Domain 2: Cloud Data Security

You are the security manager of a small firm that has just purchased a DLP solution to implement in your cloud-based production environment. Before implementing the solution, what should you explain to senior management? a The additional risks of external attack associated with using the tool b The production impact it will have on the environment c What the price of the tool was d How the solution works

B. All security functions come with an attendant negative productivity effect: The most secure environment will be the least productive, and the most productive will be the least secure. DLP tools will have an overhead cost in terms of production impact and loss of efficiency and speed. This may affect the cost savings that were realized in a cloud migration from the legacy environment, and senior management needs to understand this trade-off. Implementing a DLP solution should not incur any additional risks of external attack, so option A is incorrect. Because the tool has already been purchased, explaining the purchase price is irrelevant at this point, so option C is incorrect. If it was germane (and it was likely not), you should have explained how the tool works before purchasing it; explaining at this point might be interesting, but is not as important as option B, so option D is incorrect.

Digital rights management (DRM) solutions (sometimes referred to as information rights management, or IRM) can be used to protect all sorts of sensitive data but are usually particularly designed to secure ____________. a Personally identifiable information (PII) b Intellectual property c Plans and policies d Marketing material

B. DRM is mainly designed to protect intellectual property. It can also sometimes be used for securing PII, but intellectual property is a better answer here. Plans and policies aren't usually protected in this manner, and marketing material is usually meant to be disseminated, so it does not require protection.

Which of the following characteristics is associated with digital rights management (DRM) solutions (sometimes referred to as information rights management, or IRM)? a Automatic expiration b Multilevel aggregation c Enhanced detail d Broad spectrum

A. Automatic expiration is the trait that allows DRM tools to prevent access to objects when a license expires or remove protections when intellectual property moves into the public domain. The other options are distractors and meaningless in this context.

Which of the following sanitization methods is feasible for use in the cloud? a Crypto-shredding b Degaussing c Physical destruction d Overwriting

A. Cloud customers are allowed to encrypt their own data and manage their own keys; crypto-shredding is therefore possible. Degaussing is not likely in the cloud because it requires physical access to the storage devices and because most cloud providers are using solid-state drives (SSDs) for storage, which are not magnetic. Physical destruction is not feasible because the cloud customer doesn't own the hardware, and therefore won't be allowed to destroy it. Overwriting probably won't work because finding all data in all aspects of the cloud is difficult and the data is constantly being backed up and securely stored, so a thorough process would be very tricky.

Which of the following is not a method for enhancing data portability? a Crypto-shredding b Using standard data formats c Avoiding proprietary services d Favorable contract terms

A. Crypto-shredding is for secure sanitization, not portability. The other methods all enhance portability.

DLP solutions can aid all of the following security-related efforts except ____________. a Access control b Egress monitoring c e-discovery/forensics d Data categorization/classification

A. DLP solutions do not facilitate access control efforts in any way. DLP tools do, however, provide all the functions listed in the other options, so those are incorrect.

You are the security manager of a small firm that has just purchased a DLP solution to implement in your cloud-based production environment. In order to increase the security value of the DLP, you should consider combining it with ____________. a Digital rights management (DRM) and security event and incident management (SIEM) tools b An investment in upgraded project management software c Digital insurance policies d The Uptime Institute's Tier certification

A. DLP tools combined with DRM and SIEM enhance the security value of each because you create in-depth/layered defense. Project management software does not really have anything to do with security, so option B is incorrect. Insurance is a risk transfer mechanism and does not aid in risk mitigation efforts; DLP is for risk mitigation, so option C is incorrect. The Tier certification program is for the cloud provider and not used by the cloud customer, so option D is incorrect.

