Cloud Security (Sample Question Bank)

MODULE 1: INTRODUCTION TO CLOUD COMPUTING

1) Which technology is generally required to build resource pools?

a) Virtualization
b) CPUs and memory
c) The Internet
d) VLANs

2) What is the key difference between traditional virtualization and cloud?

a) Hypervisors
b) Commercial virtualization software
c) Orchestration
d) Abstraction

3) Which of the following is *not* a key potential benefit of cloud computing:

a) Agility
b) Resiliency
c) Compliance
d) Economics

4) What business benefit(s) was Amazon attempting to realize when they created their internal cloud computing program? Select
all that apply.
a) Faster time to deploy developer resources
b) Build a world-class public cloud computing platform
c) Better match real-time capacity to fluctuating demand
d) Beat Microsoft

5) Resource pools permanently assign resources to a user.

a) True
b) False

6) Cloud computing supports scaling up of required resources, but not scaling down.
a) True
b) False

7) Which of the following appear in both the NIST and ISO/IEC cloud computing definitions? Select all that apply.
a) Network access
b) On-demand
c) Self Service
d) Resource pools
e) Rapid provisioning

8) Click and drag the correct NIST model element to the appropriate category below.
Answer
9) Services scaling out and scaling in quickly are an example of which essential characteristic of cloud?
a) Resource Pooling
b) On-Demand Self Service
c) Rapid Elasticity
d) Measured Service
e) Broad Network Access

10) Click and drag the Essential Characteristics to the box below.

Answer

11) Which of the following is not an emergent property of resource

a) Pooling
b) Governance
c) Isolation
d) Segmentation
e) Broad Network Access

12) Which service model would a cloud database be considered?

a) Storage as a service
b) Platform as a Service
c) Software as a Service
d) Infrastructure as a Service

13) Software as a Service is always built on top of Platform as a Service which is always built on Infrastructure as a Service.
a) True
b) False

14) Which of the following is most likely to be considered IaaS:

a) A container registry
b) A cloud message queue
c) The cloud’s management console
d) A virtual machine

15) In IaaS, individual virtual machines use which kind of storage?

a) VsTOR-based hardware
b) A database platform
c) The local hard drives on the servers
d) Virtual volumes from a storage pool

16) Platform as a Service abstracts application platforms and platform components from underlying resources, and can be built on
top of IaaS.
a) True
b) False

17) Which of the following is not required to be considered SaaS?

a) Underlying physical hardware
b) Customer management of the underlying resources
c) The essential characteristics
d) A complete application

18) Drag the labels to indicate which of the SaaS components are built on IaaS.

Answer

19) If an organization uses a Community Cloud Deployment Model, some portion of the physical infrastructure MUST be
on-premises with one of the community members.
a) True
b) False

20) If an organization employs the technique of cloud bursting, which cloud deployment model are they utilizing?
a) Proprietary
b) Multi-Tenancy
c) PaaS
d) Hybrid

21) Which element of the logical model describes the cloud management plane?
a) Infostructure
b) Infrastructure
c) Applistructure
d) Metastructure

22) Click and drag the Accessible and Consumed By items on the left to complete the column.

23) In which service model does the cloud consumer have the least amount of control over security?
a) Infrastructure as a Service
b) Platform as a Service
c) Security as a Service
d) Software as a Service

24) In which cloud service model is the cloud consumer responsible for ensuring that the hypervisor is not vulnerable to attack?
a) Software as a Service
b) Infrastructure as a Service
c) Platform as a Service
d) None of the above

25) When should you define the security controls when building a cloud deployment?
a) Before determining the service and deployment models
b) Before selecting the provider
c) After identifying control gaps
d) After identifying requirements

26) Click and drag the items to the correct category.

Answer

MODULE 2: INFRASTRUCTURE SECURITY FOR CLOUD COMPUTING

1) Cloud infrastructure security does not include the virtualization components:

a) False
b) True

2) Which of the following resource pools is not associated with IaaS:

a) Storage
b) Network
c) Middleware
d) Compute

3) Click on the components that the cloud consumer is primarily responsible for securing.

