oogl The CCSK Study Guide

Revision : 0.3
Created Dated: January 5th, 2015
Last Modified: January 8th, 2015

Contributor Organization Country

Alejandro Castillo Kellogg Company United States of America
Peter HJ van Eijk Club Cloud Computing Netherlands
Ajay Chauhan SafeNet United Kingdom

Ash Thakrar PwC United Kingdom

Please Scroll down to find the actual study guide

If you found any part of this guide helpful please provide a like or some feedback to the
following link:
https://www.linkedin.com/groups/CCSK-study-guide-OpenSource-
4071935.S.5958007520671911936?
view=&gid=4071935&item=5958007520671911936&type=member&commentID=discussion
%3A5958007520671911936%3Agroup%3A4071935
If you wish to contribute feel free to type your suggestions and they will be taken accordingly.
brian

CCSK Key Examination Concepts

CSA Guidance For Critical Areas of Focus in Cloud Computing V3.0 English

Based on research that I have seen online, it is suggested that 2,5,10 and 12 are heavily tested.
Especially 5. Attention should be placed to Risk and Challenges.
Victor said this was the some of the most quizzedquized areas:
Reading the material is extremely time consuming, Incident response and Identity and Access
Management seem to have the most material.

Domain 1 Architecture
Summary

SPI = Software, Platform and Infrastructure as a service.

Cloud formations = the forms of cloud computing or the way it’s deployed.
Cloud benefits - collaboration, agility, scaling, availability, reduced cost, optimized and efficient.
Steps for evaluating risk in the cloud
1. Determine what data to send to the cloud - (1) Data (2) Application/Function/Processes
2. Determine the data or function is
3. Determine the best deployment model (For models look at NIST model below)
4. Evaluate the potential cloud providers
● NIST Definition of Cloud Computing (Essential Characteristics, Cloud Service Models,
Cloud Deployment Models)

● Multi-Tenancy (NIST doesn’t have it, but CSA’s cloud model includes it as an essential:)

○ Policy Enforce ○ Governance

 ○ Segmentation ○ SLA
○ Isolation ○ Chargeback
The problem with multi-tenancy is visibility of residual data or traces of operations of tenants.
● CSA Cloud Reference Model ( Also known as service models)
○ IaaS - Most flexible, possibly the least secure, and customers responsible for
most of the security mechanisms
○ PaaS - Enormous flexibility, but not quite as flexible.
○ SaaS - Least Flexible, possibly most secure and dependency on provider
You can outsource a lot of manageability, but not accountability.
• Jericho Cloud Cube Model

The four sides/eight dimensions

I/O - Inside or Outsourced
I/E - Internal or External
O/P - Open or Proprietary
P/D - Perimeter

Least to most mature

1. Outcome/Value
2. Process
3. Software
4. Platform
5. Infrastructure

• Cloud Security Reference Model - possible definition on page 20 third paragraph

• Cloud Service Brokers - Middleman/Middleware act like proxies between the cloud and the
consumer. This is done to provide an abstraction of incapabilities between the customer and the
cloud to allow for fluidity and agility.
● • Service Level Agreements
○ Negotiable and nonnegotiable.
○ Security Level,security, governance, compliance, and liability expectation
○ Most of the control and security will be held in the SLA - auditing provides
affirmation and really specifies the level of security in SaaS

Even Private Clouds have multitenancy (multiple projects, third party consultants, contractors,
part-timers,etc…)

Domain 2: Governance and Enterprise Risk Management

● Contractual Security Requirements
○ processes, customs, policies, laws and institution
● Enterprise and Information Risk Management
○ Measure, manage and mitigate uncertainty
○ Avoidance, Reduction, Share/Insure/Transfer and Accept
● Third Party Management Recommendations
○ Contracts are risk management tools with metrics/audits to ensure accountability.
○ SLAs must cascade downwards from Provider to Third Party and supply chain
○ Incident Management , business continuity, and disaster recovery policies, and
processes and procedures, along with review of co-locations and backup
facilities must be part of the background check assessment.
● Supply chain examination
○ Risk is inherited throughout the supply chain
● Use of Cost Savings for Cloud
 ○ Should be re-invested to scrutinize the security capabilities of the provider.
Audit might be hard due to an elastic environment
The major part for most of the governance will be the contract between the provider and
customer.

Domain 3: Legal Issues: Contracts and Electronic Discovery

• Consideration of cloud-related issues in three dimensions : Monitoring, testing , evaulation???
• eDiscovery considerations - In the US you must give everything to the requesting party even if
it is not in your favor. It must also be protected and well stored (this is called a legal hold)
• Jurisdictions and data locations - The client is responsible for the data even though they might
not have access. Thus they need the CSP, however it should be written into the contract. In
terms of jurisdiction it depends on where the legal court is in?
• Liability for activities of subcontractors
• Due diligence responsibility - Identify legal barriers and insure they are addressed in contract.
• Federal Rules of Civil Procedure and electronically stored information -ESI for holding
• Metadata - it’s data about data
• Litigation hold - obligation to undertake reasonable steps to prevent destruction or
modifications of data or the information processing.

Domain 4: Compliance and Audit Management

• Definition of Compliance: the awareness and adherence to obligations (laws, policies,
contracts, etc…), including the assessment and prioritization of corrective actions deemed
necessary and appropriate.
• Right to audit - gives customers the ability to audit the cloud provider and provide for
transparency/accountability.
• Compliance impact on cloud contracts- geographical locations and legal jurisdictions.
• Audit scope and compliance scope - laws and regulations one must comply with.
• Compliance analysis requirements - include legal, procurement and contract teams to identify
them. These will likely include contracts, laws, regulations, policies and various other things.
• Auditor requirements - “Cloud aware” , SSAE 16 SOC2 or ISAE 3402 Type 2.
CSP/Third party review of how information is stored, processed and transmitted across borders
with many different laws in those places as well as the ones we must comply with.
Third parties should be picked out in advance and reviewed.
Right to transparency - can view or request a push to view the stats of the environment.

