An organization is implementing a new hybrid cloud deployment. Before granting access to any of the resources, the security team wants to ensure that all employees are checked against a database to see if they are allowed to access the requested resource. Which type of security control is the organization leveraging for its employees?
Correct Answer: A
The described control isauthorization, which occurs after authentication. Authorization determines what resources a user can access based on their role, attributes, or policies stored in an access control database. Authentication confirms identity, but authorization validates permissions. WAFs protect applications from malicious traffic, and antispyware tools detect malware. Neither applies to access decisions. By checking users against a database of permissions, the organization enforces the principle of least privilege, ensuring employees only access the resources necessary for their role. This strengthens data protection, reduces insider threats, and aligns with compliance requirements for access governance.
Managing-Cloud-Security Exam Question 12
As part of an e-discovery process, an employee needs to identify all documents that contain a specific phrase. Which type of discovery method should the employee use to identify these documents?
Correct Answer: B
Content-based discovery involves searching within the actual text or binary content of documents to find matches for keywords, phrases, or patterns. In e-discovery, when the requirement is to locate documents containing a specific phrase, searching based on content is the most direct and reliable method. Other approaches, such as metadata-based discovery, only examine properties like creation date or author, which do not reveal the presence of specific text. Label-based discovery relies on pre-applied classification labels, which may not always be accurate. Location-based discovery limits searches to folders or storage locations but does not guarantee relevance. Content-based discovery provides completeness in legal and regulatory investigations. It ensures that no relevant documents are overlooked simply because of inconsistent labeling or metadata, thus supporting compliance and defensibility in court proceedings.
Managing-Cloud-Security Exam Question 13
Which device is used to create and manage encryption keys used for data transmission in a cloud-based environment?
Correct Answer: A
AHardware Security Module (HSM)is a dedicated, tamper-resistant device designed for creating, managing, and storing encryption keys. In cloud environments, HSMs are essential for securing cryptographic operations, such as SSL/TLS key management, digital signatures, and secure data transmission. TPMs are hardware chips used to secure local devices, such as laptops. Memory controllers and RAID controllers manage system performance and storage but are not cryptographic devices. HSMs provide strong protection against key theft or misuse by isolating cryptographic functions from general- purpose computing resources. They are often certified under standards like FIPS 140-2, ensuring compliance with stringent security requirements. In cloud services, customers can use provider-managed HSMs or deploy dedicated virtual HSM instances for secure key management.
Managing-Cloud-Security Exam Question 14
Which component allows customers to transfer data into and out of a cloud computing vendor's environment?
Correct Answer: C
Thenetworkis the component that enables customers to transfer data into and out of a cloud environment. It provides the connectivity through which data is uploaded, downloaded, and exchanged between customer systems and cloud infrastructure. Firewalls protect the network by filtering traffic, load balancers distribute requests across resources, and virtual displays present interfaces, but none directly facilitate the transfer of data. In cloud models, secure networking is critical. Protocols like TLS encrypt traffic, while VPNs and private links provide additional isolation. Reliable networking ensures availability, while strong controls safeguard confidentiality and integrity. Customers must ensure that the cloud provider offers secure, high-performance network services to support business needs.
Managing-Cloud-Security Exam Question 15
Which action should a customer take to add an extra layer of protection to the data stored in a public cloud environment?
Correct Answer: A
While cloud providers typically offer built-in encryption, customers should apply additional encryption for sensitive data to maintain defense-in-depth. Encrypting files and folders before uploading them ensures that even if provider-side protections fail, data remains confidential. WAFs protect applications from web threats, DAM tools monitor database use, and block storage versus file storage is an architecture choice. None of these directly provide an extra protective layer for stored data. By maintaining control of their encryption keys, customers ensure compliance with data protection standards such as GDPR, HIPAA, or PCI DSS. This practice also mitigates insider threats within the provider's environment and supports secure multi-cloud strategies. Encryption remains the strongest safeguard for protecting sensitive files in public cloud storage.