The CCSK Study Guide

Revision : 0.7
Created Dated: January 5th, 2015
Last Modified: November 24th, 2015

Contributor Organization Country

Alejandro Castillo FireEye Inc United States of America

Peter HJ van Eijk Club Cloud Computing Netherlands

Ajay Chauhan SafeNet United Kingdom

Ash Thakrar PwC United Kingdom

David Glosser Regeneron Pharmaceuticals United States of America

Please Scroll down to find the actual study guide

If you found any part of this guide helpful please provide a like or some feedback to the
following link:

https://www.linkedin.com/groups/CCSK-study-guide-OpenSource-
4071935.S.5958007520671911936?view=&gid=4071935&item=5958007520671911936&typ
e=member&commentID=discussion%3A5958007520671911936%3Agroup%3A4071935

If you wish to contribute feel free to type your suggestions and they will be taken accordingly.
CCSK Key Examination Concepts
CSA Guidance For Critical Areas of Focus in Cloud Computing V3.0 English

Based on research that I have seen online, it is suggested that 2,5,10 and 12 are heavily
tested. Especially 5. Attention should be placed to Risk and Challenges.
Victor said this was the some of the most quizzed areas:
Reading the material is extremely time consuming, Incident response and Identity and Access
Management seem to have the most material.
Domain 1 Architecture
Summary
SPI = Software, Platform and Infrastructure as a service.
Cloud formations = the forms of cloud computing or the way its deployed.
Cloud benefits - collaboration, agility, scaling, availability, reduced cost, optimized and
efficient.
Steps for evaluating risk in the cloud
1. Determine what data to send to the cloud - (1) Data (2)
Application/Function/Processes
2. Determine the data or function is
3. Determine the best deployment model (For models look at NIST model below)
4. Evaluate the potential cloud providers
NIST Definition of Cloud Computing (Essential Characteristics, Cloud Service
Models, Cloud Deployment Models)

Multi-Tenancy (NIST doesnt have it, but CSAs cloud model includes it as an
essential:)
Policy Enforce Governance
Segmentation SLA
Isolation Chargeback
The problem with multi-tenancy is visibility of residual data or traces of operations of tenants.
CSA Cloud Reference Model ( Also known as service models)
IaaS - Most flexible, possibly the least secure, and customers responsible for
most of the security mechanisms
PaaS - Enormous flexibility, but not quite as flexible.
SaaS - Least Flexible, possibly most secure and dependency on provider
You can outsource a lot of manageability, but not accountability.
Jericho Cloud Cube Model
The four sides/eight
dimensions
I/O - Insourced or
Outsourced
I/E - Internal or
External
O/P - Open or
Proprietary
P/D - Perimeter
Least to most
mature
1. Outcome/Va
lue
2. Process
3. Software
4. Platform
5. Infrastructur
e

Cloud Security Reference Model - possible definition on page 20 third paragraph

 Cloud Service Brokers - Middleman/Middleware act like proxies between the cloud and the
consumer. This is done to provide an abstraction of incapabilities between the customer and
the cloud to allow for fluidity and agility.
Service Level Agreements
Negotiable and nonnegotiable.
Security Level,security, governance, compliance, and liability expectation
Most of the control and security will be held in the SLA - auditing provides
affirmation and really specifies the level of security in SaaS
Even Private Clouds may have multitenancy (multiple projects, third party consultants,
contractors, part-timers,etc)

Domain 2: Governance and Enterprise Risk Managementcvx

Contractual Security Requirements
processes, customs, policies, laws and institution
Enterprise and Information Risk Management
Measure, manage and mitigate uncertainty
Avoidance, Reduction, Share/Insure/Transfer and Accept
Third Party Management Recommendations
Contracts are risk management tools with metrics/audits to ensure
accountability.
SLAs must cascade downwards from Provider to Third Party and supply
chain
 Incident Management , business continuity, and disaster recovery policies,
and processes and procedures, along with review of co-locations and backup
facilities must be part of the background check assessment.
Supply chain examination
Risk is inherited throughout the supply chain
Use of Cost Savings for Cloud
Should be re-invested to scrutinize the security capabilities of the provider.
Audit might be hard due to an elastic environment
The major part for most of the governance will be the contract between the provider and
customer.
Domain 3: Legal Issues: Contracts and Electronic Discovery
Consideration of cloud-related issues in three dimensions : Monitoring, testing,
evaluation???
eDiscovery considerations - In the US you must give everything to the requesting party
even if it is not in your favor. It must also be protected and well stored (this is called a legal
hold)
Jurisdictions and data locations - The client is responsible for the data even though they
might not have access. Thus they need the CSP[1], however it should be written into the
contract. In terms ofjurisdiction it depends on where the legal court is in?
Liability for activities of subcontractors
Due diligence responsibility - Identify legal barriers and insure they are addressed in
contract.
Federal Rules of Civil Procedure and electronically stored information -ESI for holding
Metadata - its data about data
Litigation hold - obligation to undertake reasonable steps to prevent destruction or
modifications of data or the information processing.

Domain 4: Compliance and Audit Management

Definition of Compliance: the awareness and adherence to obligations (laws, policies,
contracts, etc), including the assessment and prioritization of corrective actions deemed
necessary and appropriate.
Right to audit - gives customers the ability to audit the cloud provider and provide for
transparency/accountability.
Compliance impact on cloud contracts- geographical locations and legal jurisdictions.
Audit scope and compliance scope - laws and regulations one must comply with.
Compliance analysis requirements - include legal, procurement and contract teams to
identify them. These will likely include contracts, laws, regulations, policies and various other
things.
Auditor requirements - Cloud aware , SSAE 16 SOC2 or ISAE 3402 Type 2.
CSP/Third party review of how information is stored, processed and transmitted across
borders with many different laws in those places as well as the ones we must comply with.
Third parties should be picked out in advance and reviewed.
Right to transparency - can view or request a push to view the stats of the environment.

