CCSP Cheat Sheet
Cloud Concepts, Architecture & Design
Cloud Computing Concepts
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- NIST SP 800-145 is the definition CCSP grades against
The exam settles "what is cloud" with NIST SP 800-145: on-demand network access to a shared pool of configurable resources, rapidly provisioned and released with minimal management. It fixes exactly five essential characteristics, three service models (IaaS, PaaS, SaaS), and four deployment models (public, private, community, hybrid). When a stem asks whether something qualifies as cloud, check it against this definition rather than any vendor description.
- A service is cloud only if it shows all five essential characteristics
The five are on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. They are required together: drop any one and the offering is hosting or managed IT, not cloud, under the NIST test. Questions commonly describe a setup missing exactly one and ask which characteristic is absent.
Trap Treating high availability, automation, or security as a sixth NIST characteristic; availability is a shared consideration, not one of the five essential characteristics.
- On-demand self-service means no human ticket to provision
On-demand self-service lets the consumer provision compute and storage automatically, without human interaction with the provider. The tell that it is absent is a required phone call, email, or support ticket to add capacity. If a stem says the customer must contact the provider to scale, this characteristic fails and the service is not cloud.
- Resource pooling is the source of multi-tenancy and isolation risk
Resource pooling means the provider serves many consumers from one pool using a multi-tenant model, with physical location abstracted from the consumer. Because tenants share underlying hardware, pooling is the root of every tenant-isolation, data co-residency, and noisy-neighbor concern in the rest of the exam. Dedicated single-tenant hardware fails this characteristic.
Trap Assuming a single-tenant dedicated host still counts as cloud; without pooling it fails the NIST test even if it is virtualized.
4 questions test this
- An organization is migrating a multi-tenant SaaS application to the cloud. The security architect is concerned about the resource pooling…
- An organization is deploying a multi-tenant cloud application and is concerned about performance degradation caused by one tenant's…
- A startup company is evaluating cloud deployment models for their new customer-facing application. They have limited capital, require rapid…
- A security team is evaluating the 'noisy neighbor' problem in a public cloud environment. Which combination of cloud characteristics…
- Rapid elasticity scales out and in, appearing unlimited
Rapid elasticity provisions and releases capacity quickly, often automatically, scaling outward and inward with demand so capacity appears effectively unlimited to the consumer. It is the characteristic that turns fixed capacity planning into scale-with-demand, and it is delivered by virtualization plus auto-scaling orchestration. A fixed pool that cannot shrink back down does not exhibit it.
- Measured service meters usage, enabling pay-per-use
Measured service monitors, controls, and reports resource usage, so billing matches consumption and both parties get transparency. It is what converts capital expense into metered operating expense, and its usage logs double as audit and anomaly-detection data. A flat fee unrelated to usage means measured service is absent.
Trap Reading a flat, usage-independent monthly fee as cloud pricing; without metering tied to consumption, measured service fails.
- Broad network access enlarges the attack surface
Broad network access means capabilities are reachable over the network through standard mechanisms across heterogeneous clients like laptops, phones, and thin clients. The same reach-from-anywhere property that defines it also widens exposure, which is why transport encryption and strong access control are baseline. It is about network reachability, not about bandwidth.
- Cloud roles assign accountability for each control
CCSP names the cloud service customer (consumer) who uses the service, the cloud service provider who builds and operates it, the cloud service partner who supports either side, the cloud broker who acts as a value-adding commercial intermediary, and the cloud auditor who independently assesses controls. Naming the role is how a question pins who is responsible for a given duty.
Trap Confusing the cloud broker with a partner; the broker is specifically the value-adding intermediary in the commercial relationship, while partner is the broader supporting category that also includes auditors.
- The cloud auditor independently assesses, it does not operate
The cloud auditor is an oversight role that independently examines a provider's services and controls against a standard, producing an opinion rather than running anything. Distinguish it from the provider (operates the service) and the broker (intermediates the deal). A stem describing someone who evaluates controls but does not deliver the service is naming the auditor.
5 questions test this
- A federal agency is adopting cloud services and needs to verify compliance with regulations and security policies. According to the NIST…
- In the NIST Cloud Computing Reference Architecture, which actor is responsible for conducting independent assessments of cloud services,…
- An organization requires independent verification that their cloud service provider's security controls are implemented correctly and…
- A federal agency is migrating to a cloud service and wants to ensure a third party can verify that security controls are implemented…
- According to NIST SP 500-292 Cloud Computing Reference Architecture, which actor is responsible for conducting independent assessment of…
Security duties split between provider and customer by service model: the provider always secures the layers below the line and the customer the layers above, and the line climbs the stack as you move IaaS to PaaS to SaaS. In IaaS the customer owns the OS, runtime, and data; in PaaS the provider also takes OS and runtime; in SaaS the provider runs almost everything. Match the model to the line to settle who is accountable for an incident.
Trap Assuming the provider handles everything in SaaS; the customer still owns data, identities, and access configuration in every model.
- Data and identity are always the customer's responsibility
Two duties never transfer to the provider regardless of service model: classifying and protecting your own data, and managing your own identities and access. So a leaked record from a misconfigured sharing setting or a weak user credential is the customer's fault even in SaaS, where the provider runs the platform. Exam items that hand data protection to the provider in SaaS are wrong for this reason.
8 questions test this
- An organization is implementing a hybrid cloud deployment using multiple cloud service providers coordinated through a cloud service…
- A security architect is evaluating how data protection responsibilities change across service models. Regardless of whether IaaS, PaaS, or…
- An organization using a SaaS-based customer relationship management (CRM) system wants to understand their security responsibilities under…
- A company has adopted a SaaS application for their customer relationship management system. Under the shared responsibility model, which…
- According to the shared responsibility model, which security responsibility remains with the cloud service customer REGARDLESS of the…
- When using a SaaS application for business operations, which security responsibility does the cloud service customer retain according to…
- When using a SaaS application for customer relationship management, which security responsibility does the cloud service customer retain…
- In the NIST cloud reference architecture, security is described as spanning all layers from physical to application security. When a cloud…
- Virtualization via the hypervisor is the foundation of pooling
A hypervisor abstracts one physical host into many isolated virtual machines, which is what makes resource pooling and elasticity possible. Type 1 (bare-metal) hypervisors run directly on hardware and host cloud tenant workloads; Type 2 (hosted) hypervisors run on a host OS and are desktop or lab tools. The hypervisor is a high-value target because compromising it reaches every tenant on that host.
Trap Picking a Type 2 hosted hypervisor as the basis of a multi-tenant cloud platform; clouds run Type 1 bare-metal hypervisors for tenant workloads.
18 questions test this
- A cloud architect is evaluating hypervisor options for an enterprise data center. From a security perspective, what is the PRIMARY reason…
- A security analyst is assessing virtualization threats for a cloud environment. Which attack would have the MOST significant impact if…
- A security professional is concerned about the risk of a VM escape attack in their cloud environment. Which of the following BEST describes…
- An attacker successfully exploits a vulnerability in a guest operating system and gains access to the hypervisor layer, subsequently…
- A cloud security architect is evaluating hypervisor options for a new multi-tenant cloud infrastructure. The primary concern is minimizing…
- A cloud security professional is assessing the risk of VM escape attacks in a multi-tenant virtualized environment. Which statement BEST…
- A cloud security architect is evaluating hypervisor options for a multi-tenant cloud environment. Which statement BEST describes the…
- An organization needs to run untrusted workloads in a containerized environment while maintaining strong security isolation. Which approach…
- A cloud service provider experiences a security incident where an attacker gains access from within a guest virtual machine and compromises…
- An organization runs containerized applications in a hostile multi-tenant cloud environment where security isolation between tenants is…
- An organization is running multiple tenant workloads in a virtualized environment and wants to protect against VM escape attacks. Which…
- An organization running containerized workloads in a multi-tenant cloud environment requires enhanced isolation to prevent potential…
- A cloud security professional is assessing the risk of VM escape attacks in the organization's virtualized environment. Which statement…
- An organization runs workloads requiring strong isolation in a Windows environment. The security team is comparing process-isolated…
- When evaluating cloud service providers, a security architect reviews the virtualization technology used. Which statement BEST describes…
- An organization is evaluating hypervisor technologies for their cloud infrastructure. The security team is concerned about minimizing the…
- According to NIST SP 800-125A, hypervisors have critical baseline functions that must be secured. A cloud security professional is…
- An attacker has successfully exploited a vulnerability in a cloud-hosted virtual machine and broken out of the guest OS to interact with…
- Containers share the kernel, so isolation is weaker than a VM
Containers isolate at the operating-system level and share the host kernel rather than emulating hardware, so they start in milliseconds and pack densely but provide weaker isolation than a full virtual machine. Choose them for lightweight, fast-scaling workloads while accepting that the shared kernel is the boundary an attacker would attack. A VM gives stronger isolation at the cost of weight.
Trap Assuming a container provides the same isolation strength as a VM; containers share the host kernel, so a kernel-level escape crosses the boundary.
5 questions test this
- A security team is implementing container security controls in a Linux environment. Which kernel feature provides process isolation by…
- A security architect is assessing risks associated with container-based deployments compared to traditional virtual machine architectures.…
- A security team is assessing isolation mechanisms for a multi-tenant cloud environment hosting workloads with different trust levels. Which…
- An organization needs to run untrusted workloads in a containerized environment while maintaining strong security isolation. Which approach…
- An organization runs containerized applications in a hostile multi-tenant cloud environment where security isolation between tenants is…
- A VM escape breaks tenant isolation from the hypervisor up
A VM escape is when a workload breaks out of its virtual machine or container to reach the host or other tenants, the worst-case failure of multi-tenancy. It traces to the hypervisor (or shared kernel), the highest-value target in the virtualization block, because reaching it exposes every co-resident tenant. Mitigation centers on hardening and patching the hypervisor and on strong tenant isolation.
8 questions test this
- A security analyst is assessing virtualization threats for a cloud environment. Which attack would have the MOST significant impact if…
- A security professional is concerned about the risk of a VM escape attack in their cloud environment. Which of the following BEST describes…
- An attacker successfully exploits a vulnerability in a guest operating system and gains access to the hypervisor layer, subsequently…
- A cloud security professional is assessing the risk of VM escape attacks in a multi-tenant virtualized environment. Which statement BEST…
- A cloud service provider experiences a security incident where an attacker gains access from within a guest virtual machine and compromises…
- An organization is running multiple tenant workloads in a virtualized environment and wants to protect against VM escape attacks. Which…
- A cloud security professional is assessing the risk of VM escape attacks in the organization's virtualized environment. Which statement…
- An attacker has successfully exploited a vulnerability in a cloud-hosted virtual machine and broken out of the guest OS to interact with…
- Software-defined storage and networking are provisioned by API
In cloud, storage and networking are software-defined: capacity and connectivity are provisioned programmatically through APIs rather than by racking disks or cabling, which is what self-service and elasticity actually require. SDN separates the control plane that decides routing from the data plane that forwards traffic. The risk is that a single misconfigured API call, like a public storage bucket or an open security-group rule, exposes data at scale.
- Orchestration and IaC make elasticity real but concentrate power
Orchestration automates provisioning, scaling, and teardown across the other building blocks, and modern practice expresses it as Infrastructure as Code: the whole environment defined in version-controlled templates. This is what makes rapid, automatic elasticity possible. Its risk is concentration: whoever controls the orchestration or IaC pipeline can build or destroy the entire estate, so that pipeline demands least privilege and change control.
Trap Treating the IaC or orchestration pipeline as low-risk plumbing; control of it is control of the whole environment, making it a prime target for privilege abuse.
- Managed databases trade control for less operational burden
Managed database services push patching, backup, and replication to the provider, so the customer trades some low-level control for reduced operational work, and they come in relational and non-relational (NoSQL) forms. The provider taking patching does not remove the customer's duty to secure access and classify the data inside. Choose managed services when operational simplicity outweighs the need for full host control.
Cloud Reference Architecture
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- The service model fixes the customer/provider responsibility line
Across the layered stack (facility, hardware, virtualization, OS, runtime/middleware, application, data), IaaS hands you the guest OS and everything above it; PaaS keeps the OS and runtime and leaves you the application and data; SaaS keeps the whole application and leaves you only data and access configuration. Moving SaaS to PaaS to IaaS increases your control and your security burden while the provider's shrinks. This boundary is what answers nearly every 'who is responsible for which layer' question, with the shared-responsibility principle from cloud-computing-concepts as its backdrop.
Trap Assuming the provider patches the guest OS in IaaS; in IaaS the customer owns the OS and up, so OS patching is the customer's job.
3 questions test this
- An organization uses IaaS for compute resources, PaaS for application hosting, and SaaS for email services. Regarding network security…
- An organization is migrating workloads to a PaaS environment for application development. Which security control responsibility shifts from…
- An organization is migrating applications to a public cloud using IaaS virtual machines. According to the shared responsibility model,…
- There are exactly three service models: SaaS, PaaS, IaaS
NIST SP 800-145 names three and only three service models. Newer 'as-a-service' marketing terms (FaaS for functions, DBaaS for databases, and so on) are subsets or refinements that the exam still slots under one of the three canonical models, usually PaaS. When asked to classify a managed runtime or function platform, place it in the closest NIST model rather than treating the marketing label as a fourth category.
- Drop to PaaS or IaaS when a control needs OS-level access
Pick the highest service-model abstraction that still lets you meet your control obligations: SaaS minimizes operational burden but the provider owns the OS, kernel, and host network. When a requirement forces you to touch the operating system, kernel modules, or host stack, SaaS cannot satisfy it, so move down to PaaS or IaaS where the responsibility line sits below your requirement. The choice is driven by the lowest layer you must control, not by cost alone.
- There are four NIST deployment models: public, private, community, hybrid
Public cloud pools resources across unrelated tenants on provider infrastructure; private cloud is provisioned for a single organization; community cloud is shared by organizations with a common concern such as a shared regulator or mission; hybrid binds two or more of these with technology that lets data and applications move between them. The deployment model answers who you share the tenancy boundary with, which is a different axis from the service model's responsibility line.
- Private cloud means single-tenant, not on-premises
A private cloud is defined by exclusive use by one organization, and it can be owned, managed, or operated by that organization, a third party, or both, located on or off premises. What makes it private is single-tenancy and the isolation that buys, not the physical location of the hardware. A provider-hosted environment dedicated to one customer is still a private cloud.
Trap Equating private cloud with on-premises data centers; a third-party-hosted single-tenant environment is also a private cloud.
5 questions test this
- A government agency requires strict data sovereignty controls ensuring that sensitive citizen data remains within national boundaries and…
- A security architect is evaluating the shared responsibility model implications for different cloud deployment models. In which deployment…
- When selecting a cloud deployment model, an organization must balance flexibility, security, scalability, and cost. Which factor is the…
- A financial services company requires maximum control over physical infrastructure, dedicated computing resources, and the ability to…
- A government agency requires complete ownership of all governing security controls and must ensure classified data never leaves specific…
Community cloud is provisioned for exclusive use by a specific community of organizations that share a concern such as a mission, security requirement, policy, or compliance regime. The textbook example is a group of agencies under one regulator pooling a vetted environment to share both cost and a common control baseline. It sits between public (any tenant) and private (one tenant) on the tenancy axis.
3 questions test this
- A consortium of regional healthcare providers wants to share infrastructure while maintaining strict HIPAA compliance. All members have…
- A financial services organization wants to migrate to the cloud but requires that all tenants sharing the infrastructure have identical PCI…
- A financial services company wants to use cloud computing but must share infrastructure costs with other organizations while ensuring all…
- Hybrid cloud binds models together for data and app portability
Hybrid is two or more distinct deployment models joined by technology that enables data and application portability between them, the classic case being cloud bursting where a private workload spills into public capacity at peak. It is the standard answer when regulated or sensitive data must stay private while the rest of a workload needs public elasticity. The defining feature is the binding that lets work move across the boundary, not merely owning both a private and a public environment.
- Multi-cloud is a strategy, not a fifth NIST deployment model
Using several public cloud providers at once is multi-cloud, a deployment strategy layered over the four NIST models rather than a model itself. Organizations adopt it to avoid single-provider dependency, to place each workload on its best-fit provider, or to meet data-residency needs, and they pay for it with extra identity federation, consistent-policy, and interoperability work across providers. Do not force multi-cloud into the public/private/hybrid/community taxonomy on the exam.
Trap Listing multi-cloud as one of the NIST deployment models; the four NIST models are public, private, community, and hybrid only.
