The CCSK Study Guide

Revision : 0.7
Created: January 5th, 2015
Last Modified: November 24th, 2015

Contributor          Organization               Country
Alejandro Castillo   FireEye Inc                United States of America
Peter HJ van Eijk    Club Cloud Computing       Netherlands
Ajay Chauhan         SafeNet                    United Kingdom
Ash Thakrar          PwC                        United Kingdom
David Glosser        Regeneron Pharmaceuticals  United States of America

Please scroll down to find the actual study guide.
If you found any part of this guide helpful please provide a like or some feedback at the following link:

https://www.linkedin.com/groups/CCSK-study-guide-OpenSource-4071935.S.5958007520671911936?view=&gid=4071935&item=5958007520671911936&type=member&commentID=discussion%3A5958007520671911936%3Agroup%3A4071935

If you wish to contribute feel free to type your suggestions and they will be taken accordingly.
CCSK Key Examination Concepts
CSA Guidance For Critical Areas of Focus in Cloud Computing V3.0 English

Based on research that I have seen online, it is suggested that domains 2, 5, 10 and 12 are heavily tested, especially 5. Attention should be paid to Risks and Challenges.
Victor said these were some of the most quizzed areas:
Reading the material is extremely time consuming; Incident Response and Identity and Access Management seem to have the most material.

Domain 1: Architecture
Summary
• SPI = Software, Platform and Infrastructure as a service.
• Cloud formations = the forms of cloud computing or the way it's deployed.
• Cloud benefits - collaboration, agility, scaling, availability, reduced cost, optimized and efficient.
• Steps for evaluating risk in the cloud
  1. Determine what data to send to the cloud - (1) Data (2) Application/Function/Processes
  2. Determine how important the data or function is
  3. Determine the best deployment model (for models look at the NIST model below)
  4. Evaluate the potential cloud providers
• NIST Definition of Cloud Computing (Essential Characteristics, Cloud Service Models, Cloud Deployment Models)
• Multi-Tenancy (NIST doesn't have it, but CSA's cloud model includes it as an essential characteristic):
  • Policy enforcement
  • Segmentation
  • Isolation
  • Governance
  • SLA
  • Chargeback
  The problem with multi-tenancy is visibility of residual data or traces of operations of tenants.
• CSA Cloud Reference Model (also known as service models)
  • IaaS - Most flexible, possibly the least secure, and customers responsible for most of the security mechanisms
  • PaaS - Enormous flexibility, but not quite as flexible.
  • SaaS - Least flexible, possibly most secure, and dependent on the provider
  You can outsource a lot of manageability, but not accountability.
• Jericho Cloud Cube Model
  The four sides/eight dimensions:
  • I/O - Insourced or Outsourced
  • I/E - Internal or External
  • O/P - Open or Proprietary
  • P/D - Perimeterised or De-perimeterised
  Least to most mature:
  1. Outcome/Value
  2. Process
  3. Software
  4. Platform
  5. Infrastructure

• Cloud Security Reference Model - possible definition on page 20, third paragraph

• Cloud Service Brokers - Middleman/Middleware that act like proxies between the cloud and the consumer. This is done to provide an abstraction of capabilities between the customer and the cloud to allow for fluidity and agility.
• Service Level Agreements
  • Negotiable and nonnegotiable.
  • Most of the control and security will be held in the SLA.
  • SLAs must cascade downwards from Provider to Third Party and supply chain.
  • Auditing provides affirmation and really specifies the level of security in SaaS.
• Even Private Clouds may have multitenancy (multiple projects, contractors, part-timers, third party consultants, compliance, etc…).

Domain 2: Governance and Enterprise Risk Management
• Governance - processes, policies, customs, laws and institutions.
• Contractual Security Requirements - security level, governance and liability expectations.
• Enterprise and Information Risk Management - Measure, manage and mitigate uncertainty. Risk treatment options: Avoidance, Reduction, Share/Insure/Transfer and Accept.
• Third Party Management Recommendations - Contracts are risk management tools with metrics/audits to ensure accountability.

• Supply chain examination - Risk is inherited throughout the supply chain. Third parties should be picked out in advance and reviewed. CSP/third party review of how information is stored, along with review of co-locations and backup facilities, must be part of the background check assessment.
• Use of Cost Savings for Cloud - Should be re-invested to scrutinize the security capabilities of the provider.
• The major part of most of the governance will be the contract between the provider and customer. Audit might be hard due to an elastic environment.

Domain 3: Legal Issues: Contracts and Electronic Discovery
• Consideration of cloud-related issues in three dimensions: Monitoring, testing, evaluation???
• Compliance analysis requirements - laws and regulations one must comply with. Identify legal barriers and ensure they are addressed in the contract. Data is stored, processed and transmitted across borders with many different laws in those places as well as the ones we must comply with.
• "Cloud aware" - include legal, procurement and contract teams to identify them.
• Federal Rules of Civil Procedure and electronically stored information - ESI for holding. In the US you must give everything to the requesting party even if it is not in your favor.
• Metadata - it's data about data.
• Litigation hold - obligation to undertake reasonable steps to prevent destruction or modification of data or the information processing. It must also be protected and well stored (this is called a legal hold).
• Jurisdictions and data locations - geographical locations and legal jurisdictions. In terms of jurisdiction it depends on where the legal court is?
• Liability for activities of subcontractors.
• Due diligence responsibility - The client is responsible for the data even though they might not have access.
• eDiscovery considerations - the client may not have access themselves, thus they need the CSP[1].
• Compliance impact on cloud contracts.

Domain 4: Compliance and Audit Management
• Definition of Compliance: the awareness and adherence to obligations (laws, regulations, contracts, policies and various other things), including the assessment and prioritization of corrective actions deemed necessary and appropriate.
• Right to audit - gives customers the ability to audit the cloud provider and provides for transparency/accountability; however, it should be written into the contract.
• Right to transparency - can view or request a push to view the stats of the environment.
• Auditor requirements - SSAE 16 SOC2 or ISAE 3402 Type 2.
• Audit scope and compliance scope - these will likely include contracts, business continuity and disaster recovery policies, and processes and procedures.
• Incident Management.

Domain 5: Information Management and Data Security
• Six phases of the Data Security Lifecycle and their key elements: Create-Store-Use-Share-Archive-Destroy.

• Volume storage: virtual hard drives (data dispersion to support resiliency and security)
• Object storage: file storage (can typically be accessed by APIs or a web interface)
• Logical vs physical locations of data - Potential issues from regulatory, contractual and other jurisdictional issues; it is extremely important to understand both the logical and physical location of the data.
• Detection of data migration to the cloud
• Three valid options for protecting data:
  • Client application encryption
  • Link/Network encryption
  • Proxy based encryption
• Data Loss Prevention: Used for content delivery and to monitor data in motion
  • Actions: Block or allow to proceed after remediation (DRM[2], ZIP, PGP)
  • Deployment may be done using any of the following: Dedicated Appliance, Virtual Appliance, Endpoint agent, Hypervisor agent, DLP SaaS
• Encryption in IaaS, PaaS & SaaS
  • IaaS - Volume Storage Encryption: Instance Managed encryption, Externally Managed encryption, Proxy Encryption
  • PaaS: Client/Application encryption, Database Encryption, Proxy Encryption
  • SaaS: Provider-Managed Encryption, Proxy Encryption
• Database Activity Monitoring (DAM) and File Activity Monitoring (FAM): Can be used to detect and monitor attacks.

• DAM: captures and records all DB SQL activity, including database activity across multiple database platforms, and can generate alerts on policy violations. It is used with dedicated database instances for a single customer (although in the future it may be available for PaaS). DAM tools are typically agent-based, connecting to a central collection server (which is typically virtualized).
• FAM: products that monitor and record all activity within designated file repositories at the user level and can generate alerts based on violations.????? FAM tools require agents or placing a physical appliance between the cloud storage and the cloud consumer.
• Data Dispersion: spreads data across nodes (data fragmentation) to make it more resilient and harder to compromise. Usually done by using an Information Dispersal Algorithm (IDA); no encryption is used in dispersion.
• Data Fragmentation: when fragmentation is used alongside encryption it becomes hard to compromise, as you have to compromise m cloud nodes with fragments and then still break the encryption.
• Data Backup - how data is generated, maintained, performed and documented.

Domain 6: Interoperability and Portability
• Definitions of Portability and Interoperability
  • Interoperability: the requirement for the components in a cloud ecosystem to work together to produce the intended result
  • Portability: defines the ease with which application components can be moved and reused elsewhere regardless of provider
• Virtualization impacts on Portability and Interoperability - can help abstract hardware for flexibility, and using something like Open Virtualization Format (OVF) can aid in portability.
• SAML and WS-Security - are authentication protocols that are interoperable with standards-based systems. Using the open standard SAML can help ensure portability of identities.
• Size of Data Sets - the sheer size can cause disruption of service during transition or can make the transition longer than it needs to be (courier may be an option).
• Lock-in considerations by IaaS, PaaS & SaaS delivery models
  • IaaS
    • creation, storage, backup and restore, deletion and deprovisioning (removing residual data)
    • hardware based dependencies moving to virtualization; dependencies on infrastructure, OS, platform and location
    • access to system logs, traces, billing records
    • interoperability and portability of feature sets moving from one cloud to another, as well as understanding dependency on legacy IaaS (cost as well)
    • who maintains crypto keys
  • PaaS
    • tools available for secure data transfer; the format of the data or the APIs available or dependent on provider
    • open APIs and open standards such as Open Cloud Computing Interface (OCCI)
    • how to transfer to a new vendor; do testing prior to moving
  • SaaS
    • determine which data can be preserved and migrated (escrow service?)
    • perform regular data backups
    • for interoperability and portability use standard syntax
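The Domain 5 notes above say data dispersion usually relies on an Information Dispersal Algorithm and that fragmentation only becomes hard to compromise when it is layered on encryption. The following is an added example (not code from the study guide or the CSA guidance) of a toy k-of-n IDA over GF(256) in the style of Rabin's scheme, with the "encrypt first, then disperse" layering on top. The customer record, key and cipher are constructed for the demo; the XOR stream cipher stands in for AES-GCM and must not be used as-is.

```python
"""Toy Information Dispersal Algorithm (k-of-n over GF(256)) plus the
encrypt-then-disperse layering from Domain 5. Added illustration; all sample
data is constructed and the stream cipher is a stand-in for AES-GCM."""
import hashlib
import os

AES_POLY = 0x11B  # reduction polynomial for GF(2^8)


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(256) elements (carry-less multiply, reduce mod AES_POLY)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_pow(a: int, e: int) -> int:
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r


def gf_inv(a: int) -> int:
    return gf_pow(a, 254)  # a^(2^8 - 2) is the inverse of a nonzero a


def _solve(matrix, rhs):
    """Solve matrix * c = rhs over GF(256) by Gauss-Jordan elimination."""
    k = len(rhs)
    m = [list(row) + [rhs[i]] for i, row in enumerate(matrix)]
    for col in range(k):
        pivot = next(r for r in range(col, k) if m[r][col])
        m[col], m[pivot] = m[pivot], m[col]
        inv = gf_inv(m[col][col])
        m[col] = [gf_mul(v, inv) for v in m[col]]
        for r in range(k):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [v ^ gf_mul(f, p) for v, p in zip(m[r], m[col])]
    return [row[k] for row in m]


def _eval_poly(coeffs: bytes, x: int) -> int:
    y = 0
    for j, c in enumerate(coeffs):
        y ^= gf_mul(c, gf_pow(x, j))
    return y


def disperse(data: bytes, k: int, n: int) -> dict:
    """Split data into n fragments, any k of which reconstruct it. Each k-byte block
    becomes the coefficients of a polynomial; fragment x stores p(x). Storage
    overhead is n/k, and no randomness is added (unlike secret sharing)."""
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    padded = data + b"\x00" * (-len(data) % k)
    frags = {x: bytearray() for x in range(1, n + 1)}
    for off in range(0, len(padded), k):
        coeffs = padded[off:off + k]
        for x, frag in frags.items():
            frag.append(_eval_poly(coeffs, x))
    return {x: bytes(f) for x, f in frags.items()}


def reassemble(frags: dict, k: int, length: int) -> bytes:
    """Rebuild the original bytes from any k fragments (dict keys are the x values)."""
    xs = sorted(frags)[:k]
    if len(xs) < k:
        raise ValueError(f"need {k} fragments, have {len(xs)}")
    vandermonde = [[gf_pow(x, j) for j in range(k)] for x in xs]
    out = bytearray()
    for i in range(len(frags[xs[0]])):
        out.extend(_solve(vandermonde, [frags[x][i] for x in xs]))
    return bytes(out[:length])


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with a SHAKE-256 keystream; symmetric, so it also decrypts. Demo only."""
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def protect_and_disperse(record: bytes, key: bytes, k: int, n: int) -> dict:
    """Domain 5 layering: encrypt under a customer-held key, then disperse the ciphertext.
    An attacker holding k nodes reassembles only ciphertext; fewer than k, not even that."""
    nonce = os.urandom(16)
    fragments = disperse(toy_encrypt(key, nonce, record), k, n)
    return {"nonce": nonce, "length": len(record), "fragments": fragments}


def recover(bundle: dict, surviving: dict, key: bytes, k: int) -> bytes:
    ciphertext = reassemble(surviving, k, bundle["length"])
    return toy_encrypt(key, bundle["nonce"], ciphertext)
```

Run `protect_and_disperse(record, key, 3, 5)`, drop any two of the five fragments, and `recover` still returns the record; with only two fragments `reassemble` refuses, and with the right fragments but the wrong key the result is garbage, which is the point of the two layers.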

• Lack of interoperability can lock you to a vendor (costly conversion, loss of data). Lock-in can also occur if the data can't be easily exported, thus the need for portability. "Understand up-front and plan for how to exit the contract" - meat of the security.
• Mitigating hardware compatibility - when possible use open and published architectures with standard protocols.
• Review/audit the consistency of controls.

Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
• Four D's of perimeter security: Deter, Detect, Delay and Deny
• Providers should have a security baseline - compartmentalization, non-disclosure agreements, background checks, separation of duties, retraining, avoidance of conflicts of interest
• Restoration Plan: should correlate directly to the SLA, as contractually committed, and include both the Recovery Point Objective (RPO) and Recovery Time Objective (RTO)
• Physical location of cloud provider - the consumer should conduct a critical evaluation of the data center's physical location:
  • not in areas known to have seismic activity, floods, landslides or other natural disasters
  • not located in areas known to have high crime, political or social unrest
  • check accessibility of the location and anything that might inhibit that
• Business Continuity Management/Disaster Recovery due diligence
  • review the CSP's BCP process
  • BS 25999 - the British Standard for Business Continuity Management (BCM)
  • ISO 22301 is responsible for Business Continuity
  • traditional audits, on-site assessments, direct examination or certifications
  • things to review: Emergency Response Team (ERT), Crisis Management Team (CMT) and the Incident Response Team (IRT)
• Customer due diligence related to BCM/DR.
• Cloud backup and disaster recovery services (transfers to and from the cloud, transfer error) - Main challenges: mobility, availability, performance, scalability and metered payments.
• Disaster Recovery is built on three layers: virtual storage, scalable file systems and a self-service disaster recovery application.

Domain 8: Data Center Operations
• Relation to Cloud Controls Matrix - table comprised of:
  • Application Mission: contractual, legal or regulatory requirement
  • Control: security concept that is meant to mitigate risk to accomplish the mission
  • Specification: details of said control that will actually mitigate said risk
• Queries run by data center operators
• Technical aspects of a provider's data center operations the customer should understand
• Logging and report generation in multi-site clouds: it needs software to orchestrate the logging

Domain 9: Incident Response
• Factors allowing for more efficient and effective containment and recovery in a cloud
  • Can allow for faster incident response through continuous monitoring
  • Faster recovery through virtualization and elasticity, resulting in fast containment and recovery
  • Easier portability and imaging thanks to VM moves
• Main data source for detection and analysis of an incident - logs, audit, pretty much anything you can get. Make sure that time is consistent (i.e. time sync). Is the dynamic nature of the cloud accurately captured?

• Are legal requirements met - log retention patterns and tamper resistance
• Investigating and containing an incident in an Infrastructure as a Service environment
  • snapshots of memory
  • creation of hard disk images and generating snapshots require the CSP
  • VM introspection or live forensic system support require the CSP
  • advanced forensics techniques
• Investigating and containing an incident in a PaaS/SaaS environment - Requires almost all CSP support and has to be negotiated in the Service Contract
• Reducing the occurrence of application level incidents
• SLAs and IR plans should include "Lessons Learned" after the recovery
• How often should incident response testing occur - At least once a year
• Offline analysis of potential incidents - ????????
• Challenges for Incident Response in the cloud
  • Automated environment does not help, but destroys evidence
  • Elastic environment makes forensics especially hard
  • There might be privacy issues in doing forensics

Domain 10: Application Security
• Identity, Entitlement, and Access Management (IdEA): Authentication, Authorization, Administration, Audit & Compliance, Policy
• SDLC impact and implications - It's typically harder in the cloud
  • control over physical is harder
  • potential incompatibilities
  • protection of data through its lifecycle (transit, rest)
  • web services can introduce more vulnerability
  • harder to get to logs or to demonstrate compliance
• Mitigation - Least Privilege/Segregation of duties/Defense in depth/fail safe/….
• Differences in S-P-I models
• Consideration when performing a remote vulnerability test of a cloud-based application - Is the multi-tenancy of it??????
• Categories of security monitoring for applications: Log Monitoring, Performance Monitoring, Monitoring for malicious use, Monitoring for compromise, Monitoring for policy violations
• Entitlement matrix - set of rules in the entitlement layer, fed by claims, assertions and attributes.

  The above is simply an example of an entitlement matrix.

Domain 11: Encryption and Key Management
• Adequate encryption protection of data in the cloud
• Key management best practices: location of keys, keys per user
  • Location of keys - Whenever possible keys should reside with the user/enterprise. This way, in case of compromise, the data cannot be easily decrypted. An application or process may need keys, so be aware… Use KEKs (Key Encrypting Keys) or in-memory keys.
  • Keys per user - There should be one key per user so they can only encrypt/decrypt their own data. There should be a group key for when users need to share data.
• Relationship to tokenization, masking, anonymization and cloud database controls
  • Tokenization (basically doing reference substitutions)
  • Data Anonymization (stripping out sensitive data)
  • Masking - Another word for format preserving encryption?????
  • Utilizing cloud database controls - access control based on segregation levels

Domain 12: Identity, Entitlement, and Access Management
• Relationship between identities and attributes - Identity is something you are and attributes are the characteristics. Based on these two characteristics a risk-based decision is made to allow access to resources or services. The process of mapping identities to attributes is called entitlement, so entitlement is what ultimately dictates access.
• Identity Federation - The ability to use one identity repository in another for authentication or validation purposes.
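To make the Domain 11 key management practices concrete (keys residing with the enterprise, one key per user, a group key for sharing, and a KEK wrapping the data keys), here is an added example that is not code from the study guide. The enterprise key server, the cloud store, the user names, the sample records and the toy cipher are all constructed; a real deployment would use AES-GCM, RFC 3394 key wrap or a KMS in place of the SHAKE-based XOR and HMAC tag used here.

```python
"""Key hierarchy for Domain 11: a KEK that stays with the enterprise, one DEK per
user, a group DEK for shared data, and only wrapped DEKs plus ciphertext in the
cloud. Added illustration; names, records and the toy cipher are constructed."""
import hashlib
import hmac
import os


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with a SHAKE-256 keystream; symmetric, so it also decrypts. Demo only."""
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def wrap_key(kek: bytes, dek: bytes, dek_id: str) -> dict:
    """Encrypt a DEK under the KEK and bind it to its id with an HMAC tag."""
    nonce = os.urandom(16)
    blob = toy_encrypt(kek, nonce, dek)
    tag = hmac.new(kek, dek_id.encode() + nonce + blob, hashlib.sha256).digest()
    return {"dek_id": dek_id, "nonce": nonce, "blob": blob, "tag": tag}


def unwrap_key(kek: bytes, wrapped: dict) -> bytes:
    """Verify the tag before unwrapping, so a wrong KEK or a tampered blob is rejected."""
    msg = wrapped["dek_id"].encode() + wrapped["nonce"] + wrapped["blob"]
    expected = hmac.new(kek, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, wrapped["tag"]):
        raise ValueError("wrapped DEK failed integrity check")
    return toy_encrypt(kek, wrapped["nonce"], wrapped["blob"])


class EnterpriseKeyServer:
    """Customer-side component: holds the KEK and the entitlement map. The cloud never sees the KEK."""

    def __init__(self):
        self._kek = os.urandom(32)
        self._entitled = {}  # dek_id -> set of users allowed to use that DEK

    def issue_dek(self, dek_id: str, users) -> dict:
        self._entitled[dek_id] = set(users)
        return wrap_key(self._kek, os.urandom(32), dek_id)

    def unwrap_for(self, user: str, wrapped: dict) -> bytes:
        if user not in self._entitled.get(wrapped["dek_id"], set()):
            raise PermissionError(f"{user} is not entitled to {wrapped['dek_id']}")
        return unwrap_key(self._kek, wrapped)


class CloudStore:
    """Provider-side storage: wrapped DEKs and ciphertext only."""

    def __init__(self):
        self.wrapped = {}  # dek_id -> wrapped DEK
        self.objects = {}  # name -> (dek_id, nonce, ciphertext)

    def put(self, name: str, dek_id: str, dek: bytes, plaintext: bytes) -> None:
        nonce = os.urandom(16)
        self.objects[name] = (dek_id, nonce, toy_encrypt(dek, nonce, plaintext))

    def get(self, name: str, dek: bytes) -> bytes:
        _, nonce, ciphertext = self.objects[name]
        return toy_encrypt(dek, nonce, ciphertext)


def read_object(user: str, name: str, cloud: CloudStore, keys: EnterpriseKeyServer) -> bytes:
    """Read path: fetch the object's wrapped DEK, unwrap it on the customer side, decrypt."""
    dek_id = cloud.objects[name][0]
    return cloud.get(name, keys.unwrap_for(user, cloud.wrapped[dek_id]))


def demo() -> dict:
    keys, cloud = EnterpriseKeyServer(), CloudStore()
    for dek_id, users in {"user:alice": ["alice"], "user:bob": ["bob"],
                          "group:finance": ["alice", "bob"]}.items():
        cloud.wrapped[dek_id] = keys.issue_dek(dek_id, users)
    # constructed sample records: one private to alice, one shared by the finance group
    cloud.put("alice-notes", "user:alice",
              keys.unwrap_for("alice", cloud.wrapped["user:alice"]), b"alice private note")
    cloud.put("q3-forecast", "group:finance",
              keys.unwrap_for("bob", cloud.wrapped["group:finance"]), b"shared finance forecast")
    results = {
        "alice_reads_own": read_object("alice", "alice-notes", cloud, keys),
        "bob_reads_group": read_object("bob", "q3-forecast", cloud, keys),
        "alice_reads_group": read_object("alice", "q3-forecast", cloud, keys),
    }
    try:
        read_object("bob", "alice-notes", cloud, keys)
        results["bob_reads_alice"] = "allowed"
    except PermissionError:
        results["bob_reads_alice"] = "denied"
    # Cloud-side compromise: the attacker has every wrapped DEK and ciphertext but not the KEK.
    try:
        unwrap_key(os.urandom(32), cloud.wrapped["user:alice"])
        results["offline_unwrap_without_kek"] = "succeeded"
    except ValueError:
        results["offline_unwrap_without_kek"] = "rejected"
    return results
```

The design choice to notice is where the trust boundary sits: `CloudStore` only ever holds `wrapped` DEKs and ciphertext, so a provider-side breach yields material that cannot be unwrapped without the KEK held by `EnterpriseKeyServer`, and the per-user versus group DEK split is what lets Bob read the shared forecast but not Alice's private note.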

• Relationship between Policy Decision Point (PDP) and Policy Enforcement Point (PEP)
  • PEP - user centric authorization (user)
  • PDP - determines access to resources (service provider)
• SAML and WS-Federation
• Provisioning and authoritative sources
• Definitions
  • Entity - discrete types that will have identities
  • Identity - unique id of a person; an entity who can be authenticated
  • Persona - identity plus attributes
  • Entitlement - the process of mapping privileges to identities and the related attributes
  • RSO - password synchronization
  • SSO - ability to pass identity and attributes to other services
  • Federation - the connection of one identity repository to another
  • Primacy - the state of being first principle
You may want to check out the videos at the end of this guide to understand the whole entitlement process. I found it easier to watch the videos and then come back to read this doc than tackling this doc head on.

Domain 13: Virtualization
• VM guest hardening, VM sprawl, data co-mingling, blind spots, instant-on gaps
  • VM Guest Hardening - typical OS and app hardening best practices
  • VM Sprawl - VMs are so easy to deploy they can spiral out of control without process
  • Data co-mingling - the nature of having multiple VMs on the same physical hardware means that the data of one VM and another type of VM is on the same hardware
  • Blind Spot - the network security appliances are blind to data that doesn't traverse the network (i.e. inter-VM traffic). Insert security APIs at the hypervisor.
  • Instant-on gaps - pausing a VM and turning it back on (after a long time) can introduce vulnerabilities
• In-motion VM characteristics that can create a serious complexity for audits - because VMs are portable, they can be moved geographically without alert or traceable audit trail.
• How can virtual machine communications bypass network security controls - if data passes between VMs in the data plane as opposed to the network plane
• VM attack surfaces - What else is there besides the ones mentioned and VM image tampering???
• Compartmentalization of VMs - zoned approach for production, test/development and highly sensitive data

Domain 14: Security as a Service
• 10 categories
  • Identity and Access Management
  • Data Loss Prevention
  • Web Security
  • Email Security
  • Security Assessments
  • Intrusion Management
  • Security Information and Event Management (SIEM)
  • Encryption
  • Business Continuity and Disaster Recovery
  • Network Security
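The entitlement matrix of Domain 10 and the PEP/PDP relationship of Domain 12 describe one flow: an assertion carries identity and attributes, the enforcement point validates it, and the decision point maps those attributes through the entitlement rules. The following is an added example of that flow, not code from the study guide or the CSA guidance; the entitlement matrix, the identity provider URL `https://idp.example.test`, the resources and the subjects are all constructed for the demo.

```python
"""PEP/PDP walk-through for Domains 10 and 12. Added illustration; the entitlement
matrix, the IdP URL and every assertion below are constructed for the demo."""
from datetime import datetime, timedelta, timezone

# Entitlement matrix (constructed): each (resource, action) row names the attribute
# values an identity must present. An empty rule means "any authenticated identity".
ENTITLEMENT_MATRIX = {
    ("payroll", "read"): {"department": {"finance", "hr"}},
    ("payroll", "write"): {"department": {"finance"}, "role": {"admin"}},
    ("wiki", "read"): {},
}
TRUSTED_ISSUERS = {"https://idp.example.test"}  # hypothetical federated IdP


def validate_assertion(assertion: dict, now: datetime) -> dict:
    """Federation step: accept claims only from a trusted issuer inside its validity window."""
    if assertion.get("issuer") not in TRUSTED_ISSUERS:
        raise PermissionError("assertion from untrusted issuer")
    if not assertion["not_before"] <= now < assertion["not_after"]:
        raise PermissionError("assertion outside its validity window")
    return assertion["attributes"]


def pdp_decide(attributes: dict, resource: str, action: str) -> str:
    """Policy Decision Point: map presented attributes through the entitlement matrix.
    Default is Deny: a (resource, action) pair with no row is never permitted."""
    rule = ENTITLEMENT_MATRIX.get((resource, action))
    if rule is None:
        return "Deny"
    for attr, allowed_values in rule.items():
        if attributes.get(attr) not in allowed_values:
            return "Deny"
    return "Permit"


def pep_handle(request: dict, assertion: dict, now: datetime) -> dict:
    """Policy Enforcement Point: sits in front of the resource, validates the assertion,
    asks the PDP, and records an auditable decision together with its reason."""
    try:
        attributes = validate_assertion(assertion, now)
        decision = pdp_decide(attributes, request["resource"], request["action"])
        reason = "entitlement matrix"
    except PermissionError as exc:
        decision, reason = "Deny", str(exc)
    return {"subject": assertion.get("subject"), **request, "decision": decision, "reason": reason}


def demo() -> list:
    """Run constructed requests through the PEP and return the decision log."""
    now = datetime(2015, 11, 24, 12, 0, tzinfo=timezone.utc)

    def assertion(subject, issuer, minutes_valid, **attributes):
        return {"subject": subject, "issuer": issuer, "attributes": attributes,
                "not_before": now - timedelta(minutes=1),
                "not_after": now + timedelta(minutes=minutes_valid)}

    idp = "https://idp.example.test"
    cases = [
        ({"resource": "payroll", "action": "read"}, assertion("alice", idp, 5, department="hr", role="analyst")),
        ({"resource": "payroll", "action": "write"}, assertion("alice", idp, 5, department="hr", role="analyst")),
        ({"resource": "payroll", "action": "write"}, assertion("carol", idp, 5, department="finance", role="admin")),
        ({"resource": "wiki", "action": "read"}, assertion("dave", "https://rogue-idp.example.test", 5, department="finance")),
        ({"resource": "wiki", "action": "read"}, assertion("erin", idp, -2, department="finance")),
    ]
    return [pep_handle(req, a, now) for req, a in cases]
```

The decision log from `demo()` shows the two failure modes a PEP must handle before any entitlement rule is consulted (untrusted issuer, expired assertion) alongside the ordinary Permit/Deny outcomes of the matrix.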

• Barriers to developing full confidence in Security as a Service (SECaaS)
  • Some security concerns: compliance, multi-tenancy and vendor lock-in
  • Lack of visibility into control, personnel and general compliance
  • Data leakage between virtual machine instances
• When deploying Security as a Service in a highly regulated industry or environment, what should both parties agree on in advance and include in the SLA - metrics that describe how the provider is keeping in compliance. This can in turn be used to enforce the contract or prematurely end a contract of service.
• Logging and reporting implications - Is this related to SIEM????????? Increased analytics with semantic processing.
• How can web security as a service be deployed
  • on premise through software/appliance installation
  • cloud by proxy - redirecting web traffic through cloud provider infrastructure
• What measures do Security as a Service providers take to earn the trust of their customers
  • run constant background checks that rival government background checks
  • they meet and exceed geographical and regional regulatory requirements
  • enlist legal services to meet regional regulatory requirements
  • data is compartmentalized and data is shared anonymously
  • data monitored and held by the provider is anonymized in logs and audit data
• In Infrastructure as a Service (IaaS), who is responsible for guest systems monitoring

Additional Study Resources
Here is a list of additional resources if you want to study for CCSK:
Jericho Forum Cloud Cube Model: https://collaboration.opengroup.org/jericho/cloud_cube_model_v1.0.pdf
Jericho Forum Identity Commandments: https://collaboration.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments%20v1.0.pdf
How Identity, Entity and Entitlement work in the cloud (the best practices for Entitlement): https://www.youtube.com/watch?v=6FHGe8yHeQE
CCSK overview: https://www.youtube.com/watch?v=LhDZe7ZntvE
CCSK overview: https://www.youtube.com/watch?v=mniY-Jay5cY&list=PL6ASplUnEA8KQsg2Czr8y5a-ICJujSW9W&index=1
Cloud Controls Matrix: https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3/ - Is the cloud control matrix relevant to the CCSK test???????
ENISA Cloud Computing: Benefits, Risks and Recommendations for Information Security - topics to know:
• Isolation failure
• Economic Denial of Service
• Licensing Risks
• VM hopping
• Five key legal issues common across all scenarios
• Top security risks in ENISA research
• OVF
• Underlying vulnerability in Loss of Governance
• User provisioning vulnerability
• Risk concerns of a cloud provider being acquired
• Security benefits of cloud
• Risks R.1 – R.35 and underlying vulnerabilities
• Data controller vs data processor definitions

NIST SP800-145 (NIST Definition of Cloud Computing): http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
Cloud Security Alliance (SecaaS) - Defined Categories of Service 2011: https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf

Practice Questions (From SimpliLearn):
1. Suspicious intrusion detection alerts is part of: A. Events management B. Incidents management C. Risks management D. None of these
2. Cloud providers that have not achieved ISO/IEC 27001 certification should align themselves with: A. ISO/IEC 27000 B. ISO/IEC 27002 C. SAS 70 practices D. CSA SaaS v.2
3. According to ENISA, which service model implies the highest level of liability? A. Public cloud B. Partner cloud C. Private cloud D. Non cloud
4. Over time, the right to audit clause should be: A. Increased B. Reduced C. Replaced with the compliance and monitoring clause D. Both B and C
5. SIEM refers to: A. Security Information and Event Management B. Strategic Implementation of Electronic Management C. Service Improvement of in End-User Markets D. Software Intrusion and External Models
6. Which of the following audits ensures that controls are implemented and documented? A. SAS 70 Type I B. SAS 70 Type II C. SAS 70 Type III D. CSA SaaS v.2
7. Online word processing and spreadsheet tools would fall under which of the following service models? A. Software as a Service B. Platform as a Service C. Infrastructure as a Service D. Both A and C
8. Google Docs is an example of: A. Software as a Service B. Platform as a Service C. Infrastructure as a Service D. None of the above
9. Storage as a service is a sub-offering under which of the following categories? A. Software as a Service B. Platform as a Service C. Infrastructure as a Service D. Both SaaS and IaaS

10. The nature of cloud computing means that it is more difficult to: A. Ensure adequate resource division B. Make commitments to customers regarding security C. Determine who to contact in case of a security incident or data breach D. All of these
11. Which of the following are the phases of incident recovery the SLA should guarantee support for? A. Detection, analysis, containment, eradication and recovery B. Detection, incident, response and recovery C. Analysis, incidence, response and recovery D. None of the above
12. When any expertise is outsourced, --- has to be signed. A. HIPAA B. IR C. NDA D. None of the above
13. While evaluating risk for cloud, the first step is? A. Determine initial costs B. Determine data or function considered for cloud C. Determine importance of data or function D. Determine strategy of adopting cloud
14. In a cloud environment, the number of sources that must be monitored: A. Are the same as in any other computing environment B. Increase minimally C. Decrease substantially D. Increase exponentially
15. ESI stands for: A. E-mail Storage Interface B. Electronic Stored Interface C. Electronically Stored Information D. None of the above
16. (question text not recoverable from the extraction; its last option reads "Removed")
17. Service levels, governance, compliance and liability are stipulated and enforced in which of the following service models? A. SaaS B. PaaS C. IaaS D. All of the above
18. According to the Cloud Security Alliance (CSA), cloud service providers should use which of the following as a guideline? A. ISO/IEC 27000 B. ISO/IEC 27001 C. ISO/IEC 27003 D. ISO/IEC 35000
19. According to the Cloud Security Alliance (CSA), the cloud customer must understand: A. The provider's ability to produce evidence needed for compliance B. The division of compliance responsibilities between the consumer and provider C. The customer's role in bridging the gap between auditor and service provider D. All of the above

20. The 'ability to run multiple operating systems on a single physical system and share the underlying hardware resources' is referred to as: A. Cloud computing B. Grid computing C. Agile computing D. Virtualization
21. Improvements in which of the following areas would lead to improvements for all cloud service customers? A. Tools B. Policies C. Processes D. All of these
22. According to the CSA's (Cloud Security Alliance's) risk assessment framework, risks may be --- A. Accepted B. Transferred C. Mitigated D. All of the above
23. According to the Cloud Security Alliance (CSA), there are A. One deployment model for cloud services B. Two deployment models for cloud services C. Three deployment models for cloud services D. Four deployment models for cloud services
24. Rackspace Cloud is an example of: A. Software as a Service B. Platform as a Service C. Infrastructure as a Service D. None of the above
25. The acronym EDoS refers to: A. Economic Denial of Service B. Environmental Domain of Service C. Encrypted Disaster or Solution D. Engineered Data on Servers
26. Which of the following is NOT a recommendation for the 'create' phase of the data security lifecycle? A. Identification of data labeling and classification capabilities B. User tagging to classify data C. Leveraging of content discovery tools D. Enterprise digital rights management
27. In SaaS, the cloud services agreement must allow the client or third party to: A. Retain ownership of the data in original format B. Adjust the process for responding to legal requests at any time C. Have reasonable security that data breaches will not happen D. Monitor the service provider's performance and test for system vulnerabilities
28. Cloud cube model illustrates -- A. Physical location of deployment models B. Deployment models C. Management and ownership D. All of the above

29. Cloud cube model was developed by --- A. Cloud Security Alliance B. OpenCrowd cloud solutions C. Jericho Forum D. GoGrid
30. HIPAA stands for: A. Highly Intelligent Performance and Accounting B. Highly Interfering Performance and Auditing C. Health Insurance Portability and Accountability D. None of the above
31. Which of the following scenarios begins with a crisis of confidence in the cloud provider's financial position? A. An upcoming financial audit B. A 'mass exodus' scenario C. A 'run on the banks' scenario D. None of the above
32. In which of the following cases should a cloud service provider audit be done? A. Be done by the customer only B. Be done regardless of the provider's certifications C. Be waived, if the provider has adequate certifications D. All of the above
33. The worst case scenario in a 'run on the banks' situation is that: A. Customers may be locked into a contract with a provider for many years B. Customers may not be able to retrieve their data C. Providers may be able to leak customer data to third parties D. Customer data may be made publicly available
34. Which of the following is NOT true about PaaS? A. It enables developers to build their own applications on top of the platform B. It offers less customer ready features than SaaS C. It is more extensible than the SaaS model D. There are not as many security options as SaaS within this model
35. Cloud service customers should develop evidence-collecting processes for which of the following areas? A. System configurations B. Audit logs C. Change management reports D. All of the above
36. In which model does the consumer have control over application hosting environment configurations? A. SaaS B. PaaS C. IaaS D. None of the above
37. According to the Cloud Security Alliance (CSA), which of the following clauses should be obtained whenever possible? A. Right to Audit Clause B. Right to Withdraw Clause C. Security Breach Clause D. Data Transferability Clause

38. What kind of provisioning is standardized in OASIS' Service Provisioning Markup Language (SPML)? A. Lateral provisioning B. Transport provisioning C. Push-style provisioning D. Pull-style provisioning
39. Which of the following assets are supported by cloud? A. Data and resources B. Applications and processes/functions C. Data and applications/functions/processes D. All of the above
40. Which of the following should not demonstrate compartmentalization by cloud providers, according to the Cloud Security Alliance (CSA)? A. Systems B. Provisioning C. Personnel D. None of the above
41. When an attacker uses a customer's resources for his/her own gain, this may be referred to as: A. Diminished Domain of Service B. Distributed Denial of Service C. Economic Denial of Service D. Engineered Denial of Service
42. Which of the following is not a category of infrastructure services? A. Storage B. Compute C. Services Management D. Integration
43. Data breaches is a part of: A. Events management B. Disaster management C. Incidents management D. (option lost in the extraction)
44. Which of the following is a characteristic of virtualization? A. Single OS image per machine B. Hardware-independence of operating system and applications C. Inflexible, costly infrastructure D. Software and hardware are tightly coupled
45. Since ----, the Federal Rules of Civil Procedure require the inclusion of electronically-stored information when responding to discovery requests. A. 2000 B. 2002 C. 2004 D. 2006
46. What is recommended to enterprises adopting cloud? A. Profit based approach B. Risk based approach C. Security based approach D. Privacy based approach

47. In which of these models does the consumer have limited user-specific configuration settings? A. SaaS B. PaaS C. IaaS D. None of the above
48. SOC refers to: A. Strategic Overview Card B. Standard Operations Credentials C. Security Operations Center D. Service Office Catalogue
49. When considering compliance with accepted frameworks and standards, one should consider -- A. Compliance architecture, security architecture and cloud architecture B. Cloud service classroom, cloud service classification C. Security architecture, compliance architecture, cloud architecture D. All of the above
50. In a cloud environment, the number of security notifications: A. Are the same as in any other computing environment B. Increase minimally C. Decrease substantially D. Increase exponentially

ANSWERS (original number + 50)
51. Suspicious intrusion detection alerts is part of: A. Events management B. Incidents management C. Risks management D. None of these
Explanation: Suspicious intrusion detection alerts is part of incident management.
52. Cloud providers that have not achieved ISO/IEC 27001 certification should align themselves with: A. ISO/IEC 27000 B. ISO/IEC 27002 C. SAS 70 practices D. CSA SaaS v.2
Explanation: Providers that have not achieved ISO/IEC 27001 certification should align themselves with ISO/IEC 27002
53. According to ENISA, which service model implies the highest level of liability? A. Public cloud B. Partner cloud C. Private cloud D. Non cloud
Explanation: According to ENISA, the private cloud model implies the highest level of liability
54. Over time, the right to audit clause should be:

Ensure adequate resource division B.2 Explanation: CSA SaaS v. Analysis. Both SaaS and laaS Explanation: It is an offering of laaS 60. SAS 70 Type II C. SAS 70 Type I B.2 ensures that controls are implemented and documented. Which of the following audits ensures that controls are implemented and documented? A. Online word processing and spreadsheet tools would fall under which of the following service models? A. Both B and C Explanation: Over a period of time. Strategic Implementation of Electronic Management C. 57. 58. Which of the following are the phases of incident recovery should the SLA guarantee support? A. analysis. the need to audit should get reduced and should be replaced by a compliance and monitoring clause 55. laaS D. and recovery D. Security Information and Event Management B. Increased B. response and recovery C. Both A and C Explanation: Online tools are examples of Software as a Service. None of the above . incident. Make commitments to customers regarding security D. The nature of cloud computing means that it is more difficult to: A. SAS 70 Type III D. Storage as a service is a sub-offering under which of the following categories? A. incidence. Replaced with the compliance and monitoring clause D. Platform as a Service C. Detection. eradication. Google Docs is an example of: A. None of the above Explanation: Google doc is an example of SaaS 59. PaaS C. Infrastructure as a Service D. Detection. A. response and recovery B. Software Intrusion and External Models Explanation: SIEM stands for Security Information and Event Management 56. All of these Explanation:All of the above mentioned reasons together make up cloud computing 61. Infrastructure as a Service D. Service Improvement of in End-User Markets D. SaaS B. Reduced C. Platform as a Service C. CSA SaaS v. SIEM refers to: A. Software as a Service B. containment. Software as a Service B. Determine who to contact in case of a security incident or data breach C.

In a cloud environment. Service levels. Are the same as in any other computing environment B. analysis. While evaluating risk for cloud. Remove 67. ISO/IEC 27003 D. None of the above Explanation: NDA has to be signed while outsourcing expertise. governance. eradication and recovery are the phases of incident recovery and SLA must ensure it is covered. The customer's role in bridging the gap between auditor and service provider . cloud service providers should use ISO/IEC 27001 as a guideline 69. the cloud customer must understand: A. Decrease substantially D. IR C. cloud service providers should use which of the following as a guideline? A. PaaS C. SaaS B. HIPAA B. Determine data or function considered for cloud C. Increase exponentially Explanation: Since resources grow depending upon the demand it grows exponentially 65. the first step is? A. service levels. NDA stands for Non- Disclosure Agreement. laaS D. ISO/IEC 35000 Explanation: According to the Cloud Security Alliance (CLA). Determine strategy of adopting cloud Explanation: While evaluating risk for cloud. 63. According to the Cloud Security Alliance (CSA). all of the above Explanation: Irrespective of the models. containment. ESI stands for: A. Increase minimally C. The provider's ability to produce evidence needed for compliance B. 62. the number of sources that must be monitored: A. compliance and liability are stipulated and enforced 68. A. According to the Cloud Security Alliance (CSA).has to be signed. ISO/IEC 27000 B. None of the above Explanation:ESI stands for Electronically Stored Information 66. Electronically Stored Information D. NDA D. ISO/IEC 27001 C. Electronic Stored Interface C. the first step is to determine data or function considered for cloud 64. Determine important of data or function D. When any expertise is outsourced --. compliance and liability are stipulated and enforced in which of the following service models? A. E-mail Storage interface B. 
The division of compliance responsibilities between the consumer and provider C.Explanation: Detection. governance. Determine initial costs B.

Three deployment models for cloud services D. Infrastructure as a Service D. Mitigated D. The 'ability to run multiple operating systems on a single physical system and share the underlying hardware resources' is referred as: A. In SaaS. Environmental Domain of Service C. Economic Denial of Service B. 70. Accepted B. Two deployment models for cloud services C. Rackspace Cloud is an example of: A. Leveraging of content discovery tools . Agile computing D. Four deployment models for cloud services Explanation: NONE 74. Virtualization Explanation: Ability to run multiple operating systems in a single hardware is called virtualization. Encrypted Disaster or Solution D. Processes D. 71. All of these Explanation: Tools. the division of compliance responsibilities between consumer and provider and the customer's role in bridging the gap between auditor and service provider. Cloud computing B. Grid computing C. 75. Identification of data labeling and classification capabilities. the providers ability to produce evidence needed for compliance. policies and processes are equally important and can have varied benefits. None of the above Explanation: Rackspace is an example of infrastructure as a Service. accepted or transferred as per CSA guidelines 73. User tagging to classify data. risks may be --- A. D. According to the CSA's (Cloud security alliance's) risk assessment framework. Policies C. B. Which of the following is NOT a recommendation for the 'create' phase of the data security lifecycle? A. Software as a Service B. there are A. Transferred C. All of the above Explanation: The cloud customer must understand. All of the above Explanation: Risk may be mitigated. Tools B. Engineered Data on Servers Explanation: EdoS stands for Economic Denial of Service 76. One deployment model for cloud services B. The acronym EDoS refers to: A. Platform as a Service C. Improvements in which of the following areas would lead to improvements for all cloud service customers? A. C. 72.

All of the above Explanation: Cloud cube model illustrates physical location of deployment models. C. Management and ownership D. 79. SaaS B. 80. HIPAA stands for: A. PaaS C. the cloud services agreement must allow the client or third party to: A. It is compliance. In which model. Highly Intelligent Performance and Accounting B. 83. D. The worst case scenario in a 'run on the banks' situation is that: A. D. Customers may not be able to retrieve their data C. Which of the following scenarios begins with a crisis of confidence in the cloud provider's financial position? A. According to the Cloud Security Alliance (CSA). OpenCrowd cloud solutions C. None of the above Explanation: In PaaS. Providers may be able to leak customer data to third parties D. All of the above Explanation: A run on the banks scenario can lead to crisis of confidence. Deployment models C. Health Insurance Portability and Accountability D. None of the above Explanation: HIPAA stands for Health Insurance Portability and Accountability. Customer data may be made publicly available Explanation: In case of the provider going bankrupt. Cloud Security Alliance B. 82. does the consumer have control over application hosting environment configurations? A. then there is a chance that the customers might not be able to retrieve their data . An upcoming financial audit B. A 'mass exodus' scenario C. Highly Interfering Performance and Auditing C. B. laaS D. Retain ownership of the data in original format. applications can be built and hosted 81. A 'run on the banks' scenario D. Cloud cube model illustrates -- A. Customers may be locked into a contract with a provider for many years B. Enterprise digital rights management Explanation: Content discovery tools usage is not part of 'create' phase 77. Physical location of deployment models B. Have reasonable security that data breaches will not happen. Monitor the service provider's performance and test for system vulnerabilities. 
Explanation: According to the Cloud Security Alliance (CSA) the cloud services agreement must allow the client or party to retain ownership of the data in original format 78. Cloud cube model was developed by --- A. Adjust the process for responding to legal requests at any time. GoGrid Explanation:Jericho forum developed cloud cube model. Jericho forum D.

. 88. Change management reports D. 86. Cloud service customers should develop evidence-collecting processes for which of the following areas? A. There are not as many security options as SaaS within this model Explanation: PaaS offers multiple security options for customers 85. What kind of provisioning is standardized in OASIS' Service Provision Markup Language (SPML)? A. Be waived. According to the Cloud Security Alliance (CSA). cloud service providers audit should be done? A. Which of the following is NOT true about PaaS? A. and change management reports. 90. Transport provisioning C. if the provider has adequate certifications D. It enables developers to build their own applications on top of the platform B. All of the above Explanation: All the mentioned functions are actively supported by cloud 91. Be done regardless of the provider's certifications C. It is more extensible than the SaaS model D. In which of the following cases. Data and applications/functions/processes D. Applications and processes/functions C. Push-style provisioning D. System configurations B. 87. Data Transferability Clause Explanation: Right to Audit Clause should be given from time to time to ensure everything is as per the agreement. Be done by the customer only B. None of the above Explanation: Data breaches is part of disaster management. Events management B. Right to Audit Clause B. None of the above Explanation: No matter what certifications provider has. Disaster management C. 89. Which of the following assets are supported by cloud? A. audit logs. Security Breach Clause D. Audit logs C. which of the following clauses should be obtained whenever possible? A. Incidents management D. cloud service providers need to be audited. Data breaches is a part of: A. It offers less customer ready features than SaaS C. 84. Lateral provisioning B. Right to Withdraw Clause C. 
All of the above Explanation: Cloud service customers should develop evidence-collecting processes for system configurations. Data and resources B. Pull-style provisioning Explanation: Service Provision Markup Language uses push-style provisioning.

Economic Denial of Service D. Privacy based approach Explanation: Risk based approach is an important factor to consider 98. 97. Risk based approach C. Personnel D. Inflexible. When an attacker uses a customer' resources for his/her own gain. this may be referred to as: A. Storage B. does the consumer have limited user-specific configuration settings? A. 95. PaaS C. Which of the following is not a category of infrastructure services? A. 99. 92. SaaS B. Provisioning C. SOC refers to: . Resources Explanation: Personnel compartmentalization should not be demonstrated by the cloud providers. this may be referred to as Distributed Denial of Service 93. Systems B. 2002 C. Software and hardware are tightly coupled Explanation: Through hypervisor. laaS D. according to the Cloud Security Alliance (CSA)? A. virtualization separates hardware and OS+ applications. Hardware-independence of operating system and applications C. Diminished Domain of Service B. the Federal Rules of Civil Procedure require the inclusion of electronically-stored information when responding to discovery requests. In which of these models. the Federal Rules of Civil Procedure require the inclusion of electronically- stored information when responding to discovery requests. costly infrastructure D. Security based approach D. Services Management D. 96. Which of the following is a characteristic of virtualization? A. 2006 Explanation: Since 2006. Engineered Denial of Service Explanation: When an attacker uses a customer's resources for his/her own gain. Distributed Denial of Service C. Single OS image per machine B. Which of the following should not demonstrate compartmentalization by cloud providers. Since ----. A. none of the above Explanation: Consumers do not have much of a say in SaaS offerings. Integration Explanation: Integration is not a category of infrastructure services 94. Profit based approach B. What is recommended to enterprises adopting cloud? A. 2004 D. Compute C. 2000 B.

compliance architecture. making it important that the data center visits by every customer to conduct an operators are required to provide auditing for audit. when The Data Controller the data is transferred to a third party custodian. 5 . Detect.Thanks to Ajay Chauhan (http://www. Deny In which type of environment is it impractical In multi-tenant environments the operator to allow the customer to conduct their own or provider cannot normally accommodate audit. Standard Operations Credentials C.Measured Service The level of attention and scrutiny paid to The valued Risk enterprise risk assessments should be directly related to what? In the majority of data protection laws. 4 . Service Office Catalogue Explanation: SOC refers to Security Operations Center. Store. cloud architecture. Cloud service classroom. the number of security notifications: A. security architecture and cloud architecture B. What are the six phases of the data security Create.cram. providers? or a longer transition period than anticipated. Increase minimally C. A. cloud architecture D. 2 . Security Operations Center D. 100. All of the above Explanation: All these should be taken into serious consideration 101. the customers? . Delay. who is ultimately responsible for the security of the data? What is the most important reason for So that it can address the specific knowing where the cloud service provider will restrictions that foreign data protection host the data? laws may impose. Compliance architecture. What are the four D's of perimeter security? Deter. Strategic Overview Card B.com/flashcards/ccsk-3657367) What are the five essential characteristics of 1 . Use.Broad Network Access. In a cloud environment. Security architecture. Are the same as in any other computing environment B. cloud service classification C. Adding Flash Card information I have received from a websiste .Resource Cloud computing as defined by NIST . Share. 
Increase exponentially Explanation: With cloud all security measure have only been increased exponentially. Archive. one should consider -- A. lifecycle? destroy. 3 . Decrease substantially D. When considering compliance with accepted frameworks and standards. Why is the size of data sets a consideration The sheer size of data may cause an in portability between cloud service interruption of service during a transition. Pooling.Rapid Elasticity.On-Demand service.

the applications. either by having a good environment? blend of processes.Personal Identifiable Information additional regulatory issues for all SPI . controls may not be able to monitor certain rather than a network.S. state laws Written contract with the service provider require when using a Cloud Service with reasonable security measures.What measures could be taken by the cloud SaaS providers that generate extensive service provider (CSP) that might reduce the customer-specific application logs and occurrence of application level incidents? provide secure storage as well as analysis facilities will ease the IR burden on the customer. service level required to achieve what should both parties agree on in advance regulatory objectives and include in the SLA? Economic Denial of Service (EDOS). What is the minimum that U. to… the worst case scenario would be bankruptcy of the customer or a serious economic impact How does SaaS alleviate much of the The provider is not only responsible for the consumer's direct operational responsibility? physical and environmental security controls. types of traffic? When deploying Security as a Service in a Agreement on the metrics defining the highly regulated industry or environment. in the 1995 European Union (EU) Data Protective Directive and the 2002 ePrivacy Directive as amended in 2009. refers The destruction of economic resources. and the data. where network-based security each other over a hardware backplane.Sensitive Personal Information organizations if held as an aspect of an Identity? Why do blind spots occur in a virtualized Virtual machines may communicate with environment. In Europe. but it must also address the security controls on the infrastructure. Provider? What must be included between an What must be included between an organization and a Cloud Service Provider organization and a Cloud Service Provider when the organization has contractual when the organization has contractual . tools. 
What two types of information will cause PII . and technologies of their own or adopting one of the maturity models. How should an SDLC be modified to address Organizations must adopt best practices application security in a Cloud Computing for development. What is the most significant reason that To be able to prove that all data has been customers are advised to maintain in-house deleted from the public cloud environment key management? when exiting that environment. name the group that has enacted The European Economic Area (EEA) data protection laws and the principles on Member States follow principles set forth which they follow.

and tested protocols and standards. What does a cloud service model need to Policy-driven enforcement include for multi-tenancy consumers? Segmentation Isolation Governance Service Levels Chargeback/billing models What services can be shared in multi-tenancy Infrastructure cloud service models? Data Metadata Services Applications What three cloud services make up the Cloud Infrastructure as a Service (IaaS) Reference Model? Platform as a Service (PaaS) Software as a Service (SaaS) . contacts or information of their clients.obligations to protect the personal obligations to protect the personal information of their clients.Relationship between all parties including customer. appropriate resources. At what stage should compliance be Requirement identification stage addressed between an organization and CSP? What is multi-tenancy? Use of same resources or application by multiple customers that may belong to the same organization or a different organization.CSP capability to show compliance . contacts or employees.Assignment of compliance regulatory compliance? responsibilities including the providers . to ensure that the data are not used for secondary use and are not disclosed used for secondary use and are not to third parties? disclosed to third parties? What is a click-wrap agreement? What is a click-wrap agreement? How does an organization respond to the How does an organization respond to the evolving nature of the cloud environment? evolving nature of the cloud environment? How does an organization respond to the All documents that pertain to the case evolving nature of the cloud environment? whether favorable to its case or the other litigant's case. CSP. to ensure that the data are not employees. auditors and CSP providers What role do audits perform in the cloud Audits must be independently conducted relationships? and should be robustly designed to reflect best practice. What is ESI? 
Electronically Stored Information What are four considerations for a cloud Cross-border or multi-jurisdiction customer to understand in reference to .

Governance . List the four dimensions in the Jericho Cloud Internal (I) / External (E): Physical Cube Model Location . regulatory.Types of assets. architecture? the more security capabilities and management consumers are responsible for implementing and managing themselves. Define SaaS SaaS delivers software and its associated data hosted centrally typically in the cloud and are usually accessed by users via a web browser over the Internet.Perimeterised (Per) / De-perimeterised (D-p): Architectural mindset .Map the security architecture and requirements? business. Define PaaS PaaS delivers computing platform and solution stack as a service.Manner in which cloud services are consumed . What are the risks and pitfalls to consider in How / where cloud service are deployed the Cloud Security Reference Model? .Define IaaS IaaS delivers computer infrastructure as a service along with raw storage and networking.Insourced / Outsourced: Who provides the cloud service List the four cloud deployment models Public Private .Who manages them and How .Proprietary (P) / Open (O): State of Ownership .internal/external Hybrid Community What is the key takeaway for security The lower down the stack the CSP stops.Monitoring .Transformation/portability .which controls are selected and How they are integrated .compliance issues How do you determine the general security Classify a cloud service against the cloud posture of a service and how it relates to an architectural model asset's assurance and protection .Re-perimeterization of enterprise networks . and other compliance requirements as a gap- analysis exercise What do cloud service brokers provide? Intermediation . resources and information being managed .

. administered or controlled.Corporate responsibility and compliance .Share or insure: transferring or sharing a portion of the risk to finance it . customs.business continuity providers? .Relationship negotiation between CSP and consumers What are included in a Service Level Service levels Agreement (SLA)? . Define Enterprise Risk Management The methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. . laws and institutions affecting the way an enterprise is directed.Provisioning . Define Information Risk Management The process of identifying and understanding exposure to risk and the capability of managing it. processes and procedures .Compliance . List four of the specific risks identified and Avoidance: exiting the activities giving rise analyzed by management in a cloud to risk environment.Disaster recovery policies.Review of co-location and back-up facilities .Accept: no action is taken due to a cost/benefit decision What should be specifically targeted in the Incident management assessment of a CSP's third party service .Security . .Reduction: taking action to reduce the likelihood or impact related to the risk . aligned with the risk appetite and tolerance of the data owner.Integration services .Liability expectations of the service and provider What are two types of Service Level Negotiable Agreements (SLA)? Non-negotiable Name the five basic principles followed in Auditing supply chains Corporate Governance.Financial transparency and information disclosure . policies.Ownership structure and exercise of control rights Define Corporate Governance The set of processes.Board and management structure and process .Governance . technologies.

and ongoing detailed assessments and audits to ensure requirements are continuously met. application of security controls. It may also be worth visiting the following site for additional CCSK training information. CCSK Training Link [1] Cloud Service Provider [2] Digital Rights Management . What is a CSP's supply chain? Their service provider relationships and dependencies How should the cost savings obtained by Reinvest into increased scrutiny of the cloud computing services be utilized? security capabilities of the provider. Define Private Cloud The cloud infrastructure is operated solely for a single organization. Define Public Cloud? The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. It may be managed by the organization or by a third party and may be located on-premise or off-premise.