Domain 5: Information Management and Data Security

Six phases of the Data Security Lifecycle and their key elements:
Create-Store-Use-Share-Archive-Destroy
 Volume storage: virtual hard drives (data dispersion to support resiliency and
security)
Object storage: File storage (Can typically be accessed y APIs or web interface)
Logical vs physical locations of data
Potential issues from regulatory, contractual and other jurisdictional issues
are extremely important to understand both the logical and physical location
of the data.
Three valid options for protecting data
Client application Encryption
Link/Network Encryption
Proxy Based Encryption
Data Loss Prevention: Used for content delivery and to monitor data in motion
Actions: Block or allow to proceed after remediation (DRM[2], ZIP, PGP)
Deployment may be done using any of the following:
Dedicated Appliance
Virtual Appliance
Endpoint agent
Hypervisor agent
DLP SaaS
Detection Data Migration to the Cloud
Encryption in IaaS, PaaS & SaaS
IaaS - Volume Storage Encryption
Instance Managed encryption
Externally Managed encryption
Proxy Encryption
PaaS
Client/Application encryption
Database Encryption
Proxy Encryption
SaaS
Provider-Managed Encryption
Proxy Encryption
Database Activity Monitoring (DAM) and File Activity Monitoring (FAM): Can be used
to detect and monitor attacks.
 DAM: captures and records all DB SQL activity including database activity,
across multiple database platforms, and can generate alerts on policy
violations.
DAM tools are typically agent-based connecting to a central collection
server (which is typically virtualized). It is used with dedicated
database instances for a single customer, although in the future may
be available for PaaS)
FAM: Products that monitor and record all activity within a designated file
repositories at the user level and can generate alerts based on violations.
FAM tools require agents or placing a physical appliance between the
cloud storage and the cloud consumer.
Data Backup - ?????
Data Dispersion: It spreads data across (Data fragmentation) make it more resilient and
harder to compromise. Usually does it by using an Information DispersalAlgorithm (IDA), no
encryption is used in dispersion.
Data Fragmentation: When fragmentation is used along side encryption it becomes hard to
compromise as you have to compromised m cloud nodes with fragments and then still break
encryption.

Domain 6: Interoperability and Portability

Definitions of Portability and Interoperability
Interoperability: The requirement for the components in a cloud ecosystem to
work together to produce the intended result
Portability: defines the ease of the ability to which applications components
can be moved and reused elsewhere regardless of provider, platform, OS,
infrastructure, location, storage, the format of the data or the APIs.
Virtualization impacts on Portability and Interoperability - Can help abstract hardware
for flexibility and using something like Open Virtual Format (OVF) can aid in
portability.
SAML and WS-Security - Are authentication protocols that are interoperable with
standard based systems. Using the open based SAML can help ensure portability of
identities.
Size of Data Sets - the sheer size can cause of disruption of service during transition
or can make the transition longer than it needs too. (courier may be an option)
Lock-In considerations by IaaS, PaaS & SaaS delivery models
IaaS
creation, portability, deletion and deprovisioning (removing residual
data)
Hardware based dependencies moving to virtualization
Access to system logs, traces, billing records
Interoperability and portability and feature sets moving from one cloud
to another as well as understanding dependency on legacy IaaS (cost
as well)
Who maintains crypto keys
PaaS
Tools available for secure data transfer, backup and restore
For interoperability and portability use standard syntax, Open APIs
and open standards such as Open Cloud Computing Interface (OCCI)
how to transfer to new vendor - how data is generated, maintained,
documented, performed, availible or dependent on provider.
Do testing prior to moving
SaaS
Determine which data can be preserved and migrated (escrow
service?)
Perform regular data backups
 Review/audit the consistency of controls
Mitigating hardware compatibility
Lack of interoperability can lock you to a vendor, when possible use open and published
architectures with standards protocols. Lock-in can also occur if the data cant be easily
exported thus the need for portability. (costly conversion , transfer, retraining, loss of data)
Understand up-front and plan for how to exit the contract meat of the security.

Domain 7: Traditional Security, Business Continuity, and Disaster Recovery

Four D's of perimeter security : Deter, Detect, Delay and Deny
Cloud backup and disaster recovery services
Main Challenges: mobility, transfers to and from cloud, availability, business
continuity, scalability and metered payments.
Disaster Recovery is built on three layers : Virtual Storage, Scalable file
systems and a self service disaster recovery application.
Things to review: Emergency Response team (ERT), Crisis Management
Team (CMT) and the Incident Response team (IRT)
Customer due diligence related to BCM/DR - review CSPs BCP process
BS 25999 - The British Standard for Business Continuity Management (BCM)
ISO 22301 is responsible for Business Continuity
Traditional audits, on site assessments, direct examination or certifications
Business Continuity Management/Disaster Recovery due diligence
Providers should have a security baseline
compartmentalization , background checks , Non-disclosure agreements,
separation of duties , avoidance of conflict of interests
Restoration Plan: should correlate directly to SLA, as contractually committed and
include both the Recovery Point Objective (RPO) and Recovery Time Objective
(RTO)
Physical location of cloud provider
The consumer should conduct a critical evaluation of the data centers
physical location
not in areas known to have seismic activity, floods, landslides or other natural
disasters
not located in areas known to have high crimes, political or social unrest
Check accessibility of the location and anything that might inhibit that.

Domain 8: Data Center Operations

Relation to Cloud Controls Matrix - Table compromise of:
Application Mission : Contractual, legal or regulatory requirement
Control: Security Concept that is meant to mitigate risk to accomplish mission
Specification: Details of said control that will actually mitigate said risk
Queries run by data center operators
Technical aspects of a Provider's data center operations customer should understand
Logging and report generation in multi-site clouds: it needs software to orchestrate the
logging

