
The CCSK Study Guide

Revision : 0.7
Created Dated: January 5th, 2015
Last Modified: November 24th, 2015

Contributor Organization Country

Alejandro Castillo FireEye Inc United States of America

Peter HJ van Eijk Club Cloud Computing Netherlands

Ajay Chauhan SafeNet United Kingdom

Ash Thakrar PwC United Kingdom

David Glosser Regeneron Pharmaceuticals United States of America

Please scroll down to find the actual study guide.
If you found any part of this guide helpful please provide a like or some feedback at the following link:

https://www.linkedin.com/groups/CCSK-study-guide-OpenSource-4071935.S.5958007520671911936?view=&gid=4071935&item=5958007520671911936&type=member&commentID=discussion%3A5958007520671911936%3Agroup%3A4071935

If you wish to contribute feel free to type your suggestions and they will be taken accordingly.
CCSK Key Examination Concepts
CSA Guidance For Critical Areas of Focus in Cloud Computing V3.0 English

Based on research that I have seen online, it is suggested that Domains 2, 5, 10 and 12 are heavily
tested, especially 5. Attention should be placed on Risks and Challenges.
Victor said these were some of the most quizzed areas:
Reading the material is extremely time consuming; Incident Response and Identity and Access
Management seem to have the most material.

Domain 1 Architecture
Summary
SPI = Software, Platform and Infrastructure as a service.
Cloud formations = the forms of cloud computing or the way it’s deployed.
Cloud benefits - collaboration, agility, scaling, availability, reduced cost, optimized and
efficient.
Steps for evaluating risk in the cloud
1. Determine what data to send to the cloud - (1) Data (2) Application/Function/Processes
2. Determine how important the data or function is
3. Determine the best deployment model (for the models look at the NIST model below)
4. Evaluate the potential cloud providers
• NIST Definition of Cloud Computing (Essential Characteristics, Cloud Service Models, Cloud Deployment Models)
• Multi-Tenancy (NIST doesn’t have it, but CSA’s cloud model includes it as an essential characteristic):
  - Policy Enforcement
  - Segmentation
  - Isolation
  - Governance
  - SLA
  - Chargeback
The problem with multi-tenancy is visibility of residual data or traces of operations of tenants.
• CSA Cloud Reference Model (also known as service models)
  - IaaS - Most flexible, possibly the least secure; customers are responsible for most of the security mechanisms
  - PaaS - Enormous flexibility, but not quite as flexible as IaaS
  - SaaS - Least flexible, possibly most secure, with dependency on the provider

You can outsource a lot of manageability, but not accountability.
• Jericho Cloud Cube Model
  The four sides/eight dimensions:
  - I/O - Insourced or Outsourced
  - I/E - Internal or External
  - O/P - Open or Proprietary
  - P/D - Perimeterised or De-perimeterised
  Least to most mature:
  1. Outcome/Value
  2. Process
  3. Software
  4. Platform
  5. Infrastructure

• Cloud Security Reference Model - possible definition on page 20 third paragraph

• Cloud Service Brokers - middleman/middleware that act like proxies between the cloud and the consumer. This is done to provide an abstraction of capabilities between the customer and the cloud to allow for fluidity and agility.
• Service Level Agreements - negotiable and non-negotiable. Security level, compliance and liability expectations. Most of the control and security will be held in the SLA. SLAs must cascade downwards from provider to third party and supply chain.

Domain 2: Governance and Enterprise Risk Management
• Contractual Security Requirements - security processes, governance, policies, customs, laws and institutions. Even private clouds may have multi-tenancy (multiple projects, third party consultants, contractors, part-timers, etc.).
• Enterprise and Information Risk Management - measure, manage and mitigate uncertainty. Risk treatment options: Avoidance, Reduction, Share/Insure/Transfer and Accept.
• Third Party Management Recommendations - contracts are risk management tools with metrics/audits to ensure accountability. Auditing provides affirmation and really specifies the level of security in SaaS. Third parties should be picked out in advance and reviewed; procurement and contract teams help identify them. CSP/third party review of how information is stored, along with review of co-locations and backup facilities, must be part of the background check assessment.
• Supply chain examination - risk is inherited throughout the supply chain.
• Use of Cost Savings for Cloud - should be re-invested to scrutinize the security capabilities of the provider.
• The major part of most of the governance will be the contract between the provider and customer. Identify legal barriers and ensure they are addressed in the contract.
• Incident Management - processes and procedures; these should include legal, business continuity, and disaster recovery policies.

Domain 3: Legal Issues: Contracts and Electronic Discovery
• Consideration of cloud-related issues in three dimensions: Monitoring, testing, evaluation???
• Federal Rules of Civil Procedure and electronically stored information - ESI for holding.
• Metadata - it’s data about data.
• Litigation hold - obligation to undertake reasonable steps to prevent destruction or modification of data or the information processing. It must also be protected and well stored (this is called a legal hold).
• eDiscovery considerations - in the US you must give everything to the requesting party even if it is not in your favor.
• Jurisdictions and data locations - geographical locations and legal jurisdictions. Data is stored, processed and transmitted across borders with many different laws in those places as well as the ones we must comply with. In terms of jurisdiction, it depends on where the legal court is?
• Liability for activities of subcontractors - the client is responsible for the data even though they might not have access. Thus they need the CSP[1].
• Due diligence responsibility - however it should be written into the contract.

Domain 4: Compliance and Audit Management
• Definition of Compliance: the awareness and adherence to obligations (laws, regulations, contracts, etc.), including the assessment and prioritization of corrective actions deemed necessary and appropriate.
• Compliance analysis requirements - laws and regulations one must comply with. These will likely include contracts, policies and various other things.
• Compliance impact on cloud contracts.
• Audit scope and compliance scope.
• Auditor requirements - auditors should be “cloud aware”. SSAE 16 SOC 2 or ISAE 3402 Type 2.
• Right to audit - gives customers the ability to audit the cloud provider and provides for transparency/accountability. Audit might be hard due to an elastic environment.
• Right to transparency - can view, or request a push to view, the stats of the environment.

Domain 5: Information Management and Data Security
• Six phases of the Data Security Lifecycle and their key elements: Create - Store - Use - Share - Archive - Destroy

• Volume storage: virtual hard drives (data dispersion to support resiliency and security)
• Object storage: file storage (can typically be accessed by APIs or web interface)
• Logical vs physical locations of data
• Potential issues from regulatory, contractual and other jurisdictional issues: it is extremely important to understand both the logical and physical location of the data.
• Three valid options for protecting data:
  - Client application encryption
  - Link/Network encryption
  - Proxy based encryption
• Data Loss Prevention: used for content delivery and to monitor data in motion.
  - Actions: block, or allow to proceed after remediation (DRM[2], ZIP, PGP)
  - Deployment may be done using any of the following: dedicated appliance, virtual appliance, endpoint agent, hypervisor agent, DLP SaaS
• Detecting Data Migration to the Cloud
• Encryption in IaaS, PaaS & SaaS
  - IaaS - Volume Storage Encryption: instance managed encryption, externally managed encryption, proxy encryption
  - PaaS: client/application encryption, database encryption, proxy encryption
  - SaaS: provider-managed encryption, proxy encryption
• Database Activity Monitoring (DAM) and File Activity Monitoring (FAM): can be used to detect and monitor attacks.
  - DAM: captures and records all database SQL activity, across multiple database platforms, and can generate alerts on policy violations. DAM tools are typically agent-based, connecting to a central collection server (which is typically virtualized). It is used with dedicated database instances for a single customer, although in the future it may be available for PaaS.
  - FAM: products that monitor and record all activity within designated file repositories at the user level and can generate alerts based on violations. FAM tools require agents or placing a physical appliance between the cloud storage and the cloud consumer.
• Data Dispersion: spreads data across multiple nodes (data fragmentation), making it more resilient and harder to compromise. Usually done using an Information Dispersal Algorithm (IDA). No encryption is used in the dispersion itself.?????
• Data Fragmentation: when fragmentation is used alongside encryption it becomes hard to compromise, as you have to compromise m cloud nodes with fragments and then still break the encryption.
• Data Backup - how backups are generated, performed, documented and maintained, and whether they are available or dependent on the provider.

Domain 6: Interoperability and Portability
• Definitions of Portability and Interoperability
  - Interoperability: the requirement for the components in a cloud ecosystem to work together to produce the intended result.
  - Portability: defines the ease with which application components can be moved and reused elsewhere regardless of provider, platform, OS, infrastructure, location, storage, the format of the data or the APIs.
• Lock-in considerations by IaaS, PaaS & SaaS delivery models
  - IaaS
    - Creation, storage, transfer, deletion and deprovisioning (removing residual data)
    - Hardware based dependencies moving to virtualization
    - Access to system logs, traces, billing records
    - Interoperability and portability of feature sets when moving from one cloud to another, as well as understanding dependency on legacy IaaS (cost as well)
    - Who maintains the crypto keys
    - For interoperability and portability use standard syntax, open APIs and open standards such as the Open Cloud Computing Interface (OCCI)
    - How to transfer to a new vendor
    - Virtualization impacts on portability and interoperability - can help abstract hardware for flexibility, and using something like Open Virtualization Format (OVF) can aid portability
  - PaaS
    - Tools available for secure data transfer, backup and restore
    - Do testing prior to moving
  - SaaS
    - Determine which data can be preserved and migrated (escrow service?)
    - Perform regular data backups
    - Size of data sets - the sheer size can cause disruption of service during transition or can make the transition longer than it needs to be (courier may be an option)
• SAML and WS-Security are authentication protocols that are interoperable with standards-based systems. Using the open standard SAML can help ensure portability of identities.
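As an added illustration of the Domain 5 data dispersion and fragmentation items above (example code written for this guide, not taken from it or from the CSA material): a minimal Rabin-style (m, n) Information Dispersal Algorithm over GF(257). Any m of the n fragments rebuild the data and each fragment is roughly 1/m the size of the input, while fewer than m fragments leave every block undetermined, which is the "compromise m nodes" property; the function names, the 4-byte length header and the choice of field are this example's own assumptions.

```python
"""Rabin-style (m, n) information dispersal over GF(257), stdlib only.

Added illustration for the Domain 5 data dispersion / fragmentation notes;
names and the 4-byte length header are this example's own choices.
Each m-byte block of the input is treated as the coefficient vector of a
polynomial of degree < m; fragment i stores that polynomial evaluated at
x = i.  Any m of the n fragments rebuild every block by solving an m x m
Vandermonde system, and fewer than m leave every block undetermined.
The dispersal provides no secrecy by itself (one fragment is a known
linear combination of the plaintext bytes), which is why the guide says
to pair it with encryption.
"""
P = 257  # smallest prime above 255, so every byte is a field element


def _inv(a: int) -> int:
    """Multiplicative inverse modulo the prime P (Fermat)."""
    return pow(a, P - 2, P)


def disperse(data: bytes, m: int, n: int) -> list:
    """Split data into n fragments; any m of them reconstruct it.

    Returns a list of (x, values) pairs, where x is the fragment's
    evaluation point and values holds one field element per block.
    """
    if not 1 <= m <= n < P:
        raise ValueError("need 1 <= m <= n < 257")
    framed = len(data).to_bytes(4, "big") + data      # length header
    framed += bytes(-len(framed) % m)                  # zero pad to block size
    blocks = [framed[i:i + m] for i in range(0, len(framed), m)]
    fragments = []
    for x in range(1, n + 1):
        values = []
        for block in blocks:
            acc = 0                                    # Horner: sum(b_j * x^j)
            for coef in reversed(block):
                acc = (acc * x + coef) % P
            values.append(acc)
        fragments.append((x, values))
    return fragments


def _solve_vandermonde(xs: list, ys: list) -> list:
    """Return c such that sum(c[j] * x^j) == y for every (x, y) pair."""
    m = len(xs)
    rows = [[pow(x, j, P) for j in range(m)] + [y % P] for x, y in zip(xs, ys)]
    for col in range(m):                               # Gauss-Jordan mod P
        piv = next(r for r in range(col, m) if rows[r][col])
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = _inv(rows[col][col])
        rows[col] = [(v * inv) % P for v in rows[col]]
        for r in range(m):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(a - f * b) % P for a, b in zip(rows[r], rows[col])]
    return [rows[j][m] for j in range(m)]


def recover(fragments: list, m: int) -> bytes:
    """Rebuild the data from any m fragments (distinct x values)."""
    if len(fragments) < m:
        raise ValueError(f"need {m} fragments, only {len(fragments)} available")
    chosen = fragments[:m]
    xs = [x for x, _ in chosen]
    if len(set(xs)) != m:
        raise ValueError("fragments must come from distinct nodes")
    out = bytearray()
    for b in range(len(chosen[0][1])):
        ys = [values[b] for _, values in chosen]
        out.extend(_solve_vandermonde(xs, ys))
    length = int.from_bytes(out[:4], "big")
    return bytes(out[4:4 + length])


def fragment_size(fragments: list) -> int:
    """Field elements per fragment: about len(data) / m, not len(data)."""
    return len(fragments[0][1])


if __name__ == "__main__":
    # Constructed sample record; m = 3 of n = 5 storage nodes.
    secret = b"customer-record: ssn=000-00-0000 (constructed sample)"
    frags = disperse(secret, m=3, n=5)
    assert recover(frags[2:], 3) == secret        # nodes 3, 4, 5 suffice
    assert recover(frags[::2], 3) == secret       # nodes 1, 3, 5 suffice
    try:
        recover(frags[:2], 3)                     # two nodes are not enough
    except ValueError as err:
        print("expected:", err)
    print("fragment holds", fragment_size(frags), "elements for", len(secret), "bytes")
```

In a real deployment the input to disperse would be the ciphertext, not the plaintext, so that an attacker holding m fragments still faces the encryption.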

• Lock-in can also occur if the data can’t be easily exported, thus the need for portability (costly conversion, retraining, loss of data). Lack of interoperability can lock you to a vendor. “Understand up-front and plan for how to exit the contract” (the meat of the security).
• Mitigating hardware compatibility: when possible use open and published architectures with standard protocols.
• Review/audit the consistency of controls.

Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
• Four D’s of perimeter security: Deter, Detect, Delay and Deny
• Cloud backup and disaster recovery services
  - Main challenges: mobility, transfers to and from the cloud, availability, performance, scalability and metered payments
  - Disaster recovery is built on three layers: virtual storage, scalable file systems and a self-service disaster recovery application
• Customer due diligence related to BCM/DR - review the CSP’s BCP process
  - BS 25999 - the British Standard for Business Continuity Management (BCM)
  - ISO 22301 is responsible for Business Continuity
  - Traditional audits, on-site assessments, direct examination or certifications
• Business Continuity Management/Disaster Recovery due diligence
  - Providers should have a security baseline: compartmentalization, separation of duties, background checks, non-disclosure agreements, avoidance of conflicts of interest
  - Things to review: Emergency Response Team (ERT), Crisis Management Team (CMT) and the Incident Response Team (IRT)
• Restoration plan: should correlate directly to the SLA as contractually committed and include both the Recovery Point Objective (RPO) and Recovery Time Objective (RTO)
• Physical location of cloud provider - the consumer should conduct a critical evaluation of the data center’s physical location:
  - Not in areas known to have seismic activity, floods, landslides or other natural disasters
  - Not located in areas known to have high crime, political or social unrest
  - Check accessibility of the location and anything that might inhibit that

Domain 8: Data Center Operations
• Relation to Cloud Controls Matrix - the table is composed of:
  - Application Mission: contractual, legal or regulatory requirement
  - Control: security concept that is meant to mitigate risk to accomplish the mission
  - Specification: details of said control that will actually mitigate said risk
• Queries run by data center operators
• Technical aspects of a provider’s data center operations the customer should understand
• Logging and report generation in multi-site clouds: it needs software to orchestrate the logging

Domain 9: Incident Response
• Factors allowing for more efficient and effective containment and recovery in a cloud
  - Can allow for faster incident response through continuous monitoring
  - Faster recovery through virtualization and elasticity, resulting in fast containment and recovery
  - Easier portability and imaging thanks to VM moves/transfer and generating snapshots

  - VM introspection or live forensic system support (require the CSP)
  - Reducing the occurrence of application level incidents
• SLAs and IR plans should include “Lessons Learned” after the recovery
• How often should incident response testing occur? At least once a year
• Offline analysis of potential incidents -????????
• Main data source for detection and analysis of an incident
  - Logs, audit, pretty much anything you can get
  - Make sure that time is consistent (i.e. time error/time sync)
  - Is the dynamic nature of the cloud accurately captured?
• Challenges for Incident Response in the cloud
  - Automated environment does not help, but destroys evidence
  - Elastic environment makes forensics especially hard
  - There might be privacy issues in doing forensics
  - Are legal requirements met? Log retention patterns and tamper resistance
• Investigating and containing an incident in an Infrastructure as a Service environment
  - Snapshots of memory
  - Creation of hard disk images (require the CSP)
  - Advanced forensics techniques
• Investigating and containing an incident in a PaaS/SaaS environment
  - Requires almost all CSP support and has to be negotiated in the service contract

Domain 10: Application Security
• Identity, Entitlement, and Access Management (IdEA)
  - Authentication
  - Authorization
  - Administration
  - Audit & Compliance
  - Policy
• SDLC impact and implications
  - It’s typically harder in the cloud
  - Control over physical is harder
  - Potential incompatibilities
  - Protection of data through the lifecycle (transit, rest)
  - Web services can introduce more vulnerability
  - Harder to get to logs or to demonstrate compliance
  - Mitigation: least privilege / segregation of duties / defense in depth / fail safe / …
• Differences in S-P-I models
• Considerations when performing a remote vulnerability test of a cloud-based application
  - Is the multi-tenancy of it??????
• Categories of security monitoring for applications
  - Log monitoring
  - Performance monitoring
  - Monitoring for malicious use
  - Monitoring for compromise
  - Monitoring for policy violations
• Entitlement matrix - set of rules in the entitlement layer, fed by claims, assertions and attributes. So entitlement is what ultimately dictates access. The above is simply an example of an entitlement matrix.

Domain 11: Encryption and Key Management
• Adequate encryption protection of data in the cloud
• Key management best practices: location of keys, keys per user
  - Location of keys - whenever possible keys should reside with the user/enterprise. This way, in case of compromise, the data cannot be easily decrypted. An application or process may need keys, so be aware… Use KEKs (Key Encrypting Keys) or in-memory keys.
  - Keys per user - there should be one key per user so they can only encrypt/decrypt their own data. There should be a group key for when users need to share data.
• Relationship to tokenization, masking, anonymization and cloud database controls
  - Tokenization (basically doing reference substitution)
  - Data anonymization (stripping out sensitive data)
  - Masking - another word for format preserving encryption?????
  - Utilizing cloud database controls - access control based on segregation levels

Domain 12: Identity, Entitlement, and Access Management
• Relationship between identities and attributes - identity is something you are and attributes are the characteristics. Based on the two, a risk-based decision is made to allow access to resources or services. The process of mapping identities to attributes is called entitlement.
• Identity Federation - the ability to use one identity repository in another for authentication or validation purposes.

• Relationship between Policy Decision Point (PDP) and Policy Enforcement Point (PEP)
  - PEP - is user centric authorization (user)
  - PDP - determines access to resources (service provider)
• SAML and WS-Federation
• Provisioning and authoritative sources
• Terms
  - Entity - discrete types that will have identities
  - Identity - unique id person - identity plus attributes
  - Entitlement - process mapping privileges to identities and the related attributes
  - RSO - password synchronization
  - SSO - ability to pass identity and attributes to other services
  - Federation - the connection of one identity repository to another
  - Primacy - the state of being first
  - Principal - entity who can be authenticated
  - Entitlement is the process of mapping privileges
You may want to check out the videos at the end of this guide to understand the whole entitlement process. I found it easier to watch the videos and then come back to read this doc than tackling this doc head on.

Domain 13: Virtualization
• VM guest hardening, blind spots, VM sprawl, data co-mingling, instant-on gaps
  - VM Guest Hardening - typical OS and app hardening best practices
  - Blind Spot - the network security appliances are blind to data that doesn’t traverse the network (i.e. inter-VM traffic). Insert security APIs at the hypervisor.
  - VM Sprawl - VMs are so easy to deploy they can spiral out of control without process
  - Data co-mingling - the nature of having multiple VMs on the same physical hardware means that the data of one VM and another type of VM is on the same hardware
  - Instant-on gaps - pausing a VM and turning it back on (after a long time) can introduce vulnerabilities
• In-motion VM characteristics that can create a serious complexity for audits - because VMs are portable, they can be moved geographically without alert or a traceable audit trail.
• How can virtual machine communications bypass network security controls? If it passes the data between VMs in the data plane as opposed to the network plane.
• VM attack surfaces - what else is there besides the ones mentioned and VM image tampering???
• Compartmentalization of VMs - zoned approach for production, test/development and highly sensitive data

Domain 14: Security as a Service
• 10 categories
  - Identity and Access Management
  - Data Loss Prevention
  - Web Security
  - Email Security
  - Security Assessments
  - Intrusion Management
  - Security Information and Event Management (SIEM)
  - Encryption
  - Business Continuity and Disaster Recovery
  - Network Security

• Barriers to developing full confidence in Security as a Service (SECaaS)
  - Some security concerns: compliance, multi-tenancy and vendor lock-in
  - Lack of visibility into control, personnel and general compliance
  - Data leakage between virtual machine instances
• When deploying Security as a Service in a highly regulated industry or environment, what should both parties agree on in advance and include in the SLA?
  - Metrics that describe how the provider is keeping in compliance. This can in turn be used to enforce the contract or prematurely end a contract of service.
• Logging and reporting implications
  - Is this related to SIEM?????????
  - Increased analytics with semantic processing
• How can web security as a service be deployed?
  - On premise through software/appliance installation
  - Cloud by proxy - redirecting web traffic through cloud provider infrastructure
• What measures do Security as a Service providers take to earn the trust of their customers?
  - Run constant background checks that rival government background checks
  - They meet and exceed geographical and regional regulatory requirements
  - Enlist legal services to meet regional regulatory requirements
  - Data is compartmentalized and data is shared anonymously
  - Data monitored and held by the provider is anonymized in logs and audit data
• In Infrastructure as a Service (IaaS), who is responsible for guest systems monitoring?

Additional Study Resources
Here is a list of additional resources if you want to study for CCSK:
• https://collaboration.opengroup.org/jericho/cloud_cube_model_v1.0.pdf
• https://collaboration.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments%20v1.0.pdf
• How Identity, Entity and Entitlement work in the cloud: https://www.youtube.com/watch?v=6FHGe8yHeQE
• The best practices for Entitlement: https://www.youtube.com/watch?v=LhDZe7ZntvE
• CCSK overview: https://www.youtube.com/watch?v=mniY-Jay5cY&list=PL6ASplUnEA8KQsg2Czr8y5a-ICJujSW9W&index=1
• Is the cloud control matrix relevant to the CCSK test??????? https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3/
• ENISA Cloud Computing: Benefits, Risks and Recommendations for Information Security
  - Isolation failure
  - Economic Denial of Service
  - Licensing risks
  - VM hopping
  - Five key legal issues common across all scenarios
  - Top security risks in ENISA research
  - OVF
  - Underlying vulnerability in Loss of Governance
  - User provisioning vulnerability
  - Risk concerns of a cloud provider being acquired
  - Security benefits of cloud
  - Risks R.1 – R.35 and underlying vulnerabilities
  - Data controller vs data processor definitions

Public cloud B. Storage as a service is a sub-offering under which of the following categories? A. Which of the following audits ensures that controls are implemented and documented? A. SAS 70 practices D. Service Improvement of in End-User Markets D.pdf Practice Questions (From SimpliLearn): 1. Both A and C 8. Incidents management C. Software Intrusion and External Models 6. Non cloud 4. Software as a Service B.org/wp-content/uploads/2011/09/SecaaS_V1_0. SAS 70 Type I B. CSA SaaS v. Events management B. Online word processing and spreadsheet tools would fall under which of the following service models? A. ISO/IEC 27000 B.Defined Categories of service 2011 https://cloudsecurityalliance. the right to audit clause should be: A. Infrastructure as a Service D.gov/publications/nistpubs/800-145/SP800-145. SAS 70 Type III D. Risks management D.nist. Private cloud] D. SaaS .2] 3. Replaced with the compliance and monitoring clause D. Strategic Implementation of Electronic Management C. SIEM refers to: A. Software as a Service B. Over time. Security Information and Event Management] B. Both B and C 5. Increased B. which service model implies the highest level of liability? A. Suspicious intrusion detection alerts is part of A.pdf Cloud Security Alliance (SecaaS) . ISO/IEC 27002 C.2] 7. According to ENISA. CSA SaaS v. None of these ] 2. None of the above 9.NIST SP800-145 (NIST Definition of Cloud Computing) http://csrc. Google Docs is an example of: A. Platform as a Service C. Platform as a Service C. Infrastructure as a Service D. Reduced C. SAS 70 Type II C. Partner cloud C. Cloud providers that have not achieved ISO/IEC 27001 certification should align themselves with: A.

Determine data or function considered for cloud C. According to the Cloud Security Alliance (CSA).has to be signed. Electronic Stored Interface C. Determine who to contact in case of a security incident or data breach C. eradication. None of the above 16. IR C. Determine initial costs B. the number of sources that must be monitored: A. While evaluating risk for cloud. ISO/IEC 27001 C. Detection. ISO/IEC 27003 D. HIPAA B. compliance and liability are stipulated and enforced in which of the following service models? A. B. the first step is? A. the cloud customer must understand: A. PaaS C. Detection. The provider's ability to produce evidence needed for compliance . Increase minimally C. NDA D. When any expertise is outsourced --. Are the same as in any other computing environment B. laaS D. laaS D. Service levels. Determine strategy of adopting cloud 14. According to the Cloud Security Alliance (CSA). incidence. SaaS B. In a cloud environment. None of the above 13. incident. cloud service providers should use which of the following as a guideline? A. response and recovery C. Which of the following are the phases of incident recovery should the SLA guarantee support? A. Both SaaS and laaS 10. All of these 11. E-mail Storage interface B. A. Decrease substantially D. Make commitments to customers regarding security D. None of the above 12. response and recovery B. all of the above 18. and recovery D. analysis. ESI stands for: A. ISO/IEC 35000 19. Determine important of data or function D. containment. PaaS C. Analysis. Ensure adequate resource division B. Increase exponentially 15. The nature of cloud computing means that it is more difficult to: A. Removed 17. ISO/IEC 27000 B. Electronically Stored Information D. governance.

Encrypted Disaster or Solution D. Policies C. Cloud computing B. According to the Cloud Security Alliance (CSA). One deployment model for cloud services B. Enterprise digital rights management 27. All of the above 20. Agile computing D. Accepted B. Four deployment models for cloud services 24. Processes D. According to the CSA's (Cloud security alliance's) risk assessment framework. B. The 'ability to run multiple operating systems on a single physical system and share the underlying hardware resources' is referred as: A. 28. Platform as a Service C. Monitor the service provider's performance and test for system vulnerabilities. Which of the following is NOT a recommendation for the 'create' phase of the data security lifecycle? A. Mitigated D. Identification of data labeling and classification capabilities. Economic Denial of Service B. Improvements in which of the following areas would lead to improvements for all cloud service customers? A. Software as a Service B. All of the above 23. Transferred C. there are A. risks may be --- A. Two deployment models for cloud services C. User tagging to classify data. The acronym EDoS refers to: A. In SaaS. Grid computing C. All of these 22. C. None of the above 25. Have reasonable security that data breaches will not happen. the cloud services agreement must allow the client or third party to: A. B. Retain ownership of the data in original format. D. Environmental Domain of Service C. C. Leveraging of content discovery tools D. Infrastructure as a Service D. Rackspace Cloud is an example of: A. Three deployment models for cloud services D. B. Virtualization 21. The customer's role in bridging the gap between auditor and service provider D. Adjust the process for responding to legal requests at any time. Cloud cube model illustrates -- A. Engineered Data on Servers 26. The division of compliance responsibilities between the consumer and provider C. Physical location of deployment models . Tools B.

All of the above 33. None of the above 32. Which of the following scenarios begins with a crisis of confidence in the cloud provider's financial position? A. Be done regardless of the provider's certifications C. Highly Interfering Performance and Auditing C. cloud service providers audit should be done? A. if the provider has adequate certifications D. It is more extensible than the SaaS model D. OpenCrowd cloud solutions C. Cloud Security Alliance B. does the consumer have control over application hosting environment configurations? A. SaaS B. Management and ownership D. All of the above 36. Jericho forum D. PaaS C. Providers may be able to leak customer data to third parties D. Customers may be locked into a contract with a provider for many years B. Customers may not be able to retrieve their data C. which of the following clauses should be obtained whenever possible? A. All of the above 29. In which model. Change management reports D. Cloud cube model was developed by --- A. Right to Withdraw Clause . Cloud service customers should develop evidence-collecting processes for which of the following areas? A. It enables developers to build their own applications on top of the platform B. GoGrid 30. B. The worst case scenario in a 'run on the banks' situation is that: A. Be waived. System configurations B. In which of the following cases. Highly Intelligent Performance and Accounting B. A 'mass exodus' scenario C. Health Insurance Portability and Accountability D. Audit logs C. There are not as many security options as SaaS within this model\ 35. Right to Audit Clause B. An upcoming financial audit B. HIPAA stands for: A. It offers less customer ready features than SaaS C. None of the above 37. None of the above 31. Be done by the customer only B. A 'run on the banks' scenario D. Deployment models C. laaS D. Which of the following is NOT true about PaaS? A. Customer data may be made publicly available 34. According to the Cloud Security Alliance (CSA).

Software and hardware are tightly coupled 45. Which of the following is not a category of infrastructure services? A. A. Storage B. Services Management D. Incidents management D. None of the above 41. Single OS image per machine B. What kind of provisioning is standardized in OASIS' Service Provision Markup Language (SPML)? A. 2004 D. What is recommended to enterprises adopting cloud? A. Resources 44. When an attacker uses a customer' resources for his/her own gain. Economic Denial of Service D. costly infrastructure D. Inflexible. Provisioning C. C. Data Transferability Clause 38. Risk based approach C. Disaster management C. Since ----. Which of the following assets are supported by cloud? A. Profit based approach B. Data and applications/functions/processes D. Pull-style provisioning 39. Transport provisioning C. Distributed Denial of Service C. Integration 43. Data and resources B. 2002 C. Security Breach Clause D. Push-style provisioning D. All of the above 40. Systems B. Applications and processes/functions C. Compute C. Lateral provisioning B. Data breaches is a part of: A. Security based approach . Diminished Domain of Service B. Engineered Denial of Service 42. Hardware-independence of operating system and applications C. according to the Cloud Security Alliance (CSA)? A. this may be referred to as: A. Which of the following is a characteristic of virtualization? A. Personnel D. 2000 B. Which of the following should not demonstrate compartmentalization by cloud providers. 2006 46. Events management B. the Federal Rules of Civil Procedure require the inclusion of electronically- stored information when responding to discovery requests.

52. When considering compliance with accepted frameworks and standards. All of the above 50. CSA SaaS v. Private cloud D. Are the same as in any other computing environment B. None of these Explanation: Suspicious intrusion detection alerts is part of incident management. Risks management D. Increase minimally C. Increase exponentially ANSWERS( 51. SAS 70 practices D. the right to audit clause should be: . Events management B. Over time. cloud architecture D. compliance architecture. Security architecture.2 Explanation: Providers that have not achieved ISO/IEC 27001 certification should align themselves with ISO/IEC 27002 53. cloud architecture. Decrease substantially D. which service model implies the highest level of liability? A. Cloud providers that have not achieved ISO/IEC 27001 certification should align themselves with: A. none of the above 48. Security Operations Center D. Strategic Overview Card B. security architecture and cloud architecture B. According to ENISA. Service Office Catalogue 49. Non cloud Explanation: According to ENISA. private cloud model implies the highest level of liability 54. Cloud service classroom. Incidents management C. Partner cloud C. Public cloud B. laaS D. PaaS C. the number of security notifications: A. one should consider -- A. SOC refers to: A. does the consumer have limited user-specific configuration settings? A. ISO/IEC 27000 B. cloud service classification C. In a cloud environment. Privacy based approach 47. Suspicious intrusion detection alerts is part of Original number +50 ) A. Standard Operations Credentials C. In which of these models. Compliance architecture. ISO/IEC 27002 C. SaaS B. D.

55. SIEM refers to: A. Security Information and Event Management B. Strategic Implementation of Electronic Management C. Service Improvement of in End-User Markets D. Software Intrusion and External Models
Answer: A. SIEM stands for Security Information and Event Management.
56. Which of the following audits ensures that controls are implemented and documented? A. SAS 70 Type I B. SAS 70 Type II C. SAS 70 Type III D. CSA SaaS v.2
Answer: D, according to the source key (CSA SaaS v.2 ensures that controls are implemented and documented).
57. Online word processing and spreadsheet tools would fall under which of the following service models? A. Software as a Service B. Platform as a Service C. Infrastructure as a Service D. Both A and C
Answer: A. Online tools are examples of Software as a Service.
58. Google Docs is an example of: A. SaaS B. PaaS C. IaaS D. None of the above
Answer: A. Google Docs is an example of SaaS.
59. Storage as a service is a sub-offering under which of the following categories? A. Software as a Service B. Platform as a Service C. Infrastructure as a Service D. Both SaaS and IaaS
Answer: C. It is an offering of IaaS.
60. The nature of cloud computing means that it is more difficult to: A. Ensure adequate resource division B. Determine who to contact in case of a security incident or data breach C. Make commitments to customers regarding security D. All of these
Answer: D. All three become harder when infrastructure, data and responsibilities are shared with a provider.
61. Which of the following are the phases of incident recovery that the SLA should guarantee support for? A. Detection, analysis, containment, eradication and recovery B. Analysis, incident, response and recovery C. Detection, incidence, response and recovery D. Incident, response and recovery
Answer: A. Detection, analysis, containment, eradication and recovery are the phases of incident recovery, and the SLA must ensure they are covered.

62. When any expertise is outsourced, --- has to be signed. A. HIPAA B. IR C. NDA D. None of the above
Answer: C. An NDA has to be signed when outsourcing expertise. NDA stands for Non-Disclosure Agreement.
63. While evaluating risk for cloud, the first step is? A. Determine initial costs B. Determine the data or function considered for cloud C. Determine the importance of the data or function D. Determine the strategy for adopting cloud
Answer: B. While evaluating risk for cloud, the first step is to determine the data or function being considered for the cloud.
64. In a cloud environment, the number of sources that must be monitored: A. Are the same as in any other computing environment B. Increase minimally C. Decrease substantially D. Increase exponentially
Answer: D. Since resources are provisioned elastically on demand, the number of sources to monitor grows exponentially with them.
65. ESI stands for: A. E-mail Storage Interface B. Electronic Stored Interface C. Electronically Stored Information D. None of the above
Answer: C. ESI stands for Electronically Stored Information.
66. Service levels, governance, compliance and liability are stipulated and enforced in which of the following service models? A. SaaS B. PaaS C. IaaS D. All of the above
Answer: D. Irrespective of the model, service levels, governance, compliance and liability are stipulated and enforced.
67. According to the Cloud Security Alliance (CSA), cloud service providers should use which of the following as a guideline? A. ISO/IEC 27000 B. ISO/IEC 27001 C. ISO/IEC 27003 D. ISO/IEC 35000
Answer: B. According to the CSA, cloud service providers should use ISO/IEC 27001 as a guideline.
68. According to the Cloud Security Alliance (CSA), the cloud customer must understand: A. The provider's ability to produce evidence needed for compliance B. The division of compliance responsibilities between the consumer and provider C. The customer's role in bridging the gap between auditor and service provider D. All of the above

Answer: D. The cloud customer must understand the provider's ability to produce evidence needed for compliance, the division of compliance responsibilities between consumer and provider, and the customer's role in bridging the gap between auditor and service provider.
69. The 'ability to run multiple operating systems on a single physical system and share the underlying hardware resources' is referred to as: A. Cloud computing B. Grid computing C. Agile computing D. Virtualization
Answer: D. The ability to run multiple operating systems on a single piece of hardware is called virtualization.
70. In SaaS, there are: A. One deployment model for cloud services B. Two deployment models for cloud services C. Three deployment models for cloud services D. Four deployment models for cloud services
Answer: the source key records none; NIST defines four deployment models (public, private, community and hybrid) that apply to every service model, so D.
71. According to the CSA's (Cloud Security Alliance's) risk assessment framework, risks may be: A. Accepted B. Transferred C. Mitigated D. All of the above
Answer: D. Risk may be mitigated, accepted or transferred as per CSA guidelines.
72. Improvements in which of the following areas would lead to improvements for all cloud service customers? A. Tools B. Policies C. Processes D. All of these
Answer: D. Tools, policies and processes are equally important and can have varied benefits.
73. Rackspace Cloud is an example of: A. Software as a Service B. Platform as a Service C. Infrastructure as a Service D. None of the above
Answer: C. Rackspace is an example of Infrastructure as a Service.
74. The acronym EDoS refers to: A. Economic Denial of Service B. Environmental Domain of Service C. Encrypted Disaster or Solution D. Engineered Data on Servers
Answer: A. EDoS stands for Economic Denial of Service.
75. Which of the following is NOT a recommendation for the 'create' phase of the data security lifecycle? A. Identification of data labeling and classification capabilities B. User tagging to classify data C. Leveraging of content discovery tools D. Enterprise digital rights management
Answer: C. Use of content discovery tools is not part of the 'create' phase.

76. According to the Cloud Security Alliance (CSA), the cloud services agreement must allow the client or a third party to: A. Retain ownership of the data in original format B. Monitor the service provider's performance and test for system vulnerabilities C. Adjust the process for responding to legal requests at any time D. Have reasonable security that data breaches will not happen
Answer: A. According to the CSA, the cloud services agreement must allow the client or a third party to retain ownership of the data in its original format.
77. Which of the following scenarios begins with a crisis of confidence in the cloud provider's financial position? A. An upcoming financial audit B. A 'mass exodus' scenario C. A 'run on the banks' scenario D. All of the above
Answer: C. A 'run on the banks' scenario starts with a crisis of confidence in the provider's financial position.
78. The worst case scenario in a 'run on the banks' situation is that: A. Customers may be locked into a contract with a provider for many years B. Customers may not be able to retrieve their data C. Providers may be able to leak customer data to third parties D. Customer data may be made publicly available
Answer: B. If the provider goes bankrupt, customers might not be able to retrieve their data.
79. In which model does the consumer have control over application hosting environment configurations? A. SaaS B. PaaS C. IaaS D. None of the above
Answer: B. In PaaS, applications can be built and hosted, and the consumer controls the application-hosting environment configuration.
80. HIPAA stands for: A. Highly Intelligent Performance and Accounting B. Highly Interfering Performance and Auditing C. Health Insurance Portability and Accountability D. None of the above
Answer: C. HIPAA stands for Health Insurance Portability and Accountability (Act).
81. The Cloud Cube Model was developed by: A. Cloud Security Alliance B. OpenCrowd cloud solutions C. Jericho Forum D. GoGrid
Answer: C. The Jericho Forum developed the Cloud Cube Model.
82. The Cloud Cube Model illustrates: A. Physical location of deployment models B. Deployment models C. Management and ownership D. All of the above
Answer: A according to the source key (the Cloud Cube Model illustrates the physical location of deployment models); note that the cube's four dimensions also cover ownership, architecture and sourcing.

83. Which of the following is NOT true about PaaS? A. It enables developers to build their own applications on top of the platform B. It offers fewer customer-ready features than SaaS C. It is more extensible than the SaaS model D. There are not as many security options as SaaS within this model
Answer: D. PaaS offers the customer more flexibility to layer on security controls than SaaS does.
84. A cloud service provider audit should: A. Be done by the customer only B. Be done regardless of the provider's certifications C. Be waived if the provider has adequate certifications D. None of the above
Answer: B. No matter what certifications the provider has, cloud service providers need to be audited.
85. Cloud service customers should develop evidence-collecting processes for which of the following areas? A. System configurations B. Audit logs C. Change management reports D. All of the above
Answer: D. Cloud service customers should develop evidence-collecting processes for system configurations, audit logs and change management reports.
86. According to the Cloud Security Alliance (CSA), which of the following clauses should be obtained whenever possible? A. Right to Audit Clause B. Right to Withdraw Clause C. Security Breach Clause D. Data Transferability Clause
Answer: A. A right-to-audit clause lets the customer verify from time to time that the provider is operating as agreed.
87. What kind of provisioning is standardized in OASIS' Service Provisioning Markup Language (SPML)? A. Lateral provisioning B. Transport provisioning C. Push-style provisioning D. Pull-style provisioning
Answer: C. SPML standardizes push-style provisioning.
88. Which of the following assets are supported by cloud? A. Data and resources B. Applications and processes/functions C. Data and applications/functions/processes D. All of the above
Answer: C. Per CSA Guidance Domain 1, assets supported by the cloud fall into two categories: data, and applications/functions/processes.
89. Data breaches are a part of: A. Events management B. Disaster management C. Incidents management D. None of the above
Answer: B according to the source key (data breaches are part of disaster management).
90. When an attacker uses a customer's resources for his/her own gain, this may be referred to as: A. Diminished Domain of Service B. Distributed Denial of Service C. Economic Denial of Service D. Engineered Denial of Service
Answer: the source key gives B (Distributed Denial of Service), but the term CSA uses for an attacker consuming a customer's pay-per-use resources is Economic Denial of Service (C); a DDoS targets availability rather than the victim's bill.

91. Which of the following is not a category of infrastructure services? A. Storage B. Services Management C. Compute D. Integration
Answer: D. Integration is not a category of infrastructure services.
92. Which of the following should not demonstrate compartmentalization by cloud providers, according to the Cloud Security Alliance (CSA)? A. Systems B. Provisioning C. Personnel D. Resources
Answer: the source key gives C (Personnel); note that CSA Guidance expects providers to demonstrate compartmentalization of systems, networks, management, provisioning and personnel, so personnel is on that list and D (Resources) is the option that is not.
93. Which of the following is a characteristic of virtualization? A. Single OS image per machine B. Hardware-independence of operating system and applications C. Inflexible, costly infrastructure D. Software and hardware are tightly coupled
Answer: B. Through the hypervisor, virtualization decouples the operating system and applications from the underlying hardware.
94. Since ----, the Federal Rules of Civil Procedure require the inclusion of electronically stored information when responding to discovery requests. A. 2000 B. 2002 C. 2004 D. 2006
Answer: D. Since 2006, the Federal Rules of Civil Procedure require the inclusion of electronically stored information when responding to discovery requests.
95. What is recommended to enterprises adopting cloud? A. Profit based approach B. Risk based approach C. Security based approach D. Privacy based approach
Answer: B. A risk-based approach is the important factor to consider.
96. In which of these models does the consumer have only limited user-specific configuration settings? A. SaaS B. PaaS C. IaaS D. None of the above
Answer: A. In SaaS the consumer controls at most limited user-specific application configuration settings.
97. SOC refers to: A. Strategic Overview Card B. Standard Operations Credentials C. Security Operations Center D. Service Office Catalogue
Answer: C. SOC refers to Security Operations Center.

98. When considering compliance with accepted frameworks and standards, one should consider: A. Security architecture, compliance architecture, cloud architecture B. Compliance architecture, security architecture and cloud architecture C. Cloud service classroom, cloud architecture, cloud service classification D. All of the above
Answer: D. All of these should be taken into serious consideration.
99. In a cloud environment, the number of security notifications: A. Are the same as in any other computing environment B. Increase minimally C. Decrease substantially D. Increase exponentially
Answer: D. With elastic, shared infrastructure the number of monitored sources, and hence of security notifications, increases exponentially.

Adding flash card information I have received from a website. Thanks to Ajay Chauhan (http://www.cram.com/flashcards/ccsk-3657367)

Q: What are the five essential characteristics of cloud computing as defined by NIST?
A: 1. On-demand self-service 2. Broad network access 3. Resource pooling 4. Rapid elasticity 5. Measured service
Q: The level of attention and scrutiny paid to enterprise risk assessments should be directly related to what?
A: The valued risk.
Q: In the majority of data protection laws, when the data is transferred to a third party custodian, who is ultimately responsible for the security of the data?
A: The data controller.
Q: What is the most important reason for knowing where the cloud service provider will host the data?
A: So that it can address the specific restrictions that foreign data protection laws may impose.
Q: Why is the size of data sets a consideration in portability between cloud service providers?
A: The sheer size of data may cause an interruption of service during a transition, or a longer transition period than anticipated.
Q: In which type of environment is it impractical to allow the customer to conduct their own audit, making it important that the operators are required to provide auditing for the customers?
A: In multi-tenant environments the operator or provider cannot normally accommodate data center visits by every customer to conduct an audit.
Q: What are the six phases of the data security lifecycle?
A: Create, Store, Use, Share, Archive, Destroy.
Q: What are the four D's of perimeter security?
A: Deter, Detect, Delay, Deny.

Q: What is the minimum that U.S. state laws require when using a Cloud Service Provider?
A: A written contract with the service provider that includes reasonable security measures.
Q: In Europe, name the group that has enacted data protection laws and the principles they follow.
A: The European Economic Area (EEA) Member States follow principles set forth in the 1995 European Union (EU) Data Protection Directive and the 2002 ePrivacy Directive as amended in 2009.
Q: How should an SDLC be modified to address application security in a cloud computing environment?
A: Organizations must adopt best practices for development, either by having a good blend of processes, tools and technologies of their own or by adopting one of the maturity models.
Q: What is the most significant reason that customers are advised to maintain in-house key management?
A: To be able to prove that all data has been deleted from the public cloud environment when exiting that environment (destroying the customer-held keys renders any remaining encrypted copies unreadable).
Q: What two types of information will cause additional regulatory issues for all SPI organizations if held as an aspect of an identity?
A: PII (Personally Identifiable Information) and SPI (Sensitive Personal Information).
Q: What measures could be taken by the cloud service provider (CSP) that might reduce the occurrence of application level incidents?
A: SaaS providers that generate extensive customer-specific application logs and provide secure storage as well as analysis facilities will ease the IR burden on the customer.
Q: Why do blind spots occur in a virtualized environment, where network-based security controls may not be able to monitor certain types of traffic?
A: Virtual machines may communicate with each other over a hardware backplane rather than a network, so that traffic never reaches the physical network monitors.
Q: When deploying Security as a Service in a highly regulated industry or environment, what should both parties agree on in advance and include in the SLA?
A: The metrics defining the service level required to achieve regulatory objectives.
Q: Economic Denial of Service (EDoS) refers to...
A: The destruction of economic resources; the worst case scenario would be bankruptcy of the customer or a serious economic impact.
Q: How does SaaS alleviate much of the consumer's direct operational responsibility?
A: The provider is responsible not only for the physical and environmental security controls, but also for the security controls on the infrastructure, the applications, and the data.
Q: What must be included between an organization and a Cloud Service Provider when the organization has contractual obligations to protect the personal information of their clients, contacts or employees, to ensure that the data are not used for secondary use and are not disclosed to third parties?
A: (no answer recorded in the source)
Q: What is a click-wrap agreement?
A: (no answer recorded in the source)
Q: How does an organization respond to the evolving nature of the cloud environment?
A: (no answer recorded in the source)
Q: (question text missing in the source; the recorded answer concerns what a litigant must produce in e-discovery)
A: All documents that pertain to the case, whether favorable to its case or the other litigant's case.
Q: What is ESI?
A: Electronically Stored Information.
Q: What are four considerations for a cloud customer to understand in reference to regulatory compliance?
A: Cross-border or multi-jurisdiction compliance issues; assignment of compliance responsibilities, including the provider's; CSP capability to show compliance; relationship between all parties, including customer, CSP, auditors and the CSP's own providers.
Q: What role do audits perform in cloud relationships?
A: Audits must be independently conducted and should be robustly designed to reflect best practice, appropriate resources, and tested protocols and standards.
Q: At what stage should compliance be addressed between an organization and a CSP?
A: At the requirement identification stage.
Q: What is multi-tenancy?
A: Use of the same resources or application by multiple customers that may belong to the same organization or to different organizations.
Q: What does a cloud service model need to include for multi-tenancy consumers?
A: Policy-driven enforcement, segmentation, isolation, governance, service levels, chargeback/billing models.
Q: What services can be shared in multi-tenancy cloud service models?
A: Infrastructure, data, metadata, services, applications.
Q: What three cloud services make up the Cloud Reference Model?
A: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS).

Q: What are the risks and pitfalls to consider in the Cloud Security Reference Model?
A: How and where cloud services are deployed; the manner in which cloud services are consumed; the types of assets, resources and information being managed; who manages them and how; which controls are selected and how they are integrated; compliance issues.
Q: How do you determine the general security posture of a service and how it relates to an asset's assurance and protection requirements?
A: Classify the cloud service against the cloud architectural model, then map the security architecture and the business, regulatory and other compliance requirements against it as a gap-analysis exercise.
Q: What is the key takeaway for security architecture?
A: The lower down the stack the CSP stops, the more security capabilities and management the consumers are responsible for implementing and managing themselves.
Q: Define SaaS
A: SaaS delivers software and its associated data hosted centrally, typically in the cloud, usually accessed by users via a web browser over the Internet.
Q: Define PaaS
A: PaaS delivers a computing platform and solution stack as a service.
Q: Define IaaS
A: IaaS delivers computer infrastructure as a service, along with raw storage and networking.
Q: List the four dimensions in the Jericho Cloud Cube Model
A: Internal (I) / External (E): physical location; Proprietary (P) / Open (O): state of ownership; Perimeterised (Per) / De-perimeterised (D-p): architectural mindset (including the re-perimeterization of enterprise networks); Insourced / Outsourced: who provides the cloud service.
Q: List the four cloud deployment models
A: Public; Private (internal/external); Hybrid; Community.
Q: What do cloud service brokers provide?
A: Intermediation, monitoring, transformation/portability, governance, provisioning and integration services, and relationship negotiation between CSPs and consumers.
Q: What is included in a Service Level Agreement (SLA)?
A: Service levels, security, governance, compliance, and the liability expectations of the service and provider.
Q: What are the two types of Service Level Agreement (SLA)?
A: Negotiable and non-negotiable.
Q: Name the five basic principles followed in corporate governance
A: Auditing supply chains; board and management structure and process; corporate responsibility and compliance; financial transparency and information disclosure; ownership structure and exercise of control rights.
Q: Define Corporate Governance
A: The set of processes, customs, policies, laws and institutions affecting the way an enterprise is directed, administered or controlled.
Q: Define Enterprise Risk Management
A: The methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.
Q: Define Information Risk Management
A: The process of identifying and understanding exposure to risk and the capability of managing it, aligned with the risk appetite and tolerance of the data owner.
Q: List the four risk responses identified and analyzed by management in a cloud environment
A: Avoidance: exiting the activities giving rise to risk; Reduction: taking action to reduce the likelihood or impact related to the risk; Share or insure: transferring or sharing a portion of the risk to finance it; Accept: no action is taken due to a cost/benefit decision.
Q: What should be specifically targeted in the assessment of a CSP's third party service providers?
A: Incident management, business continuity and disaster recovery policies, processes and procedures; review of co-location and back-up facilities.

Q: How should the cost savings obtained by cloud computing services be utilized?
A: Reinvest them into increased scrutiny of the security capabilities of the provider, application of security controls, and ongoing detailed assessments and audits to ensure requirements are continuously met.
Q: Define Private Cloud
A: The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or by a third party and may be located on-premise or off-premise.
Q: Define Public Cloud
A: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
Q: What is a CSP's supply chain?
A: Their service provider relationships and dependencies.

It may also be worth visiting the following site for additional CCSK training information: CCSK Training Link

[1] Cloud Service Provider
[2] Digital Rights Management