- Interoperability is systems working together, portability is moving the workload
Interoperability is the ability of systems to exchange data and work together through common standards while you stay on a provider; portability is the ability to move a workload or its data to another environment and run it with little rework. They are different knobs: open APIs give interoperability, open formats and container images give portability. High values of both are what reduce vendor lock-in.
Trap Using interoperability and portability interchangeably; interoperability is communicating between systems, portability is relocating the workload itself.
- Reversibility is the verified clean-exit guarantee
Reversibility is the ability to retrieve all of your data and artifacts when leaving a provider and to have the provider verifiably delete its copies, so you can exit cleanly. It is a distinct shared consideration from portability: portability is whether the workload can run elsewhere, reversibility is whether you can fully extract and confirm deletion on the way out. Candidates most often forget reversibility exists as its own concept, so the exit clause in a contract is testing it.
- SaaS carries the highest lock-in, portable IaaS images the lowest
Lock-in tracks how much of the stack you can take with you. SaaS is highest because you can export your data but not the provider's application; PaaS is in the middle because your code is tied to platform-specific APIs; IaaS workloads packaged as portable VM or container images are lowest because the whole unit relocates. Interoperability and portability are the two considerations you assess up front to keep that lock-in manageable.
- SLAs make availability, performance, and remedies contractually measurable
Availability, resilience, and performance are shared considerations that set what service level you can commit to, and the service level agreement is where they become enforceable: it states the measurable target such as uptime percentage or response time and the remedy if it is missed. An SLA without a defined remedy or measurement method is not enforceable, so the exam treats the metric plus the consequence as the substance of the SLA.
- Governance and auditability decide whether a deployment is defensible
Security, privacy, governance, maintenance, and auditability are the shared considerations that make a deployment defensible to an auditor: governance is the policy and oversight framework, auditability is the ability to produce evidence that a control operated, and privacy is the obligation specific to personal data. These apply across every service and deployment model, which is exactly why NIST calls them shared considerations rather than features of one product.
- Confidential computing protects data in use inside an enclave
Confidential computing runs sensitive workloads inside a hardware-enforced trusted execution environment, or enclave, so data is protected while in use, closing the gap left by encryption that only covers data at rest and in transit. It is the control to reach for when the threat model includes the cloud operator, the host OS, or another tenant on the same hardware. The protected state it adds is in use, the one the traditional two states miss.
Trap Reaching for at-rest or in-transit encryption when the requirement is to protect data while it is being processed; that needs confidential computing's in-use protection.
- Edge computing trades latency for a wider physical attack surface
Edge computing pushes processing close to where data is produced, at devices, sensors, or branch sites, to cut latency and bandwidth back to a central cloud. The security cost is that compute now lives on many nodes outside the protected data center, often physically accessible, which widens the attack surface and complicates patching and monitoring. Treat each edge node as an exposed endpoint rather than as a trusted data-center server.
- Blockchain provides integrity and non-repudiation, not confidentiality
A blockchain is a distributed, tamper-evident ledger whose security value is integrity and non-repudiation: entries are chained and hard to alter without detection. It does not by itself provide confidentiality, since the ledger is typically shared and visible to participants. When a question frames blockchain as a confidentiality control it is steering you wrong; its strength is verifiable, append-only history.
Trap Selecting blockchain to keep data secret; a shared ledger gives integrity and non-repudiation, not confidentiality.
- Quantum computing is the forward-looking threat to current public-key crypto
Large-scale quantum computers threaten today's public-key algorithms such as RSA and elliptic-curve, which is why cloud security roadmaps track post-quantum cryptography and crypto-agility (the ability to swap algorithms without re-architecting). The exam treats quantum as a future risk that motivates planning for algorithm migration now, not as a present-day operational control you deploy today.
- The cloud carrier's role stays connectivity-and-transport across service models
In the NIST cloud computing reference architecture (SP 500-292) the cloud carrier is defined as the intermediary that provides connectivity and transport of cloud services between consumer and provider. Because its job is the network path rather than the application stack, its core responsibility (and the security concern that follows, protecting data in transit, e.g. via dedicated, encrypted connections per the SLA) stays the same whether the workload is IaaS, PaaS, or SaaS, whereas the consumer's and provider's responsibilities shift with the service model.
Trap Assuming the cloud provider or broker is model-independent because it 'always' operates the platform; the provider's duties expand or shrink as you move down the stack.
3 questions test this
- In the NIST Cloud Computing Reference Architecture, which actor's security responsibilities remain unchanged regardless of the service…
- In the NIST Cloud Computing Reference Architecture, which actor's security responsibilities remain unchanged regardless of whether the…
- Your organization is deploying services across multiple cloud providers. According to NIST SP 500-292, which actor's security…
- Broker arbitrage picks providers dynamically; aggregation combines fixed ones
NIST SP 500-292 splits cloud broker services into three categories: service intermediation (the broker enhances a single service), service aggregation (it combines and integrates multiple fixed services into a new one with secure data movement), and service arbitrage (like aggregation but the underlying services are not fixed, so the broker can dynamically choose providers on price or performance).
Trap Calling dynamic, criteria-driven provider selection 'aggregation'; in aggregation the chosen services are fixed, arbitrage is the one that swaps them on the fly.
5 questions test this
- A cloud service broker is assisting an enterprise client in dynamically selecting the most cost-effective cloud provider for each workload…
- A cloud service customer wants to leverage multiple cloud providers while maintaining flexibility to switch services based on real-time…
- According to the NIST Cloud Computing Reference Architecture, which category of Cloud Service Broker services is responsible for combining…
- A cloud service broker provides services to multiple customers and wants to dynamically select cloud providers based on real-time…
- According to the NIST Cloud Computing Reference Architecture, a cloud service customer requires services from multiple cloud service…
Cloud Security Concepts
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Secure Cloud Design Principles
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Cloud Service Provider Evaluation
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Cloud Data Security
Cloud Data Concepts
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- The CSA cloud data lifecycle has six phases in order
Create, Store, Use, Share, Archive, Destroy is the canonical CSA cloud data lifecycle, and the exam expects you to name them in that order. The phases are a logical sequence rather than a strict one-way clock, because data loops back: an archived record retrieved for an audit re-enters Use, and shared data is also in use. The point of the model is that each phase exposes data differently and so calls for a different control, which is what scenario questions are really testing.
- Classify data at Create, the earliest phase
A classification or label applied when data is first created travels with that data through every later phase, so Create is the correct answer when a stem asks where data should be classified. Tagging later means everything before the tag was handled at an unknown sensitivity, which you cannot retroactively fix. This is why classification belongs at the front of the lifecycle rather than at Store or Use.
Trap Choosing Store or Use as the phase to classify data; both are too late, leaving earlier handling done at an unknown sensitivity.
7 questions test this
- According to CCSP guidance, at what point in the data lifecycle should data classification FIRST occur to ensure proper protection…
- According to ISC2 best practices, at which phase of the data lifecycle should classification metadata labels be assigned to data stored in…
- Your organization is implementing a data classification scheme in cloud storage. At which point in the cloud data lifecycle should data…
- During which phase of the cloud data lifecycle should data classification IDEALLY occur?
- An organization is migrating data to the cloud and wants to implement a proper data classification program. According to ISC2 best…
- An organization implementing a cloud data catalog wants to understand when data classification should occur to ensure proper protection…
- Your organization is migrating a customer relationship management system containing EU resident personal data to a SaaS platform. The…
- Store and Archive are the data-at-rest phases
Store commits data to a repository and Archive moves it to long-term lower-cost storage, and both leave data at rest, so encryption at rest and access policy are the dominant controls. Archive adds a time dimension the regular Store phase does not: the encryption keys must outlive the retained data, and you must still be able to retrieve and decrypt records years later when a regulator or court asks.
- Use is the data-in-use phase and the hardest to protect
During Use an application or person reads or processes the data, which means it must be in cleartext in memory for the CPU to operate on it, so encryption at rest and in transit do not help here. The controls that fit Use are fine-grained access control, masking of fields the user should not see, activity monitoring, and confidential-computing enclaves that keep data encrypted even while processed.
Share is data moving to another user, tenant, partner, or region, the point where it can leave your control entirely, so it is the home of DLP, tokenization, information rights management, and encryption in transit. Treating Share as just another read misses that the recipient is outside your administrative control, which is exactly why egress-focused controls live here rather than at Use.
Trap Answering a Share scenario with only "encrypt the data"; encryption in transit protects the hop but does nothing once the outside recipient decrypts it, which is what DLP and IRM address.
- Destroy in the cloud means cryptographic erase
Because you do not own or control the physical disks in a public cloud, you cannot degauss or shred media, so the practical Destroy control is cryptographic erase: destroy the encryption keys and the remaining ciphertext is unrecoverable. This is the answer when a stem describes needing to permanently delete data in a multi-tenant environment where physical sanitization is impossible.
Trap Choosing degaussing or physical media destruction to delete cloud data; in a multi-tenant cloud you have no access to the underlying disks, so neither is available to you.
3 questions test this
- A multinational financial services firm operates an IaaS environment that stores customer records across multiple block storage volumes,…
- A healthcare organization needs to retire a large dataset of PHI that was stored in a public IaaS environment. Which approach BEST…
- During the destroy phase of the data lifecycle, an organization using IaaS cloud services needs to ensure proper sanitization verification.…
- Data dispersion scatters object fragments for durability
Data dispersion is the provider splitting a stored object into chunks, often adding parity or erasure-coding fragments, and spreading them across many disks, nodes, and availability zones so any single failure loses nothing. It is conceptually RAID stretched across a data center, and it is why cloud object stores advertise very high durability such as eleven nines. The security trade is that you lose precise knowledge of where each byte physically sits.
- Data dispersion is the threat behind data-residency requirements
Because dispersion lets the provider place fragments wherever it has capacity, you cannot prove a byte stayed inside a country, which directly conflicts with data-residency and sovereignty laws. The control is contractual and configurational rather than physical: pin the provider to a specific region or set of regions in the contract and service settings, so dispersion still happens but only within the boundary you allow. You cannot point a regulator at a specific drive, so the region constraint is the enforceable unit.
Trap Answering a residency requirement with "encrypt the data"; encrypted data sitting in the wrong jurisdiction still violates a sovereignty law, because the law restricts location, not readability.
- Dispersion is not replication and not sharding
Dispersion keeps individually-useless fragments that must be reassembled, which adds some confidentiality on top of durability. Replication keeps whole readable copies of an object in several places, so each copy is independently usable. Sharding splits database rows across nodes for scale and is a design choice you make, whereas dispersion is storage-layer behavior the provider runs underneath you. Exam stems blur these three to see whether you pick the fragment-scattering one.
Trap Calling whole-copy replication "dispersion"; replicas are independently readable, while dispersed fragments are useless until reassembled, so only the latter adds confidentiality.
- A data flow is the path data travels across its lifecycle
A data flow maps how data moves between services, tenants, regions, and outside parties, and mapping it is how you locate every point where data crosses a trust boundary into systems you do not control or a jurisdictional boundary into different laws. Those crossings are where the Share phase happens and where most data-loss and compliance failures begin, so the flow map turns a vague worry into specific checkpoints.
- Map the data flow before placing DLP or residency controls
Data-flow mapping is an input to other controls rather than a control itself, so the correct first step when you need to protect where data can go is to map the flows, because a control placed without the map is a guess about where the data is. The map tells DLP which egress points to watch, tells discovery and classification where sensitive data travels, tells residency which hops leave the allowed region, and tells audit which events to log.
Trap Buying and deploying a DLP tool before mapping the flows; without knowing the egress points you cannot tell the tool what to watch, so you protect the wrong boundaries.
- One record can occupy more than one lifecycle phase at once
The lifecycle phases are not mutually exclusive: data being shared with a partner is simultaneously being used, and an archived record retrieved for analysis is back in Use while still archived. Treating the model as a strict single-state machine leads you to apply only one control when a scenario actually spans two phases. Read the scenario for every activity happening to the data, not just the most obvious one.
- Match the control to the lifecycle phase, not to the data type
The same record needs different protection depending on where it is in its life, so the reliable method for a scenario question is to identify the phase first and let the phase name the control family: classify at Create, encrypt at rest at Store and Archive, access control and masking at Use, DLP and IRM at Share, cryptographic erase at Destroy. This phase-first reading is what most cloud-data-concepts questions reward.
- Data residency and data sovereignty are not the same thing
Data residency means the data physically sits in a specified location, while data sovereignty means the data is also subject to the laws of the country it sits in, including that government's lawful-access powers. Constraining a provider region satisfies residency, but sovereignty can still bite if the provider is headquartered under a foreign disclosure law. The exam uses the distinction to test whether you treat "keep it in-region" as a complete answer to a sovereignty concern.
Trap Treating a region constraint as a full answer to data sovereignty; residency fixes physical location, but a provider subject to a foreign government's lawful-access law can still expose the data.
- Encrypt data before splitting and dispersing it so collected fragments stay unreadable
Bit splitting and data dispersion scatter fragments so no single storage node or CSP holds the whole dataset, protecting confidentiality across providers. Encrypting before fragmentation adds defense in depth: even an attacker who collects enough fragments to reconstruct recovers only ciphertext without the key. This is the standard way to get both CSP-proof confidentiality and (with erasure coding) fault tolerance in multi-cloud storage.
Trap Encrypting only after dispersal or relying on splitting alone — fragments reassembled by an attacker are readable unless the data was encrypted before it was split.
3 questions test this
- A security engineer is implementing data dispersion for a healthcare organization that must comply with strict data privacy regulations.…
- A cloud security architect is evaluating data protection techniques for sensitive financial data stored across multiple cloud service…
- A cloud data security architect must design a storage solution that provides both high availability and protection against unauthorized…
Cloud Data Storage Architectures
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Classify cloud storage by service model first
Cloud storage types follow the service model, and that is what decides which control is yours: IaaS exposes volume and object storage (plus raw and ephemeral), PaaS exposes structured and unstructured storage, and SaaS exposes content and information storage in the application. Place the storage in IaaS, PaaS, or SaaS before reasoning about a fix, because the model tells you whether you even own a disk-level lever or only data and access.
- Volume storage is block storage attached to one instance
Volume (block) storage presents a fixed-size disk to a single virtual machine, formatted with a filesystem, and is the home for boot drives, filesystems, and self-managed databases that need low-latency random read-write. Vendor examples are Amazon EBS, Azure managed disks, and Google Cloud persistent disks. It persists independently of the instance's run state, so stopping the VM does not lose it, unlike ephemeral storage.
Trap Putting a transactional database on object storage; object storage handles whole-object writes over an API, not the in-place random read-write a database filesystem needs.
- Object storage is API-reached and internet-addressable
Object storage keeps each file as a self-contained object (data plus metadata plus a unique key) in a flat namespace reached by an HTTP API, not a mounted disk, and it scales effectively without limit. Vendor examples are Amazon S3, Azure Blob Storage, and Google Cloud Storage. It is the natural home for backups, static content, logs, and data lakes, and because objects are immutable you change one by writing a new version rather than editing in place.
Trap Treating an object store like a low-latency filesystem; it is reached by API for whole objects and is wrong for random in-place updates.
- A public bucket is the signature object-storage threat
The most common cloud data exposure is an object store left readable to anyone by a misconfigured access policy. The control is least-privilege access policy and blocking public access at the account level, plus encryption at rest. This is an identity-and-policy failure, not a network failure, so the fix lives in the bucket policy and access settings, not a firewall.
Trap Reaching for a network ACL or firewall to fix a public bucket; the exposure is a permissions misconfiguration, so the answer is least-privilege access policy and blocking public access.
- Block-volume deletion risks data remanence
Deleted volumes and old snapshots can leave recoverable blocks behind, which is the data remanence threat for block storage. In a shared multi-tenant cloud you cannot physically destroy a disk, so the cloud-correct sanitization is cryptographic erasure: destroy the encryption key so the ciphertext is unrecoverable, following NIST SP 800-88 media-sanitization guidance. Snapshots are full copies with their own access controls, so they need the same protection as the source volume.
Trap Specifying physical media destruction (degaussing or shredding) to sanitize a cloud volume; you do not own the shared hardware, so cryptographic erasure is the applicable method.
- Ephemeral storage is wiped when the instance stops
Ephemeral (instance-local) storage is disk, RAM, and cache that exists only while the VM runs and is erased when the instance stops, terminates, or migrates to new hardware. AWS calls it an instance store. It is fast and free of network latency, which suits caches, scratch space, and temporary files, but it must never hold the only copy of data you need to keep. The testable contrast: a volume persists independently of the instance; ephemeral storage does not.
Trap Storing the only copy of durable data on instance-local storage; a stop, terminate, or host migration wipes it, so durable data belongs on block or object storage.