Domain 9: Incident Response

Factor allowing for more efficient and effective containment and recovery in a cloud
Can allow for faster incident response through continuous monitoring
Faster recovery through virtualization and elasticity resulting in fast
containment and recovery
Easier portability and imaging thanks to VM moves.
Main data source for detection and analysis of an incident
Logs - audit, error, performance, pretty much anything you can get
Make sure that time is consistent (i.e. time sync)
Is the dynamic nature of the cloud accurately capture
 Are legal requirements met
log retention patterns and tamper resistant
Investigating and containing an incident in an Infrastructure as a Service environment
snapshots of memory
creation of hard disk images require the CSP
advance forensics techniques, generating snapshots,VM introspection or live
forensic system support require the CSP
Reducing the occurrence of application level incidents
SLAs and IR plans should include Lesson Learned after the recovery
How often should incident response testing occur
At least once a year
Offline analysis of potential incidents -????????
Challenges for Incident Response in the cloud
Automated environment does not help, but destroys evidence
Elastic environment makes forensic especially hard
There might be privacy issues in doing forensics
Investigating and containing an incident in an PaaS/SaaS environment
Requires almost all CSP support and has to be negotiated in the Service Contract
Domain 10: Application Security
Identity, Entitlement, and Access Management (IdEA)
Authentication
Authorization
Administration
Audit & Compliance
Policy
SDLC impact and implications
Its typically harder in the cloud
control over physical is harder
potential incompatibilities
protection of data through lifecycle (transit, rest)
web services can introduce more vulnerability
harder to get to logs or to demonstrate compliance
Mitigation
Least Privilege/Segregation of duties/Defense in depth/fail safe/.
Differences in S-P-I models
Consideration when performing a remote vulnerability test of a cloud-based
application
Is the multi-tenancy of it??????
Categories of security monitoring for applications
Log Monitoring
Performance Monitoring
Monitoring for Malicious use
Monitoring for compromise
Monitoring for policy violations
Entitlement matrix - set of rules into entitlement layer
fed by claims
assertion
attributes
The above is simply an example of an entitlement matrix

Domain 11: Encryption and Key Management

Adequate encryption protection of data in the cloud
Key management best practices, location of keys, keys per user
best practice
location of keys
Whenever possible keys should reside with the user/enterprise. This
way in case of compromise the data can not be easily decrypted
Application or process may need keys so be aware
Use KEK (Key Encrypting Keys) or in memory keys
keys per user
There should be one key per user so they can only encrypt/decrypt
their own data
There should be a group key for when users need to share data.
Relationship to tokenization, masking, anonymization and cloud database controls
Tokenization (Basically doing reference substitutions
Data Anonymization (Stripping out sensitive data)
Masking - Another word for format preserving encryption?????
Utilizing Cloud database controls - access control based on segregation
levels

Domain 12: Identity, Entitlement, and Access Management

Relationship between identities and attributes
Identity is something you are and attributes are the characteristics. Based on
the two a characteristics a risk based decision done to allow access to
resources or services. The process of mapping identities to attributes is called
entitlement. So entitlement is what ultimately dictates access.
Identity Federation
The ability to use one identity repository in another for authentication or
validation purposes
 Relationship between Policy Decision Point (PDP) and Policy Enforcement Point
(PEP)
PEP - is user centric authorization (user)
PDP - determines access to resources (service provider)
SAML and WS-Federation
Provisioning and authoritative sources
You may want to check out the videos at the end of this guide to understand the whole
entitlement process. I found it easier to watch the videos and then come back to read this
doc then tackling this doc heads on.
Entity - Discretes types that will have identities
Identity - Unique id
person - identity plus attributes
Entitlement - process mapping privileges to identities and the related attributes
RSO - password synchronization
SSO - ability to pass identity and attributes to other services
Federation - the connection of one identity repository to another.
Primacy - the state of being first
principle - entity who can be authenticated
Entitlement is the process of mapping privileges
Domain 13: Virtualization
VM guest hardening, blind spots, VM Sprawl, data co-mingling, instant-on gaps
VM Guest Hardening - typical OS and app hardening best practices
Blind Spot - The network security appliances are blind to data that doesnt
transverse the network (i.e. inter-VM traffic). Insert security APIs at the
hypervisors.
VM Sprawl - VMs are so easy to deploy they can spiral out of control without
process
Data co-mingling - the nature of having multi-vm on the same physical
hardware means that the data of one VM and another type of VM is on the
same hardware
instant-on gaps - Pausing a VM and turning it back on (after a long time) can
introduce vulnerabilities
In-Motion VM characteristics that can create a serious complexity for audits
Because VM are portable, they can moved geographically without alert or
traceable audit trail.
How can virtual machine communications bypass network security controls
If it passes the data between VMs in the data plane as opposed to the
network plane
VM attack surfaces
What else is there besides the ones mentioned and VM image tampering???
Compartmentalization of VMs
Zoned approach for production, test/development and highly sensitive data

Domain 14: Security as a Service

10 categories
Identity and Access Management
Data Loss Prevention
Web Security
Email Security
Security Assessments
Intrusion Management
Security Information and Event Management (SIEM)
Encryption
Business Continuity and Disaster Recovery
Network Security
 Barriers to developing full confidence in security as a service (SECaaS)
Some security concerns: compliance, multi-tenancy and vendor lock-in
Lack of visibilities into control, personnel and general compliance
Data leakage between virtual machine instances
When deploying Security as a Service in a highly regulated industry or environment,
what should both parties agree on in advance and include in the SLA
Metrics that describe how the provider is keeping in compliance. This can in
turn be used to enforce the contract or prematurely end a contract of service
Logging and reporting implications
Is this related to SIEM?????????
How can web security as a service be deployed
on premise through software/appliance installation
Cloud by proxy
redirecting web traffic through cloud provider infrastructure
What measures do Security as a Service providers take to earn the trust of their
customers
run constant background checks that rival government background checks
they meet and exceed requirement geographical and regional regulations
enlist legal services to meet regional regulatory requirement
Data is compartmentalized and data is shared anonymously
Data monitored and held by the provider is anonymized in logs and audit
data.
Increased analytics with semantic processing.