DLP (data loss prevention or data leak protection) solutions are implemented in the hopes of securing ____________. a Sensitive data that may leave the organization's control b All data within the organization's control c Data being processed by the organization's users d Data that could be intercepted while out of the organization's control

A. DLP, also referred to as egress monitoring, is used to detect and prevent sensitive data from leaving the organization's control without proper approval. Because it is designed to prevent the egress of only certain data sets, options B and C are not correct. Controlling data outside the reach of the organization is difficult at best. While there are some mechanisms that might accomplish this, DLP is not specifically designed for that purpose, so option D is incorrect.

You are the security manager of a small firm that has just purchased a DLP solution to implement in your cloud-based production environment. Which of these activities should you perform before deploying the tool? a Survey your company's departments about the data under their control b Reconstruct your firewalls c Harden all your routers d Adjust the hypervisors

A. In order to "train" the DLP solution properly, you'll need to inform it as to which data in your organization is sensitive...and, in order to do that, you'll need to determine what information your data owners deem sensitive; a survey is a way to do that. A proper DLP solution should not affect or be affected by the firewalls, routers, or hypervisors, so options B, C, and D are incorrect.

What is a form of cloud storage where data is stored in a logical storage area assigned to the user but not necessarily physically attached or even geographically proximate to the compute node the user is utilizing? a Volume storage b Databases c Content delivery network (CDN) d Object storage

A. In volume storage, the user is assigned a logical drive space into which anything (such as raw data, objects, or applications) may be saved or installed, similar to a mounted drive on a legacy network. Databases store data in an arrangement of characteristics and values, not in an unstructured drive space, so option B is incorrect. CDNs are for distributing data with less chance of quality loss, so option C is incorrect. Object storage arranges data as objects in a structured hierarchy, so option D is incorrect.

Which of the following characteristics is associated with digital rights management (DRM) solutions (sometimes referred to as information rights management, or IRM)? a Mapping to existing access control lists (ACLs) b Delineating biometric catalogs c Preventing multifactor authentication d Prohibiting unauthorized transposition

A. Mapping to existing access control lists (ACLs) is the trait that allows DRM tools to provide additional access control protections for the organization's assets. The other options are distractors and meaningless in this context.

Your organization is migrating the production environment to an IaaS cloud implementation. Your users will need to be able to get access to their data and share data with other users in a defined, structured motif. You should configure the cloud memory as _________. a Object storage b Volume storage c Synthetic storage d Databases

A. Object storage is usually arranged in a file hierarchy, with defined structure. Volume storage has data with no defined structure (only memory space), and databases arrange data in tables and relational schemes; neither of these options offers the functions described in the question. Synthetic is a distractor, and meaningless in this context.

When implementing cryptography in a cloud environment, where is the worst place to store the keys? a With the cloud provider b Off the cloud, with the data owner c With a third-party provider, in key escrow d Anywhere but with the cloud provider

A. Option A creates a conflict of interest and does not enforce separation of duties. The best practice is to not store cryptographic keys with the data they encrypted, to avoid a potential conflict of interest and to enforce separation of duties. B and C are viable choices, but are each specific. For this question, D is the preferable selection, as it is more general, and therefore not only includes the possibilities of B and C, but any similar possibility. The answer that is more general is more correct, for this question.

Which of the following characteristics is associated with digital rights management (DRM) solutions (sometimes referred to as information rights management, or IRM)? a Persistence b Influence c Resistance d Trepidation

A. Persistence is the trait that allows DRM protection to follow protected files wherever they might be stored/copied. The other options are distractors and meaningless in this context.

According to the (ISC)2 Cloud Secure Data Life Cycle, which phase comes soon after (or at the same time as) the Create phase? a Store b Use c Deploy d Archive

A. The Cloud Secure Data Life Cycle phases are, in order, Create, Store, Use, Share, Archive, Destroy (a good mnemonic might be CSU-SAD). Options B and D are phases of CSU-SAD but do not immediately follow create. Option C is not a phase of CSU-SAD.

