{"id":80290,"date":"2021-12-13T21:22:59","date_gmt":"2021-12-14T02:52:59","guid":{"rendered":"https:\/\/www.whizlabs.com\/blog\/?p=80290"},"modified":"2023-11-30T21:19:01","modified_gmt":"2023-12-01T02:49:01","slug":"ccsk-exam-sample-questions","status":"publish","type":"post","link":"https:\/\/www.whizlabs.com\/blog\/ccsk-exam-sample-questions\/","title":{"rendered":"25 Free Questions &#8211; Certificate of Cloud Security Knowledge V.4"},"content":{"rendered":"<p>With more and more applications moving to the cloud, security has become a crucial element of cloud computing. The Certificate of Cloud Security Knowledge (CCSK) V.4 is a globally recognized cloud security certification.<\/p>\n<p>If you are a multi-cloud or IT professional looking for a glowing career in cloud security, the <a href=\"https:\/\/www.whizlabs.com\/certificate-of-cloud-security-knowledge\/\">CCSK Certification Exam Questions<\/a> are recommended for you.<\/p>\n<p>This set of 25 CCSK certification exam practice questions will give you a first-hand understanding of cloud security fundamentals. 
It&#8217;s based on the CCSK exam pattern.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Cloud_Computing_Concepts_and_Architectures\"><\/span>Cloud Computing Concepts and Architectures<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<h4><em>Q 1. Which of the following facilitates the underlying communications method for components within a cloud, some of which are exposed to the cloud user to manage their resources and configurations?<\/em><\/h4>\n<p>A. Cloud Service Provider<br \/>\nB. Cloud management plane<br \/>\nC. 
Cloud control plane<br \/>\nD. Application Programming Interface<br \/>\nE. Hypervisor<\/p>\n<p><strong>Answer: The correct answer is D<\/strong>.<br \/>\nAPIs are typically the underlying communications method for components within a cloud, some of which (or an entirely different set) are exposed to the cloud user to manage their resources and configurations.<br \/>\nThe cloud resources are pooled using abstraction and orchestration. Abstraction, often via virtualization, frees the resources from their physical constraints to enable pooling. Then a set of core connectivity and delivery tools (orchestration) ties these abstracted resources together, creates the pools, and provides the automation to deliver them to customers.<br \/>\nAll this is facilitated using Application Programming Interfaces. APIs are typically the underlying communications method for components within a cloud, some of which (or an entirely different set) are exposed to the cloud user to manage their resources and configurations. Most cloud APIs these days use REST (Representational State Transfer), which runs over the HTTP protocol, making it extremely well suited for Internet services.<br \/>\nIn most cases, those APIs are both remotely accessible and wrapped into a web-based user interface. This combination is the cloud management plane since consumers use it to manage and configure the cloud resources, such as launching virtual machines (instances) or configuring virtual networks. From a security perspective, it is both the biggest difference from protecting physical infrastructure (since you can\u2019t rely on physical access as a control) and the top priority when designing a cloud security program. If an attacker gets into your management plane, they potentially have full remote access to your entire cloud deployment.<br \/>\nSource: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0<\/p>\n<h4><em>Q 2. 
