Appendix B

Answers to Review Questions

Chapter 1

1. B The cloud is a symbol used to represent the Internet in network diagrams, adopted to represent a “location” for cloud services.

2. A Self-serve management of resource allocation reduces IT administrative overhead, while automated resource allocation reduces administrative overhead for business and IT operations.

3. B Although cloud computing utilizes virtualization extensively, virtual hosting services predate cloud computing solutions and lack the flexibility of resource assignment possible in the cloud.

4. B A thin client system does not have a hard drive or flash drive for storage, so it relies on remote applications to operate.

5. B Flexible resource assignment allows the cloud service provider to share resources across multiple customers, reducing active server count, power load, and cooling requirements. The sustainable nature of cloud services includes the mobility of data and service operations as well as the potential for green cooling options.

6. A Cloud computing allows flexibility in applications by including XML technologies for distributed application design and high-performance computing models.

7. C Cloud computing is a flexible self-service and network-accessible pool of computing resources; it is rapidly transforming the modern enterprise network environment by moving on-premises services to remote cloud service providers.

8. B Although cloud computing can provide opportunities for reduced environmental impact through transparent migration to optimal locations and by leveraging economies of scale, it still relies on the same basic components found in a traditional data center.

9. D Being “in the cloud” means only that a service, application, or other component of technology infrastructure is being supported within a cloud computing flexible resource pool environment. There is no specific location that can be pointed to as “the cloud” in general.

10. C System virtualization allows a single powerful host computer’s resources to support multiple virtualized machines at once, allowing full utilization of available resources and reduced power consumption needed during “idle” times.

Chapter 2

1. D Cloud-bursting supports private cloud capacity overruns by failing over to public cloud resources in a compatible hybrid cloud configuration.

2. D The cloud service manager will be responsible for financial management, including pricing, service levels, and service classes that will factor into cloud hosting contracts and billing policies.

3. B Although the spectrum of virtualization begins with the transfer of traditional servers to virtualized hosting in the data center and ends with the fully virtualized public cloud, organizations can take advantage of any level of virtualization without any of the others. This spectrum presentation is merely a mechanism for aligning the various types of virtualized computing.

4. A The traditional data center’s server costs tend to be capital expenses because the burden for change and update lies solely with the organization.

5. B Private clouds are constructed atop local data center resources. Hybrid clouds can blend two or more cloud types including public, private, or other hybrid clouds, while community clouds might be located in one community member’s data center but would be remote for all other members.

6. C NIST specifies the four types of clouds as public, hybrid, private, and community. Community clouds operate as private for the related community of organizations or as a secured partition of a public cloud for all others. A partitioned public cloud is an example of a community cloud that does not reside within the data center of any of the partner consuming organizations.

7. C Like the current distributed electrical power grid, public clouds provide resources to clients based on utility and consumption. Costs are operational for planning and vary based on level of use.

8. A Because a private cloud resides on resources controlled or managed by an organization, it is preferable to other forms of clouds when accountability for data access, location, and other factors is mandated, such as in the case of Health Insurance Portability and Accountability Act (HIPAA) or Sarbanes-Oxley data control requirements.

9. B A community cloud may be resident on one organization’s data center resources but shared with partner organizations as a remote community cloud service. Community clouds may also reside outside of all organizational cloud hosting and be accessed remotely by all partners in the community, as in the case of a partitioned public community cloud service.

10. D Although both Google Docs and Microsoft’s Azure platform are individually examples of public clouds, integration between these services would be considered a public/public hybrid solution.

Chapter 3

1. A Because Software as a Service cloud applications are entirely controlled by their provider, this type of cloud service is the most common and numerous today.

2. B Although the proprietary language options available to a particular PaaS development environment present the most obvious form of vendor lock-in potential, standards do not yet exist across all SaaS or even all IaaS providers’ options, leading to some concerns that an early move into the cloud could create additional costs later for switching to an alternate service.

