Last Updated on February 21, 2022 by Admin 3

CCSP : Certified Cloud Security Professional (CCSP) : Part 12

  1. Which of the following threat types involves an application that does not validate authorization for portions of itself beyond when the user first enters it?

    • Cross-site request forgery
    • Missing function-level access control
    • Injection
    • Cross-site scripting

    Explanation: 
    It is imperative that applications do checks when each function or portion of the application is accessed to ensure that the user is properly authorized. Without continual checks each time a function is accessed, an attacker could forge requests to access portions of the application where authorization has not been granted. An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. Cross-site scripting occurs when an attacker is able to send untrusted data to a user’s browser without going through validation processes. Cross-site request forgery occurs when an attacker forces an authenticated user to send forged requests to an application running under their own access and credentials.

  2. Clustered systems can be used to ensure high availability and load balancing across individual systems through a variety of methodologies.

    What process is used within a clustered system to ensure proper load balancing and to maintain the health of the overall system to provide high availability?

    • Distributed clustering
    • Distributed balancing
    • Distributed optimization
    • Distributed resource scheduling

    Explanation:
    Distributed resource scheduling (DRS) is used within all clustered systems as the method for providing high availability, scaling, management, workload distribution, and the balancing of jobs and processes. None of the other choices is the correct term in this case.

  3. Although the REST API supports a wide variety of data formats for communications and exchange, which data formats are the most commonly used?

    • SAML and HTML
    • XML and SAML
    • XML and JSON
    • JSON and SAML

    Explanation:
    JavaScript Object Notation (JSON) and Extensible Markup Language (XML) are the most commonly used data formats for the Representational State Transfer (REST) API and are typically implemented with caching for increased scalability and performance. Extensible Markup Language (XML) and Security Assertion Markup Language (SAML) are both standards for exchanging encoded data between two parties, with XML being for more general use and SAML focused on authentication and authorization data. HTML is used for authoring web pages for consumption by web browsers.

  4. The share phase of the cloud data lifecycle involves allowing data to leave the application, to be shared with external systems, services, or even other vendors/contractors.

    What technology would be useful for protecting data at this point?

    • IDS
    • DLP
    • IPS
    • WAF

    Explanation:
    Data loss prevention (DLP) solutions allow for control of data outside of the application or original system. They can enforce granular control such as printing, copying, and being read by others, as well as forcing expiration of access. Intrusion detection system (IDS) and intrusion prevention system (IPS) solutions are used for detecting and blocking suspicious and malicious traffic, respectively, whereas a web application firewall (WAF) is used for enforcing security or other controls on web-based applications.

  5. When an API is being leveraged, it will encapsulate its data for transmission back to the requesting party or service.

    What is the data encapsulation used with the SOAP protocol referred to as?

    • Packet
    • Payload
    • Object
    • Envelope

    Explanation:
    Simple Object Access Protocol (SOAP) encapsulates its information in what is known as a SOAP envelope. It then leverages common communications protocols for transmission. Object is a type of cloud storage, but also a commonly used term with certain types of programming languages. Packet and payload are terms that sound similar to envelope but are not correct in this case.

  6. From a security perspective, what component of a cloud computing infrastructure represents the biggest concern?

    • Hypervisor
    • Management plane
    • Object storage
    • Encryption

    Explanation:
    The management plane will have broad administrative access to all host systems throughout an environment; as such, it represents the most pressing security concerns. A compromise of the management plane can directly lead to compromises of any other systems within the environment. Although hypervisors represent a significant security concern to an environment because their compromise would expose any virtual systems hosted within them, the management plane is a better choice in this case because it controls multiple hypervisors. Encryption and object storage both represent lower-level security concerns.

