Revision : 0.7
Created Dated: January 5th, 2015
Last Modified: November 24th, 2015
https://www.linkedin.com/groups/CCSK-study-guide-OpenSource-4071935.S.5958007520671911936?view=&gid=4071935&item=5958007520671911936&type=member&commentID=discussion%3A5958007520671911936%3Agroup%3A4071935
If you wish to contribute, feel free to type your suggestions and they will be taken into account.
CCSK Key Examination Concepts
CSA Guidance For Critical Areas of Focus in Cloud Computing V3.0 English
Based on research that I have seen online, it is suggested that Domains 2, 5, 10 and 12 are heavily tested, especially 5. Attention should be placed on Risk and Challenges.
Victor said these were some of the most quizzed areas:
Reading the material is extremely time consuming; Incident Response and Identity and Access Management seem to have the most material.
Domain 1 Architecture
Summary
SPI = Software, Platform and Infrastructure as a service.
Cloud formations = the forms of cloud computing, or the way it's deployed.
Cloud benefits - collaboration, agility, scaling, availability, reduced cost, optimized and efficient.
Steps for evaluating risk in the cloud
1. Determine what data to send to the cloud - (1) Data (2) Application/Function/Processes
2. Determine the data or function is
3. Determine the best deployment model (for models look at the NIST model below)
4. Evaluate the potential cloud providers
NIST Definition of Cloud Computing (Essential Characteristics, Cloud Service Models, Cloud Deployment Models)
Multi-Tenancy (NIST doesn't have it, but CSA's cloud model includes it as an essential characteristic):
- Policy enforcement
- Segmentation
- Isolation
- Governance
- SLA
- Chargeback
The problem with multi-tenancy is the visibility of residual data or traces of other tenants' operations.
CSA Cloud Reference Model (also known as service models)
IaaS - Most flexible, possibly the least secure; customers are responsible for most of the security mechanisms
PaaS - Lots of flexibility, but not quite as flexible as IaaS
SaaS - Least flexible, possibly the most secure, and dependent on the provider
You can outsource a lot of manageability, but not accountability.
Jericho Cloud Cube Model
The four sides/eight dimensions:
- I/O - Insourced or Outsourced
- I/E - Internal or External
- O/P - Open or Proprietary
- P/D - Perimeterised or De-perimeterised
Least to most mature:
1. Outcome/Value
2. Process
3. Software
4. Platform
5. Infrastructure
47. In which of these models does the consumer have limited user-specific configuration settings?
A. SaaS
B. PaaS
C. IaaS
D. none of the above
48. SOC refers to:
A. Strategic Overview Card
B. Standard Operations Credentials
C. Security Operations Center
D. Service Office Catalogue
49. When considering compliance with accepted frameworks and standards, one should consider --
A. Cloud service classroom; security architecture and cloud architecture
B. Compliance architecture; cloud architecture; cloud service classification
C. Security architecture; compliance architecture; cloud architecture
D. All of the above
50. In a cloud environment, the number of security notifications:
A. Are the same as in any other computing environment
B. Increase minimally
C. Decrease substantially
D. Increase exponentially
ANSWERS (Original number +50)
51. Suspicious intrusion detection alerts are part of
A. Events management
B. Incidents management
C. Risks management
D. None of these
Explanation: Suspicious intrusion detection alerts are part of incident management.
52. Cloud providers that have not achieved ISO/IEC 27001 certification should align themselves with:
A. ISO/IEC 27000
B. ISO/IEC 27002
C. SAS 70 practices
D. CSA SaaS v.2
Explanation: Providers that have not achieved ISO/IEC 27001 certification should align themselves with ISO/IEC 27002.
53. According to ENISA, which service model implies the highest level of liability?
A. Public cloud
B. Partner cloud
C. Private cloud
D. Non cloud
Explanation: According to ENISA, private cloud model implies the highest level of liability
54. Over time, the right to audit clause should be:
A. Increased
B. Reduced
C. Replaced with the compliance and monitoring clause
D. Both B and C
Explanation: Over a period of time, the need to audit should get reduced and should be replaced by a compliance and monitoring clause.
55. SIEM refers to:
A. Security Information and Event Management