- Raw storage is unmanaged device or LUN access
Raw storage is direct access to the underlying device or logical unit number (LUN) with no filesystem the cloud manages for you. It gives the most control and the most responsibility, and it exposes the disk at the lowest level, so low-level tampering and the burden of all higher-layer protections fall to you. The exam names it alongside long-term and ephemeral as a way data can be held, distinct from the managed volume and object services.
- Match the persistence horizon: long-term, ephemeral, raw
Beyond the service model, the blueprint classifies storage by how long data lives and how it is held: long-term storage retains data for archival and compliance windows and so carries retention, deletion, and encryption-at-rest duties; ephemeral storage holds transient state that is fine to lose; raw storage is direct unmanaged device access. Each horizon changes the dominant threat, so map the data's lifetime to the tier before choosing controls.
- PaaS structured storage is a managed database with a schema
Structured storage in PaaS is a managed database that enforces a defined schema and answers queries, covering managed relational engines (Amazon RDS, Azure SQL Database, Cloud SQL) and managed NoSQL stores (Amazon DynamoDB, Azure Cosmos DB). The provider patches and replicates the engine; you still own the schema, the data classification, the encryption keys, and the credentials. Its known shape makes structured data the easiest to discover and label.
- Database storage is threatened by injection and over-broad credentials
The signature threats to structured (database) storage are SQL or NoSQL injection and credentials that grant more than the application needs. The controls are parameterized queries, least-privilege database accounts, encryption in transit, and secrets management for the credentials. An attacker reading other tenants' records through an application input points to injection against the database, fixed by input validation and least privilege, not by a storage-encryption change.
Trap Answering a search-box data-leak with encryption at rest; the breach is injection against a structured store, so the fix is parameterized queries and least-privilege accounts.
- PaaS unstructured storage holds schemaless files
Unstructured storage in PaaS is the managed blob or bucket the platform gives your application for files with no schema: images, documents, logs, and media. It is the PaaS-managed cousin of IaaS object storage. Because the content is opaque, you cannot assume its sensitivity, so it must be scanned and classified after it lands, which makes data discovery harder than for structured stores.
- Semi-structured data sits between structured and unstructured
Many real datasets are semi-structured: they carry tags or markers such as JSON or XML but no rigid table schema. For discovery and classification they fall between structured storage (known schema, easy to label) and unstructured storage (opaque, must be scanned), so treat them as needing markup-aware discovery rather than assuming either extreme.
- SaaS gives content and information storage, no disk control
In SaaS the provider stores your data inside the application as content storage (the files and objects users upload and share) and information storage (the structured records and fields the app maintains). You have no volume to encrypt and no bucket policy to set, so disk-level controls are the provider's, and your storage levers collapse to classification, sharing and access settings, and identity.
Trap Assuming you can set disk encryption or a storage policy in SaaS; those are the provider's, and your controls are classification, sharing settings, and identity.
- SaaS content storage is threatened by over-sharing and shadow data
The defining SaaS storage risk is over-sharing (links or permissions opened too widely) and shadow data, the exported or copied data that leaves the platform's visibility, rather than a misconfigured disk that you do not own. The levers are sharing-policy enforcement, identity, and data loss prevention, since you cannot lock down the underlying storage.
- The storage model is the responsibility line
Which storage type you have also fixes who secures it: in IaaS you own encryption, access policy, and sanitization of volumes and objects; in PaaS the provider secures the storage engine while you keep the keys, classification, and access; in SaaS the provider owns nearly the whole storage stack and your only actionable storage problems are sharing and identity. This is why the exam asks 'which storage type, in which model' before it asks for a control.
- Each storage type carries one signature threat to bind a control to
Threats are testable per storage type, not in the abstract: object storage fails through public access policies, block storage through data remanence, structured databases through injection, unstructured uploads through unscanned and unclassified data, ephemeral storage through silent data loss, and SaaS content through over-sharing. Pick the control from the type the question names rather than applying one blanket measure, because the distractor usually offers a control that fits a different storage type.
Trap Applying one blanket control to every storage type; the exam binds a specific threat to each type, so a control that fits a different type is the wrong answer.
- Reed-Solomon erasure coding RS(n,k) needs any k fragments to rebuild and tolerates n-k failures
Reed-Solomon erasure coding splits data into k data fragments plus parity for n total fragments. Any k of the n fragments reconstruct the original, so the system survives up to n-k simultaneous node failures (e.g., RS(14,10) tolerates 4). Compared with replication, erasure coding delivers equivalent fault tolerance at far lower storage overhead (roughly 50% vs 200% for three-way replication), which is why it suits large, rarely accessed archival datasets.
Trap Treating erasure coding as confidentiality — it provides durability and availability only; protecting fragments from a compromised CSP still requires encrypting the data first.
5 questions test this
- A cloud security architect is evaluating data protection techniques for sensitive financial data stored across multiple cloud service…
- A cloud architect is designing a storage system that must survive the loss of multiple storage nodes while minimizing storage overhead. The…
- During a cloud security assessment, an auditor discovers the organization uses a data dispersion system with Reed-Solomon erasure coding…
- A cloud data security architect must design a storage solution that provides both high availability and protection against unauthorized…
- An organization is migrating a large archival dataset to cloud storage and must choose between data replication and erasure coding. The…
- A snapshot inherits its source volume's encryption key; changing it requires an encrypted copy
A snapshot of an encrypted block volume inherits the source's encryption state and uses the same KMS key by default, and volumes restored from it stay encrypted. To encrypt a snapshot taken from a previously unencrypted volume, or to share one cross-account, create a copy specifying encryption (and a key whose policy grants the partner account access) — you cannot change an existing snapshot's encryption in place.
Trap Assuming enabling encryption-by-default retroactively encrypts old snapshots — it applies only to new volumes and copies; existing unencrypted snapshots must be copied with encryption specified.
3 questions test this
- When creating a snapshot of an encrypted block storage volume in a cloud environment, which statement BEST describes the encryption…
- An organization wants to share an encrypted block storage snapshot with a partner organization in a different cloud account. The partner…
- An organization has enabled encryption by default for all new block storage volumes in their cloud environment. A security analyst…
Data Security Technologies & Strategies
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Sort data-protection techniques by reversibility and where the recovery secret lives
The whole 2.3 toolbox separates on one axis: can you recover the original, and what holds the secret that does it. Encryption is reversible and the secret is the key; tokenization is reversible and the secret is the token vault; static masking, anonymization, and hashing are one-way with no recovery secret at all. Place any stem's goal on that axis and the wrong family eliminates itself, which is exactly what the distractors bait you to miss.
- Tokenization removes the real value from scope; encryption keeps it present but unreadable
Tokenization swaps a sensitive value for a surrogate with no mathematical link to the original and parks the real value in a separate vault, so systems holding only tokens leave compliance scope. Encryption leaves the real value in place as ciphertext, so the system is still processing regulated data and stays in scope, just protected. For PCI DSS scope reduction the answer turns on where the value lives, not on which is stronger.
Trap Reaching for encryption to take a system out of PCI DSS scope; the real value is still present as ciphertext, so the system remains in scope.
- Tokens carry no mathematical relationship to the value they replace
A token is an arbitrary surrogate, not a transform of the input, so a leaked token reveals nothing and there is no algorithm to reverse it; recovery happens only by lookup in the hardened vault. That property, plus the separate vault, is what lets tokenization shrink the systems that handle real data. It is the opposite of format-preserving encryption, where the protected output is still derived from the value under a key.
- Static masking writes a one-way safe copy; dynamic masking gates a live view by role
Static data masking irreversibly transforms production data into a sanitized copy for dev, test, or analytics, so the lower-trust environment never held real values. Dynamic masking leaves the source untouched and redacts at read time based on the requester's role, so one query sees a card number and another sees only the last four digits. Use static to make a safe copy, dynamic to gate a live system per query.
Trap Using static masking when the requirement is to hide a column from some roles on the live system; static produces a separate copy rather than gating the source at query time.
8 questions test this
- An organization wants to use production data for testing and development but must protect personally identifiable information. The test…
- A cloud security professional is designing data protection controls for a multi-tier application. The production environment requires…
- A retail company implements dynamic data masking for its customer database to protect PII while allowing customer service representatives…
- A healthcare organization is preparing test data for a new cloud-based patient management system. The development team needs realistic data…
- An organization requires that different database users have varying levels of access to sensitive columns containing personally…
- A financial services company needs to provide realistic test data to their development team working in a non-production environment. The…
- A healthcare organization uses a production database containing PHI that customer support representatives need to access. The organization…
- A cloud security architect is designing a data protection strategy where production systems require real-time access to some sensitive data…
- Masking is for usable non-production data, not for storing data securely
Masking substitutes realistic but fake values so people can work with data's shape without seeing the secret, which fits test data and partial-display views. It is not a confidentiality control for the system of record, because the masked output is fake and the technique is one-way. When the real value must survive somewhere recoverable, masking is the wrong tool; encryption or tokenization is.
4 questions test this
- An organization wants to use production data for testing and development but must protect personally identifiable information. The test…
- A healthcare organization is preparing test data for a new cloud-based patient management system. The development team needs realistic data…
- A financial services company needs to provide realistic test data to their development team working in a non-production environment. The…
- A cloud security architect is designing a data protection strategy where production systems require real-time access to some sensitive data…
- Anonymization leaves the privacy regime; pseudonymization and tokenization do not
Anonymization removes or generalizes identifiers so a record can no longer be tied to a person even by the holder, which under GDPR Recital 26 takes the data outside the regulation. Pseudonymization (a stable code in place of a name) and tokenization still count as personal data because the mapping back exists. Confusing reversible de-identification with true anonymization is a recurring privacy trap.
Trap Treating tokenized or pseudonymized records as anonymous; the mapping still links to the individual, so privacy law still applies.
- Hashing is one-way verification, never confidentiality you can read back
A cryptographic hash is a fixed-length digest where the same input always yields the same output and no key or inverse exists. That makes it right for integrity checks, deduplication, and password storage, and wrong for any value you must later recover. Calling hashing a way to encrypt a recoverable field is the mistake the exam baits, because there is nothing to decrypt.
Trap Using a hash to protect a field the application must later display; hashing has no decrypt, so the value is gone.
- Store passwords as a salted hash with a slow KDF, never encrypted or plain
Passwords are stored hashed with a per-user salt and a deliberately slow key-derivation function such as PBKDF2, bcrypt, scrypt, or Argon2. The salt defeats precomputed rainbow tables by making identical passwords hash differently, and the slow KDF caps brute-force speed. Encryption would be wrong here because it is reversible: you should never be able to recover a stored password.
Trap Encrypting stored passwords instead of hashing them; encryption is reversible, so a key compromise exposes every password in plaintext.
- Encryption only relocates the secret to the key, so key management is the real control
Encrypting cloud data moves the protected secret from the data to the key that decrypts it, which is why NIST SP 800-57 treats the full key lifecycle as the control: generation, distribution, storage, use, rotation, and destruction. Lose the key and the ciphertext is plaintext to whoever holds it. An answer that secures only one phase while ignoring storage or destruction is usually incomplete.
- One KEK gates everything under it, which is what makes fast revocation and crypto-erase possible
Because envelope encryption wraps every object's data key under a single key-encryption key in the key service, that one KEK controls access to all the data beneath it. Disable the KEK and every object under it becomes undecryptable at once; destroy the KEK and that data is cryptographically erased. This one-key-gates-many structure is why you never have to re-encrypt at scale to revoke or delete.
5 questions test this
- A security team is planning to delete an encryption key from a cloud KMS after decommissioning a system. What is the MOST important…
- An organization is implementing Transparent Data Encryption (TDE) for their cloud-hosted SQL database. The security architect needs to…
- A cloud security architect is designing a database encryption strategy using Transparent Data Encryption (TDE). The organization wants to…
- A cloud architect is designing an object storage solution that uses envelope encryption. Which statement BEST describes the relationship…
- An organization is designing its cloud encryption strategy and wants to ensure that the key protecting their sensitive data never leaves…
- Customer-managed keys give you rotation, instant revocation, and audit; provider-managed do not
With a customer-managed key you own the KEK inside the provider's key service, so you schedule rotation, disable the key to revoke access immediately, and get a usage audit trail. Provider-managed keys are lower effort but you cannot independently rotate or revoke, and the provider can technically decrypt. When a stem wants control with convenience, customer-managed is the answer; BYOK/HYOK is for keeping the key entirely outside the provider at higher operational cost.
Trap Choosing provider-managed keys when the requirement is independent revocation or an audit trail; only customer-managed (or BYOK) gives you that control.
8 questions test this
- An organization is implementing Transparent Data Encryption (TDE) for their cloud database and wants to maintain full control over…
- A security architect is evaluating the threat landscape for block storage in a multi-tenant cloud environment. Which threat is MOST…
- A healthcare organization subject to HIPAA regulations is evaluating key management options for their cloud object storage. They require…
- A security architect is designing the encryption strategy for block storage volumes that will store regulated financial data. The…
- A cloud architect is configuring encryption for block storage volumes that will hold healthcare data. The organization requires the ability…
- A cloud security architect is designing a database encryption strategy using Transparent Data Encryption (TDE). The organization wants to…
- An organization wants to share an encrypted block storage snapshot with a partner organization in a different cloud account. The partner…
- A security architect is designing a block storage encryption architecture where the organization wants to maintain control over encryption…
- Disable the key to revoke access to encrypted data instantly across any volume
Because one KEK gates all data encrypted under it, disabling that customer-managed key cuts off decryption for petabytes at once, with no need to re-encrypt anything. Re-encrypting everything to cut off access is slow, costly, and unnecessary when the key already controls all of it. This is the practical payoff of envelope encryption plus customer-managed keys.
Trap Re-encrypting all the data to revoke access when disabling the single key that gates it achieves the same thing instantly.
- Cryptographic erase destroys data by destroying its key, not the blocks
Cryptographic erase is a key-destruction technique: the data was written encrypted, so deleting the key that protects it, the KEK that gates the DEK, turns the ciphertext into unrecoverable noise without ever touching the storage blocks. The recovery secret lives entirely in the key, so once every copy of the key is gone the data is irretrievable on demand. This makes key destruction itself a confidentiality control and is why it can sanitize media you can never physically reach.
Trap Believing the data is gone after deleting the ciphertext or disabling the key while a copy survives; cryptographic erase requires destroying every copy of the key, since that key is the only thing protecting the data.
5 questions test this
- A security team is planning to delete an encryption key from a cloud KMS after decommissioning a system. What is the MOST important…
- An organization needs to securely decommission block storage volumes containing sensitive customer data in a cloud environment. The…
- A multinational financial services firm operates an IaaS environment that stores customer records across multiple block storage volumes,…
- A healthcare organization needs to retire a large dataset of PHI that was stored in a public IaaS environment. Which approach BEST…
- A cloud security architect is implementing a data deletion strategy for a multi-tenant SaaS application. The application stores encrypted…
- An HSM keeps key material in tamper-resistant hardware and is validated to FIPS 140-2/3
A hardware security module generates, stores, and uses keys inside tamper-resistant hardware so the key never leaves in plaintext, and its assurance level is certified under FIPS 140-2 or 140-3. Reach for an HSM (or BYOK/HYOK backed by one) when the requirement is the highest key assurance or keeping keys outside the provider's reach. Software-only key storage cannot make the same hardware tamper-resistance claim.
5 questions test this
- A cloud customer operating in multiple jurisdictions learns that their cloud service provider may be subject to the US CLOUD Act, which…
- A healthcare organization subject to HIPAA regulations is evaluating key management options for their cloud object storage. They require…
- A security architect is designing the encryption strategy for block storage volumes that will store regulated financial data. The…
- A healthcare organization requires FIPS 140-2 Level 3 validated cryptographic modules to protect patient health information in their cloud…
- An organization is implementing a cloud-based Key Management Service (KMS) and wants to ensure keys are protected by hardware with tamper…
- Storage encryption (NIST SP 800-111) protects data at rest at disk, volume, or file level
NIST SP 800-111 covers encrypting stored data and distinguishes full-disk, volume or virtual-disk, and file/folder-level encryption, each protecting against a different exposure of media at rest. The granularity you pick decides what an attacker who gets the raw media or a stray snapshot can read. It governs data at rest specifically, not data in transit, which is a separate TLS concern.
- DLP enforces classification-driven policy across data at rest, in motion, and in use
Data loss prevention discovers and classifies sensitive content, then blocks, quarantines, alerts, or encrypts it across three states: at rest in stores, in motion on the network, and in use at the endpoint. It is the policy layer that decides which technique a given piece of data must get, not a replacement for encryption or access control. Coverage across all three states is what a strong DLP answer requires.