Which layer of the logical stack includes code and message queues?<\/em><\/h4>\n<p>A. Infrastructure<br \/>\nB. Metastructure<br \/>\nC. Infostructure<br \/>\nD. Applistructure<\/p>\n<p><strong>Answer: The correct answer is D<\/strong>.<br \/>\nApplistructure: The applications deployed in the cloud and the underlying application services used to build them. For example, Platform as a Service features like message queues, artificial intelligence analysis, or notification services.<br \/>\nAt a high level, both cloud and traditional computing adhere to a logical model that helps identify different layers based on functionality. This is useful to illustrate the differences between the different computing models themselves:<br \/>\n\u2022 <strong>Infrastructure<\/strong>: The core components of a computing system: compute, network, and storage. The foundation that everything else is built on. The moving parts.<br \/>\n\u2022 <strong>Metastructure<\/strong>: The protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The glue that ties the technologies and enables management and configuration.<br \/>\n\u2022 <strong>Infostructure<\/strong>: The data and information. Content in a database, file storage, etc.<br \/>\n\u2022 <strong>Applistructure<\/strong>: The applications deployed in the cloud and the underlying application services used to build them. For example, Platform as a Service features like message queues, artificial intelligence analysis, or notification services.<br \/>\nSource: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0<\/p>\n<h4><em>Q 3. Which of the following is a cloud infrastructure that is shared by several organizations and supports a specific group that has shared concerns?<\/em><\/h4>\n<p>A. Public Cloud<br \/>\nB. Private Cloud<br \/>\nC. Community Cloud<br \/>\nD. Hybrid Cloud<br \/>\nE. 
Common Cloud<\/p>\n<p><strong>Answer: The correct answer is C<\/strong>.<br \/>\nCommunity Cloud is the cloud infrastructure that is shared by several organizations and supports a specific community that has shared concerns (e.g. mission, security requirements, policy, or compliance considerations).<br \/>\nCommunity Cloud &#8211; The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g. mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or by a third party and may be located on-premises or off-premises.<br \/>\nSource: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0<\/p>\n<h4><em>Q 4. Which plane is used by consumers to launch virtual machines or configure virtual networks?<\/em><\/h4>\n<p>A. Infrastructure Plane<br \/>\nB. Cloud Control Plane<br \/>\nC. Management Plane<br \/>\nD. Application Plane<br \/>\nE. Virtual Plane<\/p>\n<p><strong>Answer: The correct answer is C.<\/strong><br \/>\nIn most cases, those APIs are both remotely accessible and wrapped into a web-based user interface. This combination is the cloud management plane since consumers use it to manage and configure the cloud resources, such as launching virtual machines (instances) or configuring virtual networks. From a security perspective, it is both the biggest difference from protecting physical infrastructure (since you can\u2019t rely on physical access as a control) and the top priority when designing a cloud security program.<br \/>\nSource: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0<\/p>\n<h4><em>Q 5. Which of the following essential characteristics of a cloud allows customers to closely match resource consumption with demand?<\/em><\/h4>\n<p>A. Resource Pooling<br \/>\nB. On-demand self-service<br \/>\nC. Broad network access<br \/>\nD. Rapid elasticity<br \/>\nE. 
Measured service<\/p>\n<p><strong>Answer: The correct answer is D<\/strong><br \/>\nRapid elasticity.<br \/>\nRapid elasticity allows consumers to expand or contract the resources they use from the pool (provisioning and de-provisioning), often completely automatically. This allows them to more closely match resource consumption with demand (for example, adding virtual servers as demand increases, then shutting them down when demand drops).<br \/>\nSource: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Governance_and_Enterprise_Risk_Management\"><\/span>Governance and Enterprise Risk Management<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<h4><em>Q 6. Which of the following is the primary tool of governance between a cloud provider and a cloud customer which is true for both public and private cloud?<\/em><\/h4>\n<p>A. Audit<br \/>\nB. Cloud provider assessment<br \/>\nC. Compliance Reports<br \/>\nD. Contract<br \/>\nE. Non-Disclosure Agreement<\/p>\n<p><strong>Answer: The correct answer is D<\/strong>.<br \/>\nThe primary tool of governance is the contract between a cloud provider and a cloud customer (this is true for public and private cloud).<br \/>\nAs with any other area, there are specific management tools used for cloud governance. This list focuses more on tools for external providers, but these same tools can often be used internally for private deployments:<br \/>\nContracts: The primary tool of governance is the contract between a cloud provider and a cloud customer (this is true for public and private clouds). The contract is your only guarantee of any level of service or commitment\u2014assuming there is no breach of contract, which tosses everything into a legal scenario. 
