Last Updated on February 21, 2022 by Admin 3

CCSP : Certified Cloud Security Professional (CCSP) : Part 17

  1. What process entails taking sensitive data and removing the indirect identifiers from each data object so that the identification of a single entity would not be possible?

    • Tokenization
    • Encryption
    • Anonymization
    • Masking

    Explanation:
    Anonymization is a type of masking, where indirect identifiers are removed from a data set to prevent the mapping back of data to an individual. Although masking refers to the overall approach of covering sensitive data, anonymization is the best answer here because it is more specific to exactly what is being asked. Tokenization involves the replacement of sensitive data with a key value that can be matched back to the real value. However, it is not focused on indirect identifiers or preventing the matching to an individual. Encryption refers to the overall process of protecting data via key pairs and protecting confidentiality.

  2. Because cloud providers will not give detailed information out about their infrastructures and practices to the general public, they will often use established auditing reports to ensure public trust, where the reputation of the auditors serves for assurance.

    Which type of audit reports can be used for general public trust assurances?

    • SOC 2
    • SAS-70
    • SOC 3
    • SOC 1
    Explanation: 
    SOC Type 3 audit reports are very similar to SOC Type 2, with the exception that they are intended for general release and public audiences. SAS-70 audits have been deprecated. SOC Type 1 audit reports have a narrow scope and are intended for very limited release, whereas SOC Type 2 audit reports are intended for wider audiences but not general release.
  3. Which of the following concepts is NOT one of the core components to an encryption system architecture?

    • Software
    • Network
    • Keys
    • Data
    Explanation: 
    The network utilized is not one of the key components of an encryption system architecture. In fact, a network is not even required for encryption systems or the processing and protection of data. The data, software used for the encryption engine itself, and the keys used to implement the encryption are all core components of an encryption system architecture.
  4. For optimal security, trust zones are used for network segmentation and isolation. They allow for the separation of various systems and tiers, each with its own security level.

    Which of the following is typically used to allow administrative personnel access to trust zones?

    • IPSec
    • SSH
    • VPN
    • TLS
    Explanation: 
    Virtual private networks (VPNs) are used to provide administrative personnel with secure communication channels through security systems and into trust zones. They allow staff who perform system administration tasks to have access to ports and systems that are not allowed from the public Internet. IPSec is an encryption protocol for point-to-point communications at the network level, and may be used within a trust zone but not to give access into a trust zone. TLS enables encryption of communications between systems and services and would likely be used to secure the VPN communications, but it does not represent the overall concept being asked for in the question. SSH allows for secure shell access to systems, but not for general access into trust zones.
  5. Which of the following is NOT a major regulatory framework?

    • PCI DSS
    • HIPAA
    • SOX
    • FIPS 140-2
    Explanation: 
    FIPS 140-2 is a United States certification standard for cryptographic modules, and it provides guidance and requirements for their use based on the requirements of the data classification. However, these are not actual regulatory requirements. The Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), and the Payment Card Industry Data Security Standard (PCI DSS) are all major regulatory frameworks either by law or specific to an industry.
  6. As part of the auditing process, getting a report on the deviations between intended configurations and actual policy is often crucial for an organization.

    What term pertains to the process of generating such a report?

    • Deficiencies
    • Findings
    • Gap analysis
    • Errors
    Explanation: 
    The gap analysis determines if there are any differences between the actual configurations in use on systems and the policies that govern what the configurations are expected or mandated to be. The other terms provided are all similar to the correct answer (“findings” in particular is often used to articulate deviations in configurations), but gap analysis is the official term used.
  7. An audit scope statement defines the limits and outcomes from an audit.

    Which of the following would NOT be included as part of an audit scope statement?

    • Reports
    • Certification
    • Billing
    • Exclusions
    Explanation: 
    Billing for an audit, or other cost-related items, would not be part of an audit scope statement and would instead be handled prior to the actual audit as part of the contract between the organization and auditors. Reports, exclusions to the scope of the audit, and required certifications on behalf of the systems or auditors are all crucial elements of an audit scope statement.
  8. What concept and operational process must be spelled out clearly, as far as roles and responsibilities go, between the cloud provider and cloud customer for the mitigation of any problems or security events?

