Certificate of Cloud Security Knowledge (CCSK) Foundation Quiz Questions and Answers

The following is a standard for provisioning and de-provisioning accounts in external systems and exchanging attribute information

Answer :
  • SCIM

Explanation :

The correct answer is SCIM. According to CSA guidance 4.0 (page 133), System for Cross-domain Identity Management (SCIM) is a standard for provisioning and deprovisioning accounts in external systems and for exchanging attribute information. SAML also allows for secure exchange of attribute information, but the best answer is SCIM, as the question is taken from the guidance word-for-word. WAP is a wireless protocol and OAuth is limited to authorization. Service Provisioning Markup Language is no longer referenced in the 4.0 version of the guidance.

What may raise an issue when directly federating internal directory servers in the free-form model?

Answer :
  • It may require users to VPN back to the corporate network before accessing cloud services

Explanation :

The correct answer is that users may have to VPN back to the corporate network before accessing cloud services (CSA guidance page 135). Directory servers with appropriate capabilities (e.g. Active Directory Federation Services) can federate with cloud services. Although both SAML and OAuth are standards that can be leveraged for federation, these are not the best answer. Finally, while identity broker services may be more scalable depending on the use case involved, this is not found in the CSA guidance.

Which entity has the primary relationship with an individual?

Answer :
  • The Data Controller

Explanation :

The correct answer is the Data Controller. Page 36 of the guidance states that the Data Controller has the primary relationship with an individual. Of note, the guidance uses both data controller and data custodian depending on the applicable jurisdiction; these terms can be used interchangeably. Americans call the role that collects information from individuals (data subjects) the data custodian, whereas Europeans call this role the data controller.

Why might a cloud service provider not allow customers to audit their environment?

Answer :
  • Economies of scale

Explanation :

The BEST answer is “Economies of Scale”, as referenced on page 56 of the CSA guidance. Although this is associated with the time and effort required to manage these audits, always look for the BEST answer as likely being the words associated with the question in the guidance. All other answers are incorrect.

Which testing type can be used to find embedded credentials in application code?

Answer :
  • Static Application Security Testing (SAST)

Explanation :

The correct answer is Static Application Security Testing (SAST). Dynamic testing is testing code as it is running. Fuzz testing is generally a dynamic testing type. Although the other three options may be possible, the most appropriate answer is SAST (page 113).

Virtual network traffic should not be bridged back out to the physical network for inspection because:

Answer :
  • Physical network inspection will create a bottleneck

Explanation :

The correct answer is that physical network inspection will create a bottleneck. Bridging traffic from a virtual network to a physical network will cause bottlenecks (pg. 95). Note that although this cannot be done in a public cloud network, the guidance makes no reference to public or private (and the bottleneck remains true in either case).

What is the CSA term for something assigned to an entity within a given namespace?

Answer :
  • Identity

Explanation :

The correct answer is Identity (guidance pg. 131). An Identifier is how an identity is asserted. A Persona is an identity plus attributes that indicate context. SAML is a federation standard and Authorizer is not a term used by the CSA.

A Role in the context of Identity and Access Management, according to the CSA, is:

Answer :
  • Used to make access decisions

Explanation :

OK, this one was made purposefully difficult. In reality, all of these could be correct. However, the BEST answer is “used to make access decisions”, as this is found directly in the guidance on page 131.

Logging is an example of what type of control?

Answer :
  • Detective

Explanation :

Logging is a detective control. This is not found in the guidance, rather it is a question based on security knowledge. Detection is a critical component of security and should be enabled when feasible.

Which of the following is most applicable for protecting the Management Plane components themselves, such as the web and API servers?

Answer :
  • Perimeter Security

Explanation :

The correct answer is Perimeter Security (page 71). Although all other options may be valid, perimeter security is listed as the most applicable for protecting components such as web and API servers.