Contracts are the primary tool to extend governance into business partners and providers.<br \/>\nSupplier (cloud provider) Assessments: These assessments are performed by the potential cloud customer using available information and allowed processes\/techniques. They combine contractual and manual research with third-party attestations (legal statements often used to communicate the results of an assessment or audit) and technical research. They are very similar to any supplier assessment and can include aspects like financial viability, history, feature offerings, third-party attestations, feedback from peers, and so on.<\/p>\n<h4><em>Q 7. Which of the following is an underlying vulnerability related to loss of Governance?<\/em><\/h4>\n<p>A. Lack of reputational isolation<br \/>\nB. Lack of resource isolation<br \/>\nC. Hypervisor vulnerabilities<br \/>\nD. Unclear asset ownership<br \/>\nE. Lack of supplier redundancy<\/p>\n<p><strong>Answer: The correct answer is D<\/strong>.<br \/>\nVulnerabilities related to lack of Governance are:<\/p>\n<ul>\n<li>Unclear roles and responsibilities<\/li>\n<li>Poor enforcement of role definitions<\/li>\n<li>Synchronizing responsibilities or contractual obligations external to the cloud<\/li>\n<li>SLA clauses with conflicting promises to different stakeholders<\/li>\n<li>Audit or certification not available to customers<\/li>\n<li>Cross-cloud applications creating hidden dependency<\/li>\n<li>Lack of standard technologies and solutions<\/li>\n<li>Storage of data in multiple jurisdictions and lack of transparency about this<\/li>\n<li>No source escrow agreement<\/li>\n<li>No control on the vulnerability assessment process<\/li>\n<li>Certification schemes not adapted to cloud infrastructures<\/li>\n<li>Lack of information on jurisdictions<\/li>\n<li>Lack of completeness and transparency in terms of use<\/li>\n<li>Unclear asset ownership<\/li>\n<\/ul>\n<p><strong>Options A, B, and C<\/strong> are not correct as they are the vulnerabilities 
related to &#8220;Loss of business reputation due to co-tenant activities&#8221;.<br \/>\nOption E is not correct as it is a vulnerability related to &#8220;Supply Chain Failure&#8221;.<br \/>\nSource: ENISA<\/p>\n<h4><em>Q 8. Which of the following defines the amount of risk that the leadership and stakeholders of an organization are willing to accept?<\/em><\/h4>\n<p>A. Risk Acceptance<br \/>\nB. Risk Tolerance<br \/>\nC. Residual Risk<br \/>\nD. Risk Target<\/p>\n<p><strong>Answer: The correct answer is B<\/strong><br \/>\nRisk Tolerance.<br \/>\nRisk tolerance is the amount of risk that the leadership and stakeholders of an organization are willing to accept. It varies based on asset and you shouldn\u2019t make a blanket risk decision about a particular provider; rather, assessments should align with the value and requirements of the assets involved. Just because a public cloud provider is external and a consumer might be concerned with shared infrastructure for some assets doesn\u2019t mean it isn\u2019t within risk tolerance for all assets. Over time this means that, practically speaking, you will build out a matrix of cloud services along with which types of assets are allowed in those services. Moving to the cloud doesn\u2019t change your risk tolerance, it just changes how risk is managed.<br \/>\nSource: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0<\/p>\n<h4><em>Q 9. Which of the following can the cloud provider implement to mitigate credential compromise or theft?<\/em><\/h4>\n<p>A. Separation of roles and responsibilities<br \/>\nB. Automated inventory of all assets<br \/>\nC. Federated method of authentication<br \/>\nD. Hardening of virtual machines using industry standards<br \/>\nE. 