Domain 5: Information Management and Data Security

● Six phases of the Data Security Lifecycle and their key elements
 ● Volume storage: virtual hard drives (data dispersion to support resiliency and security)
● Object storage: File storage (Can typically be accessed y APIs or web interface)
● Logical vs physical locations of data
○ Potential issues from regulatory , contractual and other jurisdictional issues are
extremely important to understand both the logical and physical location of the
data.
● Three valid options for protecting data
○ Client application Encryption
○ Link/Network Encryption
○ Proxy Based Encryption
● Data Loss Prevention: Used for content delivery and to monitor data in motion
○ Actions: Block or allow to proceed after remediation (DRM, ZIP, PGP)
○ Deployment may be done using any of the following:
■ Dedicated Appliance
■ Virtual Appliance
■ Endpoint agent
■ Hypervisor agent
■ DLP SaaS
• Detection Data Migration to the Cloud
● Encryption in IaaS, PaaS & SaaS
○ IaaS - Volume Storage Encryption
■ Instance Managed encryption
■ Externally Managed encryption
■ Proxy Encryption
○ PaaS
■ Client/Application encryption
■ Database Encryption
 ■ Proxy Encryption
○ SaaS
■ Provider-Managed Encryption
■ Proxy Encryption
● Database Activity Monitoring (DAM) and File Activity Monitoring (FAM): Can be used to
detect and monitor attacks.
○ DAM: captures and records all DB SQL activity including database activity,
across multiple database platforms, and can generate alerts on policy violations.
■ DAM tools are typically agent-based connecting to a central collection
server (which is typically virtualized). It is used with dedicated database
instances for a single customer, although in the future may be available
for PaaS)
○ FAM: Products that monitor and record all activity within a designated file
repositories at the user level and can generate alerts based on violations.
■ FAM tools require agents or placing a physical appliance between the
cloud storage and the cloud consumer.
• Data Backup - ?????
• Data Dispersion: It spreads data across (Data fragmentation) make it more resilient and harder
to compromise. Usually does it by using an Intrusion Detection Algorithm (IDA), no encryption is
used in dispersion.
• Data Fragmentation: When fragmentation is used along side encryption it becomes hard to
compromise as you have to compromised m cloud nodes with fragments and then still break
encryption.

Domain 6: Interoperability and Portability

● Definitions of Portability and Interoperability
○ Interoperability: The requirement for the components in a cloud ecosystem to
work together to produce the intended result
○ Portability: defines the ease of the ability to which applications components can
be moved and reused elsewhere regardless of provider, platform, OS,
infrastructure, location, storage, the format of the data or the API’s.
● Virtualization impacts on Portability and Interoperability - Can help abstract hardware for
flexibility and using something like Open Virtual Format (OVF) can aid in portability.
● SAML and WS-Security - Are authentication protocols that are interoperable with
standard based systems. Using the open based SAML can help ensure portability of
identities.
● Size of Data Sets - the sheer size can cause of disruption of service during transition or
can make the transition longer than it needs too. (courier may be an option)
● Lock-In considerations by IaaS, PaaS & SaaS delivery models
○ IaaS
■ creation, portability, deletion and deprovisioning (removing residual data)
■ Hardware based dependencies moving to virtualization
■ Access to system logs, traces, billing records
 ■ Interoperability and portability and feature sets moving from one cloud to
another as well as understanding dependency on legacy IaaS (cost as
well)
■ Who maintains crypto keys

○ PaaS
■ Tools available for secure data transfer, backup and restore
■ For interoperability and portability use standard syntax, Open APIs and
open standards such as Open Cloud Computing Interface (OCCI)
■ how to transfer to new vendor - how data is generated, maintained,
documented, performed, availible or dependent on provider.
■ Do testing prior to moving
○ SaaS
■ Determine which data can be preserved and migrated (escrow service?)
■ Perform regular data backups
■ Review/audit the consistency of controls
• Mitigating hardware compatibility

Lack of interoperability can lock you to a vendor, when possible use open and published
architectures with standards protocols. Lock-in can also occur if the data can’t be easily
exported thus the need for portability. (costly conversion , transfer, retraining, loss of data)

“Understand up-front and plan for how to exit the contract” meat of the security.

Domain 7: Traditional Security, Business Continuity, and Disaster Recovery

● Four D's of perimeter security : Deter, Detect, Delay and Deny
● Cloud backup and disaster recovery services
○ Main Challenges: mobility, transfers to and from cloud, availability, business
continuity, scalability and metered payments.
○ Disaster Recovery is built on three layers : Virtual Storage, Scalable file systems
and a self service disaster recovery application.
○ Things to review: Emergency Response team (ERT), Crisis Management Team
(CMT) and the Incident Response team (IRT)
● Customer due diligence related to BCM/DR - review CSP’s BCP process
○ BS 25999 - The British Standard for Business Continuity Management (BCM)
○ ISO 22301 is responsible for Business Continuity
○ Traditional audits, on site assessments, direct examination or certifications
● Business Continuity Management/Disaster Recovery due diligence
○ Providers should have a security baseline
○ compartmentalization , background checks , Non-disclosure agreements,
separation of duties , avoidance of conflict of interests
● Restoration Plan: should correlate directly to SLA, as contractually committed and
include both the Recovery Point Objective (RPO) and Recovery Time Objective (RTO)
● Physical location of cloud provider
 ○ The consumer should conduct a critical evaluation of the data center’s physical
location
○ not in areas known to have seismic activity, floods, landslides or other natural
disasters
○ not located in areas known to have high crimes, political or social unrest
○ Check accessibility of the location and anything that might inhibit that.

Domain 8: Data Center Operations

● Relation to Cloud Controls Matrix - Table compromise of:
○ Application Mission : Contractual, legal or regulatory requirement
○ Control: Security Concept that is meant to mitigate risk to accomplish mission
○ Specification: Details of said control that will actually mitigate said risk

• Queries run by data center operators

• Technical aspects of a Provider's data center operations customer should understand
• Logging and report generation in multi-site clouds: it needs software to orchestrate the logging

Domain 9: Incident Response

● Factor allowing for more efficient and effective containment and recovery in a cloud
○ Can allow for faster incident response through continuous monitoring
○ Faster recovery through virtualization and elasticity resulting in fast containment
and recovery
○ Easier portability and imaging thanks to VM moves.
● Main data source for detection and analysis of an incident
○ Logs - audit, error, performance, pretty much anything you can get
■ Make sure that time is consistent (i.e. time sync)
■ Is the dynamic nature of the cloud accurately capture
■ Are legal requirements met
■ log retention patterns and tamper resistant
● Investigating and containing an incident in an Infrastructure as a Service environment
○ snapshots of memory
○ creation of hard disk images require the CSP
○ advance forensics techniques, generating snapshots,VM introspection or live
forensic system support require the CSP
● Reducing the occurrence of application level incidents
○ SLAs and IR plans should include “Lesson Learned” after the recovery
● How often should incident response testing occur
○ At least once a year
● Offline analysis of potential incidents -????????

