CCSK Certificate of Cloud Security Knowledge (v5.0) Questions and Answers

MFA relies on physical tokens and biometrics to secure accounts.

MFA requires multiple forms of validation that would have to compromise.

MFA requires and uses more complex passwords to secure accounts.

MFA eliminates the need for passwords through single sign-on.

Role-Based Access Control

Unlimited Access

Mandatory Access Control

Least-Privileged Access

Cloud Service Customers (CSCs) are solely responsible for security in the cloud environment. The Cloud Service Providers (CSPs) are accountable.

Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) share security responsibilities. The exact allocation of responsibilities depends on the technology and context.

Cloud Service Providers (CSPs) are solely responsible for security in the cloud environment. Cloud Service Customers (CSCs) have an advisory role.

Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) share security responsibilities. The allocation of responsibilities is constant.

Cloud sprawl disperses assets, making it harder to monitor assets.

Cloud sprawl centralizes assets, simplifying security monitoring.

Cloud sprawl reduces the number of assets, easing security efforts.

Cloud sprawl has no impact on security monitoring.

A single deployment for all applications

Shared deployments for similar applications

Randomized deployment configurations

Multiple independent deployments for applications

By rotating keys on a regular basis

By using default policies for all keys

By specifying fine-grained permissions

By granting root access to administrators

Reduces the need for security auditing

Enables consistent security configurations through automation

Increases manual control over security settings

Increases scalability of cloud resources

It allows for quick restoration points during updates or changes

It is used for load balancing VMs

It enhances VM performance significantly

It provides real-time analytics on VM applications

Focusing exclusively on signature-based detection for known malware

Deploying behavioral detectors for IAM and management plane activities

Implementing full packet capture and monitoring

Relying on IP address and connection header monitoring

Adds complexity by requiring separate configurations and integrations.

Ensures better security by offering diverse IAM models.

Reduces costs by leveraging different pricing models.

Simplifies the management by providing standardized IAM protocols.

Post-Incident Activity

Detection and Analysis

Preparation

Containment, Eradication, and Recovery

Notifying affected parties

Isolating affected systems

Restoring services to normal operations

Documenting lessons learned and improving future responses

Inability to monitor cloud infrastructure for threats

IAM failures

Lack of encryption for data at rest

Vulnerabilities in cloud provider's physical infrastructure

Scalability and redundancy

Improved software development methodologies

Enhanced security and compliance

Cost efficiency and speed to market

A shared set of resources delivered over the Internet

A model for more-efficient use of network-based resources

A model for on-demand network access to a shared pool of configurable resources

Services that are delivered over the Internet to customers

Component credentials

Immutable infrastructure

Infrastructure as code

Application integration

Developing a cloud service provider evaluation criterion

Deploying automated security monitoring tools across cloud services

Establishing a Cloud Incident Response Team and response plans

Conducting regular vulnerability assessments on cloud infrastructure

To increase data transfer speeds within the cloud environment

To reduce the cost of cloud services

To ensure compliance, security, and efficient management aligned with the organization's goals

To eliminate the need for on-premises data centers

Software as a Service (SaaS)

Database as a Service (DBaaS)

Platform as a Service (PaaS)

Infrastructure as a Service (IaaS)

Continuous Build, Integration, and Testing

Continuous Delivery and Deployment

Secure Design and Architecture

Secure Coding

To implement detailed procedural instructions for security measures

To organize control objectives for achieving desired security outcomes

To ensure compliance with all regulatory requirements

To provide tools for automated security management

To provide cloud service rate comparisons

To certify cloud services for regulatory compliance

To document security and privacy controls of cloud offerings

To manage data residency and localization requirements

Network Attached Storage (NAS)

Block storage

File storage

Object storage

Integration with network infrastructure

Adherence to software development practices

Optimization for cost reduction

Alignment with security objectives and regulatory requirements

Database encryption

Media encryption

Asymmetric encryption

Object encryption

Client/application encryption

Multi-tenancy

Nation-state boundaries

Measured service

Unlimited bandwidth

Hybrid clouds

Agile

BusOps

DevOps

SecDevOps

Scrum

Enforce isolation and maintain a secure virtualization infrastructure

Monitor and log workloads and configure the security settings

Enforce isolation and configure the security settings

Maintain a secure virtualization infrastructure and configure the security settings

