✔✔A broad and developing concept addressing the management of the various network
components. The objective is to provide a control plane to manage network traffic on a
more abstract level than through direct management of network components. -
✔✔Software-Defined Networking (SDN)
✔✔Includes day-to-day laws such as speed limits, state tax laws, the criminal
code, and so on, which are enacted by a state legislature as opposed to those enacted
at the national or federal level. - ✔✔State law
✔✔SAST testing is useful in finding such security problems as cross-site scripting
(XSS) errors, SQL injection vulnerabilities, buffer overflows, unhandled error conditions,
and backdoors. This type of test usually delivers more results and more accuracy than
its counterpart dynamic application security testing (DAST). - ✔✔Static Application
Security Testing (SAST)
✔✔The collection of multiple distributed and connected resources responsible for
storing and managing data online in the cloud. - ✔✔Storage Cloud
✔✔Derived from an acronym for the following six threat categories: spoofing identity,
tampering with data, repudiation, information disclosure, denial of service (DoS), and
elevation of privilege. - ✔✔STRIDE Threat Model
✔✔Reduces the likelihood of unauthorized users gaining access and restricts
authorized users to permitted activities. - ✔✔Strong authentication
✔✔Describes how the participants would perform their tasks in a given BC/DR scenario.
- ✔✔Tabletop testing
✔✔A methodology and a set of tools that enable security architects, enterprise
architects, and risk management professionals to leverage a common set of solutions
that fulfill their common needs to be able to assess where their internal IT and their
cloud providers are in terms of security capabilities. Allows them to plan a roadmap to
meet the security needs of their business. - ✔✔TCI Reference Architecture
✔✔A cloud provider who manages the administration of a user's system and who is not
under the user's control. - ✔✔Third-party admin
✔✔The process of replacing sensitive data with unique identification symbols that retain
all the essential information about the data without compromising its security. -
✔✔Tokenization
✔✔Refers to the body of rights, obligations, and remedies that set out reliefs for
persons who have been harmed by others. - ✔✔Tort law
✔✔Protects the esteem and goodwill that an organization has built in the
marketplace, especially in public perception. - ✔✔Trademark
✔✔A risk management strategy that involves the contractual shifting of a risk from one
organization to another. - ✔✔Transference
✔✔Ensures the privacy of communication between applications. - ✔✔Transport Layer
Security (TLS)
✔✔Highlights where a customer may be unable to leave, migrate, or transfer to an
alternate provider due to technical or nontechnical constraints.
Occurs in a situation where a customer may be unable to leave, migrate, or transfer to
an alternate provider due to technical or non-technical constraints. - ✔✔Vendor Lock-In
✔✔The optimization of cloud computing and cloud services for a particular vertical
(such as a specific industry) or specific-use application. - ✔✔Vertical Cloud Computing
✔✔A VMI helps to mitigate risk and ensure that a virtual machine's (VM's) security
baseline is not modified over time. It provides an agentless method to examine all
aspects of a VM from its physical location and its network settings to the installed
operating systems (OSs), patches, applications, and services being used. - ✔✔Virtual
Machine Introspection (VMI)
✔✔Creates a secure tunnel across untrusted networks that can aid in obviating
man-in-the-middle attacks such as eavesdropping. - ✔✔Virtual private network
✔✔A process of creating a virtual version of something, including virtual computer
hardware platforms, operating systems, storage devices, and computer network
resources. - ✔✔Virtualization
✔✔Enable cloud computing to become a real and scalable service offering due to the
savings, sharing, and allocation of resources across multiple tenants and environments.
- ✔✔Virtualization Technologies
✔✔Encrypts only a part of a hard drive instead of the entire disk. - ✔✔Volume
encryption
✔✔Allocates a storage space within the cloud and this storage space is represented as
an attached drive to the user's virtual machine. - ✔✔Volume storage
✔✔An appliance, server plug-in, or filter that applies a set of rules to a hypertext
transfer protocol (HTTP) conversation. Generally, these rules cover common attacks
such as cross-site scripting (XSS) and SQL injections. - ✔✔Web Application Firewall
(WAF)
✔✔Which of the following standards sets out terms and definitions, principles, a
framework, and a process for managing risk?
A ISO 31000:2009
B ISO 28000:2007
C ISO 27001:2013
D ISO/IEC 27037:2012 - ✔✔A
✔✔Which of the following are the virtualization risks?
Each correct answer represents a complete solution. Choose three.
1) Guest breakout
2) Resource exhaustion
3) Sprawl
4) Isolation control failure
5) Snapshot and image security
A 2,4,5
B 1,3,5 - ✔✔B
✔✔Which category does Rapid Provisioning and Scalability fall into?
A PaaS
B IaaS
C SaaS
D XaaS - ✔✔A
✔✔Kim works as a project manager in ABC Inc. His organization requires an application
to launch its products. For this, Kim performs the following activities:
- Discusses business requirements in terms of confidentiality, integrity, and availability
- Determines, creates, and identifies information to transmit or store
- Determines privacy requirements
Which of the following phases of SDLC includes the activities performed by Kim?