Challenges for Incident Response in the cloud

● Automated environment does not help, but destroys evidence
● Elastic environment makes forensic especially hard
● There might be privacy issues in doing forensics
Investigating and containing an incident in an PaaS/SaaS environment
● Requires almost all CSP support and has to be negotiated in the Service Contract

Domain 10: Application Security

● identity, entitlement, and access management (IdEA)
○ Authentication
○ Authorization
○ Administration
○ Audit & Compliance
○ Policy
● SDLC impact and implications
○ It’s typically harder in the cloud
■ control over physical is harder
■ potential incompatibilities
■ protection of data through lifecycle (transit, rest)
■ web services can introduce more vulnerability
■ harder to get to logs or to demonstrate compliance
○ Mitigation
■ Least privilegeprivalege/Segregation of duties/Defense in depthdeph/fail
safe/….
● Differences in S-P-I models
● Consideration when performing a remote vulnerability test of a cloud-based application
○ Is the multi-tenancy of it??????
● Categories of security monitoring for applications
○ Log Monitoring
○ Performance Monitoring
○ Monitoring for Malicious use
○ Monitoring for compromise
○ Monitoring for policy violations
● Entitlement matrix - set of rules into entitlement layer
○ fed by claims
○ assertion
○ attributes
The above is simply an example of an entitlement matrix

Domain 11: Encryption and Key Management

● Adequate encryption protection of data in the cloud
○ Key management best practices, location of keys, keys per user
○ best practice
■ ?????????????????1. Enterprise users of encryption need to have keys
of their own - keys should be maintained within enterprise.
■ 2. Have the Cryptographic engine for each user or entity assign/manage
the keys based on the the entities identity.
■ location of keys
■ Whenever possible keys should reside with the user/enterprise. This way
in case of compromise the data can not be easily decrypted
■ Application or process may need keys so be aware…
● Use KEK (Key Encrypting Keys) or in memory keys
○ keys per user
■ There should be one key per user so they can only encrypt/decrypt their
own data
■ There should be a group key for when users need to share data.
● Relationship to tokenization, masking, anonymization and cloud database controls
○ Tokenization (Basically doing reference substitutions
○ Data Anonymization (Stripping out sensitive data)
○ Masking - Another word for format preserving encryption?????
○ Utilizing Cloud database controls - access control based on segregation levels

Domain 12: Identity, Entitlement, and Access Management

● Relationship between identities and attributes
 ○ Identity is something you are and attributes are the characteristics. Based on the
two a characteristics a risk based decision done to allow access to resources or
services. The process of mapping identities to attributes is called entitlement. So
entitlement is what ultimately dictates access.
● Identity Federation
○ The ability to use one identity repository in another for authentication or validation
purposes
● Relationship between Policy Decision Point (PDP) and Policy Enforcement Point (PEP)
○ PEP - is user centric authorization (user)
○ PDP - determines access to resources (service provider)
● SAML and WS-Federation
● Provisioning and authoritative sources

You may want to check out the videos at the end of this guide to understand the whole
entitlement process. I found it easier to watch the videos and then come back to read this doc
then tackling this doc heads on.

Entity - Discretes types that will have identities

Identity - Unique id
person - identity plus attributes
Entitlement - process mapping privileges to identities and the related attributes
RSO - password synchronization
SSO - ability to pass identity and attributes to other services
Federation - the connection of one identity repository to another.

Primacy - the state of being first

principle - entity who can be authenticated
Entitlement is the process of mapping privileges

Domain 13: Virtualization

● VM guest hardening, blind spots, VM Sprawl, data co-mingling, instant-on gaps
○ VM Guest Hardening - typical OS and app hardening best practices
○ Blind Spot - The network security appliances are blind to data that doesn’t
transverse the network (i.e. inter-VM traffic). Insert security APIs at the
hypervisors.
○ VM Sprawl - VMs are so easy to deploy they can spiral out of control without
process
○ Data co-mingling - the nature of having multi-vm on the same physical hardware
means that the data of one VM and another type of VM is on the same hardware
○ instant-on gaps - Pausing a VM and turning it back on (after a long time) can
introduce vulnerabilities
● In-Motion VM characteristics that can create a serious complexity for audits
 ○ Because VM are portable, they can moved geographically without alert or
traceable audit trail.
● How can virtual machine communications bypass network security controls
○ If it passes the data between VMs in the data plane as opposed to the network
plane
● VM attack surfaces
○ What else is there besides the ones mentioned and VM image tampering???
● Compartmentalization of VMs
○ Zoned approach for production, test/development and highly sensitive data

Domain 14: Security as a Service

● 10 categories
○ Identity and Access Management
○ Data Loss Prevention
○ Web Security
○ Email Security
○ Security Assessments
○ Intrusion Management
○ Security Information and Event Management (SIEM)
○ Encryption
○ Business Continuity and Disaster Recovery
○ Network Security
● Barriers to developing full confidence in security as a service (SECaaS)
○ Some security concerns: compliance, multi-tenancy and vendor lock-in
○ Lack of visibilities into control, personnel and general compliance
○ Data leakage between virtual machine instances
● When deploying Security as a Service in a highly regulated industry or environment,
what should both parties agree on in advance and include in the SLA
○ Metrics that describe how the provider is keeping in compliance. This can in turn
be used to enforce the contract or prematurely end a contract of service
● Logging and reporting implications
○ Is this related to SIEM?????????
● How can web security as a service be deployed
○ on premise through software/appliance installation
○ Cloud by proxy
○ redirecting web traffic through cloud provider infrastructure
● What measures do Security as a Service providers take to earn the trust of their
customers
○ run constant background checks that rival government background checks
○ they meet and exceed requirement geographical and regional regulations
○ enlist legal services to meet regional regulatory requirement
○ Data is compartmentalized and data is shared anonymously
○ Data monitored and held by the provider is anonymized in logs and audit data.
○ Increased analytics with semantic processing.
Is the cloud control matrix relevant to the CCSK test???????
https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3/