Trap Assuming network-only DLP is sufficient; it misses data at rest in stores and data in use at the endpoint, leaving two of the three states uncovered.
6 questions test this
- A security team is evaluating DLP deployment options to protect sensitive data throughout its lifecycle in a hybrid cloud environment. The…
- A cloud security architect is designing DLP policies to integrate with their Information Rights Management solution. The organization needs…
- A cloud security professional is configuring DLP policies for the organization's multi-cloud environment. The organization needs to protect…
- A financial services company must implement data archiving policies that comply with SEC Rule 17a-4 requirements for retaining records in a…
- An organization uses a CASB to discover shadow IT and classify data within cloud applications. The security team notices that employees are…
- An organization is implementing a comprehensive DLP strategy and needs to protect sensitive data across multiple locations including cloud…
- In the cloud a CASB carries the DLP coverage a perimeter appliance cannot reach
A cloud access security broker sits inline or via API between users and cloud apps and applies DLP, access, and threat controls to both sanctioned and unsanctioned (shadow IT) cloud use. It exists because browser-to-SaaS traffic never crosses a traditional network perimeter, so a gateway appliance simply cannot see it. When a stem describes controlling data going to cloud apps, the CASB is the cloud-native enforcement point.
Trap Relying on a traditional perimeter DLP appliance for SaaS traffic; browser-to-cloud flows bypass it, which is why a CASB is needed.
7 questions test this
- A security team is evaluating DLP deployment options to protect sensitive data throughout its lifecycle in a hybrid cloud environment. The…
- A cloud security architect is designing DLP policies to integrate with their Information Rights Management solution. The organization needs…
- A cloud security architect is designing DLP controls for a SaaS environment where the organization has limited infrastructure access. The…
- An organization wants to implement Information Rights Management (IRM) controls across multiple cloud services including both sanctioned…
- An organization uses a CASB to discover shadow IT and classify data within cloud applications. The security team notices that employees are…
- A multinational corporation is integrating their data classification framework with cloud DLP tools across multiple SaaS applications. The…
- An organization deploys a CASB to extend its on-premises IRM policies to cloud services. Which CASB pillar PRIMARILY supports consistent…
- Keys, secrets, and certificates are managed separately, each with issue, rotate, and revoke
Keys are cryptographic material in a KMS or HSM; secrets are application credentials like database passwords and API keys in a managed secrets store; certificates are X.509 identities from a certificate manager or CA. Each needs a managed home that can issue, rotate, and revoke centrally so nothing is hardcoded. The exam expects you to keep the three distinct rather than treating them as one bucket.
- Hardcoded secrets in source or images are the canonical finding; use a managed secrets store
A managed secrets store holds credentials encrypted, serves them to workloads at runtime by identity, and rotates them automatically, so no password or API key sits in a repository, container image, or config file. Hardcoded secrets are the recurring vulnerability because anyone who reads the artifact reads the credential. The fix the exam wants is centralizing the secret with runtime retrieval and rotation, not obscuring it in config.
Trap Storing credentials in environment files or config baked into an image instead of a secrets manager; the secret travels with the artifact and leaks with it.
- Certificate management must support revocation via CRL or OCSP, not just expiry
A certificate manager or internal CA issues X.509 certs, tracks expiry, and automates renewal, but the load-bearing capability is revocation: a compromised certificate must be invalidated before it expires using a certificate revocation list (CRL) or OCSP. Relying only on expiry leaves a compromised key trusted for its remaining lifetime. Expired or unrotated certs causing outages, and slow revocation, are the recurring operational risks.
Trap Treating certificate expiry as the only control; without CRL or OCSP a compromised certificate stays trusted until it would have expired anyway.
- Encryption protects against the provider only when you control the key
Provider-managed encryption protects data from outside attackers and stolen media, but if the provider holds the key it can technically decrypt your data, so it does not protect you from the provider itself. To exclude the provider you must hold the key, through customer-managed keys at minimum or BYOK/HYOK with your own HSM. The threat model the stem names decides which is required.
Trap Assuming provider-managed encryption keeps your data confidential from the provider; whoever holds the key can decrypt, so provider-held keys do not exclude the provider.
6 questions test this
- A security architect is evaluating the threat landscape for block storage in a multi-tenant cloud environment. Which threat is MOST…
- A cloud customer operating in multiple jurisdictions learns that their cloud service provider may be subject to the US CLOUD Act, which…
- A financial services company needs to maintain exclusive control over encryption keys while storing data in a cloud provider's environment.…
- An enterprise is implementing a multi-cloud object storage strategy and wants to maintain consistent encryption key management across…
- An organization is migrating sensitive data to cloud object storage and must choose between server-side encryption and client-side…
- An organization is migrating sensitive financial data to cloud object storage and requires protection against unauthorized access if…
- A CASB risk-scores discovered apps on dozens of security, compliance, and legal factors to prioritize them
After discovery surfaces hundreds of apps, a CASB's catalog scores each one against many risk factors (often 80-90+) spanning security controls, compliance certifications (SOC 2, HIPAA), and legal factors (data residency, terms of service). This scoring is what lets the team prioritize which shadow-IT apps to sanction or block first.
- DLP detects more than regex can: fingerprinting for forms, EDM for exact records, OCR for images
Regular-expression pattern matching suits structured, predictable formats (credit-card, SSN). For other data, DLP uses stronger techniques: document fingerprinting hashes a blank form or template's unique word pattern to catch any filled-in copy by structure, even when values vary; Exact Data Match (EDM), also called structured-data fingerprinting, indexes specific values from a source database and flags only those exact records, slashing false positives; OCR extracts text from images, scanned PDFs, and screenshots so the classifiers can inspect it.
Trap Reaching for a generic regex when the requirement is to catch a known template or an exact database record — fingerprinting matches by structure and EDM matches by indexed values, both far more precise than a format pattern.
9 questions test this
- An organization using a cloud DLP solution needs to automatically discover and classify sensitive data across their cloud storage…
- An organization is implementing a cloud-based DLP solution to support their Information Rights Management (IRM) program. The security team…
- An organization is implementing a cloud DLP solution to protect sensitive information. The security team wants to detect when employees…
- During CASB API-mode discovery of a SaaS collaboration tenant, the data classification engine flags thousands of text documents containing…
- A company uses standard forms for collecting employee personal information during onboarding. They want their DLP solution to detect when…
- An organization wants to protect standard forms containing sensitive information that employees commonly use and share via email. The…
- An organization is integrating DLP with their Information Rights Management system to protect intellectual property. The DLP solution must…
- A retail company maintains a master customer database in a cloud-hosted PaaS relational service and wants the DLP solution to discover…
- A financial services company stores customer personally identifiable information (PII) across a multi-cloud environment and must implement…
- Cut DLP false positives with context keywords, exclusion rules, and predefined sensitive-info types
Over-broad patterns produce excessive matches. Reduce false positives without losing recall by: adding context keywords (hotwords like 'Employee ID') near the pattern so a match needs supporting evidence; writing exclusion rules that filter known non-sensitive values (test SSNs, product SKUs); and using predefined sensitive-information types that combine pattern matching, dictionaries, and confidence levels. These tune accuracy rather than weakening detection.
5 questions test this
- An organization is implementing a file analysis tool to discover PII across their cloud file repositories containing millions of…
- An organization is implementing a DLP solution to discover sensitive data across their cloud environment. The security team notices that…
- A security team discovers that their DLP solution is generating numerous false positives when scanning unstructured data such as user…
- A security team is configuring DLP policies to detect sensitive health information in cloud-hosted documents. The organization needs to…
- An organization is implementing content-aware scanning for their cloud file storage to detect custom employee ID numbers formatted as three…
- DLP policy templates ship pre-built detection rules for PCI-DSS, HIPAA, and GDPR
DLP engines include regulatory policy templates with pre-configured sensitive-information types, conditions, and actions for frameworks like PCI-DSS, HIPAA, and GDPR. Using a template is the fastest way to align a deployment with a specific regulation, cutting setup time while ensuring coverage of the required data types.
3 questions test this
- An organization wants to rapidly deploy DLP controls to meet PCI DSS compliance requirements for protecting cardholder data in their cloud…
- A security team is configuring DLP policies to detect sensitive health information in cloud-hosted documents. The organization needs to…
- An organization is implementing DLP policies to comply with multiple regulatory frameworks including HIPAA, PCI-DSS, and GDPR. Which…
- Roll out a DLP policy in simulation/audit mode first, then enforce gradually
Best practice is to deploy a new DLP policy in simulation mode (also called audit or monitor mode), which logs matches and potential violations without blocking users. This lets the team measure impact, surface false positives, and tune rules before turning on enforcement, minimizing business disruption. Enforcement actions can then be tiered (audit-only, block-with-override requiring justification, full block) by severity.
7 questions test this
- An organization is deploying a new DLP policy that will affect thousands of users across multiple cloud applications. Which approach…
- An organization is deploying a DLP solution in their cloud environment and wants to minimize business disruption while still gathering data…
- A cloud security architect is designing DLP policies to protect sensitive customer data. The organization wants to minimize business…
- A security team is deploying DLP policies in simulation mode before enforcing restrictions across cloud applications. What is the PRIMARY…
- An organization is implementing a DLP solution to support their Information Rights Management strategy. The security team wants to begin…
- A company is defining DLP policy enforcement actions for their data classification program. The security team wants to implement graduated…
- An organization wants to use DLP to automatically apply sensitivity labels to documents containing personally identifiable information…
- Vaulted tokenization keeps a token-to-value database; vaultless derives tokens cryptographically with no mapping store
Vaulted tokenization stores the mapping between each token and its real value in a central vault, which becomes the highest-value target and must be protected to full PCI-DSS scope because it holds the actual PANs. Vaultless tokenization uses cryptographic methods (often HSM-backed) to generate and reverse tokens by computation rather than database lookup, eliminating the central mapping store and shrinking the attack surface.
Trap Assuming vaultless removes all risk — vaultless built on format-preserving encryption inherits FPE's weakness on small domain sizes, which NIST flags as exploitable.
3 questions test this
- An organization is implementing a tokenization solution and must decide between vaulted and vaultless approaches. The security team is…
- A financial services company implements a vaulted tokenization solution to protect customer credit card data in their cloud environment.…
- According to PCI DSS tokenization guidelines, which security control is MOST critical when implementing a card data vault that stores the…
- Deterministic tokenization yields the same token for the same input so tokenized data still joins
Deterministic tokenization produces an identical token every time for a given input value under the same key and context, preserving referential integrity. This lets analytics teams join and aggregate de-identified records across multiple tables and datasets without exposing the real values. Format-preserving encryption on the identifier can serve the same purpose where field length and format must be retained.
5 questions test this
- A cloud security architect is designing a tokenization solution where analytics teams need to perform aggregations and joins across…
- A healthcare organization implements tokenization for patient identifiers and needs to maintain referential integrity across multiple…
- An organization is implementing tokenization to protect Social Security Numbers (SSNs) across multiple customer databases while maintaining…
- A cloud security architect is designing a data protection strategy for a database containing structured patient information. The…
- A financial services organization wants to implement tokenization to protect credit card numbers while maintaining the ability to perform…
- Format-preserving encryption (NIST FF1) keeps a field's original length and format
Format-preserving encryption (FPE) encrypts data while keeping the ciphertext in the same format and length as the input, so a 16-digit card number stays 16 digits and fits legacy schemas, foreign keys, and validation. NIST SP 800-38G specifies FPE modes built on AES; the published standard defined FF1 and FF3-1, but cryptanalysis (notably Beyne 2021) prompted NIST's draft revision to drop FF3/FF3-1, leaving FF1 as the recommended mode. NIST also warns that FPE weakens when the domain (range of possible inputs) is small (it now requires a minimum domain of one million).
Trap Choosing standard AES when the database field cannot change length or format — only a format-preserving mode like FF1 keeps the original structure.
4 questions test this
- An organization is evaluating vaultless tokenization using format-preserving encryption for their cloud deployment. The security team is…
- A cloud architect is evaluating format-preserving encryption (FPE) for protecting Social Security numbers in a legacy database system that…
- A cloud security architect is designing a data protection strategy for a database containing structured patient information. The…
- An organization implementing tokenization to protect credit card numbers in their cloud-based payment processing system wants to ensure the…
- BYOK imports your key into the cloud KMS; HYOK keeps the key entirely outside the provider
Bring Your Own Key (BYOK) generates keys on your own HSM and imports them into the cloud KMS, demonstrating control over key generation while still using KMS features. Hold Your Own Key (HYOK), also called external key manager integration, keeps key material in your own KMS outside any single cloud so the provider never holds the key, even during operations. Client-side encryption likewise encrypts before upload so the CSP never sees plaintext. The more the provider must never access the key, the further you move from provider-managed toward HYOK/client-side.
Trap Picking provider-managed or BYOK when the requirement is the CSP never has the key material — only HYOK/external key manager (or client-side encryption) keeps the key out of the provider's reach.
7 questions test this
- An organization is implementing Transparent Data Encryption (TDE) for their cloud database and wants to maintain full control over…
- A cloud customer operating in multiple jurisdictions learns that their cloud service provider may be subject to the US CLOUD Act, which…
- A healthcare organization subject to HIPAA regulations is evaluating key management options for their cloud object storage. They require…
- An organization's compliance requirements mandate demonstrating control over encryption key generation before migrating to a cloud KMS.…
- A financial services company needs to maintain exclusive control over encryption keys while storing data in a cloud provider's environment.…
- An enterprise is implementing a multi-cloud object storage strategy and wants to maintain consistent encryption key management across…
- An organization is migrating sensitive data to cloud object storage and must choose between server-side encryption and client-side…
- ABAC makes access decisions from subject, resource, and environment attributes, solving role explosion
Attribute-Based Access Control evaluates attributes of the subject (department, project), the resource (classification label), and the environment (time, location) against policy to decide access dynamically (NIST SP 800-162). One attribute policy replaces the many roles that cause role explosion, and decisions adjust automatically as attributes change. A hybrid RBAC+ABAC model uses roles for baseline permissions and ABAC conditions for classification-driven granularity.
Trap Reaching for more RBAC roles when access must turn on data classification and changing context — that is what drives role explosion; ABAC evaluates classification as a resource attribute instead.
6 questions test this
- An organization operating in a multi-cloud environment needs to enforce data access policies that consider multiple factors simultaneously:…
- A cloud security architect is designing an IAM strategy for a large enterprise experiencing 'role explosion' due to the proliferation of…
- An organization implementing a cloud database solution needs to determine the appropriate access control model for their multi-tenant…
- An organization wants to implement a hybrid access control model that combines the simplicity of role-based assignments with the…
- A security architect is implementing resource tagging for data classification on cloud storage services. The organization needs to use…
- An organization is implementing a cloud data security strategy that requires access decisions to be based on data sensitivity levels rather…
- DAM dynamic profiling baselines each account's normal objects and alerts on deviations
Database Activity Monitoring with dynamic profiling automatically builds, per database account, the list of data objects that account regularly accesses, forming a behavioral baseline. When a profiled account (including a privileged DBA) touches an object outside its baseline, DAM alerts or blocks. DAM also provides near-real-time policy-violation alerting and built-in sensitive-data discovery for standards like HIPAA and GDPR.
3 questions test this
- An organization using Database Activity Monitoring wants to detect unauthorized data access attempts by privileged database administrators.…
- A healthcare organization needs to implement DAM to monitor access to databases containing PHI. They want the DAM solution to automatically…
- A cloud security team is configuring their DAM solution to detect unauthorized access to sensitive data. The DAM system uses dynamic…
- Agent-based DAM sees local DBA sessions that network-based DAM misses
Network-based DAM inspects database traffic on the wire and cannot see local connections that bypass the network, such as direct console access or local sockets used by DBAs. Host/agent-based DAM runs on the database server and captures both network and local privileged activity, which is why agent-based deployment connecting to a central collector is the common cloud DAM approach when local DBA actions must be monitored.
Trap Blaming a DAM gap on misconfiguration when local DBA sessions go unseen — network-only monitoring structurally cannot observe local connections; host-based agents are required.
