The CCSK Study Guide

Revision : 0.7
Created Dated: January 5th, 2015
Last Modified: November 24th, 2015

Contributors (name, organization, country):

Alejandro Castillo - FireEye Inc - United States of America
Peter HJ van Eijk - Club Cloud Computing - Netherlands
Ajay Chauhan - SafeNet - United Kingdom
Ash Thakrar - PwC - United Kingdom
David Glosser - Regeneron Pharmaceuticals - United States of America

Please Scroll down to find the actual study guide
If you found any part of this guide helpful please provide a like or some feedback to the
following link:

https://www.linkedin.com/groups/CCSK-study-guide-OpenSource-4071935.S.5958007520671911936?view=&gid=4071935&item=5958007520671911936&type=member&commentID=discussion%3A5958007520671911936%3Agroup%3A4071935

If you wish to contribute feel free to type your suggestions and they will be taken accordingly.
CCSK Key Examination Concepts
CSA Guidance For Critical Areas of Focus in Cloud Computing V3.0 English

Based on research that I have seen online, it is suggested that Domains 2, 5, 10 and 12 are heavily tested, especially 5. Attention should be placed on Risks and Challenges.
Victor said these were some of the most quizzed areas:
Reading the material is extremely time consuming; Incident Response and Identity and Access Management seem to have the most material.

Domain 1 Architecture
Summary
SPI = Software, Platform and Infrastructure as a Service.
Cloud formations = the forms of cloud computing, or the way it's deployed.
Cloud benefits - collaboration, agility, scaling, availability, reduced cost, optimized and efficient.
Steps for evaluating risk in the cloud:
1. Determine what to send to the cloud - (1) Data (2) Applications/Functions/Processes
2. Determine how important the data or function is
3. Determine the best deployment model (for models look at the NIST model below)
4. Evaluate the potential cloud providers
• NIST Definition of Cloud Computing (Essential Characteristics, Cloud Service Models, Cloud Deployment Models)
• Multi-Tenancy (NIST doesn't have it, but CSA's cloud model includes it as essential):
  - Policy Enforcement
  - Governance
  - Segmentation
  - SLA
  - Isolation
  - Chargeback
The problem with multi-tenancy is visibility of residual data or traces of operations of other tenants.
• CSA Cloud Reference Model (also known as service models)
  - IaaS - Most flexible, possibly the least secure; customers are responsible for most of the security mechanisms.
  - PaaS - Still a lot of flexibility, but not quite as flexible as IaaS.
  - SaaS - Least flexible, possibly most secure, and dependent on the provider.

You can outsource a lot of manageability, but not accountability.
• Jericho Cloud Cube Model - The four sides/eight dimensions:
  - I/O - Insourced or Outsourced
  - I/E - Internal or External
  - O/P - Open or Proprietary
  - P/D - Perimeterised or De-perimeterised
  Least to most mature:
  1. Outcome/Value
  2. Process
  3. Software
  4. Platform
  5. Infrastructure

• Cloud Security Reference Model - possible definition on page 20 third paragraph

• Cloud Service Brokers - Middleman/Middleware that act like proxies between the cloud and the consumer. This is done to provide an abstraction layer between the customer and the cloud's capabilities, to allow for fluidity and agility.
• Service Level Agreements - Negotiable and non-negotiable. Most of the control and security will be held in the SLA. SLAs must cascade downwards from Provider to Third Party and supply chain.
• Security Level - auditing provides affirmation and really specifies the level of security in SaaS.
• Even Private Clouds may have multitenancy (multiple projects, part-timers, contractors, third party consultants, etc…).

Domain 2: Governance and Enterprise Risk Management
• Contractual Security Requirements - processes, governance, compliance and liability expectations.
• Governance - customs, laws and institutions.
• Enterprise and Information Risk Management - Measure, manage and mitigate uncertainty: Avoidance, Reduction, Share/Insure/Transfer and Accept.
• Third Party Management Recommendations - Contracts are risk management tools with metrics/audits to ensure accountability.

• Third parties should be picked out in advance and reviewed. Their incident management, business continuity and disaster recovery policies, and processes and procedures, along with review of co-locations and backup facilities, must be part of the background check assessment.
• Supply chain examination - Risk is inherited throughout the supply chain.
• Use of Cost Savings for Cloud - Should be re-invested to scrutinize the security capabilities of the provider.
• The major part for most of the governance will be the contract between the provider and customer.

Domain 3: Legal Issues: Contracts and Electronic Discovery
• Consideration of cloud-related issues in three dimensions: Monitoring, testing, evaluation???
• Federal Rules of Civil Procedure and electronically stored information (ESI) for holding.
• Metadata - it's data about data.
• Litigation hold - obligation to undertake reasonable steps to prevent destruction or modification of data or the information processing. It must also be protected and well stored (this is called a legal hold).
• eDiscovery considerations - In the US you must give everything to the requesting party even if it is not in your favor.
• Jurisdictions and data locations - geographical locations and legal jurisdictions. CSP/Third party review of how information is stored, processed and transmitted across borders, with many different laws in those places as well as the ones we must comply with. In terms of jurisdiction it depends on where the legal court is?
• Liability for activities of subcontractors.
• Due diligence responsibility - The client is responsible for the data even though they might not have access.

Domain 4: Compliance and Audit Management
• Definition of Compliance: the awareness and adherence to obligations (laws, regulations, contracts, policies and various other things), including the assessment and prioritization of corrective actions deemed necessary and appropriate.
• Compliance analysis requirements - laws and regulations one must comply with. These will likely include contracts. Procurement and contract teams help to identify them.
• Compliance impact on cloud contracts - Identify legal barriers and ensure they are addressed in the contract.
• Audit scope and compliance scope.
• Auditor requirements - "Cloud aware". SSAE 16 SOC2 or ISAE 3402 Type 2.
• Right to audit - gives customers the ability to audit the cloud provider and provides for transparency/accountability; however, it should be written into the contract. Audit might be hard due to an elastic environment, thus they need the CSP[1].
• Right to transparency - can view, or request a push to view, the stats of the environment.

Domain 5: Information Management and Data Security
• Six phases of the Data Security Lifecycle and their key elements: Create-Store-Use-Share-Archive-Destroy.

• Three valid options for protecting data: Client application encryption, Link/Network encryption, Proxy based encryption.
• Data Loss Prevention: Used for content delivery and to monitor data in motion.
  - Actions: Block, or allow to proceed after remediation (DRM[2], ZIP, PGP).
  - Deployment may be done using any of the following: Dedicated Appliance, Virtual Appliance, Endpoint agent, Hypervisor agent, DLP SaaS.
• Detecting data migration to the cloud - Database Activity Monitoring (DAM) and File Activity Monitoring (FAM) can be used to detect and monitor attacks.
• Volume storage: virtual hard drives (data dispersion to support resiliency and security).
• Object storage: File storage (can typically be accessed by APIs or a web interface).
• Logical vs physical locations of data - Potential issues from regulatory, contractual and other jurisdictional issues; it is extremely important to understand both the logical and physical location of the data.
• Encryption in IaaS, PaaS & SaaS
  - IaaS - Volume Storage Encryption: Instance Managed encryption, Externally Managed encryption, Proxy Encryption.
  - PaaS: Client/Application encryption, Database Encryption, Proxy Encryption.
  - SaaS: Provider-Managed Encryption, Proxy Encryption.

• DAM: captures and records all DB SQL activity, including database activity across multiple database platforms, and can generate alerts on policy violations. DAM tools are typically agent-based, connecting to a central collection server (which is typically virtualized). It is used with dedicated database instances for a single customer (although in the future it may be available for PaaS).
• FAM: Products that monitor and record all activity within designated file repositories at the user level and can generate alerts based on violations. FAM tools require agents, or placing a physical appliance between the cloud storage and the cloud consumer.
• Data Dispersion: It spreads data across nodes (data fragmentation) to make it more resilient and harder to compromise. It usually does this by using an Information Dispersal Algorithm (IDA); no encryption is used in dispersion.
• Data Fragmentation: When fragmentation is used alongside encryption it becomes hard to compromise, as you have to compromise m cloud nodes holding fragments and then still break the encryption.
• Data Backup - performed, maintained, documented.

Domain 6: Interoperability and Portability
• Definitions of Portability and Interoperability
  - Interoperability: The requirement for the components in a cloud ecosystem to work together to produce the intended result.
  - Portability: defines the ease with which application components can be moved and reused elsewhere regardless of provider, platform, OS, infrastructure, location, storage, the format of the data or the APIs.
• Lock-In considerations by IaaS, PaaS & SaaS delivery models
  - IaaS: creation, deletion and deprovisioning (removing residual data) - how data is generated; hardware based dependencies moving to virtualization; access to system logs, traces and billing records; interoperability and portability of feature sets when moving from one cloud to another, as well as understanding dependency on legacy IaaS (cost as well); who maintains the crypto keys.
  - PaaS: tools available for secure data transfer, backup and restore, available or dependent on the provider. For interoperability and portability use standard syntax, open APIs and open standards such as the Open Cloud Computing Interface (OCCI). How to transfer to a new vendor?????
  - SaaS: Determine which data can be preserved and migrated (escrow service?). Perform regular data backups. Do testing prior to moving.
• SAML and WS-Security - authentication protocols that are interoperable with standards-based systems. Using the open, standards-based SAML can help ensure portability of identities.
• Virtualization impacts on Portability and Interoperability - Can help abstract hardware for flexibility, and using something like the Open Virtualization Format (OVF) can aid in portability.
• Size of Data Sets - the sheer size can cause disruption of service during transition, or can make the transition longer than it needs to be (a courier may be an option).
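As an added example (not part of the study guide or of any CSA material), the Data Dispersion and Data Fragmentation points above in working code: a k-of-n information dispersal scheme over GF(257), showing that any k fragments rebuild the data while the first k fragments of un-encrypted dispersal are the plaintext bytes themselves, which is why fragmentation alongside encryption is the recommended combination. The sample input in the test is constructed.

```go
package main

import "fmt"

// Added example, not from the study guide: a k-of-n information dispersal
// scheme over the prime field GF(257), built the way Rabin-style IDAs are.
// Each chunk of k data bytes is taken as the values of a degree-(k-1)
// polynomial at x = 1..k; fragments k+1..n are that polynomial evaluated at
// further points. Any k fragments rebuild the chunk, fewer than k cannot.
// Note what "no encryption is used in dispersion" means here: fragments
// 1..k ARE the data bytes, so one stolen fragment already leaks plaintext.
// Encrypt first, then disperse.

const p = 257 // prime just above a byte, so every data byte is a field element

func modp(a int) int {
	a %= p
	if a < 0 {
		a += p
	}
	return a
}

// inv returns a^-1 mod p by Fermat's little theorem (a != 0).
func inv(a int) int {
	r, b, e := 1, modp(a), p-2
	for ; e > 0; e >>= 1 {
		if e&1 == 1 {
			r = r * b % p
		}
		b = b * b % p
	}
	return r
}

// lagrangeAt evaluates the unique polynomial through (xs[i], ys[i]) at x.
func lagrangeAt(xs, ys []int, x int) int {
	sum := 0
	for i := range xs {
		num, den := 1, 1
		for j := range xs {
			if i != j {
				num = num * modp(x-xs[j]) % p
				den = den * modp(xs[i]-xs[j]) % p
			}
		}
		sum = modp(sum + ys[i]*num%p*inv(den))
	}
	return sum
}

// Fragment is what one cloud node stores: its evaluation point and one
// field element (0..256, hence uint16) per data chunk.
type Fragment struct {
	X    int
	Vals []uint16
}

// Disperse splits data into n fragments such that any k rebuild it.
func Disperse(data []byte, k, n int) []Fragment {
	if k < 1 || n < k || n > p-1 {
		panic("need 1 <= k <= n <= 256")
	}
	frags := make([]Fragment, n)
	xs := make([]int, k)
	for i := range frags {
		frags[i].X = i + 1
	}
	for i := range xs {
		xs[i] = i + 1
	}
	for off := 0; off < len(data); off += k {
		ys := make([]int, k) // last chunk is zero-padded
		for i := 0; i < k && off+i < len(data); i++ {
			ys[i] = int(data[off+i])
		}
		for i := range frags {
			frags[i].Vals = append(frags[i].Vals, uint16(lagrangeAt(xs, ys, frags[i].X)))
		}
	}
	return frags
}

// Reassemble rebuilds the first length bytes from any k (or more) fragments.
func Reassemble(frags []Fragment, k, length int) ([]byte, error) {
	if len(frags) < k {
		return nil, fmt.Errorf("have %d fragments, need %d", len(frags), k)
	}
	frags = frags[:k]
	xs := make([]int, k)
	for i, f := range frags {
		xs[i] = f.X
	}
	out := make([]byte, 0, length)
	for c := 0; len(out) < length; c++ {
		ys := make([]int, k)
		for i, f := range frags {
			ys[i] = int(f.Vals[c])
		}
		for x := 1; x <= k && len(out) < length; x++ {
			out = append(out, byte(lagrangeAt(xs, ys, x)))
		}
	}
	return out, nil
}
```

Run Disperse on ciphertext rather than plaintext and the systematic fragments stop being readable; the reconstruction property is unchanged.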

• Recommendations: when possible use open and published architectures with standard protocols. Lock-in can also occur if the data can't be easily exported (costly conversion, error, loss of data), thus the need for portability. "Understand up-front and plan for how to exit the contract."
• Mitigating hardware compatibility - Lack of interoperability can lock you to a vendor.
• Review/audit the consistency of controls.

Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
• Four D's of perimeter security: Deter, Detect, Delay and Deny.
• Providers should have a security baseline: compartmentalization, separation of duties, background checks, non-disclosure agreements, (re)training, avoidance of conflicts of interest.
• Business Continuity Management/Disaster Recovery due diligence - review the CSP's BCP process.
  - BS 25999 - The British Standard for Business Continuity Management (BCM); ISO 22301 is responsible for Business Continuity.
  - Things to review: Emergency Response Team (ERT), Crisis Management Team (CMT) and the Incident Response Team (IRT).
• Customer due diligence related to BCM/DR - traditional audits, on-site assessments, direct examination or certifications.
• Restoration Plan: should correlate directly to the SLA as contractually committed and include both the Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
• Physical location of cloud provider - The consumer should conduct a critical evaluation of the data center's physical location:
  - not in areas known to have seismic activity, floods, landslides or other natural disasters;
  - not located in areas known to have high crime, political or social unrest;
  - check accessibility of the location and anything that might inhibit it.
• Cloud backup and disaster recovery services - Main Challenges: mobility, availability, transfer (transfers to and from the cloud), scalability and metered payments.
• Disaster Recovery is built on three layers: Virtual Storage, Scalable file systems and a self-service disaster recovery application.

Domain 8: Data Center Operations
• Relation to Cloud Controls Matrix - the meat of the security. Table comprised of:
  - Application Mission: Contractual, legal or regulatory requirement.
  - Control: Security concept that is meant to mitigate risk to accomplish the mission.
  - Specification: Details of said control that will actually mitigate said risk.
• Queries run by data center operators.
• Technical aspects of a Provider's data center operations the customer should understand.
• Logging and report generation in multi-site clouds: it needs software to orchestrate the logging.

Domain 9: Incident Response
• Factors allowing for more efficient and effective containment and recovery in a cloud:
  - Can allow for faster incident response through continuous monitoring.
  - Faster recovery through virtualization and elasticity, resulting in fast containment and recovery.
  - Easier portability and imaging thanks to VM moves.
• Main data source for detection and analysis of an incident: Logs - pretty much anything you can get. Make sure that time is consistent (i.e. time sync). Is the dynamic nature of the cloud accurately captured?

• Are legal requirements met - log retention patterns and tamper resistance.
• Investigating and containing an incident in an Infrastructure as a Service environment - snapshots of memory; creation of hard disk images requires the CSP; advanced forensics techniques (VM introspection or live forensic system support) require the CSP.
• Investigating and containing an incident in a PaaS/SaaS environment - Requires almost all CSP support and has to be negotiated in the Service Contract.
• Reducing the occurrence of application level incidents - SLAs and IR plans should include "Lessons Learned" after the recovery.
• How often should incident response testing occur - At least once a year.
• Offline analysis of potential incidents - ????????
• Challenges for Incident Response in the cloud - The automated environment does not help: generating snapshots, but it destroys evidence. An elastic environment makes forensics especially hard. There might be privacy issues in doing forensics.

Domain 10: Application Security
• Identity, Entitlement, and Access Management (IdEA): Authentication, Authorization, Administration, Audit & Compliance, Policy.
• SDLC impact and implications - It's typically harder in the cloud: control over the physical layer is harder; potential incompatibilities; protection of data through the lifecycle (transit, rest); web services can introduce more vulnerability; harder to get to logs or to demonstrate compliance.
  - Mitigation: Least Privilege / Segregation of duties / Defense in depth / fail safe / ….
• Differences in S-P-I models.
• Consideration when performing a remote vulnerability test of a cloud-based application - Is the multi-tenancy of it??????
• Categories of security monitoring for applications: Log Monitoring, Performance Monitoring, Monitoring for Malicious use, Monitoring for compromise, Monitoring for policy violations.
• Entitlement matrix - set of rules fed into the entitlement layer; fed by claims, assertions, attributes.

(The above is simply an example of an entitlement matrix.)

Domain 11: Encryption and Key Management
• Adequate encryption protection of data in the cloud.
• Key management best practices: keys per user, location of keys.
  - Location of keys - Whenever possible keys should reside with the user/enterprise. This way, in case of compromise, the data cannot be easily decrypted. An application or process may need keys, so be aware… Use KEKs (Key Encrypting Keys) or in-memory keys.
  - Keys per user - There should be one key per user so they can only encrypt/decrypt their own data. There should be a group key for when users need to share data.
• Relationship to tokenization, masking, anonymization and cloud database controls:
  - Tokenization (basically doing reference substitutions).
  - Data Anonymization (stripping out sensitive data).
  - Masking - Another word for format preserving encryption?????
  - Utilizing Cloud database controls - access control based on segregation levels.

Domain 12: Identity, Entitlement, and Access Management
• Relationship between identities and attributes - Identity is something you are and attributes are the characteristics. Based on the two, a risk-based decision is made to allow access to resources or services. The process of mapping identities to attributes is called entitlement. So entitlement is what ultimately dictates access.
• Identity Federation - The ability to use one identity repository in another for authentication or validation purposes.
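The Domain 11 key-management points (one key per user, a group key for shared data, KEKs, keys resident with the enterprise) as an added example, not code from the study guide: envelope encryption with AES-256-GCM from Go's standard library. Principal names such as alice and group:finance are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Added example, not from the study guide: the Domain 11 key layout in code.
// Each user has a data key (DEK), a group shares one, and every DEK is stored
// only wrapped under a key-encrypting key (KEK) the enterprise keeps.

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds AES-256-GCM; keys here are always 32 random bytes, so the
// constructors cannot fail and a failure would be a programming error.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key or tampered input fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Enterprise keeps the KEK. wrapped and objects are what the cloud provider
// stores: no plaintext and no unwrapped keys. A DEK is unwrapped only in
// memory for the duration of a Put or Get.
type Enterprise struct {
	kek     []byte
	wrapped map[string][]byte // key id ("alice", "group:finance") -> DEK wrapped under the KEK
	objects map[string][]byte // object name -> ciphertext under one of the DEKs
}

func NewEnterprise() *Enterprise {
	return &Enterprise{kek: randBytes(32), wrapped: map[string][]byte{}, objects: map[string][]byte{}}
}

// Provision creates a DEK for a user or group and keeps only its wrapped form;
// the key id is bound as AAD so wrapped keys cannot be swapped between principals.
func (e *Enterprise) Provision(keyID string) {
	e.wrapped[keyID] = seal(e.kek, randBytes(32), []byte(keyID))
}

func (e *Enterprise) dek(keyID string) ([]byte, error) {
	if w, ok := e.wrapped[keyID]; ok {
		return open(e.kek, w, []byte(keyID))
	}
	return nil, errors.New("unknown key id " + keyID)
}

// Put encrypts an object under the named principal's DEK, binding the name as AAD.
func (e *Enterprise) Put(name, keyID string, plaintext []byte) error {
	k, err := e.dek(keyID)
	if err != nil {
		return err
	}
	e.objects[name] = seal(k, plaintext, []byte(name))
	return nil
}

// Get decrypts with the caller's DEK; another principal's DEK simply fails.
func (e *Enterprise) Get(name, keyID string) ([]byte, error) {
	k, err := e.dek(keyID)
	if err != nil {
		return nil, err
	}
	return open(k, e.objects[name], []byte(name))
}
```

A provider-side breach exposes wrapped and objects only; without the KEK neither the DEKs nor the objects can be opened.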
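The Domain 12 flow (identity plus attributes, an entitlement matrix fed by assertions, a PDP that decides and a PEP that enforces) as an added example, not from the study guide; the payroll-db resource, the rule names and the attribute names are constructed for illustration.

```go
package main

import (
	"sort"
	"strings"
)

// Added example, not from the study guide: the Domain 12 pieces wired
// together. An assertion carries an identity plus the attributes claimed
// about it; the entitlement matrix is the set of rules the Policy Decision
// Point (PDP) evaluates; the Policy Enforcement Point (PEP) sits in front of
// the resource and only acts on the PDP's decision. Names are illustrative.

// Assertion is what the identity provider vouches for (e.g. via SAML).
type Assertion struct {
	Identity   string
	Attributes map[string]string
}

// Rule is one row of the entitlement matrix: Action on Resource is permitted
// when every attribute in Requires is present with the stated value.
type Rule struct {
	Name     string
	Resource string
	Action   string
	Requires map[string]string
}

// unmet lists the requirements the assertion does not satisfy, sorted for
// stable output.
func (r Rule) unmet(a Assertion) []string {
	var missing []string
	for k, v := range r.Requires {
		if a.Attributes[k] != v {
			missing = append(missing, k+"="+v)
		}
	}
	sort.Strings(missing)
	return missing
}

type Decision struct {
	Permit bool
	Reason string
}

// PDP holds the matrix and decides; it never touches the resource itself.
type PDP struct{ Matrix []Rule }

// Decide permits if any matching rule is fully satisfied. Anything with no
// matching rule is denied, so an unlisted action fails safe.
func (p PDP) Decide(a Assertion, resource, action string) Decision {
	var reasons []string
	for _, r := range p.Matrix {
		if r.Resource != resource || r.Action != action {
			continue
		}
		missing := r.unmet(a)
		if len(missing) == 0 {
			return Decision{true, a.Identity + " permitted by rule " + r.Name}
		}
		reasons = append(reasons, r.Name+" needs "+strings.Join(missing, ","))
	}
	if len(reasons) == 0 {
		return Decision{false, "deny: no entitlement for " + action + " on " + resource}
	}
	return Decision{false, "deny: " + strings.Join(reasons, "; ")}
}

// PEP fronts one resource: it asks the PDP and either serves or refuses.
type PEP struct {
	pdp      PDP
	resource string
	serve    func(action string) string
}

func (e PEP) Handle(a Assertion, action string) (string, Decision) {
	d := e.pdp.Decide(a, e.resource, action)
	if !d.Permit {
		return "", d
	}
	return e.serve(action), d
}

// NewPayrollPEP builds a constructed sample: a payroll database whose matrix
// lets finance staff read, auditors read, and payroll admins write, with a
// verified MFA login required throughout (the risk-based part of the decision).
func NewPayrollPEP() PEP {
	matrix := []Rule{
		{"finance-read", "payroll-db", "read", map[string]string{"dept": "finance", "mfa": "true"}},
		{"audit-read", "payroll-db", "read", map[string]string{"role": "auditor", "mfa": "true"}},
		{"admin-write", "payroll-db", "write", map[string]string{"role": "payroll-admin", "mfa": "true"}},
	}
	return PEP{PDP{matrix}, "payroll-db", func(action string) string {
		return "payroll-db: " + action + " served"
	}}
}
```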

• Relationship between Policy Decision Point (PDP) and Policy Enforcement Point (PEP)
  - PEP - user-centric authorization (user).
  - PDP - determines access to resources (service provider).
• SAML and WS-Federation.
• Provisioning and authoritative sources.
• Definitions:
  - Entity - Discrete types that will have identities (unique id, person).
  - Identity - an entity who can be authenticated; identity plus attributes.
  - Entitlement - the process of mapping privileges to identities and the related attributes.
  - RSO - password synchronization.
  - SSO - ability to pass identity and attributes to other services.
  - Federation - the connection of one identity repository to another.
  - Primacy - the state of being first principle.
You may want to check out the videos at the end of this guide to understand the whole entitlement process. I found it easier to watch the videos and then come back to read this doc than tackling this doc head on.

Domain 13: Virtualization
• VM guest hardening, blind spots, VM sprawl, data co-mingling, instant-on gaps:
  - VM Guest Hardening - typical OS and app hardening best practices.
  - Blind Spot - The network security appliances are blind to data that doesn't traverse the network (i.e. inter-VM traffic).
  - VM Sprawl - VMs are so easy to deploy they can spiral out of control without process.
  - Data co-mingling - the nature of having multiple VMs on the same physical hardware means that the data of one VM and another type of VM is on the same hardware.
  - Instant-on gaps - Pausing a VM and turning it back on (after a long time) can introduce vulnerabilities.
• In-Motion VM characteristics that can create a serious complexity for audits - Because VMs are portable, they can be moved geographically without alert or traceable audit trail.
• How can virtual machine communications bypass network security controls - If the data is passed between VMs in the data plane as opposed to the network plane. Insert security APIs at the hypervisors.
• VM attack surfaces - What else is there besides the ones mentioned and VM image tampering???
• Compartmentalization of VMs - Zoned approach for production, test/development and highly sensitive data.

Domain 14: Security as a Service
• 10 categories: Identity and Access Management; Data Loss Prevention; Web Security; Email Security; Security Assessments; Intrusion Management; Security Information and Event Management (SIEM); Encryption; Business Continuity and Disaster Recovery; Network Security.

• Barriers to developing full confidence in Security as a Service (SECaaS)
  - Some security concerns: compliance, multi-tenancy and vendor lock-in.
  - Lack of visibility into control, personnel and general compliance.
  - Data leakage between virtual machine instances.
• When deploying Security as a Service in a highly regulated industry or environment, what should both parties agree on in advance and include in the SLA - Metrics that describe how the provider is keeping in compliance. This can in turn be used to enforce the contract or prematurely end a contract of service.
• Logging and reporting implications - Is this related to SIEM?????????
• How can web security as a service be deployed - on premise through software/appliance installation; cloud by proxy, redirecting web traffic through the cloud provider's infrastructure.
• What measures do Security as a Service providers take to earn the trust of their customers
  - run constant background checks that rival government background checks;
  - they meet and exceed geographical and regional regulatory requirements;
  - enlist legal services to meet regional regulatory requirements;
  - data is compartmentalized and data is shared anonymously;
  - data monitored and held by the provider is anonymized in logs and audit data;
  - increased analytics with semantic processing.

ENISA Cloud Computing: Benefits, Risks and Recommendations for Information Security
• Isolation failure
• Economic Denial of Service
• Licensing Risks
• VM hopping
• Five key legal issues common across all scenarios
• Top security risks in ENISA research
• OVF
• Underlying vulnerability in Loss of Governance
• User provisioning vulnerability
• Risk concerns of a cloud provider being acquired
• Security benefits of cloud
• Risks R.1 – R.35 and underlying vulnerabilities
• Data controller vs data processor definitions
• In Infrastructure as a Service (IaaS), who is responsible for guest systems monitoring

Additional Study Resources
Here is a list of additional resources if you want to study for CCSK:
https://collaboration.opengroup.org/jericho/cloud_cube_model_v1.0.pdf
https://collaboration.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments%20v1.0.pdf
CCSK overview: https://www.youtube.com/watch?v=LhDZe7ZntvE
CCSK overview: https://www.youtube.com/watch?v=mniY-Jay5cY&list=PL6ASplUnEA8KQsg2Czr8y5a-ICJujSW9W&index=1
How Identity, Entity and Entitlement work in the cloud: https://www.youtube.com/watch?v=6FHGe8yHeQE
The best practices for Entitlement.
Is the cloud control matrix relevant to the CCSK test??????? https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3/
Cloud Security Alliance (SecaaS) - Defined Categories of Service 2011: https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf
NIST SP800-145 (NIST Definition of Cloud Computing): http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

Practice Questions (From SimpliLearn):

1. Suspicious intrusion detection alerts is part of:
   A. Events management
   B. Incidents management
   C. Risks management
   D. None of these

2. Cloud providers that have not achieved ISO/IEC 27001 certification should align themselves with:
   A. ISO/IEC 27000
   B. ISO/IEC 27002
   C. SAS 70 practices
   D. CSA SaaS v.2

3. According to ENISA, which service model implies the highest level of liability?
   A. Public cloud
   B. Partner cloud
   C. Private cloud
   D. Non cloud

4. Over time, the right to audit clause should be:
   A. Increased
   B. Reduced
   C. Replaced with the compliance and monitoring clause
   D. Both B and C

5. SIEM refers to:
   A. Security Information and Event Management
   B. Strategic Implementation of Electronic Management
   C. Service Improvement of in End-User Markets
   D. Software Intrusion and External Models

6. Which of the following audits ensures that controls are implemented and documented?
   A. SAS 70 Type I
   B. SAS 70 Type II
   C. SAS 70 Type III
   D. CSA SaaS v.2

7. Online word processing and spreadsheet tools would fall under which of the following service models?
   A. Software as a Service
   B. Platform as a Service
   C. Infrastructure as a Service
   D. Both A and C

8. Google Docs is an example of:
   A. Software as a Service
   B. Platform as a Service
   C. Infrastructure as a Service
   D. None of the above

9. Storage as a service is a sub-offering under which of the following categories?
   A. SaaS
   B. PaaS
   C. IaaS
   D. Both SaaS and IaaS

10. The nature of cloud computing means that it is more difficult to:
   A. Ensure adequate resource division
   B. Determine who to contact in case of a security incident or data breach
   C. Make commitments to customers regarding security
   D. All of these

11. Which of the following are the phases of incident recovery the SLA should guarantee support for?
   A. Detection, incident, response and recovery
   B. Analysis, incidence, response and recovery
   C. Detection, analysis, containment, eradication, and recovery
   D. None of the above

12. When any expertise is outsourced, --- has to be signed.
   A. HIPAA
   B. IR
   C. NDA
   D. None of the above

13. While evaluating risk for cloud, the first step is?
   A. Determine initial costs
   B. Determine data or function considered for cloud
   C. Determine importance of data or function
   D. Determine strategy of adopting cloud

14. In a cloud environment, the number of sources that must be monitored:
   A. Are the same as in any other computing environment
   B. Increase minimally
   C. Decrease substantially
   D. Increase exponentially

15. ESI stands for:
   A. E-mail Storage interface
   B. Electronic Stored Interface
   C. Electronically Stored Information
   D. None of the above

16. According to the Cloud Security Alliance (CSA), the cloud customer must understand:
   A. The provider's ability to produce evidence needed for compliance
   B. The division of compliance responsibilities between the consumer and provider
   C. The customer's role in bridging the gap between auditor and service provider
   D. Removed

17. Service levels, governance, compliance and liability are stipulated and enforced in which of the following service models?
   A. SaaS
   B. PaaS
   C. IaaS
   D. All of the above

18. According to the Cloud Security Alliance (CSA), cloud service providers should use which of the following as a guideline?
   A. ISO/IEC 27000
   B. ISO/IEC 27001
   C. ISO/IEC 27003
   D. ISO/IEC 35000

19. In SaaS, the cloud services agreement must allow the client or third party to:
   A. Adjust the process for responding to legal requests at any time.
   B. Monitor the service provider's performance and test for system vulnerabilities.
   C. Have reasonable security that data breaches will not happen.
   D. All of the above

20. The 'ability to run multiple operating systems on a single physical system and share the underlying hardware resources' is referred to as:
   A. Cloud computing
   B. Grid computing
   C. Agile computing
   D. Virtualization

21. Rackspace Cloud is an example of:
   A. Software as a Service
   B. Platform as a Service
   C. Infrastructure as a Service
   D. All of these

22. (question text and options B and C are missing in the source)
   A. Retain ownership of the data in original format.
   D. All of the above

23. According to the Cloud Security Alliance (CSA), there are:
   A. One deployment model for cloud services
   B. Two deployment models for cloud services
   C. Three deployment models for cloud services
   D. Four deployment models for cloud services

24. Improvements in which of the following areas would lead to improvements for all cloud service customers?
   A. Tools
   B. Policies
   C. Processes
   D. None of the above

25. The acronym EDoS refers to:
   A. Economic Denial of Service
   B. Environmental Domain of Service
   C. Encrypted Disaster or Solution
   D. Engineered Data on Servers

26. Which of the following is NOT a recommendation for the 'create' phase of the data security lifecycle?
   A. Identification of data labeling and classification capabilities.
   B. User tagging to classify data.
   C. Leveraging of content discovery tools
   D. Enterprise digital rights management

27. Cloud cube model illustrates -- (option A is missing in the source)
   B. Deployment models
   C. Management and ownership
   D. Physical location of deployment models

28. According to the CSA's (Cloud Security Alliance's) risk assessment framework, risks may be ---
   A. Accepted
   B. Transferred
   C. Mitigated
   D. All of the above

29. Cloud cube model was developed by ---
   A. Cloud Security Alliance
   B. OpenCrowd cloud solutions
   C. Jericho forum
   D. GoGrid

30. HIPAA stands for:
   A. Highly Intelligent Performance and Accounting
   B. Highly Interfering Performance and Auditing
   C. Health Insurance Portability and Accountability
   D. None of the above

31. In which model does the consumer have control over application hosting environment configurations?
   A. SaaS
   B. PaaS
   C. IaaS
   D. None of the above

32. Cloud service customers should develop evidence-collecting processes for which of the following areas?
   A. System configurations
   B. Audit logs
   C. Change management reports
   D. All of the above

33. The worst case scenario in a 'run on the banks' situation is that:
   A. Customers may be locked into a contract with a provider for many years
   B. Customers may not be able to retrieve their data
   C. Providers may be able to leak customer data to third parties
   D. Customer data may be made publicly available

34. Which of the following is NOT true about PaaS?
   A. It enables developers to build their own applications on top of the platform
   B. It offers less customer ready features than SaaS
   C. It is more extensible than the SaaS model
   D. There are not as many security options as SaaS within this model

35. Which of the following scenarios begins with a crisis of confidence in the cloud provider's financial position?
   A. An upcoming financial audit
   B. A 'mass exodus' scenario
   C. A 'run on the banks' scenario
   D. All of the above

36. In which of the following cases should a cloud service provider's audit be done?
   A. Be done by the customer only
   B. Be done regardless of the provider's certifications
   C. Be waived, if the provider has adequate certifications
   D. None of the above

37. According to the Cloud Security Alliance (CSA), which of the following clauses should be obtained whenever possible?
   A. Right to Audit Clause
   B. Right to Withdraw Clause
   C. Security Breach Clause
   D. Data Transferability Clause

38. What kind of provisioning is standardized in OASIS' Service Provision Markup Language (SPML)?
   A. Lateral provisioning
   B. Transport provisioning
   C. Push-style provisioning
   D. Pull-style provisioning

39. Which of the following should not demonstrate compartmentalization by cloud providers, according to the Cloud Security Alliance (CSA)?
   A. Systems
   B. Provisioning
   C. Personnel
   D. All of the above

40. Data breaches is a part of:
   A. Events management
   B. Disaster management
   C. Incidents management
   D. None of the above

41. When an attacker uses a customer's resources for his/her own gain, this may be referred to as:
   A. Diminished Domain of Service
   B. Distributed Denial of Service
   C. Economic Denial of Service
   D. Engineered Denial of Service

42. Which of the following is not a category of infrastructure services?
   A. Storage
   B. Compute
   C. Services Management
   D. Integration

43. Which of the following assets are supported by cloud?
   A. Data and resources
   B. Applications and processes/functions
   C. Data and applications/functions/processes
   D. Resources

44. Which of the following is a characteristic of virtualization?
   A. Single OS image per machine
   B. Hardware-independence of operating system and applications
   C. Inflexible, costly infrastructure
   D. Software and hardware are tightly coupled

45. Since ----, the Federal Rules of Civil Procedure require the inclusion of electronically-stored information when responding to discovery requests.
   A. 2000
   B. 2002
   C. 2004
   D. 2006

46. What is recommended to enterprises adopting cloud?
   A. Profit based approach
   B. Risk based approach
   C. Security based approach
   D. Privacy based approach

47. In which of these models does the consumer have limited user-specific configuration settings?
   A. SaaS
   B. PaaS
   C. IaaS
   D. None of the above

48. SOC refers to:
   A. Strategic Overview Card
   B. Standard Operations Credentials
   C. Security Operations Center
   D. Service Office Catalogue

49. When considering compliance with accepted frameworks and standards, one should consider --
   A. Cloud service classroom, security architecture and cloud architecture
   B. Compliance architecture, cloud architecture, cloud service classification
   C. Security architecture, compliance architecture, cloud architecture
   D. All of the above

50. In a cloud environment, the number of security notifications:
   A. Are the same as in any other computing environment
   B. Increase minimally
   C. Decrease substantially
   D. Increase exponentially

ANSWERS (original question number + 50)

51. Suspicious intrusion detection alerts is part of:
   A. Events management  B. Incidents management  C. Risks management  D. None of these
   Explanation: Suspicious intrusion detection alerts is part of incident management.

52. Cloud providers that have not achieved ISO/IEC 27001 certification should align themselves with:
   A. ISO/IEC 27000  B. ISO/IEC 27002  C. SAS 70 practices  D. CSA SaaS v.2
   Explanation: Providers that have not achieved ISO/IEC 27001 certification should align themselves with ISO/IEC 27002.

53. According to ENISA, which service model implies the highest level of liability?
   A. Public cloud  B. Partner cloud  C. Private cloud  D. Non cloud
   Explanation: According to ENISA, the private cloud model implies the highest level of liability.

54. Over time, the right to audit clause should be:
   A. Increased  B. Reduced  C. Replaced with the compliance and monitoring clause  D. Both B and C
   Explanation: Over a period of time, the need to audit should get reduced and should be replaced by a compliance and monitoring clause.

55. SIEM refers to:
   A. Security Information and Event Management  B. Strategic Implementation of Electronic Management  C. Service Improvement of in End-User Markets  D. Software Intrusion and External Models
   Explanation: SIEM stands for Security Information and Event Management.

56. Which of the following audits ensures that controls are implemented and documented?
   A. SAS 70 Type I  B. SAS 70 Type II  C. SAS 70 Type III  D. CSA SaaS v.2
   Explanation: CSA SaaS v.2 ensures that controls are implemented and documented.

57. Online word processing and spreadsheet tools would fall under which of the following service models?
   A. Software as a Service  B. Platform as a Service  C. Infrastructure as a Service  D. Both A and C
   Explanation: Online tools are examples of Software as a Service.

58. Google Docs is an example of:
   A. Software as a Service  B. Platform as a Service  C. Infrastructure as a Service  D. None of the above
   Explanation: Google Docs is an example of SaaS.

59. Storage as a service is a sub-offering under which of the following categories?
   A. SaaS  B. PaaS  C. IaaS  D. Both SaaS and IaaS
   Explanation: It is an offering of IaaS.

60. The nature of cloud computing means that it is more difficult to:
   A. Ensure adequate resource division  B. Determine who to contact in case of a security incident or data breach  C. Make commitments to customers regarding security  D. All of these
   Explanation: All of the above mentioned reasons together make up cloud computing.

61. Which of the following are the phases of incident recovery the SLA should guarantee support for?
   A. Detection, incident, response and recovery  B. Analysis, incidence, response and recovery  C. Detection, analysis, containment, eradication, and recovery  D. None of the above
   Explanation: Detection, analysis, containment, eradication and recovery are the phases of incident recovery and the SLA must ensure they are covered.

62. When any expertise is outsourced, --- has to be signed.
   A. HIPAA  B. IR  C. NDA  D. None of the above
   Explanation: An NDA has to be signed while outsourcing expertise. NDA stands for Non-Disclosure Agreement.

63. While evaluating risk for cloud, the first step is?
   A. Determine initial costs  B. Determine data or function considered for cloud  C. Determine importance of data or function  D. Determine strategy of adopting cloud
   Explanation: While evaluating risk for cloud, the first step is to determine the data or function considered for cloud.

64. In a cloud environment, the number of sources that must be monitored:
   A. Are the same as in any other computing environment  B. Increase minimally  C. Decrease substantially  D. Increase exponentially
   Explanation: Since resources grow depending upon the demand, it grows exponentially.

65. ESI stands for:
   A. E-mail Storage interface  B. Electronic Stored Interface  C. Electronically Stored Information  D. None of the above
   Explanation: ESI stands for Electronically Stored Information.

66. According to the Cloud Security Alliance (CSA), the cloud customer must understand:
   A. The provider's ability to produce evidence needed for compliance  B. The division of compliance responsibilities between the consumer and provider  C. The customer's role in bridging the gap between auditor and service provider  D. Removed

67. Service levels, governance, compliance and liability are stipulated and enforced in which of the following service models?
   A. SaaS  B. PaaS  C. IaaS  D. All of the above
   Explanation: Irrespective of the models, service levels, governance, compliance and liability are stipulated and enforced.

68. According to the Cloud Security Alliance (CSA), cloud service providers should use which of the following as a guideline?
   A. ISO/IEC 27000  B. ISO/IEC 27001  C. ISO/IEC 27003  D. ISO/IEC 35000
   Explanation: According to the Cloud Security Alliance (CSA), cloud service providers should use ISO/IEC 27001 as a guideline.
The provider's ability to produce evidence needed for compliance B. According to the Cloud Security Alliance (CSA).

User tagging to classify data. The acronym EDoS refers to: A. 75. the providers ability to produce evidence needed for compliance. D. Four deployment models for cloud services Explanation: NONE 74. Agile computing D. Transferred C. Processes D. B. All of the above Explanation: The cloud customer must understand. All of these Explanation: Tools. The 'ability to run multiple operating systems on a single physical system and share the underlying hardware resources' is referred as: A. Economic Denial of Service B. Software as a Service B. Identification of data labeling and classification capabilities. Cloud computing B. Three deployment models for cloud services D. None of the above Explanation: Rackspace is an example of infrastructure as a Service. Policies C. Improvements in which of the following areas would lead to improvements for all cloud service customers? A. there are A. Engineered Data on Servers Explanation: EdoS stands for Economic Denial of Service 76. accepted or transferred as per CSA guidelines 73. Two deployment models for cloud services C. One deployment model for cloud services B. Mitigated D. Encrypted Disaster or Solution D. Virtualization Explanation: Ability to run multiple operating systems in a single hardware is called virtualization. Rackspace Cloud is an example of: A. Infrastructure as a Service D. All of the above Explanation: Risk may be mitigated. C. 72. the division of compliance responsibilities between consumer and provider and the customer's role in bridging the gap between auditor and service provider. Accepted B. Grid computing C. Platform as a Service C. Environmental Domain of Service C. 70. In SaaS. Which of the following is NOT a recommendation for the 'create' phase of the data security lifecycle? A. 71. According to the CSA's (Cloud security alliance's) risk assessment framework. Tools B. policies and processes are equally important and can have varied benefits. risks may be --- A. Leveraging of content discovery tools .

Customers may be locked into a contract with a provider for many years B. All of the above Explanation: A run on the banks scenario can lead to crisis of confidence. Jericho forum D. In which model. Highly Intelligent Performance and Accounting B. D. All of the above Explanation: Cloud cube model illustrates physical location of deployment models. None of the above Explanation: In PaaS. 82. According to the Cloud Security Alliance (CSA). 83. Retain ownership of the data in original format. Highly Interfering Performance and Auditing C. the cloud services agreement must allow the client or third party to: A. Customer data may be made publicly available Explanation: In case of the provider going bankrupt. Monitor the service provider's performance and test for system vulnerabilities. An upcoming financial audit B. then there is a chance that the customers might not be able to retrieve their data . 80. Cloud cube model was developed by --- A. A 'mass exodus' scenario C. OpenCrowd cloud solutions C. SaaS B. PaaS C. Cloud Security Alliance B. C. Which of the following scenarios begins with a crisis of confidence in the cloud provider's financial position? A. A 'run on the banks' scenario D. laaS D. Customers may not be able to retrieve their data C. B. applications can be built and hosted 81. Providers may be able to leak customer data to third parties D. 79. Enterprise digital rights management Explanation: Content discovery tools usage is not part of 'create' phase 77. Adjust the process for responding to legal requests at any time. Health Insurance Portability and Accountability D. Have reasonable security that data breaches will not happen. GoGrid Explanation:Jericho forum developed cloud cube model. None of the above Explanation: HIPAA stands for Health Insurance Portability and Accountability. 
Explanation: According to the Cloud Security Alliance (CSA) the cloud services agreement must allow the client or party to retain ownership of the data in original format 78. Physical location of deployment models B. It is compliance. does the consumer have control over application hosting environment configurations? A. Deployment models C. Management and ownership D. The worst case scenario in a 'run on the banks' situation is that: A. D. Cloud cube model illustrates -- A. HIPAA stands for: A.

Right to Withdraw Clause C. 87. What kind of provisioning is standardized in OASIS' Service Provision Markup Language (SPML)? A. Cloud service customers should develop evidence-collecting processes for which of the following areas? A. 90. Be done regardless of the provider's certifications C. Which of the following is NOT true about PaaS? A. which of the following clauses should be obtained whenever possible? A. Be done by the customer only B. 86. Change management reports D. Push-style provisioning D. Lateral provisioning B. According to the Cloud Security Alliance (CSA). There are not as many security options as SaaS within this model Explanation: PaaS offers multiple security options for customers 85. and change management reports. Events management B. Audit logs C. Which of the following assets are supported by cloud? A. Data Transferability Clause Explanation: Right to Audit Clause should be given from time to time to ensure everything is as per the agreement. audit logs. Incidents management D. None of the above Explanation: Data breaches is part of disaster management. cloud service providers need to be audited. It is more extensible than the SaaS model D. It enables developers to build their own applications on top of the platform B. . Be waived. Data and resources B. Data breaches is a part of: A. Applications and processes/functions C. 84. Data and applications/functions/processes D. Pull-style provisioning Explanation: Service Provision Markup Language uses push-style provisioning. 88. cloud service providers audit should be done? A. Right to Audit Clause B. System configurations B. None of the above Explanation: No matter what certifications provider has. Security Breach Clause D. All of the above Explanation: Cloud service customers should develop evidence-collecting processes for system configurations. It offers less customer ready features than SaaS C. All of the above Explanation: All the mentioned functions are actively supported by cloud 91. 
Transport provisioning C. 89. Disaster management C. In which of the following cases. if the provider has adequate certifications D.

2006 Explanation: Since 2006. Security based approach D. Software and hardware are tightly coupled Explanation: Through hypervisor. Which of the following is not a category of infrastructure services? A. 95. SOC refers to: . Which of the following should not demonstrate compartmentalization by cloud providers. according to the Cloud Security Alliance (CSA)? A. Compute C. Risk based approach C. Storage B. laaS D. 97. none of the above Explanation: Consumers do not have much of a say in SaaS offerings. Services Management D. Economic Denial of Service D. 2002 C. In which of these models. 2000 B. SaaS B. this may be referred to as Distributed Denial of Service 93. costly infrastructure D. Which of the following is a characteristic of virtualization? A. virtualization separates hardware and OS+ applications. Distributed Denial of Service C. this may be referred to as: A. 99. A. Inflexible. Diminished Domain of Service B. Hardware-independence of operating system and applications C. Since ----. Resources Explanation: Personnel compartmentalization should not be demonstrated by the cloud providers. Personnel D. When an attacker uses a customer' resources for his/her own gain. 92. Profit based approach B. What is recommended to enterprises adopting cloud? A. 2004 D. Single OS image per machine B. PaaS C. Integration Explanation: Integration is not a category of infrastructure services 94. does the consumer have limited user-specific configuration settings? A. the Federal Rules of Civil Procedure require the inclusion of electronically- stored information when responding to discovery requests. Engineered Denial of Service Explanation: When an attacker uses a customer's resources for his/her own gain. Privacy based approach Explanation: Risk based approach is an important factor to consider 98. Provisioning C. the Federal Rules of Civil Procedure require the inclusion of electronically-stored information when responding to discovery requests. Systems B. 96.

Why is the size of data sets a consideration The sheer size of data may cause an in portability between cloud service interruption of service during a transition. Increase minimally C.Measured Service The level of attention and scrutiny paid to The valued Risk enterprise risk assessments should be directly related to what? In the majority of data protection laws.com/flashcards/ccsk-3657367) What are the five essential characteristics of 1 . A.On-Demand service. What are the six phases of the data security Create.Broad Network Access. When considering compliance with accepted frameworks and standards. making it important that the data center visits by every customer to conduct an operators are required to provide auditing for audit. Deny In which type of environment is it impractical In multi-tenant environments the operator to allow the customer to conduct their own or provider cannot normally accommodate audit. cloud architecture D. Decrease substantially D. cloud architecture. providers? or a longer transition period than anticipated. Archive. Are the same as in any other computing environment B. when The Data Controller the data is transferred to a third party custodian.cram. Delay. Detect. cloud service classification C. Security architecture. 5 . the number of security notifications: A. 100. Share. Increase exponentially Explanation: With cloud all security measure have only been increased exponentially. security architecture and cloud architecture B.Resource Cloud computing as defined by NIST . the customers? . Service Office Catalogue Explanation: SOC refers to Security Operations Center. compliance architecture.Rapid Elasticity. Pooling. Adding Flash Card information I have received from a websiste . one should consider -- A. Compliance architecture. Use. What are the four D's of perimeter security? Deter. All of the above Explanation: All these should be taken into serious consideration 101. Standard Operations Credentials C. 2 . Cloud service classroom. 
Strategic Overview Card B. who is ultimately responsible for the security of the data? What is the most important reason for So that it can address the specific knowing where the cloud service provider will restrictions that foreign data protection host the data? laws may impose. 3 . 4 . lifecycle? destroy. In a cloud environment. Security Operations Center D. Store.Thanks to Ajay Chauhan (http://www.

to… the worst case scenario would be bankruptcy of the customer or a serious economic impact How does SaaS alleviate much of the The provider is not only responsible for the consumer's direct operational responsibility? physical and environmental security controls. controls may not be able to monitor certain rather than a network. in the 1995 European Union (EU) Data Protective Directive and the 2002 ePrivacy Directive as amended in 2009. and technologies of their own or adopting one of the maturity models. What is the most significant reason that To be able to prove that all data has been customers are advised to maintain in-house deleted from the public cloud environment key management? when exiting that environment. types of traffic? When deploying Security as a Service in a Agreement on the metrics defining the highly regulated industry or environment. service level required to achieve what should both parties agree on in advance regulatory objectives and include in the SLA? Economic Denial of Service (EDOS). where network-based security each other over a hardware backplane. name the group that has enacted The European Economic Area (EEA) data protection laws and the principles on Member States follow principles set forth which they follow. refers The destruction of economic resources. and the data. How should an SDLC be modified to address Organizations must adopt best practices application security in a Cloud Computing for development. state laws Written contract with the service provider require when using a Cloud Service with reasonable security measures. either by having a good environment? blend of processes. What two types of information will cause PII .What measures could be taken by the cloud SaaS providers that generate extensive service provider (CSP) that might reduce the customer-specific application logs and occurrence of application level incidents? 
provide secure storage as well as analysis facilities will ease the IR burden on the customer.Personal Identifiable Information additional regulatory issues for all SPI . tools. Provider? What must be included between an What must be included between an organization and a Cloud Service Provider organization and a Cloud Service Provider when the organization has contractual when the organization has contractual .S. In Europe. What is the minimum that U.Sensitive Personal Information organizations if held as an aspect of an Identity? Why do blind spots occur in a virtualized Virtual machines may communicate with environment. but it must also address the security controls on the infrastructure. the applications.

Assignment of compliance regulatory compliance? responsibilities including the providers . At what stage should compliance be Requirement identification stage addressed between an organization and CSP? What is multi-tenancy? Use of same resources or application by multiple customers that may belong to the same organization or a different organization. contacts or information of their clients. CSP. contacts or employees.Relationship between all parties including customer.CSP capability to show compliance . to ensure that the data are not used for secondary use and are not disclosed used for secondary use and are not to third parties? disclosed to third parties? What is a click-wrap agreement? What is a click-wrap agreement? How does an organization respond to the How does an organization respond to the evolving nature of the cloud environment? evolving nature of the cloud environment? How does an organization respond to the All documents that pertain to the case evolving nature of the cloud environment? whether favorable to its case or the other litigant's case.obligations to protect the personal obligations to protect the personal information of their clients. and tested protocols and standards. appropriate resources. What is ESI? Electronically Stored Information What are four considerations for a cloud Cross-border or multi-jurisdiction customer to understand in reference to . to ensure that the data are not employees. auditors and CSP providers What role do audits perform in the cloud Audits must be independently conducted relationships? and should be robustly designed to reflect best practice. What does a cloud service model need to Policy-driven enforcement include for multi-tenancy consumers? Segmentation Isolation Governance Service Levels Chargeback/billing models What services can be shared in multi-tenancy Infrastructure cloud service models? 
Data Metadata Services Applications What three cloud services make up the Cloud Infrastructure as a Service (IaaS) Reference Model? Platform as a Service (PaaS) Software as a Service (SaaS) .

Types of assets.Manner in which cloud services are consumed .Governance .Insourced / Outsourced: Who provides the cloud service List the four cloud deployment models Public Private .Define IaaS IaaS delivers computer infrastructure as a service along with raw storage and networking.Monitoring .internal/external Hybrid Community What is the key takeaway for security The lower down the stack the CSP stops. Define SaaS SaaS delivers software and its associated data hosted centrally typically in the cloud and are usually accessed by users via a web browser over the Internet.Map the security architecture and requirements? business. What are the risks and pitfalls to consider in How / where cloud service are deployed the Cloud Security Reference Model? .Who manages them and How .Re-perimeterization of enterprise networks .Transformation/portability .which controls are selected and How they are integrated . List the four dimensions in the Jericho Cloud Internal (I) / External (E): Physical Cube Model Location . resources and information being managed .Proprietary (P) / Open (O): State of Ownership . architecture? the more security capabilities and management consumers are responsible for implementing and managing themselves. regulatory.Perimeterised (Per) / De-perimeterised (D-p): Architectural mindset . and other compliance requirements as a gap- analysis exercise What do cloud service brokers provide? Intermediation .compliance issues How do you determine the general security Classify a cloud service against the cloud posture of a service and how it relates to an architectural model asset's assurance and protection . Define PaaS PaaS delivers computing platform and solution stack as a service.

Accept: no action is taken due to a cost/benefit decision What should be specifically targeted in the Incident management assessment of a CSP's third party service . List four of the specific risks identified and Avoidance: exiting the activities giving rise analyzed by management in a cloud to risk environment.Disaster recovery policies.Compliance . aligned with the risk appetite and tolerance of the data owner.Financial transparency and information disclosure .Governance .Corporate responsibility and compliance . technologies. administered or controlled. Define Enterprise Risk Management The methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. .Integration services .Provisioning .Reduction: taking action to reduce the likelihood or impact related to the risk . laws and institutions affecting the way an enterprise is directed. policies.Share or insure: transferring or sharing a portion of the risk to finance it . .Relationship negotiation between CSP and consumers What are included in a Service Level Service levels Agreement (SLA)? .Ownership structure and exercise of control rights Define Corporate Governance The set of processes. processes and procedures . customs.Board and management structure and process . . Define Information Risk Management The process of identifying and understanding exposure to risk and the capability of managing it.Security .Liability expectations of the service and provider What are two types of Service Level Negotiable Agreements (SLA)? Non-negotiable Name the five basic principles followed in Auditing supply chains Corporate Governance.business continuity providers? .Review of co-location and back-up facilities .

Define Public Cloud? The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. CCSK Training Link [1] Cloud Service Provider [2] Digital Rights Management . application of security controls. What is a CSP's supply chain? Their service provider relationships and dependencies How should the cost savings obtained by Reinvest into increased scrutiny of the cloud computing services be utilized? security capabilities of the provider. and ongoing detailed assessments and audits to ensure requirements are continuously met. It may be managed by the organization or by a third party and may be located on-premise or off-premise. Define Private Cloud The cloud infrastructure is operated solely for a single organization. It may also be worth visiting the following site for additional CCSK training information.
