APPENDIX A

Exam Review Questions

The following are comprehensive exam review questions taken from the entirety of the six domains of material for the CCSP.

Questions

1.   Your organization has just been served with an eDiscovery order. Because the organization has moved to a cloud environment, what is the biggest challenge when it comes to full compliance with an eDiscovery order?

A.   Virtualization

B.   Data discovery

C.   Multitenancy

D.   Resource pooling

2.   Your organization is considering a move to a cloud environment and is looking for certifications or audit reports from cloud providers to ensure adequate security controls and processes. Which of the following is NOT a security certification or audit report that would be pertinent?

A.   FedRAMP

B.   PCI DSS

C.   FIPS 140-2

D.   SOC Type 2

3.   You are developing a new process for data discovery for your organization and are charged with ensuring that all applicable data is included. Which of the following is NOT one of the three methods of data discovery?

A.   Metadata

B.   Content analysis

C.   Labels

D.   Classification

4.   Management has requested that security testing be done against their live cloud-based applications, with the testers not having internal knowledge of the system. Not attempting to actually breach systems or inject data is also a top requirement. Which of the following would be the appropriate approach to take?

A.   Static application security testing

B.   Penetration testing

C.   Runtime application self-protection

D.   Dynamic application security testing

5.   Which of the following cloud categories would allow for the LEAST amount of customization by the cloud customer?

A.   IaaS

B.   SaaS

C.   PaaS

D.   DaaS

6.   Which phase of the risk management process involves an organization deciding how to mitigate risk that is discovered during the course of an audit?

A.   Assessing

B.   Framing

C.   Responding

D.   Monitoring

7.   During the testing phase of the SDLC, which of the following is NOT included as a core activity of testing?

A.   User testing

B.   Stakeholder testing

C.   Vulnerability scanning

D.   Auditing

8.   You have decided to use SOAP as the protocol for exchanging information between services for your application. Which of the following is the only data format that can be used with SOAP?

A.   SAML

B.   OAuth

C.   XML

D.   HTML

9.   A cloud provider is looking to provide a higher level of assurance to current and potential cloud customers about the design and effectiveness of its security controls. Which of the following audit reports would the cloud provider choose as the most appropriate to accomplish this goal?

A.   SAS 70

B.   SOC 1

C.   SOC 2

D.   SOC 3

10.   At which stage of the software development lifecycle is the most appropriate place to begin the involvement of security?

A.   Requirements gathering

B.   Design

C.   Testing

D.   Development

11.   Which of the following is NOT one of the main considerations with data archiving?

A.   Format

B.   Regulatory requirements

C.   Testing

D.   Encryption

12.   While an audit is being conducted, which of the following could cause management and the auditors to change the original plan in order to continue with the audit?

A.   Cost overruns

B.   Impact on systems

C.   Regulatory changes

D.   Software version changes

13.   Which of the following threat models has elevation of privilege as one of its key components and concerns?

A.   DREAD

B.   STRIDE

C.   HIPAA

D.   SOX

14.   What type of risk assessment is based on a documentation review and making informed judgment calls about risk from operational procedures and system designs?

A.   Computational

B.   Quantitative

C.   Qualitative

D.   Cursory

15.   With a SOC 2 auditing report, which of the following principles must always be included?

A.   Security

B.   Processing integrity

C.   Privacy

D.   Availability

16.   Which of the following would be used to isolate test systems from production systems within a cloud environment for testing or development purposes?

A.   Sandboxing

B.   Application virtualization

C.   Firewalling

D.   Puppet

17.   Which of the following is NOT an aspect of static application security testing (SAST)?

A.   Access to source code

B.   Offline system

C.   Knowledge of system configurations

D.   Live system

18.   Which of the following are the four cloud deployment models?

A.   Public, private, hybrid, and community

B.   Public, private, internal, and hybrid

C.   Internal, external, hybrid, and community

D.   Public, private, hybrid, and organizational

19.   Which of the following is a commonly used tool for maintaining software versioning and code collaboration?

A.   GitHub

B.   Chef

C.   Puppet

D.   Nessus

20.   Which of the following is NOT a core component of an SIEM solution?

A.   Correlation

B.   Aggregation

C.   Compliance

D.   Escalation

21.   Which of the following threat types is the MOST difficult for an organization to defend against and detect?

A.   Data loss

B.   Malicious insiders

C.   Insecure APIs

D.   Account hijacking

22.   Which of the following storage types are used with Infrastructure as a Service (IaaS)?

A.   Structured and unstructured

B.   File and database

C.   Object and volume

D.   Block and striped

23.   Which of the following data-sanitation approaches is always available within a cloud environment?

A.   Physical destruction

B.   Shredding

C.   Overwriting

D.   Cryptographic erasure

24.   Which of the following technologies will often make elasticity a bigger challenge in a cloud environment?

A.   IPS

B.   XML accelerator

C.   Vulnerability scanner

D.   Web application firewall

25.   Which of the following concepts involves the ability of cloud customers to easily move services from one cloud provider to another?

A.   Interoperability

B.   Portability

C.   Multitenancy

D.   Measured service

26.   What does the S stand for in the STRIDE threat model?

A.   Secure

B.   Structured

C.   Standard

D.   Spoofing

27.   Which of the following is NOT a major concern with encryption systems?

A.   Integrity

B.   Confidentiality

C.   Efficiency

D.   Key management

28.   Which of the following types of data is the United States’ HIPAA regulations concerned with?

A.   Financial

B.   Historical

C.   Healthcare

D.   Hybrid cloud

29.   Which of the following in a federated environment is responsible for consuming authentication tokens?

A.   Relying party

B.   Identity provider

C.   Cloud services broker

D.   Authentication provider

30.   Which phase of the cloud data lifecycle involves processing by a user or application?

A.   Create

B.   Share

C.   Store

D.   Use

31.   Which of the following is NOT a state of data that is important for security and encryption?

A.   Data in use

B.   Data in transit

C.   Data at rest

D.   Data in archive

32.   Which of the following is a standard and certification for cryptographic modules?

A.   FIPS 199

B.   FIPS 140

C.   FIPS 201

D.   FIPS 153

33.   The use of which of the following technologies will NOT require the security dependency of an operating system, other than its own?

A.   Management plane

B.   Type 1 hypervisor

C.   Type 2 hypervisor

D.   Virtual machine

34.   Which of the following threats involves sending untrusted data to a user’s browser in an attempt to have it executed using the user’s permissions and access?

A.   Cross-site scripting

B.   Injection

C.   Unvalidated redirects

D.   Man in the middle

35.   Which of the following involves assigning an opaque value to sensitive data fields to protect confidentiality?

A.   Obfuscation

B.   Masking

C.   Tokenization

D.   Anonymization

36.   Which of the following is NOT one of the security domains presented within the Cloud Controls Matrix?

A.   Financial security

B.   Mobile security

C.   Data center security

D.   Interface security

37.   Which ISO/IEC standards set documents the cloud definitions for staffing and official roles?

A.   ISO/IEC 27001

B.   ISO/IEC 17788

C.   ISO/IEC 17789

D.   ISO/IEC 27040

38.   Which of the following pieces of information is NOT included as part of PII as a direct identifier?

A.   Address

B.   ZIP Code

C.   Biometric records

D.   Phone number

39.   Which concept pertains to the risk an organization entails in regard to the ability to move between cloud providers at a later date?

A.   Interoperability

B.   Reversibility

C.   Portability

D.   Broad network access

40.   Which of the following is NOT one of the core building blocks of cloud computing?

A.   CPU

B.   Memory

C.   Storage

D.   Hardware

41.   You have been tasked with creating an audit scope statement and are making your project outline. Which of the following is NOT typically included in an audit scope statement?

A.   Statement of purpose

B.   Deliverables

C.   Classification

D.   Costs

42.   With a multifactor authentication system, which of the following would NOT be appropriate as a secondary factor after a password is used?

A.   Fingerprint

B.   RSA token

C.   Text message

D.   PIN code

43.   Which of the following ISO/IEC standards pertains to eDiscovery processes and best practices?

A.   ISO/IEC 27050

B.   ISO/IEC 17789

C.   ISO/IEC 27001

D.   ISO/IEC 17788

44.   Which of the following is NOT one of the cloud computing activities, as outlined in ISO/IEC 17789?

A.   Cloud service provider

B.   Cloud service partner

C.   Cloud service administrator

D.   Cloud service customer

45.   Which act relates to the use and protection of PII with financial institutions?

A.   SOX

B.   GLBA

C.   HIPAA

D.   PCI DSS

46.   Which of the following is NOT one of the cloud service capabilities?

A.   Infrastructure

B.   Network

C.   Platform

D.   Software

47.   Which of the following would NOT be used to determine the classification of data?

A.   Metadata

B.   PII

C.   Creator

D.   Future use

48.   What is the prevailing factor for determining which regulations apply to data that is housed in a cloud environment?

A.   PII

B.   Classification

C.   Population

D.   Location

49.   Which concept involves applying standardized configurations and settings to systems to ensure compliance with policy or regulatory requirements?

A.   Images

B.   Repudiation

C.   Baselines

D.   Interoperability

50.   Your company has just been served with an eDiscovery order to collect event data and other pertinent information from your application during a specific period of time, to be used as potential evidence for a court proceeding. Which of the following, apart from ensuring that you collect all pertinent data, would be the MOST important consideration?

A.   Encryption

B.   Chain of custody

C.   Compression

D.   Confidentiality

51.   Which of the following concepts will ensure that no single host or cloud customer can consume enough resources to impact other users on the same system?

A.   Limits

B.   Multitenancy

C.   Reservations

D.   Shares

52.   Which of the following roles is responsible in many organizations for overseeing access requests for data utilization and ensuring that policies are followed and proper approvals are granted?

A.   Data owner

B.   Data steward

C.   Data processor

D.   Data controller

53.   Which of the following is directly part of the “metered” costs associated with PaaS?

A.   Staffing

B.   Development

C.   Licensing

D.   Auditing

54.   Many highly regulated data types and systems will have specialized regulatory requirements that extend further than the regulatory requirements that apply to all data. Which of the following is NOT a specialized regulatory framework that has its own compliance requirements?

A.   FedRAMP

B.   HIPAA

C.   FIPS 140-2

D.   PCI DSS

55.   Which cloud deployment model offers the most control and ownership over systems and operations for an organization?

A.   Private

B.   Public

C.   Community

D.   Hybrid

56.   Which of the following is encryption MOST intended to address?

A.   Integrity

B.   Availability

C.   Data loss

D.   Confidentiality

57.   To test some new application features, you want to isolate applications within the cloud environment from other applications and systems. Which of the following approaches would be the MOST appropriate to accomplish this?

A.   Sandboxing

B.   Application virtualization

C.   Honeypot

D.   Federation

58.   Which of the following would NOT be included as input into the requirements gathering for an application or system?

A.   Users

B.   Management

C.   Regulators

D.   Auditors

59.   Which phase of the SDLC process includes the selection of the application framework and programming languages to be used for the application?

A.   Requirement gathering

B.   Development

C.   Design

D.   Requirement analysis

60.   Which regulation was designed to optimize personal privacy of, and control over, personal data?

A.   GDPR

B.   HIPAA

C.   SOX

D.   GLBA

61.   Which concept involves the maintenance of resources within a cloud environment to ensure resources are available when and where needed?

A.   Dynamic optimization

B.   Auto-scaling

C.   Elasticity

D.   Resource pooling

62.   Which type of storage with IaaS will be maintained by the cloud provider and referenced with a key value?

A.   Structured

B.   Object

C.   Volume

D.   Unstructured

63.   When an audit plan is being prepared, four distinct steps are done in sequence. Which of the following is the second step, after the defining of objectives?

A.   Define scope

B.   Conduct audit

C.   Identify stakeholders

D.   Gather documentation

64.   Which of the following technology concepts is listed specifically as its own domain as part of ISO/IEC 27001:2013?

A.   Firewalls

B.   IPS

C.   Honeypots

D.   Cryptography

65.   What are the two main types of APIs used with cloud-based systems and applications?

A.   REST and SOAP

B.   XML and SOAP

C.   REST and XML

D.   HTTPS and REST

66.   You have been tasked by management to offload processing and validation of incoming encoded data from your application servers and their associated APIs. Which of the following would be the most appropriate device or software to consider?

A.   XML accelerator

B.   XML firewall

C.   Web application firewall

D.   Firewall

67.   What is used with a single sign-on system for authentication after the identity provider has successfully authenticated a user?

A.   Token

B.   Key

C.   XML

D.   SAML

68.   Which document will enforce uptime and availability requirements between the cloud customer and cloud provider?

A.   Contract

B.   Operational level agreement

C.   Service level agreement

D.   Regulation

69.   Which of the following concepts makes repeated audits and verification much more difficult in a cloud environment versus a traditional data center?

A.   Multitenancy

B.   Resource pooling

C.   Elasticity

D.   Virtualization

70.   The security principle of the SOC 2 reports consists of seven categories. Which of the following is NOT one of the seven categories?

A.   Monitoring of controls

B.   Legal compliance controls

C.   Change management

D.   System operations

71.   Which privacy standard was developed as a joint effort between AICPA and the CICA?

A.   GLBA

B.   HIPAA

C.   GAPP

D.   ISO/IEC 27001

72.   Which cross-cutting aspect relates to the ability for a cloud customer to remove their data and systems from a cloud provider and be afforded assurances that it has been securely removed?

A.   Portability

B.   Reversibility

C.   Sanitation

D.   Wiping

73.   Which protocol is the current default and industry standard for encrypting traffic across a network?

A.   TLS

B.   SSL

C.   IPsec

D.   DNSSEC

74.   Which network concept is used within a cloud environment to segregate and isolate network segments from other systems or applications?

A.   Subnets

B.   VLANs

C.   Gateways

D.   IPsec

75.   Which jurisdiction, through Directive 95/46, enacted in 1995, declared data privacy to be a human right?

A.   United States

B.   European Union

C.   Russia

D.   Japan

76.   What type of encryption allows for the manipulation of encrypted data without having to first unencrypt it?

A.   Homomorphic

B.   Symmetric

C.   Asymmetric

D.   Public key

77.   Which of the following threat models includes discoverability as a key component and concern?

A.   DREAD

B.   SOX

C.   STRIDE

D.   CSA Treacherous 12

78.   From a legal perspective, data that is covered under eDiscovery falls into three different categories. Which of the following is NOT one of the three?

A.   Possession

B.   Shared

C.   Control

D.   Custody

79.   Which of the following would be covered by an external audit and NOT by an internal audit?

A.   Security controls

B.   Costs

C.   Operating efficiency

D.   System design

80.   What is the most prevalent communications protocol for network-based storage solutions within a data center?

A.   iSCSI

B.   TCP

C.   TLS

D.   NetBIOS

81.   Which of the following security responsibilities is always solely under the cloud provider?

A.   Infrastructure

B.   Data

C.   Physical

D.   Application

82.   Your organization has made it a top priority that any cloud environment being considered to host production systems have guarantees that resources will always be available for allocation when needed. Which of the following concepts will you need to ensure is part of the contract and SLA?

A.   Limits

B.   Shares

C.   Resource pooling

D.   Reservations

83.   Which is the most commonly used standard for information exchange within a federated identity system?

A.   OAuth

B.   OpenID

C.   SAML

D.   WS-Federation

84.   Which of the following common threats involves an organization not placing sufficient controls and oversight on its systems and data protection?

A.   Data loss

B.   System vulnerabilities

C.   Insufficient due diligence

D.   Advanced persistent threats

85.   Which of the following groups would NOT be appropriate to share a SOC 1 report with?

A.   Regulators

B.   Potential customers

C.   Current customers

D.   Management

86.   With data in transit, which of the following will be the MOST major concern in order for a DLP solution to properly work?

A.   Scalability

B.   Encryption

C.   Redundancy

D.   Integrity

87.   Which of the following, if important to the cloud customer or required by regulation, is something that must be addressed by a contract, versus an SLA, to ensure compliance?

A.   Certifications

B.   Availability

C.   Incident management

D.   Elasticity

88.   Which of the following aspects of the physical environment is considered an external redundancy issue?

A.   Generators

B.   Cooling chillers

C.   Power distribution units

D.   Storage systems

89.   Which of the following methods is often used to obscure data from production systems for use in test or development environments?

A.   Tokenization

B.   Encryption

C.   Masking

D.   Classification

90.   As part of an audit, systems and processes are tested to evaluate whether they are in compliance with regulatory or organizational policy requirements. What is the official term for determining any discrepancies between the real and desired states?

A.   Audit findings

B.   Gap analysis

C.   Audit deficiency

D.   Compliance analysis

91.   In a cloud environment, apart from confidentiality, what is the MOST important factor to consider with a key management system?

A.   Integrity

B.   Nonrepudiation

C.   Availability

D.   Archiving

92.   Which of the following top security threats involves attempting to send invalid commands to an application in an attempt to get the application to execute the code?

A.   Cross-site scripting

B.   Injection

C.   Insecure direct object references

D.   Cross-site request forgery

93.   Which of the key aspects of security is concerned with ensuring information and data is in its intended format and has not been altered?

A.   Integrity

B.   Confidentiality

C.   Availability

D.   Privacy

94.   Which of the following has user training as a primary means of combating and mitigating its success against a cloud application?

A.   Data breaches

B.   Account hijacking

C.   Advanced persistent threats

D.   Malicious insiders

95.   You have been tasked with developing a list of requirements for cabling design in a new data center as well as ensuring that any designs developed by the networking team meet standards. Which standard should you consult?

A.   IDCA

B.   BICSI

C.   Uptime Institute

D.   NFPA

96.   Which network protocol is essential for allowing automation and orchestration within a cloud environment?

A.   DNSSEC

B.   DHCP

C.   IPsec

D.   VLANs

97.   Which of the following tools has the ability to analyze incoming traffic for patterns and content and take appropriate actions based on them before the traffic reaches the actual applications?

A.   XML accelerator

B.   XML firewall

C.   Web application firewall

D.   Firewall

98.   The ISO/IEC 27018 standard focuses on privacy in cloud computing and consists of five main principles. Which of the following is NOT one of the principles established in the standard?

A.   Communication

B.   Consent

C.   Yearly audit

D.   Penalties for privacy violations

99.   Which of the following concepts of cloud computing necessitates the logical separation of systems that would normally be done by physical separation in a traditional data center?

A.   Resource pooling

B.   Multitenancy

C.   Elasticity

D.   Measured service

100.   Your boss has tasked you with preparing to use containers for the application that your team supports. Which of the following is NOT a focus of your deployment plan?

A.   Configurations

B.   Code

C.   Operating system

D.   Libraries

101.   Which common threat is mitigated by the use of DNSSEC?

A.   Spoofing

B.   Snooping

C.   XSS

D.   DDoS

Quick Answers

1.   B

2.   C

3.   D

4.   D

5.   B

6.   C

7.   D

8.   C

9.   D

10.   A

11.   D

12.   B

13.   B

14.   C

15.   A

16.   A

17.   D

18.   A

19.   A

20.   D

21.   B

22.   C

23.   D

24.   A

25.   B

26.   D

27.   A

28.   C

29.   A

30.   D

31.   D

32.   B

33.   B

34.   A

35.   C

36.   A

37.   B

38.   B

39.   C

40.   D

41.   D

42.   D

43.   A

44.   C

45.   B

46.   B

47.   D

48.   D

49.   C

50.   B

51.   A

52.   B

53.   C

54.   C

55.   A

56.   D

57.   B

58.   D

59.   D

60.   A

61.   A

62.   B

63.   A

64.   D

65.   A

66.   A

67.   A

68.   C

69.   D

70.   B

71.   C

72.   B

73.   A

74.   B

75.   B

76.   A

77.   A

78.   B

79.   A

80.   A

81.   C

82.   D

83.   C

84.   C

85.   B

86.   B

87.   A

88.   A

89.   C

90.   B

91.   C

92.   B

93.   A

94.   C

95.   B

96.   B

97.   C

98.   D

99.   B

100.   C

101.   A

Questions and Comprehensive Answer Explanations

1.   Your organization has just been served with an eDiscovery order. Because the organization has moved to a cloud environment, what is the biggest challenge when it comes to full compliance with an eDiscovery order?

A.   Virtualization

B.   Data discovery

C.   Multitenancy

D.   Resource pooling

B. Data discovery in a cloud environment encounters significant challenges due to the distributed nature of cloud computing. A primary concern with eDiscovery is determining all of the applicable data and locating it for collection and preservation. Within a cloud environment, locating the data and ensuring that all locations have been found can be a difficult process and will require the cooperation of both the cloud provider and the cloud customer, with procedures outlined in the contract and SLAs.

A is incorrect because while virtualization forms the backbone of a cloud environment, the actual use of virtual machines does not increase the difficulty of data discovery, even if it does mean that assistance may be needed from the cloud provider for the actual data collection. With physical hardware, it is very easy to fully isolate and gather information because support staff will have full control of and access to the systems at all levels.

C is incorrect because multitenancy involves hosting different systems and applications, from different organizations, within the same cloud environment and sharing resources between them. Although this can pose an additional challenge, depending on the scope of the eDiscovery order and the data it pertains to, data discovery as a broad topic is the more appropriate answer.

D is incorrect because resource pooling is the sharing of resources between many different customers and systems, allowing for the aggregation of resources and the sharing of load across them. This will not have any impact on data-discovery processes.

2.   Your organization is considering a move to a cloud environment and is looking for certifications or audit reports from cloud providers to ensure adequate security controls and processes. Which of the following is NOT a security certification or audit report that would be pertinent?

A.   FedRAMP

B.   PCI DSS

C.   FIPS 140-2

D.   SOC Type 2

C. FIPS 140-2 is a security standard from the United States federal government that pertains to the accreditation of cryptographic modules. While this is important to security processes and controls, it is not a certification or audit report that attests to an organization’s overall security controls, policies, or operations.

A is incorrect because the Federal Risk and Authorization Management Program (FedRAMP) is a program under the U.S. government for ensuring adequate security policies, practices, and configurations when using cloud-based resources and services. It offers certifications at different classification levels for federal agencies to use in their security monitoring and auditing and ensures they comply with specific, established security standards.

B is incorrect because the Payment Card Industry Data Security Standard (PCI DSS) is an industry security standard for organizations that process and handle credit card transactions from the major credit card vendors and platforms. PCI DSS certification can be obtained, or required, by complying with and verifying security standards and policies.

D is incorrect because the Service Organization Control (SOC) Type 2 reports focus on the nonfinancial aspects of an organization’s systems, specifically related to security, privacy, availability, processing integrity, and confidentiality. They are produced after thorough audits and reviews, and can be used to assure clients of security controls and policies meeting specific standards and requirements.

3.   You are developing a new process for data discovery for your organization and are charged with ensuring that all applicable data is included. Which of the following is NOT one of the three methods of data discovery?

A.   Metadata

B.   Content analysis

C.   Labels

D.   Classification

D. Classification is the overall process of using certain attributes about data and then applying appropriate security controls to that data. Classification is applied after data discovery has been completed, and it pertains only to the application of security controls, not the actual process of discovering or determining data.

A is incorrect because metadata is essentially data about data. It contains information about the data, such as the type, how it is stored, how it is organized, how it was created, or how it is used. Metadata can also include headers and organizational markings, such as column or field names in a database or a spreadsheet.

B is incorrect because content analysis is actually looking at the data itself to make decisions based on what it is. This can include a person looking at it manually, or the use of tools such as checksums, heuristics, or statistical analysis to determine its content for the purposes of data discovery.

C is incorrect because labels are groupings or categorizations that have been applied to data either by personnel or by automated means. They are typically applied based on the characteristics or content of the data, which is then matched against criteria to be included under such a label. Unlike metadata, labels are only as good as how standardized they are and how thoroughly they are used throughout an environment. If they are not applied in a standardized way or comprehensively across all data sets, their usefulness to data discovery will be greatly diminished.

4.   Management has requested that security testing be done against their live cloud-based applications, with the testers not having internal knowledge of the system. Not attempting to actually breach systems or inject data is also a top requirement. Which of the following would be the appropriate approach to take?

A.   Static application security testing

B.   Penetration testing

C.   Runtime application self-protection

D.   Dynamic application security testing

D. Dynamic application security testing is done against a system or application in its actual runtime state, and the testers do not have specific knowledge about the configurations or technologies employed on it. Unlike static application security testing, dynamic testing must discover all interfaces and paths to test, but unlike penetration testing, it does not attempt to actively exploit vulnerabilities that could cause system outages, impact to users, or damage to the system or data.

A is incorrect because static application security testing is done against offline systems, and the testers have knowledge ahead of time about the application and its configuration. This can include documentation about system design and the specific technologies used, as well as access to the source code and programming libraries that the application was built upon. Because the testing is done against offline systems, it does not have the ability to impact production systems or users while the testing is being completed.

B is incorrect because penetration testing is done against an application where the testers do not have any particular knowledge of the system or application. They would not know the specific technologies or toolsets used in the development of the application, or information about the runtime environment and the technologies it is built upon. Penetration testing is done using the same toolsets and tactics that hackers would use to attack the system in a real situation, and it is intended to determine security vulnerabilities in a proactive manner, allowing for patching or mitigation before hackers are able to discover the same exploits and successfully use them.

C is incorrect because runtime application self-protection is the ability of a system or application to detect and respond to security threats and attacks in an automated manner. It is intended for applications to be able to respond to real-world attacks and scenarios in real time and apply mitigation tactics to stop the attacks immediately, allowing administrative or security personnel to review when available and provide further tuning or to investigate further.

5.   Which of the following cloud categories would allow for the LEAST amount of customization by the cloud customer?

A.   IaaS

B.   SaaS

C.   PaaS

D.   DaaS

B. Software as a Service allows the least amount of customization by the cloud customer. With the entire system and application under control of the cloud provider, the cloud customer will only have minimal options for customization, which typically is limited to branding or the selection of default options or settings.

A is incorrect because Infrastructure as a Service allows the most customization by the cloud customer. While the cloud provider is solely responsible for the physical infrastructure and appliances of a cloud environment, the cloud customer has enormous control over storage, network settings, virtual machines, and identity and access control systems. With this level of control, the cloud customer can choose which technologies and configurations to use, typically without any involvement from the cloud provider.

C is incorrect because Platform as a Service, while not allowing full control at the operating system level like IaaS, allows tremendous control over application environments and configurations, as well as sole control over the code that is deployed and configured for the applications. PaaS allows the cloud customer to choose the underlying operating system, application frameworks, and programming libraries and interfaces that are used within the environment.

D is incorrect because Desktop as a Service works as a virtual desktop where configurations and installations are stored remotely and accessed over the network. It offers substantial security and recoverability features because the device is no longer the holder of data or software. Although it is centrally maintained, it offers more flexibility as far as configuration, software packages deployed, and customization than a SaaS solution offers to users.

6.   Which phase of the risk management process involves an organization deciding how to mitigate risk that is discovered during the course of an audit?

A.   Assessing

B.   Framing

C.   Responding

D.   Monitoring

C. Responding is the stage of the risk management process in which an organization determines, based on the exact nature of the risk finding as well as the potential costs and effort involved in mitigation, the appropriate direction to take. The organization may decide to accept the risk “as is,” which is typically an option when the finding is of a low or possibly moderate classification. It can opt to avoid the risk by employing countermeasures or changes in operations so that the risk is never realized, which is typically accomplished by disabling or blocking access to certain functions or interfaces. It can also opt to transfer the risk to another entity, which, although not always possible, will typically be in the form of insurance. Lastly, the organization can decide to mitigate the risk through the use of applicable technologies, configuration changes, or code changes to remove or lessen the vulnerability or exposure.

A is incorrect because the process of assessing risk involves evaluating potential vulnerabilities, coupled with the likelihood of occurrence and the possible damage from a successful exploit, and then assigning a risk classification value (ranging from minimal to critical). In some instances, the assigning of a risk level will be automatically dictated by regulatory requirements, depending on the type of data and application involved. This value and rating will then be used in the responding phase to determine the appropriate course of action based on the risk exposure, the risk appetite of the organization, and the costs associated with mitigation.

B is incorrect because the framing stage of the risk management process is where the overall risk assessment is defined and scoped. The organization will determine during framing what risk and levels it wants to evaluate, based on specific threats, regulation, or the type of data that is used. This will guide the overall risk assessment process from start to finish.

D is incorrect because the main purpose of the monitoring phase is to track risks and evaluations of them over time to determine if they are still applicable, and if the same level of risk classification still applies. This will also incorporate changes from the regulatory perspective and ongoing threats, and can serve as a continual risk management and assessment process for the organization.

7.   During the testing phase of the SDLC, which of the following is NOT included as a core activity of testing?

A.   User testing

B.   Stakeholder testing

C.   Vulnerability scanning

D.   Auditing

D. Although many different types of testing are done at this phase, auditing is not one of them. Testing, as part of the SDLC process, is highly focused on functional and operational readiness, both from a stability perspective and from the perspective of meeting functional requirements. The testing phase does include security scanning, but not to the extent of formal audits and evaluations.

A is incorrect because user testing involves having actual users test the application to see if it performs as expected and desired. This is very important overall because it will be a similar experience for all users of the application, and any features that are difficult to use or any aspects that are confusing to users will come to light, and possible fixes can be explored before the application is released to all users. With most testing, application developers and stakeholders are so involved in the application and how it is supposed to work, it is difficult for them to do proper testing and see things from the perspective of actual users, especially those who are new to the application or are encountering the new features being deployed. This will also bring out any user actions and behaviors that cause error conditions or incorrect data inputs that were not considered when the application and error checking were defined and coded.

B is incorrect because stakeholder testing involves management, strategic partners, internal experts, and possibly customers if done as part of a contract for development. These groups are the core investors and administrators of the system or application as well as those who have a vested interest in it and an intimate knowledge of it and how it should operate. Testing by this group should be thorough, using scripted regression testing that evaluates all aspects of the application, including specific targeted testing for new and updated features as part of the code release.

C is incorrect because while much of the testing phase is focused on functional and usability testing by populations of users and stakeholders, vulnerability scanning is also crucial at this stage. Although not a comprehensive audit, scanning should be done using standard tools with full signature sets to detect any common vulnerabilities, especially any code or functions that are vulnerable to XSS or injection attacks.

8.   You have decided to use SOAP as the protocol for exchanging information between services for your application. Which of the following is the only data format that can be used with SOAP?

A.   SAML

B.   OAuth

C.   XML

D.   HTML

C. The SOAP protocol only uses XML as a data format for exchanging information. XML is a free, open standard for encoding documents and data in a format that is both machine and human readable. XML is designed to be extremely flexible and to handle any type of data formatting, which makes it ideal for web services. XML is widely used across all platforms and many different application frameworks and programming languages.

A is incorrect because SAML is a free, open standard that is built on XML, and is intended to be used for authentication and authorization data exchange between identity and service providers. While it is similar to and built on top of XML, it is used for the specific purposes of authentication and authorization and is not appropriate to use for general web services, specifically within the SOAP protocol, which requires XML.

B is incorrect because OAuth is an authentication mechanism that allows users to authenticate to many different applications or web services using commonly used credentials, such as Google, Facebook, Twitter, and so on. It enables users to use credentials they already have, without having to create an account on each system or application, and without their credentials ever being exposed. It is an open standard that any system or application is free to use and leverage.

D is incorrect because HTML forms the backbone of web pages and web design, and is used as markup language to enable web browsers to render and display content. Although it is widely used and will be crucial to any web-based application, it is not used to encode information to be used by web services or protocols such as SOAP.

9.   A cloud provider is looking to provide a higher level of assurance to current and potential cloud customers about the design and effectiveness of its security controls. Which of the following audit reports would the cloud provider choose as the most appropriate to accomplish this goal?

A.   SAS 70

B.   SOC 1

C.   SOC 2

D.   SOC 3

D. SOC reports are done to test controls in place within an organization for financial or other systems. SOC 3 reports specifically are intended for general use and exposure, so they would be appropriate to use for potential cloud customers or put out for public consumption and review.

A is incorrect because SAS 70 reports have largely been phased out and replaced by SOC 1 reports. When they were in routine use, SAS 70 reports were considered “restricted audience,” and as such would not be appropriate for potential customers or current customers. They were intended for internal audit or regulatory compliance review.

B is incorrect because SOC 1 reports are considered restricted-use reports, much the same as their predecessor, the SAS 70 reports. They would not be appropriate for use with potential customers, because they are restricted for internal use only and are also focused only on financial controls.

C is incorrect because SOC 2 reports are very similar to SOC 3 reports, in that they cover security controls and go beyond the financial control limitation of SOC 1 reports. However, SOC 2 reports are not meant for general use and, in this particular example, potential customers.

10.   At which stage of the software development lifecycle is the most appropriate place to begin the involvement of security?

A.   Requirements gathering

B.   Design

C.   Testing

D.   Development

A. Security should be involved at all times in the SDLC process, including from the very initial stages of requirements gathering. Security can provide guidance on requirements from the regulatory perspective and the necessary security controls that they dictate. By not involving security from the earliest stages, an organization can incur substantial risk for software development because security controls and requirements may be missed or inadequate, requiring later revisions or fixes. This can add additional costs and time to software development projects that are largely avoidable by including security from the outset. It also serves to foster better cooperation and to limit the perception prevalent in many organizations that security is a hindrance or roadblock in development and operations.

B is incorrect because at the design stage, specific decisions are made as to which technologies and programming languages will be used with development. At this point, requirements have already been gathered and scoped, and it is very possible that security requirements have been missed or misunderstood. Although this is still early in the process, and changes are much easier to make at this stage than at later stages, it still adds additional time and costs that could have largely been avoided.

C is incorrect because by the testing stage, development has been either mostly or completely finished, and it is far too late to start the involvement of security. Although security will play a role in the testing phase as far as vulnerability scanning and evaluation of security controls and their implementations go, many security concerns or requirements will likely have been missed throughout the overall development. Because this stage serves as the final approval before release to production, any changes in design or code based on discovered security concerns will likely incur substantial costs and delays; depending on the publicity that may have been done for the release, or requirements to meet fixed deadlines, these delays can carry significant risk to an organization.

D is incorrect because during the development stage, actual coding and implementations are done, based on requirements and decisions made during the design phase. At this stage, the lack of security could lead to a return to the design phase to mitigate concerns or deficiencies, which will in turn delay the project, and will likely add additional costs to the overall project.

11.   Which of the following is NOT one of the main considerations with data archiving?

A.   Format

B.   Regulatory requirements

C.   Testing

D.   Encryption

D. Although encryption will be used in many archiving solutions and implementations, it is not always a requirement, and will be largely subjective, based on the type of data and the archiving method chosen. It is not considered, by itself, to be a major consideration with archiving.

A is incorrect because the format of archives is very important to consider, both at the time of archiving and for the long-term considerations involved. The format chosen will have to be one that properly ensures archiving and readability. Failure to pick a format that is recoverable for the duration of the required archiving term will expose an organization to substantial risk for noncompliance with data-retention requirements.

B is incorrect because in most instances, requirements for data retention, and possibly even archiving methods, will come from regulatory requirements. Depending on the type of data and its use, regulations will typically require minimum periods of archiving and data retention. In some instances, regulatory requirements will also dictate the time of recovery, in which case regulations will play a large role in the exact methods and technologies chosen for archiving. Also, an organization needs to ensure that it can recover data for the duration of the retention requirements. It serves no purpose and doesn’t satisfy compliance requirements if the data being archived for a period of time cannot be recovered.

C is incorrect because in order for an archiving system to be considered valid and sound, it must be tested to ensure restoration and access are functional. Without this level of assurance, there is no point in having the archives in the first place. Testing should be done at regular intervals and follow the same procedures as those used for actual recoveries and restorations.

12.   While an audit is being conducted, which of the following could cause management and the auditors to change the original plan in order to continue with the audit?

A.   Cost overruns

B.   Impact on systems

C.   Regulatory changes

D.   Software version changes

B. During an audit, even after extensive planning and scoping, there may end up being negative impacts on the environment and the performance of systems. Although testing should ideally be done against offline systems, that is not always possible in all environments, and may cause potential service interruptions or slowdowns with the systems being tested. If this were to occur, it will be a decision by management as to whether to continue with the audit or to modify the scope or approach.

A is incorrect because cost issues and budgeting would be completed before the audit begins. Once the audit has begun and the original scope and process are followed, costs should not be a dynamic value and should have no impact on the audit proceeding as planned.

C is incorrect because regulatory changes during an actual audit would have no impact on the current audit. Since the audit scope and requirements are done before the audit begins, any changes after that would be captured by future audits. Also, regulatory changes happen over time, and even if new regulations were released during an audit, they would almost certainly have a future implementation and enforcement date.

D is incorrect because software changes or releases would be suspended during auditing periods within any organization. Organizations almost always use an audit period as a freeze for configuration and version changes so that the environment is consistent and static while undergoing testing. The exception to this would be limited changes to mitigate auditing findings during the actual audit so that they can be closed before becoming official, but those changes would be very specific and limited in scope.

13.   Which of the following threat models has elevation of privilege as one of its key components and concerns?

A.   DREAD

B.   STRIDE

C.   HIPAA

D.   SOX

B. The E in the acronym for the STRIDE threat model stands for “elevation of privilege.” Elevation of privilege occurs as a threat to applications and systems that use a common login method and then display specific functions or data to users based on their role, with administrative users having the same initial interface as regular users. If the application is not properly coded and performing authorization checks within each function, it is possible for users to authenticate and change their level of access once they are within the application, even gaining administrative access if access controls are not properly enforced.

A is incorrect because the DREAD model does not include elevation of privilege. While the DREAD model also contains an E in its acronym, in this instance it represents “exploitability,” which is a quantitative measure of the skills and resources needed for someone to successfully exploit a weakness. The value will be within a range of 0 to 10, with 0 representing extensive knowledge and resources needed to exploit and 10 representing no specific knowledge or skill required to exploit.

C is incorrect because HIPAA refers to the U.S. Health Insurance Portability and Accountability Act of 1996. It covers the privacy and security of patient medical information.

D is incorrect because SOX refers to the U.S. Sarbanes-Oxley Act of 2002. SOX is intended to protect the public and shareholders from accounting and fraudulent practices by corporations. In addition, it requires that certain information be disclosed to the public.
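The elevation-of-privilege scenario described in the STRIDE explanation above (a common login, with authorization checks missing inside individual functions) can be illustrated in code. The following is an added example, not code from this book: it uses a constructed in-memory user store and constructed roles ("user" and "admin"), and shows a handler that only verifies authentication beside one that enforces the caller's role inside the privileged function itself.

```python
"""Function-level authorization: a STRIDE elevation-of-privilege illustration.

Constructed example. A shared login path issues the same kind of session to
every user; the vulnerable handler assumes only admins will ever reach it,
while the hardened handler checks the role on every call.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    role: str  # constructed roles: "user" or "admin"


# Constructed user store shared by both handlers (hypothetical data).
USERS = {"alice": "admin", "bob": "user"}


class AuthorizationError(Exception):
    pass


def login(user: str) -> Session:
    """Common login method: regular and administrative users get the same session type."""
    return Session(user=user, role=USERS[user])


# Vulnerable: the interface hides the admin menu from regular users, but the
# function itself only checks that *someone* is logged in. Any authenticated
# user who reaches the function (for example by calling its URL directly)
# can delete accounts, which is exactly the privilege escalation STRIDE names.
def delete_user_vulnerable(session: Session, target: str) -> bool:
    if session is None:
        raise AuthorizationError("login required")
    USERS.pop(target, None)
    return True


# Hardened: authorization is enforced inside every privileged function,
# independent of what the user interface chooses to display.
def require_role(role: str):
    def decorator(fn):
        def wrapper(session: Session, *args, **kwargs):
            if session is None:
                raise AuthorizationError("login required")
            if session.role != role:
                raise AuthorizationError(f"{session.user} is not {role}")
            return fn(session, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def delete_user_hardened(session: Session, target: str) -> bool:
    USERS.pop(target, None)
    return True


def demo() -> dict:
    """Exercise both handlers as the non-admin user 'bob' and report the outcome."""
    bob = login("bob")
    USERS["carol"] = "user"
    vulnerable_deleted = delete_user_vulnerable(bob, "carol")  # succeeds: escalation
    USERS["carol"] = "user"  # restore the account for the second attempt
    try:
        delete_user_hardened(bob, "carol")
        hardened_deleted = True
    except AuthorizationError:
        hardened_deleted = False
    return {
        "vulnerable_deleted": vulnerable_deleted,
        "hardened_deleted": hardened_deleted,
        "carol_still_exists": "carol" in USERS,
    }
```

The decorator is one way to make the check impossible to forget; the design point is that the authorization decision lives with the privileged operation, not with the menu that exposes it.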

14.   What type of risk assessment is based on a documentation review and making informed judgment calls about risk from operational procedures and system designs?

A.   Computational

B.   Quantitative

C.   Qualitative

D.   Cursory

C. Qualitative risk assessments are based on documentation and other data about systems and applications that are not easily converted into numerical values for comparison. They are often done in situations where an organization does not have the time or money to complete a more exhaustive quantitative assessment. After a thorough review of documentation, systems design, policies, and operational practices, risk categories can be assigned for management review based on the likelihood of threats being exploited, as well as the potential damage that could occur if they were successfully exploited.

A is incorrect because computational is not a type of risk assessment.

B is incorrect because quantitative risk assessments are based on numerical data and metrics. With the availability of quantified data and risks, real calculations can be performed during a quantitative assessment. This will include the values for single loss expectancy (SLE), the annualized rate of occurrence (ARO), and the derived annualized loss expectancy (ALE). These values and calculations can give management hard data and cost numbers to make informed risk mitigation or acceptance decisions.

D is incorrect because cursory is not a type of risk assessment.
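The quantitative values named in the explanation of B (SLE, ARO, and the derived ALE) can be carried through to the mitigate-or-accept decision that management makes from them. This is an added example, not part of this book; the asset value, exposure factor, occurrence rate and control costs are constructed figures, and the net-benefit rule used to rank controls is an assumption of the example rather than a rule the book states.

```python
"""Quantitative risk arithmetic: SLE, ARO, ALE, and a cost-based mitigation decision.

Constructed example. SLE = asset value x exposure factor; ALE = SLE x ARO.
A control is worth buying only if the ALE it removes exceeds its annual cost.
"""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: the loss from one incident. exposure_factor is the fraction of the asset lost."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected yearly loss, given ARO incidents per year (may be fractional)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def net_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Yearly benefit of a control: ALE reduction minus what the control costs per year."""
    return (ale_before - ale_after) - annual_cost


def choose_response(asset_value: float, exposure_factor: float, aro: float,
                    controls: dict) -> tuple:
    """Return ("mitigate", control_name) for the best control with a positive net
    benefit, or ("accept", None) when no control pays for itself.

    controls maps a name to (new_aro, annual_cost): the residual occurrence rate
    after the control is in place, and its yearly cost (constructed inputs).
    """
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale_now = annualized_loss_expectancy(sle, aro)
    best_name, best_value = None, 0.0
    for name, (new_aro, cost) in controls.items():
        value = net_benefit(ale_now, annualized_loss_expectancy(sle, new_aro), cost)
        if value > best_value:
            best_name, best_value = name, value
    return ("mitigate", best_name) if best_name else ("accept", None)


# Constructed scenario: a $500,000 asset, 40% lost per incident, one incident
# every two years; two candidate controls with different residual rates and costs.
SCENARIO = dict(asset_value=500_000.0, exposure_factor=0.4, aro=0.5)
CONTROLS = {
    "backup_and_dr": (0.1, 30_000.0),   # cuts ARO to 0.1 for $30k/yr
    "gold_plated":   (0.0, 150_000.0),  # eliminates risk but costs more than the ALE
}
```

With these figures SLE is $200,000 and ALE is $100,000 per year; "backup_and_dr" leaves $20,000 of ALE for $30,000, a net benefit of $50,000, while "gold_plated" costs more than the entire ALE and is never chosen.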

15.   With a SOC 2 auditing report, which of the following principles must always be included?

A.   Security

B.   Processing integrity

C.   Privacy

D.   Availability

A. The SOC 2 auditing reports are built on a set of five principles: security, processing integrity, privacy, availability, and confidentiality. A SOC 2 audit can include any number of these principles, but under the official guidelines, the security principle must always be included. Within the security principle are seven categories: change management, communications, logical and physical access controls, monitoring of controls, organization and management, risk management and design and implementation of controls, and system operations.

B is incorrect because while processing integrity is one of the five principles of the SOC 2 audits, it is not required to be included with any of the other principles. The processing integrity principle is focused on ensuring that data is in its correct format, accurate, and verified, and that it has not been altered or modified by unauthorized parties or means.

C is incorrect because while privacy is one of the five principles of the SOC 2 audits, it is not required to be included with any others during audits. The privacy principle is focused on personal and private information, and ensuring that it is handled per the organization’s policies, as well as per any applicable regulations or laws, during all times—whether it is created, stored, processed, or disposed of by a system or application.

D is incorrect because like processing integrity and privacy, availability is one of the five principles of the SOC 2 auditing reports, but it is not a required principle to be included while auditing any others. The availability principle evaluates whether data or functions are available to authorized parties when needed, and in such a manner that meets requirements and policies. These requirements and policies can come from either business needs and expectations or in some instances legal or regulatory mandates.

16.   Which of the following would be used to isolate test systems from production systems within a cloud environment for testing or development purposes?

A.   Sandboxing

B.   Application virtualization

C.   Firewalling

D.   Puppet

A. Sandboxing involves isolating systems and applications from others within the same environment. This is typically done to keep data segregated and inaccessible from other systems, such as keeping production and nonproduction data segregated from each other. This can also be done within environments to keep production data isolated, such as keeping employee data and customer data completely segregated from each other, or in an academic setting, keeping student data and faculty/staff data isolated from each other. The need for isolation can sometimes come from organizational security policies, but in many instances it will be required by regulation.

B is incorrect because while application virtualization will keep applications isolated away from operating systems and other applications, it is restricted to the application layer and cannot be used for overall systems. Also, application virtualization will typically be within the same host systems, so any potential compromise of the host system could expose data between the two virtualization containers.

C is incorrect because firewalling is used to limit or restrict specific network traffic from making successful inbound or outbound connections, usually with specific ports as well. Although a firewall is a security tool for protecting and isolating traffic, it is not used for segregating and isolating systems or applications as an overall concept like sandboxing is.

D is incorrect because Puppet is a tool for maintaining configurations and deployments across systems and applications, as well as for enforcing rules and requirements for the configurations. It is not a concept for segregating and isolating systems or applications within an environment.

17.   Which of the following is NOT an aspect of static application security testing (SAST)?

A.   Access to source code

B.   Offline system

C.   Knowledge of system configurations

D.   Live system

D. SAST is always done against systems that are not live and operational to users or customers. SAST is done by testers with extensive knowledge of systems and how they were coded, and as such, it will typically produce superior results as compared to other types of testing that must discover and scan to try and determine how systems are put together.

A is incorrect because the testers performing SAST will have access to the source code, and in many instances full knowledge of the SDLC process that the application went through. It is intended to expose programming errors and typical security deficiencies related to coding, such as XSS and injection.

B is incorrect because SAST testing is always done against nonproduction systems; these systems will not have production data or users interacting with them. This enables testers to do more invasive and deeper testing than what can be done against live systems because the risk of data corruption or negatively impacting users will not exist with SAST.

C is incorrect because one of the key aspects of SAST is the knowledge on the part of the testers of the systems’ configurations and the technologies used. With other types of testing, where this inside knowledge is not present, the testers are limited to the information they are able to expose or glean from scanning and other discovery tools. Relying on scanning and discovery will always pose significant challenges because many other layers of security and complementary systems will likely limit or prohibit a high degree of success for these tools.

18.   Which of the following are the four cloud deployment models?

A.   Public, private, hybrid, and community

B.   Public, private, internal, and hybrid

C.   Internal, external, hybrid, and community

D.   Public, private, hybrid, and organizational

A. The four cloud deployment models are public, private, hybrid, and community. Public cloud deployments are operated and maintained by companies that offer services to the public as a whole, without needing to be part of a special group or population. Many of these offerings are free or mostly free, and many are very commonly known to the public and in widespread use. Someone wanting to leverage a public cloud just needs network access and typically a credit card to purchase services or add-ons. Private clouds are run either by cloud service providers or by the organizations using them. They are not available to the general public and will necessitate a contractual or partnership relationship with the cloud customer. Hybrid clouds are a mixture of two or more of the other cloud models, typically public and private cloud offerings used together. The community cloud model is where cloud services are maintained and offered by an organization or company, which may or may not be a member of the specific community, but services are restricted to a certain population or type of cloud customer, such as universities or members of professional organizations.

B is incorrect because while public, private, and hybrid are correct cloud deployment models, there is no “internal” model for cloud deployments. Instead, the correct cloud deployment model is community.

C is incorrect because while hybrid and community are correct cloud deployment models, there are no “internal” and “external” cloud models. The other two correct cloud deployment models are public and private.

D is incorrect because while public, private, and hybrid are correct cloud deployment models, there is no “organizational” cloud deployment model. Instead, the correct cloud deployment model is community.

19.   Which of the following is a commonly used tool for maintaining software versioning and code collaboration?

A.   GitHub

B.   Chef

C.   Puppet

D.   Nessus

A. GitHub is an online code repository that works from both command-line and web-based interfaces. It provides robust access control and many different toolsets for code collaboration, including bug tracking, management tools, and wikis. For code collaboration and management, it offers extensive versioning and branching capabilities and is in widespread use throughout the IT industry.

B is incorrect because Chef is a software tool for handling infrastructure configurations. It will often be used in conjunction with GitHub to form a comprehensive management solution for systems and applications, but by itself does not handle code versioning and collaboration.

C is incorrect because Puppet is also a software application for handling infrastructure configurations. It works much in the same way as Chef and is used to manage configurations and standards in regard to systems configuration, not to handle code versioning and collaboration.

D is incorrect because Nessus is a tool for conducting vulnerability scans, and it does not have anything to do with code collaboration and versioning. Nessus works by taking a large ensemble of known vulnerabilities and scanning against systems to determine if they are vulnerable to them. With the results, application developers and security teams can proactively discover and mitigate security vulnerabilities before a malicious actor is able to exploit them.

20.   Which of the following is NOT a core component of an SIEM solution?

A.   Correlation

B.   Aggregation

C.   Compliance

D.   Escalation

D. Escalation is the process of moving issues or alerts along a predefined path to others responsible for remediation and action if those prior to them in the chain do not respond. This is done to bring the issues to the attention of management. While SIEM solutions can trigger alerts based on predefined conditions, the full workflow of escalation is handled by an external tool or application, and the role of the SIEM solution would be the initial identification and alert.

A is incorrect because correlation is a key component and use of SIEM solutions. An SIEM solution has as a primary function the collecting of logs from many systems throughout an infrastructure. Having data from many different systems, an SIEM solution can easily detect the same pattern or other details across those systems, whereas relying on log files from particular servers would require each server to be analyzed independently. The SIEM solution also allows for the identification of the same types of issues, traffic, or events across a heterogeneous environment. For example, if an IP address is suspected of attempting to attack a system or application, an SIEM solution can correlate the traffic and events across networking devices, servers, firewalls, IPSs, and so on, which otherwise would require different teams and substantial resources to search, and would typically take much longer than the rapid nature of a security incident allows.

B is incorrect because a core component of an SIEM solution is the aggregation of events and data from many disparate systems into a single searching and reporting platform. Without an SIEM solution, log data would be held throughout a data center environment on many different devices, and likely in many different formats. An SIEM solution will collect and aggregate all of that data into a single system that can be searched in a uniform and consolidated manner. This allows an organization to see the same particular traffic or details across the enterprise, without having to search many different systems, as well as being able to search logs (which are likely in many different formats) from a single interface using the same commands. Aggregation in this way allows an organization to analyze data in a much more rapid and efficient manner than would be possible without aggregation.

C is incorrect because an SIEM solution is a crucial tool in many organizations for compliance activities. Almost all regulatory systems require activities such as periodic review of log data for specific types of activities. This could include invalid login attempts, account creations, access control changes, and many other types of data points. With an SIEM solution, this reporting is easy to do using the robust search and reporting features, as well as leveraging correlation and aggregation to allow a single reporting tool to generate reports across the enterprise and many diverse and disparate systems.
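The two SIEM functions described above, aggregation of differently formatted logs into one shape and correlation of the same source IP across systems, can be shown end to end. The following is an added example and not code from this book or from any SIEM product: the three log excerpts (a web access log, a firewall log and an SSH authentication log) are constructed, the IP addresses are documentation ranges, and the "suspicious" rules are simple assumptions chosen to make the correlation visible.

```python
"""Log aggregation and cross-system correlation, SIEM style.

Constructed example. Three native log formats are normalized into one event
shape (aggregation), then suspicious events are grouped by source IP and
reported when the same IP appears in more than one system (correlation).
"""
import re
from collections import defaultdict

# Constructed sample logs (documentation IP ranges, invented timestamps).
WEB_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 403 512
198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-login.php HTTP/1.1" 404 310
"""
FW_LOG = """\
2023-10-10T13:55:30Z DENY TCP src=203.0.113.7:51234 dst=10.0.0.5:22
2023-10-10T13:55:50Z ALLOW TCP src=198.51.100.2:44210 dst=10.0.0.8:443
"""
SSH_LOG = """\
Oct 10 13:55:52 bastion sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51300 ssh2
Oct 10 13:56:01 bastion sshd[1235]: Accepted publickey for deploy from 198.51.100.2 port 44301 ssh2
"""

# One parser per native format; each exposes the source IP under the same group name.
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
FW_RE = re.compile(r'^(?P<ts>\S+) (?P<action>ALLOW|DENY) \S+ src=(?P<ip>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<port>\d+)')
SSH_RE = re.compile(r'^(?P<ts>\w{3} \d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>Failed|Accepted) .* from (?P<ip>[\d.]+)')
PARSERS = {"web": WEB_RE, "firewall": FW_RE, "ssh": SSH_RE}


def normalize(source: str, text: str) -> list:
    """Aggregation step: parse one system's native lines into a common event dict."""
    pattern = PARSERS[source]
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if not m:
            continue  # a production pipeline would count and surface unparsed lines
        d = m.groupdict()
        # Constructed 'suspicious' rules, one per source, for illustration only.
        suspicious = (
            (source == "web" and d["status"] in ("403", "404"))
            or (source == "firewall" and d["action"] == "DENY")
            or (source == "ssh" and d["msg"] == "Failed")
        )
        events.append({"source": source, "ip": d["ip"], "suspicious": suspicious, "raw": line})
    return events


def correlate(events: list, min_sources: int = 2) -> dict:
    """Correlation step: count suspicious events per IP per system and keep IPs
    seen misbehaving in at least min_sources different systems."""
    by_ip = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["suspicious"]:
            by_ip[e["ip"]][e["source"]] += 1
    return {ip: dict(srcs) for ip, srcs in by_ip.items() if len(srcs) >= min_sources}


def run() -> dict:
    """Aggregate all three sources, then correlate across them."""
    events = (normalize("web", WEB_LOG)
              + normalize("firewall", FW_LOG)
              + normalize("ssh", SSH_LOG))
    return correlate(events)
```

Each parser would normally be one of many per-device decoders, and the grouping key could equally be a username or session identifier; the value of the single event shape is that one query answers the cross-system question without searching each device separately.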

21.   Which of the following threat types is the MOST difficult for an organization to defend against and detect?

A.   Data loss

B.   Malicious insiders

C.   Insecure APIs

D.   Account hijacking

B. A malicious insider is any user of a system, though typically someone with elevated access, who uses their otherwise authorized access for unauthorized ends. Because a malicious insider uses authorized access, it is very difficult for an organization or monitoring tool to detect such activity. Typically, such an attack will only become obvious after it has already been completed and the damage is done. While possessing authorized access, a malicious insider in most instances will also have extensive knowledge of the system or application, as well as the data contained within it, and will know what has the most value and the best ways to compromise it.

A is incorrect because data loss can typically be prevented by having in place redundant systems as well as appropriate business continuity and disaster recovery plans. While redundancy can help prevent data loss from happening at all, having robust and comprehensive backups, as well as the means to restore them quickly, will largely mitigate or minimize the effects of any data loss.

C is incorrect because proper validation, certification, and testing of APIs will largely mitigate vulnerabilities and prevent successful exploits from ever occurring. Because the APIs of a system are known and selected prior to use, secure requirements and standards can be used in their selection and implementation, ensuring everything is done in a secure manner. The use of appropriate monitoring tools will also go a long way toward preventing insecure APIs from being successfully exploited and mitigating the damage should such exploitation occur.

D is incorrect because many methods and tools are available to minimize or prevent account hijacking. Through the use of technologies such as multifactor authentication, the possibility of credentials being stolen and successfully used to access data is very minimal. Even if passwords and user IDs are successfully stolen and obtained by a malicious actor, they will not be in possession of the second factor needed to access the systems or data. Other approaches, such as active alerting for users attempting to access systems from unknown or unique locations, can also make such an attack much more difficult. For example, systems can monitor for the location or origination of login attempts, and any attempt made from outside a typical geographic region (especially from a foreign location) can cause logins for that user to be disabled until they can be validated, even in instances where multifactor authentication is not used.

22.   Which of the following storage types are used with Infrastructure as a Service (IaaS)?

A.   Structured and unstructured

B.   File and database

C.   Object and volume

D.   Block and striped

C. IaaS uses object and volume storage types. With volume storage, a logical storage unit will be allocated to the virtual machine, and it will appear to the system, applications, or users as part of the file system. It can then be used as normal storage would in a physical server model, complete with file system organization, permissions, data structures, and any other aspects of a file system. With object storage, data is kept in a flat structure and accessed through the use of opaque tokens, rather than a filename or through a directory structure. This type of storage is often used for media objects such as images, videos, and audio files, as well as where cloud providers store system images and virtual machine files.

A is incorrect because structured and unstructured storage types belong to PaaS, not IaaS. Structured storage is done typically through systems such as databases, which have a set, defined data-organization scheme and are maintained by the cloud provider, with data inserted or created by the cloud customer. Unstructured data does not follow platform-defined structures and is open to the data structures defined by the cloud customer. This will typically be used for web-based systems within a PaaS environment, where the web objects, media files, and components are stored and accessed via the application framework.

B is incorrect because while file and database are two common storage methods or concepts, they are higher-level concepts that many other data structures fit within, and are not part of the formal data structures that IaaS uses.

D is incorrect because while block and striped are concepts in computing that relate to data storage and structure, they are not data types themselves, nor are they used and defined within IaaS or other cloud models.

23.   Which of the following data-sanitation approaches is always available within a cloud environment?

A.   Physical destruction

B.   Shredding

C.   Overwriting

D.   Cryptographic erasure

D. Cryptographic erasure is a means to ensure data is no longer accessible, and it can always be used within a cloud environment because it is purely a software approach and not dependent on the infrastructure. Rather than a traditional means of overwriting or destroying physical media, cryptographic erasure is performed by encrypting data and then destroying the keys that were used to encrypt it, thus rendering it inaccessible and unreadable. This method, especially where data is already encrypted, is extremely fast and efficient. Whereas deleting large volumes or numbers of files on a system can often take substantial time to complete, in addition to the significant time required for overwriting or ensuring it is deleted, keys can be deleted instantaneously and from where they are housed, sometimes without even accessing the systems holding the actual data. If the data was encrypted with strong encryption, the chances of it ever being accessed again are extremely low; for the most part, it’s virtually impossible.

A is incorrect because physical destruction of media is virtually impossible within a cloud environment. With multitenancy and resource pooling, you can be assured that every physical device houses more than one cloud customer. Due to this, the idea of having the cloud provider destroy the physical media housing the data is an impossibility. Also, with how much data is always moving and being balanced within a cloud environment, it is almost impossible to fully determine all the physical locations of data at any one point so that such destruction could even be requested.

B is incorrect because shredding is a form of physical destruction of media and, as explained for answer A, would not be possible within a cloud environment.

C is incorrect because the realities of a cloud environment, with the use of virtualization and constant balancing and migrating of data, make it impossible to perform overwriting in a manner where it could be ensured that all data is overwritten. It also would be virtually impossible to isolate a particular customer’s data, even if one could determine all the locations of that data, and perform overwriting in a manner that would not impact other tenants within the same environment.
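Cryptographic erasure as the correct answer describes it depends on one thing: the key lives somewhere other than the data, and destroying that single copy makes every ciphertext under it unrecoverable wherever the cloud provider happens to have placed it. The following is an added illustration written for this review, not code from the book. It stands in an in-memory key vault for a KMS, and, so that it runs on the standard library alone, uses an illustrative keystream built from HMAC-SHA256 in counter mode rather than a standard cipher; a production system would use a vetted AEAD such as AES-GCM behind a real KMS or HSM. Tenant and object names are constructed.

```python
"""Cryptographic erasure (crypto-shredding) with a toy key vault.

Added illustration. The HMAC-SHA256 keystream below is for demonstration only;
use a vetted AEAD (e.g. AES-GCM) and a real KMS/HSM in production.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16


class KeyVault:
    """In-memory stand-in for a KMS: keys are held here, never beside the data."""

    def __init__(self):
        self._keys = {}
        self.audit = []  # key lifecycle trail; an auditor wants the 'destroy' record

    def create_key(self, key_id):
        self._keys[key_id] = os.urandom(32)
        self.audit.append(("create", key_id))
        return key_id

    def get_key(self, key_id):
        if key_id not in self._keys:
            raise KeyError(f"key {key_id} has been destroyed or never existed")
        return self._keys[key_id]

    def destroy_key(self, key_id):
        # This is the erasure: once the only copy of the key is gone,
        # ciphertext under it is unreadable no matter where copies of it sit.
        self._keys.pop(key_id)
        self.audit.append(("destroy", key_id))


def _keystream(key, nonce, length):
    # Illustrative counter-mode keystream: HMAC(key, nonce || counter), block by block.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)  # fresh nonce per object so keystreams never repeat
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key, blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class TenantStore:
    """Object store that keeps only ciphertext plus the id of the key it was wrapped with."""

    def __init__(self, vault):
        self.vault = vault
        self.objects = {}  # name -> (key_id, ciphertext blob)

    def put(self, key_id, name, data):
        self.objects[name] = (key_id, encrypt(self.vault.get_key(key_id), data))

    def get(self, name):
        key_id, blob = self.objects[name]
        return decrypt(self.vault.get_key(key_id), blob)

    def is_readable(self, name):
        try:
            self.get(name)
            return True
        except KeyError:
            return False


def crypto_shred(store, key_id):
    """Erase every object under key_id by destroying the key; returns how many were affected."""
    affected = sum(1 for kid, _ in store.objects.values() if kid == key_id)
    store.vault.destroy_key(key_id)
    return affected


if __name__ == "__main__":
    vault = KeyVault()
    store = TenantStore(vault)
    kid = vault.create_key("tenant-a")
    store.put(kid, "report.pdf", b"quarterly numbers")
    print("before:", store.get("report.pdf"))
    print("objects shredded:", crypto_shred(store, kid))
    print("still readable:", store.is_readable("report.pdf"))
```

Note what the `TenantStore` keeps after shredding: the ciphertext is still on disk, which is exactly the situation in a cloud where overwriting or physical destruction cannot be arranged, and the only thing that changed is the vault's key table.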

24.   Which of the following technologies will often make elasticity a bigger challenge in a cloud environment?

A.   IPS

B.   XML accelerator

C.   Vulnerability scanner

D.   Web application firewall

A. The use of IPS systems can be complicated with elasticity and auto-scaling; as systems are expanded programmatically, it is difficult to ensure that traffic is accurately routed through IPS systems and that the correct signatures, policies, and rules are applied. Within a traditional data center, network pathways are known, and routing as well as physical network connections will ensure that the correct paths are always taken. In cloud environments, where the infrastructure is in a constant state of flux, this is far more difficult to achieve. The primary means to implement IPS to get around the shortcomings of virtual network-based IPS is through the use of host-based IPS systems in a cloud environment.

B is incorrect because XML accelerators will be placed around load balancers and will automatically be added as systems are expanded programmatically. This differs from IPS because it relates to where in the network flow XML accelerators are placed and how the network is routed. XML accelerators also are used in conjunction with established web services, which, regardless of the number of virtual machines accessing them, will remain the same.

C is incorrect because elasticity will have no impact on vulnerability scanners, other than changing the number of systems that must be scanned. However, through auto-scaling and elasticity, the server type and purpose will be known, and it is easy to ensure that these systems are added to the lists for vulnerability scanning.

D is incorrect because web application firewalls (WAFs) are used based on the purpose of the server, which will be known through auto-scaling. Also, they are often placed in front of servers at the load balancer level, so the number of servers behind the load balancer will not have any direct impact on the use of WAFs.

25.   Which of the following concepts involves the ability of cloud customers to easily move services from one cloud provider to another?

A.   Interoperability

B.   Portability

C.   Multitenancy

D.   Measured service

B. Portability is the feature that allows a system to easily move between different cloud providers. This is accomplished by relying on standardized toolsets and platforms and avoiding the use of proprietary APIs or other toolsets that will end up binding an organization to a particular cloud provider, making the cost of moving to another substantial, in both time and money.

A is incorrect because interoperability is the ability of a system or application to reuse components. This allows organizations to avoid particular ties to vendors or other systems for the components or functions of their own systems and applications. This can also be related to the use of standardized data structures and formats to avoid vendor lock-in.

C is incorrect because multitenancy relates to a cloud environment hosting applications and systems from different customers within the same physical systems. While this concept would make it easy for any cloud customer to establish systems in a new cloud provider, it does not address at all the ability of a customer to move from one cloud environment to another.

D is incorrect because measured service relates to a cloud customer only paying for the resources they consume, and only for the duration of the time in which they are consuming them. Although this makes it easier and cheaper to get set up in any environment and scale outward as needed, it addresses only the cost of initially setting up in a new environment, not the technical ability of systems or applications to move from one environment to another.

26.   What does the S stand for in the STRIDE threat model?

A.   Secure

B.   Structured

C.   Standard

D.   Spoofing

D. The S in the STRIDE threat model stands for spoofing, or more specifically, spoofing identity. This involves applications that have unique access controls for individual users and administrators, but then within the application they use service accounts or common credentials to communicate with databases, APIs, or other services. In this instance, it is possible for a user to assume the identity of another within the application once authenticated, and then make it appear as if that user is accessing resources through the application. To mitigate this threat, systems should continually check the access of a user as they move between interfaces or functions to ensure they have the proper level of access, as well as check that the identity the system assumes they have actually matches the identity that they used to initially authenticate and access the system or application.

A is incorrect because the S stands for “spoofing identity” and not for “security.” While security is obviously a large part of the STRIDE threat model at a high level, and is the overarching concept, it is not the actual term used here.

B is incorrect because the S stands for “spoofing identity” and not for “structured.” The term structured typically applies to data types, especially for PaaS implementations, where structured and unstructured are the two official data types.

C is incorrect because the S stands for “spoofing identity” and not for “standard.” While standard is a term used a lot within security and IT in general, especially as it relates to certifications and best practices, it is not applicable in this instance as part of the STRIDE threat model.

27.   Which of the following is NOT a major concern with encryption systems?

A.   Integrity

B.   Confidentiality

C.   Efficiency

D.   Key management

A. Encryption is intended to protect the confidentiality and privacy of data first and foremost. While encryption can certainly prevent the unauthorized altering of data at rest, that is not its intended purpose.

B is incorrect because confidentiality is the main concern and focus of encryption. It is intended to prevent the unauthorized exposure or leakage of data to parties that are not authorized to have it. In order to read data that is encrypted, a party would need to have access to the keys used to encrypt it. Encryption is focused solely on the ability to read data, so it is not used to prevent the encrypted volumes from being intercepted specifically—just the reading and access of the data contained within them.

C is incorrect because in order for an encryption system to be usable in a real environment and within applications, it must be easy and efficient to use. That is one of the main benefits and features of encryption. Although an encryption system is virtually unbreakable with current technology and capabilities, if you are in possession of the correct keys, it takes very little overhead to decrypt and read the data. In order to integrate into applications, especially those open to the public and that have larger user bases, this speed and efficiency is absolutely crucial.

D is incorrect because key management is one of the central challenges and components of any encryption system. The keys are central to encrypting and then decrypting data, and the corruption, loss, or exposure of the keys will either render the security useless or make the data unrecoverable. Each organization will have to carefully analyze its systems and applications where encryption is used, and based on the particulars of each system and application, where it is hosted, how it is accessed, and many other factors, make the most appropriate decision on how keys will be secured and managed.

28.   Which of the following types of data is the United States’ HIPAA regulations concerned with?

A.   Financial

B.   Historical

C.   Healthcare

D.   Hybrid cloud

C. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the United States is concerned with the protection of patient privacy and the security involved with the protection of medical records. While a major part of the law protects workers and their families from losing health insurance when they change or lose their jobs, the other major parts of the law that are important in this context are the protection of patient data, the requirements to establish electronic healthcare transactions, and the attempt to standardize identifiers with healthcare institutions.

A is incorrect because HIPAA is concerned with healthcare data, not financial data. Other major regulatory and standards systems are concerned with financial data, such as SOX and PCI DSS.

B is incorrect because HIPAA has nothing to do with historical data beyond how it relates to healthcare data. As with most regulatory systems, there are requirements for data retention that establish minimum periods of time to maintain data, but the overall focus of the regulations is not “historical” in any sense.

D is incorrect because HIPAA was established long before cloud computing came into existence, and it is not focused on specific technologies but rather on the overall handling of records and security requirements. While HIPAA will certainly apply to any healthcare systems hosted in a hybrid cloud environment, that is not the purpose or focus of the law.

29.   Which of the following in a federated environment is responsible for consuming authentication tokens?

A.   Relying party

B.   Identity provider

C.   Cloud services broker

D.   Authentication provider

A. The relying party in a federated environment is the actual service provider that gives access to secure systems or data. The relying party consumes authentication tokens that are generated by an acceptable identity provider and then grants authorization to access the systems or data based on the successful authentication, and possibly based on specific attributes about the user or entity that are provided by the identity provider, enabling the relying party to make decisions about roles based on pre-defined configurations.

B is incorrect because the identity provider is the generator of authentication tokens in a federated system, not the component that will consume and process them. The role of the identity provider is to perform authentication on users who are known to it, and in many instances to provide additional attributes and information about those users to the relying party so that it can make authorization decisions that are appropriate for the user and the data access they are attempting to use.

C is incorrect because a cloud services broker does not play any role in a federated system or environment. The role of a cloud services broker is to take the cloud services offered by public or private cloud providers and then extend or add value to them through integration, aggregation, or by providing customized interfaces or data fields.

D is incorrect because authentication provider could be another term for identity provider. Thus, the authentication provider would not be a consumer of authentication tokens, but rather a generator or provider of them.
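The exchange behind this question has two halves: the identity provider authenticates the user and issues a signed token carrying identity and attributes, and the relying party consumes that token, checks it, and maps the attributes to local roles. The following is an added illustration written for this review, not code from the book and not the SAML or OIDC protocol itself. To stay standard-library only it signs the token with an HMAC key shared between IdP and RP, which is a simplification (real federations use asymmetric signatures so the RP holds no signing key); the issuer and audience URLs, user and group names are constructed.

```python
"""Identity provider issues a signed token; relying party consumes it.

Added illustration of the federation roles above, with a simplified
HMAC-signed token (assumption: shared secret between IdP and RP).
"""
import base64
import hashlib
import hmac
import json


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(idp_secret, issuer, subject, audience, groups, now, ttl=300):
    """Identity provider: after authenticating the user (out of scope here),
    assert who they are, which RP the token is for, and their attributes."""
    payload = {"iss": issuer, "sub": subject, "aud": audience,
               "iat": now, "exp": now + ttl, "groups": groups}
    body = _b64e(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(idp_secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


class TokenRejected(Exception):
    pass


def consume_token(token, trusted_issuers, expected_audience, now, role_map):
    """Relying party: verify the token before trusting any claim in it, then
    turn IdP attributes into local roles via a pre-defined mapping."""
    try:
        body, sig = token.split(".")
        payload = json.loads(_b64d(body))
    except ValueError:
        raise TokenRejected("malformed token")
    secret = trusted_issuers.get(payload.get("iss"))
    if secret is None:
        raise TokenRejected("untrusted issuer")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(sig)):
        raise TokenRejected("bad signature")
    if payload.get("aud") != expected_audience:
        raise TokenRejected("token not intended for this relying party")
    if now >= payload.get("exp", 0):
        raise TokenRejected("token expired")
    roles = {role for grp in payload.get("groups", []) for role in role_map.get(grp, [])}
    return payload["sub"], roles


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    trusted = {"https://idp.example": secret}
    role_map = {"finance-admins": ["admin", "viewer"], "staff": ["viewer"]}
    tok = issue_token(secret, "https://idp.example", "alice",
                      "https://rp.example", ["finance-admins"], now=1_700_000_000)
    print(consume_token(tok, trusted, "https://rp.example", 1_700_000_010, role_map))
```

The order of checks in `consume_token` is the part worth copying: nothing in the payload is acted on until the signature has been verified against a key the RP already trusts for that issuer, and audience and expiry are checked before any authorization decision is made.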

30.   Which phase of the cloud data lifecycle involves processing by a user or application?

A.   Create

B.   Share

C.   Store

D.   Use

D. The “use” phase of the cloud data lifecycle is where the data is actually processed or consumed by an application or user. During the “use” phase, data will transition between the data-at-rest and data-in-use states and will require additional security as it is exposed and accessed by systems. Therefore, it must be presented in an unencrypted state. This also extends the data security concerns from the server or storage aspect to the client aspect and the security of the specific device or client being used to access the data. Compared to some other phases, the “use” phase is considered read-only because any modification or creation would fall under a different phase.

A is incorrect because the “create” phase is when data is first entered into a system, or modified from a previous form, and thus new data has been created. At the “create” phase, the important initial decisions as to data classification are made so that security controls can be immediately placed on the data from the point of conception. These decisions will impact all later phases for the data and will govern much of its use and processing for its lifetime.

B is incorrect because the “share” phase is where data is made available for systems or applications outside of the original intended ones for the data. Because the data will be leaving the original system and its security enclave, security becomes an important aspect as it is incumbent on the receiving party to secure it from that point onward. This is typically accomplished through auditing reports and operating agreements that establish security standards and requirements for all parties that will consume and accept the data.

C is incorrect because the “store” phase is where the data is officially recorded and entered upon its creation. This is usually a simultaneous process, or one that happens immediately after the creation of the data. Data can be entered in many different types of storage, including databases and file systems. Storage must be done with respect to the classification of the data, ensuring that appropriate security controls are in place immediately upon the data being entered. This is also the phase where concepts such as redundancy and backup methods are used on the data.

31.   Which of the following is NOT a state of data that is important for security and encryption?

A.   Data in use

B.   Data in transit

C.   Data at rest

D.   Data in archive

D. Data in archive is not one of the official states of data as it applies to security and encryption. Although the other three states of data in use, data at rest, and data in transit will have implications and applicability to archiving, the concept of archiving is found within them and is not considered a state in and of itself.

A is incorrect because data in use is an official state of data. During this state, data is actually consumed and processed by a system or application. As such, additional security controls need to be applied compared to when the data is in static storage. This also extends the security exposure to the client side, because the client is what views the data and in some instances processes it as well.

B is incorrect because data in transit is also an official state of data. During this phase, data will traverse networks and systems, typically between storage and processing entities. During this phase, particular security concerns arise because the data will usually cross systems and networks that are not under the control or security perimeter of the originating organization. This will often be mitigated by the use of encryption, where the entities on both sides are knowledgeable of the keys. This prevents any systems in the middle, or anyone who manages to capture the data, from being able to read or modify it.

C is incorrect because data at rest is an official state of data. With this state, the data is contained within storage systems and is not actively being processed or consumed. This is typically the easiest state in which to secure data because technologies such as encryption and isolation can be used to prevent the access or exposure of data.

32.   Which of the following is a standard and certification for cryptographic modules?

A.   FIPS 199

B.   FIPS 140

C.   FIPS 201

D.   FIPS 153

B. FIPS 140, specifically the current revision of FIPS 140-2, is a processing standard published by the United States government pertaining to the certification of cryptographic modules that are used within systems. Following this standard, which defines four security levels, will ensure varying degrees of confidence in the security of cryptographic modules used to encrypt and decrypt data on systems.

A is incorrect because FIPS 199 is a U.S. government standard that defines security categories of systems that are used by the government and are not specifically related to cryptographic modules. The FIPS 199 standard establishes low, moderate, and high categories for information systems, and requires all agencies of the government to evaluate and rate their systems into one of the categories for confidentiality, integrity, and availability security concerns. The highest rating from any of these three areas becomes the overall rating of the system. For example, if a system is rated moderate for confidentiality and availability, but high for integrity, then the system as a whole will be considered a high system.

C is incorrect because FIPS 201 is a U.S. government standard that establishes guidelines for personal identity verification (PIV) for any employees or contractors of the federal government. The requirements apply to all federal government information systems and applications, with the exception of national security systems, which are covered under their own separate regulations and policies. The PIV standard advocates for the use of smartcard technology as a requirement for any identification systems, extending beyond the typical password requirements into the multifactor realm.

D is incorrect because FIPS 153 is a standard relating to 3D graphics and has no impact on or role in cryptographic modules.

33.   The use of which of the following technologies will NOT require the security dependency of an operating system, other than its own?

A.   Management plane

B.   Type 1 hypervisor

C.   Type 2 hypervisor

D.   Virtual machine

B. Type 1 hypervisors run directly attached to the underlying hardware of the host and do not have any software between them or dependencies on external operating systems. By design, the Type 1 hypervisor is highly optimized for its intended functions; the vendor removes all code except what is explicitly required for it. This removes the complexity and flexibility of operating systems, which even with all unnecessary services and functions disabled or removed will still contain large amounts of code or components that are not needed to operate the hypervisor. The direct tie between the hypervisor and hardware allows the vendors to lock down and patch specifically for threats and exploits in their software only, without the need to rely on other libraries or components from operating systems, including being at the mercy of the operating system vendors to appropriately patch their own systems within a reasonable timeframe.

A is incorrect because the management plane is a web portal or utility for managing hypervisors that runs within its own systems and software. This creates dependencies on operating systems and application frameworks that will run the portal or utilities, potentially introducing many security vulnerabilities and requiring the reliance on those vendors for timely and comprehensive patching. Because the management plane is used to manage and control hypervisors throughout the environment, any security exploit of it will potentially expose an entire infrastructure or data center to threats and exposure.

C is incorrect because Type 2 hypervisors are software-based applications that reside on a host system and then launch virtual machines within them. With this type of configuration, the hypervisor is dependent on the operating system of the host, rather than running directly on top of the hardware with a Type 1 hypervisor. Due to this dependency, the hypervisor is potentially vulnerable to any security exploits that occur with the underlying operating system. Operating systems are also designed to support a wide range of applications and uses. Therefore, they will have large amounts of code and components that are not necessary for the use of the hypervisor, potentially exposing far more possible vulnerabilities to protect and monitor than if the hypervisor was dedicated and running on the hardware directly.

D is incorrect because, as part of their nature, virtual machines run under host systems and therefore are dependent on them and are largely at their mercy from a security perspective. Any compromise of the host system can potentially render any virtual machines hosted by it vulnerable as well.

34.   Which of the following threats involves sending untrusted data to a user’s browser in an attempt to have it executed using the user’s permissions and access?

A.   Cross-site scripting

B.   Injection

C.   Unvalidated redirects

D.   Man in the middle

A. Cross-site scripting involves injecting scripts into web pages that are then executed on the client side by the browser. This allows an attacker to run scripts using the permissions of the browser and any authenticated sessions. This can expose web applications to potential attacks by allowing the bypassing of some security controls such as same-origin policies, as well as utilizing the credentials of a valid user to execute.

B is incorrect because injection attempts involve sending segments of code through input fields in order to have the code executed by the system or application. This is done to attempt to access information and bypass security controls when the input fields are not properly validated or sanitized when submitted by the user. For example, a field may call for the user’s e-mail address, but an attacker may send SQL code in the input field. If the application does not properly validate the input fields, the application may either directly run the code or insert it into the database and then execute it later when a SQL command is run against that field. This can be used by an attacker to expose other database areas beyond those intended, or even dump entire database fields or file system information back to the malicious actor.

C is incorrect because unvalidated redirects occur when an application does not properly validate input and sets up a situation where users can be redirected through this untrusted input to external sites. Through this kind of attack, it is possible for the attacker to steal user credentials and attempt phishing attacks against users as well. Because the user went through a trusted application and was redirected by it, they may not be aware they are no longer sending input to the trusted application and are thus exposing their private data or privileged access.

D is incorrect because a man-in-the-middle attack involves the interception of communications between two parties. The attacker attempts to read, alter, or redirect the data flows in a manner that the parties are unaware it is happening and continue to use the transmissions as they normally would.
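Answers A and B are both input-handling failures, and each has a well-understood fix: output encoding for untrusted text placed into HTML, and parameter binding for untrusted text placed into SQL. The following is an added illustration written for this review, not code from the book. It shows the vulnerable form of each beside its hardened form and uses them exactly as a defender would, to verify that a constructed probe of the kind answer B describes (SQL in an e-mail field) no longer changes the query. The in-memory SQLite table and the user records are constructed.

```python
"""Vulnerable and hardened handling of untrusted input, for HTML and for SQL.

Added illustration. The *_unsafe functions show the flaw described in the
answers; the *_safe functions are the fix. Sample data is constructed.
"""
import html
import sqlite3


def render_comment_unsafe(text):
    # Untrusted text dropped straight into markup: the browser will execute
    # any script the text contains, with the viewing user's session.
    return f"<p class='comment'>{text}</p>"


def render_comment_safe(text):
    # Output encoding: markup characters become entities, so the browser
    # displays them as text instead of interpreting them.
    return f"<p class='comment'>{html.escape(text, quote=True)}</p>"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users (email) VALUES (?)",
                     [("alice@example.com",), ("bob@example.com",), ("carol@example.com",)])
    return conn


def find_user_unsafe(conn, email):
    # String formatting: whatever the user typed becomes part of the SQL grammar.
    return conn.execute(f"SELECT id, email FROM users WHERE email = '{email}'").fetchall()


def find_user_safe(conn, email):
    # Parameter binding: the value is handed to the driver as data and is
    # never parsed as SQL, whatever characters it contains.
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


def check_hardening(conn):
    """Defender's regression check: the probe must match zero users and the
    script must arrive in the page as inert text. Returns (sql_ok, html_ok)."""
    probe = "x' OR '1'='1"                # constructed input of the kind answer B describes
    script = "<script>alert(1)</script>"  # constructed input of the kind answer A describes
    sql_ok = find_user_safe(conn, probe) == []
    html_ok = "<script>" not in render_comment_safe(script)
    return sql_ok, html_ok


if __name__ == "__main__":
    db = make_db()
    print("unsafe query rows:", len(find_user_unsafe(db, "x' OR '1'='1")))
    print("safe query rows:  ", len(find_user_safe(db, "x' OR '1'='1")))
    print(render_comment_safe("<script>alert(1)</script>"))
    print("hardened:", check_hardening(db))
```

`check_hardening` is the kind of test worth keeping in a project's suite: it pins the behaviour of the fixed code paths, so a later refactor back to string formatting fails the build rather than reaching production.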

35.   Which of the following involves assigning an opaque value to sensitive data fields to protect confidentiality?

A.   Obfuscation

B.   Masking

C.   Tokenization

D.   Anonymization

C. Tokenization is the process of replacing sensitive data with an opaque or random value, with the ability to map back the value to the original real value. This allows an application to operate in the same manner in which it was coded and to use the same values as keys, but without using the actual real values, which may contain PII or other sensitive data. This can allow an application to conform to confidentiality or privacy requirements without the need for other, more expensive and intensive implementations such as encryption. With the ability to map back tokenized values to the original sensitive values, the system that contains the original mappings or is responsible for generating them must be protected and secured to prevent exposure.

A is incorrect because obfuscation involves replacing sensitive or protected data fields with random information, typically for generating data sets for testing in nonproduction systems or other purposes similar in nature. The difference between tokenization and obfuscation is that, with obfuscation, the original mappings to the protected data are not maintained, nor are they important. Although this will be more secure than tokenization because the original mappings are not preserved anywhere, it also means that the data cannot be used in any meaningful way beyond functional testing or development purposes.

B is incorrect because masking is another term for obfuscation.

D is incorrect because anonymization involves replacing data so that it cannot be successfully mapped back to an individual. It is built on the concept of direct and indirect identifiers. Indirect identifiers are those attributes that by themselves cannot map to a single individual, but a combination of many indirect identifiers could lead to the identification of a specific individual. Anonymization is often used in conjunction with the obfuscation or tokenization of sensitive fields as a way of removing the indirect identifiers to ensure the data sets cannot be mapped back successfully through any means.
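The four options in this question are easiest to tell apart by what each one keeps: tokenization keeps a protected mapping back to the real value, masking and obfuscation keep nothing, and anonymization generalizes the indirect identifiers so that their combination no longer singles out one person. The following is an added illustration written for this review, not code from the book; the names, card number, ZIP code and age are constructed sample data, and the generalization rules in `anonymize` are assumptions chosen for the example.

```python
"""Tokenization, masking (obfuscation) and anonymization side by side.

Added illustration. The token vault is the component that must be protected,
because it alone can map a token back to the sensitive value.
"""
import secrets


class TokenVault:
    """Holds the only token <-> value mapping; everything else sees tokens only."""

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value):
        # Same input -> same token, so a token can still serve as a join or lookup key
        # in the application exactly as the real value did.
        if value in self._to_token:
            return self._to_token[value]
        while True:
            token = "tok_" + secrets.token_hex(8)  # opaque: carries nothing about the value
            if token not in self._to_value:
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token):
        """Only the vault can reverse a token, so access to this call must be tightly controlled."""
        return self._to_value[token]


def mask(value, keep_last=4):
    """Masking/obfuscation: irreversible; nothing is stored that could map back."""
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def anonymize(record):
    """Generalize indirect identifiers (assumed rules: ZIP to 3 digits, age to a decade band)
    so that their combination no longer points at a single individual."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    decade = record["age"] // 10 * 10
    out["age"] = f"{decade}-{decade + 9}"
    return out


def protect_record(vault, record):
    """Pipeline as the answer describes it: tokenize the direct identifier the application
    still needs as a key, mask the field that is only ever displayed, generalize the rest."""
    out = anonymize(record)
    out["name"] = vault.tokenize(record["name"])
    out["card"] = mask(record["card"])
    return out


if __name__ == "__main__":
    vault = TokenVault()
    rec = {"name": "Alice Example", "card": "4111111111111111", "zip": "90210", "age": 34}
    protected = protect_record(vault, rec)
    print(protected)
    print("reversible:", vault.detokenize(protected["name"]))
```

Worth noticing is that only `name` can be recovered, and only by asking the vault; `card` and the generalized fields cannot be, which is the trade the answer for A describes between the security of a discarded mapping and the usefulness of the data afterwards.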

36.   Which of the following is NOT one of the security domains presented within the Cloud Controls Matrix?

A.   Financial security

B.   Mobile security

C.   Data center security

D.   Interface security

A. Financial security is not one of the specific security domains presented as part of the Cloud Controls Matrix (CCM). While many other domains will play into the protection of financial information, there is not a domain that is specifically related to it. This also includes the inclusion of costs as a factor in security, because only security controls and policies are part of the CCM.

B is incorrect because mobile security is one of the specific domains outlined in the Cloud Controls Matrix.

C is incorrect because data center security is one of the specific domains outlined in the Cloud Controls Matrix.

D is incorrect because interface security is one of the specific domains outlined in the Cloud Controls Matrix, specifically labeled as application and interface security.

37.   Which ISO/IEC standards set documents the cloud definitions for staffing and official roles?

A.   ISO/IEC 27001

B.   ISO/IEC 17788

C.   ISO/IEC 17789

D.   ISO/IEC 27040

B. ISO/IEC 17788, specifically the latest revision ISO/IEC 17788:2014, provides an overview and vocabulary for cloud computing. It defines much of the commonly used cloud terminology, such as service categories and cloud deployment models.

A is incorrect because ISO/IEC 27001 is a general security standard that can apply to any type of system in any type of hosting environment.

C is incorrect because ISO/IEC 17789 is focused on cloud computing and the reference architecture, including the common features that define cloud computing, such as measured service, broad network access, multitenancy, on-demand self-service, rapid elasticity and scalability, and resource pooling.

D is incorrect because ISO/IEC 27040 is focused on security techniques as they relate to storage security.

38.   Which of the following pieces of information is NOT included as part of PII as a direct identifier?

A.   Address

B.   ZIP Code

C.   Biometric records

D.   Phone number

B. As they relate to PII, ZIP Codes would not be considered a protected piece of information. A ZIP Code, being a broad geographic area, would not meet the definition required for PII because it solely cannot be used to identify an individual. However, combined with other various pieces of information, a ZIP Code could be used to narrow down information and possibly identify or distinguish an individual from others with similar attributes.

A is incorrect because an address relates to a specific resident or location and, as such, can directly identify an individual.

C is incorrect because biometrics can immediately and directly identify an individual, and most biometric markers will be unique to a single individual.

D is incorrect because a personal phone number, and in many instances even a business phone number, can be directly tied to a specific individual and, as such, is definitely considered PII.

39.   Which concept pertains to the risk an organization entails in regard to the ability to move between cloud providers at a later date?

A.   Interoperability

B.   Reversibility

C.   Portability

D.   Broad network access

C. Portability is the concept that allows a cloud customer to easily move between cloud providers at a later date. Portability takes into account the characteristics and features of a system or application that can lead to vendor lock-in and therefore are aspects that should be avoided. For example, if a cloud customer builds their systems or applications around specific APIs or features that are proprietary to a specific cloud provider, it will be almost impossible for the cloud customer to later move to a different cloud provider without incurring substantial costs in both time and money to change their applications, which would also expose them to significant risk for such an undertaking.

A is incorrect because interoperability refers to the ability of a system or application to reuse components from previous versions or other applications in new ways. With this ability, developers can save time and money building applications and components through the use of code that not only is already written, but also tested and verified by both users and security scanning.

B is incorrect because reversibility refers to the ability of a cloud customer to remove all systems, applications, and data from a cloud environment, as well as to ensure that all traces of them have been securely deleted. This is governed by contract terms for the level of assistance that the cloud provider must provide as well as the timeliness of having all tasks completed and verified.

D is incorrect because broad network access is one of the core components of cloud computing, but it does not relate at all to moving between cloud providers. Broad network access refers to the ability to access cloud resources and systems from anywhere and over the public Internet, rather than through restricted network tunnels or specific physical networks.

40.   Which of the following is NOT one of the core building blocks of cloud computing?

A.   CPU

B.   Memory

C.   Storage

D.   Hardware

D. Hardware is not considered one of the core building blocks of cloud computing. With cloud computing specifically, hardware should not be a concern at all for cloud customers, because they will never interact with it or even have a need to really know what it is. All cloud services are segregated from the hardware layer, and cloud customers are only buying computing resources that are consumable in nature and specific to their computing needs.

A is incorrect because CPU is a core building block of cloud computing. When new virtual machines or virtual appliances are provisioned in a cloud environment, one of the main selections made is in regard to their CPU resources. The measured service costs associated with each virtual machine and the aggregate total of CPU resources will tie directly into the costs of hosting with the cloud environment. With the cloud built entirely on virtual and logical infrastructure from the perspective of the cloud customer, CPU allocations per virtual machine can easily be changed by stopping and starting the virtual machine after configuration changes have been made through the service portal. CPU is part of the resource pooling and is shared between the tenants of the cloud environment.

B is incorrect because memory is a core building block of cloud computing. Much like CPU resources, memory is configured per virtual machine, and the individual or aggregate totals will tie into the cost structure for the cloud customer. Memory can also be changed after the provisioning configurations have been updated by a simple stopping and starting of the virtual machine instance. Memory is part of the resource pooling and is shared among the tenants of the cloud environment.

C is incorrect because storage is also part of the pooled resources of a cloud infrastructure, and it shares similar qualities to memory and CPU as far as ease of changes and modifications after initial builds. Depending on the cloud service category, storage will come in different formats, and billing may differ as a unit cost based on the type of storage selected.

41.   You have been tasked with creating an audit scope statement and are making your project outline. Which of the following is NOT typically included in an audit scope statement?

A.   Statement of purpose

B.   Deliverables

C.   Classification

D.   Costs

D. The audit scope statement focuses on the reasons and goals for conducting the audit, and the costs associated with the audit are handled under different processes. By the time an audit scope statement is being worked out between the organization and the auditor, costs will have already been determined and the scope will focus on the technical and procedural details of the audit.

A is incorrect because the statement of purpose is the first step in the audit scope statement. The statement of purpose covers the reason for the audit. Typically, audits can be conducted either for internal purposes of the organization and at the organization’s own request, or they can be conducted to fulfill requirements from regulations. In the case of regulations, the statement of purpose, as well as many aspects of the audit scope as a whole, may be dictated by the regulatory requirements pertinent to the type of application or data under review.

B is incorrect because deliverables are a key component to an audit scope statement. While all audits will ultimately result in the production of certain reports, these reports can differ greatly based on the audience or purpose of the audit. The scope will cover the format of the deliverables, which can be textual reports, presentations, or even formatted specifically for import into software applications for tracking. This also includes who should receive the reports in the end. In most instances, even if they are done for regulatory reasons, unless the auditors are tied directly to the regulators, the reports will first go to management for review and will then be made known to the regulators.

C is incorrect because the classification of the data, as well as the reports produced, is a key consideration of an audit scope. Under most regulatory systems, the classification of the data will directly tie into the type and scope of audit, as well as to what degree specific security controls are tested and what is required of them. When the report is ultimately produced, it could fall under classification requirements as well, depending on the system and data. Audit reports should be well protected at all times because they essentially contain information about verified and perceived weaknesses of the security controls employed on a system, as well as information pertaining to specific threats and the likelihood of their successful exploitation.

42.   With a multifactor authentication system, which of the following would NOT be appropriate as a secondary factor after a password is used?

A.   Fingerprint

B.   RSA token

C.   Text message

D.   PIN code

D. A PIN could not be used as part of a multifactor authentication system if a password is also used because a PIN is essentially a type of numeric password, so both would be in the same category of authentication types—in this case, something “known” to the user.

A is incorrect because a fingerprint could be used along with a password for multifactor authentication. The password would be something “known” to the user, while the fingerprint would be something in the user’s possession, as well as being a biometric factor.

B is incorrect because an RSA token could be used as secondary factor with multifactor authentication if a password is used as well. The RSA token represents a PIN code, and the user would need to be in possession of the token in order to know the regularly changing PIN code that the token has at the time the PIN code needs to be entered. This would satisfy the multifactor requirements because the password would constitute something “known” to the user and the RSA token would be something in possession of the user.

C is incorrect because the use of a text message as a secondary factor along with a password would satisfy the requirement for multifactor authentication. To receive the text message with a secondary code, the user would need to be in possession of a preregistered device, which would be something in their possession. Because the device would have to be preregistered with the system to receive the text code, this is also a robust security system, because it prevents someone from simply obtaining a new device and then trying to use it to access the system.

43.   Which of the following ISO/IEC standards pertains to eDiscovery processes and best practices?

A.   ISO/IEC 27050

B.   ISO/IEC 17789

C.   ISO/IEC 27001

D.   ISO/IEC 17788

A. ISO/IEC 27050 is a standard focused on eDiscovery processes and how best to approach an order. The goal of the standard is to establish common terminology, give an overview of the eDiscovery process, and then provide guidance and best practices for conducting the data collection, including discovery, preservation, and analysis.

B is incorrect because ISO/IEC 17789 provides a reference architecture for cloud computing and is focused on general cloud computing design and implementation. While some information contained would be useful in some instances of eDiscovery, the standard itself does not address eDiscovery at all or provide any guidance toward it.

C is incorrect because ISO/IEC 27001 is focused on general security principles and best practices, and does not have any specific guidance or focus on eDiscovery processes or anything that is involved with them.

D is incorrect because ISO/IEC 17788 provides terminology and definitions for cloud computing in general, but does not have any focus or sections pertaining to eDiscovery at all.

44.   Which of the following is NOT one of the cloud computing activities, as outlined in ISO/IEC 17789?

A.   Cloud service provider

B.   Cloud service partner

C.   Cloud service administrator

D.   Cloud service customer

C. The activity of a cloud service administrator is not one of the defined cloud computing activities in ISO/IEC 17789.

A is incorrect because the cloud service provider is an official role established in ISO/IEC 17789. The cloud service provider is the entity that makes cloud services available to users or customers, regardless of the cloud deployment model or hosting model used.

B is incorrect because the cloud service partner is an official role established in ISO/IEC 17789. The cloud service partner is defined as an entity that assists either the cloud service customer or the cloud service provider in the delivery of cloud services, or both.

D is incorrect because the cloud service customer is an official role established in ISO/IEC 17789. The cloud service customer is defined as any entity that has a business relationship for the use of cloud services.

45.   Which act relates to the use and protection of PII with financial institutions?

A.   SOX

B.   GLBA

C.   HIPAA

D.   PCI DSS

B. The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is specifically focused on the use of PII by financial institutions and the necessary requirements for the protection of it. The act contains what is known as the Safeguards Rule, which puts the specific requirements and burdens on financial institutions to protect the privacy and personal information of their customers. The act also requires regular notification of the privacy practices of financial institutions as well as with whom they share personal information and for what purposes.

A is incorrect because the Sarbanes-Oxley Act (SOX) is focused on the protection of stakeholders and shareholders from financial irregularities, improper practices, and errors by organizations. The act also outlines specific requirements for data retention and preservation of financial and system records.

C is incorrect because the Health Insurance Portability and Accountability Act (HIPAA) is focused on privacy and personal information as it relates to healthcare and health records, and has no bearing on financial institutions at all.

D is incorrect because PCI DSS is a financial industry regulation as it pertains to organizations that accept credit card payments from the major credit network providers. It is focused on security requirements and records retention for those types of transactions specifically, and does not apply to personal data or the financial sector in general.

46.   Which of the following is NOT one of the cloud service capabilities?

A.   Infrastructure

B.   Network

C.   Platform

D.   Software

B. Network is not a defined cloud service capability. Network services are a major component of cloud computing in general, and all service capabilities heavily use and depend on network services, but network is not a standalone category.

A is incorrect because infrastructure is one of the three cloud service capabilities. This is why Infrastructure as a Service is one of the three main cloud service categories, where the cloud provider is responsible for the physical environment and making services available, but the cloud customer is responsible for the virtual machines, configurations, storage, and almost all aspects of maintenance.

C is incorrect because platform is one of the three cloud service capabilities. Platform as a Service, being one of the main cloud service categories, is where the cloud provider makes available to the cloud customer virtual machines with application frameworks installed and configured, where the cloud customer just needs to load their application code and data. The cloud service provider is responsible for the patching and maintenance of the virtual machines and the associated frameworks running on them.

D is incorrect because software is one of the three cloud service capabilities. Software as a Service is one of the main cloud service categories, and one where the cloud provider is responsible for the infrastructure up through the fully functional application. The cloud customer may have limited configuration or default settings to leverage but otherwise is responsible for importing or loading applicable data and then for user account management.

47.   Which of the following would NOT be used to determine the classification of data?

A.   Metadata

B.   PII

C.   Creator

D.   Future use

D. The future use or intended use of data should have no bearing on the classification of it. The classification of data should be based on the sensitivity of the data, any regulatory requirements, and the potential risks and costs associated with compromise. Applications and services that intend to use data must adapt their security controls and policies to the classification of the data. The data should not be classified based on the demands or needs of specific applications or users.

A is incorrect because metadata is one of the keys for classifying data. Information about the creation of data, the time of creation, who created the data, where and how it is stored, and the specific fields involved all play heavily into data classification, and all fall under the concept of metadata.

B is incorrect because any data that contains PII will automatically have legal or regulatory requirements placed on it for data classification. In most regulatory systems, the inclusion of PII will have automatic ramifications on the classification level of the data and the necessary security controls that must be used on it.

C is incorrect because the creator of data can definitely have an impact on the classification level of it. For example, if the creator of data is a doctor’s office, and the nature of the data is healthcare related, then the data will automatically assume certain data classification requirements.

48.   What is the prevailing factor for determining which regulations apply to data that is housed in a cloud environment?

A.   PII

B.   Classification

C.   Population

D.   Location

D. The location of the data, and any jurisdictions that the location falls under, will always be the prevailing factor for determining which regulations apply to it, regardless of what type of data it is.

A is incorrect because while PII will have a definite impact on the regulations that apply to data, it is a subsection of the overall data classification requirements.

B is incorrect because the classification of the data will always have a major impact on the regulations that apply to it, but the jurisdiction, based on location, is ultimately what makes that determination.

C is incorrect because while the population of the data can certainly have an impact on the regulations that apply to it, it is a subset of the overall data classification requirements.

49.   Which concept involves applying standardized configurations and settings to systems to ensure compliance with policy or regulatory requirements?

A.   Images

B.   Repudiation

C.   Baselines

D.   Interoperability

C. Baselines are set configuration standards and requirements that apply to a system or application. Baselines are often part of regulatory or legal requirements and oftentimes follow published industry standard guidelines.

A is incorrect because images form the basis for virtual machines, but are the end result of applied configurations and requirements, not the mechanism for applying or ensuring their compliance.

B is incorrect because repudiation deals with the verifiability of an individual and proof of their activities, and does not have any impact or bearing on system configurations or regulatory requirements, though repudiation and nonrepudiation may certainly be themes of regulatory requirements.

D is incorrect because interoperability has to do with the ability of systems or applications to reuse components or code to make development simpler, more granular and efficient, and less costly. It does not have anything to do with regulatory requirements or their enforcement.

50.   Your company has just been served with an eDiscovery order to collect event data and other pertinent information from your application during a specific period of time, to be used as potential evidence for a court proceeding. Which of the following, apart from ensuring that you collect all pertinent data, would be the MOST important consideration?

A.   Encryption

B.   Chain of custody

C.   Compression

D.   Confidentiality

B. When a company is dealing with eDiscovery orders, the chain of custody is extremely important as it pertains to official legal proceedings. The chain of custody documents everyone who has had possession of the data, in what format, and for what reasons. For data to be admissible for legal proceedings, the chain of custody is vital in showing that nothing has been tampered with and that everyone in possession of the data can be questioned and investigated, if needed.

A is incorrect because although encryption may be used as part of eDiscovery to sign, preserve, and protect any evidence that is collected and turned over, especially if the data is sensitive, in general it is not a required element of eDiscovery.

C is incorrect because although compression may be used when preserving and submitting evidence pursuant to the order, it is not a required element and will have no bearing on the overall process of eDiscovery.

D is incorrect because confidentiality may or may not be a factor with eDiscovery, depending on the nature of the data requested and the types of systems involved.

51.   Which of the following concepts will ensure that no single host or cloud customer can consume enough resources to impact other users on the same system?

A.   Limits

B.   Multitenancy

C.   Reservations

D.   Shares

A. Limits are put in place to enforce the maximum amount of compute resources that any one tenant or system can consume. The limits can be placed on various levels and units, ranging from a specific virtual machine to a cloud customer for the aggregate of their utilization across all systems. They are designed to ensure that no single host or customer can utilize enormous resources that will ultimately make the cloud provider unable to properly allocate resources and serve the needs of other cloud customers.

B is incorrect because multitenancy is the larger concept that deals with hosting multiple, different cloud customers within the same cloud environment. While it is certainly the driving reason why the need for balancing resource allocations is necessary, that concept itself does not play into the specific details of implementations like this.

C is incorrect because a reservation is the minimum amount of resources guaranteed to a cloud customer within the environment. A reservation will typically guarantee to a cloud customer that they will have the minimum required resources necessary to power on and operate their services within the environment. Reservations also offer insurance against denial-of-service (DoS) attacks or other customers using such large amounts of resources that the cloud customer cannot operate their services.

D is incorrect because shares are focused on cloud customers requesting more resources for allocation and provisioning than are currently available in the environment. Shares establish a prioritization and weighting system, defined by the cloud provider, that determines which systems, applications, and customers will receive priority for additional resource requests when utilization is high and resources are limited.
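The following Python example is added to make the three mechanisms in question 51 concrete; it is not from the book and the scheduler is a simplified, hypothetical one. Each tenant first receives its reservation (guaranteed minimum), the remaining pool is then divided among tenants that still want more in proportion to their shares, and no tenant is ever allocated more than its limit (the hard cap that keeps one tenant from starving the others).

```python
"""Added example: limits, reservations, and shares in a resource pool (not from the book)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Tenant:
    name: str
    reservation: int  # minimum units guaranteed to the tenant
    limit: int        # hard cap: the tenant can never exceed this
    shares: int       # relative weight when the pool is contended
    demand: int       # what the tenant is currently requesting


def allocate(pool: int, tenants: List[Tenant]) -> Dict[str, int]:
    """Divide `pool` units of a resource (CPU, memory, ...) among tenants.

    1. Reservations are honored first; if they add up to more than the pool
       the provider has over-committed and the request is refused.
    2. Leftover capacity is handed out in proportion to shares, round by
       round, to tenants that still want more and are under their limit.
    """
    if sum(t.reservation for t in tenants) > pool:
        raise ValueError("reservations exceed pool: provider is over-committed")

    # Limit caps everything: a tenant can never receive more than min(demand, limit).
    want = {t.name: min(t.demand, t.limit) for t in tenants}
    alloc = {t.name: min(t.reservation, want[t.name]) for t in tenants}
    remaining = pool - sum(alloc.values())

    while remaining > 0:
        hungry = [t for t in tenants if alloc[t.name] < want[t.name]]
        if not hungry:
            break  # everyone is satisfied or capped; spare capacity stays idle
        total_shares = sum(t.shares for t in hungry)
        round_pool = remaining
        progressed = False
        for t in hungry:
            headroom = want[t.name] - alloc[t.name]
            grant = min(round_pool * t.shares // total_shares, headroom, remaining)
            if grant > 0:
                alloc[t.name] += grant
                remaining -= grant
                progressed = True
        if not progressed:
            # Integer rounding left crumbs; hand them out one unit at a time,
            # highest shares first, so the loop always terminates.
            for t in sorted(hungry, key=lambda x: x.shares, reverse=True):
                if remaining == 0:
                    break
                alloc[t.name] += 1
                remaining -= 1
    return alloc


if __name__ == "__main__":
    # Constructed scenario: tenant A wants far more than its limit allows,
    # so its limit is what keeps B and C from being squeezed out.
    tenants = [
        Tenant("A", reservation=20, limit=50, shares=2, demand=80),
        Tenant("B", reservation=10, limit=100, shares=1, demand=60),
        Tenant("C", reservation=10, limit=30, shares=1, demand=10),
    ]
    print(allocate(100, tenants))  # A is capped at its limit of 50
```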

52.   Which of the following roles is responsible in many organizations for overseeing access requests for data utilization and ensuring that policies are followed and proper approvals are granted?

A.   Data owner

B.   Data steward

C.   Data processor

D.   Data controller

B. The data steward is responsible for overseeing an organization’s policy in regard to data access, as well as for evaluating access requests and matching them with organizational policy to ensure compliance and proper use. If the business purpose is acceptable, the data steward is responsible for ensuring that appropriate approvals have been obtained and documented as well.

A is incorrect because while the data owner has final authority and responsibility over data policies and access, the data steward is the position officially designated for directly carrying out those duties. The data owner is responsible for establishing the risk management approach to data security and access in conjunction with management and then matching this to the organizational policies or regulatory requirements.

C is incorrect because the data processor is the one who actually uses the data within an application or service. As the consumer of the data, the data processor does not play a role in granting data access or policy enforcement.

D is incorrect because the term data controller is synonymous with data owner; they have the same duties and responsibilities.

53.   Which of the following is directly part of the “metered” costs associated with PaaS?

A.   Staffing

B.   Development

C.   Licensing

D.   Auditing

C. With PaaS, the cloud provider is giving the cloud customer a fully functioning environment, including the operating system and any middleware or application framework components. As part of the services, the licensing costs and tracking are the responsibility of the cloud provider and are factored into the metered costs of the cloud customer.

A is incorrect because staffing comes in many different forms, with many different parties involved. Within cloud computing, although the cloud provider has staffing to maintain the environment, due to self-service provisioning, staffing is not needed as additional virtual machines are brought online or new services provisioned; this is all handled through automated processes.

B is incorrect because development is not part of the services from a cloud provider, nor is it included in the costs from the cloud provider for cloud services. Development would be done under its own contract, or possibly even under contracts that incorporate the costs of the cloud hosting services as well. However, it would not be a direct part of the metered services from the cloud provider as additional resources are allocated or provisioned.

D is incorrect because auditing is part of all cloud service categories and is documented in the contract and SLA requirements. It is not a specific part of any one category over another, though it can differ in scope based on the specific category used. Regardless, it does not relate to the metered costs of any cloud category.

54.   Many highly regulated data types and systems will have specialized regulatory requirements that extend further than the regulatory requirements that apply to all data. Which of the following is NOT a specialized regulatory framework that has its own compliance requirements?

A.   FedRAMP

B.   HIPAA

C.   FIPS 140-2

D.   PCI DSS

C. FIPS 140-2 is a certification for cryptographic modules based on the specific needs and requirements for the level of encryption and the protection of it. It is based on both software and hardware requirements and the level of control, features, and protections that each have. It is not a regulatory framework with compliance requirements.

A is incorrect because FedRAMP is a regulatory framework that the United States federal government uses to assess and certify cloud services for its use by federal agencies. As part of FedRAMP, there is a certification process for low and moderate systems, as well as high systems as of 2016, to meet requirements and auditing. One aspect of FedRAMP is that it was designed for use by any federal agency once a provider had been certified, removing the need for each agency to conduct its own certifications and audits of the cloud services provider. FedRAMP is available for use by civilian agencies and can be used for data and systems other than those for national defense.

B is incorrect because HIPAA relates to regulated healthcare and personal data within the United States, and sets strict and extensive requirements for how it must be protected. It is specialized for healthcare data and supersedes any other regulatory requirements to which a system or data might be subjected. As part of HIPAA regulations, data controllers are subjected to increased scrutiny for the methods and processes they use to protect personal and patient data.

D is incorrect because PCI DSS is an industry-specific regulation and oversight framework, established by the major credit card companies and networks, and is a requirement for any business that conducts transactions over those networks.

55.   Which cloud deployment model offers the most control and ownership over systems and operations for an organization?

A.   Private

B.   Public

C.   Community

D.   Hybrid

A. Private clouds offer the most control and ownership for an organization. With a private cloud, an organization will either have sole ownership or be a strategic paying partner with the entity running the cloud and thus have much more influence and input into decisions and policies than any other model affords.

B is incorrect because an organization would have very little say, or possibly even no say, in how a public cloud operates or functions. Public clouds typically offer free services to the public at large, or offer services to any customer willing to pay. With the large number of customers or free services offered, it is not possible for a public cloud to take into account individual demands from customers or for customers to expect any reasonable likelihood of their demands being met. Public clouds are intended to serve mass populations and to do so cheaply and efficiently. They are not intended for a large degree of customization or for adapting to the particular needs of individual customers.

C is incorrect because while a community cloud will typically offer customers a higher degree of input and influence than a public cloud, it will not match what a private cloud can offer. While a community cloud will usually have a smaller subset of users, who share many common traits, it is still bound to serve multiple different customers with their own needs, desires, and expectations. Any requested changes by one customer would almost certainly have an impact on other customers, so it is difficult to allow customers to have significant influence for particular needs or requests.

D is incorrect because a hybrid cloud itself is not an entity that an organization could have influence over; it is a concept that involves the use of multiple cloud deployment models. As such, the positives and negatives of each environment would be combined within a hybrid cloud and ultimately would minimize the level of influence a cloud customer could have.

56.   Which of the following is encryption MOST intended to address?

A.   Integrity

B.   Availability

C.   Data loss

D.   Confidentiality

D. The purpose of encryption, first and foremost, is to prevent the unauthorized viewing of data. While encryption can be a useful tool when used in conjunction with other tools (for digital signing and nonrepudiation, for example), the protection against unauthorized access to data is its primary intended use and focus. With the use of modern and strong encryption techniques, along with the proper protection of keys, data can easily and efficiently be rendered inaccessible and virtually unbreakable.

A is incorrect because encryption is not focused on integrity, or useful to protect it, in any reasonable sense. Encryption is focused solely on the confidentiality aspect of security overall. While it will prevent a user from accessing the data to modify it, especially while the data is at rest, it is not a tool that can be used with an application or live environment to prevent the unauthorized modification of data once it is accessible.

B is incorrect because encryption will not promote or assist in availability at all. The use of encryption will not enhance the availability or accessibility of data at all; instead, it is merely designed to protect the confidentiality of data.

C is incorrect because encryption will not prevent the destruction or deletion of data at all.
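To make the confidentiality-versus-integrity point concrete, here is an added example (not from the book) using a constructed toy stream cipher built from SHA-256 in counter mode and Python's standard library: decrypting a modified ciphertext silently yields a different plaintext, whereas an encrypt-then-MAC tag (HMAC-SHA256) rejects the modification. The keystream construction is for illustration only; real systems use an authenticated cipher such as AES-GCM or ChaCha20-Poly1305.

```python
"""Encryption alone gives confidentiality, not integrity (added example)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed toy keystream: SHA-256 over key||nonce||counter. Illustration only."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream. The same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = stream_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; refuse modified data."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: data was modified")
    return stream_encrypt(enc_key, nonce, ct)


def flip_byte(data: bytes, index: int, mask: int) -> bytes:
    """Simulate modification of stored or in-transit bytes (corruption or tampering)."""
    out = bytearray(data)
    out[index] ^= mask
    return bytes(out)


def demo():
    """Return (plaintext recovered from modified unauthenticated ciphertext,
    whether the same modification was detected under encrypt-then-MAC)."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(NONCE_LEN)
    msg = b"hello cloud"  # constructed sample message

    # Confidentiality only: the modified ciphertext decrypts without any error,
    # just to a different plaintext ('h' ^ 0x01 == 'i').
    ct = stream_encrypt(enc_key, nonce, msg)
    silent = stream_encrypt(enc_key, nonce, flip_byte(ct, 0, 0x01))

    # Confidentiality plus integrity: the same modification is rejected.
    blob = seal(enc_key, mac_key, nonce, msg)
    try:
        open_sealed(enc_key, mac_key, flip_byte(blob, NONCE_LEN, 0x01))
        detected = False
    except ValueError:
        detected = True
    return silent, detected


if __name__ == "__main__":
    print(demo())  # (b'iello cloud', True)
```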

57.   To test some new application features, you want to isolate applications within the cloud environment from other applications and systems. Which of the following approaches would be the MOST appropriate to accomplish this?

A.   Sandboxing

B.   Application virtualization

C.   Honeypot

D.   Federation

B. Application virtualization allows you to run parallel application deployments in the same environment for the purposes of testing new features or patches. It differs from sandboxing because it does not require distinct systems or segregated networks to function, and can be focused purely at the application level. It takes far fewer resources to set up and use than sandboxing.

A is incorrect because sandboxing goes far beyond isolating applications for testing. With sandboxing, you are setting up totally separate and distinct virtual machines, and in most cases network isolation as well. Although sandboxing could be used to test new features for applications, it goes far beyond that mandate. Therefore, application virtualization is a more appropriate approach to take.

C is incorrect because a honeypot does not have anything to do with the testing of new application features or the isolation of them. A honeypot is a security concept of setting up servers and data that appear to be legitimate production systems in order to entice attackers to go after them instead of the real systems. The security team can then use the attacks and traffic they see going against the honeypot to block sources or refine security controls and configurations of the actual production systems.

D is incorrect because a federation is a concept within identity and access management and does not have any relationship to or impact on application isolation or testing.

58.   Which of the following would NOT be included as input into the requirements gathering for an application or system?

A.   Users

B.   Management

C.   Regulators

D.   Auditors

D. Auditors would not be included or considered during the collection of requirements for an application or system. While auditors will play a role later in any new design or modification by ensuring compliance with regulation and policy, they would not be involved at an early stage at all. The role of an auditor is to validate configurations, policies, and practices against the regulations they are designed to comply with, and to establish a gap analysis between the desired and actual state of the system or application, not to be involved with design or development decisions.

A is incorrect because users would be a primary concern and focus during the requirements-gathering stage of a system or application. Input from users, as the ultimate consumers of the system, is vital for a system to work efficiently and easily, with features that consumers find beneficial and productive. Without the input of users, stakeholders and developers are left to assume their decisions are what people will ultimately desire and need, and substantial gaps between their perceptions and the perceptions of users are very likely. This could lead to a system that does not meet expectations, or even ultimately fails to catch on with consumers.

B is incorrect because management has the major financial role and responsibility to both shareholders and users of a system or application. While the users and their satisfaction will ultimately decide the fate or success of an application, management sets the direction and desired features of the application, as well as ensures compliance with regulators. Management also has the responsibility for protecting both personal and financial data, and needs to be heavily involved at all stages to set priorities and budgets for development, as well as to make decisions as to which requirements to focus on and which might be deferred to a later version or update.

C is incorrect because regulators and the regulations they enforce will have a strong influence on all aspects of an application in regard to security and policies. Many of the features and configurations of a system or application will be driven directly by regulations, or at least choices in approach will be limited by regulations.

59.   Which phase of the SDLC process includes the selection of the application framework and programming languages to be used for the application?

A.   Requirement gathering

B.   Development

C.   Design

D.   Requirement analysis

D. The requirement-analysis phase is where the specific hardware and software platforms with which the programmers will work are decided, along with the specific functionality and features that are expected. These decisions are then used during the design phase, when the programmers plan the actual coding approach and methodology for building the application so that it meets the design requirements.

A is incorrect because the requirement-gathering phase is where the mandatory requirements and success criteria for the development and overall project are decided. This involves representation from all stakeholder groups, and an analysis of any regulatory requirements that must be adhered to as well. The overall budget and timeline for the project are also decided at this phase.

B is incorrect because the development phase is where the actual coding of the application occurs and where the executable code is compiled. As each segment of code is completed and each milestone reached, functional testing is completed against the code to ensure that it functions as designed and required. The development phase is typically the longest phase of the SDLC process.

C is incorrect because the design phase is where the requirements for and decisions on platforms and technologies are combined to form a project plan to create the actual code. This phase also includes the merging of security and risk management concerns into the overall plan, as well as the testing and validation to be completed during the development phase.

60.   Which regulation was designed to optimize personal privacy of, and control over, personal data?

A.   GDPR

B.   HIPAA

C.   SOX

D.   GLBA

A. The General Data Protection Regulation (GDPR) (EU 2016/679) is a regulation, covering the European Union and the European Economic Area, pertaining to data protection and privacy. The GDPR is a uniform regulation throughout the EU and covers all countries, citizens, and areas under its jurisdiction, regardless of where the data is created, processed, or stored. The regulation places the burden for technical and operational controls on the entities that are using and storing the data for the protection and enforcement of it. Under the GDPR, organizations must make it known to users what data they are collecting and for what purpose, whether it will be shared with any third parties, and what their policies are for data retention. The GDPR grants the right to individuals to obtain a copy of the data that an organization is storing in regard to themselves, as well as the right to request deletion of the data in most instances.

B is incorrect because the Health Insurance Portability and Accountability Act (HIPAA) is focused on healthcare data and the privacy and protection of patient data by covered healthcare professionals, and does not pertain to the privacy regulations regarding the European Union.

C is incorrect because the Sarbanes-Oxley Act (SOX) pertains to financial and accounting records and their transparency to regulators and shareholders. It involves reporting requirements and data-retention requirements and does not pertain to the privacy of individuals or interactions with the European Union at all.

D is incorrect because the Gramm-Leach-Bliley Act (GLBA) pertains to PII and financial institutions. It requires that financial institutions provide all users and customers with a copy of their privacy policy and practices, including when and with whom customer information may be shared. It also puts the burden on financial institutions for adequate security controls and oversight of any personal data they collect or store from customers.

61.   Which concept involves the maintenance of resources within a cloud environment to ensure resources are available when and where needed?

A.   Dynamic optimization

B.   Auto-scaling

C.   Elasticity

D.   Resource pooling

A. Dynamic optimization is the continual and automatic process within a cloud environment of shifting resources and virtual machines between physical hosts and resources to ensure a proper balance is maintained. This ensures that a single physical host or a subset of physical hosts does not become maxed out on resources and thus impact other customers or virtual machines on the same host. This ensures availability and auto-scaling and makes sure any provisioning requests are able to be met as they come in from customers.

B is incorrect because auto-scaling pertains to the automatic and programmatic mechanisms for scaling up or down a system or application based on load and demand. It pertains only to the system or application in question and does not pertain to the resources of the overall environment or to meeting the needs of each tenant.

C is incorrect because elasticity refers to the ability of the environment to provision and de-provision resources to meet current needs in a programmatic and automated way. If elasticity is implemented correctly, the systems and applications should ideally have the exact resources they need at any time and not have an excess or deficit of resources.

D is incorrect because resource pooling refers to the overall sharing of the aggregate resources available in a cloud environment between all the individual tenants of the environment. It refers to the overall allocation of resources and is not related to the ability to adapt to specific situations or demands on a system or application.

62.   Which type of storage with IaaS will be maintained by the cloud provider and referenced with a key value?

A.   Structured

B.   Object

C.   Volume

D.   Unstructured

B. Object storage is a type of IaaS storage where files and objects are physically stored on a separate system and are referenced by a key or token value. It differs from traditional storage, as it does not contain any organizational or hierarchical capabilities; instead, everything is stored in a flat system with a token or key as the only reference for access. It is heavily used for media objects such as pictures and videos, or for the storage of larger files where organization is not relevant, such as virtual machine image files.

A is incorrect because structured is a type of storage under Platform as a Service, and is typically related to storage types such as databases that have defined structures and rules pertaining to how the data is organized and stored.

C is incorrect because while volume storage is a type used under IaaS, it involves and resembles traditional storage, with a file system and tree structure where data can be organized and accessed in the same manner as a traditional server (by pathname and filename).

D is incorrect because unstructured is a type of storage under PaaS that is used for handling data objects that will not fit within a structured system. This includes websites and web pages, their associated components, media files, images, or anything else that will not fit within a typical database paradigm.

63.   When an audit plan is being prepared, four distinct steps are done in sequence. Which of the following is the second step, after the defining of objectives?

A.   Define scope

B.   Conduct audit

C.   Identify stakeholders

D.   Gather documentation

A. After the objectives within an audit have been defined, the defining of the scope is the next step. This involves the specifics of what is to be tested as well as all the details about how and when it will be tested.

B is incorrect because conducting the audit occurs after both the scope and objectives have been defined, which will serve as the roadmap for the actual audit.

C is incorrect because the identification of stakeholders will be done as part of initially defining objectives, and will then be refined some during the defining of the scope.

D is incorrect because gathering documentation is not a step itself and is done as part of both the defining objectives and defining scope steps.

64.   Which of the following technology concepts is listed specifically as its own domain as part of ISO/IEC 27001:2013?

A.   Firewalls

B.   IPS

C.   Honeypots

D.   Cryptography

D. Cryptography as an overall concept is a specific domain of ISO/IEC 27001:2013, which covers all of the various aspects and methods where cryptography is used within IT services and operations.

A is incorrect because firewalls are covered under network domains and are not a specific domain themselves.

B is incorrect because IPS is covered under network and application security and is not a domain itself.

C is incorrect because a honeypot is a security mechanism for capturing and analyzing attack attempts against systems that uses a similar-looking server with fake data that is designed to entice attackers. The application owners can then use the exploit attempts that are directed toward the honeypot to refine and augment security controls on the actual production systems.

65.   What are the two main types of APIs used with cloud-based systems and applications?

A.   REST and SOAP

B.   XML and SOAP

C.   REST and XML

D.   HTTPS and REST

A. Representational State Transfer (REST) and Simple Object Access Protocol (SOAP) are the two main types of APIs used within cloud-based systems. SOAP is focused on providing a structured information exchange system for web services, and REST is a protocol for using HTTP requests to access and manipulate data.

B is incorrect because although SOAP is one of the two methods, XML is a protocol for encoding and representing data and is not one of the two main API types for cloud-based systems.

C is incorrect because although REST is one of the two methods, XML is a protocol for encoding and representing data and is not one of the two main API types for cloud-based systems.

D is incorrect because although REST is one of the two methods, HTTPS is a protocol for secure communication extensions to the HTTP web protocol and is not one of the two types of APIs used by cloud-based systems.

66.   You have been tasked by management to offload processing and validation of incoming encoded data from your application servers and their associated APIs. Which of the following would be the most appropriate device or software to consider?

A.   XML accelerator

B.   XML firewall

C.   Web application firewall

D.   Firewall

A. An XML accelerator is designed to sit in front of application servers or services and APIs for the purpose of offloading processing and validation of incoming XML. It is a highly scaled and tuned appliance to handle its specific purpose and will allow the back-end service providers to focus on business logic rather than processing and validating the incoming data.

B is incorrect because an XML firewall is designed to protect systems and scan data as it is coming in and out of an application or data center for validity, but does not provide the processing capabilities and application interaction of an XML accelerator.

C is incorrect because a web application firewall is designed to inspect web traffic coming into an application to detect security exploit attempts or other signatures of the traffic and take specific action against them based on what policies are matched. This can include redirecting or blocking the traffic before it reaches the application.

D is incorrect because a firewall is designed to control network communications between sources and destinations, as well as the ports they are communicating over. It does not perform content inspection on packets.

67.   What is used with a single sign-on system for authentication after the identity provider has successfully authenticated a user?

A.   Token

B.   Key

C.   XML

D.   SAML

A. With a single sign-on system, once the user has successfully authenticated, they are issued an opaque token that can then be used to access systems that are part of the federation. Each system can validate the token back to the identity provider to ensure it is current and to gain information about the user to then make informed decisions on authorization within the application.

B is incorrect because a key would typically refer to encryption and is not used to refer to maintaining the session and presence within a single sign-on system.

C is incorrect because XML is a standard for data encoding and presentation, and would not be used for proving identity after successful login.

D is incorrect because SAML is used within a federated system to pass information about the user for authorization or registration purposes, but would not be used to validate the authentication in the way that the token would be.

68.   Which document will enforce uptime and availability requirements between the cloud customer and cloud provider?

A.   Contract

B.   Operational level agreement

C.   Service level agreement

D.   Regulation

C. The service level agreement (SLA) will determine and document the requirements and expectations for factors such as uptime and availability within a cloud environment that are expected to be met by the cloud provider. This will be done on a percentage basis that represents how much unscheduled or unplanned downtime is allowable within a specified period of time, and will be specific to the applications and systems in question.

A is incorrect because the contract is the high-level formal agreement between the cloud provider and the cloud customer that documents the requirements for policies and resources that are covered for an agreed-upon price, but does not specify operational details such as availability and uptime requirements like the SLA would, or the metrics used to evaluate them.

B is incorrect because an operational level agreement is similar to an SLA, but is used internally between components of the same organization to document duties and responsibilities, and would not pertain to the relations or arrangements between the cloud customer and the cloud provider.

D is incorrect because regulations may serve as the inputs or requirements for specific performance metrics, but not how they would be enforced as part of the business relationship. They would be captured within the SLA, where their requirements and metrics are established.

69.   Which of the following concepts makes repeated audits and verification much more difficult in a cloud environment versus a traditional data center?

A.   Multitenancy

B.   Resource pooling

C.   Elasticity

D.   Virtualization

D. Virtualization makes repeated audits and verifications difficult within a cloud environment because it is almost impossible to ensure that the system being tested now is the same as the previous one. In a virtual environment, images are changed often and systems reimaged for patches or other changes. This differs from a traditional data center where servers are physical assets that can easily be verified as being the same system as before, even if upgrades and features have changed over time.

A is incorrect because multitenancy refers to the hosting of multiple customers within the same cloud environment and within the same pool of resources, and would not play into the ability to audit or ensure consistency over time.

B is incorrect because resource pooling refers to the aggregation of resources from the entire cloud environment and how they are made available to all the customers within the cloud environment, and would not be a factor in auditing consistency over time.

C is incorrect because elasticity refers to the ability for systems to automatically scale up or down to meet current demands without having an excess or deficiency of resources at any given point.

70.   The security principle of the SOC 2 reports consists of seven categories. Which of the following is NOT one of the seven categories?

A.   Monitoring of controls

B.   Legal compliance controls

C.   Change management

D.   System operations

B. The SOC 2 reports do not contain the legal compliance controls as a factor, because they can differ greatly from one jurisdiction to another, and each regulatory system will have its own compliance requirements and auditing demands.

A is incorrect because the monitoring of controls is one of the main seven categories under SOC 2 and pertains to organizations effectively testing and verifying their controls are adequately addressing their intended threats, as well as ensuring that mechanisms put in place are still in place and have not been changed through unintended or unauthorized means.

C is incorrect because change management is a core component of SOC 2 reports and how an organization oversees and verifies the process of changes within their environments. This includes documentation, approvals, and risk management evaluations for all proposed changes, as well as tracking their completion and the signoff from functional testing and validation.

D is incorrect because system operations and how an organization runs its systems through policies and procedures is a core component of evaluation under the SOC 2 reports.

71.   Which privacy standard was developed as a joint effort between AICPA and the CICA?

A.   GLBA

B.   HIPAA

C.   GAPP

D.   ISO/IEC 27001

C. The Generally Accepted Privacy Principles (GAPP) was established by a joint effort between the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). It serves to assist organizations and their management in developing strong privacy programs that address risk and regulatory requirements.

A is incorrect because the Gramm-Leach-Bliley Act (GLBA) was established by the United States federal government to deal with financial organizations and the way they handle personal and private information.

B is incorrect because the Health Insurance Portability and Accountability Act (HIPAA) was established by the United States federal government and pertains to the protection of private health information and records.

D is incorrect because the ISO/IEC 27001 standards on security were established by the joint technical committee between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

72.   Which cross-cutting aspect relates to the ability for a cloud customer to remove their data and systems from a cloud provider and be afforded assurances that it has been securely removed?

A.   Portability

B.   Reversibility

C.   Sanitation

D.   Wiping

B. Reversibility refers to the ability for a cloud customer to withdraw their data and configurations from a cloud environment quickly and efficiently. The cloud provider must also provide assurances and a timeline for securely and completely removing the data from within their environment.

A is incorrect because portability refers to the ability for a system or application to move between different cloud providers, but does not relate to the ability to securely remove its data and configurations from one environment as it moves to another. Instead, portability is purely focused on the ability to move or migrate.

C is incorrect because sanitation commonly refers to the ability to ensure that data has been securely deleted and wiped from a system, but does not pertain to the ability to extract data or configurations from an environment.

D is incorrect because wiping would be the same concept as sanitation in this case, and it would have the same limitations and concepts that apply to it.

73.   Which protocol is the current default and industry standard for encrypting traffic across a network?

A.   TLS

B.   SSL

C.   IPsec

D.   DNSSEC

A. Transport Layer Security (TLS) is the standard protocol used for sending encrypted traffic over a network between two parties. It has replaced SSL, which is no longer considered secure enough for general usage. TLS supports much stronger and more robust encryption ciphers.

B is incorrect because SSL was the predecessor to TLS and has been replaced as the standard method for encrypting communications over the network. At this point, SSL is considered insecure because it uses weaker and older ciphers that no longer provide adequate protection or assurance of security.

C is incorrect because IPsec is a communications method that is used to encrypt traffic between two hosts. However, it is not in widespread use due to resource limitations and demands. It also requires known hosts to be configured to use it, and it is not a general-purpose encryption method that is widely available.

D is incorrect because DNSSEC is used to verify the integrity and authority of DNS resolution and lookups back to their intended issuer. It digitally signs DNS resolutions that can be verified back to their source, preventing the spoofing or redirecting of network traffic by sending out incorrect IP address resolutions to hosts.

74.   Which network concept is used within a cloud environment to segregate and isolate network segments from other systems or applications?

A.   Subnets

B.   VLANs

C.   Gateways

D.   IPsec

B. Because cloud environments do not have the ability to physically separate networks the same way a traditional data center would, they rely on logical separations with VLANs to keep systems isolated from others. This enables security to be controlled within the VLAN and allows similar systems and applications to communicate with each other within a secure enclave where the separation of physical networks and cabling is not possible.

A is incorrect because subnets break up larger networks into logical sections for IP addressing and organization, but do not contain the protections and segregations that VLANs afford and allow.

C is incorrect because gateways are where systems send data when they do not know the specific route. The gateway can determine how to route the packets to the correct destination and can serve as a router on the network.

D is incorrect because IPsec is an encryption protocol that is applied to each and every packet sent between two systems over the network, and does not play a role in the segregation of networks without a logical framework.

75.   Which jurisdiction, through Directive 95/46, enacted in 1995, declared data privacy to be a human right?

A.   United States

B.   European Union

C.   Russia

D.   Japan

B. The European Union issued Directive 95/46, which established data privacy of personal information to be a human right. Following this directive, Europe has had some of the strictest privacy controls and requirements in the world.

A is incorrect because the United States does not currently have a federal-level policy on data privacy and personal information protection in a general sense, but it does for more specific applications such as healthcare and financial data.

C is incorrect because Russia did not issue Directive 95/46, but it does have its own laws focused on protecting the privacy of information for Russian citizens, including restrictions that require all data on Russian citizens to be housed on servers that reside within the political boundaries of the Russian Federation.

D is incorrect because Japan was not a party to Directive 95/46.

76.   What type of encryption allows for the manipulation of encrypted data without having to first unencrypt it?

A.   Homomorphic

B.   Symmetric

C.   Asymmetric

D.   Public key

A. Homomorphic encryption is a new, cutting-edge type of encryption that allows a system or application to read and manipulate encrypted data without first having to unencrypt it. This allows for enhanced security because the data does not need to reside on a system in unencrypted format at any point, so even a compromise of a system will not reveal data to the malicious actor, because they would still need the encryption keys to read it, even on a live system that is accessing the data.

B is incorrect because symmetric encryption refers to the situation where both parties of a secure communication have the same key pairs and they are exchanged prior to communications being established. This allows for very fast communications over encrypted channels, but does require both parties to be known and familiar with each other before attempting communication so that the keys can be exchanged.

C is incorrect because asymmetric encryption is done through the use of keys and certificates issued by known authorities that are trusted by both parties. This requires reliance on the third-party authority to establish trust, and it enables communications over secure channels where the parties don’t know each other and haven’t already exchanged keys.

D is incorrect because public key is another term for asymmetric encryption.
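The following added example (not from the book) shows the property in working code with a toy Paillier cryptosystem, which is additively homomorphic: a party that holds only the public key and ciphertexts, such as a cloud service, can add encrypted values and scale them by a plaintext constant, and only the key holder can decrypt the result. The primes 104723 and 104729 are constructed small values for illustration; real deployments use primes of 1024 bits or more.

```python
"""Toy Paillier cryptosystem illustrating computation on encrypted data (added example)."""
import secrets
from math import gcd

# Constructed small primes for illustration only (the 9999th and 10000th primes).
P, Q = 104723, 104729


def keygen(p: int = P, q: int = Q):
    """Return (public, private) Paillier keys using the g = n + 1 simplification."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p - 1, q - 1)
    # With g = n + 1, g^lam mod n^2 = 1 + lam*n, so L(g^lam mod n^2) = lam
    # and the decryption constant mu is simply lam^-1 mod n.
    mu = pow(lam, -1, n)
    return (n, n + 1), (lam, mu)


def encrypt(pub, m: int) -> int:
    """E(m) = g^m * r^n mod n^2 with a fresh random r coprime to n (randomized)."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("message out of range")
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = pub
    lam, mu = priv
    u = pow(c, lam, n * n)
    return ((u - 1) // n * mu) % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """E(m1) * E(m2) mod n^2 = E(m1 + m2): addition without the private key."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c: int, k: int) -> int:
    """E(m)^k mod n^2 = E(k * m): multiplication by a plaintext constant."""
    n, _ = pub
    return pow(c, k, n * n)


def untrusted_total(pub, ciphertexts) -> int:
    """What a key-less service can do: sum values it is unable to read."""
    total = encrypt(pub, 0)
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


if __name__ == "__main__":
    pub, priv = keygen()
    readings = [17, 25, 8]  # constructed sample values, e.g. per-tenant usage counters
    enc = [encrypt(pub, v) for v in readings]  # only ciphertexts leave the customer
    print(decrypt(pub, priv, untrusted_total(pub, enc)))  # 50
```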

77.   Which of the following threat models includes discoverability as a key component and concern?

A.   DREAD

B.   SOX

C.   STRIDE

D.   CSA Treacherous 12

A. The DREAD threat model includes discoverability as the second D in the acronym. In this sense, discoverability refers to the likelihood that a malicious actor will discover that a specific vulnerability exists and have the ability to exploit it.

B is incorrect because the Sarbanes-Oxley Act covers companies and the way they handle financial transactions, records, retention, and the transparency of their practices and compliance. The concept of discoverability does not directly play a role in SOX.

C is incorrect because the STRIDE threat model does not include discoverability as one of its key components. With the STRIDE acronym, the D stands for denial of service.

D is incorrect because the Cloud Security Alliance Treacherous 12 does not include discoverability as one of its 12 key components.

78.   From a legal perspective, data that is covered under eDiscovery falls into three different categories. Which of the following is NOT one of the three?

A.   Possession

B.   Shared

C.   Control

D.   Custody

B. From the perspective of eDiscovery, with whom data is shared is not a primary concern or one of its main principles. Data collection is the responsibility of the authoritative source or the systems that use it, but logging and preservation focus on the data owner, or the one who controls the data and makes it available to consumers.

A is incorrect because possession of the data is one of the three main components of eDiscovery, and the party that possesses the data will likely be the first recipient of the eDiscovery order.

C is incorrect because control of the data is one of the main components and principles of eDiscovery. This is of particular concern within a cloud environment because the boundaries will blur between the cloud customer and cloud provider with most cloud implementations.

D is incorrect because custody is one of the main principles and components of eDiscovery. Within a cloud environment, custody is very important and can be complex because the duties for custody fall on both the cloud provider and the cloud customer, and depending on the type of cloud implementation, the duties may fall on one party more than the other.

79.   Which of the following would be covered by an external audit and NOT by an internal audit?

A.   Security controls

B.   Costs

C.   Operating efficiency

D.   System design

A. Security controls and testing are crucial aspects of an external audit and typically the focus of one. While internal audits may perform some level of security controls validation, they are not considered to be valid audits, because there is no independent external auditor to evaluate them. Independent and external testing for audits is paramount to instill trust in a system, and it is a required component for regulatory compliance and certification programs.

B is incorrect because costs would be considered part of an internal audit of operation policies and procedures. External audits are focused on regulatory compliance or certifications, as well as on ensuring customer requirements for security controls and validation, and are not concerned with costs. They are only concerned with the compliance (or lack thereof) with requirements and regulation.

C is incorrect because operating efficiency is a major component of internal auditing and a crucial input for management oversight and decision making. An external audit would not be concerned with operating efficiency, but rather only with compliance with regulatory or certification standards and the validation of security controls and policies.

D is incorrect because system design overall is internal to an organization. While an external audit will likely include a review of system design, it is for the purposes of establishing knowledge of how security controls are designed and implemented, not with the soundness of efficiency or customer satisfaction beyond the security controls requirements and validation.

80.   What is the most prevalent communications protocol for network-based storage solutions within a data center?

A.   iSCSI

B.   TCP

C.   TLS

D.   NetBIOS

A. iSCSI is a protocol that sits on top of the TCP stack and enables the sending of SCSI commands over a network, rather than through the traditional method in a physical environment where storage devices are directly attached to the server. Within a cloud data center especially, iSCSI is crucial because virtual machines and other virtual appliances will not have any direct physical connections to storage systems.

B is incorrect because TCP is the general protocol for network communications and is not specifically related to storage systems or the direct carrier of storage communications or commands. TCP does play a central role given that iSCSI is dependent on it, but by itself TCP is not an appropriate answer here.

C is incorrect because TLS is a secure communications and encryption protocol for network traffic, but it’s not specifically related to storage systems or the carrying of storage solution communications.

D is incorrect because NetBIOS is an API that allows applications on a local area network to communicate with each other, and is not specifically related to storage communications.

81.   Which of the following security responsibilities is always solely under the cloud provider?

A.   Infrastructure

B.   Data

C.   Physical

D.   Application

C. Regardless of the cloud service category employed, the cloud provider will always be responsible for the management and operations of the underlying physical environment. Even with IaaS, the cloud customer is not responsible for, or involved with, the physical environment at all.

A is incorrect because infrastructure is the sole responsibility of the cloud provider with PaaS or SaaS, but is a shared responsibility with the cloud customer for IaaS.

B is incorrect because data is always the responsibility of the cloud customer, who is responsible for the maintaining and loading of data as well as ensuring the appropriate use of it and access to it. Even within a SaaS implementation, the cloud customer as the data owner is always responsible for the data.

D is incorrect because only in the SaaS service category is the cloud provider responsible for the applications. With both PaaS and IaaS, the cloud customer loads, configures, and maintains the applications at all times.

82.   Your organization has made it a top priority that any cloud environment being considered to host production systems have guarantees that resources will always be available for allocation when needed. Which of the following concepts will you need to ensure is part of the contract and SLA?

A.   Limits

B.   Shares

C.   Resource pooling

D.   Reservations

D. A reservation is a set-aside and guaranteed amount of resources that will always be available to a system or application. Typically, reservations represent the minimal amount of resources required to power on and operate a cloud customer’s systems, but may not provide for increased provisioning as needed.

A is incorrect because limits are upper boundaries on the amount of resources that a system, application, or customer can consume within a cloud environment, and are not a guarantee that a specific minimum of resources will be available at any given point.

B is incorrect because shares are a means of prioritizing the allocation of requested resources for times when there may be limitations on what can be allocated. This allows the cloud provider to establish a weighting system based on contract, system, application, or any other factor that they need for their systems to follow when resources are requested. Those with the highest priority will receive what is requested first and foremost, and those at the lower end will receive resources last, or possibly not at all.

C is incorrect because resource pooling represents the overall aggregation and allocation of compute resources throughout the entire cloud environment, as well as the sharing of all of these resources by any cloud customers hosted within the environment. Resource pooling applies to the overall concept of aggregating and sharing resources, rather than the actual allocation and management of them.

83.   Which is the most commonly used standard for information exchange within a federated identity system?

A.   OAuth

B.   OpenID

C.   SAML

D.   WS-Federation

C. The Security Assertion Markup Language (SAML) is the standard protocol for information exchange within federated identity systems. It is used for exchanging both authentication data and information to be used for authorization purposes. SAML is based on XML standards and is widely used throughout the industry to ensure compatibility between identity providers and service providers or relying parties.

A is incorrect because OAuth is a standard for providing login services to online sites and applications through the use of a user’s credentials on a third-party system such as Google or Facebook. Through OAuth, the user can authenticate and gain access to an application without exposing their login credentials or creating a new account on that system. However, it is not the common standard for information and authentication exchange within federated systems.

B is incorrect because OpenID is similar to OAuth, in that it allows a user to use their own authentication system to log in to a new system, but it is not the standard protocol used with federated systems. OpenID allows a user to use accounts such as Google and Facebook to authenticate to new applications, without the need to create a new account or expose their login credentials to it.

D is incorrect because while WS-Federation is also a federated identity system, it is one that was developed by a select group of companies for use within their systems and is not used in a widespread manner as a standard for the federated identity systems that are commonly used.

84.   Which of the following common threats involves an organization not placing sufficient controls and oversight on its systems and data protection?

A.   Data loss

B.   System vulnerabilities

C.   Insufficient due diligence

D.   Advanced persistent threats

C. Insufficient due diligence is where an organization does not properly evaluate, plan, design, operate, or secure their systems and applications or the data that they house. Any of these areas can cause security exposure if sufficient due diligence is not applied to them, and can lead to any other sorts of vulnerabilities and attacks being possible as a result.

A is incorrect because data loss occurs when data is corrupted or deleted, either intentionally or through the actions of malicious actors, or even malicious insiders. While a security breach will often be the result of not placing sufficient oversight or security controls in place, that is not the focus of the data loss vulnerabilities, so it is not the best answer in this case.

B is incorrect because system vulnerabilities can occur in many forms, and are not necessarily the result of insufficient oversight or controls. They can occur in software or configurations, even those done following best practices, because exploits can be found nonetheless.

D is incorrect because advanced persistent threats involve a malicious actor establishing a presence in an environment and gathering information or data over a long term; these are often caused by insiders being susceptible to social engineering attacks such as phishing. In many circumstances, the cause of this threat is a lack of training and not a deficit of security controls or oversight.

85.   Which of the following groups would NOT be appropriate to share a SOC 1 report with?

A.   Regulators

B.   Potential customers

C.   Current customers

D.   Management

B. SOC 1 reports are considered restricted-use reports and are limited in the audience they can or should be exposed to. Potential customers, who do not currently have a contractual or business relationship with a cloud provider, would not be included within the restricted-use classes.

A is incorrect because regulators are a key audience of SOC 1 reports and one of the primary groups that will receive and review them.

C is incorrect because current customers are a key audience for SOC 1 reports. They do have a contractual agreement with a cloud provider and, as such, have the necessary nondisclosure agreements and understandings that come with it.

D is incorrect because regardless of the type of audit requested by an organization, the audit will always be available to management and those responsible for ordering it.

86.   With data in transit, which of the following will be the MOST major concern in order for a DLP solution to properly work?

A.   Scalability

B.   Encryption

C.   Redundancy

D.   Integrity

B. In order for a DLP solution to work with data in transit, first and foremost it has to be able to read the data as it is transmitted. Typically, this will be done by having the DLP system decrypt and then re-encrypt packets as they pass through it. This enables the point-to-point encryption to still be in place, but also allows the DLP system to do its inspection and processing of data in a secure manner.

A is incorrect because scalability is a concern all around with any system or technology, but it is not a specific concern with data in transit in the way encryption is, which can make an entire system ineffective if not handled correctly. If a system is not scaling and processing becomes very slow, at a minimum it would be a performance issue; it would not result in the exposure of data or the bypassing of policies.

C is incorrect because redundancy is not a major factor in ensuring that a DLP system properly protects data. Although a lack of redundancy can lead to problems with availability or speed, it will not expose sensitive or protected data in the event of an outage.

D is incorrect because integrity is not a major concern with a DLP solution. The focus is on ensuring that only authorized parties are able to access the data, as well as how it is accessed, because confidentiality is paramount. Also, because connections are typically encrypted, integrity will be ensured through the use of trusted keys to read and access the data upon receipt.

87.   Which of the following, if important to the cloud customer or required by regulation, is something that must be addressed by a contract, versus an SLA, to ensure compliance?

A.   Certifications

B.   Availability

C.   Incident management

D.   Elasticity

A. Certifications, based on industry and independent standards, are a primary means for a data center to ensure certain security controls and operational best practices are followed by a cloud provider. Certifications provide both the standards and best practices required for specific types of data or the classification of it, as well as requirements for regular audits and remediation for any deficiencies found from the audits. If certifications are required or desired, they must be documented and agreed to as part of the contract. Many cloud providers maintain a number of certifications by default to serve the needs of their customers, or the vast majority of their customers. Because a cloud provider is likely serving a large number of customers, it is unlikely it will be willing to obtain any additional certifications required by specific cloud customers and will instead only offer the ones it has already obtained and maintains. Even if a cloud provider does currently have a certification that is desired or required by the cloud customer, it should still appear in the contract as a requirement to ensure the continued maintenance of the certification by the cloud provider.

B is incorrect because availability is an operational issue that would be addressed by SLA requirements instead of the contract.

C is incorrect because incident management, including its timing and process, is an operational issue that would be covered by the SLA and not the contract. The contract may require that an incident management process exist with the cloud provider, but the exact details and specific requirements of it would be contained within the SLA.

D is incorrect because elasticity would also be an operational issue covered by the SLA and not contained within the contract, with the exception of the contract possibly requiring the capability in general at a high level. The SLA would contain the exact requirements for elasticity and how it is to be implemented and controlled.

88.   Which of the following aspects of the physical environment is considered an external redundancy issue?

A.   Generators

B.   Cooling chillers

C.   Power distribution units

D.   Storage systems

A. Generators are considered an external redundancy issue because they sit outside the interior of the data center and act on the incoming power feeds and their availability. They do not serve a redundancy capacity for power once it has entered the data center itself, and they are independent of the data center.

B is incorrect because cooling chillers are contained within the interior of the data center and operate on systems within it. Although in some instances there may be external coolers that pump in cold air from the outside, in general they are considered internal.

C is incorrect because power distribution units (PDUs) are internal to the data center and provide power directly to the racks, actual systems, and other internal components of the data center. They receive power from the outside and operate on the interior, and as such, are an internal redundancy issue.

D is incorrect because storage systems are part of the actual systems and operations of the data center, and by definition are an internal redundancy issue. They are contained within the racks or on the floor of the actual data center, and they receive inputs of power and network after they pass into the data center and have gone through their own internal redundancy capabilities. Therefore, storage systems are near the end of the chain and are solely internal to the data center.

89.   Which of the following methods is often used to obscure data from production systems for use in test or development environments?

A.   Tokenization

B.   Encryption

C.   Masking

D.   Classification

C. Masking involves replacing sensitive data fields with opaque and randomized values. It is particularly used for preparing production data for test or development environments, where the data is needed in the same format, but having connections to real users or sensitive data is not important. Unlike tokenization, masking does not have the ability to map the data back to the original values, which is why it is typically used for testing in nonproduction environments.

A is incorrect because tokenization involves replacing sensitive fields with opaque values while preserving the mappings back to the original data. It is a tactic typically used in live systems to protect sensitive data and retain the real mappings on another system. By using tokenization with test data, you are still exposing potential security risks in less secure environments because the mapping back to the original values is possible. Therefore, masking is more appropriate.

B is incorrect because encryption would not be used to prepare data for testing in nonproduction systems. It would be used for the transport or protection of data in a nonproduction environment in some cases, but once the data is there and loaded into the environment, encryption would not provide any protection and will still result in having sensitive or production data in a test or development environment.

D is incorrect because classification is the determining of security controls and categories for data and the degree of protection required. It would not play a role in the loading of production data into a nonproduction environment.
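The masking-versus-tokenization distinction above, as an added example that is not part of the original text: a constructed customer record is masked with format-preserving random values (no mapping retained) and, separately, tokenized through a vault that can reverse the substitution, which is exactly what makes tokenized data risky in a less secure test environment. The record, field names and the `TokenVault` class are assumptions made for this illustration.

```python
"""Masking vs tokenization of a production record (added example).

Masking keeps each field's shape so test code behaves normally but retains
no way back to the real value. Tokenization keeps a vault mapping, so any
environment that can reach the vault can recover the original data.
"""
import hashlib
import hmac
import re
import secrets
import string

# Constructed sample production record, not real data.
PRODUCTION_RECORD = {
    "customer_id": 10042,
    "email": "jane.doe@example.com",
    "card_number": "4111111111111111",
    "phone": "+1-555-010-4242",
}


def _random_digits(n):
    return "".join(secrets.choice(string.digits) for _ in range(n))


def mask_record(record):
    """Return a copy with sensitive fields replaced by random, format-preserving
    values. Nothing links the result to the original, so it is safe to load
    into a test or development environment."""
    masked = dict(record)
    local, _, _domain = record["email"].partition("@")
    # Same local-part length; reserved domain that can never deliver mail.
    masked["email"] = "".join(secrets.choice(string.ascii_lowercase)
                              for _ in local) + "@example.invalid"
    masked["card_number"] = _random_digits(len(record["card_number"]))
    # Keep the separators and layout, randomize every digit.
    masked["phone"] = re.sub(r"\d", lambda m: secrets.choice(string.digits),
                             record["phone"])
    return masked


class TokenVault:
    """Tokenization (hypothetical minimal vault): values are replaced by opaque
    tokens, but the vault keeps the mapping so production can recover them.
    Tokens are a keyed HMAC so equal values map to equal tokens (joins and
    lookups still work) without the token itself revealing the value."""

    def __init__(self, key):
        self._key = key
        self._vault = {}  # token -> original value (the sensitive side)

    def tokenize(self, value):
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:24]
        self._vault[token] = value
        return token

    def detokenize(self, token):
        # Unknown tokens raise KeyError rather than guessing a value.
        return self._vault[token]

    def tokenize_record(self, record, fields=("email", "card_number", "phone")):
        out = dict(record)
        for field in fields:
            out[field] = self.tokenize(record[field])
        return out


def can_recover_original(vault, tokenized, field):
    """True if whoever holds `tokenized` can also reach `vault` and therefore
    recover the real value: the exposure the text warns about for test data."""
    try:
        return vault.detokenize(tokenized[field]) == PRODUCTION_RECORD[field]
    except KeyError:
        return False


if __name__ == "__main__":
    masked = mask_record(PRODUCTION_RECORD)
    vault = TokenVault(secrets.token_bytes(32))
    tokenized = vault.tokenize_record(PRODUCTION_RECORD)
    print("masked   :", masked)
    print("tokenized:", tokenized)
    print("card recoverable from tokens:",
          can_recover_original(vault, tokenized, "card_number"))
```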

90.   As part of an audit, systems and processes are tested to evaluate whether they are in compliance with regulatory or organizational policy requirements. What is the official term for determining any discrepancies between the real and desired states?

A.   Audit findings

B.   Gap analysis

C.   Audit deficiency

D.   Compliance analysis

B. A gap analysis is an official report on the differences and inconsistencies between the intended or required configurations and operations of a system or application and the reality of what is actually in place and in effect.

A is incorrect because audit findings is a common term used for the gap analysis by many in the industry, but it is not the official term used as part of the auditing process.

C is incorrect because audit deficiency is not a term used to refer to the concepts within a gap analysis.

D is incorrect because compliance analysis is not a term used to refer to what is officially known as gap analysis, nor is it a term used to refer to anything within the IT industry.

91.   In a cloud environment, apart from confidentiality, what is the MOST important factor to consider with a key management system?

A.   Integrity

B.   Nonrepudiation

C.   Availability

D.   Archiving

C. Cloud-based systems and applications are heavily dependent on encryption for virtually all communications and storage systems. The confidentiality and protection of the keys are the most important factors in providing the security of data within the system. Beyond confidentiality, the availability of the key management system is vital for any applications and access to work in order to make data available. If the key management system becomes unavailable, it is impossible to access systems or their data, effectively shutting down all operations until access to the key management system can be restored.

A is incorrect because encryption is not designed or intended to provide integrity of systems or data. As such, confidentiality and availability of the key management system are the most important factors. However, integrity does come into play somewhat with the key management system because any altering or corruption of keys will also render them useless, which is what makes backups and redundancy imperative as well.

B is incorrect because the important factor for encryption is having the correct set of keys. If you are in possession of the correct working keys, it is assumed that you have obtained them from an appropriate known source, because they would have been used to encrypt the data or communication initially. Thus, nonrepudiation is automatically provided because you can verify the keys are correct and from the correct source if you can successfully use them to decrypt the encrypted data.

D is incorrect because archiving is not an important factor in key management systems. Keys are only good as long as they are used to encrypt data or communications, and the long-term archiving of keys would be unnecessary if they are not currently used. There would be no reason to keep keys in archive format like there is for logs and other important data within systems and applications.

92.   Which of the following top security threats involves attempting to send invalid commands to an application in an attempt to get the application to execute the code?

A.   Cross-site scripting

B.   Injection

C.   Insecure direct object references

D.   Cross-site request forgery

B. Injection involves sending invalid commands through input fields in an application with the intent of getting the application to execute the code and thus bypass many security controls that are in place. If an application does not properly validate input fields to ensure that they are in the correct format and do not contain extraneous code or commands, the application may expose data or configuration information to a malicious actor.

A is incorrect because cross-site scripting involves attempts to have the user’s client or browser execute commands against a site. Because it is executed against the client side or browser, it is not a direct attempt to inject commands into the application. It is intended to have the user’s browser access the application with their own credentials and bypass common security tactics such as same-origin policies.

C is incorrect because insecure direct object references involve the exposure of internal information or configurations that appear within the code and are viewable on the client side. This can include directory structures, filenames, configuration items, information about service accounts or credentials, or any other type of information that should not be exposed outside of the actual system hosting the application or services.

D is incorrect because cross-site request forgery involves having a trusted client of an application or trusted user send unauthorized commands under their own credentials. It essentially involves leveraging a valid, trusted user’s session and credentials to attack a site or application.

93.   Which of the key aspects of security is concerned with ensuring information and data is in its intended format and has not been altered?

A.   Integrity

B.   Confidentiality

C.   Availability

D.   Privacy

A. Integrity is the main security principle concerned with data being in its intended form and accurate. This allows the data to be considered trustworthy throughout its entire lifecycle, ensuring that it has not been altered in an unauthorized manner or by an unauthorized party.

B is incorrect because confidentiality is concerned with ensuring that no one but authorized users are able to access or read data. It is not concerned with the content of the data in regard to the editing or manipulation of it.

C is incorrect because availability is the main security principle concerned with data being available to authorized parties as needed and in the form needed. It is not focused on the content of the data or the protection of it from unauthorized altering.

D is incorrect because privacy is concerned with the confidentiality of personal data and ensuring that it is not viewed or accessed by anyone unauthorized to do so. Akin to confidentiality, privacy is not focused on the editing or manipulation of data.

94.   Which of the following has user training as a primary means of combating and mitigating its success against a cloud application?

A.   Data breaches

B.   Account hijacking

C.   Advanced persistent threats

D.   Malicious insiders

C. Advanced persistent threats involve a malicious actor establishing a presence within a system or application, with the goal of accessing information or resources over an extended period of time while avoiding detection. Some of the primary ways of establishing such a presence are through attacks such as phishing, infected USB devices, and social engineering attempts to get users to execute code on a system. One of the most effective ways to combat many of these types of attacks is through user education to avoid their successful execution and entry into a system. This should be coupled with other technological countermeasures as well.

A is incorrect because data breaches are active exploits done by attackers that require policy and technological solutions to prevent. Overall, user training will not be an effective countermeasure for data breaches, with the exception of those that occur as a result of advanced persistent threats.

B is incorrect because account hijacking is a major threat in which malicious actors are able to obtain credentials to access a system. Although training can be used to mitigate account hijacking, technological countermeasures are also very effective against it (unlike with advanced persistent threats). Countermeasures such as the use of multifactor authentication systems can effectively eliminate the hijacking of account credentials for accessing a system.

D is incorrect because user training will not be an effective tool against malicious insiders. By nature, malicious insiders have decided to use their legitimate access for unauthorized purposes; therefore, training efforts will not be an effective mitigation.

95.   You have been tasked with developing a list of requirements for cabling design in a new data center as well as ensuring that any designs developed by the networking team meet standards. Which standard should you consult?

A.   IDCA

B.   BICSI

C.   Uptime Institute

D.   NFPA

B. The Building Industry Consulting Service International (BICSI) issues standards and certifications related to complex cabling of data systems. The standards are focused on cabling setups and designs, but also include specifications on power, energy efficiency, and setup and configuration of hot and cold aisles within a data center.

A is incorrect because the International Data Center Authority (IDCA) establishes standards for all aspects of data center design. While it does include some guidance on cabling design and implementation as part of its Infinity Paradigm, it is just one small section of their overall guidelines and not a focus of them. BICSI is a far more focused and comprehensive set of standards specific to cabling design.

C is incorrect because the Uptime Institute is focused on data center tiers and topologies. It establishes a paradigm of four tiers, with each tier building in more redundancy and reliable systems than the previous tier. It focuses on redundancy and reliability of all aspects of data centers and data center operations, as well as provides testing protocols for ensuring compliance with standards.

D is incorrect because the National Fire Protection Association (NFPA) issues guidelines for fire protection for any type of building or facility, not just data centers. Specific to a data center, the standards provide guidance for electrical wiring and emergency procedures for all systems within a data center.

96.   Which network protocol is essential for allowing automation and orchestration within a cloud environment?

A.   DNSSEC

B.   DHCP

C.   IPsec

D.   VLANs

B. The Dynamic Host Configuration Protocol (DHCP) is designed to automatically provide an IP address and other crucial network information to hosts on a network, as well as to provide for the centralized management of their network presence. This differs from the traditional static approach, where a host would have a specific configuration entered into it that would need to be changed individually and directly on the host if the need ever arose. With a cloud environment, where systems auto-scale and are dynamically optimized and moved around constantly, the static method would never work. With DHCP, it is trivial for new hosts to be enabled as well as for hosts to be moved between physical hardware programmatically and the network information to be easily updated and changed as necessary.

A is incorrect because DNSSEC is a protocol for ensuring the integrity of DNS resolutions and their validation back to an authoritative host. It does not offer any capabilities for providing network configuration information to hosts or assisting with the automation or orchestration of a dynamic environment.

C is incorrect because IPsec is a protocol that works along with IP communications and encrypts each packet of a session. It is used for point-to-point communications security and would not play any role in the automation or orchestration of systems within a cloud environment.

D is incorrect because VLANs are virtual network segments used to isolate devices by application, purpose, or environment; they assist with providing access controls and restrictions based on networking. While they are crucial to making a cloud environment work with security practices and regulatory requirements, VLANs are not essential or a part of the automation and orchestration of cloud services.

97.   Which of the following tools has the ability to analyze incoming traffic for patterns and content and take appropriate actions based on them before the traffic reaches the actual applications?

A.   XML accelerator

B.   XML firewall

C.   Web application firewall

D.   Firewall

C. A web application firewall (WAF) is typically an appliance that inspects HTTP traffic before it hits an application server and has the ability to apply a set of filters and rules to it. A WAF will typically be used to detect and block XSS and injection attempts before they hit the actual application, but it also has the ability to detect and manipulate almost anything that is found in an HTTP communication stream. A WAF can also be used to block specific traffic based on originating IP address, type of request, or virtually any other aspect of the request.

A is incorrect because an XML accelerator is intended to process XML traffic and data packages before they reach an application server. This allows a highly optimized appliance to offload substantial processing requirements and load from application servers, and it allows for faster and more efficient processing of requests and data.

B is incorrect because an XML firewall serves the purpose of inspecting incoming XML traffic and applying security policies and processing to determine if it is legitimate and should be allowed to reach the application servers. While it serves a similar functionality to a WAF, it is focused solely on the processing of XML data and not on general processing of HTTP requests and communications.

D is incorrect because firewalls are network appliances and work solely on network layer traffic, applying rules based on ports, protocols, and IP source and destinations. Firewalls are not capable of inspecting packets at the application layer or applying rules to such packets.
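
The following Python script is an added illustration of the kind of rule chain described in the answer to question 97; it is example code, not code from this book. It parses a few constructed HTTP/1.1 requests (the addresses come from the RFC 5737 documentation ranges, and the hostname, rule names and patterns are assumptions) and decides, before anything reaches the application, whether to block on source address, on HTTP method, or on XSS and injection patterns found in the decoded request target, headers, or body.

```python
"""Toy WAF-style request inspection (an added example, not code from the book).
Parses raw HTTP/1.1 requests and applies a small rule chain before the request
would be handed to the application. The patterns are deliberately simple."""
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import unquote_plus

# Constructed sample requests (documentation addresses, not captured traffic).
SAMPLE_REQUESTS = [
    ("203.0.113.7",
     "GET /search?q=shoes HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("203.0.113.7",
     "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("198.51.100.9",
     "POST /login HTTP/1.1\r\nHost: shop.example\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "user=admin'%20OR%20'1'%3D'1&pass=x"),
    ("192.0.2.55",
     "GET /healthz HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("203.0.113.7",
     "TRACE / HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
]

BLOCKED_SOURCES = {"192.0.2.55"}          # assumed: an address already seen abusing the site
ALLOWED_METHODS = {"GET", "POST", "HEAD"}

# Content rules applied to the decoded request target, the headers and the body.
CONTENT_RULES = [
    ("xss", re.compile(r"<\s*script\b|javascript:|\bon[a-z]+\s*=", re.I)),
    ("sqli", re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=|\bunion\s+select\b|\bdrop\s+table\b", re.I)),
]


@dataclass
class Request:
    method: str
    target: str
    headers: Dict[str, str]
    body: str


@dataclass
class Decision:
    action: str            # "allow" or "block"
    rule: Optional[str]    # which rule fired, if any


def parse_request(raw: str) -> Request:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers, body)


def inspect_request(src_ip: str, raw: str) -> Decision:
    """Evaluate rules in order; the first hit decides, as in a WAF rule chain."""
    if src_ip in BLOCKED_SOURCES:
        return Decision("block", "blocked-source")
    req = parse_request(raw)
    if req.method not in ALLOWED_METHODS:
        return Decision("block", "method-not-allowed")
    # Decode once so percent-encoding cannot hide a payload from the patterns.
    surface = [unquote_plus(req.target), unquote_plus(req.body), *req.headers.values()]
    for name, pattern in CONTENT_RULES:
        if any(pattern.search(field) for field in surface):
            return Decision("block", name)
    return Decision("allow", None)


def run_samples():
    """Apply the rule chain to every constructed request; returns (action, rule) per request."""
    return [(d.action, d.rule) for d in (inspect_request(ip, raw) for ip, raw in SAMPLE_REQUESTS)]


if __name__ == "__main__":
    for (ip, raw), result in zip(SAMPLE_REQUESTS, run_samples()):
        print(ip, raw.split("\r\n", 1)[0], "->", result)
```

Note the ordering: the cheap source-address and method checks run before the pattern rules, and the target and body are percent-decoded once before matching, since a WAF that matched only the raw encoded form would miss the same payload sent as %3Cscript%3E.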

98.   The ISO/IEC 27018 standard focuses on privacy in cloud computing and consists of five main principles. Which of the following is NOT one of the principles established in the standard?

A.   Communication

B.   Consent

C.   Yearly audit

D.   Penalties for privacy violations

D. ISO/IEC standards in general are based on IT policies and best practices. They are written at a higher level so that they remain flexible for a variety of diverse systems and requirements, and they serve as a strong framework for implementing regulatory or organizational policies and requirements. As such, they do not articulate or cover potential penalties, either civil or criminal, that could be triggered in the event of privacy policy violations. Penalties can differ widely from jurisdiction to jurisdiction, and the applicable regulations in each jurisdiction are where any potential penalties are covered.

A is incorrect because communication to individuals about the use and storage of their personal information is a crucial component of the standard. Many regulatory requirements specifically articulate communication and transparency to their customers about their personal data and privacy, and it has been incorporated as a key component in most of the best-practices systems as well.

B is incorrect because consent to use or store private and personal information is also a key component of the standard as well as many regulatory systems. While it is imperative to properly communicate and inform users and customers as to which of their data you will use, collect, or keep, it is also imperative to get their informed consent to do so under most regulatory systems.

C is incorrect because, as with any regulation or standard practice, the main mechanism for validation and compliance enforcement is the audit process.

99.   Which of the following concepts of cloud computing necessitates the logical separation of systems that would normally be done by physical separation in a traditional data center?

A.   Resource pooling

B.   Multitenancy

C.   Elasticity

D.   Measured service

B. Multitenancy is the concept of having multiple customers sharing the same physical infrastructure and systems. With a traditional data center model, different customers use their own dedicated and segregated physical hardware, typically within their own cages and with totally separate networking cabling and hardware as well. With a cloud deployment, all customers share the same physical hardware, thus requiring the use of logical segregation to ensure security.

A is incorrect because resource pooling does not deal with the segregation or isolation of resources and access within a shared environment. Resource pooling is the aggregation and allocation of compute resources across all customers.

C is incorrect because elasticity refers to the ability of a system to scale up or down based on current demands, and to ensure that at any given point a system or application has the exact resources it needs. This is done to eliminate having an excess or deficit of resources at any time, and so that customers are paying for exactly what they need and are consuming.

D is incorrect because measured service refers to the concept within cloud computing where the cloud customer only pays for those services they use. It does not relate to any technical capabilities or the segregation of services within the environment.

100.   Your boss has tasked you with preparing to use containers for the application that your team supports. Which of the following is NOT a focus of your deployment plan?

A.   Configurations

B.   Code

C.   Operating system

D.   Libraries

C. A container is a wrapper with all the components necessary to run an application that is deployed into a hosted environment. The container is completely removed from the operating system and underlying hardware.

A is incorrect because with a container, the configurations that are necessary to run and operate an application are vital. This allows for a standardized deployment in which all necessary configuration options and specifications are uniform across all containers. Depending on the application deployed via a container, the configuration files may be the only modifications an organization needs to make before the application is ready for use.

B is incorrect because in any container deployment, the actual application code is necessary for operation. The code may be compiled code or scripts. By using containers to distribute code, you are assured that all systems have the exact same code, without modification, which decreases the resources needed to validate any deployment.

D is incorrect because any libraries that are necessary for an application to operate must be included in the container. Deploying libraries through a container, rather than by the traditional method of installing them on each server, gains the same advantages as code deployments: the resources necessary to validate deployments are decreased because you have assurance that all containers contain the exact same copy of the libraries.

101.   Which common threat is mitigated by the use of DNSSEC?

A.   Spoofing

B.   Snooping

C.   XSS

D.   DDoS

A. DNSSEC is explicitly designed to prove the validity and authenticity of DNS lookups from their authoritative host. It is intended to eliminate the possibility of rogue DNS servers intercepting lookup requests from devices or clients and inserting incorrect IP address resolutions in an attempt to direct traffic away from the legitimate destination. DNSSEC works by applying digital keys to the authoritative DNS host and then signing lookup and resolution requests when sending them back to the requestor. With the ability to authenticate those keys back to the authoritative host, trust is established that the DNS resolutions are correct and from the proper authority, and not inserted by a rogue or malicious host. DNSSEC ensures the integrity of DNS resolutions, but not their confidentiality or availability. It is also intended to work without requiring additional lookups when making the initial DNS request, instead sending back all required information from a single query.

B is incorrect because DNSSEC is only designed to ensure the integrity of DNS resolutions; it will not provide any encryption or protection for the confidentiality of data communications or connections. Once the DNS lookup has been completed and the results validated by the requestor, the role of DNSSEC ends, and another technology such as TLS or IPsec would need to be leveraged to ensure confidentiality and prevent the snooping of communications and data transfers.

C is incorrect because cross-site scripting is a potential application and client vulnerability, and the lookup and integrity of DNS resolutions that DNSSEC is intended to provide would not be a factor or tool used to mitigate or prevent it.

D is incorrect because distributed denial-of-service (DDoS) attacks are threats to the availability of a system or application. DNSSEC is intended only to mitigate integrity attacks and threats, so it would be of no use in mitigating a DDoS attack.
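
To make concrete what the answer to question 101 describes, the following Python script is an added, simplified illustration of signed DNS data being validated by a resolver; it is example code, not code from this book, and it is not real DNSSEC. Records are signed with textbook RSA on two hard-coded Mersenne primes so that only the standard library is needed (real DNSSEC uses RRSIG, DNSKEY and DS records, proper padding and far larger keys). The zone name, addresses and key values are constructed placeholders. It shows the three outcomes a validating resolver distinguishes: an authentic answer, a spoofed answer that fails the signature check, and a rogue server that signs with its own key, which fails because that key does not match the DS digest published by the parent zone.

```python
"""Toy illustration of DNSSEC-style validation (an added example, not real DNSSEC).
Textbook RSA on hard-coded Mersenne primes stands in for the real algorithms."""
import hashlib

E = 65537  # public exponent shared by both toy keys


def make_keypair(p, q):
    """Return ((e, n), (d, n)) for the primes p and q (toy key sizes, no padding)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (E, n), (d, n)


def canonical(rrset):
    """Canonical form of an RRset: records sorted, one per line, as bytes."""
    return "\n".join("{} {} {} {}".format(*rr) for rr in sorted(rrset)).encode()


def hash_mod(data, n):
    """SHA-256 of the data reduced into the signing modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_rrset(rrset, priv):
    """The authoritative zone produces the toy RRSIG for an RRset."""
    d, n = priv
    return pow(hash_mod(canonical(rrset), n), d, n)


def ds_digest(pub):
    """What the parent zone publishes as the DS record: a digest of the child's DNSKEY."""
    e, n = pub
    return hashlib.sha256(f"{e}:{n}".encode()).hexdigest()


def validate(rrset, rrsig, dnskey, trusted_ds):
    """Resolver-side check. Returns (ok, reason)."""
    if ds_digest(dnskey) != trusted_ds:
        return False, "DNSKEY does not match the DS published by the parent zone"
    e, n = dnskey
    if pow(rrsig, e, n) != hash_mod(canonical(rrset), n):
        return False, "RRSIG does not verify over this RRset"
    return True, "authentic"


# Constructed scenario: example.com (reserved name) with RFC 5737 addresses.
ZONE_PUB, ZONE_PRIV = make_keypair((1 << 61) - 1, (1 << 89) - 1)
ROGUE_PUB, ROGUE_PRIV = make_keypair((1 << 31) - 1, (1 << 107) - 1)
PARENT_DS = ds_digest(ZONE_PUB)  # the resolver's trust anchor for this zone

A_RRSET = [("www.example.com.", "A", 300, "192.0.2.10")]
A_RRSIG = sign_rrset(A_RRSET, ZONE_PRIV)


def scenarios():
    """Three cases a validating resolver would see; returns {name: (ok, reason)}."""
    spoofed = [("www.example.com.", "A", 300, "203.0.113.66")]
    return {
        "legitimate": validate(A_RRSET, A_RRSIG, ZONE_PUB, PARENT_DS),
        "spoofed_answer": validate(spoofed, A_RRSIG, ZONE_PUB, PARENT_DS),
        "rogue_server_own_key": validate(
            spoofed, sign_rrset(spoofed, ROGUE_PRIV), ROGUE_PUB, PARENT_DS),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:22s} {'PASS' if ok else 'FAIL'}: {why}")
```

Nothing in the script encrypts the records: the resolver learns only that the answer is the one the zone owner signed, which is the integrity guarantee the answer above describes, and why confidentiality of the subsequent connection still needs TLS or IPsec.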
