CCSK Certificate of Cloud Security Knowledge (v5.0) Questions and Answers

Arbitrary contract termination by acquiring company

Resource isolation may fail

Provider may change physical location

Mass layoffs may occur

Non-binding agreements put at risk

Administrative access

Management plane

Identity and Access Management

Single sign-on

Cloud dashboard

You should apply cloud firewalls on a per-network basis.

You should deploy your cloud firewalls identical to the existing firewalls.

You should always open traffic between workloads in the same virtual subnet for better visibility.

You should implement a default allow with cloud firewalls and then restrict as necessary.

You should implement a default deny with cloud firewalls.

False

True

Only the cloud consumer

Only the cloud provider

Both the cloud provider and consumer

It is determined in the agreement between the entities

It is outsourced as per the entity agreement

Encryption

Organization

Knowledge management

IDS

Insulation

The provider is accountable for all risk management.

You can manage, transfer, accept, or avoid risks.

The consumers are completely responsible for all risk.

If there is still residual risk after assessments and controls are in

place, you must accept the risk.

Risk insurance covers all financial losses, including loss of

customers.

Inspect and account for risks inherited from other members of the cloud supply chain and take active measures to mitigate and contain risks through operational resiliency.

Respect the interdependency of the risks inherent in the cloud supply chain and communicate the corporate risk posture and readiness to consumers and dependent parties.

Negotiate long-term contracts with companies who use well-vetted software application to avoid the transient nature of the cloud environment.

Provide transparency to stakeholders and shareholders demonstrating fiscal solvency and organizational transparency.

Both B and C.

DLP can provide options for quickly deleting all of the data stored in a cloud environment.

DLP can classify all data in a storage repository.

DLP never provides options for how data found in violation of a policy can be handled.

DLP can provide options for where data is stored.

DLP can provide options for how data found in violation of a policy can be handled.

Use strong multi-factor authentication

Secure backup processes for key management systems

Segregate keys from the provider hosting data

Stipulate encryption in contract language

Select cloud providers within the same country as customer

Planned Outages

Resiliency Planning

Expected Engineering

Chaos Engineering

Organized Downtime

False

True

Network traffic rules for cloud environments

A number of requirements to be implemented, based upon numerous standards and regulatory requirements

Federal legal business requirements for all cloud operators

A list of cloud configurations including traffic logic and efficient routes

The command and control management hierarchy of typical cloud company

Cloud Service Customers (CSCs) are solely responsible for security in the cloud environment. The Cloud Service Providers (CSPs) are accountable.

Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) share security responsibilities. The exact allocation of responsibilities depends on the technology and context.

Cloud Service Providers (CSPs) are solely responsible for security in the cloud environment. Cloud Service Customers (CSCs) have an advisory role.

Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) share security responsibilities. The allocation of responsibilities is constant.

Governance and Retention Management

Governance and Risk Management

Governing and Risk Metrics

False

True

Scope of the assessment and the exact included features and services for the assessment

Provider infrastructure information including maintenance windows and contracts

Network or architecture diagrams including all end point security devices in use

Service-level agreements between all parties

Full API access to all required services

Application Consumer

Database Manager

Application Developer

Cloud Provider

Web Application CISO

Lack of visibility

Deployment flexibility

Scaling and costs

Intelligence sharing

Insulation of clients

Platform-based Workload

Pod

Abstraction

Container

Virtual machine

Virtualization

Applistructure

Hypervisor

Metastructure

Orchestration

False

True

A general lack of interoperability standards means that extra focus must be placed on the security aspects of migration between Cloud providers.

The size of data sets hosted at a Cloud provider can present challenges if migration to another provider becomes necessary.

Customers of SaaS providers in particular need to mitigate the risks of application lock-in.

Clients need to do business continuity planning due diligence in case they suddenly need to switch providers.

Geographic redundancy ensures that Cloud Providers provide highly available services.

Configuring secondary authentication

Establishing multiple accounts

Maintaining tight control of the primary account holder credentials

Implementing least privilege accounts

Configuring role-based authentication

False

True

To automate the data encryption process across all cloud services

To reduce the overall cost of cloud storage solutions

To apply appropriate security controls based on asset sensitivity and importance

To increase the speed of data retrieval within the cloud environment

Reliability

Security

Performance

Scalability

It compresses data to save space

It speeds up data retrieval times

It monitors unauthorized access attempts

It secures data stored as objects

The division of security responsibilities between cloud providers and customers

The relationships between IaaS, PaaS, and SaaS providers

The compliance with geographical data residency and sovereignty

The guidance for the cloud compliance framework

High operational costs

Misconfigurations

Limited scalability

Complex deployment pipelines

Notifying affected parties

Isolating affected systems

Restoring services to normal operations

Documenting lessons learned and improving future responses

Local backup

Multi-region resiliency

Single-region resiliency

High Availability within one data center

To create a separation between development and operations

To eliminate the need for IT operations by automating all tasks

To enhance collaboration between development and IT operations for efficient delivery

To reduce the development team size by merging roles

Continuous Build, Integration, and Testing

Continuous Delivery and Deployment

Secure Design and Architecture

Secure Coding

Through virtualization, with administrators allocating resources based on SLAs

Through abstraction and automation to distribute resources to customers

By allocating physical systems to a single customer at a time

Through manual configuration of resources for each user need

They represent the logging of different networking solutions, and DNS Logs are more suitable for a ZTA implementation

DNS Logs record domain name resolution requests and responses, while Flow Logs record info on source, destination, protocol

They play identical functions and can be used interchangeably

DNS Logs record all the information about the network behavior, including source, destination, and protocol, while Flow Logs record users' applications behavior

Implementing dynamic network segmentation policies

Employing Role-Based Access Control (RBAC) for container access

Regular vulnerability scanning of deployed containers

Use of immutable containers

Cloud sprawl disperses assets, making it harder to monitor assets.

Cloud sprawl centralizes assets, simplifying security monitoring.

Cloud sprawl reduces the number of assets, easing security efforts.

Cloud sprawl has no impact on security monitoring.

MFA relies on physical tokens and biometrics to secure accounts.

MFA requires multiple forms of validation that would have to compromise.

MFA requires and uses more complex passwords to secure accounts.

MFA eliminates the need for passwords through single sign-on.

It identifies issues before full deployment, saving time and resources.

It increases the overall testing time and costs.

It allows skipping final verification tests.

It eliminates the need for continuous integration.

AI enhances security without any adverse implications

AI mainly reduces manual work with no significant security impacts

AI enhances detection mechanisms but could be exploited for sophisticated attacks

AI is only beneficial in data management, not security

Contracts

Shared Responsibility Model

Service Registry

Risk Register

Firewalls

Software-Defined Perimeter (SDP)

Virtual Private Network (VPN)

Intrusion Detection System (IDS)

Role-Based Access Control

Unlimited Access

Mandatory Access Control

Least-Privileged Access

To increase data transfer speeds within the cloud environment

To reduce the cost of cloud services

To ensure compliance, security, and efficient management aligned with the organization's goals

To eliminate the need for on-premises data centers

Using access controls as the sole security measure

Encrypting all objects in the repository

Encrypting the access paths only

Encrypting only sensitive objects

Network Attached Storage (NAS)

Block storage

File storage

Object storage

Integration with network infrastructure

Adherence to software development practices

Optimization for cost reduction

Alignment with security objectives and regulatory requirements

Software as a Service (SaaS)

Database as a Service (DBaaS)

Platform as a Service (PaaS)

Infrastructure as a Service (IaaS)

A single deployment for all applications

Shared deployments for similar applications

Randomized deployment configurations

Multiple independent deployments for applications