Cloud Security Alliance Cloud Security Alliance Certifications CCSK Questions & Answers

• Question 151:

  What are major factors to building and managing a secure management plane?

  A. Perimeter security; customer authentication; internal authentication and credential passing; authorization and entitlements; and logging, monitoring, and alerting

  B. API management; end point security; logging; and authentication and authorization

  C. Device patching and maintenance; internal authentication and credential passing; access management and logging, monitoring, and alerting

  D. Perimeter security; customer authentication; internal authentication and credential passing; authorization and entitlements; and governance auditing

  E. Perimeter patching; log authentication; external entitlement passing; credential alerting and customer security

  Correct Answer: A

  SG Page# 72 says "Delving into implementation specifics is beyond the scope of this Guidance, but at a high level there are five major facets to building and managing a secure management plane:"

  Perimeter security:

  Customer authentication:

  Internal authentication and credential passing:

  Authorization and entitlements:

  Logging, monitoring, and alerting:

• Question 152:

  Cloud storage will most often utilize the same types of data storage used in traditional data storage technologies.

  A. True

  B. False

  Correct Answer: B

  B: 11.1.2, Since cloud storage is virtualized it tends to support different data storage types than used in traditional storage technologies. Below the virtualization layer these might use well-known data storage mechanisms, but the cloud storage virtualization technologies that cloud users access will be different.

• Question 153:

  Prominent recommended standards to enable federation of identity in cloud environments include:

  A. FIDO

  B. Kerberos

  C. SSO

  D. SAML

  E. X 509

  Correct Answer: D

• Question 154:

  How can you reduce the blast radius if an attacker compromises one system?

  A. Configure distinct firewall rules

  B. Configure applications on distinct virtual networks only connecting where needed

  C. Configure role-based access controls

  D. Configure a default deny

  E. Use different cloud providers

  Correct Answer: B

  Security Guidance, page 82 A common, practical example leveraging this capability is running most, if not all, applications on their own virtual network and only connecting those networks as needed. This dramatically reduces the blast radius if an attacker compromises an individual system. The attacker can no longer leverage this foothold to expand across the entire data center.

• Question 155:

  What are the three valid options for protecting data as it moves to and within the cloud?

  A. Client/Application Encryption, Link/Network Encryption, Proxy-Based Encryption

  B. Client/Application Encryption, Link/Network Encryption, Hypervisor Encryption

  C. Client/Application Bundling, Link/Network Bundling, Proxy-Based Bundling

  D. Password Encryption, Link/Network Encryption, Proxy-Based Encryption

  E. Client/Application Encryption, Cloud Encoding, Proxy-Based Encryption

  Correct Answer: A

  11.1.3.1.

  There are a few options for in-transit encryption depending on what the cloud platform supports. One way is to encrypt before sending to the cloud (client-side encryption). Network encryption (TLS/SFTP/etc.) is another option. Most cloud

  provider APIs use Transport Layer Security (TLS) by default; if not, pick a different provider, since this is an essential security capability. Proxy-based encryption may be a third option, where you place an encryption proxy in a trusted area

  between the cloud user and the cloud provider and the proxy manages the encryption before transferring the data to the provider.

• Question 156:

  To what extent does the CSA Guidance document suffice for legal advice in setting up relationships with cloud service providers?

  A. The CSA Guidance document provides adequate legal advice under certain circumstances.

  B. The CSA Guidance document provides an overview of selected issues and it is not a substitute for obtaining legal advice.

  C. The CSA Guidance document provides copious amounts of relevant case law to enable legal inferences to be developed.

  D. The CSA Guidance document does not discuss any legal issues at all.

  E. The CSA Guidance document provides sufficient guidance to substitute for legal advice.

  Correct Answer: B

  Answer is B: CCSK Study Security Guide pg 37: highlights some of the legal issues raised by moving data to the cloud; contracting with cloud service providers; and handling electronic discovery requests in litigation. Our overview here cannot address every potential legal situation. To address your specific issues, you should consult with legal counsel in the jurisdiction(s) in which you intend to operate and/or in which your customers reside. In addition, be aware that laws and regulations change frequently, and thus you should verify the relevancy of information contained in this domain before relying on it. Domain 3 is concerned primarily with the legal implications of public cloud computing and third party-hosted private clouds.

• Question 157:

  ENISA: A key area of controls for cloud provider network architecture is

  A. Patch management

  B. SAFECode software assurance

  C. Hardening of virtual machines according to industry standard guidelines

  D. Distributed Denial of Service mitigation

  E. Antivirus

  Correct Answer: C

  C. Hardening of virtual machines according to industry standard guidelines

  ENISA (European Union Agency for Cybersecurity) recognizes the importance of hardening virtual machines in cloud provider network architecture as a key area of controls. Hardening involves implementing security best practices and configurations to reduce the attack surface and enhance the security posture of virtual machines within the cloud environment.

  The other options (A, B, D, E) might be relevant to security but are not specifically highlighted by ENISA as key areas of controls for cloud provider network architecture in the context of the given options.

• Question 158:

  What makes the metastructure layer of cloud computing so different from traditional computing?

  A. It includes the management plane components, which are network enabled and remotely accessible

  B. It is automatically patch and scalable

  C. It includes the data and information components

  D. It includes the underlying application services

  E. It eliminates the need for the Infostructure layer

  Correct Answer: A

  A. It includes the management plane components, which are network enabled and remotely accessible

  The metastructure layer of cloud computing is different from traditional computing in that it includes the management plane components that are network-enabled and remotely accessible. The management plane in cloud computing allows users to control and manage cloud resources and services through remote interfaces. This level of remote access and management is a distinctive feature of the metastructure layer in cloud computing compared to traditional computing. The other options do not accurately describe the main difference between the metastructure layer of cloud computing and traditional computing.

• Question 159:

  While a virtual machine is a full abstraction of an operating system, a container is a constrained place to run segregated processes while still using the kernel and other OS capabilities.

  A. True

  B. False

  Correct Answer: A

  A. True

  The statement is true. A virtual machine (VM) is a full abstraction of an operating system, where each VM includes its own complete operating system instance along with virtualized hardware. On the other hand, a container is a more lightweight form of virtualization that provides a constrained environment to run segregated processes while sharing the same kernel and OS capabilities. This enables containers to be more efficient in terms of resource usage compared to full virtual machines.

• Question 160:

  What are the main considerations for key management?

  A. Performance, control, immutability, and security

  B. Performance, accessibility, immutability, and security

  C. Performance, control, accessibility, and security

  D. Performance, accessibility, latency, and security

  E. Accessibility, control, latency, and security

  Correct Answer: D

  11.1.4.3 Key Management (Including Customer-Managed Keys)

  The main considerations for key management are performance, accessibility, latency, and security.