Is the cloud control matrix relevant to the CCSK test???????

https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3/
ENISA Cloud Computing: Benefits, Risks and Recommendations for Information
Security
Isolation failure
Economic Denial of Service
Licensing Risks
VM hopping
Five key legal issues common across all scenarios
Top security risks in ENISA research
OVF
Underlying vulnerability in Loss of Governance
User provisioning vulnerability
Risk concerns of a cloud provider being acquired
Security benefits of cloud
Risks R.1 R.35 and underlying vulnerabilities
Data controller vs data processor definitions
in Infrastructure as a Service (IaaS), who is responsible for guest systems monitoring
Additional Study Resources
Here is a list of additional resources if you want to study for CCSK:
https://collaboration.opengroup.org/jericho/cloud_cube_model_v1.0.pdf
How Identity, Entity and Entitlement work in the cloud:
https://www.youtube.com/watch?v=6FHGe8yHeQE
The best practices for Entitlement.
https://collaboration.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandmen
ts%20v1.0.pdf
CCSK overview:
https://www.youtube.com/watch?v=LhDZe7ZntvE
CCSK overview:
https://www.youtube.com/watch?v=mniY-Jay5cY&list=PL6ASplUnEA8KQsg2Czr8y5a-
ICJujSW9W&index=1
NIST SP800-145 (NIST Definition of Cloud Computing)
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
Cloud Security Alliance (SecaaS) - Defined Categories of service 2011
https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf
Practice Questions (From SimpliLearn):
1. Suspicious intrusion detection alerts is part of
A. Events management
B. Incidents management
C. Risks management
D. None of these ]
2. Cloud providers that have not achieved ISO/IEC 27001 certification should align
themselves with:
A. ISO/IEC 27000
B. ISO/IEC 27002
C. SAS 70 practices
D. CSA SaaS v.2]
3. According to ENISA, which service model implies the highest level of liability?
A. Public cloud
B. Partner cloud
C. Private cloud]
D. Non cloud
4. Over time, the right to audit clause should be:
A. Increased
B. Reduced
C. Replaced with the compliance and monitoring clause
D. Both B and C
5. SIEM refers to:
A. Security Information and Event Management]
B. Strategic Implementation of Electronic Management
C. Service Improvement of in End-User Markets
D. Software Intrusion and External Models
6. Which of the following audits ensures that controls are implemented and
documented?
A. SAS 70 Type I
B. SAS 70 Type II
C. SAS 70 Type III
D. CSA SaaS v.2]
7. Online word processing and spreadsheet tools would fall under which of the following
service models?
A. Software as a Service
B. Platform as a Service
C. Infrastructure as a Service
D. Both A and C
8. Google Docs is an example of:
A. Software as a Service
B. Platform as a Service
C. Infrastructure as a Service
D. None of the above
9. Storage as a service is a sub-offering under which of the following categories?
A. SaaS
 B. PaaS
C. laaS
D. Both SaaS and laaS
10. The nature of cloud computing means that it is more difficult to:
A. Ensure adequate resource division
B. Determine who to contact in case of a security incident or data breach
C. Make commitments to customers regarding security
D. All of these
11. Which of the following are the phases of incident recovery should the SLA guarantee
support?
A. Analysis, incident, response and recovery
B. Detection, incidence, response and recovery
C. Detection, analysis, containment, eradication, and recovery
D. None of the above
12. When any expertise is outsourced --- has to be signed.
A. HIPAA
B. IR
C. NDA
D. None of the above
13. While evaluating risk for cloud, the first step is?
A. Determine initial costs
B. Determine data or function considered for cloud
C. Determine important of data or function
D. Determine strategy of adopting cloud
14. In a cloud environment, the number of sources that must be monitored:
A. Are the same as in any other computing environment
B. Increase minimally
C. Decrease substantially
D. Increase exponentially
15. ESI stands for:
A. E-mail Storage interface
B. Electronic Stored Interface
C. Electronically Stored Information
D. None of the above
16. Removed
17. Service levels, governance, compliance and liability are stipulated and enforced in
which of the following service models?
A. SaaS
B. PaaS
C. laaS
D. all of the above
18. According to the Cloud Security Alliance (CSA), cloud service providers should use
which of the following as a guideline?
A. ISO/IEC 27000
B. ISO/IEC 27001
C. ISO/IEC 27003
D. ISO/IEC 35000
19. According to the Cloud Security Alliance (CSA), the cloud customer must
understand:
A. The provider's ability to produce evidence needed for compliance
 B. The division of compliance responsibilities between the consumer and provider
C. The customer's role in bridging the gap between auditor and service provider
D. All of the above
20. The 'ability to run multiple operating systems on a single physical system and share
the underlying hardware resources' is referred as:
A. Cloud computing
B. Grid computing
C. Agile computing
D. Virtualization
21. Improvements in which of the following areas would lead to improvements for all
