CCSK Certificate of Cloud Security Knowledge (v5.0) Questions and Answers

False

True

Building and properly configuring a secure network infrastructure

Configuring second factor authentication across the network

Properly configuring the deployment of the virtual network, especially the firewalls

Properly configuring the deployment of the virtual network, except the firewalls

Providing as many API endpoints as possible for custom access and configurations

Risk Impact

Domain

Control Specification

False

True

A library of data definitions

A group of entities which have decided to exist together in a single

cloud

Identities which share similar attributes

Several countries which have agreed to define their identities with

similar attributes

The connection of one identity repository to another

Rapid elasticity

Resource pooling

Broad network access

Measured service

On-demand self-service

Intrusion Prevention System

URL filters

Data Loss Prevention

Cloud Access and Security Brokers (CASB)

Database Activity Monitoring

VM communications may use a virtual network on the same hardware host

The guest OS can invoke stealth mode

Hypervisors depend upon multiple network interfaces

VM images can contain rootkits programmed to bypass firewalls

Most network security systems do not recognize encrypted VM traffic

More efficient and timely system updates

ISO 27001 certification

Provider can obfuscate system O/S and versions

Greater compatibility with customer IT infrastructure

Lock-In

Risk Impact

Domain

Control Specification

Platform-based Workload

Pod

Abstraction

Container

Virtual machine

The CCM columns are mapped to HIPAA/HITECH Act and therefore Health4Sure could verify the CCM controls already covered ad a result of their compliance with HIPPA/HITECH Act. They could then assess the remaining controls. This approach will save time.

The CCM domain controls are mapped to HIPAA/HITECH Act and therefore Health4Sure could verify the CCM controls already covered as a result of their compliance with HIPPA/HITECH Act. They could then assess the remaining controls thoroughly. This approach saves time while being able to assess the company’s overall security posture in an efficient manner.

The CCM domains are not mapped to HIPAA/HITECH Act. Therefore Health4Sure should assess the security posture of their cloud service against each and every control in the CCM. This approach will allow a thorough assessment of the security posture.

False

True

Improper management of VM instances, causing customer VMs to be commingled with other customer systems.

Looping within virtualized routing systems.

Lack of vulnerability management standards.

Using a compromised VM to exploit a hypervisor, used to take control of other VMs.

Instability in VM patch management causing VM routing errors.

Discovery

Custody

Subpoena

Risk Assessment

Scope

False

True

Infrastructure

Datastructure

Infostructure

Applistructure

Metastructure

Sales

Marketing

Legal counsel

Auditors

Accounting

The laws protecting customer data are based on the cloud provider and customer location only.

The confidentiality agreements between companies using cloud computing services is limited legally to the company, not the provider.

The companies using the cloud providers are the custodians of the data entrusted to them.

The cloud computing companies are absolved of all data security and associated risks through contracts and data laws.

The cloud computing companies own all customer data.

The process of specifying and maintaining access policies

Checking data storage to make sure it meets compliance requirements

Giving a third party vendor permission to work on your cloud solution

Establishing/asserting the identity to the application

Enforcing the rules by which access is granted to the resources

It reduces hardware costs

It provides dynamic and granular policies with less management overhead

It locks down access and provides stronger data security

It reduces the blast radius of a compromised system

It enables you to configure applications around business groups

Serverless computing

Virtual machineless

Abstraction

Container

Provider managed

Attributes belong to entities and identities belong to attributes. Each attribute can have multiple identities but only one entity.

An attribute is a unique object within a database. Each attribute it has a number of identities which help define its parameters.

An identity is a distinct and unique object within a particular namespace. Attributes are properties which belong to an identity. Each identity can have multiple attributes.

Attributes are made unique by their identities.

Identities are the network names given to servers. Attributes are the characteristics of each server.

Nothing. There are simply limitations around the data that can be logged in the cloud.

Ask the cloud provider to open more ports.

You can instrument the technology stack with your own logging.

Ask the cloud provider to close more ports.

