The third domain of the Certified Cloud Security Professional (CCSP) Exam Outline concerns the underlying infrastructure of the cloud, including both hardware and software, the concept of pooled resources, and a detailed discussion of identity and access management (IAM).

You are in charge of creating the business continuity and disaster recovery (BC/DR) plan and procedures for your organization. Your organization has its production environment hosted in a cloud environment. You are considering using cloud backup services for your BC/DR purposes as well. What would probably be the best strategy for this approach, in terms of redundancy and resiliency?
You are in charge of creating the business continuity and disaster recovery (BC/DR) plan and procedures for your organization. You decide to have a tabletop test of the BC/DR activity. Which of the following will offer the best value during the test? You are in charge of creating the business continuity and disaster recovery (BC/DR) plan and procedures for your organization. Your organization has its production environment hosted by a cloud provider, and you have appropriate protections in place. Which of the following is a significant consideration for your BC/DR backup? You are in charge of creating the business continuity and disaster recovery (BC/DR) plan and procedures for your organization. You are going to conduct a full test of the BC/DR plan. Which of the following strategies is an optimum technique to avoid major issues? A Security Assertion Markup Language (SAML) identity assertion token uses the ___________________ protocol. The minimum essential characteristics of a cloud data center are often referred to as “ping, power, pipe.” What does this term mean? To support all aspects of the CIA triad (confidentiality, integrity, availability), all of the following aspects of a cloud data center need to be engineered with redundancies except ___________________. Who is the cloud carrier? Which of the following terms describes a means to centralize logical control of all networked nodes in the environment, abstracted from the physical connections to each? In software-defined networking (SDN), the northbound interface (NBI) usually handles traffic between the ___________________ and the ___________________. Software-defined networking (SDN) allows network administrators and architects to perform all the following functions except ___________________. Which of the following is a device specially purposed to handle the issuance, distribution, and storage of cryptographic keys? 
When discussing the cloud, we often segregate the data center into the terms compute, storage, and networking. Compute is made up of ___________________ and ___________________. All of the following can be used to properly apportion cloud resources except ___________________. Which of the following is a method for apportioning resources that involves setting guaranteed minimums for all tenants/customers within the environment? Which of the following is a method for apportioning resources that involves setting maximum usage amounts for all tenants/customers within the environment? Which of the following is a method for apportioning resources that involves prioritizing resource requests to resolve contention situations? A bare-metal hypervisor is Type ___________________. A hypervisor that runs inside another operating system (OS) is a Type ___________________ hypervisor. A Type ___________________ hypervisor is probably more difficult to defend than other hypervisors. One of the security challenges of operating in the cloud is that additional controls must be placed on file storage systems because ___________________. What is the main reason virtualization is used in the cloud? Orchestrating resource calls is the job of the ___________________. Which of the following terms describes a cloud storage area that uses a filesystem/hierarchy? Typically, which form of cloud storage is used in the near term for snapshotted virtual machine (VM) images? Who operates the management plane? What is probably the optimum way to avoid vendor lock-in? Who will determine whether your organization’s cloud migration is satisfactory from a compliance perspective? What is probably the best way to avoid problems associated with vendor lock-out? In a public cloud services arrangement, who creates governance that will determine which controls are selected for the data center and how they are deployed? 
What is the term that describes the situation when a malicious user or attacker can exit the restrictions of a virtual machine (VM) and access another VM residing on the same host? What is the term that describes the situation when a malicious user or attacker can exit the restrictions of a single host and access other nodes on the network? ___________________ is/are probably the main cause of virtualization sprawl. Sprawl is mainly a(n) ___________________ problem. Which of the following risks exists in the traditional environment but is dramatically increased by moving into the cloud? A fundamental aspect of security principles, ___________________ should be implemented in the cloud as well as in traditional environments. From a security perspective, automation of configuration aids in ___________________. ___________________ is the most prevalent protocol used in identity federation. A user signs on to a cloud-based social media platform. In another browser tab, the user finds an article worth posting to the social media platform. The user clicks on the platform’s icon listed on the article’s website, and the article is automatically posted to the user’s account on the social media platform. This is an example of what? A group of clinics decides to create an identification federation for their users (medical providers and clinicians). If they opt to review each other, for compliance with security governance and standards they all find acceptable, what is this federation model called? A group of clinics decides to create an identification federation for their users (medical providers and clinicians). If they opt to hire a third party to review each organization, for compliance with security governance and standards they all find acceptable, what is this federation model called? A group of clinics decides to create an identification federation for their users (medical providers and clinicians). 