cloud service customers?
A. Tools
B. Policies
C. Processes
D. All of these
22. According to the CSA's (Cloud security alliance's) risk assessment framework, risks
may be ---
A. Accepted
B. Transferred
C. Mitigated
D. All of the above
23. In SaaS, there are
A. One deployment model for cloud services
B. Two deployment models for cloud services
C. Three deployment models for cloud services
D. Four deployment models for cloud services
24. Rackspace Cloud is an example of:
A. Software as a Service
B. Platform as a Service
C. Infrastructure as a Service
D. None of the above
25. The acronym EDoS refers to:
A. Economic Denial of Service
B. Environmental Domain of Service
C. Encrypted Disaster or Solution
D. Engineered Data on Servers
26. Which of the following is NOT a recommendation for the 'create' phase of the data
security lifecycle?
A. Identification of data labeling and classification capabilities.
B. User tagging to classify data.
C. Leveraging of content discovery tools
D. Enterprise digital rights management
27. According to the Cloud Security Alliance (CSA), the cloud services agreement must
allow the client or third party to:
A. Have reasonable security that data breaches will not happen.
B. Monitor the service provider's performance and test for system vulnerabilities.
C. Retain ownership of the data in original format.
D. Adjust the process for responding to legal requests at any time.
28. Cloud cube model illustrates --
A. Physical location of deployment models
 B. Deployment models
C. Management and ownership
D. All of the above
29. Cloud cube model was developed by ---
A. Cloud Security Alliance
B. OpenCrowd cloud solutions
C. Jericho forum
D. GoGrid
30. In which model, does the consumer have control over application hosting
environment configurations?
A. SaaS
B. PaaS
C. laaS
D. None of the above
31. HIPAA stands for:
A. Highly Intelligent Performance and Accounting
B. Highly Interfering Performance and Auditing
C. Health Insurance Portability and Accountability
D. None of the above
32. Which of the following scenarios begins with a crisis of confidence in the cloud
provider's financial position?
A. An upcoming financial audit
B. A 'mass exodus' scenario
C. A 'run on the banks' scenario
D. All of the above
33. The worst case scenario in a 'run on the banks' situation is that:
A. Customers may be locked into a contract with a provider for many years
B. Customers may not be able to retrieve their data
C. Providers may be able to leak customer data to third parties
D. Customer data may be made publicly available
34. Which of the following is NOT true about PaaS?
A. It enables developers to build their own applications on top of the platform
B. It offers less customer ready features than SaaS
C. It is more extensible than the SaaS model
D. There are not as many security options as SaaS within this model\
35. Cloud service customers should develop evidence-collecting processes for which of
the following areas?
A. System configurations
B. Audit logs
C. Change management reports
D. All of the above
36. In which of the following cases, cloud service providers audit should be done?
A. Be done by the customer only
B. Be done regardless of the provider's certifications
C. Be waived, if the provider has adequate certifications
D. None of the above
37. According to the Cloud Security Alliance (CSA), which of the following clauses
should be obtained whenever possible?
A. Right to Audit Clause
B. Right to Withdraw Clause
 C. Security Breach Clause
D. Data Transferability Clause
38. What kind of provisioning is standardized in OASIS' Service Provision Markup
Language (SPML)?
A. Lateral provisioning
B. Transport provisioning
C. Push-style provisioning
D. Pull-style provisioning
39. Which of the following assets are supported by cloud?
A. Data and resources
B. Applications and processes/functions
C. Data and applications/functions/processes
D. All of the above
40. Data breaches is a part of:
A. Events management
B. Disaster management
C. Incidents management
D. None of the above
41. When an attacker uses a customer' resources for his/her own gain, this may be
referred to as:
A. Diminished Domain of Service
B. Distributed Denial of Service
C. Economic Denial of Service
D. Engineered Denial of Service
42. Which of the following is not a category of infrastructure services?
A. Storage
B. Compute
C. Services Management
D. Integration
43. Which of the following should not demonstrate compartmentalization by cloud
providers, according to the Cloud Security Alliance (CSA)?
A. Systems
B. Provisioning
C. Personnel
D. Resources
44. Which of the following is a characteristic of virtualization?
A. Single OS image per machine
B. Hardware-independence of operating system and applications
C. Inflexible, costly infrastructure
D. Software and hardware are tightly coupled
45. Since ----, the Federal Rules of Civil Procedure require the inclusion of electronically-
stored information when responding to discovery requests.
A. 2000
B. 2002
C. 2004
D. 2006
46. What is recommended to enterprises adopting cloud?
A. Profit based approach
B. Risk based approach
C. Security based approach
 D. Privacy based approach

