Managing Cloud Security Final Exam: Questions and Answers, Exams of Cybercrime, Cybersecurity and Data Privacy

A compilation of questions and answers related to a managing cloud security final exam. It covers key concepts such as cloud computing characteristics, service models (IaaS, PaaS, SaaS), deployment models (public, private, community, hybrid), risk management, and security controls. The questions address topics like standards, cloud bursting, vendor lock-in, cloud migration, and layered defense. It also includes definitions of important terms like cloud architect, data owner, and data custodian, making it a useful resource for exam preparation and understanding cloud security principles.

Typology: Exams

2025/2026

Available from 09/05/2025

bleeding-spear

WGU C838 MANAGING CLOUD SECURITY FINAL EXAM
OA QUESTIONS & ANSWERS LATEST
What are the 4 characteristics of cloud computing? - ANSWER>>Broad network access
On-demand services
Resource Pooling
Measured or "metered" service
What NIST publication number defines cloud computing? - ANSWER>>800-145
What ISO/IEC standard provides information on cloud computing? - ANSWER>>17788
What is another way of describing a functional business requirement? - ANSWER>>necessary
What is another way of describing a nonfunctional business requirement? - ANSWER>>not necessary
What is the greatest driver pushing orgs to the cloud? - ANSWER>>Cost savings
What is cloud bursting? - ANSWER>>Ability to increase available cloud resources on demand
What are 3 characteristics of cloud computing? - ANSWER>>Elasticity
Simplicity
Scalability
What is a cloud customer? - ANSWER>>Anyone purchasing cloud services

What is a cloud user? - ANSWER>>Anyone using cloud services
What are the three cloud computing service models? - ANSWER>>SaaS (Software as a Service)
PaaS (Platform as a Service)
IaaS (Infrastructure as a Service)
What is IaaS (Infrastructure as a Service)? - ANSWER>>Cloud provider provides all the physical capability and administration, while the customer is responsible for logical resources.
What is PaaS (Platform as a Service)? - ANSWER>>A cloud computing service that provides the hardware and the operating system and is responsible for updating and maintaining both.
What is SaaS (Software as a Service)? - ANSWER>>Cloud provider manages everything.
What are the four cloud deployment models? - ANSWER>>Public
Private
Community
Hybrid
What cloud model is owned by a single organization? - ANSWER>>Private
What cloud model is an arrangement of two or more cloud servers? - ANSWER>>Hybrid
What cloud model is a shared setup between orgs? - ANSWER>>Community

What is cloud migration? - ANSWER>>Process of transitioning part of a company's data or services from onsite premises to the cloud
What is cloud portability? - ANSWER>>Move applications and data between cloud providers
What offers a degree of assurance that nobody w/o authorization will be able to access others' data? - ANSWER>>Encryption
If a cloud customer wants a secure, isolated sandbox in order to conduct software development and testing, which cloud service model would probably be best? - ANSWER>>PaaS
What technology has NOT made cloud service viable? - ANSWER>>Smart hubs
What determines the critical paths, processes, and assets of an organization? - ANSWER>>BIA
Fully-operational environment with very little maintenance or administration necessary, which cloud service model would probably be best? - ANSWER>>PaaS
Customer is unable to recover or access their own data due to the cloud provider going into bankruptcy or otherwise leaving the market. - ANSWER>>Vendor lock-out
What are four examples of things to know to decide how to handle risks within an org? - ANSWER>>Inventory of all assets
Valuation of each asset
Critical paths, processes, and assets
Clear understanding of risk appetite

T/F: Assets are only tangible items. - ANSWER>>False. Assets are everything owned or controlled by an org.
The process of evaluating assets? - ANSWER>>Business Impact Analysis (BIA)
What is criticality? - ANSWER>>Something an org could not operate or exist without
What are 5 examples of criticality for an org? - ANSWER>>Tangible assets
Intangible assets
Processes
Data paths
Personnel
In risk, what is the avoidance method? - ANSWER>>Avoiding high risk
In risk, what is the acceptance method? - ANSWER>>Acceptable level of risk
In risk, what is an example of the avoidance method? - ANSWER>>Insurance
In risk, what is the mitigation method? - ANSWER>>Controls or countermeasures
Assets can be what? - ANSWER>>Tangible
Intangible
Personnel
What does Business Impact Analysis do? - ANSWER>>Defines which of the assets provide the intrinsic value of an organization.
What is risk appetite? - ANSWER>>Level, Amount, or Type of risk that an org finds acceptable

event logging access control enforcement
In cloud layered defense what is an example of physical controls? - ANSWER>>access to overall campus
In cloud layered defense what is an example of governance mechanisms? - ANSWER>>auditing
What are ways for securing devices in a datacenter? - ANSWER>>Guest accounts removed
no default passwords
systems are patched, maintained and updated
unused ports are closed
limited physical access
What is layered defense? - ANSWER>>The practice of having multiple overlapping means of securing the environment with a variety of methods
Who determines risk appetite? - ANSWER>>senior management
Experimental technology of processing encrypted data w/o decrypting it first? - ANSWER>>Homomorphic
T/F: Data owners remain legally responsible for all data they own - ANSWER>>True
What are four ways an org might categorize data? - ANSWER>>Regulatory compliance
business function
function unit
by project
What are three examples of classification? - ANSWER>>sensitivity
jurisdiction
criticality