Answer

4) Which of the following are typically in the underlying infrastructure of a cloud? (click all that apply)
a) Database
b) Message queue
c) API server
d) Hypervisors
e) Identity service

5) Why is hardening infrastructure components so important?

a) Clouds are sometimes based on common components that may contain vulnerabilities.
b) All security is important
c) Infrastructure components are most likely to be exposed to cloud consumers
d) This prevents the cloud provider from accessing cloud consumer data.
6) Which is a defining characteristic of Software Defined Networks?
a) Uses OpenFlow
b) Decouples the control plane from the underlying physical network
c) Leverages packet tagging
d) Autoscaling for resiliency

7) Which SDN security capability often replaces the need for a physical or virtual appliance?
a) Default deny
b) Lack of support for packet sniffing
c) Security groups
d) Integrated isolation

8) The most effective way for an attacker to compromise a security group is to compromise the host/virtual machine and then
modify the rules.
a) True
b) False

9) Which of the following physical networks is used for Internet to instance traffic?
a) Storage
b) Management
c) Virtual
d) Service

10) Why should cloud providers use multiple underlying physical networks? (select all that apply)
a) Cost management
b) Resiliency
c) Better performance
d) Better isolation

11) Which virtual network technology is best suited for cloud?

a) SDLN
b) VLAN
c) Token Ring
d) V-flow

12) Virtual networks:

a) Are more flexible, but more difficult to secure
b) Take fewer resources.
c) Substitute for physical networks
d) May include inherent security capabilities.

13) Which is a defining characteristic of Software Defined Networks?

a) Uses OpenFlow
b) Decouples the control plane from the underlying physical network
c) Leverages packet tagging
d) Autoscaling for resiliency

14) Which SDN security capability often replaces the need for a physical or virtual appliance?
a) Default deny
b) Lack of support for packet sniffing
c) Security groups
d) Integrated isolation

15) The most effective way for an attacker to compromise a security group is to compromise the host/virtual machine and then
modify the rules.
a) True
b) False

16) Which of the following is the most effective security barrier to contain blast radius?
a) Cloud account/project/subscription
b) Virtual subnet (with or without ACLs)
c) Virtual network
d) Security group

17) How does a virtual network affect network visibility?

a) An SDN can provide more visibility than a physical network
b) Virtual machines on the same physical host don’t use the physical network
c) Virtual networks block packet capture for better isolation
d) Virtual networks always encrypt traffic and break packet capturing

18) Place the following network security tools in the preferred order in most cloud deployments, from 1 (most preferred) to 4.

Answer

19) What is the purpose of a bastion network/transit VPC?

a) To better support multiple virtual networks and accounts in hybrid scenarios
b) To better lock down a hybrid cloud
c) To create a cloud DMZ
d) To improve internal routing and IP address space availability

20) Which of the following is primarily a responsibility of the cloud provider?

a) Configuring security groups.
b) Securing the underlying virtualization technology
c) Correct configuration in the management plane
d) Designing subnets, virtual networks, and ACLs

21) Of the following, which is the most important use case for the Software Defined Perimeter?
a) To secure hybrid networks
b) To encrypt SDN traffic
c) For federated network identity
d) To improve and secure remote access

22) Which of the following are cloud workloads? Select all that apply:
a) Host servers.
b) Containers
c) Virtual machines
d) Serverless/function as a service

23) Click on the pipeline component that executes security tests and builds images:

Answer

24) Which of the following *most* impacts traditional workload security controls when applied to cloud deployments?
a) Hypervisors
b) Serverless
c) Low resiliency
d) Security groups
e) High volatility/rates of change

25) How can immutable workloads improve security?

a) They eliminate error-prone manual management
b) They scale for DDoS
c) They better meet performance requirements
d) They better support use of traditional security tools

26) Select the cloud workload security option that can most improve overall security and reduce attack surface:
a) Select cloud-aware host security agents
b) Use immutable as much as possible
c) Store logs external to instances
d) Leverage existing/traditional vulnerability assessment tools

27) Which of the following is primarily a cloud consumer workload security responsibility?
a) Underlying infrastructure security
b) Hypervisor security
c) Volatile memory security
d) Monitoring and logging

28) Why is management plane security so critical?

a) Compromise of the management plane potentially compromises all cloud assets
b) REST APIs are inherently insecure
c) It is the primary integration point for hybrid cloud.
d) It is the best way for cloud consumers to protect themselves from hostile cloud provider employees

29) Click and drag the management plane security steps to the correct order

Answer

30) Multi-factor authentication is the single most important management plane security control.
a) True
b) False

31) Identify one drawback to managing users in the management plane:

a) Inefficient MFA support
b) The reliance on RBAC
c) High variability between cloud providers
d) Lack of SSO support

32) What is the role of a service administrator?

a) To administer cloud platform/management plane users.
b) To isolate application security
c) To administer a limited set of cloud services
d) They are the core administrators of a cloud account.