ENISA Cloud Computing: Benefits, Risks and Recommendations for Information Security
• Isolation failure
• Economic Denial of Service
• Licensing Risks
• VM hopping
• Five key legal issues common across all scenarios
• Top security risks in ENISA research
• OVF
• Underlying vulnerability in Loss of Governance
• User provisioning vulnerability
• Risk concerns of a cloud provider being acquired
• Security benefits of cloud
• Risks R.1 – R.35 and underlying vulnerabilities
• Data controller vs data processor definitions
• in Infrastructure as a Service (IaaS), who is responsible for guest systems monitoring

Additional Study Resources

Here is a list of additional resources if you want to study for CCSK:
https://collaboration.opengroup.org/jericho/cloud_cube_model_v1.0.pdf

How Identity, Entity and Entitlement work in the cloud:

https://www.youtube.com/watch?v=6FHGe8yHeQE

The best practices for Entitlement.

https://collaboration.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments
%20v1.0.pdf

CCSK overview:
https://www.youtube.com/watch?v=LhDZe7ZntvE
CCSK overview:
https://www.youtube.com/watch?v=mniY-Jay5cY&list=PL6ASplUnEA8KQsg2Czr8y5a-
ICJujSW9W&index=1

NIST SP800-145 (NIST Definition of Cloud Computing)

http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

Cloud Security Alliance (SecaaS) - Defined Categories of service 2011

https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf
Practice Questions (From SimpliLearn):
1. Suspicious intrusion detection alerts is part of
A. Events management
B. Incidents management
C. Risks management
D. None of these

2. Cloud providers that have not achieved ISO/IEC 27001 certification should align
themselves with:
A. ISO/IEC 27000
B. ISO/IEC 27002
C. SAS 70 practices
D. CSA SaaS v.2

3. According to ENISA, which service model implies the highest level of liability?
A. Public cloud
B. Partner cloud
C. Private cloud
D. Non cloud

4. Over time, the right to audit clause should be:

A. Increased
B. Reduced
C. Replaced with the compliance and monitoring clause
D. Both B and C

5. SIEM refers to:

A. Security Information and Event Management
B. Strategic Implementation of Electronic Management
C. Service Improvement of in End-User Markets
D. Software Intrusion and External Models

6. Which of the following audits ensures that controls are implemented and documented?
A. SAS 70 Type I
B. SAS 70 Type II
C. SAS 70 Type III
D. CSA SaaS v.2

7. Online word processing and spreadsheet tools would fall under which of the following
service models?
A. Software as a Service
B. Platform as a Service
C. Infrastructure as a Service
D. Both A and C

8. Google Docs is an example of:

A. Software as a Service
 B. Platform as a Service
C. Infrastructure as a Service
D. None of the above
9. Storage as a service is a sub-offering under which of the following categories?
A. SaaS
B. PaaS
C. laaS
D. Both SaaS and laaS

10. The nature of cloud computing means that it is more difficult to:
A. Ensure adequate resource division
B. Determine who to contact in case of a security incident or data breach
C. Make commitments to customers regarding security
D. All of these

11. Which of the following are the phases of incident recovery should the SLA guarantee
support?
A. Analysis, incident, response and recovery
B. Detection, incidence, response and recovery
C. Detection, analysis, containment, eradication, and recovery
D. None of the above

12. When any expertise is outsourced --- has to be signed.

A. HIPAA
B. IR
C. NDA
D. None of the above

13. While evaluating risk for cloud, the first step is?
A. Determine initial costs
B. Determine data or function considered for cloud
C. Determine important of data or function
D. Determine strategy of adopting cloud

14. In a cloud environment, the number of sources that must be monitored:

A. Are the same as in any other computing environment
B. Increase minimally
C. Decrease substantially
D. Increase exponentially

15. ESI stands for:

A. E-mail Storage interface
B. Electronic Stored Interface
C. Electronically Stored Information
D. None of the above

16. Removed
17. Service levels, governance, compliance and liability are stipulated and enforced in which
of the following service models?
A. SaaS
B. PaaS
C. laaS
D. all of the above

18. According to the Cloud Security Alliance (CSA), cloud service providers should use
which of the following as a guideline?
A. ISO/IEC 27000
B. ISO/IEC 27001
C. ISO/IEC 27003
D. ISO/IEC 35000

19. According to the Cloud Security Alliance (CSA), the cloud customer must understand:
A. The provider's ability to produce evidence needed for compliance
B. The division of compliance responsibilities between the consumer and provider
C. The customer's role in bridging the gap between auditor and service provider
D. All of the above

20. The 'ability to run multiple operating systems on a single physical system and share the
underlying hardware resources' is referred as:
A. Cloud computing
B. Grid computing
C. Agile computing
D. Virtualization

21. Improvements in which of the following areas would lead to improvements for all cloud
service customers?
A. Tools
B. Policies
C. Processes
D. All of these

22. According to the CSA's (Cloud security alliance's) risk assessment framework, risks may
be ---
A. Accepted
B. Transferred
C. Mitigated
D. All of the above

23. In SaaS, there are

A. One deployment model for cloud services
B. Two deployment models for cloud services
C. Three deployment models for cloud services
D. Four deployment models for cloud services
24. Rackspace Cloud is an example of:
A. Software as a Service
B. Platform as a Service
C. Infrastructure as a Service
D. None of the above

25. The acronym EDoS refers to:

A. Economic Denial of Service
B. Environmental Domain of Service
C. Encrypted Disaster or Solution
D. Engineered Data on Servers

26. Which of the following is NOT a recommendation for the 'create' phase of the data
security lifecycle?
A. Identification of data labeling and classification capabilities.
B. User tagging to classify data.
C. Leveraging of content discovery tools
D. Enterprise digital rights management

27. According to the Cloud Security Alliance (CSA), the cloud services agreement must
allow the client or third party to:
A. Have reasonable security that data breaches will not happen.
B. Monitor the service provider's performance and test for system vulnerabilities.
C. Retain ownership of the data in original format.
D. Adjust the process for responding to legal requests at any time.

