CCSP : Certified Cloud Security Professional (CCSP) : Part 15

  1. You were recently hired as a project manager at a major university to implement cloud services for the academic and administrative systems. Because the load and demand for services at a university are very cyclical in nature, commensurate with the academic calendar, which of the following aspects of cloud computing would NOT be a primary benefit to you?

    • Measured service
    • Broad network access
    • Resource pooling
    • On-demand self-service

    Explanation:
Broad network access, although an essential characteristic of cloud computing, would not be a specific benefit to an organization with cyclical demand; it only means the service is reachable over standard networks from a variety of clients. The other three options are what let a customer pay less during periods of low usage and expand quickly for peak periods such as registration or finals. Measured service means the customer pays only for the resources it actually consumes at a given time, resource pooling lets the customer draw on the provider's shared capacity as needed, and on-demand self-service lets the customer change its provisioned resources itself, without interacting with the provider's staff.

  2. Which cloud deployment model is MOST likely to offer free or very cheap services to users?

    • Hybrid
    • Community
    • Public
    • Private
    Explanation:
    Public clouds offer services to anyone, regardless of affiliation, and are the most likely to offer free services to users. Examples of public clouds with free services include iCloud, Dropbox, and OneDrive. Private cloud models are designed for specific customers and for their needs, and would not offer services to the public at large, for free or otherwise. A community cloud is specific to a group of similar organizations and would not offer free or widely available public services. A hybrid cloud model would not fit the specifics of the question.
  3. Where is a DLP solution generally installed when utilized for monitoring data in transit?

    • Network perimeter
    • Database server
    • Application server
    • Web server
    Explanation:
    To monitor data in transit, a DLP solution would optimally be installed at the network perimeter, to ensure that data leaving the network through various protocols conforms to security controls and policies. An application server or a web server would be more appropriate for monitoring data in use, and a database server would be an example of a location appropriate for monitoring data at rest.
  4. With IaaS, what is responsible for handling the security and control over the volume storage space?

    • Management plane
    • Operating system
    • Application
    • Hypervisor
    Explanation:
    Volume storage is allocated via a LUN to a system and then treated the same as any traditional storage. The operating system is responsible for formatting and securing volume storage as well as controlling all access to it. Applications, although they may use volume storage and have permissions to write to it, are not responsible for its formatting and security. Both a hypervisor and the management plane are outside of an individual system and are not responsible for managing the files and storage within that system.
  5. Configurations and policies for a system can come from a variety of sources and take a variety of formats. Which concept pertains to the application of a set of configurations and policies that is applied to all systems or a class of systems?

    • Hardening
    • Leveling
    • Baselines
    • Standards
    Explanation:
Baselines are a set of configurations and policies applied to all new systems, or to a class of systems, and they serve as the basis on which other services are deployed. Although standards often form the basis for baselines, "standards" is not the term that applies here. Hardening is the process of securing a system, often through the application of baselines. Leveling is not a term used in this context.
  6. Which of the following tasks within a SaaS environment would NOT be something the cloud customer would be responsible for?

    • Authentication mechanism
    • Branding
    • Training
    • User access
    Explanation:
    The authentication mechanisms and implementations are the responsibility of the cloud provider because they are core components of the application platform and service. Within a SaaS implementation, the cloud customer will provision user access, deploy branding to the application interface (typically), and provide or procure training for its users.
  7. An SLA contains the official requirements for contract performance and satisfaction between the cloud provider and cloud customer.

    Which of the following would NOT be a component with measurable metrics and requirements as part of an SLA?

    • Network
    • Users
    • Memory
    • CPU
    Explanation:
    Dealing with users or user access would not be an appropriate item for inclusion in an SLA specifically. However, user access and user experience would be covered indirectly through other metrics. Memory, CPU, and network resources are all typically included within an SLA for availability and response times when dealing with any incidents.
  8. Within a federated identity system, which of the following would you be MOST likely to use for sending information for consumption by a relying party?

    • XML
    • HTML
    • WS-Federation
    • SAML
    Explanation:
The Security Assertion Markup Language (SAML) is the most widely used method for encoding and sending attributes and other information from an identity provider to a relying party. WS-Federation, which is used by Active Directory Federation Services (ADFS), is the second most used method for sending information to a relying party, but it is not a better choice than SAML. SAML assertions are themselves XML documents, but plain XML is only a data format; it lacks the schema, bindings, and profiles that SAML defines for assertions. HTML is a presentation format and is not used to encode identity information within federated systems.
  9. Which data state would be most likely to use digital signatures as a security protection mechanism?

    • Data in use
    • Data in transit
    • Archived
    • Data at rest
    Explanation:
In the data-in-use state the information has already been read from storage and handed to the service, so the protections that applied at rest and in transit no longer cover it; digital signatures let the consuming system verify the integrity and origin of the data it is operating on, complementing the controls used during the earlier states. Data in transit relies on technologies such as TLS to encrypt network transmission. Data at rest primarily relies on encryption of stored objects and files. Archived data is treated the same as data at rest.
  10. There is a large gap between the privacy laws of the United States and those of the European Union. Bridging this gap is necessary for American companies to do business with European companies and in European markets in many situations, as the American companies are required to comply with the stricter requirements.

    Which US program was designed to help companies overcome these differences?

    • SOX
    • HIPAA
    • GLBA
    • Safe Harbor
    Explanation:
The Safe Harbor framework was developed by the US Department of Commerce, in consultation with the European Commission, as a way to bridge the gap between the privacy regulations of the European Union and those of the United States. Because the US lacks comprehensive federal privacy legislation, European privacy rules generally prohibit exporting PII from Europe to the United States unless adequate protection is assured. Participation in Safe Harbor was voluntary on the part of US organizations; participants had to self-certify compliance with a set of principles mirroring the EU requirements, which could then satisfy the EU conditions for data sharing and export and allow American businesses to serve customers in the EU. Note that the Court of Justice of the European Union invalidated Safe Harbor in 2015; it was succeeded by the EU-US Privacy Shield (invalidated in 2020) and then by the EU-US Data Privacy Framework (2023), but Safe Harbor remains the answer the question is asking for. The Health Insurance Portability and Accountability Act (HIPAA) pertains to the protection of patient medical records and privacy. The Gramm-Leach-Bliley Act (GLBA) focuses on the use of PII within financial institutions. The Sarbanes-Oxley Act (SOX) regulates the financial and accounting practices of organizations in order to protect shareholders from improper practices and errors.
  11. Audits are either done based on the status of a system or application at a specific time or done as a study over a period of time that takes into account changes and processes.

    Which of the following pairs matches an audit type that is done over time, along with the minimum span of time necessary for it?

    • SOC Type 2, one year
    • SOC Type 1, one year
    • SOC Type 2, one month
    • SOC Type 2, six months
    Explanation:
Type 2 SOC audits examine controls over a period of time, with six months being the conventional minimum duration. Type 1 SOC audits are scoped to a static point in time, and the other durations given for Type 2 are incorrect.
  12. With software-defined networking (SDN), which two types of network operations are segregated to allow for granularity and delegation of administrative access and functions?

    • Filtering and forwarding
    • Filtering and firewalling
    • Firewalling and forwarding
    • Forwarding and protocol
    Explanation:
With SDN, the filtering and forwarding capabilities, and their administration, are separated. In SDN terminology this is the split between the control plane, where filtering and routing decisions are defined, and the data plane, which forwards packets according to those decisions. The separation allows the cloud provider to build interfaces and management tools for delegating filtering configuration to customers without granting direct access to the underlying network equipment. Firewalling and protocols are both network terms, but they are not the operations that SDN separates.
  13. Along with humidity, temperature is crucial to a data center for optimal operations and protection of equipment.

    Which of the following is the optimal temperature range as set by ASHRAE?

    • 69.8 to 86.0 degrees Fahrenheit (21 to 30 degrees Celsius)
    • 51.8 to 66.2 degrees Fahrenheit (11 to 19 degrees Celsius)
    • 64.4 to 80.6 degrees Fahrenheit (18 to 27 degrees Celsius)
    • 44.6 to 60.8 degrees Fahrenheit (7 to 16 degrees Celsius)
    Explanation:
The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) recommends 64.4 to 80.6 degrees Fahrenheit (18 to 27 degrees Celsius) as the optimal temperature range for data centers. None of the other options is the ASHRAE recommendation.
  14. Which of the following statements best describes a Type 1 hypervisor?

    • The hypervisor software runs within an operating system tied to the hardware.
    • The hypervisor software runs as a client on a server and needs an external service to administer it.
    • The hypervisor software runs on top of an application layer.
    • The hypervisor software runs directly on “bare metal” without an intermediary.
    Explanation:
With a Type 1 hypervisor, the hypervisor software runs directly on the bare-metal hardware, without any intermediary layer or hosting operating system. A hypervisor that runs within an operating system tied to the hardware is a Type 2 hypervisor; none of the other statements describes a Type 1 hypervisor.
  15. Which cloud storage type resembles a virtual hard drive and can be utilized in the same manner and with the same type of features and capabilities?

    • Volume
    • Unstructured
    • Structured
    • Object
    Explanation:
    Volume storage is allocated and mounted as a virtual hard drive within IaaS implementations, and it can be maintained and used the same way a traditional file system can. Object storage uses a flat structure on remote services that is accessed via opaque descriptors, structured storage resembles database storage, and unstructured storage is used to hold auxiliary files in conjunction with applications hosted within a PaaS implementation.
  16. Which aspect of SaaS will alleviate much of the time and energy organizations spend on compliance (specifically baselines)?

    • Maintenance
    • Licensing
    • Standardization
    • Development
    Explanation:
With the entire software platform controlled by the cloud provider, the standardization of configurations and versions is done automatically for the cloud customer. This removes the customer's need to track upgrades and releases for its own systems; the onus is on the cloud provider. Licensing, which under SaaS is bundled into the customer's subscription with the provider, does not affect compliance requirements. Within SaaS, development and maintenance of the system are solely the responsibility of the cloud provider.
  17. Many tools and technologies are available for securing or monitoring data in transit within a data center, whether it is a traditional data center or a cloud.

    Which of the following is NOT a technology for securing data in transit?

    • VPN
    • TLS
    • DNSSEC
    • HTTPS
    Explanation:
DNSSEC is an extension of the DNS protocol that lets a resolver verify the integrity and authenticity of a DNS response: records are signed by the authoritative zone and the resolver validates the chain of signatures up to the root. It protects the name lookup, not the data subsequently exchanged, so it provides neither confidentiality nor integrity for the transmission itself. HTTPS is the most common method for securing web service and data calls within a cloud; it is simply HTTP carried over TLS, which is the current standard for encrypting application traffic. VPNs are widely used for securing data transmissions and service access.
  18. With a federated identity system, where would a user perform their authentication when requesting services or application access?

    • Cloud provider
    • The application
    • Their home organization
    • Third-party authentication system
    Explanation:
    With a federated identity system, a user will perform authentication with their home organization, and the application will accept the authentication tokens and user information from the identity provider in order to grant access. The purpose of a federated system is to allow users to authenticate from their home organization. Therefore, using the application or a third-party authentication system would be contrary to the purpose of a federated system because it necessitates the creation of additional accounts. The use of a cloud provider would not be relevant to the operations of a federated system.
  19. Where is an XML firewall most commonly and effectively deployed in the environment?

    • Between the application and data layers
    • Between the presentation and application layers
    • Between the IPS and firewall
    • Between the firewall and application server
    Explanation:
An XML firewall is most commonly deployed in line between the network firewall and the application server, so that it can validate XML before the content reaches the application. Placing it between the presentation and application layers, between the firewall and the IPS, or between the application and data layers would not serve that purpose, because in each of those positions the XML would either not yet be separated from other traffic or would already have reached the application.
  20. Modern web service systems are designed for high availability and resiliency. Which concept pertains to the ability to detect problems within a system, environment, or application and programmatically invoke redundant systems or processes for mitigation?

    • Elasticity
    • Redundancy
    • Fault tolerance
    • Automation
    Explanation:
Fault tolerance allows a system to continue functioning, possibly with degraded performance, when portions of it fail or degrade, without the entire system or service being taken down. It involves detecting problems within a service and invoking compensating systems or functions to keep it operating. Redundancy is related, but it is focused on having additional copies of systems available, either active or passive, that can take over if one system goes down; fault tolerance is the mechanism that detects the failure and makes use of them. Elasticity pertains to the ability of a system to resize to meet demand and is not concerned with failures. Automation, and its role in maintaining large systems with minimal intervention, is not directly related to fault tolerance.
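The distinction the explanation draws, redundancy as the spare capacity and fault tolerance as the detection and programmatic switch-over, is easiest to see in a small failover client. The following is an added example, not code from the original page: backends are plain callables standing in for service endpoints, each guarded by a circuit breaker that counts consecutive failures, opens after a threshold so the failing backend is skipped, and half-opens after a cooldown to probe for recovery. The backend names, thresholds, and the scripted outage in `simulate` are assumptions made for illustration; the clock is injectable so the run is deterministic.

```python
"""Fault tolerance: detect a failing component and programmatically fail over.

Added example, not from the original page. A Breaker wraps one backend and
tracks its health; FaultTolerantService tries backends in order, skipping any
whose breaker is open, so a dead primary is bypassed without taking the
service down, and is put back in rotation once a probe call succeeds.
"""
import time


class Breaker:
    """Circuit breaker for one backend (a callable)."""

    def __init__(self, name, call, threshold=3, cooldown=30.0, clock=time.monotonic):
        self.name = name
        self.call = call
        self.threshold = threshold      # consecutive failures before opening
        self.cooldown = cooldown        # seconds to wait before probing again
        self.clock = clock
        self.failures = 0
        self.opened_at = None           # None means closed (healthy)

    def available(self) -> bool:
        # Closed: in service. Open: skip until the cooldown elapses, after
        # which one probe call is allowed through (half-open).
        if self.opened_at is None:
            return True
        return self.clock() - self.opened_at >= self.cooldown

    def invoke(self, *args):
        try:
            result = self.call(*args)
        except Exception:
            self.failures += 1
            if self.failures >= self.threshold:
                self.opened_at = self.clock()
            raise
        self.failures = 0               # success closes the breaker again
        self.opened_at = None
        return result


class FaultTolerantService:
    """Try backends in order, skipping ones whose breaker is open."""

    def __init__(self, breakers):
        self.breakers = breakers
        self.log = []

    def request(self, *args):
        last_error = None
        for b in self.breakers:
            if not b.available():
                self.log.append("skip %s: breaker open" % b.name)
                continue
            try:
                result = b.invoke(*args)
                self.log.append("served by %s" % b.name)
                return result
            except Exception as e:
                last_error = e
                self.log.append("%s failed: %s" % (b.name, e))
        raise RuntimeError("all backends failed") from last_error


def simulate() -> list:
    """Constructed scenario: primary goes down, traffic fails over, primary recovers."""
    now = [0.0]                         # fake monotonic clock, advanced by hand
    primary_up = [False]

    def primary(x):
        if not primary_up[0]:
            raise ConnectionError("primary unreachable")
        return "primary:%d" % x

    def secondary(x):
        return "secondary:%d" % x

    svc = FaultTolerantService([
        Breaker("primary", primary, threshold=2, cooldown=10.0, clock=lambda: now[0]),
        Breaker("secondary", secondary, threshold=2, cooldown=10.0, clock=lambda: now[0]),
    ])
    served = []
    for i in range(3):                  # primary down: every call fails over
        served.append(svc.request(i))
        now[0] += 1
    primary_up[0] = True                # primary recovers, but its breaker is still open
    served.append(svc.request(3))
    now[0] += 10                        # cooldown passes: probe succeeds, back on primary
    served.append(svc.request(4))
    return served


if __name__ == "__main__":
    print(simulate())
```

The third and fourth calls are the point of the breaker: once the primary has been seen failing, the service stops paying the cost of a failed attempt on every request and goes straight to the redundant backend, then re-checks the primary only after the cooldown.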