47. In which of these models, does the consumer have limited user-specific configuration
settings?
A. SaaS
B. PaaS
C. laaS
D. none of the above
48. SOC refers to:
A. Strategic Overview Card
B. Standard Operations Credentials
C. Security Operations Center
D. Service Office Catalogue
49. When considering compliance with accepted frameworks and standards, one should
consider --
A. Cloud service classroom; security architecture and cloud architecture
B. Compliance architecture; cloud architecture; cloud service classification
C. Security architecture; compliance architecture; cloud architecture
D. All of the above
50. In a cloud environment, the number of security notifications:
A. Are the same as in any other computing environment
B. Increase minimally
C. Decrease substantially
D. Increase exponentially

ANSWERS(
51. Suspicious intrusion detection alerts is part of
Original number +50 )
A. Events management
B. Incidents management
C. Risks management
D. None of these
Explanation: Suspicious intrusion detection alerts is part of incident management.
52. Cloud providers that have not achieved ISO/IEC 27001 certification should align
themselves with:
A. ISO/IEC 27000
B. ISO/IEC 27002
C. SAS 70 practices
D. CSA SaaS v.2
Explanation: Providers that have not achieved ISO/IEC 27001 certification should align
themselves with ISO/IEC 27002
53. According to ENISA, which service model implies the highest level of liability?
A. Public cloud
B. Partner cloud
C. Private cloud
D. Non cloud
Explanation: According to ENISA, private cloud model implies the highest level of liability
54. Over time, the right to audit clause should be:
 A. Increased
B. Reduced
C. Replaced with the compliance and monitoring clause
D. Both B and C
Explanation: Over a period of time, the need to audit should get reduced and should be
replaced by a compliance and monitoring clause
55. SIEM refers to:
A. Security Information and Event Management
B. Strategic Implementation of Electronic Management
C. Service Improvement of in End-User Markets
D. Software Intrusion and External Models
Explanation: SIEM stands for Security Information and Event Management
56. Which of the following audits ensures that controls are implemented and
documented?
A. SAS 70 Type I
B. SAS 70 Type II
C. SAS 70 Type III
D. CSA SaaS v.2
Explanation: CSA SaaS v.2 ensures that controls are implemented and documented.
57. Online word processing and spreadsheet tools would fall under which of the following
service models?
A. Software as a Service
B. Platform as a Service
C. Infrastructure as a Service
D. Both A and C
Explanation: Online tools are examples of Software as a Service.
58. Google Docs is an example of:
A. Software as a Service
B. Platform as a Service
C. Infrastructure as a Service
D. None of the above
Explanation: Google doc is an example of SaaS
59. Storage as a service is a sub-offering under which of the following categories?
A. SaaS
B. PaaS
C. laaS
D. Both SaaS and laaS
Explanation: It is an offering of laaS
60. The nature of cloud computing means that it is more difficult to:
A. Ensure adequate resource division
B. Determine who to contact in case of a security incident or data breach
C. Make commitments to customers regarding security
D. All of these
Explanation:All of the above mentioned reasons together make up cloud computing
61. Which of the following are the phases of incident recovery should the SLA guarantee
support?
A. Analysis, incident, response and recovery
B. Detection, incidence, response and recovery
C. Detection, analysis, containment, eradication, and recovery
D. None of the above
Explanation: Detection, analysis, containment, eradication and recovery are the phases of
incident recovery and SLA must ensure it is covered.
62. When any expertise is outsourced --- has to be signed.
A. HIPAA
B. IR
C. NDA
D. None of the above
Explanation: NDA has to be signed while outsourcing expertise. NDA stands for Non-
Disclosure Agreement.
63. While evaluating risk for cloud, the first step is?
A. Determine initial costs
B. Determine data or function considered for cloud
C. Determine important of data or function
D. Determine strategy of adopting cloud
Explanation: While evaluating risk for cloud, the first step is to determine data or function
considered for cloud
64. In a cloud environment, the number of sources that must be monitored:
A. Are the same as in any other computing environment
B. Increase minimally
C. Decrease substantially
D. Increase exponentially
Explanation: Since resources grow depending upon the demand it grows exponentially
65. ESI stands for:
A. E-mail Storage interface
B. Electronic Stored Interface
C. Electronically Stored Information
D. None of the above
Explanation:ESI stands for Electronically Stored Information
66. Remove
67. Service levels, governance, compliance and liability are stipulated and enforced in
which of the following service models?
A. SaaS
B. PaaS
C. laaS
D. all of the above
Explanation: Irrespective of the models, service levels, governance, compliance and liability
are stipulated and enforced
68. According to the Cloud Security Alliance (CSA), cloud service providers should use
which of the following as a guideline?
A. ISO/IEC 27000
B. ISO/IEC 27001
C. ISO/IEC 27003
D. ISO/IEC 35000
Explanation: According to the Cloud Security Alliance (CLA), cloud service providers
should use ISO/IEC 27001 as a guideline
69. According to the Cloud Security Alliance (CSA), the cloud customer must
understand:
A. The provider's ability to produce evidence needed for compliance
B. The division of compliance responsibilities between the consumer and provider
C. The customer's role in bridging the gap between auditor and service provider
 D. All of the above
Explanation: The cloud customer must understand; the providers ability to produce evidence
needed for compliance, the division of compliance responsibilities between consumer and
provider and the customer's role in bridging the gap between auditor and service provider.
70. The 'ability to run multiple operating systems on a single physical system and share
the underlying hardware resources' is referred as:
A. Cloud computing
B. Grid computing
C. Agile computing
D. Virtualization
Explanation: Ability to run multiple operating systems in a single hardware is called
virtualization.
71. Improvements in which of the following areas would lead to improvements for all
cloud service customers?
A. Tools
B. Policies
C. Processes
D. All of these
Explanation: Tools, policies and processes are equally important and can have varied
benefits.
72. According to the CSA's (Cloud security alliance's) risk assessment framework, risks
may be ---
A. Accepted
B. Transferred
C. Mitigated
D. All of the above
Explanation: Risk may be mitigated, accepted or transferred as per CSA guidelines
73. In SaaS, there are
A. One deployment model for cloud services
B. Two deployment models for cloud services
C. Three deployment models for cloud services
D. Four deployment models for cloud services
Explanation: NONE
74. Rackspace Cloud is an example of:
A. Software as a Service
B. Platform as a Service
C. Infrastructure as a Service
D. None of the above
Explanation: Rackspace is an example of infrastructure as a Service.
75. The acronym EDoS refers to:
A. Economic Denial of Service
B. Environmental Domain of Service
C. Encrypted Disaster or Solution
D. Engineered Data on Servers
Explanation: EdoS stands for Economic Denial of Service
76. Which of the following is NOT a recommendation for the 'create' phase of the data
security lifecycle?