28. Cloud cube model illustrates --

A. Physical location of deployment models
B. Deployment models
C. Management and ownership
D. All of the above

29. Cloud cube model was developed by ---

A. Cloud Security Alliance
B. OpenCrowd cloud solutions
C. Jericho forum
D. GoGrid

30. In which model, does the consumer have control over application hosting environment
configurations?
A. SaaS
B. PaaS
C. laaS
D. None of the above

31. HIPAA stands for:

A. Highly Intelligent Performance and Accounting
 B. Highly Interfering Performance and Auditing
C. Health Insurance Portability and Accountability
D. None of the above

32. Which of the following scenarios begins with a crisis of confidence in the cloud
provider's financial position?
A. An upcoming financial audit
B. A 'mass exodus' scenario
C. A 'run on the banks' scenario
D. All of the above

33. The worst case scenario in a 'run on the banks' situation is that:
A. Customers may be locked into a contract with a provider for many years
B. Customers may not be able to retrieve their data
C. Providers may be able to leak customer data to third parties
D. Customer data may be made publicly available

34. Which of the following is NOT true about PaaS?

A. It enables developers to build their own applications on top of the platform
B. It offers less customer ready features than SaaS
C. It is more extensible than the SaaS model
D. There are not as many security options as SaaS within this model\

35. Cloud service customers should develop evidence-collecting processes for which of the
following areas?
A. System configurations
B. Audit logs
C. Change management reports
D. All of the above

36. In which of the following cases, cloud service providers audit should be done?
A. Be done by the customer only
B. Be done regardless of the provider's certifications
C. Be waived, if the provider has adequate certifications
D. None of the above

37. According to the Cloud Security Alliance (CSA), which of the following clauses should
be obtained whenever possible?
A. Right to Audit Clause
B. Right to Withdraw Clause
C. Security Breach Clause
D. Data Transferability Clause

38. What kind of provisioning is standardized in OASIS' Service Provision Markup

Language (SPML)?
A. Lateral provisioning
B. Transport provisioning
 C. Push-style provisioning
D. Pull-style provisioning

39. Which of the following assets are supported by cloud?

A. Data and resources
B. Applications and processes/functions
C. Data and applications/functions/processes
D. All of the above

40. Data breaches is a part of:

A. Events management
B. Disaster management
C. Incidents management
D. None of the above

41. When an attacker uses a customer' resources for his/her own gain, this may be referred to
as:
A. Diminished Domain of Service
B. Distributed Denial of Service
C. Economic Denial of Service
D. Engineered Denial of Service

42. Which of the following is not a category of infrastructure services?

A. Storage
B. Compute
C. Services Management
D. Integration

43. Which of the following should not demonstrate compartmentalization by cloud providers,
according to the Cloud Security Alliance (CSA)?
A. Systems
B. Provisioning
C. Personnel
D. Resources

44. Which of the following is a characteristic of virtualization?

A. Single OS image per machine
B. Hardware-independence of operating system and applications
C. Inflexible, costly infrastructure
D. Software and hardware are tightly coupled

45. Since ----, the Federal Rules of Civil Procedure require the inclusion of electronically-
stored information when responding to discovery requests.
A. 2000
B. 2002
C. 2004
D. 2006
 46. What is recommended to enterprises adopting cloud?
A. Profit based approach
B. Risk based approach
C. Security based approach
D. Privacy based approach

47. In which of these models, does the consumer have limited user-specific configuration
settings?
A. SaaS
B. PaaS
C. laaS
D. none of the above

48. SOC refers to:

A. Strategic Overview Card
B. Standard Operations Credentials
C. Security Operations Center
D. Service Office Catalogue

49. When considering compliance with accepted frameworks and standards, one should
consider --
A. Cloud service classroom; security architecture and cloud architecture
B. Compliance architecture; cloud architecture; cloud service classification
C. Security architecture; compliance architecture; cloud architecture
D. All of the above

50. In a cloud environment, the number of security notifications:

A. Are the same as in any other computing environment
B. Increase minimally
C. Decrease substantially
D. Increase exponentially

ANSWERS(
51.Suspicious intrusion detection alerts is part of
Original number +50 )
A. Events management
B. Incidents management
C. Risks management
D. None of these
Explanation: Suspicious intrusion detection alerts is part of incident management.
 52. Cloud providers that have not achieved ISO/IEC 27001 certification should align
themselves with:
A. ISO/IEC 27000
B. ISO/IEC 27002
C. SAS 70 practices
D. CSA SaaS v.2
Explanation: Providers that have not achieved ISO/IEC 27001 certification should align
themselves with ISO/IEC 27002

53.According to ENISA, which service model implies the highest level of liability?
A. Public cloud
B. Partner cloud
C. Private cloud
D. Non cloud
Explanation: According to ENISA, private cloud model implies the highest level of liability

54. Over time, the right to audit clause should be:

A. Increased
B. Reduced
C. Replaced with the compliance and monitoring clause
D. Both B and C
Explanation: Over a period of time, the need to audit should get reduced and should be replaced
by a compliance and monitoring clause

55.SIEM refers to:

A. Security Information and Event Management
B. Strategic Implementation of Electronic Management
C. Service Improvement of in End-User Markets
D. Software Intrusion and External Models
Explanation: SIEM stands for Security Information and Event Management

56.Which of the following audits ensures that controls are implemented and documented?
A. SAS 70 Type I
B. SAS 70 Type II
C. SAS 70 Type III
D. CSA SaaS v.2
Explanation: CSA SaaS v.2 ensures that controls are implemented and documented.