    • Incident response
    • Problem management
    • Change management
    • Conflict response
    Explanation: 
    Incident response is the process through which security or operational issues are handled, including coordination with and communication to the appropriate stakeholders. None of the other terms provided is the correct response.
  9. Your new CISO is placing increased importance and focus on regulatory compliance as your applications and systems move into cloud environments.

    Which of the following would NOT be a major focus of yours as you develop a project plan to focus on regulatory compliance?

    • Data in transit
    • Data in use
    • Data at rest
    • Data custodian
    Explanation: 
    The jurisdictions where data is being stored, processed, or consumed are the ones that dictate the regulatory frameworks and compliance requirements, regardless of who the data owner or custodian might be. The other concepts for protecting data would all play a prominent role in regulatory compliance with a move to the cloud environment. Each concept needs to be evaluated based on the new configurations as well as any potential changes in jurisdiction or requirements introduced with the move to a cloud.
  10. Cloud systems are increasingly used for BCDR solutions for organizations.

    What aspect of cloud computing makes their use for BCDR the most attractive?

    • On-demand self-service
    • Measured service
    • Portability
    • Broad network access
    Explanation: 
    Business continuity and disaster recovery (BCDR) solutions largely sit idle until they are actually needed. This traditionally has led to increased costs for an organization because physical hardware must be purchased and operational but is not used. By using a cloud system, an organization will only pay for systems when they are being used and only for the duration of use, thus eliminating the need for extra hardware and costs. Portability is the ability to easily move services among different cloud providers. Broad network access allows access to users and staff from anywhere and from different clients, and although this would be important for a BCDR situation, it is not the best answer in this case. On-demand self-service allows users to provision services automatically and when needed, and although this too would be important for BCDR situations, it is not the best answer because it does not address costs or the biggest benefits to an organization.
  11. What is a potential problem when object storage, rather than volume storage, is used within IaaS for application use and dependency?

    • Object storage is only optimized for small files.
    • Object storage is its own system, and data consistency depends on replication.
    • Object storage may have availability issues.
    • Object storage is dependent on access control from the host server.
    Explanation: 
    Object storage runs on its own independent systems, which have their own redundancy and distribution. To ensure data consistency, sufficient time is needed for objects to fully replicate to all potential locations before being accessed. Object storage is optimized for high availability and will not be any less reliable than any other virtual machine within a cloud environment. It is hosted on a separate system that does not have dependencies on local host servers for access control, and it is optimized for files of all different sizes and uses.
  12. Many aspects of cloud computing bring enormous benefits over a traditional data center, but also introduce new challenges unique to cloud computing.

    Which of the following aspects of cloud computing makes appropriate data classification of high importance?

    • Multitenancy
    • Interoperability
    • Portability
    • Reversibility
    Explanation: 
    With multitenancy, where different cloud customers all share the same physical systems and networks, data classification becomes even more important to ensure that the appropriate security controls are applied immediately to prevent any potential leakage or exposure to other customers. Portability refers to the ability to move easily from one cloud provider to another. Interoperability refers to the ability to reuse components and services for different uses. Reversibility refers to the ability of the cloud customer to quickly and completely remove all data and services from a cloud provider and to verify the removal.
  13. Without the extensive funds of a large corporation, a small-sized company could gain considerable and cost-effective services for which of the following concepts by moving to a cloud environment?

    • Regulatory
    • Security
    • Testing
    • Development
    Explanation: 
    Cloud environments, regardless of the specific deployment model used, have extensive and robust security controls in place, especially in regard to physical and infrastructure security. A small company can leverage the extensive security controls and monitoring provided by a cloud provider, which it would be unlikely ever to afford on its own. Moving to a cloud would not result in any gains for development and testing because these areas require the same rigor regardless of where deployment and hosting occur. Regulatory compliance in a cloud would not be a gain for an organization because it would likely result in additional oversight and auditing as well as require the organization to adapt to a new environment.
  14. BCDR strategies typically do not involve the entire operations of an organization, but only those deemed critical to their business.