Anomaly detection<\/p>\n<p><strong>Answer: The correct answer is E.<\/strong><br \/>\nCREDENTIAL COMPROMISE OR THEFT<\/p>\n<ul>\n<li>Do you provide anomaly detection (the ability to spot unusual and potentially malicious IP traffic and user or support team behavior)? For example, analysis of failed and successful logins, unusual time of day, and multiple logins, etc.<\/li>\n<li>What provisions exist in the event of the theft of a customer\u2019s credentials (detection, revocation, evidence for actions)?<\/li>\n<\/ul>\n<p>Source: ENISA<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Legal_Issues_Contracts_and_Electronic_Discovery\"><\/span>Legal Issues, Contracts, and Electronic Discovery<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<h4><em>Q 10. Which of the following reflects the claim of an individual to have certain data deleted so that third persons can no longer trace them?<\/em><\/h4>\n<p>A. Right to be deleted<br \/>\nB. Right to be erased<br \/>\nC. Right to non-disclosure<br \/>\nD. Right to be forgotten<br \/>\nE. Right to privacy<\/p>\n<p><strong>Answer: The correct answer is D<\/strong>.<br \/>\nThe right to be forgotten &#8220;reflects the claim of an individual to have certain data deleted so that third persons can no longer trace them.&#8221;<br \/>\nData Subjects\u2019 Rights: Data subjects have rights to information regarding the processing of their data: the right to object to certain uses of their personal data; to have their data corrected or erased; to be compensated for damages suffered as a result of unlawful processing; the right to be forgotten; and the right to data portability. The existence of these rights significantly affects cloud service relationships.<br \/>\nSource: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0<\/p>\n<h4><em>Q 11. When entrusting a third party to process the data on its behalf, who remains responsible for the collection and processing of the data?<\/em><\/h4>\n<p>A. 
Data Processor<br \/>\nB. Data Controller<br \/>\nC. Data Analyzer<br \/>\nD. Data Protector<\/p>\n<p><strong>Answer: The correct answer is B<\/strong>.<br \/>\nWhen entrusting a third party to process data on its behalf (a data processor), a data controller remains responsible for the collection and processing of that data. The data controller is required to ensure that any such third parties take adequate technical and organizational security measures to safeguard the data.<br \/>\nSource: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0<\/p>\n<h3>Compliance and Audit Management<\/h3>\n<h4><em>Q 12. Which of the following is a form of compliance inheritance in which all or some of the cloud provider\u2019s infrastructure and services undergo an audit to a compliance standard?<\/em><\/h4>\n<p>A. Policy Audit<br \/>\nB. Pass-through Audit<br \/>\nC. Third Party Audit<br \/>\nD. Compliance Audit<\/p>\n<p><strong>Answer: The correct answer is B<\/strong>.<br \/>\nMany cloud providers are certified for various regulations and industry requirements, such as PCI DSS, SOC1, SOC2, HIPAA, best practices\/frameworks like CSA CCM, and global\/regional regulations like the EU GDPR. These are sometimes referred to as pass-through audits. A pass-through audit is a form of compliance inheritance. In this model, all or some of the cloud provider\u2019s infrastructure and services undergo an audit to a compliance standard. The provider takes responsibility for the costs and maintenance of these certifications.<br \/>\nSource: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Infrastructure_Security\"><\/span>Infrastructure Security<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<h4><em>Q 13. Which of the following is not a security benefit of Immutable workloads?<\/em><\/h4>\n<p>A. Security testing can be managed during image creation<br \/>\nB. 
You no longer patch running systems or worry about dependencies<br \/>\nC. You can enable remote logins to run workloads<br \/>\nD. It is much faster to roll out updated versions<br \/>\nE. It is easier to disable services and whitelist applications<\/p>\n<p><strong>Correct Answer: C<\/strong><br \/>\nYou can, and should, disable remote logins to running workloads (if logins are even an option). This is an operational requirement to prevent changes that aren\u2019t consistent across the stack, which also has significant security benefits.<br \/>\nAuto-scaling and containers, by nature, work best when you run instances launched dynamically based on an image; those instances can be shut down when no longer needed for capacity without breaking an application stack. This is core to the elasticity of compute in the cloud. Thus, you no longer patch or make other changes to a running workload, since that wouldn\u2019t change the image, and, thus, new instances would be out of sync with whatever manual changes you make on whatever is running. We call these virtual machines immutable.<br \/>\nImmutable workloads enable significant security benefits:<br \/>\n\u2022 You no longer patch running systems or worry about dependencies, broken patch processes, etc. You replace them with a new gold master.<br \/>\n\u2022 You can, and should, disable remote logins to running workloads (if logins are even an option). This is an operational requirement to prevent changes that aren\u2019t consistent across the stack, which also has significant security benefits.<br \/>\n\u2022 It is much faster to roll out updated versions since applications must be designed to handle individual nodes going down (remember, this is fundamental to any auto-scaling). You are less constrained by the complexity and fragility of patching a running system. 