3. A The cloud service provider manages resource allocation provisioned for its customers using a subscription or utility-like fee schedule across all types of cloud services. Consumers of SaaS cloud services do not need to interact directly with the platform or infrastructure itself, allowing the provider to manage updates and patches behind the scenes. PaaS consumers similarly do not need to know the infrastructural components behind their application development environment, and even IaaS consumers do not need to worry about the hardware-level support tasks anymore.

4. E NIST defines cloud computing service models for applications (SaaS), platforms (PaaS), and infrastructures (IaaS). Hardware as a Service is just an alternate way to refer to IaaS. Everything as a Service (XaaS) is simply a general term reflecting the evolution of traditional data center models into integrated flexible and adaptable alternatives integrating elements of cloud computing. Industry giants like Google, HP, and Microsoft are starting to use the XaaS designation, but it does not align to a formal category of cloud services.

5. C SaaS options offer almost no application development, while PaaS application development is tied to a provider’s selection of available languages—sometimes even using proprietary versions of common languages to lock clients into their services. IaaS allows the greatest flexibility because an organization can deploy its own resources from the operating system up.

6. B Because the organization is no longer involved in acquisition, installation, and maintenance upgrades, software management life cycles can be shortened and costs reduced through cloud service integration.

7. C Borrowing from cloud computing’s distributed computing origins, very large or complex databases can be broken up, or sharded, for simultaneous processing across multiple cloud resource pools.

8. C Of the three NIST models, IaaS allows the greatest flexibility from the operating system up.

9. B Of the three NIST models, PaaS presents the greatest limitation on cloud application design that could lead to an organization’s “lock in” to a particular cloud vendor’s services. Each vendor’s PaaS services (such as Google Apps, Microsoft Azure, and Amazon Elastic Cloud) offer a limited spectrum of application development languages, often involving proprietary variations even when using standard language bases. Movement to another cloud service provider will involve rewriting many application functions or applications in their entirety.

10. B Although most cloud “as a Service” products can be aligned within the NIST definitions, many cloud services blend varying levels of the NIST models. The common Dropbox service, for example, includes both SaaS (web client for accessing files) and IaaS (cloud file storage) elements into its particular product.

Chapter 4

1. A Because SaaS cloud applications are entirely controlled by their provider, this type of cloud service is the most common and numerous today.

2. B Although the proprietary language options available to a particular PaaS development environment present the most obvious form of vendor lock-in potential, standards do not yet exist across all SaaS or even all IaaS providers’ options, leading to some concerns that an early move into the cloud could create additional costs later for switching to an alternate service.

3. D Mobile devices are able to access cloud services not only through their web browsers but also through applications loaded onto the devices.

4. E NIST defines cloud computing service models for applications (SaaS), platforms (PaaS), and infrastructures (IaaS). Hardware as a Service is just an alternate way to refer to IaaS. Everything as a Service (XaaS) is simply a general term reflecting the evolution of traditional data center models into integrated flexible and adaptable alternatives integrating elements of cloud computing. Industry giants like Google, HP, and Microsoft are starting to use the XaaS designation, but it does not align to a formal category of cloud services.

5. A SaaS options offer almost no application development, while PaaS application development is tied to a provider’s selection of available languages—sometimes even using proprietary versions of common languages to lock clients into its services. IaaS allows the greatest flexibility because an organization can deploy its own resources from the operating system up.

6. B Because the organization is no longer involved in acquisition, the software management life cycles for installation and maintenance upgrades can be shortened and costs reduced through cloud service integration.

7. B IaaS represents cloud resources provided at the lowest level—storage, databases, network interconnections, and similar functions. This is the most flexible level of cloud service but requires the most management and planning of the consuming organization. Platform as a Service represents cloud resources provided at the development level for custom application development and hosting. Public and hybrid clouds are deployment models, not service models.

8. C Network communication is defined by the Open Systems Interconnection (OSI) model, in which data is passed through a series of layers comprising similar communication functionality. Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP) are high-level application protocols that run over Transport Control Protocol (TCP), a low-level data delivery protocol.