    Which concept pertains to the amount of data and services needed to reach the predetermined level of operations?

    • SRE
    • RPO
    • RSL
    • RTO
    Explanation: 
    The recovery point objective (RPO) sets and defines the amount of data an organization must have available or accessible to reach the predetermined level of operations necessary during a BCDR situation. The recovery time objective (RTO) measures the amount of time necessary to recover operations to meet the BCDR plan. The recovery service level (RSL) measures the percentage of operations that would be recovered during a BCDR situation. SRE is provided as an erroneous response.
  15. Which of the following is NOT a commonly used communications method within cloud environments to secure data in transit?

    • IPSec
    • HTTPS
    • VPN
    • DNSSEC
    Explanation: 
    DNSSEC is a security extension to DNS lookup queries that ensures the authenticity and authoritativeness of hostname resolutions in order to prevent spoofing and redirection of traffic. Although it is a very important concept to be employed for security practices, it is not used to secure or encrypt data transmissions. HTTPS is the most commonly used security mechanism for data communications between clients and websites and web services. IPSec is less commonly used, but is also intended to secure communications between servers. VPN is commonly used to secure traffic into a network area or subnet for developers and administrative users.
  16. Which crucial aspect of cloud computing can be most threatened by insecure APIs?

    • Automation
    • Resource pooling
    • Elasticity
    • Redundancy
    Explanation:
    Cloud environments depend heavily on API calls for management and automation. Any vulnerability with the APIs can cause significant risk and exposure to all tenants of the cloud environment. Resource pooling and elasticity could both be impacted by insecure APIs, as both require automation and orchestration to operate properly, but automation is the better answer here. Redundancy would not be directly impacted by insecure APIs.
  17. The WS-Security standards are built around all of the following standards except which one?

    • SAML
    • WSDL
    • XML
    • SOAP
    Explanation: 
    The WS-Security specifications, as well as the WS-Federation system, are built upon XML, WSDL, and SOAP. SAML is a very similar protocol that is used as an alternative to WS. XML, WSDL, and SOAP are all integral to the WS-Security specifications.
  18. Which protocol, as a part of TLS, handles negotiating and establishing a connection between two parties?

    • Record
    • Binding
    • Negotiation
    • Handshake
    Explanation: 
    The TLS handshake protocol is what negotiates and establishes the TLS connection between two parties and enables a secure communications channel to then handle data transmissions. The TLS record protocol is the actual secure communications method for transmitting data; it’s responsible for the encryption and authentication of packets throughout their transmission between the parties, and in some cases it also performs compression. Negotiation and binding are not protocols under TLS.
  19. BCDR strategies typically do not involve the entire operations of an organization, but only those deemed critical to their business.

    Which concept pertains to the required amount of time to restore services to the predetermined level?

    • RPO
    • RSL
    • RTO
    • SRE
    Explanation: 
    The recovery time objective (RTO) measures the amount of time necessary to recover operations to meet the BCDR plan. The recovery service level (RSL) measures the percentage of operations that would be recovered during a BCDR situation. The recovery point objective (RPO) sets and defines the amount of data an organization must have available or accessible to reach the predetermined level of operations necessary during a BCDR situation. SRE is provided as an erroneous response.
  20. Your company is in the planning stages of moving applications that have large data sets to a cloud environment.

    What strategy for data removal would be the MOST appropriate for you to recommend if costs and speed are primary considerations?

    • Shredding
    • Media destruction
    • Cryptographic erasure
    • Overwriting
    Explanation: 
    Cryptographic erasure involves having the data encrypted, typically as a matter of standard operations, and then rendering the data useless and unreadable by destroying the encryption keys for it. It represents a very cheap and immediate way to destroy data, and it works in all environments. With a cloud environment and multitenancy, media destruction or the physical destruction of storage devices, including shredding, would not be possible. Depending on the environment, overwriting may or may not be possible, but cryptographic erasure is the best answer because it is always an available option and is very quick to implement.