B. Strategic Implementation of Electronic Management
C. Service Improvement in End-User Markets
D. Software Intrusion and External Models
Explanation: SIEM stands for Security Information and Event Management.
56. Which of the following audits ensures that controls are implemented and documented?
A. SAS 70 Type I
B. SAS 70 Type II
C. SAS 70 Type III
D. CSA SaaS v.2
Explanation: CSA SaaS v.2 ensures that controls are implemented and documented.
57. Online word processing and spreadsheet tools would fall under which of the following service models?
A. Software as a Service
B. Platform as a Service
C. Infrastructure as a Service
D. Both A and C
Explanation: Online tools are examples of Software as a Service.
58. Google Docs is an example of:
A. Software as a Service
B. Platform as a Service
C. Infrastructure as a Service
D. None of the above
Explanation: Google Docs is an example of SaaS.
59. Storage as a service is a sub-offering under which of the following categories?
A. SaaS
B. PaaS
C. IaaS
D. Both SaaS and IaaS
Explanation: It is an offering of IaaS.
60. The nature of cloud computing means that it is more difficult to:
A. Ensure adequate resource division
B. Determine who to contact in case of a security incident or data breach
C. Make commitments to customers regarding security
D. All of these
Explanation: All of the above mentioned reasons together make up cloud computing.
61. Which of the following are the phases of incident recovery that the SLA should guarantee support for?
A. Analysis, incident, response and recovery
B. Detection, incidence, response and recovery
C. Detection, analysis, containment, eradication, and recovery
D. None of the above
Explanation: Detection, analysis, containment, eradication and recovery are the phases of incident recovery, and the SLA must ensure they are covered.
62. When any expertise is outsourced --- has to be signed.
A. HIPAA
B. IR
C. NDA
D. None of the above
Explanation: An NDA has to be signed while outsourcing expertise. NDA stands for Non-Disclosure Agreement.
63. While evaluating risk for cloud, the first step is?
A. Determine initial costs
B. Determine data or function considered for cloud
C. Determine importance of data or function
D. Determine strategy of adopting cloud
Explanation: While evaluating risk for cloud, the first step is to determine the data or function considered for cloud.
64. In a cloud environment, the number of sources that must be monitored:
A. Are the same as in any other computing environment
B. Increase minimally
C. Decrease substantially
D. Increase exponentially
Explanation: Since resources grow depending upon the demand it grows exponentially
65. ESI stands for:
A. E-mail Storage interface
B. Electronic Stored Interface
C. Electronically Stored Information
D. None of the above
Explanation: ESI stands for Electronically Stored Information.
66. Remove
67. Service levels, governance, compliance and liability are stipulated and enforced in which of the following service models?
A. SaaS
B. PaaS
C. IaaS
D. all of the above
Explanation: Irrespective of the model, service levels, governance, compliance and liability are stipulated and enforced.
68. According to the Cloud Security Alliance (CSA), cloud service providers should use which of the following as a guideline?
A. ISO/IEC 27000
B. ISO/IEC 27001
C. ISO/IEC 27003
D. ISO/IEC 35000
Explanation: According to the Cloud Security Alliance (CSA), cloud service providers should use ISO/IEC 27001 as a guideline.
69. According to the Cloud Security Alliance (CSA), the cloud customer must understand:
A. The provider's ability to produce evidence needed for compliance
B. The division of compliance responsibilities between the consumer and provider
C. The customer's role in bridging the gap between auditor and service provider
D. All of the above
Explanation: The cloud customer must understand the provider's ability to produce evidence needed for compliance, the division of compliance responsibilities between consumer and provider, and the customer's role in bridging the gap between auditor and service provider.
70. The 'ability to run multiple operating systems on a single physical system and share the underlying hardware resources' is referred to as:
A. Cloud computing
B. Grid computing
C. Agile computing
D. Virtualization
Explanation: The ability to run multiple operating systems on a single piece of hardware is called virtualization.