What is a data owner? - ANSWER>>Collects or creates the data, and possesses the rights and responsibilities of the data
What is a data custodian? - ANSWER>>Manipulates, stores, or moves the data, and serves as a cloud provider
What is datamining? - ANSWER>>Data mining tries to automatically find interesting patterns in data using a plethora of technologies
What method would an org use to create categories based on which rules apply to a specific dataset? - ANSWER>>regulatory compliance
What method would an org have specific categories for different uses of data? - ANSWER>>business function
What would a department or office be called that has its own category and keeps all the data it controls? - ANSWER>>functional unit
What dataset is defined by projects? - ANSWER>>by project
What data discovery method is used when the discovery effort is considered in response to a mandate with a specific purpose? - ANSWER>>Label-based
What data discovery method is used to collect all matching data elements for a certain purpose? - ANSWER>>Metadata-based
What data discovery method is used to locate and identify specific kinds of data by delving into the datasets? - ANSWER>>Content-based
What data discovery method is used to create new data feeds from sets of data already existing within the environment? - ANSWER>>data analytics

What are trade secrets? - ANSWER>>Any form of knowledge or info that has economic value from not being known to others, or readily ascertainable by proper means and has been the subject of reasonable efforts by the owner to maintain secrecy
What are rudimentary reference checks? - ANSWER>>Content itself can automatically check for proper usage or ownership
What is the presence of licensed media? - ANSWER>>DRM engine on the media identifies the unique disk
What are online reference checks? - ANSWER>>Product key
What is support-based licensing? - ANSWER>>the need for continual help for content
What are local agent checks? - ANSWER>>Installed reference tool that checks the protected content against the user's license
What are four examples of conflicts that are posed while employing DRM to the cloud? - ANSWER>>API
Replication
Jurisdiction
Enterprise
What are six retention policies that should be included in data retention? - ANSWER>>retention periods
applicable regulation
retention formats
data classification
archiving and retrieval procedures
monitoring, maintenance, and enforcement

What are four legacy examples of data destruction? - ANSWER>>Physical destruction of media and hardware
degaussing
overwriting
Cryptoshredding
data retention policy: Retention period - ANSWER>>how long data should be kept
data retention policy: data classification - ANSWER>>how and when data should be categorized
data retention policy: retention format - ANSWER>>how data is archived and stored
data retention policy: applicable regulation - ANSWER>>senior management's decision to resolve conflict in policy
What is jurisdiction? - ANSWER>>geophysical location of the source or storage point of the data might have significant bearing on how that data is treated and handled
What is a data audit? - ANSWER>>A powerful tool to regularly review, inventory, and inspect usage and condition of the information that an organization owns.
What does copyright not protect? - ANSWER>>ideas, facts, titles, names, short phrases, blank forms
Who is the data processor in the cloud motif? - ANSWER>>Cloud provider
What isn't included in data labels? - ANSWER>>Data value
What is the intellectual property protection for the tangible expression of a creative idea? - ANSWER>>Copyright
What federal agency accepts applications for new patents? - ANSWER>>USPTO

data leaves active use and enters long-term storage - ANSWER>>archive
data is permanently removed using physical or digital means - ANSWER>>destroy
T/F: Archive phase is for short-term storage when planning security controls for the data - ANSWER>>False
T/F: Archive phase activities in the cloud will largely be driven by whether a user is using the same cloud provider for backups and its production environment - ANSWER>>True
T/F: In the archive phase, physical security of the data in short-term storage is also important - ANSWER>>False
T/F: In the archive phase, cryptography will, as with most data-related controls, be an essential consideration - ANSWER>>True
What is volume storage? - ANSWER>>allocates a storage space within the cloud; this storage space is represented as an attached drive to the user's virtual machine
What are two types of volume storage architecture? - ANSWER>>File
Block
Volume storage is associated with what infrastructure model? - ANSWER>>Infrastructure as a Service (IaaS)
What is object-based storage? - ANSWER>>Data is stored as objects
What is a database? - ANSWER>>Provides some sort of structure for stored data; it is backend storage in the datacenter, accessed by users utilizing online apps