9. B In client/server architecture, thin clients are unable to perform their own processing and rely upon server-based applications and services. Thick clients, on the other hand, have enough processing and storage resources to perform local processing. Desktops and mobile devices are examples of thin or thick clients.

10. D The development of customized and personalized applications is a function of PaaS. With PaaS, applications are developed, deployed, updated, and maintained by an organization’s own development staff, as opposed to SaaS, in which the cloud service provider performs those functions. Aggregation of data is generally considered to be a benefit of enterprise SaaS, while the ability to run applications without them being installed on individual machines is an advantage of both enterprise and personal SaaS.

Chapter 5

1. C Computers, servers, and other physical devices are fixed assets and therefore, capital expenses. Operating expenses are those associated with ordinary business operations. A cost is considered direct or indirect based on whether it can be assigned to a single process, product, or service or to multiple ones, so more information would be required for option B or option C to be correct.

2. B Vertical scaling, or scaling up, involves adding resources to a single node or host. Horizontal scaling, or scaling out, involves adding additional nodes to a distributed system, while diagonal scaling is a combination of the two. Load balancing is a process associated with scaling application services.

3. B This is referred to as vendor lock-in and can be problematic when the organization wants to switch to a different cloud service provider.

4. D Increasing capital expenses is not a business driver for cloud computing. Businesses looking to adopt cloud computing are seeking to decrease capital expenses (e.g., hardware costs) by shifting the cost to operations.

5. B Organizational agility is the ability to rapidly adapt to market changes. It is similar to strategic flexibility, but strategic flexibility involves anticipating and preparing for uncertainty. Utility and process transformation are levels of maturity identifying how an organization can leverage cloud services.

6. B Pay-as-you-go billing allows for rapid development without being limited by the cost of computing hardware or being stalled by procurement times. Economies of scale is a tool for cost reduction. Mobility and improved disaster recovery are cloud computing benefits, but they do not directly relate to time to market.

7. A Some managers prefer to “see” what they are paying for, even if it is otherwise unnecessary. A more appropriate reason for keeping control over the hardware would be if it is required for legal or regulatory compliance. Additionally, organizations that have significant IT investment, particularly recent investment, may not be able to justify disposing of infrastructure, and sufficient Internet connectivity is required for public cloud implementations.

8. B An organization with a geographically distributed workforce is an ideal candidate for using a public cloud solution.

9. C A hybrid cloud is the best solution for organizations with appropriate infrastructure and compelling reasons to implement a private cloud solution but that also have periods of high demand that make bursting into the public cloud much more cost effective than purchasing additional infrastructure. Moving everything to the public cloud or trying to utilize a community cloud would not align with the mandate of leveraging existing internal resources.

10. D Compliance is the responsibility of the organization, not the cloud service provider. Software license management, backups, and patch management duties may all be transferred to a cloud service provider to reduce administrative overhead.

Chapter 6

1. C Although throughput and resiliency address the ability to transport ever-larger volumes of data that must remain available, scalability addresses the ability to expand both network and system resources to meet expanding variable data consumption in a cloud service environment.

2. A Virtual Extensible Local Area Network (VXLAN) services provide virtual Layer 2 (Data-Link) network tunnels between Layer 3 (Network) subnets.

3. A The primary cause of network congestion is oversubscription of devices on the network segment, which depends on the number of devices and the bandwidth available to each.

4. D Resource pooling makes it possible for automated cloud provisioning systems to allow computing resources such as storage, memory, network bandwidth, virtual servers, and processing power to be assigned dynamically or upon request.

5. B Federated cloud services can provide interconnections between clouds, allowing multiple clouds to be managed as a single cloud resource pool in private/private, private/public, and public/public configurations.

6. D Network congestion can be addressed by expanding the available bandwidth (upgrading the network) or by segmenting subnetworks to limit collisions between devices on the same subnet.

7. C Availability in automated cloud self-service makes it possible to manage resource allocation and provisioning even during off-hours, weekends, and holidays when the IT staff is otherwise engaged. Concealing complexity from operators eases development and resource access at all times, so it would not be associated with holidays in particular.