71. Improvements in which of the following areas would lead to improvements for all cloud service customers?
A. Tools
B. Policies
C. Processes
D. All of these
Explanation: Tools, policies and processes are equally important and can have varied benefits.
72. According to the CSA's (Cloud Security Alliance's) risk assessment framework, risks may be ---
A. Accepted
B. Transferred
C. Mitigated
D. All of the above
Explanation: Risk may be mitigated, accepted or transferred as per CSA guidelines
73. In SaaS, there are
A. One deployment model for cloud services
B. Two deployment models for cloud services
C. Three deployment models for cloud services
D. Four deployment models for cloud services
Explanation: NONE
74. Rackspace Cloud is an example of:
A. Software as a Service
B. Platform as a Service
C. Infrastructure as a Service
D. None of the above
Explanation: Rackspace is an example of Infrastructure as a Service.
75. The acronym EDoS refers to:
A. Economic Denial of Service
B. Environmental Domain of Service
C. Encrypted Disaster or Solution
D. Engineered Data on Servers
Explanation: EDoS stands for Economic Denial of Service.
76. Which of the following is NOT a recommendation for the 'create' phase of the data security lifecycle?
A. Identification of data labeling and classification capabilities.
B. User tagging to classify data.
C. Leveraging of content discovery tools
D. Enterprise digital rights management
Explanation: Content discovery tools usage is not part of the 'create' phase.
77. According to the Cloud Security Alliance (CSA), the cloud services agreement must allow the client or third party to:
A. Have reasonable security that data breaches will not happen.
B. Monitor the service provider's performance and test for system vulnerabilities.
C. Retain ownership of the data in original format.
D. Adjust the process for responding to legal requests at any time.
Explanation: According to the Cloud Security Alliance (CSA), the cloud services agreement must allow the client or third party to retain ownership of the data in original format.
78. Cloud cube model illustrates --
A. Physical location of deployment models
B. Deployment models
C. Management and ownership
D. All of the above
Explanation: Cloud cube model illustrates physical location of deployment models.
79. Cloud cube model was developed by ---
A. Cloud Security Alliance
B. OpenCrowd cloud solutions
C. Jericho forum
D. GoGrid
Explanation: The Jericho Forum developed the cloud cube model.
80. In which model does the consumer have control over application hosting environment configurations?
A. SaaS
B. PaaS
C. IaaS
D. None of the above
Explanation: In PaaS, applications can be built and hosted
81. HIPAA stands for:
A. Highly Intelligent Performance and Accounting
B. Highly Interfering Performance and Auditing
C. Health Insurance Portability and Accountability
D. None of the above
Explanation: HIPAA stands for Health Insurance Portability and Accountability. It is compliance,
82. Which of the following scenarios begins with a crisis of confidence in the cloud provider's financial position?
A. An upcoming financial audit
B. A 'mass exodus' scenario
C. A 'run on the banks' scenario
D. All of the above
Explanation: A run on the banks scenario can lead to crisis of confidence.
83. The worst case scenario in a 'run on the banks' situation is that:
A. Customers may be locked into a contract with a provider for many years
B. Customers may not be able to retrieve their data
C. Providers may be able to leak customer data to third parties
D. Customer data may be made publicly available
Explanation: In case the provider goes bankrupt, there is a chance that the customers might not be able to retrieve their data.
84. Which of the following is NOT true about PaaS?
A. It enables developers to build their own applications on top of the platform
B. It offers less customer ready features than SaaS
C. It is more extensible than the SaaS model
D. There are not as many security options as SaaS within this model
Explanation: PaaS offers multiple security options for customers
85. Cloud service customers should develop evidence-collecting processes for which of the following areas?
A. System configurations
B. Audit logs
C. Change management reports
D. All of the above
Explanation: Cloud service customers should develop evidence-collecting processes for system configurations, audit logs, and change management reports.
