WGU - MANAGING CLOUD SECURITY
EXAM - C838
What are the 4 characteristics of cloud computing? - ✔Broad network access
On-demand services
Resource Pooling
Measured or "metered" service
What NIST publication number defines cloud computing? - ✔800-145
What ISO/IEC standard provides information on cloud computing? - ✔17788
What is another way of describing a functional business requirement? - ✔necessary
What is another way of describing a nonfunctional business requirement? - ✔not
necessary
What is the greatest driver pushing orgs to the cloud? - ✔Cost savings
What is cloud bursting? - ✔Ability to increase available cloud resources on demand
What are 3 characteristics of cloud computing? - ✔Elasticity
Simplicity
Scalability
What is a cloud customer? - ✔Anyone purchasing cloud services
What is a cloud user? - ✔Anyone using cloud services
What are the three cloud computing service models? - ✔SaaS(Software as a service)
PaaS(Platform as a service)
IaaS(Infrastructure as a service)
What is IaaS (Infrastructure as a Service)? - ✔Cloud provider provides all the physical
capability and administration, while the customer is responsible for logical resources.
What is PaaS (Platform as a Service)? - ✔A cloud computing service that provides the
hardware and the operating system and is responsible for updating and maintaining
both.
What is SaaS (Software As A Service)? - ✔Cloud provider manages everything.
What are the four cloud deployment models? - ✔Public
Private
Community
,WGU - MANAGING CLOUD SECURITY
EXAM - C838
Hybrid
What cloud model is owned by a single organization? - ✔Private
What cloud model is an arrangement of two or more cloud servers? - ✔Hybrid
What cloud model is a shared setup between orgs? - ✔Community
What cloud model is open for free usage? - ✔Public
What is a cloud service provider? - ✔Cloud service provider manages and provides
entire hosting ability
What is a Cloud Access Security Broker? - ✔Third-party acting as an intermediary for
identity and access management
What do regulators do? - ✔Ensure organizations are in compliance with regulatory
framework.
What word in the CIA triad describes: What protects information from unauthorized
access/dissemination? - ✔Confidentiality
What word in the CIA triad describes: Ensuring that information is not subject to
unauthorized modification? - ✔Integrity
What word in the CIA triad describes: Ensuring that authorized users can access the
information when they are permitted to do so? - ✔Availability
What is a cloud architect? - ✔Expert in cloud computing
What is cloud os also known as? - ✔PaaS
NIST standard number that lists accredited and outmoded cryptosystems - ✔FIPS 140-
2
customer may be unable to leave, migrate, or transfer to an alternate provider due to
technical or non-technical constraints. - ✔vendor lock-m
What is cloud migration? - ✔Process of transitioning part of a company's data or
services from onsite premises to the cloud
What is cloud portability? - ✔Move applications and data between cloud providers
,WGU - MANAGING CLOUD SECURITY
EXAM - C838
What offers a degree of assurance that nobody w/o authorization will be able to access
other's data? - ✔Encryption
If a cloud customer wants a secure, isolated sandbox in order to conduct software
development and testing, which cloud service model would probably be best? - ✔PaaS
What technology has NOT made cloud service viable? - ✔Smart hubs
What determines the critical paths, processes, and assets of an organization? - ✔BIA
Fully-operational environment with very little maintenance or administration necessary,
which cloud service model would probably be best? - ✔PaaS
customer is unable to recover or access their own data due to the cloud provider going
into bankruptcy or otherwise leaving the market. - ✔Vendor lock-out
What are four examples of things to know to decide how to handle risks within an org? -
✔Inventory of all assets
Valuation of each asset
Critical paths, processes, and assets
Clear understanding of risk appetite
T/F: Assets are only tangible items. - ✔False. Assets are everything owned or
controlled by an org.
The process of evaluating assets? - ✔Business Impact Analysis(BIA)
What is criticality? - ✔Something an org could not operate or exist without
What are 5 examples of criticality for an org - ✔Tangible assets
Intangible assets
Processes
Data paths
Personnel
In risk, what is the avoidance method? - ✔Avoiding high risk
In risk, what is the acceptance method? - ✔Acceptable level of risk
In risk, what is an example of the avoidance method? - ✔Insurance
, WGU - MANAGING CLOUD SECURITY
EXAM - C838
In risk, what is the mitigation method? - ✔Controls or countermeasures
Assets can be what? - ✔Tangible
Intangible
Personnel
What does Business Impact Analysis do? - ✔Defines which of the assets provide the
intrinsic value of an organization.
What is risk appetite - ✔Level, Amount, or Type of risk that an org finds acceptable
What is the IaaS boundary? - ✔The provider is responsible for connectivity and power
and the customer is in charge for installation of software.
What is the PaaS boundary? - ✔The provider is responsible for updates and
administration of the OS and the customer monitors and reviews software events.
What is the SaaS boundary? - ✔The provider is responsible for system maintenance
and the customer supplies and processes data to and in the system.
