS, storage and deployed applications and possibly select network components such as firewalls.
b) Consumer uses the provider's applications and resources. The consumer does not manage or control the underlying cloud infrastructure, but has control over the deployed application.
c) Consumer deploys onto the cloud infrastructure applications that the consumer created or acquired. Consumer does not manage or control the underlying infrastructure, but has control over the deployed application and possibly configuration settings for the application hosting environment.
d) Consumer uses the provider's applications, which are accessible from various client devices through a thin client or program interface, and the consumer manages or controls the underlying infrastructure. Security lies more with the consumer.
The correct answer is: B Consumer uses the provider's applications and resources. The consumer does not manage or control the underlying cloud infrastructure, but has control over the deployed application.
According to "The NIST Definition of Cloud Computing", in SaaS "the capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including networks, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings."

Question 43
Which of the following cloud models is used when the capability provided to the consumer is to use the provider's applications running on a cloud infrastructure, where the applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface, and the consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings?
a) IaaS
b) Private Cloud
c) PaaS
d) SaaS
The correct answer is: D SaaS
Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
The following answers are incorrect:
IaaS. Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
Private Cloud. This is a deployment model, not a service model. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
PaaS. Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

Question 44
Looking at the cloud service models below and their integrated functionality, which one achieves the highest level of integration?
a) All models have the same integration level
b) PaaS
c) SaaS
d) IaaS
The correct answer is: C SaaS
Understanding the relationships and dependencies between cloud computing models is critical to understanding cloud computing security risks. IaaS is the foundation of all cloud services, with PaaS building upon IaaS, and SaaS in turn building upon PaaS, as described in the Cloud Reference Model. Just as capabilities are inherited, so are information security issues and risk. Commercial cloud providers may not fit neatly into the layered service models; nevertheless, the reference model is important for relating real-world services to an architectural framework and for understanding that each of the resources and services requires security analysis.
There are significant trade-offs between the models in terms of integrated features, complexity versus openness (extensibility), and security. Generally, SaaS provides the most integrated functionality built directly into the offering, with the least consumer extensibility and a relatively high level of integrated security (at least, the provider bears a responsibility for security). SaaS is built upon the underlying IaaS and PaaS stacks and provides a self-contained operating environment that delivers the entire user experience, including the content, its presentation, the application(s), and the management capabilities.
TIP: The key takeaway for security architecture is that the lower down the stack the cloud service provider stops, the more security capabilities and management the consumer is responsible for implementing and managing.
IaaS includes the entire infrastructure resource stack, from the facilities to the hardware platforms that reside in them. It incorporates the capability to abstract resources (or not), as well as to deliver physical and logical connectivity to those resources. Ultimately, IaaS provides a set of APIs that allow consumers to manage and otherwise interact with the infrastructure.
PaaS sits on top of IaaS and adds an additional layer of integration with application development frameworks, middleware capabilities, and functions such as database, messaging, and queuing. These services allow developers to build applications on the platform with the programming languages and tools supported by the stack.

Question 45
Within which cloud service model would you find and control application settings only?
a) Software as a Service (SaaS)
b) Infrastructure as a Service (IaaS)
c) PaaS
d) Security as a Service (SecaaS)
The correct answer is: A Software as a Service (SaaS)
Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
The following answers are incorrect:
Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
Security as a Service (SecaaS). Cloud computing represents one of the most significant shifts in information technology the industry has experienced. Reaching the point where computing functions as a utility has great potential, promising expansive innovations. One such innovation is the centralization of security resources. The security industry has recognized the benefits of a standardized security framework for both providers and consumers. In the context of a cloud service level agreement between provider and consumer, a standardized security framework takes the form of a document that specifies which security services are provided, how, and where. With the maturation of security offerings based on standard frameworks, cloud consumers have recognized the need to centralize computing resources for providers and consumers. One milestone of the maturity of cloud as a platform for business operations is the adoption of Security as a Service (SecaaS) on a global scale and the recognition of how security can be enhanced by it. The worldwide implementation of security as an outsourced commodity will eventually minimize disparate variances and security voids. SecaaS looks at enterprise security from the cloud, which is what differentiates it from most other work and research on cloud security: cloud security discussions have predominantly focused on how to migrate to the cloud and how to ensure confidentiality, integrity, availability and location are maintained when using it. SecaaS looks from the other side, securing systems and data in the cloud, as well as in hybrid and traditional enterprise networks, via cloud-based services. These systems may be in the cloud or more traditionally hosted within the customer's premises. An example of this might be

Question 46
Which of the following is true of a private cloud?
a) It may be internal or external to an organization.
b) It is always managed by a broker.
c) It must be internal to an organization.
d) It must be external to an organization.
The correct answer is: A It may be internal or external to an organization.
The cloud infrastructure is operated solely for one organization. It may be managed by the organization or a third party and may exist on or off premises. In NIST's words, the cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units); it may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. The private cloud deployment model includes cloud-based assets for a single organization. Organizations can create and host private clouds using their own resources, in which case the organization is responsible for all maintenance. However, an organization can also rent resources from a third party and split maintenance responsibilities based on the service model (SaaS, PaaS, or IaaS).