Even if something breaks, you just replace it.<br \/>\n\u2022 It is easier to disable services and whitelist applications\/processes since the instance should never change.<br \/>\n\u2022 Most security testing can be managed during image creation, reducing the need for vulnerability assessment on running workloads since their behavior should be completely known at the time of creation. This doesn\u2019t eliminate all security testing for production workloads, but it is a means of offloading large portions of testing.<br \/>\nSource: Security Guidance for Critical Areas of Focus in Cloud Computing V4<\/p>\n<h4><em>Q 14. Which of the following leverages virtual network topologies to run smaller and more isolated networks without incurring additional hardware costs?<\/em><\/h4>\n<p>A. Microsegmentation<br \/>\nB. VLANs<br \/>\nC. Converged networking<br \/>\nD. Virtual Private Networks<br \/>\nE. Virtual Private Cloud<\/p>\n<p><strong>Answer: The correct answer is A,<\/strong><br \/>\n<strong>microsegmentation<\/strong>.<br \/>\nMicrosegmentation (also sometimes referred to as hyper segregation) leverages virtual network topologies to run more, smaller, and more isolated networks without incurring additional hardware costs that historically make such models prohibitive. Since the entire networks are defined in software without many of the traditional addressing issues, it is far more feasible to run these multiple, software-defined environments.<br \/>\nSource: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0<\/p>\n<h4><em>Q 15. Installing traditional agents designed for physical servers will not result in the same amount of efficiency and performance on a virtualized server.<\/em><\/h4>\n<p>A. True<br \/>\nB. False<\/p>\n<p><strong>Answer: The correct answer is A.<\/strong><br \/>\n\u201cTraditional\u201d agents may impede performance more heavily in the cloud. 
Lightweight agents with lower compute requirements allow better workload distribution and efficient use of resources. Agents not designed for cloud computing may assume underlying compute capacity that isn\u2019t aligned with how the cloud deployment is designed. The developers on a given project might assume they are running a fleet of lightweight, single-purpose virtual machines. A security agent not attuned to this environment could significantly increase processing overhead, requiring larger virtual machine types and increasing costs.<br \/>\nSource: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Virtualization_and_Containers\"><\/span>Virtualization and Containers<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<h4><em>Q 16. Which of the following are the primary security responsibilities of the cloud provider in compute virtualization? (Select 2)<\/em><\/h4>\n<p>A. Isolation<br \/>\nB. Identity &amp; Access Management<br \/>\nC. Encryption<br \/>\nD. Securing the underlying infrastructure<br \/>\nE. Monitoring and Logging<\/p>\n<p><strong>Answer: The correct answer is A, D.<\/strong><br \/>\nThe primary security responsibilities of the cloud provider in compute virtualization are to enforce isolation and maintain a secure virtualization infrastructure.<br \/>\nCloud Provider Responsibilities<br \/>\nThe primary security responsibilities of the cloud provider in compute virtualization are to enforce isolation and maintain a secure virtualization infrastructure.<br \/>\n\u2022 Isolation ensures that compute processes or memory in one virtual machine\/container should not be visible to another. It is how we separate different tenants, even when they are running processes on the same physical hardware.<br \/>\n\u2022 The cloud provider is also responsible for securing the underlying infrastructure and the virtualization technology from external attack or internal misuse. 
