Cloud Security Alliance Cloud Security Alliance Certifications CCSK Questions & Answers

• Question 181:

  What are six phases of the Data Security Lifecycle?

  A. Create, Store, Use, Share, Archive, Destroy

  B. Create, Classify, Use, Store, Archive, Destroy

  C. Assign, Define, Create, Process, Store, Destroy

  D. Create, Classify, Use, Store, Retain, Destroy

  E. Assign, Define, Store, Process, Transmit, Destroy

  Correct Answer: A

  Refer to Cloud Security Guidance v4, page 63 The Data Security Lifecycle is Create, Store, Use, Share, Archive, Destroy

• Question 182:

  Which tool is the primary tool between the cloud provider and consumer that extends governance into business partners and providers?

  A. Compliance Reporting

  B. Supplier Assessments

  C. Consumer Assessments

  D. Contracts

  E. Service-level Agreements (SLAs)

  Correct Answer: D

  Contracts define the relationship between providers and customers and are the primary tool for customers to extend governance to their suppliers. CCSK Study Security Guide, pg 29, 2.1.1.1

• Question 183:

  ENISA: Because it is practically impossible to process data in encrypted form, customers should have the following expectation of cloud providers:

  A. Provider should be PCI compliant

  B. Provider should immediately notify customer whenever data is in plaintext form

  C. Provider must be highly trustworthy and have compensating controls to protect customer data when it is in plaintext form

  D. Provider should always manage customer encryption keys with hardware security module (HSM) storage

  E. Homomorphic encryption should be implemented where necessary

  Correct Answer: C

  V10. IMPOSSIBILITY OF PROCESSING DATA IN ENCRYPTED FORM

  Encrypting data at rest is not difficult, but despite recent advances in homomorphic encryption (27), there is little prospect of any commercial system being able to maintain this encryption during processing. In one article, Bruce Schneier

  estimates that performing a web search with encrypted keywords -- a perfectly reasonable simple application of this algorithm -- would increase the amount of computing time by about a trillion (28). This means that for a long time to come,

  cloud customers doing anything other than storing data in the cloud must trust the cloud provider.

• Question 184:

  Which statement best describes the options for PaaS encryption?

  A. PaaS is very diverse and may include client/application, database, and proxy encryption as well as other options.

  B. PaaS is strictly limited to client/application, database and proxy encryption.

  C. PaaS is sensitive to application updates and therefore must be constantly refreshed with relevant keys.

  D. PaaS is very diverse and would most likely include le/folder and instance-managed encryption.

  E. PaaS is limited to public networks.

  Correct Answer: A

  A. PaaS is very diverse and may include client/application, database, and proxy encryption as well as other options.

  PaaS (Platform as a Service) is a cloud computing service model that provides a platform for developers to build, deploy, and manage applications without managing the underlying infrastructure. PaaS offerings can be diverse, and the encryption options available within a PaaS environment can vary. It can include various encryption measures such as client/application, database, and proxy encryption, along with other security features. The range of encryption options depends on the specific PaaS provider and the services they offer.

• Question 185:

  What can be implemented to help with account granularity and limit blast radius with IaaS an PaaS?

  A. Maintaining tight control of the primary account holder credentials

  B. Configuring secondary authentication

  C. Implementing least privilege accounts

  D. Establishing multiple accounts

  E. Configuring role-based authentication

  Correct Answer: D

  D. Establishing multiple accounts

  To help with account granularity and limit the blast radius in Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) environments, one effective strategy is to establish multiple accounts. This practice is commonly referred to as account isolation or account segmentation. By creating separate accounts based on specific roles, projects, or application environments, organizations can achieve finer granularity in access control and resource allocation. This approach reduces the potential blast radius of security

  incidents by isolating resources and minimizing the impact of any security issues that might occur within a specific account.

  The other options (A, B, C, and E) are also important security measures, but establishing multiple accounts is specifically focused on account granularity and reducing the potential blast radius, which aligns with the question's context.

