CCSK Certificate of Cloud Security Knowledge (v5.0) Questions and Answers

It allows for quick restoration points during updates or changes

It is used for load balancing VMs

It enhances VM performance significantly

It provides real-time analytics on VM applications

Risk assessment

Audit

Penetration testing

Incident response

Continuous Build, Integration, and Testing

Continuous Delivery and Deployment

Secure Design and Architecture

Secure Coding

MFA relies on physical tokens and biometrics to secure accounts.

MFA requires multiple forms of validation that would have to compromise.

MFA requires and uses more complex passwords to secure accounts.

MFA eliminates the need for passwords through single sign-on.

Notifying affected parties

Isolating affected systems

Restoring services to normal operations

Documenting lessons learned and improving future responses

Component credentials

Immutable infrastructure

Infrastructure as code

Application integration

AI enhances security without any adverse implications

AI mainly reduces manual work with no significant security impacts

AI enhances detection mechanisms but could be exploited for sophisticated attacks

AI is only beneficial in data management, not security

Scalability and redundancy

Improved software development methodologies

Enhanced security and compliance

Cost efficiency and speed to market

It consolidates logs into a single location.

It decreases the amount of data that needs to be reviewed.

It encrypts all logs to prevent unauthorized access.

It automatically resolves all detected security threats.

A single deployment for all applications

Shared deployments for similar applications

Randomized deployment configurations

Multiple independent deployments for applications

Reduces the need for security auditing

Enables consistent security configurations through automation

Increases manual control over security settings

Increases scalability of cloud resources

High operational costs

Misconfigurations

Limited scalability

Complex deployment pipelines

Inability to monitor cloud infrastructure for threats

IAM failures

Lack of encryption for data at rest

Vulnerabilities in cloud provider's physical infrastructure

Limited deployment options

Manual management of resources

Automation of deployment and scaling

Increased hardware dependency

Cloud sprawl disperses assets, making it harder to monitor assets.

Cloud sprawl centralizes assets, simplifying security monitoring.

Cloud sprawl reduces the number of assets, easing security efforts.

Cloud sprawl has no impact on security monitoring.

Focusing exclusively on signature-based detection for known malware

Deploying behavioral detectors for IAM and management plane activities

Implementing full packet capture and monitoring

Relying on IP address and connection header monitoring

Local backup

Multi-region resiliency

Single-region resiliency

High Availability within one data center

They represent the logging of different networking solutions, and DNS Logs are more suitable for a ZTA implementation

DNS Logs record domain name resolution requests and responses, while Flow Logs record info on source, destination, protocol

They play identical functions and can be used interchangeably

DNS Logs record all the information about the network behavior, including source, destination, and protocol, while Flow Logs record users' applications behavior

Cloud storage management and governance

Data center infrastructure and architecture

IAM and networking

Application development and deployment

Developing a cloud service provider evaluation criterion

Deploying automated security monitoring tools across cloud services

Establishing a Cloud Incident Response Team and response plans

Conducting regular vulnerability assessments on cloud infrastructure

Cloud Service Customers (CSCs) are solely responsible for security in the cloud environment. The Cloud Service Providers (CSPs) are accountable.

Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) share security responsibilities. The exact allocation of responsibilities depends on the technology and context.

Cloud Service Providers (CSPs) are solely responsible for security in the cloud environment. Cloud Service Customers (CSCs) have an advisory role.

Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) share security responsibilities. The allocation of responsibilities is constant.

To reduce the number of network hops for log collection

To facilitate efficient central log collection

To use CSP's analysis tools for log analysis

To convert cloud logs into on-premise formats

By reducing the threat of breaches and vulnerabilities

Confining breaches to a smaller portion of the network

Allowing faster data recovery and response

Monitoring and detecting unauthorized access attempts

Integration with network infrastructure

Adherence to software development practices

Optimization for cost reduction

Alignment with security objectives and regulatory requirements

It may require a subpoena of the provider directly

It would require a previous access agreement

It would require an act of war

It would require a previous contractual agreement to obtain the application or access to the environment

It would never be obtained in this situation

True

False

Allowing the cloud provider to manage your keys so that they have the ability to access and delete the data from the main and back-up storage.