8. B The storage gateway can store regularly accessed data in its cache to improve response time in comparison to repeated access against the original storage server.

9. C A cloud orchestration layer provides the ability to arrange, organize, integrate, and manage multiple cloud services, facilitating cloud interoperability if it is not already present.

10. A The Cloud Security Alliance (CSA) is a group that focuses on audit and security standards for cloud computing.

Chapter 7

1. D The cost of technical support escalations, although monetary, is an element of IT service management. Changes in software licensing and the shifting of technology from CAPEX to OPEX are likely to require significant changes to an organization’s budgeting process.

2. B A successful pilot indicates an organization’s readiness, and identification of regulatory requirements is necessary to determine both the business needs and the appropriate service provider. Executive management support, as well as that of key stakeholders, is necessary due to the changes in organizational culture, domain management, and business processes that will occur. A fully staffed help desk may be of little consequence if help desk functionality is transferred to the cloud service provider.

3. C A service-level agreement (SLA) acts as an intermediary between the customer and the provider, and one of its functions is to document the roles and responsibilities of both the customer and the provider so that there are no surprises. A service-level objective is a quality of service measurement. Web hosting and software license agreements are also contracts between customers and providers; however, they may not contain all the necessary elements of an SLA.

4. A While personnel from multiple business units may participate in negotiation, review of the SLA, and management of cultural change, a successful pilot program requires representatives from all business elements in order to accurately identify potential issues.

5. C CompTIA and EXIN differ on vendor selection with regard to standards. EXIN does not indicate a preference in technology (e.g., Java), while CompTIA does. As such, whether or not the provider uses Java-based standards may not be a critical success factor, but the other options certainly are.

6. B Prior to identification of services, deployment models, and vendors, the organization must identify its business processes and their technical dependencies. After all this is done, the organization can implement its pilot program.

7. A The type of service provider (Infrastructure, Software, or Platform as a Service) is a prerequisite for embarking on a pilot program.

8. C Organizations considering using cloud services for mission-critical services or data should be very concerned with both availability and performance because deficiencies in either could negatively impact business. The other options are all standard elements of SLAs.

9. D It requires both business and technical staff to accurately identify business processes, their technological dependencies, and the impact of change to both. The organization’s infrastructure, however, is generally the domain of technical staff.

10. A Any consideration of cloud service adoption should be based on business needs. Regulatory requirements, security requirements, and cost control are all examples of specific business needs.

Chapter 8

1. A, B, D The three tiers of a distributed application are the presentation tier (user interface), application tier (business logic), and data tier (data storage).

2. D Desktop applications can use all the power available in a desktop to allow for security, reliability, and manageability but cannot scale out to use other computers.

3. B Distributed applications do not require the use of a web server and can have any type of user interface.

4. A, B You can make a web-based distributed application highly available by providing several web servers and scalable by adding servers as needed based on usage. Security and reliability are no different than with a regular distributed application; although some people might argue that SSL can easily be enabled to encrypt data transmission in a web application, the same can be done for a regular distributed application.

5. C The four design patterns of cloud-based applications are predictable burst; unpredictable burst; start small, grow fast; and periodic processing.

6. B Stateful objects should be avoided at all times because calls from the client can reach different servers at any time, and code should be optimized for multicore use.

7. C IaaS offerings are the most expensive of the three main XaaS offerings and require the customer to handle operating system maintenance. However, they allow for minimal changes to the existing code because you are basically moving your servers to a virtualized cloud environment.

8. D Although some cloud service providers provide only proprietary development tools, most providers allow the use of commonly used tools such as Visual Studio and programming languages such as C# and Java.

9. B Big data applications are I/O bound, which may result in large costs for transferring data over the Internet.

10. C DDoS attacks can cause new instances of a presentation layer server to be added automatically, increasing the compute cost of the application.

Chapter 9

1. A A service-level agreement specifies how frequently a service is available for use. This is usually a percentage value, like 99.9%, which specifies that the service is down for no more than 8.76 hours a year for a service expected to run 24 hours a day every day of the year.