According to the (ISC)2 Cloud Secure Data Life Cycle, in which phase should the process of categorization/classification of data occur? a Create b Store c Define d Use

A. The Cloud Secure Data Life Cycle phases are, in order, Create, Store, Use, Share, Archive, Destroy (a good mnemonic might be CSU-SAD). The best practice for categorizing/classifying data is to do so when it is first created/collected so that the proper security controls can be applied to it throughout the rest of the cycle. Options B and D are phases of the CSU-SAD but are not the proper times to be applying classification/categorization; that would be too late in the cycle. Option C is not a phase of CSU-SAD.

As with the legacy environment, cloud data encryption includes all the following elements except ____________. a The user b The data itself c The encryption engine d The encryption keys

A. The user is not really an aspect of an encryption deployment, although it may be argued that the user will need to refrain from disclosing their own private key(s) to anyone else.

You are the security manager of a small firm that has just purchased a DLP solution to implement in your cloud-based production environment. In order to get truly holistic coverage of your environment, you should be sure to include __________ as a step in the deployment process. a Getting signed user agreements from all users b Installation of the solution on all assets in the cloud data center c Adoption of the tool in all routers between your users and the cloud provider d All of your customers to install the tool

A. This is a tricky question. In the cloud environment, we know that all users will be entering the environment through remote access; in many cases, this will include the use of their personal devices. In order for DLP solutions to function properly, all devices accessing the production environment must have local DLP agents installed, and that requires signed user agreements. It would be unnecessary (and intrusive, and cumbersome) to install DLP agents on all assets in the cloud data center, which includes not only your organization's assets but also those of all the other cloud tenants in that data center. This might even be illegal. Option B is incorrect. Assuming you could install (or even know) all the routers between your users and the cloud data center is ridiculous; option C is incorrect. Getting your customer to install a DLP client would be nice, in theory...but also pointless. Your customers don't work for you; they are outside your organization. DLP tools are used to prevent sensitive data from leaving your environment; by the time it has reached a customer, sensitive information is far outside your control and DLP would be of no use. Option D is incorrect.

Data dispersion uses ___________, where the legacy implementation was called "striping." a Chunking b Vaulting c Lumping d Grouping

A. Where RAID used data striping across multiple drives, with data dispersion this technique is referred to as "chunking," or sometimes "sharding" when encryption is also used. The other options are all distractors, with no meaning in this context.

Data dispersion is a cloud data security technique that is most similar to which legacy implementation? a Business continuity and disaster recovery (BCDR) b Redundant Array of Inexpensive Disks (RAID) c Software-defined networking (SDN) d Content delivery network (CDN)

B. Data dispersion is basically RAID in the cloud, with data elements parsed and stored over several areas/devices instead of stored as a unit in a single place. RAID (and data dispersion) does aid in BCDR activities by increasing the robustness and resiliency of stored data, but BCDR is a much more general discipline, so it is not the optimum answer for the question. SDN is used for abstracting network control commands away from production data, and CDN is usually used for ensuring quality of streaming media.

What is a form of cloud data protection where data is spread across multiple storage devices/locations, similar to RAID in the legacy environment? a Infringing b Data dispersion c Voiding d Crypto-shredding

B. Data dispersion is the cloud version of using RAID arrays, protecting data by spreading it across multiple volumes/devices. Options A and C are terms that have no meaning in this context and are only distractors. Crypto-shredding is a form of device/media sanitization utilizing cryptography and has nothing to do with RAID, so option D is incorrect.

What is one of the benefits of implementing an egress monitoring solution? a Preventing DDoS attacks b Inventorying data assets c Interviewing data owners d Protecting against natural disasters

B. Egress monitoring solutions (often referred to as DLP tools, where DLP stands for data loss protection or data leak prevention, or some combination of these terms) require the organization to appropriately inventory and classify data assets so the tool knows what to protect. DLP does not aid in protections for DDoS or natural disasters, which affect availability, not confidentiality (DLP only enhances confidentiality efforts). Option C is a distractor and has nothing to do with DLP.