A. Identification of data labeling and classification capabilities.
B. User tagging to classify data.
C. Leveraging of content discovery tools
 D. Enterprise digital rights management
Explanation: Content discovery tools usage is not part of 'create' phase
77. According to the Cloud Security Alliance (CSA), the cloud services agreement must
allow the client or third party to:
A. Have reasonable security that data breaches will not happen.
B. Monitor the service provider's performance and test for system vulnerabilities.
C. Retain ownership of the data in original format.
D. Adjust the process for responding to legal requests at any time.
Explanation: According to the Cloud Security Alliance (CSA) the cloud services agreement
must allow the client or party to retain ownership of the data in original format
78. Cloud cube model illustrates --
A. Physical location of deployment models
B. Deployment models
C. Management and ownership
D. All of the above
Explanation: Cloud cube model illustrates physical location of deployment models.
79. Cloud cube model was developed by ---
A. Cloud Security Alliance
B. OpenCrowd cloud solutions
C. Jericho forum
D. GoGrid
Explanation:Jericho forum developed cloud cube model.
80. In which model, does the consumer have control over application hosting
environment configurations?
A. SaaS
B. PaaS
C. laaS
D. None of the above
Explanation: In PaaS, applications can be built and hosted
81. HIPAA stands for:
A. Highly Intelligent Performance and Accounting
B. Highly Interfering Performance and Auditing
C. Health Insurance Portability and Accountability
D. None of the above
Explanation: HIPAA stands for Health Insurance Portability and Accountability. It is
compliance,
82. Which of the following scenarios begins with a crisis of confidence in the cloud
provider's financial position?
A. An upcoming financial audit
B. A 'mass exodus' scenario
C. A 'run on the banks' scenario
D. All of the above
Explanation: A run on the banks scenario can lead to crisis of confidence.
83. The worst case scenario in a 'run on the banks' situation is that:
A. Customers may be locked into a contract with a provider for many years
B. Customers may not be able to retrieve their data
C. Providers may be able to leak customer data to third parties
D. Customer data may be made publicly available
Explanation: In case of the provider going bankrupt, then there is a chance that the customers
might not be able to retrieve their data
 84. Which of the following is NOT true about PaaS?
A. It enables developers to build their own applications on top of the platform
B. It offers less customer ready features than SaaS
C. It is more extensible than the SaaS model
D. There are not as many security options as SaaS within this model
Explanation: PaaS offers multiple security options for customers
85. Cloud service customers should develop evidence-collecting processes for which of
the following areas?
A. System configurations
B. Audit logs
C. Change management reports
D. All of the above
Explanation: Cloud service customers should develop evidence-collecting processes for
system configurations, audit logs, and change management reports.
86. In which of the following cases, cloud service providers audit should be done?
A. Be done by the customer only
B. Be done regardless of the provider's certifications
C. Be waived, if the provider has adequate certifications
D. None of the above
Explanation: No matter what certifications provider has, cloud service providers need to be
audited.
87. According to the Cloud Security Alliance (CSA), which of the following clauses
should be obtained whenever possible?
A. Right to Audit Clause
B. Right to Withdraw Clause
C. Security Breach Clause
D. Data Transferability Clause
Explanation: Right to Audit Clause should be given from time to time to ensure everything is
as per the agreement.
88.
89. What kind of provisioning is standardized in OASIS' Service Provision Markup
Language (SPML)?
A. Lateral provisioning
B. Transport provisioning
C. Push-style provisioning
D. Pull-style provisioning
Explanation: Service Provision Markup Language uses push-style provisioning.
90. Which of the following assets are supported by cloud?
A. Data and resources
B. Applications and processes/functions
C. Data and applications/functions/processes
D. All of the above
Explanation: All the mentioned functions are actively supported by cloud
91. Data breaches is a part of:
A. Events management
B. Disaster management
C. Incidents management
D. None of the above
Explanation: Data breaches is part of disaster management.
 92. When an attacker uses a customer' resources for his/her own gain, this may be
referred to as:
A. Diminished Domain of Service
B. Distributed Denial of Service
C. Economic Denial of Service
D. Engineered Denial of Service
Explanation: When an attacker uses a customer's resources for his/her own gain, this may be
referred to as Distributed Denial of Service
93. Which of the following is not a category of infrastructure services?
A. Storage
B. Compute
C. Services Management
D. Integration
Explanation: Integration is not a category of infrastructure services
94. Which of the following should not demonstrate compartmentalization by cloud
providers, according to the Cloud Security Alliance (CSA)?
A. Systems
B. Provisioning
C. Personnel
D. Resources
Explanation: Personnel compartmentalization should not be demonstrated by the cloud
providers.
95. Which of the following is a characteristic of virtualization?
A. Single OS image per machine
B. Hardware-independence of operating system and applications
C. Inflexible, costly infrastructure
D. Software and hardware are tightly coupled
Explanation: Through hypervisor, virtualization separates hardware and OS+ applications.
96. Since ----, the Federal Rules of Civil Procedure require the inclusion of electronically-
stored information when responding to discovery requests.
A. 2000
B. 2002
C. 2004
D. 2006
Explanation: Since 2006, the Federal Rules of Civil Procedure require the inclusion of
electronically-stored information when responding to discovery requests.
97. What is recommended to enterprises adopting cloud?
A. Profit based approach
B. Risk based approach
C. Security based approach
D. Privacy based approach
Explanation: Risk based approach is an important factor to consider
98. In which of these models, does the consumer have limited user-specific configuration
settings?
A. SaaS
B. PaaS
C. laaS
D. none of the above
Explanation: Consumers do not have much of a say in SaaS offerings.
99. SOC refers to:
 A. Strategic Overview Card
B. Standard Operations Credentials
C. Security Operations Center
D. Service Office Catalogue
Explanation: SOC refers to Security Operations Center.
100. When considering compliance with accepted frameworks and standards, one
should consider --
A. Cloud service classroom; security architecture and cloud architecture
B. Compliance architecture; cloud architecture; cloud service classification
C. Security architecture; compliance architecture; cloud architecture
D. All of the above
Explanation: All these should be taken into serious consideration
101. In a cloud environment, the number of security notifications:
A. Are the same as in any other computing environment
B. Increase minimally
C. Decrease substantially
D. Increase exponentially
Explanation: With cloud all security measure have only been increased exponentially.
Adding Flash Card information I have received from a websiste - Thanks to Ajay
Chauhan (http://www.cram.com/flashcards/ccsk-3657367)