86. In which of the following cases should a cloud service provider audit be done?
A. Be done by the customer only
B. Be done regardless of the provider's certifications
C. Be waived, if the provider has adequate certifications
D. None of the above
Explanation: No matter what certifications the provider has, cloud service providers need to be audited.
87. According to the Cloud Security Alliance (CSA), which of the following clauses should be obtained whenever possible?
A. Right to Audit Clause
B. Right to Withdraw Clause
C. Security Breach Clause
D. Data Transferability Clause
Explanation: A Right to Audit Clause should be given from time to time to ensure everything is as per the agreement.
88.
89. What kind of provisioning is standardized in OASIS' Service Provision Markup Language (SPML)?
A. Lateral provisioning
B. Transport provisioning
C. Push-style provisioning
D. Pull-style provisioning
Explanation: Service Provision Markup Language uses push-style provisioning.
90. Which of the following assets are supported by cloud?
A. Data and resources
B. Applications and processes/functions
C. Data and applications/functions/processes
D. All of the above
Explanation: All the mentioned functions are actively supported by cloud
91. Data breaches are part of:
A. Events management
B. Disaster management
C. Incidents management
D. None of the above
Explanation: Data breaches are part of disaster management.
92. When an attacker uses a customer's resources for his/her own gain, this may be referred to as:
A. Diminished Domain of Service
B. Distributed Denial of Service
C. Economic Denial of Service
D. Engineered Denial of Service
Explanation: When an attacker uses a customer's resources for his/her own gain, this may be referred to as Distributed Denial of Service.
93. Which of the following is not a category of infrastructure services?
A. Storage
B. Compute
C. Services Management
D. Integration
Explanation: Integration is not a category of infrastructure services
94. Which of the following should not demonstrate compartmentalization by cloud providers, according to the Cloud Security Alliance (CSA)?
A. Systems
B. Provisioning
C. Personnel
D. Resources
Explanation: Personnel compartmentalization should not be demonstrated by the cloud providers.
95. Which of the following is a characteristic of virtualization?
A. Single OS image per machine
B. Hardware-independence of operating system and applications
C. Inflexible, costly infrastructure
D. Software and hardware are tightly coupled
Explanation: Through the hypervisor, virtualization separates the hardware from the OS and applications.
96. Since ----, the Federal Rules of Civil Procedure require the inclusion of electronically-stored information when responding to discovery requests.
A. 2000
B. 2002
C. 2004
D. 2006
Explanation: Since 2006, the Federal Rules of Civil Procedure require the inclusion of electronically-stored information when responding to discovery requests.
97. What is recommended to enterprises adopting cloud?
A. Profit based approach
B. Risk based approach
C. Security based approach
D. Privacy based approach
Explanation: Risk based approach is an important factor to consider
98. In which of these models does the consumer have limited user-specific configuration settings?
A. SaaS
B. PaaS
C. IaaS
D. none of the above
Explanation: Consumers do not have much of a say in SaaS offerings.
99. SOC refers to:
A. Strategic Overview Card
B. Standard Operations Credentials
C. Security Operations Center
D. Service Office Catalogue
Explanation: SOC refers to Security Operations Center.
100. When considering compliance with accepted frameworks and standards, one should consider --
A. Cloud service classroom; security architecture and cloud architecture
B. Compliance architecture; cloud architecture; cloud service classification
C. Security architecture; compliance architecture; cloud architecture
D. All of the above
Explanation: All these should be taken into serious consideration
101. In a cloud environment, the number of security notifications:
A. Are the same as in any other computing environment
B. Increase minimally
C. Decrease substantially
D. Increase exponentially
Explanation: With cloud, all security measures have increased exponentially.
Adding Flash Card information I have received from a website - Thanks to Ajay Chauhan (http://www.cram.com/flashcards/ccsk-3657367)