DLP solutions may use all the following techniques to identify sensitive data except ____________. a Pattern matching b Inference c Keyword identification d Metadata tags

B. Inference is an attack technique that derives sensitive material from an aggregation of innocuous data; DLP tools, thus far, do not have this capability. All the other techniques listed may be used by DLP solutions to detect sensitive data before it leaves the control of the owner.

You are the security manager of a small firm that has just purchased a DLP solution to implement in your cloud-based production environment. What should you expect immediately following the implementation of the DLP solution? a Immediate decrease in lost data b A series of false-positive indications c Increase in morale across the organization d Increase in gross revenue

B. It will take a while for the DLP solution to "learn" the particulars of your environment and to be conditioned properly. A significant number of false-positive indications will be expected in the near term, until you can hone the responses to properly meet your organization's needs. The DLP tool will not work optimally immediately upon implementation, so option A is incorrect. DLP tools do not affect morale or revenues, so options C and D are incorrect.

You are the security manager of a small firm that has just purchased a DLP solution to implement in your cloud-based production environment. What should you not expect the tool to address? a Sensitive data sent inadvertently in user emails b Sensitive data captured by screen shots c Sensitive data moved to external devices d Sensitive data in the contents of files sent via FTP

B. It's unlikely that any DLP tools will be able to detect sensitive data captured, stored, and/or sent as graphic image files, which is the usual form of screen shots. A proper DLP tool should be able to detect all the other types of activity, so the other options are incorrect.

Which of the following should occur during the final phase of the Cloud Secure Data Life Cycle? a Data dispersion b Crypto-shredding c Cryptoparsing d Cryptosporidium

B. The Cloud Secure Data Life Cycle phases are, in order, Create, Store, Use, Share, Archive, Destroy (a good mnemonic might be CSU-SAD). Crypto-shredding (also called cryptographic erasure) is the preferred method of data sanitization for a cloud environment; this should take place in the final phase of the cycle, destroy. Option A is incorrect because data dispersion is a means of making data more resilient and secure; in the final phase of the cycle, we want to get rid of the data, not make it resistant to loss. Option C is incorrect because cryptoparsing is a made-up term and used here as a distractor. Option D is incorrect because cryptosporidium is a microorganism and has nothing to do with InfoSec; it is used here as a distractor.

You are the security manager of a small firm that has just purchased a DLP solution to implement in your cloud-based production environment. You understand that all of the following aspects of cloud computing may make proper deployment of the DLP difficult or costly except ____________. a Data will not remain in one place or form in the cloud b The cloud environment will include redundant and resilient architecture c There will be a deleterious impact on production when installing the DLP tool d You might not have sufficient proper administrative rights in the cloud infrastructure

B. The fact that cloud data centers are designed with multiple redundancies of all systems and components won't really have any bearing on your decision and implementation of your DLP solution. Because data will move across nodes in the data center and will take different forms (such as live data in a virtualized instance or snapshotted data saved in a file store when a virtual machine is not being used at a specific moment), you will have to determine how the DLP will function in that environment, and whether it was designed for cloud usage. Option A is incorrect. Option C is true for any environment, not just the cloud; all security functions necessarily negatively impact operations and production. Option B is a better answer. Option D is also correct; it may be difficult to situate all the necessary DLP agents in all the locations you'd prefer because the cloud customer may not have access rights to the necessary underlying infrastructure.

What type of data storage is often used in PaaS arrangements? a Ephemeral b Database c Long-term d Nefarious

B. The platform as a service (PaaS) model allows the cloud customer to install and run applications in the cloud environment. With a database, the cloud customer can store data in a database administered by the cloud provider but can then tailor applications and services for reaching into and manipulating that database. Ephemeral and long-term storage take place in the software as a service (SaaS) model, and there is no such thing as "nefarious data storage," so options A, C, and D are incorrect.

Your organization is migrating the production environment to an IaaS cloud implementation. Your users will need to be able to get access to their data, install programs, and partition memory space for their own purposes. You should configure the cloud memory as ___________. a Object b Volume c Synthetic d Database

B. Volume storage allows all the functions described in the question. Object storage has data arranged in a file structure, and databases arrange data in tables and relational schemes; neither of these options offers the functions described in the question. Synthetic is a distractor and meaningless in this context.