2. A, B SaaS vendors tend to have an automatic contract renewal clause and policies on data ownership and deletion. It is necessary to understand and negotiate those with vendors. The programming language used by a SaaS vendor cannot be changed by a customer because the SaaS vendor owns the application and develops its code; the same goes for the operating system running on the servers.

3. C When using an IaaS vendor, the customer is responsible for managing everything on the virtual servers, from the operating system to the application.

4. A, C Cloud service vendors must be managed closely since the daily operations of the organization now rely on the availability of services provided by the vendor. Integration of data maintained on premises and in the cloud is needed to provide a more accurate picture of the business and facilitate business decisions. Desktop security does not affect cloud services because data is stored and changed in the cloud. Customer management does not affect cloud systems.

5. C AppController can be used to manage and create services on a private or public cloud using Microsoft System Center and Azure.

6. A, C Internet bandwidth is the main factor that must be taken into account when moving to a SaaS model because all calls that used to be made to an on-premises application are now directed to the Internet. Because connectivity to the Internet is required, the WAN design of the organization must be looked into to ensure that remote offices have the necessary connectivity to run the SaaS applications.

7. A, B, C A service description details what is offered by the vendor, a service-level agreement specifies the availability of the service offered, and the support agreement details how incidents are handled by the vendor.

8. B SaaS vendors are responsible for code maintenance and operation of applications they host.

9. A IaaS is viewed as hardware as a service. The vendor manages the connectivity and storage but not the individual virtual machines.

10. B PaaS vendors have a predefined set of programming languages that can be used in their platform.

Chapter 10

1. B ITIL is a collection of best practices on how to manage an IT infrastructure. The best practices prescribed by ITIL are technology agnostic.

2. A, C, D, E, G ITIL is composed of five distinct volumes: Service Design, Service Strategy, Service Transition, Service Operation, and Continual Process Improvement.

3. C ITIL Service Transition provides guidance on the deployment of services required by an organization into a production environment.

4. D ITIL Service Operation provides guidance on achieving the delivery of agreed levels of service to end users and the organization, including event management, incident management, problem management, request fulfillment, and access management.

5. A Utility includes functionality, increased performance, and the removal of constraints. For instance, a cloud-based accounting service may provide the same functionality as an accounting service hosted on premises, but it may also allow the user to work from any device connected to the Internet, removing the constraint of connectivity to the corporate network and increasing performance by allowing the user to work even if the corporate network is unavailable.

6. A Availability values are similar to probabilities. It is probable that a five 9s service will be available 99.999% of the time. To determine the overall availability of independent events, you need to multiply the individual probabilities. For instance, the probability of getting a 6 from rolling a die is 1/6; the probability of rolling a 6 twice in a row is 1/6 × 1/6, or 1/36.

7. D SaaS consumers do not have access to the underlying platform. They can only, and should always, monitor access to the services being consumed.

8. C PaaS consumers do not have access to the underlying fabric of a cloud solution, but they are responsible for developing and deploying services to the VM. They can, and should, monitor these services.

9. A A watcher node is a computer located at a user facility that connects to a service and performs operations to measure response time and connectivity to the service.

10. C A synthetic transaction is a set of prerecorded operations that mimic how a user operates a given service. Synthetic transactions are used to verify if a service is available from a specific location and the performance of said service.

Chapter 11

1. C While timely installation of security patches is a security control, it does not apply to malicious insiders. Employee background checks, strong security policies, and logging employee actions are appropriate mitigations because they reduce the risk of malicious employees being hired, limit the access they may have to customer data, and provide an audit trail to aid in incident response.

2. D Firewalls manage network traffic but do not, on their own, secure communications. Virtual private networking (VPN) creates a private network over an intermediate network such as the Internet through tunneling, isolating communications. Secure Sockets Layer (SSL) is a type of encryption used to secure web communications.