Q: What are the five essential characteristics of Cloud computing as defined by NIST?
A: 1 - Broad Network Access. 2 - Resource Pooling. 3 - On-Demand service. 4 - Rapid Elasticity. 5 - Measured Service

Q: What is the most important reason for knowing where the cloud service provider will host the data?
A: So that it can address the specific restrictions that foreign data protection laws may impose.

Q: What are the six phases of the data security lifecycle?
A: Create, Store, Use, Share, Archive, Destroy.

Q: Why is the size of data sets a consideration in portability between cloud service providers?
A: The sheer size of data may cause an interruption of service during a transition, or a longer transition period than anticipated.

Q: What are the four D's of perimeter security?
A: Deter, Detect, Delay, Deny

Q: How should an SDLC be modified to address application security in a Cloud Computing environment?
A: Organizations must adopt best practices for development, either by having a good blend of processes, tools, and technologies of their own or adopting one of the maturity models.

Q: What is the most significant reason that customers are advised to maintain in-house key management?
A: To be able to prove that all data has been deleted from the public cloud environment when exiting that environment.

Q: What two types of information will cause additional regulatory issues for all organizations if held as an aspect of an Identity?
A: PII - Personal Identifiable Information; SPI - Sensitive Personal Information

Q: Why do blind spots occur in a virtualized environment, where network-based security controls may not be able to monitor certain types of traffic?
A: Virtual machines may communicate with each other over a hardware backplane, rather than a network.

Q: How does SaaS alleviate much of the consumer's direct operational responsibility?
A: The provider is not only responsible for the physical and environmental security controls, but it must also address the security controls on the infrastructure, the applications, and the data.

Q: In Europe, name the group that has enacted data protection laws and the principles which they follow.
A: The European Economic Area (EEA) Member States follow principles set forth in the 1995 European Union (EU) Data Protection Directive and the 2002 ePrivacy Directive as amended in 2009.

Q: What is the minimum that U.S. state laws require when using a Cloud Service Provider?
A: A written contract with the service provider with reasonable security measures.

Q: How does an organization respond to the evolving nature of the cloud environment?
A: All documents that pertain to the case, whether favorable to its case or the other litigant's case.

Q: What role do audits perform in cloud relationships?
A: Audits must be independently conducted and should be robustly designed to reflect best practice, appropriate resources, and tested protocols and standards.

Q: What three cloud services make up the Cloud Reference Model?
A: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS)

Q: Define IaaS.
A: IaaS delivers computer infrastructure as a service along with raw storage and networking.

Q: List the four dimensions in the Jericho Cloud Cube Model.
A:
- Internal (I) / External (E): Physical Location
- Proprietary (P) / Open (O): State of Ownership
- Perimeterised (Per) / De-perimeterised (D-p): Architectural mindset
- Insourced / Outsourced: Who provides the cloud service

Q: What is the key takeaway for security architecture?
A: The lower down the stack the CSP stops, the more security capabilities and management consumers are responsible for implementing and managing themselves.

Q: What are the risks and pitfalls to consider in the Cloud Security Reference Model?
A:
- How / where cloud services are deployed
- Manner in which cloud services are consumed
- Re-perimeterization of enterprise networks
- Types of assets, resources and information being managed
- Who manages them and how
- Which controls are selected and how they are integrated
- Compliance issues

Q: How do you determine the general security posture of a service and how it relates to an asset's assurance and protection requirements?
A:
- Classify a cloud service against the cloud architectural model
- Map the security architecture and business, regulatory, and other compliance requirements as a gap-analysis exercise

Q: List four of the specific risks identified and analyzed by management in a cloud environment.
A:
- Avoidance: exiting the activities giving rise to risk
- Reduction: taking action to reduce the likelihood or impact related to the risk
- Share or insure: transferring or sharing a portion of the risk to finance it
- Accept: no action is taken due to a cost/benefit decision

Q: How should the cost savings obtained by cloud computing services be utilized?
A: Reinvest into increased scrutiny of the security capabilities of the provider, application of security controls, and ongoing detailed assessments and audits to ensure requirements are continuously met.