Enforce isolation and monitor and log workloads

Arbitrary contract termination by acquiring company

Resource isolation may fail

Provider may change physical location

Mass layoffs may occur

Non-binding agreements put at risk

More efficient and timely system updates

ISO 27001 certification

Provider can obfuscate system O/S and versions

Greater compatibility with customer IT infrastructure

Lock-In

The CCM columns are mapped to HIPAA/HITECH Act and therefore Health4Sure could verify the CCM controls already covered ad a result of their compliance with HIPPA/HITECH Act. They could then assess the remaining controls. This approach will save time.

The CCM domain controls are mapped to HIPAA/HITECH Act and therefore Health4Sure could verify the CCM controls already covered as a result of their compliance with HIPPA/HITECH Act. They could then assess the remaining controls thoroughly. This approach saves time while being able to assess the company’s overall security posture in an efficient manner.

The CCM domains are not mapped to HIPAA/HITECH Act. Therefore Health4Sure should assess the security posture of their cloud service against each and every control in the CCM. This approach will allow a thorough assessment of the security posture.

Network traffic rules for cloud environments

A number of requirements to be implemented, based upon numerous standards and regulatory requirements

Federal legal business requirements for all cloud operators

A list of cloud configurations including traffic logic and efficient routes

The command and control management hierarchy of typical cloud company

The hypervisor

Virtualization management components apart from the hypervisor

Configuration and VM sprawl issues

All of the above

Policies and procedures shall be established for managing the risks associated with applying changes to business-critical or customer (tenant)-impacting (physical and virtual) applications and system-

system interface (API) designs and configurations, infrastructure network and systems components.

Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or

managed user end-point devices (e.g. issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.

All cloud-based services used by the company's mobile devices or BYOD shall be pre-approved for usage and the storage of company business data.

None of the above

Client, Controller, and Gateway

Client, Controller, Firewall, and Gateway

Client, Firewall, and Gateway

Controller, Firewall, and Gateway

Client, Controller, and Firewall

False

True

Any encryption option that is available for volume storage, object storage, or PaaS

Provider-managed and (sometimes) proxy encryption

Client/application and file/folder encryption

Object encryption Volume storage encryption

False

True

Public

PaaS

Private

IaaS

Hybrid

False

True

Serverless computing

Virtual machineless

Abstraction

Container

Provider managed

VM communications may use a virtual network on the same hardware host

The guest OS can invoke stealth mode

Hypervisors depend upon multiple network interfaces

VM images can contain rootkits programmed to bypass firewalls

Most network security systems do not recognize encrypted VM traffic

Scope of the assessment and the exact included features and services for the assessment

Provider infrastructure information including maintenance windows and contracts

Network or architecture diagrams including all end point security devices in use

Service-level agreements between all parties

Full API access to all required services

proxy encryption

data rights management

hypervisor agents

data dispersion

random placement

Software Development Kits (SDKs)

Resource Description Framework (RDF)

Extensible Markup Language (XML)

Application Binary Interface (ABI)

Application Programming Interface (API)

Service Provider or Tenant/Consumer

Physical, Network, Compute, Storage, Application or Data

SaaS, PaaS or IaaS

Building and properly configuring a secure network infrastructure

Configuring second factor authentication across the network

Properly configuring the deployment of the virtual network, especially the firewalls

Properly configuring the deployment of the virtual network, except the firewalls

Providing as many API endpoints as possible for custom access and configurations

The metrics defining the service level required to achieve regulatory objectives.

The duration of time that a security violation can occur before the client begins assessing regulatory fines.

The cost per incident for security breaches of regulated information.

The regulations that are pertinent to the contract and how to circumvent them.

The type of security software which meets regulations and the number of licenses that will be needed.

False

True

Intrusion Prevention System

URL filters

Data Loss Prevention

Cloud Access and Security Brokers (CASB)

Database Activity Monitoring