Question 1
The NIST cloud model (SP 800-145) is composed of five essential characteristics, three service models, and four deployment models. Match the characteristics below with their descriptions.

Characteristics:
1. Broad Network Access
2. Measured Service (NIST's term; the quiz calls it Metered Access)
3. On-demand Self-service
4. Resource Pooling
5. Rapid Elasticity

Descriptions:
a. The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
b. A consumer can unilaterally provision computing capabilities as needed, automatically, without requiring human interaction with the provider.
c. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms.
d. Capabilities can be provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand.
e. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Answers: 1c, 2e, 3b, 4a, 5d
Question 2
What type of cloud deployment model is best for highly sensitive or proprietary information?
a) Hybrid
b) Private
c) Public
d) Community
The correct answer is: B Private
Question 3
Which of the following pose the greatest challenge to security?
a) Process
b) Technology
c) People
d) None of the other choices presented
The correct answer is: c People
When looking to secure the key assets of any organization, three primary components are essential: people, processes, and technology. People tend to present the single largest challenge to security because a disgruntled, rogue, or simply careless employee or contractor can expose sensitive data either by accident or on purpose.
Question 4
The hypervisor allows multiple OSs to share a single hardware host. Which statement pertaining to the hypervisor is FALSE?
a) Type 1 hypervisor runs directly on the host hardware and reduces the likelihood of malicious software.
b) Type 2 hypervisor runs on host OSs and are more attractive to attackers.
c) Type 2 hypervisor runs directly on the guest OSs and reduces the likelihood of malicious software.
d) Type 1 hypervisor is also called bare metal hypervisors.
The correct answer is: C. A Type 2 hypervisor does not run directly on the hardware or on the guest OSs; it runs as an application on a host OS, so statement C is false. Because Type 2 hypervisors are OS based, they are more attractive to attackers, given that there are far more vulnerabilities associated with the OS as well as other applications that reside within the OS layer. A lack of standardization on the OS and other layers can open up additional opportunities and exposures that might make the hypervisor susceptible to attack and compromise.
Question 5
Cloud computing top threats include:
a) Denial of Service, Data Remanence and Data Loss
b) Data Loss, Account or Service Traffic Hijacking and Malicious Insiders
c) Abuse of Cloud Services, Sufficient Due Diligence and Data Breaches
d) Secure Interfaces and Application Programming Interfaces (APIs)
The correct answer is: B Data Loss, Account or Service Traffic Hijacking and Malicious Insiders
(Options a, c and d each contain a distractor: Data Remanence is not on the list, and the actual threats are Insufficient Due Diligence and Insecure Interfaces and APIs.)
The Cloud Security Alliance's nine critical threats to cloud security (the "Notorious Nine", ranked in order of severity):
• Data Breaches: disclosure of sensitive information to an unauthorized party
• Data Loss: deletion, overwriting, corruption, or loss of integrity of information stored, processed, or transmitted within the cloud environment
• Account or Service Traffic Hijacking: attackers monitor or eavesdrop on communications, capture credentials, and access and alter accounts, user data and transactions
• Insecure Interfaces and Application Programming Interfaces (APIs): the management and service interfaces exposed by the provider and built upon by customers and third parties; weaknesses in them, or in components layered on top of them, expose the service
• Denial of Service: preventing legitimate users from accessing a resource or service; does not always require large volumes of traffic to succeed, as with asymmetric application-level payload attacks
• Malicious Insiders: people tend to present the single largest security challenge, since a rogue, disgruntled, or careless insider can expose sensitive data by accident or on purpose
• Abuse of Cloud Services
• Insufficient Due Diligence
• Shared Technology Vulnerability Issues
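The Denial of Service entry above makes the point that an attack need not move much traffic: an asymmetric application-level payload makes the server spend far more than the client does. A decompression bomb sent to an API that accepts compressed request bodies is one such payload. The Python below is an added example, not part of the original quiz or of any CSA document; the 4 MiB zero-filled payload and the 1 MiB inflation budget (MAX_BODY) are constructed assumptions. It measures the amplification an unbounded inflate hands the attacker, then shows an inflate that enforces a byte budget while decompressing incrementally, so the server's cost stays proportional to what it is willing to accept rather than to what the attacker sent.

```python
import zlib

# Constructed sample payload: 4 MiB of zero bytes. Highly repetitive data
# compresses by roughly 1000:1, so the client sends a few KiB while a
# server that inflates it without a limit allocates the full 4 MiB.
PAYLOAD_SIZE = 4 * 1024 * 1024
BOMB = zlib.compress(b"\x00" * PAYLOAD_SIZE, 9)

# Constructed legitimate body for comparison.
LEGIT_BODY = b'{"user": "alice", "action": "list"}'
LEGIT = zlib.compress(LEGIT_BODY)

# Hypothetical per-request inflation budget (assumption for this example).
MAX_BODY = 1024 * 1024


class InflationLimitExceeded(ValueError):
    """Raised when an inflated body would exceed the configured budget."""


def amplification_ratio(blob: bytes = BOMB) -> float:
    """Bytes produced per byte received when inflating with no limit.

    This is the naive server behaviour: the attacker's cost is len(blob),
    the server's cost is the full decompressed size.
    """
    return len(zlib.decompress(blob)) / len(blob)


def inflate_bounded(blob: bytes, limit: int = MAX_BODY, chunk: int = 64 * 1024) -> bytes:
    """Inflate incrementally and abort as soon as output would exceed limit.

    decompressobj.decompress(data, max_length) returns at most max_length
    bytes; input it did not reach is left in unconsumed_tail. Feeding that
    tail back in a loop bounds memory use by limit + chunk, so the attacker
    cannot force the server to materialise the whole bomb.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = blob
    while pending and not d.eof:
        out += d.decompress(pending, chunk)
        if len(out) > limit:
            raise InflationLimitExceeded(
                f"inflated body exceeds {limit} bytes after {len(blob)} bytes received"
            )
        pending = d.unconsumed_tail
    out += d.flush()
    if len(out) > limit:
        raise InflationLimitExceeded(f"inflated body exceeds {limit} bytes")
    return bytes(out)


def accepts(blob: bytes, limit: int = MAX_BODY) -> bool:
    """Server-side decision: True if the body inflates within budget."""
    try:
        inflate_bounded(blob, limit)
        return True
    except InflationLimitExceeded:
        return False


if __name__ == "__main__":
    print(f"bomb: {len(BOMB)} bytes on the wire, "
          f"amplification x{amplification_ratio():.0f}")
    print("bomb accepted by bounded inflate:", accepts(BOMB))
    print("legitimate body accepted:", accepts(LEGIT))
```

The same shape applies to any inflating parser (XML entity expansion, JSON nesting, regular expressions with backtracking): the defence is a budget enforced while the work is being done, not a check on the size of the request that arrived.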
Question 6
Critical cloud business continuity success elements include all, except:
a) Understanding interdependencies and supply chain risks.
b) Regularly auditing continuity capabilities and identifying on/off premise backup sites.
c) Treating all assets and services as equal and prioritizing restoration.
d) Understanding CSP and customer responsibilities.
The correct answer is: C Treating all assets and services as equal and prioritizing restoration. Restoration has to be prioritized by criticality (an agreed order of restoration), which is impossible if every asset and service is treated as equal.
From the perspective of the cloud customer, business continuity elements include the relevant security pillars of availability, integrity, and confidentiality. The availability of the relevant resources and services is often the key requirement, along with the uptime and ability to access these on demand.
Failure to ensure this results in significant impacts, including loss of earnings, loss of opportunities, and loss of confidence for the customer and provider.
Two critical success factors for business continuity when utilizing cloud-based services are as follows:
1. Understanding CSP and customer responsibilities:
• Customer responsibilities
• CSP responsibilities
• Understanding any interdependencies or third parties (supply chain risks)
• Order of restoration (priority)
• Appropriate frameworks and certifications held by the facility, services, and processes
• Right to audit and make regular assessments of continuity capabilities
• Communications of any issues or limited services
2. Identification of the need for backups to be held onsite, offsite, or with another CSP, and regular auditing of continuity capabilities and of on/off-premise backup sites. Points to capture in the contract and SLA with the CSP include:
• Penalties and compensation for loss of service
• RTOs and RPOs
• Loss of integrity or confidentiality
• Points of contact and escalation processes
• Failover to maintain compliance
• Changes being communicated in a timely manner
• Clearly defined responsibilities
• Where usage of third parties is required per the agreed-upon SLA
Question 7
A system design that does not create a single point of failure is the best defense against which of the following common threats?
a) Denial of Service
b) Abuse of Cloud Service
c) Traffic Hijacking
d) Malicious Insider
The correct answer is: A Denial of Service. Redundancy and the absence of a single point of failure protect availability, which is exactly what a Denial of Service attack targets.
Question 8
Which of the following is true of "bolt-on " components to cloud APIs?
a) Bolt-on components are good because they build extra security into an existing API.
b) Bolt-on components are good because they increase productivity.
c) Bolt-on components are bad because they increase complexity and decrease security.
d) Bolt-on components are bad because they decrease the complexity of cloud security.
The correct answer is: C Bolt-on components are bad because they increase complexity and decrease security.
Regardless of productivity, the increased complexity that is introduced through bolt-on components is always a security risk.
Bolt-on components may attempt to build extra security into an API, but the added complexity usually decreases security.
Question 9
It is incumbent on the cloud professional to ensure that both Due Care and Due Diligence are exercised in the drive to the cloud. Due Diligence and Due Care are defined as:
a) Due Care is the methodology required for certifying a site as "cloud ready", and Due Diligence is the process of accreditation of a site.
b) Due Diligence is the act of investigating and understanding the risks a company faces, and Due Care is the development and implementation of policies and procedures to aid in protecting the company, its assets, and its people from threats.
c) Due Care is the act of investigating and understanding the risks a company faces, and Due Diligence is the development and implementation of policies and procedures to aid in protecting the company, its assets, and its people from threats.
d) Due Diligence is the development of remediation of risks to people, processes and technology, and Due Care is the act of citing risks in an implementation process in an organization.
The correct answer is: B Due Diligence is the act of investigating and understanding the risk a company faces, and Due Care is the development and implementation of policies and procedures to aid in protecting the company, its assets, and its people from threats.
Due Diligence = Do Detect
Due Care = Do Correct
Due Diligence is following standards, best practices, and the consensus of experts in order to identify the potential threats that could affect you.
Due Care is the action you take once the threats have been identified: how you bring the threat level down to an acceptable level and maintain it there.
Question 10
The Common Criteria (ISO/IEC 15408), which superseded the older Trusted Computer System Evaluation Criteria (TCSEC, the "Orange Book"), define seven Evaluation Assurance Levels. Which level indicates the highest testing evaluation?
a) Level 7 is the highest level, indicating the most rigorous testing.
b) Each level is separate and is not graded on a scale of lowest to highest.
c) Level 1 is the highest level, indicating the most rigorous testing.
d) Level 4 is the highest, as it is in the exact middle of one and seven.
The correct answer is: A Level 7 is the highest level, indicating the most rigorous testing.
The goal of CC certification is to ensure customers that the products they are buying have been evaluated and that a vendor-neutral third party has verified the vendor’s claims.
To submit a product for evaluation, follow these steps:
• The vendor writes a Security Target (ST) that describes the product's security features and the claims to be evaluated; the ST may claim conformance to a Protection Profile (PP), a reusable set of requirements for a product category.
• An accredited laboratory then evaluates the product against the claims in the Security Target (and any Protection Profile it claims conformance to).
• A successful evaluation leads to an official certification of the product.
The Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. The increasing assurance levels reflect added assurance requirements that must be met to achieve Common Criteria certification. The intent of the higher levels is to provide higher confidence that the system's principal security features are reliably implemented. The EAL does not measure how secure the system is; it states how deeply and rigorously the system was evaluated against the claims in its Security Target.
To achieve a particular EAL, the computer system must meet specific assurance requirements. Most of these requirements involve design documentation, design analysis, functional testing, or penetration testing. The higher EALs involve more detailed documentation, analysis, and testing than the lower ones. Achieving a higher EAL certification generally costs more money and takes more time than achieving a lower one. The EAL number assigned to a certified system indicates that the system completed all requirements for that level.