33) Select the best option for management plane monitoring, when it is available:
a) Inherent cloud auditing, since it captures the most activity
b) Inherent cloud auditing, since that offloads responsibility to the cloud provider
c) Proxy-based auditing, since it eliminates the need to trust the cloud provider
d) Proxy-based auditing, since it captures more activity

34) What is the single most important rule for cloud BC/DR?
a) Use object storage for backups
b) Snapshot regularly
c) Use multiple cloud providers
d) Architect for failure

35) Which is not a key aspect of cloud BC/DR?

a) Continuity within the provider/platform
b) Hypervisor resiliency
c) Portability
d) Preparing for provider outages.

36)

Answer – Megastructure

37) Select a technique to manage continuity within the cloud provider.

a) Data portability
b) Multi-Cloud provider plans
c) Hybrid cloud backup
d) Cross-Location/region design

MODULE 3: MANAGING CLOUD COMPUTING SECURITY AND RISK

1) Select the governance tool that is most affected by the transition to cloud computing:
a) Mission statement
b) Compliance reporting
c) Board of director reporting
d) Chart of accounts.

2) In terms of cloud computing and security... what is the primary governance role of a contract?
a) Regulatory Requirements
b) Defines how you extend internal controls to the cloud provider
c) Cost management
d) To define the data custodian

3) Does the shared responsibilities model define the contract or the contract define the shared responsibilities model?
a) The shared responsibilities model defines the contract.
b) The contract defines the shared responsibilities model.

4) Select the layer where you evaluate your providers in the diagram:

Answer: (C) SUPPLIER ASSESSMENT

5) What is the responsibility of information risk management?

a) Align risk management to the tolerance of the data owner
b) Manage overall risk to the organization
c) Determine the overall risk of cloud providers
d) Eliminate all risks to information assets

6) Your risk assessment effort should be equal for all information assets:
a) True
b) False

7) In which service model does the cloud consumer have to rely most on what is in the contract and documented to enforce and
manage security?
a) PaaS
b) Hybrid
c) IaaS
d) SaaS

8) Under which conditions is managing risk similar for public and private cloud?
a) No conditions; public cloud is always riskier
b) The risk profiles are always the same
c) When your private cloud is third party hosted and managed
d) When using a major public cloud provider

9) Which do you need to rely more on to manage risks when using public cloud computing?
a) Physical control of assets
b) Testing instead of assessments and attestations
c) Consultants
d) Contracts and SLAs

10) What is critical when evaluating a cloud service within your risk management program?
a) Ensuring the provider's security program supports your existing on-premise tools
b) Accounting for the context of the information assets involved
c) Minimizing regional harm
d) Eliminating all outsourcing risk

11) How can you manage risk if you can't negotiate a contract with the cloud provider?
a) Use compensating controls and your own risk mitigation mechanisms
b) Always choose a different provider
c) Obtain cyber insurance
d) Accept all potential risks.

12) Audits are only used to meet government regulatory requirements.

a) True
b) False

13) Cloud changes compliance. Select the statement that is incorrect:

a) There may be a greater reliance on third party audits
b) The cloud provider is ultimately responsible for their customer's compliance
c) There are large variations between the compliance capabilities of different cloud providers
d) Metastructure/management may span jurisdictions even if data is localized

14) Which is *not* a source of compliance obligations?

a) Contracts
b) Internal Audits
c) Legislation
d) Industry Standard

15) Compliance inheritance means that an application built on top of a cloud provider's service that is compliant with a
regulation/standard is always guaranteed to be compliant.
a) True
b) False

16) The Cloud Security Alliance Security Guidance provides:

a) Legal Guidance
b) Information you should discuss with your attorneys.
c) Legal Recommendation
d) Legal Advice

17) The Australian Privacy Act of 1988 can apply to Australian customers, even if the cloud service provider is based elsewhere:
a) True
b) False

18) What is the purpose of a data localization law?

a) To require that data about the country’s citizens be stored in the country
b) To require service providers to register with the country’s data protection commission
c) To require companies to hire only local workers
d) To require that all business documents be in the country’s official language

