C838 – Managing Cloud Security (WGU) 2026 | Verified CCSP
Exam Prep Questions & Complete Study Guide
Cloud Bursting - ANSWER-When a company uses its own computing infrastructure
for normal usage and accesses the cloud when it needs to scale for high/peak load
requirements, ensuring a sudden spike in usage does not result in poor performance
or system crashes.
No; under current laws, liability and risk for safeguarding PII and meeting
regulations reside with the organization, even if they have contracted with a cloud
provider. - ANSWER-Can an organization transfer risk and liability for safeguarding
PII to a cloud provider?
- Elasticity
- Scalability - ANSWER-- The ability to acquire resources as you need them and
release resources when you no longer need them
- This is similar, but usually relates more to environments with more predictable
workloads. Usually done in advance to give resources room to grow. For example,
purchasing additional room to allow a database to grow larger in the coming months
due to projected business growth.
- SaaS
- PaaS; it is everything included in IaaS with the addition of operating systems
- IaaS
- Physical access to the devices on which their data resides - ANSWER-- This cloud
service model includes applications, CRM, hosted HR, and email
- This model includes operating systems and is popular with DevOps for creating and
testing software
- This model includes hardware, blades, connectivity, and utilities; it is similar to a
"warm site"
- What does a customer give up in all three of these models?
- The customer. The vendor provides all hardware, but not logical resources such as
software
- The vendor - ANSWER-- Who is responsible for all logical resources, such as
software, in an IaaS service model?
- Who is responsible for administering, patching, and updating the OS in a PaaS
service model?
- Public
- Private
- Community - ANSWER-- This type of cloud deployment model is owned by a
specific company and offered to anyone who contracts its services.
- This type of cloud is owned by a specific organization but is only available to users
authorized by that organization; it is similar to a legacy IT structure or what used to
be considered an intranet
- This type of cloud features infrastructure and processing owned or controlled by
distinct individuals and organizations, but they come together in some fashion to
perform joint tasks; an example is the PlayStation gaming network
CASB (Cloud Access Security Broker) - ANSWER-A software tool or service that
enforces cloud-based security requirements such as IAM (Identity and Access
Management). It is placed between the organization's resources and the cloud,
monitors all network traffic, and can enforce security policies.
1. NIST 800-53
2. NIST 800-61
3. NIST 800-37
4. ISO 31000:2009
5. ISO/IEC 28007:2007 - ANSWER-1. A guidance document with the primary goal of
ensuring that appropriate security requirements and controls are applied to all U.S.
federal government information in information management systems.
2. A guidance document which outlines a framework for incident response plans
3. A guidance document for implementing RMF (Risk Management Framework)
4. This is an international standard that focuses on designing, implementing, and
reviewing risk management processes & practices
5. This standard refers to addressing risks in a supply chain
FIPS 140-2 - ANSWER-Primary goal of this is to accredit and distinguish secure and
well-architected cryptographic modules produced by private sector vendors who
seek to have their solutions and services certified for use in regulated industries that
collect, store, transfer, or share data that is deemed to be "sensitive" but not
classified.
TCI (Trusted Cloud Initiative) Reference Architecture - ANSWER-A methodology and
a set of tools that enables security professionals to leverage a common set of
solutions that fulfill their common needs to be able to assess where their internal IT
and their cloud providers are in terms of security capabilities and to plan a roadmap
to meet the security needs of their business.
- Vendor Lock-in
- Vendor Lock-out - ANSWER-- This is when a customer may be unable to leave,
migrate, or transfer to an alternate provider due to technical or non-technical
constraints.
- This is when a customer is unable to access their data because a cloud vendor has
gone out of business or otherwise left the marketplace.
- IaaS: the customer is responsible for everything from OS on down including
choosing, installing, and administering software and supplying and managing data.
Vendor provides buildings and hardware for the datacenter. The customer can still
collect and review logs from the software. - ANSWER-- In which Cloud Model does
the customer have the most responsibility and authority?
- PaaS - ANSWER-- In which Cloud Model is the vendor responsible for installing and
administering the OS but not other software?
- SaaS; the vendor owns the hardware, software, and admin duties for both. The
customer only supplies the data. The customer is essentially the same as a basic user
in legacy IT environments: they have little to no admin rights or privileged accounts
and few permissions and responsibilities. - ANSWER-- In which Cloud Model does
the customer have the least amount of control over the environment?
Homomorphic Encryption - ANSWER-This technology is still theoretic. It would
enable processing of encrypted data without the need to decrypt the data. It allows
the cloud customer to upload data to a cloud service provider for processing without
the requirement to decipher the data first.
The Usefulness of the asset - ANSWER-What is something that cannot be
determined about assets by gathering business requirements?
Delivering computing resources to a remote customer over a network - ANSWER-
What is a simple definition of Cloud Computing?
- Ubiquitous: the resources are everywhere and can be accessed by a client with an
internet connection
- Convenient: easy for the client to use
- On-demand: available whenever the client needs to use it and can be upgraded
easily; for example, adding a new virtual server with a few mouse clicks
- Minimal management effort by client and minimal interaction with the cloud
service provider; when you need to add that virtual server, you can do it easily