Nothing. The cloud provider must make the information available.

Defining and maintaining the governance plan

Adherence to internal policies, laws, regulations, standards, and best practices

Implementing automation technologies to monitor the control implemented

Conducting regular penetration testing as stated in applicable laws and regulations

To reduce the number of network hops for log collection

To facilitate efficient central log collection

To use CSP's analysis tools for log analysis

To convert cloud logs into on-premise formats

To increase data transfer speeds within the cloud environment

To reduce the cost of cloud services

To ensure compliance, security, and efficient management aligned with the organization's goals

To eliminate the need for on-premises data centers

To automate the data encryption process across all cloud services

To reduce the overall cost of cloud storage solutions

To apply appropriate security controls based on asset sensitivity and importance

To increase the speed of data retrieval within the cloud environment

To create a separation between development and operations

To eliminate the need for IT operations by automating all tasks

To enhance collaboration between development and IT operations for efficient delivery

To reduce the development team size by merging roles

Limited deployment options

Manual management of resources

Automation of deployment and scaling

Increased hardware dependency

Optimizing cloud infrastructure performance

Managing user authentication for human access

Securely handling stored authentication credentials

Monitoring network traffic for security threats

To implement detailed procedural instructions for security measures

To organize control objectives for achieving desired security outcomes

To ensure compliance with all regulatory requirements

To provide tools for automated security management

Requires extensive on-premises infrastructure

Shifts more responsibility to cloud service providers

Increases workload for developers

Eliminates need for cloud service providers

A single deployment for all applications

Shared deployments for similar applications

Randomized deployment configurations

Multiple independent deployments for applications

Contracts

Shared Responsibility Model

Service Registry

Risk Register

High operational costs

Misconfigurations

Limited scalability

Complex deployment pipelines

Software as a Service (SaaS)

Database as a Service (DBaaS)

Platform as a Service (PaaS)

Infrastructure as a Service (IaaS)

Using access controls as the sole security measure

Encrypting all objects in the repository

Encrypting the access paths only

Encrypting only sensitive objects

Inability to monitor cloud infrastructure for threats

IAM failures

Lack of encryption for data at rest

Vulnerabilities in cloud provider's physical infrastructure

It identifies issues before full deployment, saving time and resources.

It increases the overall testing time and costs.

It allows skipping final verification tests.

It eliminates the need for continuous integration.

To reduce costs associated with physical hardware

To simplify the deployment of virtual machines

To quickly respond to evolving threats and changing infrastructure

To ensure high availability and load balancing

Through virtualization, with administrators allocating resources based on SLAs

Through abstraction and automation to distribute resources to customers

By allocating physical systems to a single customer at a time

Through manual configuration of resources for each user need

Notifying affected parties

Isolating affected systems

Restoring services to normal operations

Documenting lessons learned and improving future responses

Post-Incident Activity

Detection and Analysis

Preparation

Containment, Eradication, and Recovery

They represent the logging of different networking solutions, and DNS Logs are more suitable for a ZTA implementation

DNS Logs record domain name resolution requests and responses, while Flow Logs record info on source, destination, protocol

They play identical functions and can be used interchangeably

DNS Logs record all the information about the network behavior, including source, destination, and protocol, while Flow Logs record users' applications behavior

Reduces the need for security auditing

Enables consistent security configurations through automation

Increases manual control over security settings

Increases scalability of cloud resources

Enhancing data governance and compliance

Simplifying cloud service integrations

Increasing cloud data processing speed

Reducing the cost of cloud storage

Enhances security by supporting authorizations based on the current context and status

Reduces log analysis requirements

Simplifies regulatory compliance by using a single sign-on mechanism

These are required for proper implementation of RBAC

It solely focuses on user authentication improvements

It replaces existing network protocols with new proprietary ones

It filters traffic near user devices, reducing the need for backhauling

It requires all traffic to be sent through central data centers

Continuous Build, Integration, and Testing

Continuous Delivery and Deployment

Secure Design and Architecture

Secure Coding