57.Online word processing and spreadsheet tools would fall under which of the following
service models?
A. Software as a Service
B. Platform as a Service
C. Infrastructure as a Service
D. Both A and C
Explanation: Online tools are examples of Software as a Service.
 58.Google Docs is an example of:
A. Software as a Service
B. Platform as a Service
C. Infrastructure as a Service
D. None of the above
Explanation: Google doc is an example of SaaS

59. Storage as a service is a sub-offering under which of the following categories?

A. SaaS
B. PaaS
C. laaS
D. Both SaaS and laaS

Explanation: It is an offering of laaS

60.The nature of cloud computing means that it is more difficult to:

A. Ensure adequate resource division
B. Determine who to contact in case of a security incident or data breach
C. Make commitments to customers regarding security
D. All of these
Explanation:All of the above mentioned reasons together make up cloud computing

61. Which of the following are the phases of incident recovery should the SLA guarantee
support?
A. Analysis, incident, response and recovery
B. Detection, incidence, response and recovery
C. Detection, analysis, containment, eradication, and recovery
D. None of the above
Explanation: Detection, analysis, containment, eradication and recovery are the phases of
incident recovery and SLA must ensure it is covered.

62.When any expertise is outsourced --- has to be signed.

A. HIPAA
B. IR
C. NDA
D. None of the above
Explanation: NDA has to be signed while outsourcing expertise. NDA stands for Non-Disclosure
Agreement.

63. While evaluating risk for cloud, the first step is?
A. Determine initial costs
B. Determine data or function considered for cloud
C. Determine important of data or function
D. Determine strategy of adopting cloud
Explanation: While evaluating risk for cloud, the first step is to determine data or function
considered for cloud
 64.In a cloud environment, the number of sources that must be monitored:
A. Are the same as in any other computing environment
B. Increase minimally
C. Decrease substantially
D. Increase exponentially
Explanation: Since resources grow depending upon the demand it grows exponentially

65.ESI stands for:

A. E-mail Storage interface
B. Electronic Stored Interface
C. Electronically Stored Information
D. None of the above
Explanation:ESI stands for Electronically Stored Information

66. Remove

67. Service levels, governance, compliance and liability are stipulated and enforced in which
of the following service models?
A. SaaS
B. PaaS
C. laaS
D. all of the above
Explanation: Irrespective of the models, service levels, governance, complience and liability are
stipulated and enforced

68. According to the Cloud Security Alliance (CSA), cloud service providers should use
which of the following as a guideline?
A. ISO/IEC 27000
B. ISO/IEC 27001
C. ISO/IEC 27003
D. ISO/IEC 35000
Explanation: According to the Cloud Security Alliance (CLA), cloud service providers should
use ISO/IEC 27001 as a guideline

69. According to the Cloud Security Alliance (CSA), the cloud customer must understand:
A. The provider's ability to produce evidence needed for compliance
B. The division of compliance responsibilities between the consumer and provider
C. The customer's role in bridging the gap between auditor and service provider
D. All of the above
Explanation: The cloud customer must understand; the providers ability to produce evidence
needed for compliance, the division of compliance responsibilities between consumer and
provider and the customer's role in bridging the gap between auditor and service provider.

70. The 'ability to run multiple operating systems on a single physical system and share the
underlying hardware resources' is referred as:
A. Cloud computing
B. Grid computing
 C. Agile computing
D. Virtualization
Explanation: Ability to run multiple operating systems in a single hardware is called
virtualization.

71. Improvements in which of the following areas would lead to improvements for all cloud
service customers?
A. Tools
B. Policies
C. Processes
D. All of these
Explanation: Tools, policies and processes are equally important and can have varied benefits.

72.According to the CSA's (Cloud security alliance's) risk assessment framework, risks may
be ---
A. Accepted
B. Transferred
C. Mitigated
D. All of the above
Explanation: Risk may be mitigated, accepted or transferred as per CSA guidelines

73.In SaaS, there are

A. One deployment model for cloud services
B. Two deployment models for cloud services
C. Three deployment models for cloud services
D. Four deployment models for cloud services
Explanation: NONE

74.Rackspace Cloud is an example of:

A. Software as a Service
B. Platform as a Service
C. Infrastructure as a Service
D. None of the above
Explanation: Rackspace is an example of infrastructure as a Service.

75.The acronym EDoS refers to:

A. Economic Denial of Service
B. Environmental Domain of Service
C. Encrypted Disaster or Solution
D. Engineered Data on Servers
Explanation: EdoS stands for Economic Denial of Service

76. Which of the following is NOT a recommendation for the 'create' phase of the data
security lifecycle?
A. Identification of data labeling and classification capabilities.
B. User tagging to classify data.
C. Leveraging of content discovery tools
 D. Enterprise digital rights management
Explanation: Content discovery tools usage is not part of 'create' phase

77. According to the Cloud Security Alliance (CSA), the cloud services agreement must
allow the client or third party to:
A. Have reasonable security that data breaches will not happen.
B. Monitor the service provider's performance and test for system vulnerabilities.
C. Retain ownership of the data in original format.
D. Adjust the process for responding to legal requests at any time.
Explanation: According to the Cloud Security Alliance (CSA) the cloud services agreement must
allow the client or party to retain ownership of the data in original format

78.Cloud cube model illustrates --

A. Physical location of deployment models
B. Deployment models
C. Management and ownership
D. All of the above
Explanation: Cloud cube model illustrates physical location of deployment models.

79.Cloud cube model was developed by ---

A. Cloud Security Alliance
B. OpenCrowd cloud solutions
C. Jericho forum
D. GoGrid
Explanation:Jericho forum developed cloud cube model.

80.In which model, does the consumer have control over application hosting environment
configurations?
A. SaaS
B. PaaS
C. laaS
D. None of the above
Explanation: In Paas, applications can be built and hosted

81. HIPAA stands for:

A. Highly Intelligent Performance and Accounting
B. Highly Interfering Performance and Auditing
C. Health Insurance Portability and Accountability
D. None of the above
Explanation: HIPAA stands for Health Insurance Portability and Accountability. It is
compliance,

82. Which of the following scenarios begins with a crisis of confidence in the cloud
provider's financial position?
A. An upcoming financial audit
B. A 'mass exodus' scenario
C. A 'run on the banks' scenario
 D. All of the above
Explanation: A run on the banks scenario can lead to crisis of confidence.

83. The worst case scenario in a 'run on the banks' situation is that:
A. Customers may be locked into a contract with a provider for many years
B. Customers may not be able to retrieve their data
C. Providers may be able to leak customer data to third parties
D. Customer data may be made publicly available

Explanation: In case of the provider going bankrupt, then there is a chance that the customers
might not be able to retrieve their data

84.Which of the following is NOT true about PaaS?

