With the rise in popularity and practicality of Cloud computing in the past few years, organizations of all size and type are realizing that it is important to not only utilize Cloud strategies for their business, but also to require that their staff is formally certified in this ever-changing discipline.
To help meet the rising demand, InfoSec Resources is now offering training for the Certified Cloud Security Professionals (CSSP) certification.
If you’ve dabbled in Cloud technologies but want to find out how much you really know, take our 10-question quiz!
Question No 1
What is the key benefit provided to a customer when using Infrastructure as a Service (IaaS) solution?
- Ability to scale up infrastructure services on the basis of projected usage
- Transfer in the cost of ownership
- Usage is measured and priced on basis of consumed units
- Efficiency of cooling system and increased energy
Answer: 3. Usage is measured and priced on basis of consumed units
Explanation: Infrastructure as a Service (IaaS) has many key advantages for its customers, some of which are:
- The ability to scale infrastructure services up and down on the basis of actual usage.
- Usage is priced and measured on the basis of consumed units or instances.
- Ownership cost is reduced as asset for everyday use are not needed and there is no loss of asset value over the passage of time.
- Reduced cooling and energy costs.
Question No. 2
Which of these are the four cloud deployment models?
- Public, Private, Joint, Community
- Public Private, Hybrid, Community
- External, Private, Hybrid, Community
- Public, Internal, Hybrid, Community
Answer: 2. Public, Private, Hybrid, Community
Explanation: According to the definition of Cloud Computing by NIST, the four Cloud deployment models are as follows:
Public: The cloud infrastructure is open for usage by general public. It can be owned, operated and managed by a government organization or a business or both and exists in the cloud provider’s premises.
Private: Cloud infrastructure can only be used by a single organization that comprises a number of consumers or business units. It may exist in or out of the cloud provider’s premises.
Hybrid: Cloud infrastructure is a combination of two or more than two cloud infrastructures i.e. private, public or community. These infrastructures remain as separate entities in themselves but are linked together by a standardized technology that allows data portability such as load balancing or cloud bursting between clouds.
Community: The cloud infrastructure can only be used by a distinct community of users organizations with shared interests. It may be owned, operated and managed by one or more organizations of the community and exists on or off cloud provider’s premises.
Question No. 3
Which of the following are the six components of the STRIDE Threat Model?
- Spoofing, Repudiation, Tampering, Information Disclosure, Social Engineering and Denial of Service
- Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
- Tampering, Spoofing, Non-Repudiation, Denial of Service, Information Disclosure and Elevation of Privilege
- Spoofing, Tampering, Information Disclosure, Repudiation, Distributed Denial of Service, Elevation of Privilege
Answer: 2. Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
The STRIDE threat model is based upon the following threats:
- Spoofing: Attacker takes over the subject’s identity.
- Tampering: Attacker alters data
- Repudiation: Event is denied illegitimately
- Information Disclosure: Information is access without authorization
- Denial of Service: System is overloaded by attacker to deny legitimate access
- Elevation of Privilege: Attacker gains privilege above the permitted level.
Question No 4
Who is the Relying Party in a federated environment, and what do they do?
- The Customer. They consume tokens generated by the Identity Provider.
- The Service Provider. They consume tokens generated by the customer.
- The Identity Provider. They consume tokens generated by the service provider.
- The Service Provider. They consume tokens generated by the Identity Provider.
Answer: 4. The Service Provider. They consume tokens generated by the Identity Provider.
Explanation: In a federated environment there is a Relying Party (RP) and an Identity Provider (IP). The Service Provider is the relying party that consumes tokens generated by the Identity Provider for all known identities.
Question No. 5
Which of these are data storage types that can be used with Platform as a Service?
- Unstructured and Ephemeral
- Tabular and Object
- Structured and Unstructured
- Raw and Block
Answer: 3. Structured and Unstructured
Structured data pertains to highly organized information, so that it is readily available and easily searchable by simple search algorithms and operations.
Unstructured data is cannot properly fit into a database and often consists of text and multimedia. Some examples of unstructured data are emails, word processing documents, photos, audios, presentations, videos, etc.
Question No 6
What is Cloud Security Alliance Cloud Controls Matrix?
