Chap 10 Q/A
4. Greg would like to find a reference document that describes how to map cloud security controls to different regulatory standards. What document would best assist with this task? A. CSA CCM B. NIST SP 500-292 C. ISO 27001 D. PCI DSS
A. CSA CCM The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a reference document designed to help organizations understand the appropriate use of cloud security controls and map those controls to various regulatory standards. NIST SP 500-292 is a reference model for cloud computing and operates at a high level. ISO 27001 is a general standard for cybersecurity, and PCI DSS is a regulatory requirement for organizations involved in processing credit card transactions.
20. Tony purchases virtual machines from Microsoft Azure and uses them exclusively for use by his organization. What model of cloud computing is this? A. Public cloud B. Private cloud C. Hybrid cloud D. Community cloud
A. Public cloud This is an example of public cloud computing because Tony is using a public cloud provider, Microsoft Azure. The fact that Tony is limiting access to virtual machines to his own organization is not relevant because the determining factor for the cloud model is whether the underlying infrastructure is shared, not whether virtualized resources are shared.
13. Brian would like to limit the ability of users inside his organization to provision expensive cloud server instances without permission. What type of control would best help him achieve this goal? A. Resource policy B. Security group C. Multifactor authentication D. Secure web gateway
A. Resource policy Cloud providers offer resource policies that customers may use to limit the actions that users of their accounts may take. Implementing resource policies is a good security practice to limit the damage caused by an accidental command, a compromised account, or a malicious insider.
14. Ursula would like to link the networks in her on-premises datacenter with cloud VPCs in a secure manner. What technology would help her best achieve this goal? A. Transit gateway B. HSM C. VPC endpoint D. SWG
A. Transit gateway Cloud providers offer VPC endpoints that allow the connection of VPCs to each other using the cloud provider's secure network backbone. Cloud transit gateways extend this model even further, allowing the direct interconnection of cloud VPCs with on-premises VLANs for hybrid cloud operations. Secure web gateways (SWGs) provide a layer of application security for cloud-dependent organizations. Hardware security modules (HSMs) are special purpose computing devices that manage encryption keys and also perform cryptographic operations in a highly efficient manner.
17. Kira would like to implement a security control that can implement access restrictions across all of the SaaS solutions used by her organization. What control would best meet her needs? A. Security group B. Resource policy C. CASB D. SWG
C. CASB Cloud access security brokers (CASBs) are designed specifically for this situation: enforcing security controls across cloud providers. A secure web gateway (SWG) may be able to achieve Kira's goal but it would be more difficult to do so. Security groups and resource policies are controls used in IaaS environments.
12. In which of the following cloud categories are customers typically charged based on the number of virtual server instances dedicated to their use? A. IaaS only B. SaaS only C. IaaS and PaaS D. IaaS, SaaS, and PaaS
C. IaaS and PaaS Customers are typically charged for server instances in both IaaS environments, where they directly provision those instances, and PaaS environments, where they request the number of servers needed to support their applications. In an SaaS environment, the customer typically has no knowledge of the number of server instances supporting their use.
2. Fran's organization uses a Type I hypervisor to implement an IaaS offering that it sells to customers. Which one of the following security controls is least applicable to this environment? A. Customers must maintain security patches on guest operating systems. B. The provider must maintain security patches on the hypervisor. C. The provider must maintain security patches on the host operating system. D. Customers must manage security groups to mediate network access to guest operating systems.
C. The provider must maintain security patches on the host operating system. Type I hypervisors, also known as bare-metal hypervisors, run directly on top of the physical hardware and, therefore, do not require a host operating system.
10. Which one of the following is not an example of infrastructure as code? A. Defining infrastructure in JSON B. Writing code to interact with a cloud provider's API C. Using a cloud provider's web interface to provision resources D. Defining infrastructure in YAML
C. Using a cloud provider's web interface to provision resources Infrastructure as code is any approach that automates the provisioning, management, and deprovisioning of cloud resources. Defining resources through JSON or YAML is IaC, as is writing code that interacts with an API. Provisioning resources through a web interface is manual, not automated, and therefore does not qualify as IaC.
19. Brenda's company provides a managed incident response service to its customers. What term best describes this type of service offering? A. MSP B. PaaS C. SaaS D. MSSP
D. MSSP Brenda's company is offering a technology service to customers on a managed basis, making it a managed service provider (MSP). However, this service is a security service, so the term managed security service provider (MSSP) is a better description of the situation.
3. In what cloud security model does the cloud service provider bear the most responsibility for implementing security controls? A. IaaS B. FaaS C. PaaS D. SaaS
D. SaaS The cloud service provider bears the most responsibility for implementing security controls in an SaaS environment and the least responsibility in an IaaS environment. This is due to the division of responsibilities under the cloud computing shared responsibility model.