A. It enables developers to build their own applications on top of the platform
B. It offers less customer ready features than SaaS
C. It is more extensible than the SaaS model
D. There are not as many security options as SaaS within this model
Explanation: PaaS offers multiple security options for customers

85. Cloud service customers should develop evidence-collecting processes for which of the
following areas?
A. System configurations
B. Audit logs
C. Change management reports
D. All of the above
Explanation: Cloud service customers should develop evidence-collecting processes for system
configurations, audit logs, and change management reports.

86. In which of the following cases, cloud service providers audit should be done?
A. Be done by the customer only
B. Be done regardless of the provider's certifications
C. Be waived, if the provider has adequate certifications
D. None of the above
Explanation: No matter what certifications provider has, cloud service providers need to be
audited.

87. According to the Cloud Security Alliance (CSA), which of the following clauses should
be obtained whenever possible?
A. Right to Audit Clause
B. Right to Withdraw Clause
C. Security Breach Clause
D. Data Transferability Clause
Explanation: Right to Audit Clause should be given from time to time to ensure everything is as
per the agreement.
88.
89. What kind of provisioning is standardized in OASIS' Service Provision Markup
Language (SPML)?
 A. Lateral provisioning
B. Transport provisioning
C. Push-style provisioning
D. Pull-style provisioning
Explanation: Service Provision Markup Language uses push-style provisioning.

90.Which of the following assets are supported by cloud?

A. Data and resources
B. Applications and processes/functions
C. Data and applications/functions/processes
D. All of the above
Explanation: All the mentioned functions are actively supported by cloud

91.Data breaches is a part of:

A. Events management
B. Disaster management
C. Incidents management
D. None of the above
Explanation: Data breaches is part of disaster management.

92. When an attacker uses a customer' resources for his/her own gain, this may be referred to
as:
A. Diminished Domain of Service
B. Distributed Denial of Service
C. Economic Denial of Service
D. Engineered Denial of Service
Explanation: When an attacker uses a customer's resources for his/her own gain, this may be
referred to as Distributed Denial of Service

93.Which of the following is not a category of infrastructure services?

A. Storage
B. Compute
C. Services Management
D. Integration
Explanation: Integration is not a category of infrastructure services

94. Which of the following should not demonstrate compartmentalization by cloud providers,
according to the Cloud Security Alliance (CSA)?
A. Systems
B. Provisioning
C. Personnel
D. Resources
Explanation: Personnel compartmentalization should not be demonstrated by the cloud
providers.

95. Which of the following is a characteristic of virtualization?

A. Single OS image per machine
 B. Hardware-independence of operating system and applications
C. Inflexible, costly infrastructure
D. Software and hardware are tightly coupled
Explanation: Through hypervisor, virtualization separates hardware and OS+ applications.

96. Since ----, the Federal Rules of Civil Procedure require the inclusion of electronically-
stored information when responding to discovery requests.
A. 2000
B. 2002
C. 2004
D. 2006
Explanation: Since 2006, the Federal Rules of Civil Procedure require the inclusion of
electronically-stored information when responding to discovery requests.

97.What is recommended to enterprises adopting cloud?

A. Profit based approach
B. Risk based approach
C. Security based approach
D. Privacy based approach
Explanation: Risk based approach is an important factor to consider

98.In which of these models, does the consumer have limited user-specific configuration
settings?
A. SaaS
B. PaaS
C. laaS
D. none of the above
Explanation: Consumers do not have much of a say in SaaS offerings.

99. SOC refers to:

A. Strategic Overview Card
B. Standard Operations Credentials
C. Security Operations Center
D. Service Office Catalogue
Explanation: SOC refers to Security Operations Center.

100. When considering compliance with accepted frameworks and standards, one
should consider --
A. Cloud service classroom; security architecture and cloud architecture
B. Compliance architecture; cloud architecture; cloud service classification
C. Security architecture; compliance architecture; cloud architecture
D. All of the above
Explanation: All these should be taken into serious consideration

101. In a cloud environment, the number of security notifications:

A. Are the same as in any other computing environment
B. Increase minimally
 C. Decrease substantially
D. Increase exponentially
Explanation: With cloud all security measure have only been increased exponentially.

Adding Flash Card information I have received from a websiste - Thanks to Ajay Chauhan
(http://www.cram.com/flashcards/ccsk-3657367)

What are the five essential characteristics of 1 - Broad Network Access. 2 - Resource
Cloud computing as defined by NIST - Pooling. 3 - On-Demand service. 4 - Rapid
Elasticity. 5 - Measured Service

The level of attention and scrutiny paid to The valued Risk

enterprise risk assessments should be directly
related to what?

In the majority of data protection laws, when the The Data Controller
data is transferred to a third party custodian,
who is ultimately responsible for the security of
the data?

What is the most important reason for knowing So that it can address the specific
where the cloud service provider will host the restrictions that foreign data protection laws
data? may impose.

What are the six phases of the data security Create, Store, Use, Share, Archive,
lifecycle? destroy.

Why is the size of data sets a consideration in The sheer size of data may cause an
portability between cloud service providers? interruption of service during a transition, or
a longer transition period than anticipated.

What are the four D's of perimeter security? Deter, Detect, Delay, Deny

In which type of environment is it impractical to In multi-tenant environments the operator or

allow the customer to conduct their own audit, provider cannot normally accommodate
making it important that the data center visits by every customer to conduct an
operators are required to provide auditing for audit.
the customers?

What measures could be taken by the cloud SaaS providers that generate extensive
service provider (CSP) that might reduce the customer-specific application logs and
occurrence of application level incidents? provide secure storage as well as analysis
facilities will ease the IR burden on the
customer.

How should an SDLC be modified to address Organizations must adopt best practices for
application security in a Cloud Computing development, either by having a good blend
environment? of processes, tools, and technologies of
their own or adopting one of the maturity
models.

What is the most significant reason that To be able to prove that all data has been
customers are advised to maintain in-house key deleted from the public cloud environment
management? when exiting that environment.

What two types of information will cause PII - Personal Identifiable Information
additional regulatory issues for all organizations SPI - Sensitive Personal Information
if held as an aspect of an Identity?