3. B Although there are numerous risks, there are also significant benefits related to scale. Cloud service providers often take advantage of economies of scale to provide security services many organizations would be unlikely to afford on their own.

4. C Metrics analysis is part of the Check phase, in which the ISMS is evaluated for effectiveness. Metrics are identified in the Plan phase and implemented in the Do phase. Changes to metrics are made in the Act phase.

5. B Loss of organizational control is a problem when an organization is unable to properly manage risk due to unknown exposure. This risk is mitigated by clearly defining security responsibilities and requirements in the service-level agreement (SLA). Encryption is an appropriate mitigation technique against the risk of unauthorized access to confidential data and weak data destruction procedures because even if unauthorized individuals did gain access to encrypted files, they would be unreadable without the key (or a great deal of computing power to dedicate to breaking the encryption). Encryption also protects against the danger of password compromise in transmission.

6. B Recovery is part of incident management and takes place after a security incident has occurred, such as restoring from backup after data loss. It does not prevent data exposure from occurring. An audit can be used to test whether or not appropriate controls are in place. Data isolation reduces the risk of data exposure in a multitenant environment. Encryption renders data unreadable without the appropriate key.

7. C DoS is an attack against availability. MitM attacks involve eavesdropping on encrypted communications. XSS involves injecting malicious code into hyperlinks with the goal of intercepting data. Password theft leads to unauthorized access of confidential data.

8. B A strong ISMS is necessary for both organizations and cloud service providers due to shared responsibility for security management.

9. D Security management responsibilities of both the provider and the customer should be defined in the SLA to ensure that proper controls are applied and monitored. The provider’s security incident notification procedures should be defined in the SLA to ensure that they meet the business needs and regulatory requirements of the customer.

10. B Risk is a factor of probability (likelihood) and impact (loss)—specifically, the probability that a particular incident will occur and the impact to the business when that happens. Threats, vulnerabilities, and successful exploits have the potential to negatively impact an organization but do not in and of themselves define risk.

Chapter 12

1. B Authentication is the process of verifying an entity’s identity by validating one or more factors against a trusted identity provider. Authorization is the process of determining whether a user has permission to access a resource and is similar to access control. Logging in is the process of presenting credentials for authentication.

2. D Data in the cloud may be subject to multiple jurisdictions, based on the laws of the countries in which the data resides or passes through as well as the country of residence of the data owner and cloud service provider.

3. A The number of servers an organization needs may increase or decrease dynamically to provide sufficient quality of service and may overrun per-device or per-processor licenses.

4. D Although the organization can delegate operational duties to a cloud service provider and in some cases the cloud service provider may share responsibility with the organization, an organization cannot delegate responsibility for compliance or liability. Options A, B, and C are all examples of appropriate mitigations against noncompliance.

5. B Not only are government agencies not required to notify data owners, certain countries have gag orders that prevent the service providers from providing notification to the data owners.

6. D Unauthorized access is a security and privacy risk and is not directly related to records retention. Secure destruction of records on schedule, provider restrictions on archived storage, and difficulties associating metadata with archived records are all records retention risks that should be addressed prior to moving records subject to retention into the cloud.

7. C Implementing single sign-on allows an organization’s users to authenticate once and pass identity attributes on to multiple applications. Kerberos is a secure authentication protocol that can be used in single sign-on. Integrated Windows authentication refers to Microsoft products authenticating against a domain login. Authorization occurs after authentication and involves determining proper permissions.

8. B The United States and the European Union have taken different approaches toward privacy, and US organizations that are compliant with US privacy laws may not be compliant with stricter EU laws. This has resulted in the Safe Harbor Framework, which allows organizations to certify that they are compliant with EU privacy laws so that they may handle EU data.

9. C Cost is a business risk, not a legal risk. Data isolation, jurisdiction (in reference to data location), and electronic discovery are all legal risks.

10. B In federated identity management, identity information is passed from identity providers to service providers (e.g., cloud services), allowing an organization to take advantage of single sign-on. Authentication refers to validating an entity’s identity, and authorization is the process of determining whether an entity has permission to access a resource.
