The CCSK Study Guide

Revision: 0.7
Created: January 5th, 2015
Last Modified: November 24th, 2015

Contributor | Organization | Country
Alejandro Castillo | FireEye Inc | United States of America
Peter HJ van Eijk | Club Cloud Computing | Netherlands
Ajay Chauhan | SafeNet | United Kingdom
Ash Thakrar | PwC | United Kingdom
David Glosser | Regeneron Pharmaceuticals | United States of America

Please scroll down to find the actual study guide.
If you found any part of this guide helpful, please provide a like or some feedback at the following link:

https://www.linkedin.com/groups/CCSK-study-guide-OpenSource-4071935.S.5958007520671911936?view=&gid=4071935&item=5958007520671911936&type=member&commentID=discussion%3A5958007520671911936%3Agroup%3A4071935

If you wish to contribute, feel free to type your suggestions and they will be taken into account accordingly.
CCSK Key Examination Concepts
CSA Guidance For Critical Areas of Focus in Cloud Computing V3.0 English

Based on research that I have seen online, it is suggested that 2, 5, 10 and 12 are heavily tested, especially 5. Attention should be placed on Risk and Challenges.
Victor said these were some of the most quizzed areas.
Reading the material is extremely time consuming; Incident Response and Identity and Access Management seem to have the most material.

Domain 1: Architecture
Summary
• SPI = Software, Platform and Infrastructure as a Service.
• Cloud formations = the forms of cloud computing, or the way it's deployed.
• Cloud benefits - collaboration, agility, scaling, availability, reduced cost, optimized and efficient.
• Steps for evaluating risk in the cloud
  1. Determine what data to send to the cloud - (1) Data (2) Application/Function/Processes
  2. Determine how important the data or function is
  3. Determine the best deployment model (for models look at the NIST model below)
  4. Evaluate the potential cloud providers
• NIST Definition of Cloud Computing (Essential Characteristics, Cloud Service Models, Cloud Deployment Models)
• Multi-Tenancy (NIST doesn't have it, but CSA's cloud model includes it as an essential characteristic):
  - Policy Enforcement
  - Governance
  - Segmentation
  - SLA
  - Isolation
  - Chargeback
  The problem with multi-tenancy is visibility of residual data or traces of operations of other tenants.
• CSA Cloud Reference Model (also known as service models)
  - IaaS - Most flexible, possibly the least secure; customers are responsible for most of the security mechanisms
  - PaaS - Enormous flexibility, but not quite as flexible as IaaS
  - SaaS - Least flexible, possibly most secure, and dependent on the provider

You can outsource a lot of manageability, but not accountability.
• Jericho Cloud Cube Model - the four sides/eight dimensions:
  - I/O - Insourced or Outsourced
  - I/E - Internal or External
  - O/P - Open or Proprietary
  - P/D - Perimeterised or De-perimeterised
  Least to most mature:
  1. Outcome/Value
  2. Process
  3. Software
  4. Platform
  5. Infrastructure

• Cloud Security Reference Model - possible definition on page 20, third paragraph

• Cloud Service Brokers - middleman/middleware; they act like proxies between the cloud and the consumer. This is done to provide an abstraction of capabilities between the customer and the cloud to allow for fluidity and agility.
• Service Level Agreements - negotiable and non-negotiable. Most of the control and security will be held in the SLA. SLAs must cascade downwards from provider to third party and supply chain. In SaaS, auditing provides affirmation and really specifies the level of security.
• Even private clouds may have multi-tenancy (multiple projects, contractors, third party consultants, part-timers, etc…).

Domain 2: Governance and Enterprise Risk Management
• Enterprise and Information Risk Management - manage and mitigate uncertainty: Measure, Avoidance, Reduction, Share/Insure/Transfer and Accept.
• Contractual security requirements - processes, policies, governance, security, compliance, laws and institutions, customs, security level, and liability expectation.
• Third party management recommendations - contracts are risk management tools, with metrics/audits to ensure accountability.

• Supply chain examination - risk is inherited throughout the supply chain. Third parties should be picked out in advance and reviewed; this, along with a review of co-locations and backup facilities, must be part of the background check assessment.
• Use of cost savings for cloud - should be re-invested to scrutinize the security capabilities of the provider.
• Incident management, business continuity, and disaster recovery policies.
• CSP/third party review of how information is stored, processed and transmitted across borders, with many different laws in those places as well as the ones we must comply with. The client is responsible for the data even though they might not have access; thus they need the CSP[1].
• The major part of most of the governance will be the contract between the provider and customer.

Domain 3: Legal Issues: Contracts and Electronic Discovery
• Consideration of cloud-related issues in three dimensions: monitoring, testing, evaluation???
• Liability for activities of subcontractors
• Due diligence responsibility
• Federal Rules of Civil Procedure and electronically stored information (ESI) for holding - in the US you must give everything to the requesting party even if it is not in your favor.
• Metadata - it's data about data
• Litigation hold - obligation to undertake reasonable steps to prevent destruction or modification of data or of the information processing. It must also be protected and well stored (this is called a legal hold).
• eDiscovery considerations - "Cloud aware"
• Jurisdictions and data locations - geographical locations and legal jurisdictions. In terms of jurisdiction, it depends on where the legal court is? Identify legal barriers and ensure they are addressed in the contract.

Domain 4: Compliance and Audit Management
• Definition of compliance: the awareness of and adherence to obligations (laws, regulations, contracts, policies and various other things), including the assessment and prioritization of corrective actions deemed necessary and appropriate.
• Right to audit - gives customers the ability to audit the cloud provider and provides for transparency/accountability. Audit might be hard due to an elastic environment; however, it should be written into the contract.
• Right to transparency - can view, or request a push to view, the stats of the environment.
• Compliance analysis requirements - the laws and regulations one must comply with; include legal, procurement and contract teams to identify them.
• Auditor requirements - SSAE 16 SOC2 or ISAE 3402 Type 2.
• Compliance impact on cloud contracts.
• Audit scope and compliance scope - these will likely include contracts, policies, and processes and procedures.

Domain 5: Information Management and Data Security
• Six phases of the Data Security Lifecycle and their key elements: Create - Store - Use - Share - Archive - Destroy.

• Data migration to the cloud
  - Detection
  - Volume storage: virtual hard drives (data dispersion to support resiliency and security)
  - Object storage: file storage (can typically be accessed by APIs or a web interface)
  - Logical vs physical locations of data: potential issues from regulatory, contractual and other jurisdictional issues; it is extremely important to understand both the logical and physical location of the data.
• Three valid options for protecting data
  - Client application encryption
  - Link/network encryption
  - Proxy based encryption
• Data Loss Prevention: used for content delivery and to monitor data in motion
  - Actions: block, or allow to proceed after remediation (DRM[2], ZIP, PGP)
  - Deployment may be done using any of the following: dedicated appliance, virtual appliance, endpoint agent, hypervisor agent, DLP SaaS
• Encryption in IaaS, PaaS & SaaS
  - IaaS: volume storage encryption (instance managed encryption, externally managed encryption, proxy encryption)
  - PaaS: client/application encryption, database encryption, proxy encryption
  - SaaS: provider-managed encryption, proxy encryption
• Database Activity Monitoring (DAM) and File Activity Monitoring (FAM): can be used to detect and monitor attacks.

  - DAM: captures and records all DB SQL activity (including database activity across multiple database platforms) and can generate alerts on policy violations. DAM tools are typically agent-based, connecting to a central collection server (which is typically virtualized). It is used with dedicated database instances for a single customer, although in the future it may be available for PaaS.
  - FAM: products that monitor and record all activity within designated file repositories at the user level and can generate alerts based on violations. FAM tools require agents or placing a physical appliance between the cloud storage and the cloud consumer.
  - Detection of how data is generated, maintained, documented, performed, available or dependent on the provider?????
• Data Dispersion: spreads data across nodes (data fragmentation) to make it more resilient and harder to compromise. Usually done using an Information Dispersal Algorithm (IDA); no encryption is used in dispersion.
• Data Fragmentation: when fragmentation is used alongside encryption it becomes hard to compromise, as you have to compromise m cloud nodes holding fragments and then still break the encryption.
• Data Backup

Domain 6: Interoperability and Portability
• Definitions of Portability and Interoperability
  - Interoperability: the requirement for the components in a cloud ecosystem to work together to produce the intended result.
  - Portability: defines the ease with which application components can be moved and reused elsewhere regardless of provider, platform, OS, infrastructure, location, storage, the format of the data or the APIs.
• Virtualization impacts on Portability and Interoperability - can help abstract hardware for flexibility, and using something like Open Virtualization Format (OVF) can aid in portability.
• SAML and WS-Security - authentication protocols that are interoperable with standards-based systems. Using the open standard SAML can help ensure portability of identities.
• Size of data sets - the sheer size can cause disruption of service during transition or can make the transition longer than it needs to be (a courier may be an option).
• Lock-in considerations by IaaS, PaaS & SaaS delivery models
  - IaaS
    - creation, deletion and deprovisioning (removing residual data)
    - hardware-based dependencies moving to virtualization
    - access to system logs, traces, billing records
    - interoperability and portability of feature sets moving from one cloud to another, as well as understanding the dependency on legacy IaaS (cost as well)
    - who maintains crypto keys
  - PaaS
    - tools available for secure data transfer, backup and restore
    - for interoperability and portability use standard syntax, open APIs and open standards such as Open Cloud Computing Interface (OCCI)
    - how to transfer to a new vendor
    - do testing prior to moving
  - SaaS
    - determine which data can be preserved and migrated (escrow service?)
    - perform regular data backups

  - Lock-in can also occur if the data can't be easily exported, thus the need for portability (costly conversion, loss of data). "Understand up-front and plan for how to exit the contract"; when possible, use open and published architectures with standard protocols.
• Mitigating hardware compatibility - lack of interoperability can lock you to a vendor.
• Review/audit the consistency of controls.

Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
• Four D's of perimeter security: Deter, Detect, Delay and Deny
• Providers should have a security baseline: compartmentalization, separation of duties, avoidance of conflicts of interest, background checks, non-disclosure agreements, retraining.
• Business Continuity Management/Disaster Recovery due diligence
  - Customer due diligence related to BCM/DR: review the CSP's BCP process.
  - Traditional audits, on-site assessments, direct examination or certifications.
  - Things to review: Emergency Response Team (ERT), Crisis Management Team (CMT) and the Incident Response Team (IRT).
  - BS 25999 - the British Standard for Business Continuity Management (BCM). ISO 22301 is responsible for Business Continuity.
• Restoration plan: should correlate directly to the SLA, as contractually committed, and include both the Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
• Physical location of the cloud provider - the consumer should conduct a critical evaluation of the data center's physical location:
  - not in areas known to have seismic activity, floods, landslides or other natural disasters
  - not located in areas known to have high crime, political or social unrest
  - check accessibility of the location and anything that might inhibit it
• Cloud backup and disaster recovery services
  - Main challenges: mobility, availability, performance, scalability and metered payments; transfers to and from the cloud.
  - Disaster Recovery is built on three layers: virtual storage, scalable file systems and a self-service disaster recovery application.

Domain 8: Data Center Operations
• Relation to the Cloud Controls Matrix - a table comprised of:
  - Application Mission: contractual, legal or regulatory requirement
  - Control: security concept that is meant to mitigate risk to accomplish the mission
  - Specification: details of said control that will actually mitigate said risk
• Queries run by data center operators
• Technical aspects of a provider's data center operations the customer should understand
• Logging and report generation in multi-site clouds: it needs software to orchestrate the logging.

Domain 9: Incident Response
• Factors allowing for more efficient and effective containment and recovery in a cloud
  - can allow for faster incident response through continuous monitoring
  - faster recovery through virtualization and elasticity, resulting in fast containment and recovery
  - easier portability and imaging thanks to VM moves
• Main data source for detection and analysis of an incident
  - Logs: audit, transfer, error; pretty much anything you can get.
  - Make sure that time is consistent (i.e. time sync).
  - Is the dynamic nature of the cloud accurately captured?

  - generating snapshots
  - Are legal requirements met? Log retention patterns and tamper resistance.
• Investigating and containing an incident in an Infrastructure as a Service environment
  - snapshots of memory
  - creation of hard disk images requires the CSP
  - advanced forensics techniques (VM introspection or live forensic system support) require the CSP
• Investigating and containing an incident in a PaaS/SaaS environment: requires almost all CSP support and has to be negotiated in the service contract.
• Reducing the occurrence of application-level incidents: SLAs and IR plans should include "Lessons Learned" after the recovery.
• How often should incident response testing occur? At least once a year.
• Offline analysis of potential incidents - ????????
• Challenges for incident response in the cloud
  - an automated environment does not help, but destroys evidence
  - an elastic environment makes forensics especially hard
  - there might be privacy issues in doing forensics

Domain 10: Application Security
• Identity, Entitlement, and Access Management (IdEA): Authentication, Authorization, Administration, Audit & Compliance, Policy
• SDLC impact and implications: it's typically harder in the cloud
  - control over the physical layer is harder
  - potential incompatibilities
  - protection of data through the lifecycle (transit, rest)
  - web services can introduce more vulnerability
  - harder to get to logs or to demonstrate compliance
  - Mitigation: least privilege / segregation of duties / defense in depth / fail safe / ...
• Differences in S-P-I models
• Consideration when performing a remote vulnerability test of a cloud-based application: is the multi-tenancy of it??????
• Categories of security monitoring for applications: log monitoring, performance monitoring, monitoring for malicious use, monitoring for compromise, monitoring for policy violations
• Entitlement matrix - a set of rules in the entitlement layer, fed by claims, assertions and attributes

  - access control based on segregation levels
  - [entitlement matrix table not preserved in this copy] The above is simply an example of an entitlement matrix.

Domain 11: Encryption and Key Management
• Adequate encryption protection of data in the cloud
• Key management best practices: location of keys, keys per user
  - Location of keys: whenever possible keys should reside with the user/enterprise. This way, in case of compromise, the data cannot be easily decrypted. An application or process may need keys, so be aware… Use KEKs (Key Encrypting Keys) or in-memory keys.
  - Keys per user: there should be one key per user so they can only encrypt/decrypt their own data. There should be a group key for when users need to share data.
• Relationship to tokenization, masking, anonymization and cloud database controls
  - Tokenization (basically doing reference substitutions)
  - Data anonymization (stripping out sensitive data)
  - Masking - another word for format preserving encryption?????
  - Utilizing cloud database controls

Domain 12: Identity, Entitlement, and Access Management
• Relationship between identities and attributes: identity is something you are and attributes are the characteristics. Based on the two, a risk-based decision is made to allow access to resources or services. The process of mapping identities to attributes is called entitlement, so entitlement is what ultimately dictates access.
• Identity Federation: the ability to use one identity repository in another for authentication or validation purposes.
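The entitlement flow the guide describes (identity plus attributes fed as claims into an entitlement layer, with a Policy Decision Point deciding and a Policy Enforcement Point enforcing, covered under Domains 10 and 12), as an added Python example that is not from the study guide or from CSA; the resource names, attribute names and matrix rules are constructed for illustration.

```python
"""Identity + attributes -> entitlement -> access decision (PDP) -> enforcement (PEP).

Added example for this study guide; it is not CSA's code and not part of the
original guide. An identity carries attributes (claims); an entitlement matrix
maps (resource, action) to the attribute rules that grant the privilege; the
Policy Decision Point (PDP) evaluates the claims against the matrix and a risk
signal (authentication strength vs. the resource's segregation level); the
Policy Enforcement Point (PEP) guards the resource, asks the PDP, enforces the
answer and records an audit entry. All names and rules below are constructed.
"""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Claims:
    """An authenticated identity plus the attributes asserted about it."""
    identity: str
    attributes: dict[str, Any]


# Entitlement matrix (constructed): (resource, action) -> rules. A rule is a set
# of attribute requirements; claims match a rule when every listed attribute
# equals the required value. Any one matching rule grants the privilege.
ENTITLEMENT_MATRIX: dict[tuple[str, str], list[dict[str, Any]]] = {
    ("customer-db", "read"): [{"role": "analyst"}, {"role": "dba"}],
    ("customer-db", "write"): [{"role": "dba", "mfa": True}],
    ("payroll", "read"): [{"role": "hr", "department": "finance"}],
}

# Segregation level per resource (higher = more sensitive) and the minimum
# authentication strength required per level: the guide's "risk based
# decision" made from identity and attributes, not from the rule alone.
SEGREGATION_LEVEL = {"customer-db": 2, "payroll": 3}
MIN_AUTH_STRENGTH = {1: 1, 2: 1, 3: 2}


class PolicyDecisionPoint:
    """Decides whether claims entitle an action; never touches the resource."""

    def __init__(self, matrix, seg_levels, min_auth):
        self.matrix = matrix
        self.seg_levels = seg_levels
        self.min_auth = min_auth

    def decide(self, claims: Claims, resource: str, action: str) -> tuple[bool, str]:
        rules = self.matrix.get((resource, action))
        if not rules:
            return False, "no entitlement defined for resource/action"
        level = self.seg_levels.get(resource, 1)
        needed = self.min_auth.get(level, 1)
        if claims.attributes.get("auth_strength", 0) < needed:
            return False, f"auth strength below level-{level} requirement ({needed})"
        for rule in rules:
            if all(claims.attributes.get(k) == v for k, v in rule.items()):
                return True, f"matched rule {rule}"
        return False, "no entitlement rule matched the presented attributes"


class PolicyEnforcementPoint:
    """Sits in front of the resource; acts only on what the PDP decided."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp
        self.audit_log: list[tuple[str, str, str, bool, str]] = []

    def request(self, claims: Claims, resource: str, action: str) -> bool:
        allowed, reason = self.pdp.decide(claims, resource, action)
        # Every decision, allow or deny, goes to the audit trail.
        self.audit_log.append((claims.identity, resource, action, allowed, reason))
        return allowed


def build_pep() -> PolicyEnforcementPoint:
    return PolicyEnforcementPoint(
        PolicyDecisionPoint(ENTITLEMENT_MATRIX, SEGREGATION_LEVEL, MIN_AUTH_STRENGTH))


def demo() -> list[bool]:
    """Runs constructed requests through the PEP and returns allow/deny results."""
    pep = build_pep()
    analyst = Claims("alice", {"role": "analyst", "auth_strength": 1})
    dba_no_mfa = Claims("bob", {"role": "dba", "mfa": False, "auth_strength": 1})
    dba_mfa = Claims("bob", {"role": "dba", "mfa": True, "auth_strength": 2})
    hr_weak = Claims("carol", {"role": "hr", "department": "finance", "auth_strength": 1})
    hr_strong = Claims("carol", {"role": "hr", "department": "finance", "auth_strength": 2})
    return [
        pep.request(analyst, "customer-db", "read"),      # True: analyst rule matches
        pep.request(analyst, "customer-db", "write"),     # False: no rule for analyst
        pep.request(dba_no_mfa, "customer-db", "write"),  # False: rule requires mfa
        pep.request(dba_mfa, "customer-db", "write"),     # True
        pep.request(hr_weak, "payroll", "read"),          # False: level 3 needs strength 2
        pep.request(hr_strong, "payroll", "read"),        # True
        pep.request(hr_strong, "unknown", "read"),        # False: nothing in the matrix
    ]


if __name__ == "__main__":
    for allowed in demo():
        print("ALLOW" if allowed else "DENY")
```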

• Relationship between Policy Decision Point (PDP) and Policy Enforcement Point (PEP)
  - PEP - user-centric authorization (user)
  - PDP - determines access to resources (service provider)
• SAML and WS-Federation
• Provisioning and authoritative sources
• Terms
  - Entity - discrete types that will have identities
  - Identity - unique id, person; an entity who can be authenticated; identity plus attributes
  - Entitlement - the process of mapping privileges to identities and the related attributes
  - RSO - password synchronization
  - SSO - the ability to pass identity and attributes to other services
  - Federation - the connection of one identity repository to another
  - Primacy - the state of being first principle
You may want to check out the videos at the end of this guide to understand the whole entitlement process. I found it easier to watch the videos and then come back to read this doc than tackling this doc head on.

Domain 13: Virtualization
• VM guest hardening, VM sprawl, data co-mingling, blind spots, instant-on gaps
  - VM guest hardening - typical OS and app hardening best practices
  - VM sprawl - VMs are so easy to deploy they can spiral out of control without process
  - Data co-mingling - the nature of having multiple VMs on the same physical hardware means that the data of one VM and another type of VM is on the same hardware
  - Blind spot - the network security appliances are blind to data that doesn't traverse the network (i.e. inter-VM traffic). Insert security APIs at the hypervisors.
  - Instant-on gaps - pausing a VM and turning it back on (after a long time) can introduce vulnerabilities
• In-motion VM characteristics that can create a serious complexity for audits - because VMs are portable, they can be moved geographically without alert or traceable audit trail.
• How can virtual machine communications bypass network security controls? If the data passes between VMs in the data plane as opposed to the network plane.
• VM attack surfaces - what else is there besides the ones mentioned and VM image tampering???
• Compartmentalization of VMs - zoned approach for production, test/development and highly sensitive data

Domain 14: Security as a Service
• 10 categories: Identity and Access Management; Data Loss Prevention; Web Security; Email Security; Security Assessments; Intrusion Management; Security Information and Event Management (SIEM); Encryption; Business Continuity and Disaster Recovery; Network Security

• Barriers to developing full confidence in Security as a Service (SECaaS)
  - some security concerns: compliance, multi-tenancy and vendor lock-in
  - lack of visibility into control, personnel and general compliance
  - data leakage between virtual machine instances
• When deploying Security as a Service in a highly regulated industry or environment, what should both parties agree on in advance and include in the SLA? Metrics that describe how the provider is keeping in compliance. This can in turn be used to enforce the contract or prematurely end a contract of service.
• Logging and reporting implications - increased analytics with semantic processing. Is this related to SIEM?????????
• How can web security as a service be deployed?
  - on premise through software/appliance installation
  - cloud by proxy - redirecting web traffic through the cloud provider's infrastructure
• What measures do Security as a Service providers take to earn the trust of their customers?
  - run constant background checks that rival government background checks
  - they meet and exceed geographical and regional regulatory requirements
  - enlist legal services to meet regional regulatory requirements
  - data is compartmentalized and data is shared anonymously
  - data monitored and held by the provider is anonymized in logs and audit data
• Is the Cloud Controls Matrix relevant to the CCSK test??????? https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3/

ENISA Cloud Computing: Benefits, Risks and Recommendations for Information Security
• Isolation failure
• Economic Denial of Service
• Licensing risks
• VM hopping
• Five key legal issues common across all scenarios
• Top security risks in ENISA research
• OVF
• Underlying vulnerability in Loss of Governance
• User provisioning vulnerability
• Risk concerns of a cloud provider being acquired
• Security benefits of cloud
• Risks R.1 – R.35 and underlying vulnerabilities
• Data controller vs data processor definitions
• In Infrastructure as a Service (IaaS), who is responsible for guest systems monitoring

Additional Study Resources
Here is a list of additional resources if you want to study for CCSK:
Jericho Forum Cloud Cube Model: https://collaboration.opengroup.org/jericho/cloud_cube_model_v1.0.pdf
Jericho Forum Identity Commandments: https://collaboration.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments%20v1.0.pdf
How Identity, Entity and Entitlement work in the cloud: https://www.youtube.com/watch?v=6FHGe8yHeQE
The best practices for Entitlement: https://www.youtube.com/watch?v=LhDZe7ZntvE
CCSK overview: https://www.youtube.com/watch?v=mniY-Jay5cY&list=PL6ASplUnEA8KQsg2Czr8y5a-ICJujSW9W&index=1

NIST SP800-145 (NIST Definition of Cloud Computing): http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
Cloud Security Alliance (SecaaS) - Defined Categories of Service 2011: https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf

Practice Questions (From SimpliLearn):
1. Suspicious intrusion detection alerts is part of: A. Events management B. Incidents management C. Risks management D. None of these
2. Cloud providers that have not achieved ISO/IEC 27001 certification should align themselves with: A. ISO/IEC 27000 B. ISO/IEC 27002 C. SAS 70 practices D. CSA SaaS v.2
3. According to ENISA, which service model implies the highest level of liability? A. Public cloud B. Partner cloud C. Private cloud D. Non cloud
4. Over time, the right to audit clause should be: A. Increased B. Reduced C. Replaced with the compliance and monitoring clause D. Both B and C
5. SIEM refers to: A. Security Information and Event Management B. Strategic Implementation of Electronic Management C. Service Improvement of in End-User Markets D. Software Intrusion and External Models
6. Which of the following audits ensures that controls are implemented and documented? A. SAS 70 Type I B. SAS 70 Type II C. SAS 70 Type III D. CSA SaaS v.2
7. Online word processing and spreadsheet tools would fall under which of the following service models? A. Software as a Service B. Platform as a Service C. Infrastructure as a Service D. Both A and C
8. Google Docs is an example of: A. SaaS B. PaaS C. IaaS D. None of the above
9. Storage as a service is a sub-offering under which of the following categories? A. Software as a Service B. Platform as a Service C. Infrastructure as a Service D. Both SaaS and IaaS

10. The nature of cloud computing means that it is more difficult to: A. Ensure adequate resource division B. Determine who to contact in case of a security incident or data breach C. Make commitments to customers regarding security D. All of these
11. Which of the following are the phases of incident recovery the SLA should guarantee support for? A. Detection, incidence, response and recovery B. Analysis, incident, response and recovery C. Detection, analysis, containment, eradication, and recovery D. None of the above
12. When any expertise is outsourced, --- has to be signed. A. HIPAA B. IR C. NDA D. None of the above
13. While evaluating risk for cloud, the first step is? A. Determine initial costs B. Determine data or function considered for cloud C. Determine importance of data or function D. Determine strategy of adopting cloud
14. In a cloud environment, the number of sources that must be monitored: A. Are the same as in any other computing environment B. Increase minimally C. Decrease substantially D. Increase exponentially
15. ESI stands for: A. E-mail Storage interface B. Electronic Stored Interface C. Electronically Stored Information D. None of the above
16. [question text and options A-C not preserved in this copy] D. Removed
17. Service levels, governance, compliance and liability are stipulated and enforced in which of the following service models? A. SaaS B. PaaS C. IaaS D. All of the above
18. According to the Cloud Security Alliance (CSA), cloud service providers should use which of the following as a guideline? A. ISO/IEC 27000 B. ISO/IEC 27001 C. ISO/IEC 27003 D. ISO/IEC 35000
19. According to the Cloud Security Alliance (CSA), the cloud customer must understand: A. The provider's ability to produce evidence needed for compliance

B. The division of compliance responsibilities between the consumer and provider C. The customer's role in bridging the gap between auditor and service provider D. All of the above
20. The 'ability to run multiple operating systems on a single physical system and share the underlying hardware resources' is referred to as: A. Cloud computing B. Grid computing C. Agile computing D. Virtualization
21. Rackspace Cloud is an example of: A. Software as a Service B. Platform as a Service C. Infrastructure as a Service D. All of these
22. Improvements in which of the following areas would lead to improvements for all cloud service customers? A. Tools B. Policies C. Processes D. All of the above
23. According to the Cloud Security Alliance (CSA), there are: A. One deployment model for cloud services B. Two deployment models for cloud services C. Three deployment models for cloud services D. Four deployment models for cloud services
24. According to the CSA's (Cloud Security Alliance's) risk assessment framework, risks may be --- A. Accepted B. Transferred C. Mitigated D. None of the above
25. The acronym EDoS refers to: A. Economic Denial of Service B. Environmental Domain of Service C. Encrypted Disaster or Solution D. Engineered Data on Servers
26. Which of the following is NOT a recommendation for the 'create' phase of the data security lifecycle? A. User tagging to classify data B. Identification of data labeling and classification capabilities C. Leveraging of content discovery tools D. Enterprise digital rights management
27. In SaaS, the cloud services agreement must allow the client or third party to: A. Monitor the service provider's performance and test for system vulnerabilities B. Have reasonable security that data breaches will not happen C. Retain ownership of the data in original format D. Adjust the process for responding to legal requests at any time
28. Cloud cube model illustrates -- A. Physical location of deployment models

B. Deployment models C. Management and ownership D. All of the above
29. Cloud cube model was developed by --- A. Cloud Security Alliance B. OpenCrowd cloud solutions C. Jericho forum D. GoGrid
30. In which model does the consumer have control over application hosting environment configurations? A. SaaS B. PaaS C. IaaS D. None of the above
31. HIPAA stands for: A. Highly Intelligent Performance and Accounting B. Highly Interfering Performance and Auditing C. Health Insurance Portability and Accountability D. None of the above
32. Cloud service customers should develop evidence-collecting processes for which of the following areas? A. System configurations B. Audit logs C. Change management reports D. All of the above
33. The worst case scenario in a 'run on the banks' situation is that: A. Customers may be locked into a contract with a provider for many years B. Customers may not be able to retrieve their data C. Providers may be able to leak customer data to third parties D. Customer data may be made publicly available
34. Which of the following is NOT true about PaaS? A. It enables developers to build their own applications on top of the platform B. It offers less customer-ready features than SaaS C. It is more extensible than the SaaS model D. There are not as many security options as SaaS within this model
35. In which of the following cases should a cloud service provider's audit be done? A. Be done by the customer only B. Be done regardless of the provider's certifications C. Be waived, if the provider has adequate certifications D. All of the above
36. Which of the following scenarios begins with a crisis of confidence in the cloud provider's financial position? A. An upcoming financial audit B. A 'mass exodus' scenario C. A 'run on the banks' scenario D. None of the above
37. According to the Cloud Security Alliance (CSA), which of the following clauses should be obtained whenever possible? A. Right to Audit Clause B. Right to Withdraw Clause

C. Security Breach Clause D. Data Transferability Clause
38. What kind of provisioning is standardized in OASIS' Service Provisioning Markup Language (SPML)? A. Lateral provisioning B. Transport provisioning C. Push-style provisioning D. Pull-style provisioning
39. Data breaches is a part of: A. Events management B. Disaster management C. Incidents management D. All of the above
40. Which of the following assets are supported by cloud? A. Data and resources B. Applications and processes/functions C. Data and applications/functions/processes D. None of the above
41. When an attacker uses a customer's resources for his/her own gain, this may be referred to as: A. Diminished Domain of Service B. Distributed Denial of Service C. Economic Denial of Service D. Engineered Denial of Service
42. Which of the following is not a category of infrastructure services? A. Storage B. Compute C. Services Management D. Integration
43. Which of the following should not demonstrate compartmentalization by cloud providers, according to the Cloud Security Alliance (CSA)? A. Systems B. Provisioning C. Personnel D. Resources
44. Which of the following is a characteristic of virtualization? A. Single OS image per machine B. Hardware-independence of operating system and applications C. Inflexible, costly infrastructure D. Software and hardware are tightly coupled
45. Since ----, the Federal Rules of Civil Procedure require the inclusion of electronically-stored information when responding to discovery requests. A. 2000 B. 2002 C. 2004 D. 2006
46. What is recommended to enterprises adopting cloud? A. Profit based approach B. Risk based approach C. Security based approach

D. Privacy based approach
47. In which of these models does the consumer have limited user-specific configuration settings? A. SaaS B. PaaS C. IaaS D. None of the above
48. SOC refers to: A. Strategic Overview Card B. Standard Operations Credentials C. Security Operations Center D. Service Office Catalogue
49. When considering compliance with accepted frameworks and standards, one should consider -- A. Cloud service classification, compliance architecture, security architecture and cloud architecture B. Compliance architecture, cloud architecture, cloud service classification C. Security architecture, compliance architecture, cloud architecture D. All of the above
50. In a cloud environment, the number of security notifications: A. Are the same as in any other computing environment B. Increase minimally C. Decrease substantially D. Increase exponentially

ANSWERS (original question number + 50)
51. Suspicious intrusion detection alerts is part of: A. Events management B. Incidents management C. Risks management D. None of these. Explanation: Suspicious intrusion detection alerts are part of incident management.
52. Cloud providers that have not achieved ISO/IEC 27001 certification should align themselves with: A. ISO/IEC 27000 B. ISO/IEC 27002 C. SAS 70 practices D. CSA SaaS v.2. Explanation: Providers that have not achieved ISO/IEC 27001 certification should align themselves with ISO/IEC 27002.
53. According to ENISA, which service model implies the highest level of liability? A. Public cloud B. Partner cloud C. Private cloud D. Non cloud. Explanation: According to ENISA, the private cloud model implies the highest level of liability.
54. Over time, the right to audit clause should be:

Online word processing and spreadsheet tools would fall under which of the following service models? A. response and recovery C. response and recovery B. SAS 70 Type II C. Which of the following are the phases of incident recovery should the SLA guarantee support? A. Software Intrusion and External Models Explanation: SIEM stands for Security Information and Event Management 56. Detection. Analysis. SAS 70 Type III D. Both B and C Explanation: Over a period of time. Infrastructure as a Service D. SAS 70 Type I B. Platform as a Service C. Software as a Service B. Service Improvement of in End-User Markets D. SaaS B.2 ensures that controls are implemented and documented. incident. incidence. Both A and C Explanation: Online tools are examples of Software as a Service. Both SaaS and laaS Explanation: It is an offering of laaS 60. eradication. laaS D. the need to audit should get reduced and should be replaced by a compliance and monitoring clause 55. Ensure adequate resource division B. Make commitments to customers regarding security D. All of these Explanation:All of the above mentioned reasons together make up cloud computing 61. containment. Software as a Service B.2 Explanation: CSA SaaS v. Security Information and Event Management B. Strategic Implementation of Electronic Management C. SIEM refers to: A. Storage as a service is a sub-offering under which of the following categories? A. Replaced with the compliance and monitoring clause D. and recovery D. Infrastructure as a Service D. Determine who to contact in case of a security incident or data breach C. The nature of cloud computing means that it is more difficult to: A. None of the above . None of the above Explanation: Google doc is an example of SaaS 59. PaaS C. 58. Detection. Reduced C. Increased B. A. Google Docs is an example of: A. Which of the following audits ensures that controls are implemented and documented? A. CSA SaaS v. 57. Platform as a Service C. analysis.

E-mail Storage interface B. NDA stands for Non- Disclosure Agreement. IR C. service levels. Determine important of data or function D. cloud service providers should use which of the following as a guideline? A. the cloud customer must understand: A. Are the same as in any other computing environment B. Determine data or function considered for cloud C. analysis. Remove 67. HIPAA B. None of the above Explanation:ESI stands for Electronically Stored Information 66. A. the number of sources that must be monitored: A. SaaS B. PaaS C. eradication and recovery are the phases of incident recovery and SLA must ensure it is covered. ISO/IEC 27003 D. ISO/IEC 27000 B. governance. The division of compliance responsibilities between the consumer and provider C. ISO/IEC 35000 Explanation: According to the Cloud Security Alliance (CLA). laaS D. While evaluating risk for cloud. 62. all of the above Explanation: Irrespective of the models. None of the above Explanation: NDA has to be signed while outsourcing expertise. Determine strategy of adopting cloud Explanation: While evaluating risk for cloud. In a cloud environment. Increase exponentially Explanation: Since resources grow depending upon the demand it grows exponentially 65. Service levels. Increase minimally C. When any expertise is outsourced --. The provider's ability to produce evidence needed for compliance B. Decrease substantially D. containment. Electronically Stored Information D. the first step is? A.has to be signed. 63. According to the Cloud Security Alliance (CSA). compliance and liability are stipulated and enforced in which of the following service models? A. The customer's role in bridging the gap between auditor and service provider . Electronic Stored Interface C. cloud service providers should use ISO/IEC 27001 as a guideline 69. compliance and liability are stipulated and enforced 68. ISO/IEC 27001 C. NDA D. the first step is to determine data or function considered for cloud 64. 
Determine initial costs B. ESI stands for: A. According to the Cloud Security Alliance (CSA). governance.Explanation: Detection.

71. B. User tagging to classify data. According to the CSA's (Cloud security alliance's) risk assessment framework. The 'ability to run multiple operating systems on a single physical system and share the underlying hardware resources' is referred as: A. Environmental Domain of Service C. Policies C. policies and processes are equally important and can have varied benefits. Four deployment models for cloud services Explanation: NONE 74. 75. C. Identification of data labeling and classification capabilities. Mitigated D. Virtualization Explanation: Ability to run multiple operating systems in a single hardware is called virtualization. All of the above Explanation: The cloud customer must understand. In SaaS. The acronym EDoS refers to: A. Tools B. the division of compliance responsibilities between consumer and provider and the customer's role in bridging the gap between auditor and service provider. Platform as a Service C. the providers ability to produce evidence needed for compliance. Transferred C. Three deployment models for cloud services D. there are A. Two deployment models for cloud services C. accepted or transferred as per CSA guidelines 73. One deployment model for cloud services B. Accepted B. risks may be --- A. Economic Denial of Service B. 72. Engineered Data on Servers Explanation: EdoS stands for Economic Denial of Service 76. All of these Explanation: Tools. Rackspace Cloud is an example of: A. D. Improvements in which of the following areas would lead to improvements for all cloud service customers? A. Grid computing C. 70. Cloud computing B. Agile computing D. Which of the following is NOT a recommendation for the 'create' phase of the data security lifecycle? A. None of the above Explanation: Rackspace is an example of infrastructure as a Service. Infrastructure as a Service D. Leveraging of content discovery tools . Software as a Service B. All of the above Explanation: Risk may be mitigated. Encrypted Disaster or Solution D. Processes D.

Enterprise digital rights management Explanation: Content discovery tools usage is not part of 'create' phase 77. Jericho forum D. SaaS B. D. None of the above Explanation: HIPAA stands for Health Insurance Portability and Accountability. The worst case scenario in a 'run on the banks' situation is that: A. applications can be built and hosted 81. PaaS C. Customer data may be made publicly available Explanation: In case of the provider going bankrupt. Health Insurance Portability and Accountability D. A 'mass exodus' scenario C. It is compliance. 83. Adjust the process for responding to legal requests at any time. 80. Cloud cube model illustrates -- A. Which of the following scenarios begins with a crisis of confidence in the cloud provider's financial position? A. Retain ownership of the data in original format. A 'run on the banks' scenario D. Management and ownership D. HIPAA stands for: A. C. laaS D. D. An upcoming financial audit B. Cloud Security Alliance B. Have reasonable security that data breaches will not happen. Explanation: According to the Cloud Security Alliance (CSA) the cloud services agreement must allow the client or party to retain ownership of the data in original format 78. OpenCrowd cloud solutions C. According to the Cloud Security Alliance (CSA). Highly Intelligent Performance and Accounting B. Deployment models C. B. Customers may be locked into a contract with a provider for many years B. Highly Interfering Performance and Auditing C. 82. In which model. Physical location of deployment models B. None of the above Explanation: In PaaS. All of the above Explanation: Cloud cube model illustrates physical location of deployment models. GoGrid Explanation:Jericho forum developed cloud cube model. Customers may not be able to retrieve their data C. does the consumer have control over application hosting environment configurations? A. Cloud cube model was developed by --- A. 
then there is a chance that the customers might not be able to retrieve their data . Monitor the service provider's performance and test for system vulnerabilities. Providers may be able to leak customer data to third parties D. All of the above Explanation: A run on the banks scenario can lead to crisis of confidence. the cloud services agreement must allow the client or third party to: A. 79.

cloud service providers need to be audited. which of the following clauses should be obtained whenever possible? A. Lateral provisioning B. Data breaches is a part of: A. It enables developers to build their own applications on top of the platform B. Be done by the customer only B. Right to Withdraw Clause C. 88. 84. Transport provisioning C. 89. Audit logs C. In which of the following cases. Data Transferability Clause Explanation: Right to Audit Clause should be given from time to time to ensure everything is as per the agreement. Right to Audit Clause B. Be done regardless of the provider's certifications C. According to the Cloud Security Alliance (CSA). 90. if the provider has adequate certifications D. System configurations B. Change management reports D. Data and resources B. It offers less customer ready features than SaaS C. Push-style provisioning D. Security Breach Clause D. 86. It is more extensible than the SaaS model D. and change management reports. Events management B. Be waived. There are not as many security options as SaaS within this model Explanation: PaaS offers multiple security options for customers 85. What kind of provisioning is standardized in OASIS' Service Provision Markup Language (SPML)? A. All of the above Explanation: All the mentioned functions are actively supported by cloud 91. Incidents management D. cloud service providers audit should be done? A. audit logs. Cloud service customers should develop evidence-collecting processes for which of the following areas? A. Pull-style provisioning Explanation: Service Provision Markup Language uses push-style provisioning. 87. Which of the following assets are supported by cloud? A. Data and applications/functions/processes D. Disaster management C. None of the above Explanation: No matter what certifications provider has. None of the above Explanation: Data breaches is part of disaster management. Applications and processes/functions C. . Which of the following is NOT true about PaaS? 
A. All of the above Explanation: Cloud service customers should develop evidence-collecting processes for system configurations.

Profit based approach B. 2006 Explanation: Since 2006. Which of the following is not a category of infrastructure services? A. Integration Explanation: Integration is not a category of infrastructure services 94. A. Since ----. 99. Hardware-independence of operating system and applications C. Storage B. the Federal Rules of Civil Procedure require the inclusion of electronically-stored information when responding to discovery requests. according to the Cloud Security Alliance (CSA)? A. 95. this may be referred to as: A. Security based approach D. Single OS image per machine B. laaS D. Systems B. PaaS C. SaaS B. 97. What is recommended to enterprises adopting cloud? A. 2000 B. When an attacker uses a customer' resources for his/her own gain. costly infrastructure D. Inflexible. 2004 D. Risk based approach C. Compute C. Services Management D. Personnel D. none of the above Explanation: Consumers do not have much of a say in SaaS offerings. SOC refers to: . Which of the following is a characteristic of virtualization? A. 2002 C. In which of these models. Engineered Denial of Service Explanation: When an attacker uses a customer's resources for his/her own gain. Diminished Domain of Service B. Distributed Denial of Service C. Which of the following should not demonstrate compartmentalization by cloud providers. Provisioning C. 96. virtualization separates hardware and OS+ applications. 92. Economic Denial of Service D. this may be referred to as Distributed Denial of Service 93. Privacy based approach Explanation: Risk based approach is an important factor to consider 98. Resources Explanation: Personnel compartmentalization should not be demonstrated by the cloud providers. Software and hardware are tightly coupled Explanation: Through hypervisor. the Federal Rules of Civil Procedure require the inclusion of electronically- stored information when responding to discovery requests. does the consumer have limited user-specific configuration settings? A.

Cloud service classroom. Increase minimally C. 4 . Share. Decrease substantially D. providers? or a longer transition period than anticipated. Service Office Catalogue Explanation: SOC refers to Security Operations Center. 100. Standard Operations Credentials C. the number of security notifications: A. Deny In which type of environment is it impractical In multi-tenant environments the operator to allow the customer to conduct their own or provider cannot normally accommodate audit. What are the six phases of the data security Create. Use. one should consider -- A. Why is the size of data sets a consideration The sheer size of data may cause an in portability between cloud service interruption of service during a transition. security architecture and cloud architecture B. Detect. Are the same as in any other computing environment B. In a cloud environment. 5 . 3 . What are the four D's of perimeter security? Deter. Archive. Delay. A. Compliance architecture. making it important that the data center visits by every customer to conduct an operators are required to provide auditing for audit.Thanks to Ajay Chauhan (http://www. when The Data Controller the data is transferred to a third party custodian.Measured Service The level of attention and scrutiny paid to The valued Risk enterprise risk assessments should be directly related to what? In the majority of data protection laws.com/flashcards/ccsk-3657367) What are the five essential characteristics of 1 . compliance architecture. Security Operations Center D. the customers? . cloud architecture. Pooling.Broad Network Access. 2 . All of the above Explanation: All these should be taken into serious consideration 101. Strategic Overview Card B.Resource Cloud computing as defined by NIST . Security architecture.Rapid Elasticity. cloud service classification C. Adding Flash Card information I have received from a websiste . When considering compliance with accepted frameworks and standards. Store. lifecycle? 
destroy.cram. who is ultimately responsible for the security of the data? What is the most important reason for So that it can address the specific knowing where the cloud service provider will restrictions that foreign data protection host the data? laws may impose. cloud architecture D.On-Demand service. Increase exponentially Explanation: With cloud all security measure have only been increased exponentially.

Q: How should an SDLC be modified to address application security in a Cloud Computing environment?
A: Organizations must adopt best practices for development, either by having a good blend of processes, tools, and technologies of their own or by adopting one of the maturity models.

Q: What is the minimum that U.S. state laws require when using a Cloud Service Provider?
A: A written contract with the service provider with reasonable security measures.

Q: What measures could be taken by the cloud service provider (CSP) that might reduce the occurrence of application level incidents?
A: SaaS providers that generate extensive customer-specific application logs and provide secure storage as well as analysis facilities will ease the IR burden on the customer.

Q: What is the most significant reason that customers are advised to maintain in-house key management?
A: To be able to prove that all data has been deleted from the public cloud environment when exiting that environment.

Q: Why do blind spots occur in a virtualized environment, where network-based security controls may not be able to monitor certain types of traffic?
A: Virtual machines may communicate with each other over a hardware backplane, rather than a network.

Q: When deploying Security as a Service in a highly regulated industry or environment, what should both parties agree on in advance and include in the SLA?
A: Agreement on the metrics defining the service level required to achieve regulatory objectives.

Q: Economic Denial of Service (EDoS) refers to...
A: The destruction of economic resources; the worst case scenario would be bankruptcy of the customer or a serious economic impact.

Q: How does SaaS alleviate much of the consumer's direct operational responsibility?
A: The provider is not only responsible for the physical and environmental security controls, but it must also address the security controls on the infrastructure, the applications, and the data.

Q: What two types of information will cause additional regulatory issues for all SPI organizations if held as an aspect of an Identity?
A: PII - Personal Identifiable Information; SPI - Sensitive Personal Information

Q: In Europe, name the group that has enacted data protection laws and the principles on which they follow.
A: The European Economic Area (EEA) Member States follow principles set forth in the 1995 European Union (EU) Data Protective Directive and the 2002 ePrivacy Directive as amended in 2009.

Q: What must be included between an organization and a Cloud Service Provider when the organization has contractual obligations to protect the personal information of their clients, contacts or employees, to ensure that the data are not used for secondary use and are not disclosed to third parties?

Q: What is a click-wrap agreement?

Q: How does an organization respond to the evolving nature of the cloud environment?
A: All documents that pertain to the case whether favorable to its case or the other litigant's case.

Q: What role do audits perform in the cloud relationships?
A: Audits must be independently conducted and should be robustly designed to reflect best practice, appropriate resources, and tested protocols and standards.

Q: At what stage should compliance be addressed between an organization and CSP?
A: Requirement identification stage

Q: What is multi-tenancy?
A: Use of the same resources or application by multiple customers that may belong to the same organization or a different organization.

Q: What does a cloud service model need to include for multi-tenancy consumers?
A: Policy-driven enforcement, Segmentation, Isolation, Governance, Service Levels, Chargeback/billing models

Q: What services can be shared in multi-tenancy cloud service models?
A: Infrastructure, Data, Metadata, Services, Applications

Q: What three cloud services make up the Cloud Reference Model?
A: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS)

Q: What is ESI?
A: Electronically Stored Information

Q: What are four considerations for a cloud customer to understand in reference to regulatory compliance?
A:
- Cross-border or multi-jurisdiction
- Assignment of compliance responsibilities including the providers
- CSP capability to show compliance
- Relationship between all parties including customer, auditors and CSP providers

Q: What are the risks and pitfalls to consider in the Cloud Security Reference Model?
A:
- How / where cloud services are deployed
- Manner in which cloud services are consumed
- Types of assets, resources and information being managed
- Who manages them and how
- Which controls are selected and how they are integrated
- Compliance issues

Q: How do you determine the general security posture of a service and how it relates to an asset's assurance and protection requirements?
A: Classify a cloud service against the cloud architectural model. Map the security architecture and business, regulatory, and other compliance requirements as a gap-analysis exercise.

Q: What do cloud service brokers provide?
A: Intermediation, Monitoring, Transformation/portability, Governance, Provisioning, Integration services, Relationship negotiation between CSP and consumers

Q: List the four dimensions in the Jericho Cloud Cube Model
A:
- Internal (I) / External (E): Physical Location
- Proprietary (P) / Open (O): State of Ownership
- Perimeterised (Per) / De-perimeterised (D-p): Architectural mindset (re-perimeterization of enterprise networks)
- Insourced / Outsourced: Who provides the cloud service

Q: List the four cloud deployment models
A: Public, Private (internal/external), Hybrid, Community

Q: What is the key takeaway for security architecture?
A: The lower down the stack the CSP stops, the more security capabilities and management consumers are responsible for implementing and managing themselves.

Q: Define IaaS
A: IaaS delivers computer infrastructure as a service along with raw storage and networking.

Q: Define PaaS
A: PaaS delivers a computing platform and solution stack as a service.

Q: Define SaaS
A: SaaS delivers software and its associated data hosted centrally, typically in the cloud, and usually accessed by users via a web browser over the Internet.

Q: Define Corporate Governance
A: The set of processes, customs, policies, laws and institutions affecting the way an enterprise is directed, administered or controlled.

Q: Define Enterprise Risk Management
A: The methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.

Q: Define Information Risk Management
A: The process of identifying and understanding exposure to risk and the capability of managing it, aligned with the risk appetite and tolerance of the data owner.

Q: List four of the specific risk treatments identified and analyzed by management in a cloud environment.
A:
- Avoidance: exiting the activities giving rise to risk
- Reduction: taking action to reduce the likelihood or impact related to the risk
- Share or insure: transferring or sharing a portion of the risk to finance it
- Accept: no action is taken due to a cost/benefit decision

Q: What should be specifically targeted in the assessment of a CSP's third party service providers?
A:
- Incident management
- Business continuity
- Disaster recovery policies, processes and procedures
- Review of co-location and back-up facilities

Q: What are included in a Service Level Agreement (SLA)?
A:
- Service levels
- Security
- Governance
- Compliance
- Liability expectations of the service and provider

Q: What are two types of Service Level Agreements (SLA)?
A: Negotiable, Non-negotiable

Q: Name the five basic principles followed in Corporate Governance.
A:
- Auditing supply chains
- Board and management structure and process
- Corporate responsibility and compliance
- Financial transparency and information disclosure
- Ownership structure and exercise of control rights

Q: What is a CSP's supply chain?
A: Their service provider relationships and dependencies

Q: How should the cost savings obtained by cloud computing services be utilized?
A: Reinvest into increased scrutiny of the security capabilities of the provider, application of security controls, and ongoing detailed assessments and audits to ensure requirements are continuously met.

Q: Define Private Cloud
A: The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or by a third party and may be located on-premise or off-premise.

Q: Define Public Cloud
A: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

CCSK Training Link
It may also be worth visiting the following site for additional CCSK training information.

[1] Cloud Service Provider
[2] Digital Rights Management