What is a content delivery network? - ANSWER>>Acts as a form of data caching, usually near geophysical locations of high use demand, improves bandwidth and provides quality
What are three levels of encryption related to databases? - ANSWER>>File-level
Transparent
application-level
When the database is stored on a volume, what encryption type should be used? - ANSWER>>file-level
When wanting to encrypt the entire database or specific portions of it, what type of encryption should be used? - ANSWER>>transparent
When should application-level encryption be used with a database? - ANSWER>>compromised administrative accounts
other database and application-level attacks
What is tokenization? - ANSWER>>Practice of having two distinct databases: one with the live, actual sensitive data, and one with nonrepresentational tokens mapped to each piece of data
What are the four goals of Security Information and Event Management (SIEM)? - ANSWER>>Centralize collection of log data
enhanced analysis capabilities
dashboarding
automated response
What does DLP in egress monitoring stand for? - ANSWER>>data loss, leak prevention, and protection
What are the four major goals of DLP? - ANSWER>>Additional security
Policy Enforcement
Enhanced Monitoring

What is the practice of obscuring raw data where only a portion is displayed for operational purposes? - ANSWER>>Masking
What are third-party providers of IAM functions for the cloud environment? - ANSWER>>Cloud Access Security Broker (CASB)
T/F: The goals of DLP include elasticity - ANSWER>>False
T/F: Risk and responsibilities will be shared between the cloud provider and customer - ANSWER>>True
T/F: The customer is concerned with data, whereas the provider is concerned with security and operation - ANSWER>>True
T/F: The customer wants to refute control, deny insight, and refrain from disclosing any information used for malicious purpose - ANSWER>>False
T/F: The customer is legally liable for their data even if the provider was negligent. - ANSWER>>True
What is a private cloud? - ANSWER>>a cloud that is owned and operated by an organization for its own benefit.
What are 5 risks private cloud owners face? - ANSWER>>Personnel threats
Natural disasters
External attacks
regulatory noncompliance
malware
What are 3 risks associated with a community cloud? - ANSWER>>Resiliency through shared ownership
Access and control
lack of centralized standards

What are the 3 main issues with a public cloud? - ANSWER>>vendor lock-in
vendor lock-out
multitenant environments
What are 4 things to consider to avoid vendor lock-in? - ANSWER>>Ensure favorable contract terms for portability
Avoid proprietary formats
Ensure no physical limitations to moving
Check for regulatory constraints
What are 4 factors to consider to avoid vendor lock-out? - ANSWER>>Provider longevity
Core competency
Jurisdictional suitability
Supply chain dependencies
Legislative environment
What are 4 risks in a multitenant environment? - ANSWER>>Conflict of interest
Privilege escalation
Information bleed
Legal activity
What are 3 risks associated with Infrastructure as a Service (IaaS)? - ANSWER>>Personnel threats
External threats
Lack of specific skillsets
What are 4 risks associated with Platform as a Service (PaaS)? - ANSWER>>Interoperability issues
Persistent backdoors
Virtualization
Resource Sharing

What are some examples of cloud computing external threats? - ANSWER>>malware, hacking, man-in-the-middle
What is a personnel threat? - ANSWER>>Malicious or negligent insider who can cause negative impact, as they have physical access to the resources
What is resource sharing? - ANSWER>>Programs and instances run by the customer that will operate on the same devices used by other customers, sometimes simultaneously
What is an interoperability issue? - ANSWER>>Customer's software may not function properly with each new adjustment in the environment if the OS is updated by the provider
What is a data seizure? - ANSWER>>Legal activity that might result in a host machine being confiscated or inspected by law enforcement or plaintiffs' attorneys
What is guest escape? - ANSWER>>improperly designed or poorly configured hypervisor might allow for a user to leave the confines of their own virtualized instance
What is information bleed? - ANSWER>>Possibility that processing performed on one virtualized instance may be detected by other instances on the same host
What are three techniques to enhance the portability of data and avoid vendor lock-in? - ANSWER>>Favorable contract terms
Avoid proprietary data formats
No physical limitations to moving
What are six countermeasures against internal threats? - ANSWER>>Least privilege
mandatory vacation
separation of duties
skills and knowledge testing
extensive and comprehensive training programs
aggressive background checks

What are 3 countermeasures that can be applied to cloud operations against internal threats? - ANSWER>>DLP solutions
Financial penalties against the cloud provider's personnel
broad contractual protections
What are 3 dependencies that must be considered after cloud migration? - ANSWER>>The cloud provider's vendors, utilities, and suppliers
What 3 models are generally available for cloud BCDR? - ANSWER>>Private architecture, cloud backup
cloud provider, backup from same provider
cloud provider, backup from another cloud provider
T/F: After cloud migration and taking account new factors related to data breach impacts; Legal liability can't be transferred to the cloud provider - ANSWER>>True
What are three methods that can attenuate harm caused by privilege escalation? - ANSWER>>Automated analysis tools
Extensive access control and authentication tools and techniques
Analysis and review of all log data by trained, skilled personnel on a frequent basis
What word describes the general ease and efficiency of moving data from one provider to another? - ANSWER>>Portability
Whose responsibility involves infrastructure and physical security? - ANSWER>>cloud provider
Whose responsibility involves data security and governance? - ANSWER>>Enterprise