This means using patched and up-to-date hypervisors that are properly configured and supported with processes to keep them up to date and secure over time. The inability to patch hypervisors across a cloud deployment could create a fundamentally insecure cloud when a new vulnerability in the technology is discovered.<\/p>\n<p>Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4<\/p>\n<h4><em>Q 17. Which of the following WAN virtualization technologies is used to create networks that span multiple base networks?<\/em><\/h4>\n<p>A. Cloud overlay networks<br \/>\nB. Virtual private networks<br \/>\nC. Virtual private cloud<br \/>\nD. Network peering<\/p>\n<p><strong>Answer: The correct answer is A<\/strong>.<br \/>\nCloud overlay networks are a special kind of WAN virtualization technology for creating networks that span multiple \u201cbase\u201d networks. For example, an overlay network could span physical and cloud locations or multiple cloud networks, perhaps even on different providers.<br \/>\nSource: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0<\/p>\n<h4><em>Q 18. The most fundamental security control for any multitenant network is:<\/em><\/h4>\n<p>A. Hypervisor security<br \/>\nB. Segregation and isolation of network traffic<br \/>\nC. Logging and monitoring controls<br \/>\nD. Secure image creation process<\/p>\n<p><strong>Answer: The correct answer is B<\/strong>.<br \/>\nExplanation:<br \/>\nThe cloud provider is primarily responsible for building secure network infrastructure and configuring it properly. The absolute top security priority is segregation and isolation of network traffic to prevent tenants from viewing another\u2019s traffic. 
This is the most foundational security control for any multi-tenant network.<br \/>\nSource: Security Guidance for Critical Areas of Focus in Cloud Computing<br \/>\nTopic: Cloud Provider Responsibilities<br \/>\nDomain 8 \/\/ VIRTUALIZATION AND CONTAINERS<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Incident_Response\"><\/span>Incident Response<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<h4><em>Q 19. What must the monitoring scope cover in addition to the deployed assets?<\/em><\/h4>\n<p>A. The data plane<br \/>\nB. The application plane<br \/>\nC. The service plane<br \/>\nD. The access plane<br \/>\nE. The management plane<\/p>\n<p><strong>Answer: The correct answer is E<\/strong>.<br \/>\nIn all cases, the monitoring scope must cover the cloud\u2019s management plane, not merely the deployed assets.<br \/>\nDetection and analysis in a cloud environment may look nearly the same (for IaaS) and quite different (for SaaS). In all cases, the monitoring scope must cover the cloud\u2019s management plane, not merely the deployed assets.<br \/>\nSource: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0<\/p>\n<h4><em>Q 20. Resource pooling practiced by the cloud services may especially complicate which part of the IR process?<\/em><\/h4>\n<p>A. Detection<br \/>\nB. Prevention<br \/>\nC. Monitoring<br \/>\nD. Recovery<br \/>\nE. Forensics<\/p>\n<p><strong>Answer: The correct answer is E<\/strong><br \/>\n<strong>Forensics.<\/strong><br \/>\nThe resource pooling practiced by cloud services, in addition to the rapid elasticity offered by cloud infrastructures, may dramatically complicate the IR process, especially the forensic activities carried out as part of the incident analysis. 
Forensics has to be carried out in a highly dynamic environment, which challenges basic forensic necessities [4] such as establishing the scope of an incident, the collection and attribution of data, preserving the semantic integrity of that data, and maintaining the stability of evidence overall. These problems are exacerbated when cloud customers attempt to carry out forensic activities since they operate in a non-transparent environment (which underscores the necessity of support by the cloud provider as mentioned above).<br \/>\nSource: Guidance for Critical Areas of Focus in Cloud Computing<\/p>\n<h3>Application Security<\/h3>\n<h4><em>Q 21. In which of the five main phases of secure application design and development do you perform threat modeling?<\/em><\/h4>\n<p>A. Training<br \/>\nB. Define<br \/>\nC. Design<br \/>\nD. Develop<br \/>\nE. Test<\/p>\n<p><strong>Answer: The correct answer is C.<\/strong><br \/>\nIt is during the design phase that you perform threat modeling, which must also be cloud and provider\/platform-specific.<br \/>\n<strong>Design<\/strong>: During the application design process, especially when PaaS is involved, the focus for security in the cloud is on architecture, the cloud provider\u2019s baseline capabilities, cloud provider features, and automating and managing security for deployment and operations. We find that there are often significant security benefits to integrating security into the application architecture since there are opportunities to leverage the provider\u2019s own security capabilities. For example, inserting a serverless load balancer or message queue could completely block certain network attack paths. 