  7. Which of the following is NOT one of the main intended goals of a DLP solution?

    • Showing due diligence
    • Preventing malicious insiders
    • Regulatory compliance
    • Managing and minimizing risk

    Explanation:
    Data loss prevention (DLP) extends the capabilities for data protection beyond the standard and traditional security controls that are offered by operating systems, application containers, and network devices. DLP is not specifically implemented to counter malicious insiders, and would not be particularly effective in doing so, because a malicious insider with legitimate access would have other ways to obtain data. DLP is a set of practices and controls to manage and minimize risk, comply with regulatory requirements, and show due diligence with the protection of data.

  8. Data center and operations design traditionally takes a tiered, topological approach.

    Which of the following standards is focused on that approach and is prevalently used throughout the industry?

    • IDCA
    • NFPA
    • BICSI
    • Uptime Institute

    Explanation:
    The Uptime Institute publishes the most widely known and used standard for data center topologies and tiers. The National Fire Protection Association (NFPA) publishes a broad range of fire safety and design standards for many different types of facilities. Building Industry Consulting Services International (BICSI) issues certifications for data center cabling. The International Data Center Authority (IDCA) offers the Infinity Paradigm, which takes a macro-level approach to data center design.

  9. Jurisdictions have a broad range of privacy requirements pertaining to the handling of personal data and information.

    Which jurisdiction requires all storage and processing of data that pertains to its citizens to be done on hardware that is physically located within its borders?

    • Japan
    • United States
    • European Union
    • Russia

    Explanation:
    The Russian government requires all data and processing of information about its citizens to be done solely on systems and applications that reside within the physical borders of the country. The United States, European Union, and Japan focus their data privacy laws on requirements and methods for the protection of data, rather than where the data physically resides.

  10. The management plane is used to administer a cloud environment and perform administrative tasks across a variety of systems, but most specifically it’s used with the hypervisors.

    What does the management plane typically leverage for this orchestration?

    • APIs
    • Scripts
    • TLS
    • XML

    Explanation:
    The management plane uses APIs to execute remote calls across the cloud environment to various management systems, especially hypervisors. This allows a centralized administrative interface, often a web portal, to orchestrate tasks throughout an enterprise. Scripts may be utilized to execute API calls, but they are not used directly to interact with systems. XML is used for data encoding and transmission, but not for executing remote calls. TLS is used to encrypt communications and may be used with API calls, but it is not the actual process for executing commands.

  11. When dealing with PII, which category pertains to those requirements that can carry legal sanctions or penalties for failure to adequately safeguard the data and address compliance requirements?

    • Contractual
    • Jurisdictional
    • Regulated
    • Legal

    Explanation:
    Regulated PII pertains to data that is outlined in law and regulations. Violations of the requirements for the protection of regulated PII can carry legal sanctions or penalties. Contractual PII involves required data protection that is determined by the actual service contract between the cloud provider and cloud customer, rather than outlined by law. Violations of the provisions of contractual PII carry potential financial or contractual implications, but not legal sanctions. Legal and jurisdictional are similar terms to regulated, but neither is the official term used.

  12. Although the United States does not have a single, comprehensive privacy and regulatory framework, a number of specific regulations pertain to types of data or populations.

    Which of the following is NOT a regulatory system from the United States federal government?

    • HIPAA
    • SOX
    • FISMA
    • PCI DSS

    Explanation:
    The Payment Card Industry Data Security Standard (PCI DSS) pertains to organizations that handle credit card transactions and is an industry-regulatory standard, not a governmental one. The Sarbanes-Oxley Act (SOX) was passed in 2002 and pertains to financial records and reporting, as well as transparency requirements for shareholders and other stakeholders. The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and pertains to data privacy and security for medical records. FISMA refers to the Federal Information Security Management Act of 2002 and pertains to the protection of all US federal government IT systems, with the exception of national security systems.

  13. The president of your company has tasked you with implementing cloud services as the most efficient way of obtaining a robust disaster recovery configuration for your production services.

    Which of the cloud deployment models would you MOST likely be exploring?