3 questions test this
- A security team is evaluating DAM deployment options for monitoring dedicated database instances in their IaaS cloud environment. According…
- A financial services company uses DAM to monitor its cloud databases for compliance with PCI-DSS requirements. The security team notices…
- A financial services company is deploying DAM to monitor their cloud database containing customer financial records. The security architect…
Data Discovery
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Data Classification
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Information Rights Management
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Data Retention, Deletion & Archiving
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Data Event Auditability & Accountability
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Cloud Platform & Infrastructure Security
Cloud Infrastructure & Platform Components
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- A cloud platform has six component layers; name the layer before the control
CCSP objective 3.1 breaks every cloud platform into six layers: physical environment, network and communications, compute, virtualization, storage, and the management plane. Each layer has its own threats and controls, so the first move on a Domain 3 stem is to place the symptom in exactly one layer, because that decides which control and which owner are correct. Misplacing the layer is what leads to picking a real but wrong-layer control.
- The management plane is the highest-value target because it controls every other layer
The management plane is the orchestration and administration layer (provider portal, cloud APIs, hypervisor and orchestration consoles) that provisions, configures, snapshots, moves, and destroys all other resources. A single privileged credential here lets an attacker copy every snapshot or delete the whole estate without ever touching a guest OS or breaking a hypervisor, so its blast radius is the entire environment. That breadth is why CCSP elevates it above the technically harder attacks on lower layers.
Trap Assuming the hardest attack (VM escape, hypervisor compromise) is the biggest risk; the management plane is more dangerous because it reaches every layer at once through ordinary API calls.
4 questions test this
- An organization is migrating to a public cloud environment and the security team is concerned about the risks associated with the cloud…
- An organization's security team is conducting a risk assessment of their cloud environment. They discover that attackers could potentially…
- An organization is migrating to a public cloud platform and the security team is assessing risks associated with the management plane.…
- A security analyst discovers that an attacker successfully compromised the cloud management plane by stealing OAuth access tokens from an…
- Protect the management plane with MFA, least privilege, a bastion host, and full logging
Because management-plane access reaches the whole estate, it gets controls out of proportion to any single workload: enforce multi-factor authentication on every admin identity, separate roles so no account can both configure and audit, route administrative sessions through a hardened bastion (jump) host instead of exposing consoles to the internet, and log every privileged action to an append-only store. These map to the access-control (AC) and audit (AU) families of NIST SP 800-53.
- Virtualization is the boundary that makes multi-tenancy safe
Compute, virtualization, and storage are pooled and shared across unrelated tenants, so the core security question at these layers is whether one tenant can reach another's resources. Virtualization (a hypervisor isolating virtual machines, or a runtime isolating containers) is the boundary that keeps co-resident tenants apart, so isolation is the central control. When a stem raises one tenant reaching another's compute, the fix lives at the virtualization layer, not at a network firewall.
4 questions test this
- A healthcare organization hosts patient record systems in a multi-tenant IaaS cloud environment. During a risk assessment, the security…
- A cloud service provider is analyzing security risks associated with their virtualization infrastructure. An attacker has gained access to…
- A cloud security analyst is assessing risks in a multi-tenant IaaS environment. The analyst is concerned about an attack where malicious…
- A cloud security professional is analyzing threats to a virtualized infrastructure. Which attack type poses the GREATEST risk to…
- VM escape breaks tenant isolation, so harden and patch the hypervisor
A VM escape (hypervisor escape) is a guest breaking out of its virtual machine to run on the underlying host or hypervisor, which would let it reach co-resident tenants and defeat multi-tenant isolation entirely. The container analogue is a container escape to the shared kernel. The defense is hypervisor hardening and prompt patching, which is why the provider, not the customer, owns hypervisor security in public cloud.
Trap Reaching for a network firewall or security group to contain a VM escape; the breach is at the virtualization layer, so the answer is hypervisor hardening and patching, not network filtering.
11 questions test this
- A healthcare organization hosts patient record systems in a multi-tenant IaaS cloud environment. During a risk assessment, the security…
- A cloud service provider is analyzing security risks associated with their virtualization infrastructure. An attacker has gained access to…
- A cloud security analyst is assessing risks in a multi-tenant IaaS environment. The analyst is concerned about an attack where malicious…
- A cloud security professional is analyzing threats to a virtualized infrastructure. Which attack type poses the GREATEST risk to…
- A security analyst discovers that attackers have exploited a vulnerability in the hypervisor to gain access from one virtual machine to the…
- A security analyst discovers that an attacker has compromised a guest virtual machine and is attempting to break out of the VM to access…
- A cloud security team is assessing risks to their hypervisor infrastructure. They are concerned about attacks where malicious code within a…
- A security analyst discovers that ransomware groups are increasingly targeting VMware ESXi hypervisors in multi-tenant environments.…
- A security analyst discovers that an attacker has exploited a vulnerability in a guest operating system to gain access to the hypervisor…
- A security analyst discovers that an attacker exploited a vulnerability in the hypervisor's device driver emulation to execute malicious…
- A security analyst discovers that an attacker has exploited a vulnerability in the virtualization layer to access memory belonging to other…
- Type 1 hypervisors run on bare metal; Type 2 run on a host OS
A Type 1 (bare-metal) hypervisor runs directly on the hardware and is what cloud providers use for production multi-tenancy because it has a smaller attack surface. A Type 2 (hosted) hypervisor runs as an application on top of a host operating system and is typical of desktop or lab use, where the host OS adds attack surface beneath the guests.
Trap Assuming providers run production tenants on Type 2 hypervisors; bare-metal Type 1 is preferred for multi-tenancy because there is no host OS layer to compromise.
3 questions test this
- A cloud architect is evaluating hypervisor options for a new private cloud deployment that will host mission-critical workloads. Which…
- An organization is deploying workloads in a public cloud and the security team is evaluating hypervisor security. Which characteristic…
- An organization is evaluating hypervisor types for their cloud data center where security and performance are critical requirements. Which…
Containers isolate at the process and namespace level and share the host kernel, which makes them faster to start than virtual machines but gives them a weaker isolation boundary, because a single kernel vulnerability is exposed to every container on that host. A VM carries its own guest OS and is isolated by the hypervisor, so it survives a kernel flaw that would compromise neighboring containers.
Trap Treating a container and a VM as equally strong isolation; the container's shared kernel is a single shared fault domain that a VM's hypervisor boundary does not have.
8 questions test this
- A security architect is designing a container deployment strategy that requires VM-level isolation for untrusted workloads while…
- A security architect is concerned about isolation in a containerized environment. Which mechanism is PRIMARILY responsible for providing…
- During a cloud security assessment, an analyst discovers that development teams are running containerized workloads from multiple trust…
- A security analyst discovers that a container orchestration platform has placed a public-facing web server container on the same node as a…
- An organization needs to run containerized workloads that require stronger isolation than traditional process-based container isolation.…
- An organization is deploying containers in a shared multi-tenant cloud environment. The security team is concerned about potential…
- An organization is evaluating compute abstraction options for a multi-tenant cloud environment hosting workloads with varying trust levels.…
- A security architect is analyzing container technology risks for a cloud deployment. Which Linux kernel feature is primarily responsible…
- Side-channel attacks infer data without breaking isolation
A side-channel attack lets a workload co-resident on the same physical host infer another tenant's data from timing, cache, or power behavior rather than breaking the isolation boundary outright. It is a compute-layer multi-tenancy risk distinct from VM escape, because no boundary is actually crossed; the leakage rides shared hardware. Mitigations include dedicated hosts and provider-side microarchitectural patching.
3 questions test this
- A cloud service provider discovers that a malicious tenant was able to read sensitive data from another tenant's virtual machine memory on…
- A financial services company is evaluating HSM options for their cloud deployment. They require FIPS 140-3 Level 3 validation and want…
- An organization is migrating highly sensitive workloads to a cloud environment. The NSA's cloud security guidance recommends specific…
- Data remanence is the storage-layer leak; defeat it with encryption and cryptographic erase
Data remanence is residual data left on physical media after it is released, which a later tenant could recover if the provider reassigns that capacity without sanitizing it. Encrypting tenant data at rest makes leftover bytes useless without the key, and cryptographic erase (destroying the encryption key) renders all that data instantly unrecoverable, which scales far better than physically overwriting shared media. Both techniques are covered in NIST SP 800-88 on media sanitization.
Trap Insisting on physically overwriting media to handle remanence on shared cloud storage; you cannot reach the physical disks, so cryptographic erase by destroying the key is the cloud-appropriate control.
7 questions test this
- An organization is terminating its contract with a cloud service provider and needs to ensure its data cannot be recovered from shared…
- An organization discovers that sensitive data may still be recoverable from cloud storage volumes that were deleted three months ago due to…
- During a security assessment of a multi-tenant cloud environment, an auditor discovers that tenant data is only logically isolated on…
- An organization needs to securely destroy data stored across multiple cloud regions when a customer terminates their service agreement. The…
- A cloud service provider is decommissioning storage infrastructure that contained multiple tenants' data. According to NIST SP 800-88…
- A security analyst is conducting a risk assessment for cloud storage in a multi-tenant environment. Which storage-related risk is MOST…
- An organization is terminating cloud services with a CSP that uses shared storage infrastructure. The security team needs to ensure…
- Storage failures are usually exposure or missing encryption, not just remanence
Beyond remanence, the classic storage-layer failures are exposure and weak encryption: an object store left publicly readable, or a volume created without encryption at rest. These are configuration faults the customer typically owns, so the storage-layer answer to an exposed bucket is access policy plus encryption, not a control borrowed from another layer.
- The network layer is increasingly software-defined, so segmentation is configured not cabled
The network and communications layer carries tenant traffic between components and is increasingly software-defined, meaning segmentation, routing, and isolation are configured in software rather than wired into hardware. Its signature risks are east-west lateral movement, traffic interception, and missing segmentation, so the controls are network segmentation and traffic inspection. Because segmentation is a setting, a missing boundary is a misconfiguration, not a cabling gap.
- Compute is pooled CPU and memory allocated on demand
The compute layer is the provider's pooled CPU and memory that actually run workloads, allocated elastically on demand. Its multi-tenancy risks are resource exhaustion (one tenant's load starving others, which providers limit through quotas and scheduling) and side-channel leakage between workloads sharing a physical host. Compute is owned by the provider in every public-cloud service model.
- The physical layer is the data-center facility itself
The physical environment is the data-center building, power, cooling, cabling, and physical access control beneath every other layer. Its concerns are physical breach, environmental failure, and safe disposal of failed media, and in public cloud the provider owns it entirely; the customer relies on attestation reports rather than inspecting the facility. Detailed facility design (site selection, HVAC, tiering) is the separate secure-data-center-design subtopic.
Moving to the cloud transfers the lower layers to the provider in a predictable order. Under IaaS the provider owns physical, network, and the virtualization host while the customer owns the guest OS and up. Under PaaS the provider also owns the OS and runtime, leaving the customer the application and data. Under SaaS the provider owns everything down to the application, leaving the customer only their data, access configuration, and identities. A stem naming a component plus a service model is asking for that intersection.
- The customer never secures the hypervisor in public cloud
Across all public-cloud service models the provider owns the virtualization layer, so the customer cannot reach or harden the hypervisor; that responsibility is always the provider's. Guest-OS patching, by contrast, is the customer's job under IaaS but the provider's under PaaS and SaaS, where the provider owns the operating system. Any answer telling a public-cloud customer to harden the hypervisor is assigning provider-owned infrastructure to a party that cannot even access it.
Trap Assigning hypervisor hardening to the customer in public cloud; the customer has no access to the virtualization layer, so that is always the provider's responsibility.
- Match the symptom to its layer, then take that layer's control
Domain 3.1 items usually describe a symptom and expect you to route it: residual files recovered by a new tenant means storage and data remanence, so encrypt with cryptographic erase; a guest running on the hypervisor host means virtualization, so harden and patch; leaked API keys snapshotting databases means the management plane, so MFA, least privilege, and logging. When two options both sound plausible, the one matching the layer the symptom lives in is correct; the distractor borrows a real control from the wrong layer.
Trap Picking a genuine control aimed at the wrong layer, such as a network firewall offered as the fix for a data-remanence problem; correct control follows the layer the symptom actually sits in.
- Bare metal gives dedicated hardware with no hypervisor and the strongest isolation
Bare metal (dedicated-host) compute hands the customer a whole physical server with direct CPU and memory access and no virtualization layer, so there is no hypervisor to escape and no noisy neighbor. Choose it when a workload needs maximum tenant isolation, full OS control, hardware-level performance features, or licensing that forbids shared hosts.
Trap Reaching for a dedicated VM or single-tenant hypervisor when the requirement is no hypervisor at all; that still runs a virtualization layer.
5 questions test this
- A financial services company requires maximum isolation for processing sensitive cryptographic operations in the cloud. They need dedicated…
- An organization processes highly sensitive data and requires the strongest possible isolation from other cloud tenants. Which compute…
- A cloud service provider is designing infrastructure for a customer with highly sensitive workloads that require strict regulatory…
- An organization requires compute resources that provide direct hardware access with no virtualization layer due to strict performance…
- An organization is migrating highly sensitive workloads to a cloud environment. The NSA's cloud security guidance recommends specific…
- The noisy neighbor problem is one tenant's load degrading another's on shared hardware
In pooled multi-tenant infrastructure, one tenant consuming a disproportionate share of CPU, storage I/O, or network can degrade performance for other tenants on the same physical host. This is a performance and operational risk of resource sharing, not a breach of isolation; bare metal or dedicated capacity eliminates it.
- Micro-segmentation enforces policy per workload, not per subnet, to stop east-west lateral movement
Micro-segmentation places a virtual firewall at each workload's network interface (often via the SDN/NSG layer) so traffic is controlled host-by-host rather than at the subnet perimeter. Its purpose is to limit east-west (workload-to-workload) lateral movement inside a zone, a gap traditional perimeter segmentation leaves open. Zero Trust micro-segmentation keys rules to workload identity so only explicitly required flows are allowed.
Trap Treating subnet- or VLAN-level segmentation as equivalent; those control north-south perimeter traffic and still allow free lateral movement within a segment.
6 questions test this
- Your organization is deploying a multi-tier application in a cloud environment and needs to control traffic between the web tier,…
- An organization wants to implement security controls that can restrict lateral movement at the individual workload level rather than at the…
- An organization is implementing microsegmentation as part of their Zero Trust strategy for their cloud environment. The security team needs…
- A cloud security architect is implementing network security controls to prevent lateral movement of threats within the data center.…
- A cloud security architect is designing virtual network segmentation for a multi-tier application. The architecture includes web,…
- An organization is deploying multiple application workloads in a cloud environment. The security architect is concerned that if a single…
- East-west traffic flows between workloads inside the network; north-south crosses the perimeter
East-west traffic is internal flow between components such as web, app, and database tiers or microservices within the same virtual network. North-south traffic enters or leaves the network through the perimeter. Perimeter firewalls inspect north-south; micro-segmentation and distributed virtual firewalls are needed to inspect east-west.
8 questions test this
- A security architect is implementing network segmentation in a cloud environment and needs to control communication between different…
- A cloud security architect is designing network security controls for a cloud-native application. The security team requires inspection of…
- Your organization is deploying a multi-tier application in a cloud environment and needs to control traffic between the web tier,…
- A cloud architect is designing network segmentation for a three-tier application consisting of web, application, and database tiers in a…
- A cloud security architect is implementing network security controls to prevent lateral movement of threats within the data center.…
- A security operations team is implementing traffic inspection controls in their cloud data center. They need to monitor and secure traffic…
- A cloud security architect is designing virtual network segmentation for a multi-tier application. The architecture includes web,…
- An organization is deploying multiple application workloads in a cloud environment. The security architect is concerned that if a single…
- Tag- or identity-based segmentation lets policies follow workloads as they move or scale
Tag-based (identity-based) segmentation attaches security policy to a workload's labels or identity rather than its IP address, so rules automatically follow a VM as it migrates, scales, or changes IP. This avoids the continuous policy resynchronization that IP- and VLAN-based rules require whenever workload network locations change.
4 questions test this
- A security team is transitioning from traditional IP-based firewall rules to tag-based segmentation in their cloud virtual network…
- A cloud security architect is implementing network security groups (NSGs) to protect virtual machines in a multi-tier application. The…
- An organization is implementing microsegmentation as part of their Zero Trust strategy for their cloud environment. The security team needs…
- When designing network segmentation for a cloud data center, a security architect must decide between segment-based microsegmentation using…
- Network security groups should be deny-by-default with explicit allow rules only
Network security groups (NSGs) provide stateful 5-tuple filtering (source/destination IP, source/destination port, protocol) at the virtual-switch level. Configure them deny-by-default and add explicit allow rules only for required flows; by default, subnets within one virtual network can talk freely, so isolation must be configured, not assumed.
Trap Assuming subnets in the same VNet are isolated by default; intra-VNet communication is permitted until an NSG denies it.