19) Which of the following is correct?
a) GDPR stands for “Government Data Privacy Rule”.
b) GDPR establishes fines of $1,000 per credit card number compromised
c) GDPR prohibits the transfer of personal data outside the EU or EEA to a country that does not offer similar privacy rights
d) GDPR requires that EU member states’ national laws impose network requirements on operators of essential services

20) The Federal Government in the United States does not directly address issues of data privacy, but instead leaves it up to the
states to create laws that address privacy concerns:
a) True
b) False

21) If a business is located outside the European Union, it does not have to comply with the privacy laws of the European Union:
a) True
b) False

22) In the United States, only entities that collect or process financial data or health data must comply with privacy or security laws:
a) True
b) False

23) Which of the following is a standard?

a) APPI
b) COPPA
c) PCI DSS
d) GDPR

24) When selecting a cloud provider, if a provider won't negotiate a contract:

a) Always choose another provider
b) Read the contract carefully, and consult with your advisors, to evaluate the terms and understand the potential risks.
c) Always trust the provider
d) Contracts are not enforceable in cloud due to the wide range of jurisdictions

25) Cloud consumers are ultimately responsible for understanding the legal implications of using a particular cloud provider and
service.
a) True
b) False

26) A contract with a cloud service provider can fulfill all of the following except one:
a) Clarify what happens when the service is terminated
b) Clarify whether metadata can be reused for secondary purposes
c) Clarify the price for the service
d) Define the minimum security measures taken by the cloud provider
e) Prevent a breach of security

27) If you own the data, it is still possible for your CSP to own the metadata:
a) True
b) False

28) Why do cloud providers typically limit their customers’ ability to directly assess and inspect their facilities and services?
a) They are worried customers will find vulnerabilities and they will lose business
b) Cost management
c) On-site inspections can be a security risk, and remote assessments are hard to distinguish from real attacks
d) To deter paying out bug bounties

29) Audit scopes for any given standard, like an SSAE16, are always consistent.
a) True
b) False

30) Select all the following sources that are considered artifacts of compliance:
a) Activity reports
b) System configuration details
c) Logfiles
d) Change management details

31) Should you assess or review the audits of a cloud provider more or less frequently than traditional outsourcers?
a) More
b) Less

32) Which CSA tool maps cloud security control specifications to architectural relevance?
a) STARWatch
b) Cloud Controls Matrix
c) The Security, Trust and Assurance Registry (STAR)
d) Consensus Assessment Initiative Questionnaire

33) You are a cloud provider and struggling to respond to a large number of highly variable customer RFPs for security
controls documentation. Which CSA document could you instead complete and send to customers:
a) Cloud Controls Matrix
b) STARWatch
c) The Security, Trust and Assurance Registry (STAR)
d) Consensus Assessment Initiative Questionnaire

34) Where can cloud providers publish their CAIQ and other security/compliance documents to help cloud prospects and customers
assess the provider's current security posture?
a) The Security, Trust and Assurance Registry (STAR)
b) The AWS marketplace
c) The United States Federal Register of Cloud Providers
d) Google

35) Which CSA tool allows you to quickly search a provider's assessment for controls that map to regulations you care about and see
the responses to those controls?
a) CCM
b) CAIQ
c) STAR
d) STARWatch

36) The CSA Cloud Controls Matrix v3.0.1 maps control specifications to FedRAMP High Impact Level.
a) True
b) False

37) The CSA Cloud Controls Matrix v3.0.1 contains how many control specifications?
a) 57
b) 16
c) 133
d) 295

MODULE 4: DATA SECURITY FOR CLOUD COMPUTING

1) All cloud data is eventually stored on a physical device, like a hard drive
a) True
b) False

2) Which of the following cloud data storage types can be described as “a database for files”:
a) Object storage
b) Database storage
c) Volume storage
d) Platform storage

3) Why do we use data dispersion in cloud computing?

a) To improve resiliency by eliminating the need for physical drives
b) To improve security by obviating the need for encryption
c) To improve resiliency in case of individual drive failure
d) To improve security by reducing the chances a complete file can be stolen

4) Which security tool can help detect sensitive data migrating to the cloud?
a) Data security proxies (DSP)
b) Firewalls
c) Data Loss Prevention (DLP)
d) IPS

5) Which of the available CASB modes is most cloud-native but often not supported by smaller, especially SaaS, providers:
a) API
b) Inline (cloud)
c) Inline (local)
d) Cloud-integrated