If they opt to use the web of trust model for federation, who is/are the identity provider(s)? A group of clinics decides to create an identification federation for their users (medical providers and clinicians). If they opt to use the web of trust model for federation, who is/are the service providers? A group of clinics decides to create an identification federation for their users (medical providers and clinicians). In this federation, all of the participating organizations would need to be in compliance with what U.S. federal regulation? What is the process of granting access to resources? The process of identity management includes all the following elements except ___________________. Which organizational entity usually performs the verification part of the provisioning element of the identification process? Of the following options, which is a reason cloud data center audits are often less easy to verify than traditional audits? Of the following options, which is a reason cloud data center audits are often less easy to verify than traditional audits? Of the following options, which is a reason cloud data center audits are often less easy to verify than audits in standard data centers? The cloud customer will usually not have physical access to the cloud data center. This enhances security by ___________________. Which of the following controls would be useful to build into a virtual machine baseline image for a cloud environment? Which of the following controls would be useful to build into a virtual machine baseline image for a cloud environment? Virtual machine (VM) configuration management (CM) tools should probably include ___________________. Using a virtual machine baseline image could be very useful for which of the following options? What can be revealed by an audit of a baseline virtual image, used in a cloud environment? 
Using one cloud provider for your operational environment and another for your BC/DR backup will also give you the additional benefit of ___________________. Having your BC/DR backup stored with the same cloud provider as your production environment can help you ___________________. If you use the cloud for BC/DR purposes, even if you don’t operate your production environment in the cloud, you can cut costs by eliminating your ___________________. If the cloud is used for BC/DR purposes, the loss of ___________________ could gravely affect your organization’s RTO. What is the most important asset to protect in cloud BC/DR activities? When considering cloud data replication strategies (i.e., whether you are making backups at the block, file, or database level), which element of your organization’s BC/DR plan will be most affected by your choice? In addition to BC/DR, what other benefit can your data archive/backup provide? Which of the following risks is probably most significant when choosing to use one cloud provider for your operational environment and another for BC/DR backup/archive? Return to normal operations is a phase in BC/DR activity when the emergency is over and regular production can resume. Which of the following can sometimes be the result when the organization uses two different cloud providers for the production and BC/DR environments? Which of these determines the critical assets, recovery time objective (RTO), and recovery point objective (RPO) for BC/DR purposes? What artifact—which should already exist within the organization—can be used to determine the critical assets necessary to protect in the BC/DR activity? Which of the following is probably the most important element to address if your organization is using two different cloud providers for the production and BC/DR environments? In a managed cloud services arrangement, who invokes a BC/DR action?
What do you need to do in order to fully ensure that a BC/DR action will function during a contingency? Which of the following is probably the most important activity, of those listed? The BC/DR plan/policy should include all of the following except ___________________. The BC/DR plan/process should be written and documented in such a way that it can be used by ___________________. Which of the following probably poses the most significant risk to the organization? Which of the following probably poses the most significant risk to the organization? Why does the physical location of your data backup and/or BC/DR failover environment matter? According to the European Union Agency for Network and Information Security (ENISA), a cloud risk assessment should provide a means for customers to accomplish all these assurance tasks except ___________________. The European Union Agency for Network and Information Security’s (ENISA’s) definition of cloud computing differs slightly from the definition offered by (ISC)2 (and, for instance, NIST). What is one of the characteristics listed by ENISA but not included in the (ISC)2 definition? Risk should always be considered from a business perspective. Risk is often balanced by corresponding ___________________. When considering the option to migrate from an on-premise environment to a hosted cloud service, an organization should weigh the risks of allowing external entities to access the cloud data for collaborative purposes against ___________________. There are many ways to handle risk. However, the usual methods for addressing risk are not all possible in the cloud because ___________________. In which cloud service model does the customer lose the most control over governance? Which of the following poses a new risk in the cloud, not affecting the traditional, on-premise IT environment? In addition to the security offered by the cloud provider, a cloud customer must consider the security offered by ___________________. 