Question 47
The Open Web Application Security Project (OWASP) has produced a list of the top ten critical web application security threats that should be tested. Which of the following threats could be best mitigated by input validation?
a) Insecure Direct Object References
b) Security Misconfiguration
c) Cross-Site Request Forgery
d) Injection Flaws
The correct answer is: D Injection Flaws

Question 48
A Man in the Middle attack against a cloud consumer is most closely aligned with which of the following common threats?
a) Low Orbit Ion Cannon Attack
b) Denial of Service
c) Traffic Hijacking
d) Cruzr attack
The correct answer is: C Traffic Hijacking
Hijacking is a form of Man in the Middle (MITM) attack. Even though this is not a cloud-specific threat, it has been a constant thorn in the side of security professionals for years. Account and service traffic hijacking has long been targeted by attackers using methods such as phishing, more recently smishing (SMS phishing), spear-phishing (targeted phishing attacks), and the exploitation of vulnerabilities in software and other applications.

Question 49
The definition of cloud portability is:
a) The deployment of a company's cloud computing strategy
b) The ability to move applications and related data between CSPs, or between public and private cloud environments.
c) A company that purchases hosting services from a cloud server hosting or cloud computing provider and then resells them to its own customers.
d) Multiple customers using the same public cloud.
The correct answer is: B The ability to move applications and related data between CSPs, or between public and private cloud environments.

Question 50
Which of the following is not an SSO technology?
a) SAML
b) SCIM
c) XACML
d) OpenID Connect
The correct answer is: C
XACML (eXtensible Access Control Markup Language) is an authorization policy language for expressing and evaluating access control decisions; it does not authenticate users or carry a sign-on assertion between parties. Note for practitioners: SCIM (System for Cross-domain Identity Management) is a user-provisioning standard rather than a sign-on protocol in its own right; it is usually deployed alongside SAML or OpenID Connect, which is how it comes to be grouped with SSO here.

Question 51
Which of the following is a VALID cloud system role based on ISO/IEC 17788?
a) Cloud owner
b) Cloud auditor
c) Cloud director
d) Cloud billing partner
The correct answer is: B Cloud auditor
Cloud auditor: someone specifically responsible for conducting audits of cloud systems and cloud applications. This is primarily done by an independent third party rather than by your CSP, but it is often paid for by the customer to provide validation that the SLAs are being met.
DISCUSSION: The cloud computing roles based on ISO/IEC 17788 include:
1) Cloud auditor: someone specifically responsible for conducting audits of cloud systems and cloud applications. This is primarily done by an independent third party rather than by your CSP, but it is often paid for by the customer to provide validation that the SLAs are being met.
2) Cloud service broker: a partner that serves as an intermediary between the cloud service customer and the cloud service provider. An example would be someone who resells cloud capacity hosted on Amazon Web Services.
3) Cloud service customer: the party that is utilizing services through the cloud service provider.
4) Cloud service partner: holds a relationship with the cloud service provider or the cloud service customer. Its responsibility is to assist with the delivery of cloud services.
5) Cloud service provider: offers cloud services to cloud customers, such as Amazon Web Services, Microsoft, or Google.
6) Cloud service user: someone who interacts with the services being offered by the cloud service customer. For example, a subscriber to Netflix would be a cloud service user.

Question 52
Resource pooling is an important concept for cloud computing. Which of the following statements about resource pooling is most correct?
a) Resource pooling and the ability to dynamically adjust to varying customer needs is the reason cloud computing is significantly more expensive than traditional data centers.
b) Resource pooling allows for dynamic adjustment of shared resources, but is only available in a private cloud.
c) Resource pooling allows companies to dynamically have the resources they need when they need them, rather than having to build out systems large enough to handle their maximum load.
d) Resource pooling provides dedicated resources to cloud tenants.
The correct answer is: C Resource pooling allows companies to dynamically have the resources they need when they need them, rather than having to build out systems large enough to handle their maximum load.
Resource pooling allows companies to dynamically have the resources they need when they need it rather than having to build out systems large enough to handle their maximum load. Source: The idea behind resource pooling is that through modern scalable systems involved in cloud computing and software as a service (SaaS), providers can create a sense of infinite or immediately available resources by controlling resource ad