• Question 186:

  Which of the following statements best defines the "authentication" component of identity, entitlement, and access management (IdEA).

  A. A guarantee that data in a repository is 100% unregulated

  B. Updating security protocols to the latest version

  C. Establishing/asserting the identity to the application

  D. The process of specifying and maintaining access policies

  E. None of the above

  Correct Answer: C

  C. Establishing/asserting the identity to the application

  Authentication is the process of verifying and confirming the identity of a user or entity attempting to access a system, application, or resource. It involves presenting credentials (such as username and password, biometric data, or digital certificates) to prove one's identity and gain access to the desired resource. The authentication component of identity, entitlement, and access management (IdEA) is responsible for validating and asserting the identity of users or entities interacting with an application or system.

• Question 187:

  Which of the following statements best describes the potential advantages of security as a service?

  A. The standardization of security software makes the outsourcing of security as a service nearly obsolete.

  B. The advantages may include flexible offering of services, greater security domain knowledge and efficiency of SecaaS providers.

  C. The advantages are not realized until a security breach actually occurs. At that time the greater response of the security team should be obvious.

  D. The higher costs and reduced flexibility are more than compensated for by the ability to pass the security responsibilities on to another rm.

  E. Many areas of security as a service are ripe for adoption with the notable exceptions of anti-malware and anti-spam programs.

  Correct Answer: B

• Question 188:

  What is true of how the management plane is to be secured in the cloud?

  A. The cloud provider is responsible for securing the management plane and exposing the required security features, while the cloud consumer is responsible for Configuring access to the management plane.

  B. The cloud consumer is responsible for securing the management plane, exposing the required security features, and Configuring access to the management plane.

  C. The cloud consumer is responsible for securing the management plane and exposing the required security features, while the cloud provider is responsible for Configuring access to the management plane.

  D. The cloud provider is responsible for securing the management plane, exposing the required security features, and Configuring access to the management plane.

  E. The cloud provider is responsible exposing the required security features, while the cloud consumer is responsible for securing the management plane and Configuring access to the management plane.

  Correct Answer: A

  The cloud provider is responsible for ensuring the management plane is secure and necessary security features are exposed to the cloud user, such as granular entitlements to control what someone can do even if they have management

  plane access.

  The cloud user is responsible for properly configuring their use of the management plane, as well as for securing and managing their credentials.

• Question 189:

  Which action is part of the containment phase of the incident response lifecycle?

  A. Evaluating infrastructure by proactive scanning and network monitoring, vulnerability assessments, and performing risk assessments

  B. Planning notification and coordination of activities

  C. Making considerations for data loss versus service availability

  D. Configuring and validating alerts

  E. Analyzing what happened

  Correct Answer: C

  Answer is C: CSA guidance 9.1.1 Containment, Eradication and Recovery Containment: Taking systems offline. Considerations for data loss versus service availability. Ensuring systems don't destroy themselves upon detection

• Question 190:

  What is the most important reason for knowing where the cloud service provider will host the data?

  A. Such knowledge is a prerequisite to implementing the required measures to ensure compliance with local laws that restrict the cross-border flow of data.

  B. Enable the data controller to register with the local Data Protection Officer(s), where appropriate.

  C. To facilitate comprehensive disaster planning.

  D. To enable data location transparency for the consumer.

  E. To allow compliance with local laws regarding data privacy and safeguarding.

  Correct Answer: A

  A. Such knowledge is a prerequisite to implementing the required measures to ensure compliance with local laws that restrict the cross-border flow of data.

  Knowing where the cloud service provider will host the data is crucial for ensuring compliance with local laws and regulations regarding the cross-border transfer of data. Many countries have specific requirements and restrictions on the transfer of personal or sensitive data outside their borders. By knowing the location of the data hosting, the data controller can take appropriate measures to comply with these laws, such as implementing data protection safeguards or obtaining necessary permissions or agreements. It allows the organization to ensure that the data is handled in accordance with applicable legal requirements and helps mitigate the risk of non-compliance and potential legal consequences.