7 questions test this
- A security team is conducting a risk assessment for a multi-tier application deployed in an IaaS cloud environment. The application uses…
- A cloud security team is implementing network segmentation using virtual networks and network security groups. They want to ensure proper…
- A cloud architect is designing network segmentation for a three-tier application consisting of web, application, and database tiers in a…
- A security team is configuring virtual firewall rules for their cloud deployment. Following the principle of least privilege, which…
- A cloud security architect is implementing network security groups (NSGs) to protect virtual machine workloads. Which capability do NSGs…
- A security team is configuring Network Security Groups (NSGs) in their cloud virtual network to implement workload-level…
- A security team is implementing network security groups (NSGs) in their cloud environment to segment virtual networks. They notice that by…
- VLANs cap at ~4,094 segments (12-bit ID); VXLAN's 24-bit VNI scales to ~16 million
The 802.1Q VLAN ID is 12 bits, limiting a network to about 4,094 usable VLANs, which is too few for large multi-tenant clouds. VXLAN overlay networking uses a 24-bit segment ID (VNI) supporting roughly 16 million logical segments and decouples the logical network from the physical fabric by encapsulating Layer 2 frames in UDP.
6 questions test this
- A cloud security architect is designing a data center network and wants to implement network segmentation using VLANs to separate tenant…
- A cloud security architect is designing network segmentation for a multi-tenant IaaS environment. The organization needs to support more…
- A cloud architect is designing tenant isolation for a cloud data center. The design requires network segmentation that can support over 16…
- An organization is migrating to a multi-tenant cloud environment and discovers that traditional VLAN-based segmentation cannot scale to…
- An organization is deploying a multi-tenant cloud environment and needs to create network segments for tenant isolation. The security…
- A security team is evaluating network segmentation technologies for a cloud data center that requires supporting more than 4,000 isolated…
- SDN centralizes control in the controller, which becomes the single point of compromise
Software-defined networking separates the control plane from the data plane and centralizes decision-making in the SDN controller. That centralization simplifies and standardizes policy but makes the controller a single point of failure and the highest-value target: compromising it lets an attacker rewrite flow rules across the whole network. Controller-to-switch traffic is also exposed to man-in-the-middle flow-rule tampering if unencrypted.
Trap Picking a data-plane switch as the critical asset; the control-plane controller is the component that must be hardened first.
6 questions test this
- An organization is evaluating the implementation of Software-Defined Networking (SDN) in their cloud environment. The security architect…
- A cloud security professional is assessing risks associated with Software-Defined Networking in their organization's infrastructure. The…
- An organization is deploying Software-Defined Networking (SDN) in their cloud environment. The security team is concerned about the…
- A cloud security architect is assessing the risks associated with implementing Software-Defined Networking (SDN) in the organization's…
- An organization is evaluating the security implications of implementing Software-Defined Networking (SDN) in their cloud environment. Their…
- An organization's security team has identified that the SDN controller represents a critical point of compromise in their cloud…
- Manage the SDN controller only from PAWs on a segmented out-of-band network
NSA guidance is to physically segment SDN controller management interfaces from the data interfaces and administer the controller exclusively from privileged access workstations (PAWs) connected to a dedicated out-of-band management (OOBM) network. This isolates administrative access so it cannot be reached through the production data path.
3 questions test this
- According to NSA guidance for managing SDN controller risks, what is the recommended approach for securing administrative access to SDN…
- A cloud administrator is configuring SDN controller management access for their enterprise environment. Following NSA recommendations,…
- An organization's security team has identified that the SDN controller represents a critical point of compromise in their cloud…
- Object, block, and file storage differ by access model: object = metadata + ID + API
Object storage holds data as objects, each with the payload, a unique identifier, and rich customizable metadata, accessed over HTTP/HTTPS REST APIs in a flat namespace; it suits unstructured data at petabyte scale. Block storage exposes raw fixed-size blocks for low-latency, high-IOPS workloads like databases and VM volumes. File storage offers a hierarchical NFS/SMB share for concurrent multi-user access with file-level permissions.
Trap Choosing object storage for a database needing high IOPS, or block storage for shared concurrent file access; match the access pattern to the type.
8 questions test this
- An organization is deploying a cloud-based application that requires shared file access for multiple users across different geographic…
- An organization needs to select cloud storage for a database application requiring high IOPS and low latency. The data must persist even if…
- An organization is deploying a cloud-based application that requires database storage with high IOPS and low latency. The database performs…
- An organization is migrating a large repository of unstructured data including images, videos, and backup archives to the cloud. The…
- Which characteristic MOST accurately distinguishes object storage from block and file storage in a cloud environment?
- A cloud security architect is designing storage for a mission-critical database application that requires low-latency access, high IOPS,…
- Multiple distributed teams need to concurrently access and modify shared project documents and application configuration files stored in…
- An organization stores large volumes of unstructured data including images, videos, and backup archives in the cloud. They require 11 nines…
- Persistent block volumes survive VM stop or failure; ephemeral storage is lost on stop
Persistent block storage is network-attached and lives independently of the instance, so data survives a VM stop, restart, termination, or host failure and the volume can be reattached. Ephemeral (instance/local SSD) storage is physically tied to the host and is wiped permanently when the VM stops, terminates, or the host fails; use it only for caches and scratch data.
5 questions test this
- An organization needs to select cloud storage for a database application requiring high IOPS and low latency. The data must persist even if…
- A cloud architect is designing a solution for a stateful database application requiring high-performance I/O and data that must persist…
- A cloud security professional is evaluating ephemeral storage volumes used by virtual machine instances for temporary data processing.…
- A cloud security team is implementing storage for a containerized application that processes temporary analytical data. The data does not…
- A cloud security architect is designing storage for a mission-critical database application that requires low-latency access, high IOPS,…
- Object storage reaches 11 nines durability via erasure coding across multiple AZs
Cloud object storage achieves extreme durability (e.g. 99.999999999%, '11 nines') by erasure-coding objects into data and parity fragments spread across many devices in multiple availability zones, plus redundant metadata and regular checksum validation. Durability protects against hardware failure and corruption only.
Trap Assuming high durability also protects against malicious or accidental deletion; a compromised account's delete is a valid operation, so versioning, MFA-delete, and immutable backups are still required.
5 questions test this
- A security analyst is assessing threats to the organization's cloud object storage containing sensitive customer data. According to current…
- A cloud service provider advertises that their object storage service is designed for 99.999999999% (11 nines) annual durability. Which…
- An organization is migrating a large repository of unstructured data including images, videos, and backup archives to the cloud. The…
- A cloud service provider advertises their object storage service with 99.999999999% (11 nines) annual durability. What is the PRIMARY…
- An organization stores large volumes of unstructured data including images, videos, and backup archives in the cloud. They require 11 nines…
- For VM-grade container isolation, run each container in a lightweight micro-VM (e.g. Kata)
Standard containers share the host kernel, a weaker boundary than a VM. When untrusted workloads need hardware-level isolation while keeping container tooling, use sandboxed runtimes like Kata Containers or Hyper-V isolation that run each container inside a stripped-down, OCI-compliant lightweight VM with its own guest kernel.
- KMS key rotation makes a new version for new encryption but keeps old versions for decryption
Automatic key rotation creates a new key version used for all new encryption, while the KMS retains previous versions to decrypt data already written under them. Existing ciphertext is not re-encrypted automatically, so rotation is transparent and requires no application change or bulk re-encryption.
Trap Assuming rotation re-encrypts existing data with the new key; old data stays under its original version until rewritten.
Secure Data Center Design
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Design a data center along four axes: logical, physical, environmental, resilience
Secure data center design splits into four separate problems, each with its own controls and failure mode. Logical design partitions tenants and controls access on shared hardware, and fails as a cross-tenant breach. Physical design picks the site and building, and fails as a location loss. Environmental design keeps power, cooling, and connectivity running, and fails as an availability loss. Resilience design sizes redundancy, and fails as a single point of failure. When a question names one axis, answer with that axis's control rather than a generic notion of security.
Trap Answering a tenant-isolation question with power redundancy, or an availability question with access control; each axis fails differently and needs its own control.
- Logical isolation is what keeps multi-tenancy from leaking
Because many tenants share the same physical compute, storage, and network, every wall between them is built in software, so logical design carries the isolation. It works at several layers at once: per-tenant virtual networks, hypervisor-enforced VM boundaries, logically segregated storage with per-tenant keys, and identity-based access to the management plane. A cross-tenant breach is categorically worse than compromising one host because it reaches another customer's data, which is why isolation is enforced redundantly across all those layers.
- Tenant partitioning starts with separate virtual networks per tenant
Network-layer tenant partitioning gives each customer its own logically separate virtual network (a VPC on AWS, a virtual network on Azure) with private address space, routing, and security groups, so one tenant cannot route to or even address another's resources. This is the first and broadest isolation layer; compute (hypervisor) and storage (per-tenant keys) isolation sit beneath it as defense in depth.
- The hypervisor enforces the strongest tenant boundary, and a hypervisor escape is the catastrophic failure
Hypervisor-enforced VM isolation gives each guest its own kernel and virtual hardware so a tenant cannot read a co-resident tenant's memory or CPU state, making it the strongest software boundary in a shared facility. The high-severity failure is a hypervisor escape (VM escape), where code breaks out of a guest to the host or a neighbor; it is rare but catastrophic, defended by keeping the hypervisor minimal and patched.
4 questions test this
- A healthcare organization hosts patient record systems in a multi-tenant IaaS cloud environment. During a risk assessment, the security…
- A cloud security analyst is assessing risks in a multi-tenant IaaS environment. The analyst is concerned about an attack where malicious…
- A cloud security professional is analyzing threats to a virtualized infrastructure. Which attack type poses the GREATEST risk to…
- A security analyst discovers that ransomware groups are increasingly targeting VMware ESXi hypervisors in multi-tenant environments.…
- Encrypt tenant data with per-tenant keys so shared media yields nothing across the boundary
Storage isolation logically segregates each tenant's data and, on professional designs, encrypts it with per-tenant keys, so even physical media shared with other customers produces nothing readable across the tenant boundary. Per-tenant keys also bound the blast radius: compromising one tenant's key never exposes another's data.
Trap Relying on a single shared encryption key across tenants; one key compromise then exposes every tenant's data on the shared media.
- Access to the management plane is identity-first, with least privilege and MFA
The control plane that provisions tenants and isolation is an API, so access to it is governed by identity, not network position. Administrative access follows least privilege, uses role-based access control to scale by role, and prefers just-in-time elevation over standing admin rights, with multi-factor authentication on every privileged path. A single over-permissioned administrative credential can collapse every isolation layer at once, so this is the load-bearing control.
Trap Securing tenant VMs and networks but leaving the management plane on a static, over-permissioned admin credential; that one credential undoes all the lower-layer isolation.
3 questions test this
- An organization wants to reduce the risk associated with standing privileged access in their cloud environment. They need a solution that…
- A security architect is reviewing the management plane security for a multi-tenant cloud solution. According to cloud security best…
- A cloud security team is implementing privileged access management (PAM) to control administrative access to production systems. Which…
- Physical design begins with site selection, which is hard to reverse
Physical design decides where and how to build before any wall goes up, so location choices carry the most weight. A site is evaluated for natural-hazard exposure (flood plains, seismic zones, storm tracks), distance from high-risk neighbors, reliable reach to the power grid and multiple carriers, and the legal jurisdiction. Build decisions (physical access control, surveillance, hardened structure) follow the site, not the other way around.
- Data center jurisdiction determines data residency and who can compel access
The country a facility sits in sets the legal jurisdiction over the data stored there, which governs data-residency obligations and which government can lawfully compel the provider to hand over data. That makes location a legal and privacy decision, not only an availability one, so siting must account for the regulatory regime, not just the hazard map.
- The power chain is utility, then UPS, then generator, and the UPS bridges the gap
Environmental power design chains redundant utility feeds to an uninterruptible power supply (UPS) to on-site generators with stored fuel. The UPS exists specifically to hold the load on battery for the seconds-to-minutes gap between a utility failure and the generators reaching full load; the generators then carry a sustained outage. Drop the UPS and the facility goes dark in that gap even with generators installed.
Trap Assuming generators alone cover a utility outage; generators take time to start and reach load, so without a UPS to bridge that gap the IT load drops.
3 questions test this
- During a power outage at a cloud service provider's data center, the UPS systems immediately activate. What is the PRIMARY purpose of the…
- During a power outage at a data center, the UPS systems immediately provide power while generators start up. What is the PRIMARY purpose of…
- During a power outage at a data center, which sequence correctly describes the operation of backup power systems to maintain continuous…
- Precision HVAC holds temperature and humidity inside the equipment's tolerance band
Cooling is an availability control because servers fail within minutes without it. Precision HVAC maintains temperature and humidity within the IT equipment's recognized envelope (the ASHRAE thermal-guidelines range): too hot and components throttle or fail, too humid and condensation forms, too dry and static discharge becomes a risk. Cooling redundancy matters as much as power redundancy when sizing a Tier.
- Data center fire suppression protects equipment, so it avoids dumping water
Fire suppression in a server hall is designed to protect equipment rather than soak it, typically clean-agent gaseous suppression or a pre-action sprinkler system that does not charge the pipes with water until a fire is actually detected. The pre-action design means a single false trigger or a burst head does not destroy a hall of running servers.
Trap Specifying a standard wet-pipe sprinkler system for a server hall; a single accidental discharge then soaks and destroys the equipment the suppression was meant to protect.
- Multi-vendor diverse connectivity stops one carrier or one cable from isolating the site
A facility with perfect power and cooling is still down if its single network link is cut, so environmental and resilience design provision diverse connectivity: physically separate fiber paths entering the building at different points, served by different carriers. One cable cut or one carrier outage then cannot take the site offline. This is the connectivity half of removing single points of failure.
Trap Treating two circuits from the same carrier entering the same conduit as redundant; a single cut or that carrier's outage drops both, so it is not true path diversity.
- Redundancy is expressed as N, N+1, and 2N
Resilience is sized in redundancy terms. N is exactly the capacity the load needs with no spare, so any failure or maintenance causes an outage. N+1 adds one spare component beyond the requirement, so one unit can fail or be serviced while the rest carry the load. 2N is full duplication, two complete independent systems, so an entire system can fail and the other carries the full load with no impact. 2N+1 is a duplicated system that also holds a spare.
Trap Reading N+1 as full duplication; N+1 is one spare component, while 2N is a second complete independent system, a much higher (and costlier) level.
4 questions test this
- A security architect is designing power redundancy for a new cloud data center that must support concurrent maintainability, allowing any…
- An organization requires a UPS configuration that provides the BEST balance between cost efficiency and operational reliability for a…
- An organization requires their data center power infrastructure to continue operating even if any single component fails, without requiring…
- An organization is evaluating a cloud service provider's data center for critical workloads. The CSP claims their facility can guarantee…
- Uptime Institute Tiers I-IV are a cumulative redundancy ladder
The Uptime Institute Tier Standard classifies a facility I through IV by the redundancy of its power and cooling, and the levels are cumulative: each Tier includes the lower ones and adds one requirement. Tier I is a single non-redundant path (N); Tier II adds redundant components (N+1); Tier III adds a second distribution path so it is concurrently maintainable; Tier IV adds fault tolerance (typically 2N). Higher Tier means higher sustained availability.
- Tier III's defining property is concurrent maintainability
Tier III adds a second distribution path (one active, one alternate) on top of redundant components, so any single component or path can be removed for planned maintenance with no downtime. That property, concurrently maintainable, is what distinguishes Tier III from Tier II: Tier II's redundant components survive a failure but its single distribution path still forces downtime to service.
Trap Choosing Tier II / N+1 when the requirement is zero-downtime maintenance; N+1 components survive a failure, but a single distribution path still requires downtime to service, which only Tier III avoids.
- Tier IV adds fault tolerance: any single failure is absorbed automatically
Tier IV has everything Tier III has plus fault tolerance, typically 2N active-active distribution, so any single unplanned failure is absorbed with no impact and no human intervention. It is the level to choose when the requirement is to survive any single failure automatically, not merely to maintain without downtime, which is the Tier III bar.
- A Tier rating measures availability, not security
The Uptime Institute Tier classification rates a facility on the redundancy of its power and cooling and the resulting sustained availability. It says nothing about access control, encryption, or tenant isolation, so a Tier IV facility can still be insecure. Treat a high Tier as a resilience assurance only, never as proof the facility's security controls are sound.
Trap Citing a Tier IV rating to answer a security question; Tier measures availability through redundancy, so it is the distractor when the stem asks about access control or data protection.