Maintaining customer managed key management and revoking or deleting keys from the key management system to prevent the data from being accessed again.

Practice Integration of Duties (IOD) so that everyone is able to delete the encrypted data.

Keep the keys stored on the client side so that they are secure and so that the users have the ability to delete their own data.

Both B and D.

Elastic infrastructure

Default deny

Decreased use of micro-services

Segregation by default

Fewer serverless configurations

Platform-as-a-service (PaaS)

Desktop-as-a-service (DaaS)

Infrastructure-as-a-service (IaaS)

Identity-as-a-service (IDaaS)

Software-as-a-service (SaaS)

Sales

Marketing

Legal counsel

Auditors

Accounting

Nothing.

It depends on how the automation is configured.

Changes made in production are overwritten by the next code or template change.

Changes made in test are overwritten by the next code or template change.

Changes made in production are untouched by the next code or template change.

Mappings to well-known standards and frameworks

Service Provider or Tenant/Consumer

Physical, Network, Compute, Storage, Application or Data

SaaS, PaaS or IaaS

Single key for all data owners

One key per data owner

Multiple keys per data owner

The answer could be A, B, or C depending on the provider

C for data subject to the EU Data Protection Directive; B for all others

The CCM columns are mapped to HIPAA/HITECH Act and therefore Health4Sure could verify the CCM controls already covered ad a result of their compliance with HIPPA/HITECH Act. They could then assess the remaining controls. This approach will save time.

The CCM domain controls are mapped to HIPAA/HITECH Act and therefore Health4Sure could verify the CCM controls already covered as a result of their compliance with HIPPA/HITECH Act. They could then assess the remaining controls thoroughly. This approach saves time while being able to assess the company’s overall security posture in an efficient manner.

The CCM domains are not mapped to HIPAA/HITECH Act. Therefore Health4Sure should assess the security posture of their cloud service against each and every control in the CCM. This approach will allow a thorough assessment of the security posture.

You should apply cloud firewalls on a per-network basis.

You should deploy your cloud firewalls identical to the existing firewalls.

You should always open traffic between workloads in the same virtual subnet for better visibility.

You should implement a default allow with cloud firewalls and then restrict as necessary.

You should implement a default deny with cloud firewalls.

The devices used to access data have different storage formats.

The devices used to access data use a variety of operating systems and may have different programs installed on them.

The device may affect data dispersion.

The devices used to access data use a variety of applications or clients and may have different security characteristics.

The devices used to access data may have different ownership characteristics.

Platform-based Workload

Pod

Abstraction

Container

Virtual machine

Application logic

Access controls

Encryption solutions

Physical destruction

Asset management and tracking

False

True

False

True

Rapid elasticity

Resource pooling

Broad network access

Measured service

On-demand self-service

False

True

Use strong multi-factor authentication

Secure backup processes for key management systems

Segregate keys from the provider hosting data

Stipulate encryption in contract language

Select cloud providers within the same country as customer

You might not have the ability or administrative rights to search or access all hosted data.

The cloud provider must conduct the search with the full administrative controls.

All cloud-hosted email accounts are easily searchable.

Search and discovery time is always factored into a contract between the consumer and provider.

You can easily search across your environment using any E-Discovery tool.

False

True

Arbitrary contract termination by acquiring company

Resource isolation may fail

Provider may change physical location

Mass layoffs may occur

Non-binding agreements put at risk

False

True

Conceptual models or frameworks

Design patterns

Controls models or frameworks

Reference architectures

Cloud Controls Matrix (CCM)

VM communications may use a virtual network on the same hardware host

The guest OS can invoke stealth mode

Hypervisors depend upon multiple network interfaces

VM images can contain rootkits programmed to bypass firewalls

Most network security systems do not recognize encrypted VM traffic

Inspect and account for risks inherited from other members of the cloud supply chain and take active measures to mitigate and contain risks through operational resiliency.

Respect the interdependency of the risks inherent in the cloud supply chain and communicate the corporate risk posture and readiness to consumers and dependent parties.

Negotiate long-term contracts with companies who use well-vetted software application to avoid the transient nature of the cloud environment.

Provide transparency to stakeholders and shareholders demonstrating fiscal solvency and organizational transparency.

Both B and C.