SECURITY OA – FULL-LENGTH PRACTICE TEST (2026 UPDATE): QUESTIONS AND RATIONALES / GRADED A+ UPDATE 100% CORRECT
📘 Domain 1: Cloud Security Models & Shared Responsibility (15 Questions)
1. Which security model is based on the principle that no entity, whether inside or
outside the network perimeter, should be trusted by default?
A) The Castle-and-Moat Model
B) The Zero Trust Model
C) The Permissive Security Model
D) The Traditional Perimeter Model
Rationale: Zero Trust operates on the “never trust, always verify” principle, requiring
strict identity verification for every person and device attempting to access resources.
2. In the Shared Responsibility Model for Infrastructure as a Service (IaaS), which of
the following is the sole responsibility of the customer?
A) Physical security of the data center
B) Maintenance of the underlying virtualization layer
C) Security of the guest operating system and applications
D) Disposal of decommissioned hard drives
Rationale: In IaaS, the provider manages the physical infrastructure, while the
customer is responsible for everything from the OS upward.
3. Which cloud service type places the most responsibility on the
customer according to the Shared Responsibility Model?
A) IaaS
B) PaaS
C) SaaS
D) All service types require equal customer responsibility
Rationale: In IaaS, the customer has to manage and secure nearly everything above
the hypervisor, including the OS, applications, and data.
4. A security administrator is implementing a “Defense in Depth” strategy. Which of
the following best describes this approach?
A) Relying on a single, high-end enterprise firewall to protect all data
B) Using multiple layers of security controls to provide redundancy if one fails
C) Moving all sensitive data to a single off-site physical server
D) Ensuring that only the IT Manager has access to the cloud console
Rationale: Defense in Depth uses layered defenses so that if one layer is bypassed,
others remain.
5. Which cloud security concept involves dividing a network into smaller, isolated
segments to contain potential breaches and limit lateral movement?
A) Data Encapsulation
B) Micro-segmentation
C) Vertical Scaling
D) Load Balancing
Rationale: Micro-segmentation allows granular security policies to be applied to
individual workloads, preventing an attacker from moving across the network.
6. What type of control is entirely implemented by the cloud service provider (CSP)
and inherited by all consumers?
A) Hybrid controls
B) Corrective controls
C) System-specific controls
D) Common controls
Rationale: Common controls are fully provided by the CSP and are inherited by all
cloud consumers, ensuring a baseline of security across the platform.
7. Which cloud service model provides the least amount of built-in security for the
customer?
A) IaaS
B) PaaS
C) SaaS
D) All provide the same level of built-in security
Rationale: IaaS offers the most flexibility but also places the greatest security burden
on the customer, as the provider only secures the underlying hardware and
virtualization layer.
8. In a SaaS environment, who is typically responsible for access controls to the
application?
A) The CSP only
B) The customer only
C) Neither the CSP nor the customer
D) Both the CSP and the customer share responsibility
Rationale: In SaaS, while the provider manages the infrastructure and application
stack, the customer is responsible for managing user identities and access
permissions within the application.
9. The principle of Least Privilege dictates that users, applications, and services
should:
A) Be granted full administrative rights by default
B) Receive only the minimum permissions necessary to perform their tasks
C) Never be granted any permissions
D) Apply the same permissions to all users regardless of role
Rationale: Least Privilege reduces the risk of accidental or malicious actions by
ensuring that no entity has more privileges than strictly needed.
10. Which organization defined the three types of security control responsibilities in
the Shared Responsibility Model?
A) AWS
B) ISO
C) PCI DSS
D) NIST
Rationale: NIST provides the foundational framework that categorizes security
control responsibilities among cloud providers and consumers in the Shared
Responsibility Model.
11. A company wants to implement sandboxing for its cloud architecture. This
technique is primarily used to:
A) Increase network bandwidth
B) Isolate and execute untested or untrusted code in a controlled environment