CCSP : Certified Cloud Security Professional (CCSP) : Part 01

  1. Which of the following roles is responsible for creating cloud components and the testing and validation of services?

    • Cloud auditor
    • Inter-cloud provider
    • Cloud service broker
    • Cloud service developer

    Explanation: 
    The cloud service developer is responsible for developing and creating cloud components and services, as well as for testing and validating services.

  2. What is the best source for information about securing a physical asset’s BIOS?

    • Security policies
    • Manual pages
    • Vendor documentation
    • Regulations

    Explanation:
    Vendor documentation from the manufacturer of the physical hardware is the best source of best practices for securing the BIOS.

  3. Which of the following is not a component of contractual PII?

    • Scope of processing
    • Value of data
    • Location of data
    • Use of subcontractors

    Explanation:
    The value of data itself has nothing to do with it being considered a part of contractual

  4. Which of the following concepts refers to a cloud customer paying only for the resources and offerings they use within a cloud environment, and only for the duration that they are consuming them?

    • Consumable service
    • Measured service
    • Billable service
    • Metered service

    Explanation:
    Measured service is where cloud services are delivered and billed in a metered way, where the cloud customer only pays for those that they actually use, and for the duration of time that they use them.

  5. Which of the following roles involves testing, monitoring, and securing cloud services for an organization?

    • Cloud service integrator
    • Cloud service business manager
    • Cloud service user
    • Cloud service administrator

    Explanation:
    The cloud service administrator is responsible for testing cloud services, monitoring services, administering security for services, providing usage reports on cloud services, and addressing problem reports.

  6. What is the only data format permitted with the SOAP API?

    • HTML
    • SAML
    • XSML
    • XML

    Explanation:
    The SOAP protocol only supports the XML data format.

  7. Which data formats are most commonly used with the REST API?

    • JSON and SAML
    • XML and SAML
    • XML and JSON
    • SAML and HTML

    Explanation:
    JavaScript Object Notation (JSON) and Extensible Markup Language (XML) are the most commonly used data formats for the Representational State Transfer (REST) API, and are typically implemented with caching for increased scalability and performance.

  8. Which of the following threat types involves an application that does not validate authorization for portions of itself after the initial checks?

    • Injection
    • Missing function-level access control
    • Cross-site request forgery
    • Cross-site scripting

    Explanation:
    It is imperative that an application perform checks when each function or portion of the application is accessed, to ensure that the user is properly authorized to access it. Without continual checks each time a function is accessed, an attacker could forge requests to access portions of the application where authorization has not been granted.

  9. Which of the following roles involves overseeing billing, purchasing, and requesting audit reports for an organization within a cloud environment?

    • Cloud service user
    • Cloud service business manager
    • Cloud service administrator
    • Cloud service integrator

    Explanation:
    The cloud service business manager is responsible for overseeing business and billing administration, purchasing cloud services, and requesting audit reports when necessary.

  10. What is the biggest concern with hosting a key management system outside of the cloud environment?

    • Confidentiality
    • Portability
    • Availability
    • Integrity

    Explanation:
    When a key management system is outside of the cloud environment hosting the application, availability is a primary concern because any access issues with the encryption keys will render the entire application unusable.

  11. Which of the following approaches would NOT be considered sufficient to meet the requirements of secure data destruction within a cloud environment?

    • Cryptographic erasure
    • Zeroing
    • Overwriting
    • Deletion

    Explanation:
    Deletion merely removes the pointers to data on a system; it does nothing to actually remove and sanitize the data. As such, the data remains in a recoverable state, and more secure methods are needed to ensure it has been destroyed and is not recoverable by another party.

  12. Which of the following cloud aspects complicates eDiscovery?

    • Resource pooling
    • On-demand self-service
    • Multitenancy
    • Measured service

    Explanation:
    With multitenancy, eDiscovery becomes more complicated because the data collection involves extra steps to ensure that only those customers or systems that are within scope are turned over to the requesting authority.

  13. What does the management plane typically utilize to perform administrative functions on the hypervisors that it has access to?

    • Scripts
    • RDP
    • APIs
    • XML

    Explanation:
    The functions of the management plane are typically exposed as a series of remote calls and function executions and as a set of APIs. These APIs are typically leveraged through either a client or a web portal, with the latter being the most common.

  14. What is a serious complication an organization faces from the perspective of compliance with international operations?

    • Different certifications
    • Multiple jurisdictions
    • Different capabilities
    • Different operational procedures

    Explanation:
    When operating within a global framework, a security professional runs into a multitude of jurisdictions and requirements, and many times they might be in contention with one another or not clearly applicable. These requirements can include the location of the users and the type of data they enter into systems, the laws governing the organization that owns the application and any regulatory requirements they may have, as well as the appropriate laws and regulations for the jurisdiction housing the IT resources and where the data is actually stored, which might be multiple jurisdictions as well.

  15. Which networking concept in a cloud environment allows for network segregation and isolation of IP spaces?

    • PLAN
    • WAN
    • LAN
    • VLAN

    Explanation:
    A virtual local area network (VLAN) allows the logical separation and isolation of networks and IP spaces to provide enhanced security and controls.

  16. Which of the following standards primarily pertains to cabling designs and setups in a data center?

    • IDCA
    • BICSI
    • NFPA
    • Uptime Institute

    Explanation:
    The standards put out by Building Industry Consulting Service International (BICSI) primarily cover complex cabling designs and setups for data centers, but also include specifications on power, energy efficiency, and hot/cold aisle setups.

  17. Which of the following publishes the most commonly used standard for data center design in regard to tiers and topologies?

    • IDCA
    • Uptime Institute
    • NFPA
    • BICSI

    Explanation:
    The Uptime Institute publishes the most commonly used and widely known standard on data center tiers and topologies. It is based on a series of four tiers, with each progressive increase in number representing more stringent, reliable, and redundant systems for security, connectivity, fault tolerance, redundancy, and cooling.

  18. What type of segregation and separation of resources is needed within a cloud environment for multitenancy purposes versus a traditional data center model?

    • Virtual
    • Security
    • Physical
    • Logical

    Explanation:
    Cloud environments lack the ability to physically separate resources like a traditional data center can. To compensate, cloud computing employs logical segregation concepts. These include VLANs, sandboxing, and the use of virtual network devices such as firewalls.

  19. Which United States law is focused on data related to health records and privacy?

    • Safe Harbor
    • SOX
    • GLBA
    • HIPAA

    Explanation:
    The Health Insurance Portability and Accountability Act (HIPAA) requires the U.S. Federal Department of Health and Human Services to publish and enforce regulations pertaining to electronic health records and identifiers between patients, providers, and insurance companies. It is focused on the security controls and confidentiality of medical records, rather than the specific technologies used, so long as they meet the requirements of the regulations.

  20. What is used for local, physical access to hardware within a data center?

    • SSH
    • KVM
    • VPN
    • RDP

    Explanation:
    Local, physical access in a data center is done via KVM (keyboard, video, mouse) switches.