What should encryption be used for in a cloud datacenter? - ✔Long-term
storage/archiving
Protecting near-term stored files, such as snapshots of virtualized instances
Preventing unauthorized access to specific datasets by authorized personnel
What should encryption be used for in communications between cloud providers and
users? - ✔Creating secure sessions
Ensuring the integrity and confidentiality of data in transit
What are 4 controls/mechanisms a cloud provider should play a role in in layered
defense? - ✔Strong personnel controls
Technological controls
Physical controls
Governance mechanisms
In cloud layered defense what are examples of personnel controls? - ✔background
checks
continual monitoring
In cloud layered defense what are examples of technological controls? - ✔encryption
event logging
access control enforcement
EXAM - C838
What are the 4 characteristics of cloud computing? - ✔Broad network access
On-demand services
Resource Pooling
Measured or "metered" service
What NIST publication number defines cloud computing? - ✔800-145
What ISO/IEC standard provides information on cloud computing? - ✔17788
What is another way of describing a functional business requirement? - ✔necessary
What is another way of describing a nonfunctional business requirement? - ✔not
necessary
What is the greatest driver pushing orgs to the cloud? - ✔Cost savings
What is cloud bursting? - ✔Ability to increase available cloud resources on demand
What are 3 characteristics of cloud computing? - ✔Elasticity
Simplicity
Scalability
What is a cloud customer? - ✔Anyone purchasing cloud services
What is a cloud user? - ✔Anyone using cloud services
What are the three cloud computing service models? - ✔SaaS(Software as a service)
PaaS(Platform as a service)
IaaS(Infrastructure as a service)
What is IaaS (Infrastructure as a Service)? - ✔Cloud provider provides all the physical
capability and administration, while the customer is responsible for logical resources.
What is PaaS (Platform as a Service)? - ✔A cloud computing service that provides the
hardware and the operating system and is responsible for updating and maintaining
both.
What is SaaS (Software As A Service)? - ✔Cloud provider manages everything.
What are the four cloud deployment models? - ✔Public
Private
Community
,WGU - MANAGING CLOUD SECURITY
EXAM - C838
Hybrid
What cloud model is owned by a single organization? - ✔Private
What cloud model is an arrangement of two or more cloud servers? - ✔Hybrid
What cloud model is a shared setup between orgs? - ✔Community
What cloud model is open for free usage? - ✔Public
What is a cloud service provider? - ✔Cloud service provider manages and provides
entire hosting ability
What is a Cloud Access Security Broker? - ✔Third-party acting as an intermediary for
identity and access management
What do regulators do? - ✔Ensure organizations are in compliance with regulatory
framework.
What word in the CIA triad describes: What protects information from unauthorized
access/dissemination? - ✔Confidentiality
What word in the CIA triad describes: Ensuring that information is not subject to
unauthorized modification? - ✔Integrity
What word in the CIA triad describes: Ensuring that authorized users can access the
information when they are permitted to do so? - ✔Availability
What is a cloud architect? - ✔Expert in cloud computing
What is cloud os also known as? - ✔PaaS
NIST standard number that lists accredited and outmoded cryptosystems - ✔FIPS 140-
2
customer may be unable to leave, migrate, or transfer to an alternate provider due to
technical or non-technical constraints. - ✔vendor lock-m
What is cloud migration? - ✔Process of transitioning part of a company's data or
services from onsite premises to the cloud
What is cloud portability? - ✔Move applications and data between cloud providers
,WGU - MANAGING CLOUD SECURITY
EXAM - C838
What offers a degree of assurance that nobody w/o authorization will be able to access
other's data? - ✔Encryption
If a cloud customer wants a secure, isolated sandbox in order to conduct software
development and testing, which cloud service model would probably be best? - ✔PaaS
What technology has NOT made cloud service viable? - ✔Smart hubs
What determines the critical paths, processes, and assets of an organization? - ✔BIA
Fully-operational environment with very little maintenance or administration necessary,
which cloud service model would probably be best? - ✔PaaS
customer is unable to recover or access their own data due to the cloud provider going
into bankruptcy or otherwise leaving the market. - ✔Vendor lock-out
What are four examples of things to know to decide how to handle risks within an org? -
✔Inventory of all assets
Valuation of each asset
Critical paths, processes, and assets
Clear understanding of risk appetite
T/F: Assets are only tangible items. - ✔False. Assets are everything owned or
controlled by an org.
The process of evaluating assets? - ✔Business Impact Analysis(BIA)
What is criticality? - ✔Something an org could not operate or exist without
What are 5 examples of criticality for an org - ✔Tangible assets
Intangible assets
Processes
Data paths
Personnel
In risk, what is the avoidance method? - ✔Avoiding high risk
In risk, what is the acceptance method? - ✔Acceptable level of risk
In risk, what is an example of the avoidance method? - ✔Insurance
, WGU - MANAGING CLOUD SECURITY
EXAM - C838
In risk, what is the mitigation method? - ✔Controls or countermeasures
Assets can be what? - ✔Tangible
Intangible
Personnel
What does Business Impact Analysis do? - ✔Defines which of the assets provide the
intrinsic value of an organization.
What is risk appetite - ✔Level, Amount, or Type of risk that an org finds acceptable
What is the IaaS boundary? - ✔The provider is responsible for connectivity and power
and the customer is in charge for installation of software.
What is the PaaS boundary? - ✔The provider is responsible for updates and
administration of the OS and the customer monitors and reviews software events.
What is the SaaS boundary? - ✔The provider is responsible for system maintenance
and the customer supplies and processes data to and in the system.
What should encryption be used for in a cloud datacenter? - ✔Long-term
storage/archiving
Protecting near-term stored files, such as snapshots of virtualized instances
Preventing unauthorized access to specific datasets by authorized personnel
What should encryption be used for in communications between cloud providers and
users? - ✔Creating secure sessions
Ensuring the integrity and confidentiality of data in transit
What are 4 controls/mechanisms a cloud provider should play a role in in layered
defense? - ✔Strong personnel controls
Technological controls
Physical controls
Governance mechanisms
In cloud layered defense what are examples of personnel controls? - ✔background
checks
continual monitoring
In cloud layered defense what are examples of technological controls? - ✔encryption
event logging
access control enforcement