- Regulatory requirements for Cloud Service Providers
- A set of SDLC requirements for Cloud Service Providers
- An inventory of security controls for Cloud Service arranged into distinct security domains
- An inventory of security controls for Cloud Service arranged into security domains hierarchy
Answer: 3. An inventory of security controls for Cloud Service arranged into distinct security domains
Explanation: The Cloud Security Alliance Cloud Controls Matrix is a framework for security controls designed for the cloud community. It can be considered as an inventory of Cloud Service security controls arranged into the following distinct security domains:
- Application & Interface Security
- Audit Assurance & Compliance
- Business Continuity Management & Operational Resilience
- Change Control & Configuration Management
- Data Security & Information Lifecycle Management
- Datacenter Security
- Encryption & Key Management
- Governance and Risk Management
- Human Resources
- Identity & Access Management
- Infrastructure & Virtualization Security
- Interoperability & Portability
- Mobile Security
- Security Incident Management, E-Discovery & Cloud
- Supply Chain Management, Transparency and Accountability
- Threat and Vulnerability Management
Question No. 7
Where does the encryption engine reside when using transparent encryption of database?
- In Key Management System
- Within the database
- On instance(s) attached to the volume
- At the database-using application
Answer: 2. Within the database
Explanation: Database encryption comes with the following options, each of which is explained.
Transparent Encryption: A large number of database management systems have the ability to encrypt the complete database or even some portions of it. In transparent encryption, the encryption engine resides in the database and is transparent to the application. The Keys reside within the instances while their management and processing may be offloaded to an external Key Management System. This type of encryption is effective in protecting from database and application-level attacks, media theft and backup system intrusion.
File Level Encryption: Database server resides on volume storage. The database folder or volume is encrypted, and encryption engine and keys reside on instances attached to volume. It protects against lost backup, external attacks and media theft.
Application Level Encryption: Encryption engine resides at the application using the database. It protects against a wide array of threats that include application-level attacks, compromised database and administrative accounts.
Question No. 8
Which of the following electronic records disposal method can always be used in a Cloud environment?
- Physical Destruction
Answer: 2. Encryption
Explanation: Safe disposal of electronic data can be done in the following ways:
Degaussing: The use of strong magnets to scramble data on magnetic tapes and hard drives
Physical Destruction: Physically shredding or incinerating the records to destroy them completely
Overwriting: Writing unimportant or random data over the real data to make the real data unreadable. More overwrites ensure better destruction of data.
Encryption: Rewriting the data in encrypted format so that it cannot be read without an encryption key.
As first three methods of destroying digital data are not relevant to cloud computing, the only suitable option is encryption. Encrypting the data for its disposal is called crypto-shredding or digital shredding. In crypto-shredding, encryption keys required to read the data are deliberately destroyed. Moreover, it is ensured that the keys are completely unrecoverable.
Question No. 9
What is presented to a cloud service organization or customer in an audit scope statement?
- List of security controls at are to be audited
- Results of the audit, findings and recommendations
- Required level of information for the organization or client being audited in order to understand and agree with the focus, scope and type of assessment that is to be performed
- The projected cost of audit and auditor credentials
Answer: 3. Required level of information for the organization or client being audited in order to understand and agree with the focus, scope and type of assessment that is to be performed
Explanation: An audit scope statement typically includes all the required information such as:
- General objectives and focus statement
- Scope of audit (along with the exclusions).
- Acceptance criteria.
- Audit type (attestation, certification, etc.).
- Classification (Secret, Confidential, Public, etc.)
- Security assessment requirements.
- Assessment criteria
Question No 10
Which key issue related to the Object Storage type should the Cloud Service Provider be aware of?
- Access Control
- Data consistency can only be achieved after change propagation to all replica instances occurs
- Continuous Monitoring
- Data consistency can only be achieved after change propagation to specific percentage of replica instances occurs
Answer: 2. Data consistency can only be achieved after change propagation to all replica instances occurs
Explanation: An object storage system typically comes with minimal features. It gives the ability to store, copy, retrieve and delete files and also gives authority to control which user can perform these actions. If you want to be able to search or have an object metadata central repository for other apps to draw on, you have to do it by yourself. Many storage systems such as Amazon S3 provide REST APIs to let programmers work with objects and containers. However, what Cloud Service Providers need to know about object storage systems is that they can only achieve data consistency in the end. Whenever a file is updated, you have to wait for the change to be propagated to all replicas before requests can return latest version. This is why object storage is unsuitable for data that constantly changes. But it can be a good solution for stagnant data like audio and video files, archives, backups and machine images.