6) Which is the preferred model of protecting data migrating to the cloud:

a) Encryption proxies, because they are the most efficient
b) Encrypting network connections, since you can't trust file encryption
c) Encrypting files, since you can't trust network encryption
d) All are equally effective

7) How does cloud complicate access controls as compared to traditional data storage?
a) There is no difference; they are not more complicated
b) Cloud storage may offer more options, such as sharing privileges or access to the data’s metadata
c) Cloud access controls are less reliable
d) Providers must support the same access controls, which makes the cloud more complex

8) In a Cloud Computing Environment, what is always your most significant security control?
a) Encryption controls
b) Access control
c) Provider-specific controls
d) Management controls

9) In the entitlement matrix below, click the boxes to allow the service administrator to describe and modify volumes but not
access logs or object storage:
Answer

10) In the entitlement matrix below, select which entitlement allows users to view metadata:

Answer

11) Click on the layer in the stack where encryption is best for protecting discrete data throughout the layers, but may be more
complex and is less effective for bulk data.

12) Select the 3 components of an encryption system.
a) Protocol
b) Encryption engine
c) Key
d) Data

13) Instance managed encryption is:

a) Your preferred option for volume encryption
b) An example of what not to do

14) Which of the following options encrypts data before you transfer it to object storage:
a) Externally managed encryption
b) Application encryption
c) Server-side encryption
d) Client-side encryption

15) Select all *potential* options for encrypting data in PaaS, if they are supported by the platform:
a) Database
b) Application level (in your own code)
c) Provider-integrated
d) Volume storage

16) Click on the location that would provide the most secure place to keep encryption keys:

17) When using provider managed encryption you are always sharing the same keys with other tenants.
a) True
b) False

18) Proxy-encryption requires you to break any existing secure connection to your cloud provider:
a) True
b) False

19) Which is the most inherently secure key management option, but it may not be viable or even needed depending on your
project requirements and platform/provider support:
a) Virtual Appliance
b) Third party service
c) Cloud Provider service
d) HSM/Appliance

20) To be considered Bring Your Own Key (BYOK) the provider must not be able to ever see or manage your keys:
a) False
b) True

21) Which key management option should you select if you are dealing with highly sensitive data that you don’t want your provider
to potentially access under any circumstances:
a) Virtual appliance
b) BYOK
c) 3rd party key management service
d) HSM/Appliance

22) Which option allows you to use an existing build for key management without replicating everything in the cloud?
a) Virtual Appliance
b) Third party service
c) Hybrid
d) HSM/Appliance

23) In the diagram below, what area shows the greatest reduction in attack surface?
a) Network attack paths
b) The cloud provider
c) The data center
d) Application logic attacks

24) For cloud, where is DLP often best integrated?

a) Secure Web Gateway
b) NGFW
c) The Cloud virtual network/VPC
d) CASB

25) What is the primary goal of data masking?

a) Stop hackers
b) Generate test data that still resembles production data
c) Hide production data from employees
d) Turn test data back into production data

26) Logs of some events in a cloud environment may not be available to you depending on your choice of cloud provider.
a) False
b) True

27) How should the data security lifecycle be used?

a) To create granular documentation for all sensitive data in the cloud.
b) To create granular documentation for all data, sensitive or not, in the cloud.
c) To replace existing data security architectures.
d) As a lightweight tool to better understand data flow and potential vs. desired data usage.

28) Place the lifecycle phases in order:

Answer

29) Why do we map locations and access?

a) To know when to force users to use a VPN
b) To replace dataflow diagrams
c) To understand where data flows, in what phases, and how it might be accessed (e.g., devices)
d) To find the security boundary between internal and external

30) What is the primary objective of mapping functions, actors, and locations?
a) To list potential security controls
b) To replace data flow diagrams
c) To determine what’s possible vs. what should be allowed
d) To document information risk

31) What do we use to reduce what is possible to what should be allowed within the context of the lifecycle?
a) Entitlement matrix
b) CASB or DLP
c) Key management
d) Security control

MODULE 5: SECURING CLOUD APPLICATIONS AND USERS

1) When moving to cloud, what now becomes within the scope of application security unlike with traditional infrastructure?
a) Management Plane
b) SAST
c) Source code
d) Architecture

2) Click and drag the phases of the lifecycle to the correct order.