You are the security manager of a small firm that has just purchased a data loss prevention or data leak protection (DLP) solution to implement in your cloud-based production environment. In which of the following cases would you not have to get permission from the cloud provider to install and implement the tool? a If it's hardware based and your production environment is in an IaaS model b If you purchased it from a vendor other than the cloud provider c If it's software based and your production environment is in a PaaS model d If it affects all guest instances on any given host device

C. A cloud customer can install applications on a PaaS environment, usually as they see fit and without prior coordination with the provider. Hardware introduced into the cloud environment will definitely need permission from your cloud provider, regardless of the deployment model you use, so option A is incorrect (and unlikely to occur, as permission is probably not going to be granted). While the provider may offer a DLP function as an add-on service, which would definitely be permissible for you to use, the use of an outside vendor's product may have to be reviewed by the provider before implementation, based on a number of other variables (such as the other possible answers). Option C is preferable, so option B is incorrect. Affecting all images on a host may impact other customers in a multitenant environment, so option D is not the correct answer.

You are the security team leader for an organization that has an infrastructure as a service (IaaS) production environment hosted by a cloud provider. You want to implement an event monitoring (security information and event management (SIEM)/security information management (SIM)/security event management (SEM)) solution in your production environment in order to acquire better data for security defenses and decisions. Which of the following is probably your most significant concern about implementing this solution in the cloud? a The solution should give you better analysis capability by automating a great deal of the associated tasks. b Dashboards produced by the tool are a flawless management benefit. c You will have to coordinate with the cloud provider to ensure that the tool is acceptable and functioning properly. d Senior management will be required to approve the acquisition and implementation of the tool.

C. Because the tool will require at least some installation and reporting capability within the cloud environment, it is essential to coordinate with the cloud provider to ensure that the solution you choose will function properly and is allowed by the provider. Option A is true, but not a major concern; that is a benefit of SIEM/SEM/SIM tools. Option B is not true because dashboards can often misconstrue pertinent reporting data when they are used to chase management goals instead of distilling raw data appropriately. Option D is not true because management should not be involved in such granular decisions.

What is a form of cloud storage often used for streaming multimedia data to users? a Volume storage b Databases c Content delivery network (CDN) d Neutral storage

C. CDNs are often used to place large stores of multimedia data in a location geographically near to the end users who will consume that data; this is mostly to accomplish a reduction in data degradation due to distance between resource and user. Volume storage assigns a logical, unstructured drive space to the user, so option A is incorrect. Databases store data in an arrangement of characteristics and values, so option B is incorrect. Neutral storage is a nonsense term, used only as a distractor, so option D is incorrect.

Which of the following characteristics is associated with digital rights management (DRM) solutions (sometimes referred to as information rights management, or IRM)? a Transparent encryption modification b Bilateral enhancement c Continuous audit trail d Encompassing flow

C. Continuous audit trail is the trait that allows DRM tools to log and exhibit all access to a given object. The other options are distractors and meaningless in this context.

Egress monitoring solutions usually include a function that ____________. a Arbitrates contract breaches b Performs personnel evaluation reviews c Discovers data assets according to classification/categorization d Applies another level of access control

C. Egress monitoring solutions (often referred to as DLP tools, where DLP stands for data loss protection or data leak prevention, or some combination of these terms) will often include a discovery function, which will locate data assets according to criteria defined by the organization. DLP solutions cannot arbitrate contract breaches or perform personnel evaluations. Usually, DLPs also do not apply additional access controls; that is typically a characteristic of a digital rights management (DRM) solution.