    • Hybrid
    • Private
    • Community
    • Public

    Explanation:
    A hybrid cloud model spans two or more different hosting configurations or cloud providers. This would enable an organization to continue using its current hosting configuration, while adding additional cloud services to enable disaster recovery capabilities. The other cloud deployment models (public, private, and community) would not be applicable for seeking a disaster recovery configuration where cloud services are to be leveraged for that purpose rather than production service hosting.

  14. If you are running an application that has strict legal requirements that the data cannot reside on systems that contain other applications or systems, which aspect of cloud computing would be prohibitive in this case?

    • Multitenancy
    • Broad network access
    • Portability
    • Elasticity

    Explanation:
    Multitenancy is the aspect of cloud computing that involves having multiple customers and applications running within the same system and sharing the same resources. Although considerable mechanisms are in place to ensure isolation and separation, the data and applications are ultimately using shared resources. Broad network access refers to the ability to access cloud services from any location or client. Portability refers to the ability to easily move cloud services between different cloud providers, whereas elasticity refers to the capabilities of a cloud environment to add or remove services, as needed, to meet current demand.

  15. The REST API is a widely used standard for communications of web-based services between clients and the servers hosting them.

    Which protocol does the REST API depend on?

    • HTTP
    • SSH
    • SAML
    • XML

    Explanation:
    Representational State Transfer (REST) is a software architectural scheme that applies the components, connectors, and data conduits for many web applications used on the Internet. It uses and relies on the HTTP protocol and supports a variety of data formats. Extensible Markup Language (XML) and Security Assertion Markup Language (SAML) are both standards for exchanging encoded data between two parties, with XML being for more general use and SAML focused on authentication and authorization data. Secure Shell (SSH) is a secure method for allowing remote login to systems over a network.

  16. Which of the following actions will NOT make data part of the create phase of the cloud data lifecycle?

    • Modify data
    • Modify metadata
    • New data
    • Import data

    Explanation:
    Modifying the metadata does not change the actual data. Although this initial phase is called “create,” it can also refer to modification. In essence, any time data is considered “new,” it is in the create phase. This can come from data that is newly created, data that is imported into a system and is new to that system, or data that is already present and is modified into a new form or value.

  17. Most APIs will support a variety of different data formats or structures.

    However, the SOAP API will only support which one of the following data formats?

    • XML
    • XSLT
    • JSON
    • SAML

    Explanation:
    The Simple Object Access Protocol (SOAP) only supports the Extensible Markup Language (XML) data format. Although the other options are all data formats or data structures, they are not supported by SOAP.

  18. Which cloud storage type is typically used to house virtual machine images that are used throughout the environment?

    • Structured
    • Unstructured
    • Volume
    • Object

    Explanation:
    Object storage is typically used to house virtual machine images because it is independent from other systems and is focused solely on storage. It is also the most appropriate for handling large individual files. Volume storage, because it is allocated to a specific host, would not be appropriate for the storing of virtual images. Structured and unstructured are storage types specific to PaaS and would not be used for storing items used throughout a cloud environment.

  19. With an API, various features and optimizations are highly desirable to scalability, reliability, and security.

    What does the REST API support that the SOAP API does NOT support?

    • Acceleration
    • Caching
    • Redundancy
    • Encryption

    Explanation:
    The Simple Object Access Protocol (SOAP) does not support caching, whereas the Representational State Transfer (REST) API does. The other options are capabilities that are either not supported by SOAP, or not supported by any API and must instead be provided by external features.

  20. Although much of the attention given to data security is focused on keeping data private and only accessible by authorized individuals, of equal importance is the trustworthiness of the data.

    Which concept encapsulates this?

    • Validity
    • Integrity
    • Accessibility
    • Confidentiality

    Explanation:
    Integrity refers to the trustworthiness of data and whether its format and values are true and have not been corrupted or otherwise altered through unauthorized means. Confidentiality refers to keeping data from being accessed or viewed by unauthorized parties. Accessibility means that data is available and ready when needed by a user or service. Validity can mean a variety of things that are somewhat similar to integrity, but it’s not the most appropriate answer in this case.