Answer

3) STRIDE is a common threat modelling framework. Which of the four categories does a cloud provider typically take more
responsibility to manage:
a) Information disclosure
b) Spoofing
c) Denial of service
d) Privilege escalation

4) What is one example of a control that can reduce the potential of spoofing:
a) Encryption
b) Authentication
c) Audit logging
d) Authorization

5) Specific testing techniques are tightly aligned and should only be performed during their designated phase in the secure
software development process:
a) True
b) False

6) Which kind of test should be added to static analysis for cloud deployments?
a) Regression tests.
b) API resiliency
c) Code completion
d) Scanning for stored cloud credentials

7) Which kind of testing will most likely require permission from your cloud provider before performing?
a) Vulnerability assessment
b) Security unit tests
c) SAST
d) Composition analysis

8) Which vulnerability analysis option will always comply with the terms of service of the cloud provider, but may require paying
close attention to network architecture:
a) Penetration testing
b) Traditional network-based
c) Host-based
d) Deployment pipeline testing

9) While there are many definitions of DevOps, one technology/process is typically considered to be central to any DevOps
program. Which technology is that?
a) Continuous integration
b) Configuration management
c) Composition management
d) Static analysis

10) Click and drag the version control repository and the continuous integration server to the correct location.

Answer

11) Identify the core security benefit of immutable:

a) It fully isolates operations from production environments.
b) It fully isolates developers from production environments
c) All security updates are automatically applied
d) There are no manual changes, so everything is consistent and administrative access can be disabled.

12) Which of the following are security benefits of DevOps?
a) Greater Standardization
b) Automated Testing
c) Improved Security Operations.
d) Improved Auditing

13) Which of the following is not a new concern of secure operations for applications in the cloud?
a) WAF limitations/differences
b) The cloud configuration
c) SAST
d) The management plane

14) Which of the following is an inherent architectural security advantage of cloud?

a) The management plane
b) Segregation
c) Containers
d) 12-factor applications

15) How can serverless improve security?

a) Through automation
b) Some attack surface is the responsibility of the cloud provider in the shared responsibilities model
c) Better visibility due to the management plane
d) Serverless actually reduces security

16) Many of the new architectural options for cloud offer security benefits over what is possible in traditional infrastructure:
a) True
b) False

17) What could an email address be considered?

a) Entity
b) Identifier
c) Identity
d) Authorization

18) What is the technical definition of authentication?

a) Allowing a user to perform an action
b) The process of confirming an identity
c) Providing a user access to a resource
d) The process of validating an entity

19) What is the defining characteristic of federated identity?

a) It supports government identity management
b) It allows a user to manage multiple identities for a single system
c) It can manage an identity within a given application
d) It asserts an identity across different systems or organizations

20) Which of the following is a discrete type that will have an identity? Examples include users and organizations.
a) Persona
b) Attributes
c) Entity
d) Role

21) What is the biggest difference between IAM in cloud and in traditional environments?
a) IAM must span at least two organizational boundaries
b) Cloud is more secure
c) They use different standards
d) Cloud is less secure

22) Which IAM standard is best suited for enterprises federating with cloud providers?
a) SAML
b) XACML
c) Kerberos
d) OATH

23) Which of the following is one of the 3 most common identity standards in cloud environments?
a) SCIM
b) OATH
c) Kerberos
d) XACML

24) In the OpenID exchange below, click on the element that represents the enterprise’s directory server. Select the correct item
below.

25) In a hub and spoke model, which technology mediates between directory servers/identity providers and the service
providers/relying parties:
a) Federated identity brokers.
b) Attribute services
c) CASB
d) Directory servers

26) Which of the following IAM security incidents is more likely in cloud versus traditional infrastructure and requires a dedicated
incident response focus?
a) Account takeover
b) Account abuse
c) Privilege escalation
d) Pass the hash

27) Multifactor authentication is absolutely mandatory for cloud computing due to the higher potential for remote account
takeovers.
a) True
b) False

28) Checking to see if a user authenticated with MFA from a corporate IP address to authorize an action is an example of?
a) Multifactor authorization
b) Authentication
c) Role-based access controls.
d) Attribute-based access controls

29) What is an entitlement matrix used for?

a) To document authorizations
b) To communicate security controls to a cloud provider
c) To map the directory servers to the appropriate cloud provider
d) To translate physical security controls to cloud controls

MODULE 6: SELECTING A CLOUD PROVIDER

1) Why are elasticity and infrastructure templating critical IaaS security capabilities?
a) They improve scalability
b) They optimize performance
c) These are operational capabilities, not security capabilities
d) They enable immutable deployments.