Egress monitoring solutions usually include a function that ____________. a Uses biometrics to scan users b Inspects incoming packets c Resides on client machines d Uses stateful inspection

C. Egress monitoring solutions (often referred to as DLP tools, where DLP stands for data loss protection or data leak prevention, or some combination of these terms) will often include an agent that resides on client devices in order to inspect data being shared/sent by end users. DLP tools do not inspect incoming packets, with or without stateful inspection; this is the job of firewalls. DLP solutions do not typically use biometrics in any way.

Data dispersion uses ___________, where the legacy implementation was called "parity bits." a Smurfing b Snarfing c Erasure coding d Real-time bitlinking

C. Erasure coding is the practice of having sufficient data to replace a lost chunk in data dispersion, protecting against the possibility of a device failing while it holds a given chunk; parity bits serve the same purpose in the legacy RAID configuration. The other options do not have any meaning in this context.

In which of these options does the encryption engine reside within the application accessing the database? a Transparent encryption b Symmetric-key encryption c Application-level encryption d Homomorphic encryption

C. In application-level encryption, the application will encrypt data before it is placed in the database. In transparent encryption, the entire database is encrypted. Symmetric-key encryption is a kind of encryption and not truly indicative of a strategy used in database encryption. Homomorphic encryption is an experimental, theoretical process that might allow processing encrypted information without the need to decrypt it first.

Which of the following is not a step in the crypto-shredding process? a Encrypt data with a particular encryption engine b Encrypt first resulting keys with another encryption engine c Save backup of second resulting keys d Destroy original second resulting keys

C. In crypto-shredding, the purpose is to make the data unrecoverable; saving a backup of the keys would attenuate that outcome because the keys would still exist for the purpose of recovering data. All other steps outline the crypto-shredding process.

Erasure coding, in the cloud, is similar to what element of RAID implementations in the legacy environment? a Deltas b Inversion c Parity bits d Transposition

C. Similar to parity bits in RAID, erasure coding is used in cloud data dispersion implementations to create a situation where data can still be recovered even if a segment or portion of the dispersed data is lost (due to drive failure, disaster, etc.). Options A and B have no meaning in this context and are only used as distractors. Transposition is a cryptographic technique and does not relate to RAID in any way, so option D is also incorrect.

According to the (ISC)2 Cloud Secure Data Life Cycle, which phase comes immediately before the Share phase? a Create b Destroy c Use d Encrypt

C. The Cloud Secure Data Life Cycle phases are, in order, Create, Store, Use, Share, Archive, Destroy (a good mnemonic might be CSU-SAD). Options A and B are phases of CSU-SAD but do not immediately precede Share. Option D is not a phase of CSU-SAD.

You are the security manager of a small firm that has just purchased a DLP solution to implement in your cloud-based production environment. You are interested in fielding the solution as an awareness tool, to optimize security for your organization through conditioning user behavior. You decide to set the solution to ____________. a Suspend user accounts and notify the security office when it detects possible sensitive data egress attempted by a user b Halt the transaction and notify the user's supervisor when the user attempts to transfer sensitive data c Query the user as to whether they intend to send sensitive data upon detection of an attempted transfer d Sever remote connections upon detection of a possible sensitive data transfer

C. These are all possible settings for a modern DLP solution. However, the best option, in light of the question, is to query the user as to their intent; this aids the user in understanding and knowing when sensitive data might be leaving the organization accidentally, through a mistake on the user's part. The other options are more severe and restrictive; these will enhance security but reduce productivity and are management and technological controls instead of awareness tools, so they are wrong for this question.

Which of the following is not a security concern related to archiving data for long-term storage? a Long-term storage of the related cryptographic keys b Format of the data c Media the data resides on d Underground depth of the storage facility

D. A long-term storage facility may or may not be located underground; the security of that facility (and the data contained therein) is not dependent on this aspect. Option A is a security concern because loss of the keys may result in losing the data (by losing access to the data), and keeping the keys with the data they protect increases risk. Both the format of the data and the media on which it resides (options B and C) are important to bear in mind, as either (or both) may be outmoded by the time the data might need to be retrieved from the archive: Data and formats do not age well.