What are the five essential characteristics of 1 - Broad Network Access. 2 - Resource
Cloud computing as defined by NIST - Pooling. 3 - On-Demand service. 4 - Rapid
Elasticity. 5 - Measured Service

The level of attention and scrutiny paid to The valued Risk

enterprise risk assessments should be
directly related to what?

In the majority of data protection laws, when The Data Controller

the data is transferred to a third party
custodian, who is ultimately responsible for
the security of the data?

What is the most important reason for So that it can address the specific
knowing where the cloud service provider will restrictions that foreign data protection
host the data? laws may impose.

What are the six phases of the data security Create, Store, Use, Share, Archive,
lifecycle? destroy.

Why is the size of data sets a consideration The sheer size of data may cause an
in portability between cloud service interruption of service during a transition,
providers? or a longer transition period than
anticipated.

What are the four D's of perimeter security? Deter, Detect, Delay, Deny

In which type of environment is it impractical In multi-tenant environments the operator

to allow the customer to conduct their own or provider cannot normally accommodate
audit, making it important that the data center visits by every customer to conduct an
operators are required to provide auditing for audit.
the customers?
What measures could be taken by the cloud
service provider (CSP) that might reduce the
occurrence of application level incidents?
How should an SDLC be modified to address
application security in a Cloud Computing
environment?
What is the most significant reason that
customers are advised to maintain in-house
key management?
What two types of information will cause
additional regulatory issues for all
organizations if held as an aspect of an
Identity?
Why do blind spots occur in a virtualized
environment, where network-based security
controls may not be able to monitor certain
types of traffic?
When deploying Security as a Service in a
highly regulated industry or environment,
what should both parties agree on in advance regulatory objectives
and include in the SLA?
Economic Denial of Service (EDOS), refers
to
How does SaaS alleviate much of the
consumer's direct operational responsibility?
In Europe, name the group that has enacted
data protection laws and the principles on
which they follow.
What is the minimum that U.S. state laws
require when using a Cloud Service
Provider?
What must be included between an
organization and a Cloud Service Provider
when the organization has contractual
SaaS providers that generate extensive
customer-specific application logs and
provide secure storage as well as analysis
facilities will ease the IR burden on the
customer.
Organizations must adopt best practices
for development, either by having a good
blend of processes, tools, and
technologies of their own or adopting one
of the maturity models.
To be able to prove that all data has been
deleted from the public cloud environment
when exiting that environment.
PII - Personal Identifiable Information
SPI - Sensitive Personal Information
Virtual machines may communicate with
each other over a hardware backplane,
rather than a network.
Agreement on the metrics defining the
service level required to achieve
The destruction of economic resources;
the worst case scenario would be
bankruptcy of the customer or a serious
economic impact
The provider is not only responsible for the
physical and environmental security
controls, but it must also address the
security controls on the infrastructure, the
applications, and the data.
The European Economic Area (EEA)
Member States follow principles set forth
in the 1995 European Union (EU) Data
Protective Directive and the 2002 ePrivacy
Directive as amended in 2009.
Written contract with the service provider
with reasonable security measures.
What must be included between an
organization and a Cloud Service Provider
when the organization has contractual
obligations to protect the personal
information of their clients, contacts or
employees, to ensure that the data are not
used for secondary use and are not disclosed
to third parties?
What is a click-wrap agreement?
How does an organization respond to the
evolving nature of the cloud environment?
How does an organization respond to the
evolving nature of the cloud environment?
What is ESI?
What are four considerations for a cloud
customer to understand in reference to
regulatory compliance?
What role do audits perform in the cloud
relationships?
At what stage should compliance be
addressed between an organization and
CSP?
What is multi-tenancy?
What does a cloud service model need to
include for multi-tenancy consumers?
What services can be shared in multi-tenancy Infrastructure
cloud service models?
What three cloud services make up the Cloud Infrastructure as a Service (IaaS)
Reference Model?
obligations to protect the personal
information of their clients, contacts or
employees, to ensure that the data are not
used for secondary use and are not
disclosed to third parties?
What is a click-wrap agreement?
How does an organization respond to the
evolving nature of the cloud environment?
All documents that pertain to the case
whether favorable to its case or the other
litigant's case.
Electronically Stored Information
Cross-border or multi-jurisdiction
- Assignment of compliance
responsibilities including the providers
- CSP capability to show compliance
- Relationship between all parties
including customer, CSP, auditors and
CSP providers
Audits must be independently conducted
and should be robustly designed to reflect
best practice, appropriate resources, and
tested protocols and standards.
Requirement identification stage
Use of same resources or application by
multiple customers that may belong to the
same organization or a different
organization.
Policy-driven enforcement
Segmentation
Isolation
Governance
Service Levels
Chargeback/billing models
Data
Metadata
Services
Applications
Platform as a Service (PaaS)
Software as a Service (SaaS)
Define IaaS
Define PaaS
Define SaaS
List the four dimensions in the Jericho Cloud
Cube Model
List the four cloud deployment models
What is the key takeaway for security
architecture?
What are the risks and pitfalls to consider in
the Cloud Security Reference Model?
How do you determine the general security
posture of a service and how it relates to an
asset's assurance and protection
requirements?
What do cloud service brokers provide?
IaaS delivers computer infrastructure as a
service along with raw storage and
networking.
PaaS delivers computing platform and
solution stack as a service.
SaaS delivers software and its associated
data hosted centrally typically in the cloud
and are usually accessed by users via a
web browser over the Internet.
Internal (I) / External (E): Physical
Location
- Proprietary (P) / Open (O): State of
Ownership
- Perimeterised (Per) / De-perimeterised
(D-p): Architectural mindset
- Insourced / Outsourced: Who provides
the cloud service
Public
Private - internal/external
Hybrid
Community
The lower down the stack the CSP stops,
the more security capabilities and
management consumers are responsible
for implementing and managing
themselves.
How / where cloud service are deployed
- Manner in which cloud services are
consumed
- Re-perimeterization of enterprise
networks
- Types of assets, resources and
information being managed
- Who manages them and How
- which controls are selected and How
they are integrated
- compliance issues
Classify a cloud service against the cloud
architectural model
- Map the security architecture and
business, regulatory, and other
compliance requirements as a gap-
analysis exercise
Intermediation
- Monitoring
- Transformation/portability
- Governance

What are included in a Service Level
Agreement (SLA)?
What are two types of Service Level
Agreements (SLA)?
Name the five basic principles followed in
Corporate Governance.
Define Corporate Governance
Define Information Risk Management
Define Enterprise Risk Management
List four of the specific risks identified and
analyzed by management in a cloud
environment.
What should be specifically targeted in the
assessment of a CSP's third party service
providers?
- Provisioning
- Integration services
- Relationship negotiation between CSP
and consumers
Service levels
- Security
- Governance
- Compliance
- Liability expectations of the service and
provider
Negotiable
Non-negotiable
Auditing supply chains
- Board and management structure and
process
- Corporate responsibility and compliance
- Financial transparency and information
disclosure
- Ownership structure and exercise of
control rights
The set of processes, technologies,
customs, policies, laws and institutions
affecting the way an enterprise is directed,
administered or controlled.
The process of identifying and
understanding exposure to risk and the
capability of managing it, aligned with the
risk appetite and tolerance of the data
owner.
The methods and processes used by
organizations to manage risks and seize
opportunities related to the achievement of
their objectives.
Avoidance: exiting the activities giving rise
to risk
- Reduction: taking action to reduce the
likelihood or impact related to the risk
- Share or insure: transferring or sharing a
portion of the risk to finance it
- Accept: no action is taken due to a
cost/benefit decision
Incident management
- business continuity
- Disaster recovery policies, processes
and procedures
- Review of co-location and back-up
facilities
 What is a CSP's supply chain?
How should the cost savings obtained by
cloud computing services be utilized?
Define Public Cloud?
Define Private Cloud
It may also be worth visiting the following site for additional CCSK training information.
CCSK Training Link
[1] Cloud Service Provider
[2] Digital Rights Management
Their service provider relationships and
dependencies
Reinvest into increased scrutiny of the
security capabilities of the provider,
application of security controls, and
ongoing detailed assessments and audits
to ensure requirements are continuously
met.
The cloud infrastructure is made available
to the general public or a large industry
group and is owned by an organization
selling cloud services.
The cloud infrastructure is operated solely
for a single organization. It may be
managed by the organization or by a third
party and may be located on-premise or
off-premise.