Which of the following poses a new risk in the cloud, not affecting the traditional, on-premise IT environment? Where is isolation failure probably least likely to pose a significant risk? Which of the following poses a new risk in the cloud, not affecting the traditional, on-premise environment? Which of these does the cloud customer need to ensure protection of intellectual property created in the cloud? What could be the result of failure of the cloud provider to secure the hypervisor in such a way that one user on a virtual machine can see the resource calls of another user’s virtual machine? Key generation in a cloud environment might have less entropy than the traditional environment for all the following reasons except ___________________. Lack of industry-wide standards for cloud computing creates a potential for ___________________. What can hamper the ability of a cloud customer to protect their assets in a managed services arrangement? Cloud administration almost necessarily violates the principles of the ___________________ security model. The physical layout of a cloud data center campus should include redundancies of all the following except ___________________. Best practice for planning the physical resiliency for a cloud data center facility includes ___________________. The physical layout of a cloud data center campus should include redundancies of all the following except ___________________. There are two reasons to conduct a test of the organization’s recovery from backup in an environment other than the primary production environment. Which of the following is one of them? There are two reasons to conduct a test of the organization’s recovery from backup in an environment other than the primary production environment. Which of the following is one of them? In an IaaS arrangement, who accepts responsibility for securing cloud-based applications? Industry best practices dictate that cloud customers do not ___________________. 
It is possible for the cloud customer to transfer ___________________ risk to the provider, but the cloud customer always retains ultimate legal risk. A process for ___________________ can aid in protecting against data disclosure due to lost devices. All of the following can be used in the process of anomaly detection except ___________________. Critical components should be protected with ___________________. It’s important to maintain a current asset inventory list, including surveying your environment on a regular basis, in order to ___________________. Which of the following can enhance data portability? Which of the following can enhance application portability? What should the cloud customer do to ensure that disaster recovery activities don’t exceed the maximum allowable downtime (MAD)? Which of the following would probably best aid an organization in deciding whether to migrate from a traditional environment to a particular cloud provider? A cloud provider will probably require all of the following except ___________________ before a customer conducts a penetration test. Cloud providers will probably not allow ___________________ as part of a customer’s penetration test. A cloud customer performing a penetration test without the provider’s permission is risking ___________________. When a customer performs a penetration test in the cloud, why isn’t the test an optimum simulation of attack conditions? Managed cloud services exist because the service is less expensive for each customer than creating the same services for themselves in a traditional environment. What is the technology that creates most of the cost savings in the cloud environment? Managed cloud services exist because the service is less expensive for each customer than creating the same services for themselves in a traditional environment. 
From the customer perspective, most of the cost differential created between the traditional environment and the cloud through virtualization is achieved by removing ___________________. Managed cloud services exist because the service is less expensive for each customer than creating the same services for themselves in a traditional environment. Using a managed service allows the customer to realize significant cost savings through the reduction of ___________________. Which of the following is a risk posed by the use of virtualization? The tasks performed by the hypervisor in the virtual environment can be most likened to the tasks of the ___________________ in the traditional environment. Mass storage in the cloud will most likely currently involve ___________________. What is the type of cloud storage arrangement that involves the use of associating metadata with the saved data? According to the NIST Cloud Computing Reference Architecture, which of the following is most likely a cloud carrier? Resolving resource contentions in the cloud will most likely be the job of the ___________________. Security controls installed on a guest virtual machine operating system (VM OS) will not function when ___________________. Typically, SSDs are ___________________. Typically, SSDs are ___________________. Typically, SSDs are ___________________. Of the following control techniques/solutions, which can be combined to enhance the protections offered by each? Of the following control techniques/solutions, which can be combined to enhance the protections offered by each? Risk assessment is the responsibility of ___________________. Which entity can best aid the organization in avoiding vendor lock-in? Perhaps the best method for avoiding vendor lock-out is also a means for enhancing BC/DR capabilities. This is ___________________. ___________________ can often be the result of inadvertent activity. 
Of the following, which is probably the most significant risk in a managed cloud environment? What is the optimal number of entrances to the cloud data center campus? The cloud data center campus physical access point should include all of the following except ___________________. Where should multiple egress points be included? Which of the following is a risk in the cloud environment that does not exist or is not as prevalent in the traditional environment? All security controls necessarily ___________________. Which of the following is a risk in the cloud environment that does not exist or is not as prevalent in the traditional environment? Which of the following is a risk in the cloud environment that does not exist or is not as prevalent in the traditional environment? DDoS attacks do not affect ___________________ for cloud customers. Sprawl in the cloud can lead to significant additional costs to the organization because of ___________________. It is best to use variables in ___________________.