Which of the following will DLP solutions most likely not inspect? a Email content b FTP traffic c Material saved to portable media d VoIP conversations

D. Commercial DLP products that monitor speech in real time and censor conversations are not yet widely available. A proper DLP solution will monitor all the technologies in the other options, so those are incorrect.

Digital rights management (DRM) solutions (sometimes referred to as information rights management, or IRM) often protect unauthorized distribution of what type of intellectual property? a Patents b Trademarks c Personally identifiable information (PII) d Copyright

D. DRM is often deployed to ensure that copyrighted material (frequently software) is only delivered to and used by licensed recipients. Patents are more complicated and not often distributed to a mass market, so DRM does not assist in that way. Trademarks are representations of a brand and meant to be distributed, so DRM does not protect them. PII is not typically a type of intellectual property.

Data dispersion provides protection for all the following security aspects except ___________. a Protecting confidentiality against external attack on the storage area b Loss of availability due to single storage device failure c Loss due to seizure by law enforcement in a multitenant environment d Protecting against loss due to user error

D. Data dispersion can't really aid in inadvertent loss caused by an errant user; if the user accidentally deletes/corrupts a file, that file will be deleted/corrupted across all the storage spaces where it is dispersed. The technique does, however, protect against the other risks: It enhances confidentiality because an attacker gaining illicit access to a single storage space will only get a chunk of the data, which is useless without the other chunks; this same aspect also protects against loss when law enforcement seizes a specific storage device/space while investigating another tenant at the same cloud provider your organization uses. And loss of availability due to single device failure is probably the primary reason for having data dispersion (like RAID before it).

What is a form of cloud storage where data is stored as objects, arranged in a hierarchical structure, like a file tree? a Volume storage b Databases c Content delivery network (CDN) d Object storage

D. Object storage stores data as objects (hence the name), often arranged in a hierarchical structure.

At what phase of the Cloud Secure Data Life Cycle does data enter long-term storage? a The first b The second c The fourth d The fifth

D. The Cloud Secure Data Life Cycle phases are, in order, Create, Store, Use, Share, Archive, Destroy (a good mnemonic might be CSU-SAD). Archiving (the fifth phase) is the process of moving data out of the production environment and into long-term storage.

Why is the term (ISC)2 Cloud Secure Data Life Cycle actually somewhat inaccurate? a The term is not used only by (ISC)2 b Not all phases are secure c Not all phases take place in the cloud d It's not actually a cycle

D. The Cloud Secure Data Life Cycle phases are, in order, Create, Store, Use, Share, Archive, Destroy (a good mnemonic might be CSU-SAD). This is not truly a cycle because data does not continue after the destroy phase (that is to say, the same data or process does not go back to create after destroy). Option A might be considered true because the CSU-SAD cycle is not unique to (ISC)2, but this is not the best answer; option D is preferable because it is not truly a cycle. Options B and C are incorrect because activity in each of the phases involves security aspects and all phases relate to how data is involved in the cloud.

When implementing a digital rights management (DRM) solution in a cloud environment, which of the following does not pose an additional challenge for the cloud customer? a Users might be required to install a DRM agent on their local devices b DRM solutions might have difficulty interfacing with multiple different OSs and services c DRM solutions might have difficulty interacting with virtualized instances d Ownership of intellectual property might be difficult to ascertain

D. The owner of intellectual property will not change whether the material is stored in the cloud or in a legacy environment. Moving into the cloud will probably result in more use of personal devices, requiring users to install local DRM agents, so option A is true, making it not a suitable answer to this question. Options B and C are also true, due to the nature of cloud computing, and are therefore also not suitable for this question.

The cloud security professional should be aware that encryption will most likely be necessary in all the following aspects of a cloud deployment except ____________. a Data at rest b Data in motion c Data in use d Data of relief

D. The term data of relief doesn't really mean anything and is therefore the correct answer for this question. Encryption is used in all other aspects of cloud data.