This is also where you perform threat modeling, which must also be cloud and provider\/platform-specific.<br \/>\nSource: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Data_Security_and_Encryption\"><\/span>Data Security and Encryption<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<h4><em>Q 22. Which of the following will not help to detect actual migrations, monitor cloud usage, and any data transfers to the cloud?<\/em><\/h4>\n<p>A. CASB &#8211; Cloud Access and Security Brokers<br \/>\nB. URL Filtering<br \/>\nC. DLP &#8211; Data Loss Prevention<br \/>\nD. Data Encryption in transit<\/p>\n<p><strong>Answer: The correct answer is D.<\/strong><br \/>\nYou can detect actual migrations, monitor cloud usage and any data transfers using CASB, URL filtering, and DLP. Data encryption in transit will help to secure the data while in motion but will not help to detect actual migrations, monitor cloud usage and any data transfers to the cloud.<br \/>\nTo detect actual migrations, monitor cloud usage, and any data transfers, you can use the following tools:<br \/>\nCASB: Cloud Access and Security Brokers (also known as Cloud Security Gateways) discover internal use of cloud services using various mechanisms such as network monitoring, integrating with an existing network gateway or monitoring tool, or even by monitoring DNS queries. After discovering which services your users are connecting to, most of these products then offer monitoring of activity on approved services through API connections (when available) or inline interception (man in the middle monitoring). 
Many support DLP and other security alerting and even offer controls to better manage the use of sensitive data in cloud services (SaaS, PaaS, and IaaS).<br \/>\nURL filtering: While not as robust as CASB, a URL filter\/web gateway may help you understand which cloud services your users are using (or trying to use).<br \/>\nDLP: If you monitor web traffic (and look inside SSL connections), a Data Loss Prevention (DLP) tool may also help detect data migrations to cloud services. However, some cloud SDKs and APIs may encrypt portions of data and traffic that DLP tools can\u2019t unravel, and thus they won\u2019t be able to understand the payload.<\/p>\n<figure id=\"attachment_80292\" aria-describedby=\"caption-attachment-80292\" style=\"width: 375px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\"wp-image-80292 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2021\/12\/DLP-tool.png\" alt=\"DLP tool\" width=\"375\" height=\"320\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2021\/12\/DLP-tool.png 375w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2021\/12\/DLP-tool-300x256.png 300w\" sizes=\"(max-width: 375px) 100vw, 375px\" \/><figcaption id=\"caption-attachment-80292\" class=\"wp-caption-text\">DLP tool<\/figcaption><\/figure>\n<p>Source: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0<\/p>\n<h4><em>Q 23. Which of the following should be the main consideration for key management?<\/em><\/h4>\n<p>A. Performance, access control, latency, non-repudiation<br \/>\nB. Performance, accessibility, latency, security<br \/>\nC. Performance, access control, speed, non-repudiation<br \/>\nD. 