- Resilience extends beyond one building with geographic separation
No amount of in-building redundancy survives a regional event such as a flood or grid-wide outage, so resilience design also separates redundant facilities geographically and pairs that with diverse multi-vendor connectivity. Cloud providers apply the same logic at scale with availability zones engineered as physically separated facilities, so a fault in one does not cascade to another. This is where data center design hands off to business continuity and disaster recovery.
Trap Adding more UPS or generator capacity to survive a regional disaster; in-building redundancy does nothing against a flood or area-wide event, which requires a geographically separate facility.
- PUE is total facility energy divided by IT energy; WUE measures cooling water per IT energy
Power Usage Effectiveness (PUE) = total facility energy / IT equipment energy; a PUE of 1.25 means 25% extra goes to cooling, power distribution, and lighting, and a value nearer 1.0 is more efficient. Water Usage Effectiveness (WUE) divides annual cooling and humidification water by IT energy to track water efficiency, with lower being better.
3 questions test this
- A security professional is evaluating a cloud provider's data center energy efficiency. The facility consumes 15 megawatts (MW) total, with…
- A data center manager needs to evaluate cooling efficiency and receives the following information: the total facility power consumption is…
- A cloud security professional is reviewing environmental monitoring requirements for a new data center. The organization wants to optimize…
- Hot/cold aisle containment physically separates supply and exhaust air to stop recirculation
Hot- or cold-aisle containment uses barriers (sidewalls, ceiling panels, end doors) to keep hot server exhaust from mixing with cold supply air. Eliminating recirculation lets cooling deliver just enough cold air, cutting energy use. Very high-density racks may add direct-to-chip liquid cooling because water absorbs far more heat than air.
4 questions test this
- A cloud security architect is designing a data center cooling strategy to reduce energy consumption. The data center experiences hot air…
- A data center architect is designing a cooling system for a new facility hosting high-density AI workloads with chips generating up to 1000…
- A data center manager needs to optimize cooling efficiency while reducing energy consumption. The facility uses raised-floor cooling with…
- A security architect is designing cooling systems for a new data center with high-density server racks. Which approach provides the PRIMARY…
- Data centers use clean-agent suppression: nonconducting, residue-free, with room sealing and HVAC shutdown
Clean agents are electrically nonconducting gaseous extinguishants that leave no residue, so they protect IT equipment that water would damage. To maintain extinguishing concentration NFPA requires the room to be sealed and HVAC to shut down automatically on discharge. Inert-gas agents like IG-541 (Inergen) include about 8% CO2 to stimulate breathing at reduced oxygen levels.
Trap Specifying wet-pipe sprinklers for the server room; for accidental-discharge concerns use a double-interlock pre-action system that needs both detection and a fused head before water flows.
4 questions test this
- During the design phase of a data center clean agent fire suppression system, the security architect must ensure the system will maintain…
- An organization is selecting an inert gas fire suppression system for their data center. The security manager is concerned about personnel…
- A cloud service provider is designing fire suppression systems for a new data center. The security architect recommends implementing a…
- According to NFPA 75 recommendations for fire protection in data centers, what action should occur when a clean agent fire suppression…
- Server-room access is multi-factor (badge plus biometric) with liveness detection
Industry practice secures data-center server rooms with multi-factor physical authentication, typically a proximity badge (something you have) plus a biometric scan (something you are), with progressively stronger checks closer to the equipment. Biometric readers need liveness detection or spoofed samples can defeat them; self-expiring visitor badges prevent retained credentials from granting later access.
5 questions test this
- A security architect is designing authentication requirements for a cloud data center. For access to server rooms containing customer data,…
- A security architect is designing physical access controls for a new data center. The design requires that upon entering the building,…
- A cloud data center implements biometric authentication at sensitive access points. A security auditor identifies that the biometric system…
- A cloud service provider is implementing a defense-in-depth physical security strategy for a new data center. The design specifies four…
- A cloud provider's data center policy requires all visitors to sign a non-disclosure agreement, receive approval from datacenter…
Cloud Infrastructure Risk Analysis
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Controls Planning
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Business Continuity & DR
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Cloud Application Security
AppSec Training & Awareness
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- The OWASP Top 10 and CWE/SANS Top 25 are the two awareness catalogs CCSP grades against
When the exam asks what application-security awareness training should reference, the answer is the OWASP Top 10 for web application risk categories and the CWE/SANS Top 25 for the underlying software weaknesses. The two are zoom levels on one problem, not competitors: OWASP frames broad risks for prioritization, while CWE names the exact weakness so it can be tracked and trained against.
- OWASP lists broad risk categories; CWE lists specific weaknesses
The OWASP Top 10 entries are broad risk categories such as Broken Access Control or Injection, ten of them, ranked by incidence and exploitability across many applications. The CWE Top 25 entries are individual weakness types with stable identifiers, such as CWE-79 (cross-site scripting) or CWE-89 (SQL injection), ranked by how often they appear in reported CVEs and how severe they are. A stem that names a broad risk points to OWASP; one that gives a specific weakness or a CWE number points to the CWE Top 25.
Trap Treating OWASP and CWE as the same granularity; OWASP is risk categories, CWE is individual weakness identifiers, and a question can hinge on that distinction.
- Broken Access Control rose to the #1 OWASP risk in 2021
In the OWASP Top 10:2021, A01 Broken Access Control became the top-ranked risk, displacing Injection, because the supporting data showed it was the most common serious flaw across tested applications. It means a user reaching data or actions they are not authorized for.
Trap Naming Injection as the current #1 OWASP risk; it led in 2017 but Broken Access Control overtook it in the 2021 edition.
- OWASP 2021 folded XSS into the Injection category
Cross-site scripting is no longer its own OWASP Top 10 entry; in the 2021 edition it sits inside A03 Injection alongside SQL injection and command injection, because all share the root cause of untrusted input being interpreted. As a CWE it is still CWE-79.
Trap Expecting a standalone Cross-Site Scripting entry in the OWASP Top 10:2021; XSS was merged into A03 Injection that edition.
- Insecure Design (A04) is the OWASP category for missing security design, not coding bugs
A04 Insecure Design was introduced in 2021 to capture flaws that come from weak or absent security design rather than an implementation mistake, which is why threat modeling and secure design patterns are its countermeasures. A perfectly coded feature can still be insecure by design if the design never considered the threat.
Trap Assuming better code review or testing fixes Insecure Design; the flaw is in the design, so it is addressed by threat modeling and secure design, not by catching bugs.
- SSRF (A10) and Misconfiguration (A05) are the OWASP risks the cloud sharpens most
Server-Side Request Forgery was added as A10 in 2021 partly because cloud metadata endpoints make a tricked internal request especially damaging, exposing instance credentials. Security Misconfiguration (A05) is the OWASP category that maps most directly to cloud breaches, because insecure defaults and exposed configuration are the dominant cloud failure. Both are general risks, but cloud raises their impact.
Trap Dismissing SSRF as a niche web bug in a cloud context; against a metadata endpoint it can leak the instance's IAM credentials.
- CWE is MITRE's dictionary of weakness types; the Top 25 ranks the most dangerous
Common Weakness Enumeration (CWE) is maintained by MITRE as a catalog of software and hardware weakness types, each with a stable CWE-number. The CWE Top 25 Most Dangerous Software Weaknesses ranks the 25 most prevalent and severe, scored from reported CVE data. It was historically co-published with SANS, which is why it is still called the CWE/SANS Top 25.
- An OWASP category contains several CWE weaknesses
The two catalogs nest: OWASP A03 Injection contains CWE-89 (SQL injection) and CWE-79 (cross-site scripting); OWASP A01 Broken Access Control contains weaknesses such as CWE-22 (path traversal) and CWE-862 (missing authorization). OWASP is the awareness framing for prioritizing what to teach; CWE is the precise label you attach to a specific finding so it can be tracked and deduplicated.
- The cloud dissolves the network as a trust boundary, so authenticate every call
Cloud workloads are reachable through public control-plane and data-plane APIs, so an internal source address is no longer authorization. Code that trusted any caller already inside the data center must be rewritten to authenticate and authorize every request, because the perimeter the old code leaned on does not exist in the cloud.
Trap Relying on network position or a VPC boundary to authorize requests between cloud services; location grants no trust, so each call still needs its own authentication.
- Keep secrets out of code and images; fetch them from a secrets manager at runtime
In the cloud, credentials travel through source repositories, CI/CD pipelines, container images, and environment variables, any of which can leak them. The awareness rule is that secrets belong in a managed secrets store the app reads at runtime, never hardcoded in source or baked into an image. This is the developer-side habit; OWASP catalogs the failure as part of misconfiguration and integrity risks.
Trap Storing a secret in an environment variable or container image and treating it as hidden; both are readable and leak the credential.
2 questions test this
- Misconfiguration and insecure defaults are the most common cloud-breach root cause
A publicly exposed storage bucket, debug mode left on in production, or a default admin password unchanged is consistently the largest single source of cloud breaches, and it is OWASP A05 Security Misconfiguration. The defense taught in awareness is hardened baselines (for example a CIS Benchmark) deployed from a golden image, plus configuration scanning that flags drift. When a scenario shows data exposed with no exploit or malware, this is the root cause.
Trap Reaching for a new firewall or perimeter device when data is exposed with no exploit; the cause is misconfiguration, fixed by a hardened baseline, not a network control.
- Over-permissive IAM turns a compromised component into a full-account compromise
A function or container granted a wildcard or admin role hands an attacker everything that role can reach if the code is compromised, so least privilege is a coding and design concern, not just an operations one. Grant each component only the actions and resources it needs, and prefer short-lived credentials over long-lived static keys. A stem where a compromised component reached far more than its job required points here.
Trap Attaching a broad or admin role to a workload because scoping it is more effort; one compromise then exposes everything that role can reach.
2 questions test this
- Unvalidated input is the root of the entire injection family
Trusting data from a request, a queue, or another service is what lets untrusted input be interpreted as a command or query, which is OWASP A03 Injection. The awareness-level defense is to validate input against an allowlist and encode output for its context. Awareness names the weakness; the secure-coding subtopic implements the parameterized query and the encoder.
Trap Validating only with a denylist of known-bad patterns; attackers bypass denylists, so an allowlist of permitted input is the durable control.
7 questions test this
- An organization is developing a security awareness training program for developers to address OWASP Top 10 vulnerabilities. According to…
- An organization is developing a security awareness program for their development team focused on preventing injection vulnerabilities.…
- A development team is implementing secure coding practices according to the NIST Secure Software Development Framework (SSDF). Which…
- A development team is building an event-driven application that consumes messages from an event bus. According to OWASP guidance, which…
- A development team is building a serverless application that can be triggered by multiple event sources including API Gateway requests,…
- An organization is evaluating security risks specific to their event-driven serverless architecture. A security analyst identifies that…
- According to OWASP secure coding practices, which of the following represents the MOST critical practice for preventing injection…
- Vulnerable and outdated dependencies (A06) need software composition analysis
Most cloud applications are mostly other people's code, so shipping a library or platform with a known CVE is a leading risk, catalogued as OWASP A06 Vulnerable and Outdated Components. The awareness-level defense is software composition analysis (SCA) in the pipeline to detect known-vulnerable dependencies, plus keeping components current.
Trap Assuming your own code review covers third-party libraries; SCA tooling, not manual review, is what finds known-vulnerable dependencies at scale.
- Awareness names the weakness and the defense; secure coding implements it
AppSec training and awareness is the what and the why: which weaknesses exist, why the cloud makes them sharper, and how to recognize them in a question stem. The hands-on secure coding, threat modeling, and SDLC-phase work belong to the secure SDLC subtopics. On the exam, a question about recognizing a risk category or a common pitfall is awareness; a question about how to implement the fix is the secure SDLC.
- Role-based awareness training is most effective before the first commit
Secure software depends more on what developers know going in than on what testing catches coming out, because the cheapest defect to fix is the one never written. Awareness training therefore targets onboarding and is role-based, so developers, testers, and operators each learn the pitfalls relevant to their work before insecure code or defaults enter the repository.
- Match the symptom to the awareness answer when reading the stem
The recurring pattern: data exposed with no exploit points to misconfiguration and a hardened baseline; a credential found in a repo or image points to a secrets manager plus rotation; a compromised component that reached too far points to over-permissive IAM and least privilege. Match the described symptom to the concept rather than to the most technically impressive option, which is usually the distractor.
Secure SDLC Process
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- The secure SDLC is the normal SDLC with a security activity per phase
The SSDLC does not replace the development life cycle; it attaches a deliberate security activity to each existing phase so security is designed in rather than inspected in at the end. The phases ISC2 commonly uses are requirements, design, development, testing, deployment, and operations and maintenance. Knowing the backbone matters more than the exact count, because different models compress or rename phases while keeping the same flow.
- Fix flaws as early as possible because cost rises about 10x per later phase
The cheapest place to fix a defect is the earliest phase that could catch it, which is why the whole life cycle is phased. A requirements or design flaw fixed on paper costs roughly an order of magnitude less than the same flaw found in testing, and far less again than a vulnerability patched in production. This cost-to-fix curve is the reasoning behind shift-left, so a question describing an expensive late patch is signalling a skipped early activity.
- Capture security requirements at the requirements phase, not before launch
Security and privacy requirements are gathered alongside functional requirements at the very start, driven by the data handled, the regulations in scope, and the threat environment. They then shape design, constrain code, and define what tests must prove. A team that writes only functional stories and discovers its encryption, logging, and access needs during a pre-launch pen test has inverted the life cycle and pays for it in rework.
Trap Treating security as a final review gate just before go-live; that lets flawed requirements and insecure design accumulate to where they are expensive to remove, the exact shift-left failure the phase model prevents.
- Abuse cases are the security counterpart to use cases, written at requirements
An abuse case describes how an attacker would deliberately misuse a feature, the mirror image of a use case that describes intended behavior. Writing abuse cases during the requirements phase surfaces the misuse paths controls must block before any design is drawn. They feed the threat model that the design phase produces.
- Threat modeling belongs to the design phase, before code exists
The design phase produces a secure architecture and a threat model that names what could go wrong and which control answers each threat. Trust boundaries, authentication flows, and where data is encrypted are decided here on paper, where changes are cheap. The describe-the-process view places threat modeling in design; the specific methods used to do it live in the apply-the-SDLC objective.
Trap Placing threat modeling in the coding phase; it belongs to design, because you model the architecture before the code that implements it exists.
- SAST is a white-box code-time check run during development
Static application security testing (SAST) analyzes source code or bytecode without running it, flagging vulnerable patterns early in the development phase. It is a white-box technique because it sees the code, so it catches issues like injection-prone patterns before a build runs. It cannot see behavior that only emerges at runtime, which is what dynamic testing covers.
Trap Expecting SAST to catch runtime-only flaws such as misconfigured server responses or auth bypasses that appear only when the app runs; those need dynamic testing.
- DAST is a black-box runtime check run during testing
Dynamic application security testing (DAST) exercises the running application from the outside, finding flaws that surface only at runtime. It is a black-box technique because it sees behavior, not source, so it complements rather than replaces SAST. A complete secure SDLC uses both: SAST in development on the code, DAST in testing on the running system.
Trap Choosing DAST alone as sufficient application security testing; without SAST you miss code-level defects that never surface in black-box behavior.
- Each phase owns a distinct, named security activity
The phase model assigns one security activity per phase so nothing is implicit: requirements gathers security requirements and abuse cases, design produces the threat model and secure architecture, development applies secure coding and SAST, testing runs DAST and abuse-case testing, deployment hardens config and manages secrets, and operations patches, monitors, and securely decommissions. The exam frequently hands you a phase and asks for its activity, or an activity and asks for its phase.
- Maintenance and secure decommissioning are phases of the SSDLC, not afterthoughts
Operations and maintenance is a full phase: the live system is patched, monitored, and its dependencies tracked, and when the application retires it is securely decommissioned with data sanitized or crypto-shredded and access revoked. Treating retirement as outside the life cycle leaves orphaned data and credentials behind. In the cloud, crypto-shredding the keys is the practical decommission step because you do not control the physical disks.
- Waterfall runs the phases once in sequence with sign-off gates
Waterfall executes the phases strictly in order, each formally signed off before the next begins, which gives traceability and predictability that suit fixed-scope, heavily regulated work. Its cost is that most testing is deferred to a late dedicated phase, so security defects appear where the cost-to-fix curve is steepest, and mid-project requirement changes are expensive to absorb. Choose it when requirements are stable and a regulator expects documented phase gates.
Trap Forcing waterfall onto volatile requirements; its single ordered pass ships software that no longer matches need by release, which is exactly when an iterative methodology fits better.
