CCSP : Certified Cloud Security Professional (CCSP) : Part 05

  1. Which aspect of archiving must be tested regularly for the duration of retention requirements?

    • Availability
    • Recoverability
    • Auditability
    • Portability

    Explanation: 
    In order for any archiving system to be deemed useful and compliant, regular tests must be performed to ensure the data can still be recovered and accessible, should it ever be needed, for the duration of the retention requirements.

  2. Which of the following represents a minimum guaranteed resource within a cloud environment for the cloud customer?

    • Reservation
    • Share
    • Limit
    • Provision
    Explanation:
    A reservation is a minimum resource that is guaranteed to a customer within a cloud environment. Within a cloud, a reservation can pertain to the two main aspects of computing: memory and processor. With a reservation in place, the cloud provider guarantees that a cloud customer will always have at minimum the necessary resources available to power on and operate any of their services.
  3. When is a virtual machine susceptible to attacks while a physical server in the same state would not be?

    • When it is behind a WAF
    • When it is behind an IPS
    • When it is not patched
    • When it is powered off
    Explanation: 
A virtual machine is ultimately an image file residing on a file system. Because of this, even when a virtual machine is “powered off,” its disk image can still be read, copied, or modified by anyone with access to the underlying storage, so it remains susceptible to attack. A physical server that is powered off is not exposed to attacks in this way.
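
Because a powered-off guest is just a file, a practitioner will want a check that detects offline tampering with disk images. The script below is an added example, not part of the original question set: it baselines SHA-256 digests of image files and reports anything modified, missing, or new. The directory, file names, and file contents are constructed for the demo; the image suffixes are an assumption about the platform in use.

```python
# Added example (not from the original page): a powered-off VM is still a
# disk-image file on the host's file system, so anyone with access to that
# storage can read or alter it. This script baselines SHA-256 digests of
# image files and later reports images that changed, appeared or vanished.
# Paths, file names and contents below are constructed for the demo.
import hashlib
import json
import os
import tempfile

IMAGE_SUFFIXES = (".vmdk", ".qcow2", ".vhdx", ".img")   # assumed image types


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-GB images are never loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(image_dir: str) -> dict:
    """Map each image file name in the directory to its digest."""
    return {
        name: sha256_of(os.path.join(image_dir, name))
        for name in sorted(os.listdir(image_dir))
        if name.endswith(IMAGE_SUFFIXES)
    }


def verify(image_dir: str, saved: dict) -> dict:
    """Compare the directory against a previously saved baseline."""
    current = baseline(image_dir)
    return {
        "modified": sorted(n for n in saved if n in current and current[n] != saved[n]),
        "missing": sorted(n for n in saved if n not in current),
        "new": sorted(n for n in current if n not in saved),
    }


def demo() -> dict:
    """Create two fake images, baseline them, then tamper with them offline."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("web01.qcow2", "db01.vmdk"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\x00" * 4096)          # stand-in for a disk image
        saved = baseline(d)
        with open(os.path.join(d, "baseline.json"), "w") as f:
            json.dump(saved, f)                  # persist the baseline

        # Someone with storage access edits the "powered-off" guest's disk
        # and deletes another image; neither guest was ever booted.
        with open(os.path.join(d, "web01.qcow2"), "r+b") as f:
            f.seek(512)
            f.write(b"/etc/cron.d/backdoor")
        os.remove(os.path.join(d, "db01.vmdk"))

        return verify(d, saved)


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be written to storage the hypervisor hosts cannot modify and compared from a separate job, otherwise an attacker with host access can rewrite the baseline along with the image.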
  4. Which of the following threat types involves an application developer leaving references to internal information and configurations in code that is exposed to the client?

    • Sensitive data exposure
    • Security misconfiguration
    • Insecure direct object references
    • Unvalidated redirect and forwards
    Explanation: 
An insecure direct object reference occurs when a developer has in their code a reference to something on the application side, such as a database key, the directory structure of the application, configuration information about the hosting system, or any other information that pertains to the workings of the application that should not be exposed to users or the network. Unvalidated redirects and forwards occur when an application has functions to forward users to other sites, and these functions are not properly secured to validate the data and redirect requests, allowing spoofing for malware or phishing attacks. Sensitive data exposure occurs when an application does not use sufficient encryption and other security controls to protect sensitive application data. Security misconfigurations occur when applications and systems are not properly configured or maintained in a secure manner.
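
The following is an added example, not code from the original page, showing the two threat types the explanation describes in a vulnerable form beside a hardened form: an object lookup keyed directly on a client-supplied id with no ownership check, and a redirect that follows whatever the client passes in. The invoice records, user names, and allow-listed host names are constructed for the demo; no web framework is needed.

```python
# Added example (not from the original page): the insecure direct object
# reference and the unvalidated redirect described above, each shown in a
# vulnerable form beside a hardened form. The record store, users and host
# names are constructed for the demo.
from urllib.parse import urlparse

# Constructed data: invoice ids are sequential, which is what makes guessing easy.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 9800.00},
}
ALLOWED_REDIRECT_HOSTS = {"app.example.com", "help.example.com"}   # assumed


def get_invoice_vulnerable(current_user: str, invoice_id: int):
    """IDOR: the id from the request is used as-is with no ownership check,
    so bob can read alice's invoice by changing 1002 to 1001 in the URL."""
    return INVOICES.get(invoice_id)


def get_invoice_secure(current_user: str, invoice_id: int):
    """Authorise the object, not just the endpoint: the caller must own it."""
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != current_user:
        return None          # respond identically for 'absent' and 'forbidden'
    return record


def redirect_target_vulnerable(next_url: str) -> str:
    """Open redirect: whatever ?next= contains is handed back to the browser."""
    return next_url


def redirect_target_secure(next_url: str, fallback: str = "https://app.example.com/") -> str:
    """Only follow same-site relative paths or HTTPS URLs on an allow-listed host."""
    if "\\" in next_url:
        return fallback                  # browsers may treat "\" as "/"; refuse it
    parsed = urlparse(next_url)
    if not parsed.scheme and not parsed.netloc and next_url.startswith("/") \
            and not next_url.startswith("//"):
        return next_url                  # relative path on this site
    if parsed.scheme == "https" and parsed.hostname in ALLOWED_REDIRECT_HOSTS:
        return next_url                  # hostname, not netloc, defeats user@host tricks
    return fallback


if __name__ == "__main__":
    print(get_invoice_vulnerable("bob", 1001))    # leaks alice's record
    print(get_invoice_secure("bob", 1001))        # None
    print(redirect_target_secure("https://app.example.com@evil.example.net/"))
```

Note that `parsed.hostname` is compared rather than `parsed.netloc`: the latter would accept `https://app.example.com@evil.example.net/`, where the allow-listed name is only the userinfo part of the URL.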
  5. Which of the following is the biggest concern or challenge with using encryption?

    • Dependence on keys
    • Cipher strength
    • Efficiency
    • Protocol standards
    Explanation: 
No matter what kind of application, system, or hosting model is used, encryption is 100 percent dependent on encryption keys. Properly securing the keys and the exchange of them is the biggest and most important challenge of encryption systems.
  6. Which of the following would NOT be considered part of resource pooling with an Infrastructure as a Service implementation?

    • Storage
    • Application
    • Memory
    • CPU
    Explanation: 
    Infrastructure as a Service pools the compute resources for platforms and applications to build upon, including CPU, memory, and storage. Applications are not part of an IaaS offering from the cloud provider.
  7. Which technology is NOT commonly used for security with data in transit?

    • DNSSEC
    • IPsec
    • VPN
    • HTTPS
    Explanation: 
    DNSSEC relates to the integrity of DNS resolutions and the prevention of spoofing or redirection, and does not pertain to the actual security of transmissions or the protection of data.
  8. Which of the following roles is responsible for gathering metrics on cloud services and managing cloud deployments and the deployment processes?

    • Cloud service business manager
    • Cloud service operations manager
    • Cloud service manager
    • Cloud service deployment manager
    Explanation: 
    The cloud service deployment manager is responsible for gathering metrics on cloud services, managing cloud deployments and the deployment process, and defining the environments and processes.
  9. Which of the following is considered an external redundancy for a data center?

    • Power feeds to rack
    • Generators
    • Power distribution units
    • Storage systems
    Explanation: 
    Generators are considered an external redundancy to a data center. Power distribution units (PDUs), storage systems, and power feeds to racks are all internal to a data center, and as such they are considered internal redundancies.
  10. Which of the following is the optimal humidity level for a data center, per the guidelines established by the American Society of Heating, Refrigerating, and Air-Conditioning Engineers (ASHRAE)?

    • 30-50 percent relative humidity
    • 50-75 percent relative humidity
    • 20-40 percent relative humidity
    • 40-60 percent relative humidity
    Explanation: 
    The guidelines from ASHRAE establish 40-60 percent relative humidity as optimal for a data center.
  11. What is the first stage of the cloud data lifecycle where security controls can be implemented?

    • Use
    • Store
    • Share
    • Create
    Explanation: 
    The “store” phase of the cloud data lifecycle, which typically occurs simultaneously with the “create” phase, or immediately thereafter, is the first phase where security controls can be implemented. In most cases, the manner in which the data is stored will be based on its classification.
  12. What controls the formatting and security settings of a volume storage system within a cloud environment?

    • Management plane
    • SAN host controller
    • Hypervisor
    • Operating system of the host
    Explanation: 
    Once a storage LUN is allocated to a virtual machine, the operating system of that virtual machine will format, manage, and control the file system and security of the data on that LUN.
  13. What does SDN stand for within a cloud environment?

    • Software-dynamic networking
    • Software-defined networking
    • Software-dependent networking
    • System-dynamic nodes
    Explanation: 
    Software-defined networking separates the control plane, which decides how traffic is filtered and forwarded, from the data plane that actually forwards packets, so network administration is handled in software rather than tied to individual devices and can be distributed across the environment.
  14. From a legal perspective, what is the most important first step after an eDiscovery order has been received by the cloud provider?

    • Notification
    • Key identification
    • Data collection
    • Virtual image snapshots
    Explanation: 
    The contract should include requirements for notification by the cloud provider to the cloud customer upon the receipt of such an order. This serves a few important purposes. First, it keeps communication and trust open between the cloud provider and cloud customers. Second, and more importantly, it allows the cloud customer to potentially challenge the order if they feel they have the grounds or desire to do so.
  15. Which of the following would make it more likely that a cloud provider would be unwilling to satisfy specific certification requirements?

    • Resource pooling
    • Virtualization
    • Multitenancy
    • Regulation
    Explanation: 
    With cloud providers hosting a number of different customers, it would be impractical for them to pursue additional certifications based on the needs of a specific customer. Cloud environments are built to a common denominator to serve the greatest number of customers, and especially within a public cloud model, it is not possible or practical for a cloud provider to alter their services for specific customer demands.
  16. Which of the following pertains to fire safety standards within a data center, specifically with their enormous electrical consumption?

    • NFPA
    • BICSI
    • IDCA
    • Uptime Institute
    Explanation: 
    The standards put out by the National Fire Protection Association (NFPA) cover general fire protection best practices for any type of facility, but also specific publications pertaining to IT equipment and data centers.
  17. Which of the following roles involves the connection and integration of existing systems and services to a cloud environment?

    • Cloud service business manager
    • Cloud service user
    • Cloud service administrator
    • Cloud service integrator
    Explanation: 
    The cloud service integrator is the official role that involves connecting and integrating existing systems and services with a cloud environment. This may involve moving services into a cloud environment, or connecting to external cloud services and capabilities from traditional data center-hosted services.
  18. Which technique involves replacing values within a specific data field to protect sensitive data?

    • Anonymization
    • Masking
    • Tokenization
    • Obfuscation
    Explanation: 
    Masking involves replacing specific data within a data set with new values. For example, with credit card fields, as most who have ever purchased anything online can attest, nearly the entire credit card number is masked with a character such as an asterisk, with the last four digits left visible for identification and confirmation.
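
As an added example, not code from the original page, the functions below implement the credit-card masking the explanation describes and place it beside tokenization so the difference between those two answer options is visible: masking overwrites digits in place and is one-way, while tokenization swaps the value for a random surrogate that only a protected vault can map back. The card numbers are constructed test values and the in-memory dictionary stands in for a real token vault.

```python
# Added example (not from the original page): field-level masking of a
# primary account number, shown next to tokenization. Card numbers below
# are constructed test values; the dict is a stand-in for a token vault.
import re
import secrets
from typing import Dict, Optional

DIGIT = re.compile(r"\d")


def mask_pan(pan: str, visible: int = 4, mask_char: str = "*") -> str:
    """Replace every digit except the last `visible` with mask_char,
    keeping spaces/dashes so the masked value still lines up on screen."""
    digits = [m.start() for m in DIGIT.finditer(pan)]
    n_hide = len(digits) - visible
    if n_hide <= 0:
        n_hide = len(digits)             # too short to show a tail: mask everything
    hide = set(digits[:n_hide])
    return "".join(mask_char if i in hide else ch for i, ch in enumerate(pan))


class TokenVault:
    """Tokenization: a surrogate goes to the application, the real value
    is held only inside the vault, and detokenizing needs vault access."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._by_value:      # same input, same token (keeps joins working)
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(8)   # random, not derived from the value
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._by_token.get(token)


def demo() -> dict:
    """Mask one constructed PAN and round-trip it through the vault."""
    pan = "4111 1111 1111 1111"
    vault = TokenVault()
    token = vault.tokenize(pan)
    return {
        "masked": mask_pan(pan),
        "token_is_surrogate": token.startswith("tok_") and pan not in token,
        "round_trip_ok": vault.detokenize(token) == pan,
    }


if __name__ == "__main__":
    print(demo())
```

Masked values are safe to display or log because the original cannot be recovered from them; tokens are safe to store in systems outside the cardholder-data environment only as long as the vault itself is kept out of reach.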
  19. What expectation of data custodians is made much more challenging by a cloud implementation, especially with PaaS or SaaS?

    • Data classification
    • Knowledge of systems
    • Access to data
    • Encryption requirements
    Explanation: 
    Under the Federal Rules of Civil Procedure, data custodians are assumed and expected to have full and comprehensive knowledge of the internal design and architecture of their systems. In a cloud environment, especially with PaaS and SaaS, it is impossible for the data custodian to have this knowledge because those systems are controlled by the cloud provider and protected as proprietary knowledge.
  20. What type of PII is controlled based on laws and carries legal penalties for noncompliance with requirements?

    • Contractual
    • Regulated
    • Specific
    • Jurisdictional
    Explanation: 
    Regulated PII involves those requirements put forth by specific laws or regulations, and unlike contractual PII, where a violation can lead to contractual penalties, a violation of regulated PII can lead to fines or even criminal charges in some jurisdictions. PII regulations can depend on either the jurisdiction that applies to the hosting location or application or specific legislation based on the industry or type of data used.