Performance, availability, speed, security<\/p>\n<p><strong>Answer: The correct answer is B<\/strong>.<br \/>\nThe main considerations for key management are performance, accessibility, latency, and security.<br \/>\nKey Management (Including Customer-Managed Keys)<br \/>\nThe main considerations for key management are performance, accessibility, latency, and security. Can you get the right key to the right place at the right time while also meeting your security and compliance requirements?<br \/>\nSource: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0<\/p>\n<h3><span class=\"ez-toc-section\" id=\"_Identity_Entitlement_and_Access_Management\"><\/span>Identity, Entitlement, and Access Management<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<h4><em>Q 24. Identity brokers handle federating between identity providers and relying parties.<\/em><\/h4>\n<p>A. True<br \/>\nB. False<\/p>\n<p><strong>Answer: The correct answer is A<\/strong>.<br \/>\nIdentity brokers handle federating between identity providers and relying parties (which may not always be a cloud service).<br \/>\nExplanation:<br \/>\nIdentity brokers handle federating between identity providers and relying parties (which may not always be a cloud service). They can be located on the network edge or even in the cloud in order to enable web-SSO.<br \/>\nIdentity providers don\u2019t need to be located only on-premises; many cloud providers now support cloud-based directory servers that support federation internally and with other cloud services. For example, more complex architectures can synchronize or federate a portion of an organization\u2019s identities for an internal directory through an identity broker and then to a cloud-hosted directory, which then serves as an identity provider for other federated connections.<br \/>\nSource: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0<\/p>\n<h4><em>Q 25. 
Which of the following is a preferred model for cloud-based access management?<\/em><\/h4>\n<p>A. Role based<br \/>\nB. Identity based<br \/>\nC. Access based<br \/>\nD. Attribute based<\/p>\n<p><strong>Answer: The correct answer is D<\/strong>.<br \/>\nABAC is the preferred model for cloud-based access management.<br \/>\nCloud platforms tend to have greater support for the Attribute-Based Access Control (ABAC) model for IAM, which offers greater flexibility and security than the Role-Based Access Control (RBAC) model.<br \/>\nRBAC is the traditional model for enforcing authorizations and relies on what is often a single attribute (a defined role). ABAC allows more granular and context-aware decisions by incorporating multiple attributes, such as role, location, authentication method, and more.<br \/>\nSource: Security Guidance for Critical Areas of Focus in Cloud Computing V4.0<\/p>\n<p><strong>Conclusion:<\/strong><\/p>\n<p>Cloud Security is a complex domain, especially in a multi-cloud environment. The above set of <a href=\"https:\/\/www.whizlabs.com\/certificate-of-cloud-security-knowledge\/\">25 CCSK Exam practice questions<\/a> is based on Cloud Security fundamentals. This should give you a glimpse of the CCSK exam pattern and also make you familiar with the CCSK Exam questions format.<\/p>\n<p>When are you planning to take the CCSK exam? We recommend you practice more in an actual exam environment.<\/p>\n<p>Reference Links:<\/p>\n<ul>\n<li><a href=\"https:\/\/cloudsecurityalliance.org\/education\/ccsk\/\" target=\"_blank\" rel=\"noopener\">https:\/\/cloudsecurityalliance.org\/education\/ccsk\/<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>With more and more applications moving to the cloud; security has become a crucial element of cloud computing. Certificate of Cloud Security Knowledge (CCSK) V.4 Exam Questions is globally recognized as a cloud security certification. 
If you are a multi-cloud or IT professional looking for a glowing career in cloud security, the CCSK Certification Exam Questions is recommended for you. This set of 25 CCSK certification Exam practice questions will give you a first-hand understanding of Cloud Security fundamentals. It&#8217;s based on the CCSK exam pattern. Cloud Computing Concepts and Architectures Q 1. Which of the following facilitates the underlying [&hellip;]<\/p>\n","protected":false},"author":210,"featured_media":80294,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[3515,12],"tags":[4782,4781],"class_list":["post-80290","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-consulting","category-google-cloud","tag-certificate-of-cloud-security-knowledge-v-4-exam-certification","tag-certificate-of-cloud-security-knowledge-v-4-exam-questions"],"uagb_author_info":{"display_name":"Jeevitha TP","author_link":"https:\/\/www.whizlabs.com\/blog\/author\/jeevithatwhizlabs-com\/"},"uagb_comment_info":17}