Why do blind spots occur in a virtualized Virtual machines may communicate with
environment, where network-based security each other over a hardware backplane,
controls may not be able to monitor certain rather than a network.
types of traffic?

When deploying Security as a Service in a Agreement on the metrics defining the

highly regulated industry or environment, what service level required to achieve regulatory
should both parties agree on in advance and objectives
include in the SLA?

Economic Denial of Service (EDOS), refers to… The destruction of economic resources; the
worst case scenario would be bankruptcy of
the customer or a serious economic impact

How does SaaS alleviate much of the The provider is not only responsible for the
consumer's direct operational responsibility? physical and environmental security
controls, but it must also address the
security controls on the infrastructure, the
applications, and the data.

In Europe, name the group that has enacted The European Economic Area (EEA)
data protection laws and the principles on which Member States follow principles set forth in
they follow. the 1995 European Union (EU) Data
Protective Directive and the 2002 ePrivacy
Directive as amended in 2009.

What is the minimum that U.S. state laws Written contract with the service provider
require when using a Cloud Service Provider? with reasonable security measures.

What must be included between an What must be included between an

organization and a Cloud Service Provider organization and a Cloud Service Provider
when the organization has contractual when the organization has contractual
obligations to protect the personal information obligations to protect the personal
of their clients, contacts or employees, to information of their clients, contacts or
ensure that the data are not used for secondary employees, to ensure that the data are not
use and are not disclosed to third parties? used for secondary use and are not
disclosed to third parties?

What is a click-wrap agreement? What is a click-wrap agreement?

How does an organization respond to the How does an organization respond to the
evolving nature of the cloud environment? evolving nature of the cloud environment?

How does an organization respond to the All documents that pertain to the case
evolving nature of the cloud environment? whether favorable to its case or the other
litigant's case.

What is ESI? Electronically Stored Information

What are four considerations for a cloud Cross-border or multi-jurisdiction

customer to understand in reference to - Assignment of compliance responsibilities
regulatory compliance? including the providers
- CSP capability to show compliance
- Relationship between all parties including
customer, CSP, auditors and CSP
providers

What role do audits perform in the cloud Audits must be independently conducted
relationships? and should be robustly designed to reflect
best practice, appropriate resources, and
tested protocols and standards.

At what stage should compliance be addressed Requirement identification stage

between an organization and CSP?

What is multi-tenancy? Use of same resources or application by

multiple customers that may belong to the
same organization or a different
organization.

What does a cloud service model need to Policy-driven enforcement

include for multi-tenancy consumers? Segmentation
Isolation
Governance
Service Levels
Chargeback/billing models

What services can be shared in multi-tenancy Infrastructure

cloud service models? Data
Metadata
Services
Applications
What three cloud services make up the Cloud Infrastructure as a Service (IaaS)
Reference Model? Platform as a Service (PaaS)
Software as a Service (SaaS)

Define IaaS IaaS delivers computer infrastructure as a

service along with raw storage and
networking.

Define PaaS PaaS delivers computing platform and

solution stack as a service.

Define SaaS SaaS delivers software and its associated

data hosted centrally typically in the cloud
and are usually accessed by users via a
web browser over the Internet.

List the four dimensions in the Jericho Cloud Internal (I) / External (E): Physical Location
Cube Model - Proprietary (P) / Open (O): State of
Ownership
- Perimeterised (Per) / De-perimeterised (D-
p): Architectural mindset
- Insourced / Outsourced: Who provides the
cloud service

List the four cloud deployment models Public

Private - internal/external
Hybrid
Community

What is the key takeaway for security The lower down the stack the CSP stops,
architecture? the more security capabilities and
management consumers are responsible
for implementing and managing
themselves.

What are the risks and pitfalls to consider in the How / where cloud service are deployed
Cloud Security Reference Model? - Manner in which cloud services are
consumed
- Re-perimeterization of enterprise networks
- Types of assets, resources and
information being managed
- Who manages them and How
- which controls are selected and How they
are integrated
- compliance issues

How do you determine the general security Classify a cloud service against the cloud
posture of a service and how it relates to an architectural model
asset's assurance and protection - Map the security architecture and
requirements? business, regulatory, and other compliance
requirements as a gap-analysis exercise

What do cloud service brokers provide? Intermediation

- Monitoring
- Transformation/portability
- Governance
- Provisioning
- Integration services
- Relationship negotiation between CSP
and consumers

What are included in a Service Level Service levels

Agreement (SLA)? - Security
- Governance
- Compliance
- Liability expectations of the service and
provider

What are two types of Service Level Negotiable

Agreements (SLA)? Non-negotiable

Name the five basic principles followed in Auditing supply chains

Corporate Governance. - Board and management structure and
process
- Corporate responsibility and compliance
- Financial transparency and information
disclosure
- Ownership structure and exercise of
control rights

Define Corporate Governance The set of processes, technologies,

customs, policies, laws and institutions
affecting the way an enterprise is directed,
administered or controlled.

Define Information Risk Management The process of identifying and

understanding exposure to risk and the
capability of managing it, aligned with the
risk appetite and tolerance of the data
owner.

Define Enterprise Risk Management The methods and processes used by

organizations to manage risks and seize
 opportunities related to the achievement of
their objectives.

List four of the specific risks identified and Avoidance: exiting the activities giving rise
analyzed by management in a cloud to risk
environment. - Reduction: taking action to reduce the
likelihood or impact related to the risk
- Share or insure: transferring or sharing a
portion of the risk to finance it
- Accept: no action is taken due to a
cost/benefit decision

What should be specifically targeted in the Incident management

assessment of a CSP's third party service - business continuity
providers? - Disaster recovery policies, processes and
procedures
- Review of co-location and back-up
facilities

What is a CSP's supply chain? Their service provider relationships and

dependencies

How should the cost savings obtained by cloud

computing services be utilized?

Define Public Cloud? The cloud infrastructure is made available

to the general public or a large industry
group and is owned by an organization
selling cloud services.

Define Private Cloud The cloud infrastructure is operated solely

for a single organization. It may be
managed by the organization or by a third
party and may be located on-premise or off-
premise.

Additionally There is Techgig site where we have 1 hour training for Cloud
CCSK Training Link
Its good training ..I will upload some sites for the CCSK training.And information.