2) Why are reviewable audits important when evaluating a cloud provider?

a) Third party auditors provide better results than internal auditors
b) They will meet all regulatory and compliance standards
c) They fill the gaps in any cloud provider security documentation
d) They provide third party validation when you cannot audit a provider yourself

3) Frequent audits and assessments are important when looking at a cloud provider due to how rapidly they evolve their services:
a) True
b) False

4) Which of the following protocols should a SaaS provider support to help extend an enterprise's existing user management
security controls, and is considered a critical security capability?
a) AuthZ
b) LDAP
c) SAML
d) IPV6

5) Security as a Service is only used to secure cloud services.
a) True
b) False

6) Select all of the following characteristics that are required for something to be considered Security as a Service:
a) It has a hosted web interface
b) It meets the NIST essential characteristics
c) It is built on an IaaS provider
d) It is a security product or service delivered as a cloud service
e) It is marketed as SecaaS

7) Which of the following is one of the more unique potential benefits of Security as a Service:
a) Transparency
b) compliance
c) customer visibility
d) Intelligence Sharing

8) Why are regulation differences a potential concern of using Security as a Service?
a) The cloud consumer may have regulatory obligations the SecaaS provider can't meet
b) SecaaS is unregulated
c) SecaaS is highly regulated
d) The cloud provider may have regulatory obligations the customer can't meet

9) Using SecaaS removes accountability for the client, but only for the particular security control the service addresses.
a) True
b) False

10) What characteristic would make a Federated Identity Broker be considered SECaaS vs. a traditional tool?
a) It supports SAML
b) It supports multiple cloud providers AND on premise directories
c) it brokers authentication to cloud services
d) It is hosted in the cloud, elastic, and you pay per user

11) What is a potential advantage of a web security gateway SECaaS over an on-premise tool?
a) Supports HTTPS
b) They are always less expensive
c) It will generally catch more malware
d) You can protect mobile users without requiring a VPN to the corporate network

12) What is required to redirect traffic to a cloud WAF?
a) An on-premise proxy
b) GRE tunnelling
c) A VPN
d) DNS changes

13) Can a cloud-based key management service be integrated with on-premise encryption?
a) No
b) Yes

14) If an attacker compromises one of your virtual machines, and then uses it to attack other clients on the same cloud platform,
what is the cloud provider's likely action?
a) The CSP will prioritize defending the rest of your deployment from the attack
b) The CSP will first protect the rest of their broader client base, which may mean disrupting your deployment
c) The CSP will prioritize alerting you and providing the information needed for you to respond to the attack
d) The CSP has no responsibility in this situation per the shared responsibilities model

15) Click and drag the incident response phases in the proper order.
16) In which phase would you build a cloud "jump kit"?
a) Detection and analysis
b) Containment and response
c) Postmortem
d) Preparation

17) In which phase would you snapshot a virtual machine for forensics?
a) Preparation
b) Detection and analysis
c) Postmortem
d) Containment and response

18) Which of the following most helps you quickly build parallel infrastructure, so that you can rapidly restore operations while still
having the compromised environment for analysis?
a) Snapshots
b) Infrastructure as code templates
c) PaaS
d) SaaS

19) In a postmortem what would be your highest priority to review and remediate if it was a blocker in your incident response?
a) Operating system vulnerabilities
b) Internal communications
c) Communications with the cloud provider
d) Container Vulnerabilities

20) Which of the following is not considered a related technology?
a) Mobile Computing
b) Internet of Things
c) Serverless
d) Security as a Service

21) Big Data is often defined as "high volume, high velocity, and high variety". What does "high velocity" mean?
a) Fast raw storage speeds
b) Storage elasticity
c) Fast transfer speeds
d) The data changes constantly/rapidly

22) Why should you consider relying extensively on the isolation capabilities of cloud to defend a big data deployment?
a) The distributed storage is always isolated by nature
b) Big data platforms tend to have low inherent security
c) Isolation improves encryption
d) To meet compliance requirements

23) While not directly related to cloud, which IoT principle is critical for long-term security?
a) Data encryption
b) The ability to patch/update the "things" (devices)
c) Elasticity
d) Public APIs

24) Which of the following issues on a mobile device can actually create security risks for the cloud deployment?
a) Insecure wireless networks
b) Embedded/static/stored credentials
c) A malicious app
d) Use of an out of date operating system

25) Serverless, used properly, can offer more security benefits than risks.
a) True
b) False