- Agile delivers the same phases in short repeating iterations
Agile runs requirements, design, build, and test inside short sprints, producing working tested software continuously and absorbing changing requirements gracefully. The risk is that security drifts when it is not made an explicit part of every sprint, because deferred security work tends never to arrive. Choose agile when requirements evolve and fast feedback matters more than fixed up-front scope.
Trap Assuming agile is automatically secure; without security work built into each sprint, the iterative cadence just defers security indefinitely.
- DevSecOps shifts security left by automating it into the pipeline
DevSecOps extends DevOps by wiring security into the automated CI/CD pipeline so it runs on every change: SAST and software composition analysis on code and dependencies, DAST on the running build, infrastructure-as-code and container-image scanning, and policy-as-code gates. The principle is continuous automated assurance instead of a one-time release gate, the same shift-left idea the cost-to-fix curve demands, now enforced by the pipeline rather than by discipline alone.
Trap Treating a single security review just before launch as a secure pipeline; that is a release gate, not shift-left, and lets insecure design accumulate until it is costly to fix.
14 questions test this
- An organization wants to ensure that its IaC templates comply with security policies before any pull request is merged. The security team…
- A cloud security architect is designing a CI/CD pipeline for deploying microservices in containers. The organization wants to prevent…
- An organization is implementing training for developers on integrating SCA tools into CI/CD pipelines. Which approach should the training…
- A DevSecOps team is integrating SCA scanning into their cloud application development workflow. According to OWASP DevSecOps guidance, at…
- An organization is implementing a container security strategy that includes vulnerability scanning for container images. At which point in…
- An organization is implementing container image scanning within their CI/CD pipeline. At which point in the pipeline does scanning provide…
- A security architect wants to enforce organizational guardrails on every Terraform plan before it is applied, such as prohibiting publicly…
- An organization is implementing a DevSecOps pipeline and wants to identify security vulnerabilities in their Terraform templates before…
- An organization wants to integrate SCA scanning into their CI/CD pipeline for cloud-native applications. At which stage should SCA scanning…
- A development team is implementing container security controls for their cloud-native application. Which approach provides the MOST…
- A cloud application development team using a DevSecOps approach wants to ensure that vulnerabilities introduced during the coding phase are…
- A software development organization is implementing the NIST Secure Software Development Framework (SSDF), which incorporates practices…
- A DevSecOps engineer is integrating IAST into a continuous integration pipeline for a cloud-native application. What is the PRIMARY benefit…
- A DevSecOps team wants their CI/CD pipeline to automatically enforce security policies as code, ensuring that every deployment is validated…
- Agile is iteration cadence; DevSecOps is automated security in delivery
The two are complementary, not synonyms: agile decides how often you run the phases, while DevSecOps decides how security is built into delivery. You can run agile with manual security reviews each sprint, and you can apply DevSecOps practices on top of waterfall or agile alike. A question about automating SAST/DAST into CI/CD points to DevSecOps, while a question about short iterations and changing scope points to agile.
Trap Equating agile with DevSecOps; adopting sprints does not by itself automate security, and automating security does not require agile.
- Software composition analysis covers vulnerable third-party dependencies
Software composition analysis (SCA) inventories the open-source and third-party components a build pulls in and flags known-vulnerable versions, which neither SAST nor DAST reliably catch because the flaw lives in code you did not write. In a DevSecOps pipeline SCA runs automatically on each change so a newly disclosed dependency CVE is caught at build time. It is the supply-chain-facing leg of automated assurance.
Trap Relying on SAST to catch vulnerable libraries; SAST scans your code, while a known-vulnerable dependency version is found by SCA against a vulnerability database.
- Security is a system requirement, designed in, not bolted on
The governing principle of the secure SDLC is that security is a property of the system and its delivery process, captured as a requirement and carried through every phase, never a checklist added before release. This is why the phase model exists and why shift-left is the recurring corrective. A process whose only security step is a final gate has misunderstood the model regardless of which methodology it uses.
Applying the Secure SDLC
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Software Assurance & Validation
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Verified Secure Software
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Cloud Application Architecture
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Identity & Access Management Solutions
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Cloud Security Operations
Building Cloud Infrastructure
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- A TPM measures and attests platform state; it is not a key vault
A Trusted Platform Module is a passive chip soldered to one physical host that hashes firmware, boot loader, and kernel into Platform Configuration Registers as they load, then signs those values so a remote verifier can confirm the host booted known-good software (measured boot and remote attestation). It can also seal a small secret to a specific PCR state so the secret only unseals on that exact configuration. It is not built for bulk encryption or holding many keys.
Trap Reaching for a TPM to store and serve application encryption keys; that throughput-and-storage role belongs to an HSM, while the TPM only measures, attests, and seals a tiny secret.
- An HSM keeps key material inside its boundary and returns only the result
A Hardware Security Module is a high-throughput cryptographic processor whose defining guarantee is that the private key never leaves its tamper-resistant boundary in plaintext. You send it data plus an operation (encrypt, decrypt, sign, generate); it performs the operation internally and returns only the result. That property is what lets you prove a key was never exposed to the operating system or to a co-tenant.
3 questions test this
- A cloud operations team is implementing key management best practices for their AWS CloudHSM cluster. The organization wants to ensure that…
- An organization is implementing key management controls for their cloud HSM deployment to ensure that highly sensitive master keys never…
- A cloud security architect is designing a key management strategy for an organization using cloud HSM services. The architect needs to…
- FIPS 140 levels name specific physical-tamper guarantees, not brands
HSMs are validated against FIPS 140-2 or its successor FIPS 140-3, and the level is the testable detail. Level 1 is software-grade with no physical security; Level 2 adds tamper-evidence and role-based authentication; Level 3 adds active tamper response (the device zeroizes its keys on physical intrusion) plus identity-based operator authentication; Level 4 adds resistance to environmental attacks. When a mandate says "FIPS 140-2 Level 3" it is specifying the tamper-response and operator-auth guarantee, so record the certificate number as evidence.
Trap Treating any FIPS 140 validation as equivalent; Level 1 has no physical protection at all, so it does not satisfy a Level 3 zeroize-on-intrusion requirement.
5 questions test this
- During an HSM deployment review, a cloud security engineer needs to understand the tamper response mechanisms of FIPS 140-2 Level 3…
- A security operations team is monitoring their cloud HSM infrastructure when they receive an alert indicating a tamper event has been…
- A financial services organization is evaluating cloud-based HSM solutions and requires FIPS 140-2 Level 3 certification. Which security…
- A financial institution has implemented a cloud HSM solution and must configure tamper detection and response mechanisms. What is the…
- An organization using a cloud HSM service experiences a hardware tamper event that triggers automatic key deletion. Which term BEST…
- Multi-tenant KMS vs dedicated HSM is a custody decision
Cloud key services come in two shapes that differ by who controls the partition. A multi-tenant key management service (AWS KMS, Azure Key Vault, Google Cloud KMS) is HSM-backed but shared across customers, which is fine for most workloads. A dedicated single-tenant HSM (AWS CloudHSM, Azure Dedicated HSM) gives one customer sole control of the hardware partition and the keys, for when regulation or contract makes shared custody unacceptable. Choose dedicated only when single-tenant custody is genuinely required, because it costs more and you operate it.
Trap Provisioning a dedicated single-tenant HSM for an ordinary workload that the multi-tenant KMS already protects; you take on cost and operational burden with no custody requirement to justify it.
- Production multi-tenant cloud runs Type-1 hypervisors
A Type-1 (bare-metal) hypervisor installs directly on the hardware with no host operating system beneath it, so its trusted computing base is small, which is why every IaaS provider runs one (KVM, Xen, ESXi). A Type-2 (hosted) hypervisor runs as an application on a general-purpose OS, inheriting that OS's vulnerabilities, suitable for a developer laptop but not a multi-tenant host. Fewer layers below the isolation boundary means fewer paths for a guest to escape it.
Trap Picking a Type-2 hypervisor for a multi-tenant cloud host because it is easier to set up; the underlying host OS becomes an extra attack surface directly beneath every tenant's guest.
- VM escape is the threat the hypervisor build exists to prevent
VM escape (guest-to-host breakout, sometimes hyperjacking) is when a guest exploits a flaw in the hypervisor or emulated virtual hardware to run code at host level, which on a shared host means reaching co-tenants. Build-phase defenses all shrink the path to it: run Type-1 to drop the host-OS layer, keep the hypervisor patched to a known baseline, strip and isolate the management interface, and enforce isolation with CPU virtualization extensions rather than fragile software emulation.
6 questions test this
- A security analyst determines that an attacker successfully exploited a vulnerability in the virtual device emulator to escape from a guest…
- An organization is deploying compute virtualization infrastructure for a multi-tenant cloud data center. The security team must select the…
- A cloud security architect is concerned about VM escape attacks in their virtualized environment where an attacker could break out of a…
- A cloud service provider implements compute isolation for tenants in their IaaS offering. Which control provides the STRONGEST security…
- A cloud security architect is evaluating hypervisor options for a new enterprise data center. Which hypervisor type provides the MOST…
- A security operations team discovers that an attacker has exploited a vulnerability in a guest virtual machine and gained access to the…
- CPU virtualization extensions enforce isolation in silicon
Require the hardware virtualization extensions on every host: Intel VT-x or AMD-V for CPU virtualization, plus Intel VT-d or AMD-Vi (IOMMU) for DMA isolation so a passed-through or malicious device cannot read host memory. Hardware-enforced isolation is stronger than software emulation, so the build that turns these on is the more secure one. Also apply microcode and firmware updates that mitigate speculative-execution side channels.
Trap Assuming software emulation isolates guests as well as the hardware extensions; without VT-d/AMD-Vi, a passthrough device can DMA into memory the guest should never reach.
- Disable memory deduplication across tenants and encrypt sensitive guest memory
Shared physical RAM is partitioned among guests, so the threats are cross-VM reads and side channels. Disable transparent page sharing and memory deduplication across tenants, because identical-page merging has enabled cross-VM information leaks. For high-isolation or confidential workloads, enable hardware memory encryption (AMD SEV, Intel SGX enclaves, or Intel TDX trust domains) so guest memory is encrypted even from the hypervisor and the host operator, not only from other guests.
Trap Relying on hypervisor partitioning alone for confidential data; without hardware memory encryption a compromised hypervisor or host operator can still read the guest's RAM.
- Lock down the virtual switch so a guest cannot sniff or spoof neighbors
On virtual switch port groups, disable promiscuous mode so a guest cannot capture traffic destined for other VMs, and disable MAC-address changes and forged transmits so a guest cannot impersonate another's address. Segment tenants onto their own virtual networks or VLANs/VXLANs with default-deny security groups, and isolate the management plane onto a separate network that guest workloads cannot route to.
Trap Leaving promiscuous mode enabled on a port group for troubleshooting convenience; any guest on that group can then sniff its neighbors' traffic.
- Cryptographic erase is the scalable way to sanitize reclaimed cloud storage
A virtual disk reassigned from one tenant to another must not carry the previous tenant's bytes (data remanence). Encrypt every volume and image at rest, then sanitize by destroying the encryption key (cryptographic erase), which renders the data unrecoverable instantly and at scale, consistent with NIST SP 800-88 media sanitization. Physical overwrite or degaussing does not fit shared, abstracted cloud storage the way crypto-erase does.
Trap Assuming you can degauss or physically destroy a specific tenant's blocks in a shared cloud array; you do not control the physical media, so cryptographic erase via key destruction is the workable control.
3 questions test this
- A company is decommissioning a cloud environment that stored sensitive data across SAN volumes, NAS file shares, and object storage. The…
- An organization needs to securely decommission data stored across cloud SAN block volumes and object storage buckets. Physical media…
- An organization needs to permanently destroy specific data sets stored on cloud-based SAN block storage. The data is encrypted at rest…
- Containers share a kernel, so isolate untrusted workloads in their own VM
Containers are not a hypervisor type; they isolate at the OS level with namespaces and cgroups while sharing one host kernel, a weaker boundary than a hypervisor's because a kernel exploit can cross between containers. When untrusted or strongly-isolated workloads need the VM boundary back, run each container or pod inside its own lightweight VM on a Type-1 hypervisor.
Trap Treating the container boundary as equivalent to the VM boundary; a single host-kernel vulnerability can compromise every container on the host, which the hypervisor boundary would have contained.
- Build every host and image from a hardened baseline, not a default install
Build is the one clean moment, so produce hosts, hypervisors, and golden guest images from a defined baseline mapped to a recognized standard such as a CIS Benchmark or DISA STIG. The baseline removes default and unused accounts, changes or removes every default credential including the management agent's, disables unused services and ports, sets the host firewall to default-deny, enables disk encryption, and configures secure logging and time sync. Anything left at vendor defaults is the easiest thing for an attacker to use.
Trap Leaving the management agent's or appliance's default credentials in place after deployment; default credentials are among the first things scanned for and exploited.
- Capture the hardened build as a signed, immutable golden image
Provision every host and VM from a single golden image rather than configuring each by hand. Immutability is the security property: identical instances make configuration drift detectable (anything differing from the image is suspect), patching becomes rebuild-and-replace instead of in-place editing, and a compromised instance is discarded rather than cleaned. Sign or hash the image and verify it at launch so a tampered image is caught before it boots.
- Harden the management plane before handing it to operators
The management plane (hypervisor management interface, orchestration and configuration tools, cloud control APIs) controls every guest, so it is the highest-value target. At build time isolate it on its own network away from tenant traffic, install its tools only from verified sources, require MFA and least-privilege RBAC for administrators, and enable full audit logging of management actions from day one. A breach here is a breach of the whole estate, not one tenant.
Trap Putting the management interface on the same network tenants can reach so admins can connect conveniently; that exposes the control plane of every guest to tenant-side attackers.
- Keep IaC and config-management credentials in a secrets manager, never in an image
Infrastructure-as-Code and configuration-management tooling is part of the build attack surface because the credentials it holds can rebuild the entire estate. Store those secrets in a dedicated secrets manager and inject them at run time; never bake them into a golden image, a container layer, or a source repository, where they persist and leak. The blast radius of a leaked build credential is the whole platform.
Trap Embedding deploy keys or API tokens directly in the golden image or IaC repo for convenience; they ship to every host and survive in version history where they are trivially harvested.
- Install the guest virtualization toolset from the trusted source during build
Part of building a guest is installing its virtualization toolset (VMware Tools, virtio paravirtualized drivers, cloud-init or the cloud agent) so paravirtualized I/O performs well and the orchestration hook is present. Pull these only from the platform vendor's trusted source, then harden the guest OS itself to the baseline. The toolset runs with privilege inside the guest, so a tampered package is a direct foothold.
- Build sets the secure starting state; operate keeps it secure over time
The build phase produces a hardened, immutable starting point: trust anchors, hypervisor choice, baselines, golden images. Keeping that state hardened (patch management, drift remediation, monitoring, backup/restore, availability tuning) is the operate phase, covered in the operating-cloud-infrastructure subtopic. Questions about standing up infrastructure point to baselines and trust anchors, while questions about maintaining it point to patching and monitoring.
Trap Answering a standing-up question with an operate-phase control like patch cadence; the build question is asking for the baseline, golden image, or hardware trust anchor that defines the secure starting state.
- CSP-managed keys let the provider decrypt; hold the keys yourself for regulated data
When the CSP manages encryption keys it retains the technical ability to decrypt tenant data, so for regulated data the recommendation is customer-managed keys (CMK) held in a key store separate from the provider — or client-side encryption — so provider insiders cannot read the plaintext. This applies segregation of duties between the data host and the key holder.
Trap Accepting default CSP-managed platform keys for regulated data, leaving the provider technically able to decrypt it.
5 questions test this
- A company stores regulated data on both cloud-based NAS file storage and object storage. Both systems encrypt data at rest using…
- A cloud customer is implementing encryption at rest for data stored across SAN and NAS systems in a public cloud environment. Based on the…
- A financial services company stores regulated data on cloud block storage volumes that replace its on-premises SAN. Compliance mandates the…
- An organization stores regulated financial data in cloud object storage. Compliance requirements mandate the organization retain control of…
- An organization uses a cloud-based NAS for storing regulated healthcare data shared via NFS. The security team has identified that cloud…
- Unique per-tenant keys give cryptographic isolation on shared storage
Encrypting each tenant's volumes or objects with its own unique key, managed through a centralized KMS, ensures one tenant's data cannot be decrypted with another tenant's key even if storage-layer isolation fails. Centralized key management supplies consistent lifecycle, access control, and audit across SAN, NAS, and object storage.
Trap Using one shared key across all tenants so a single key compromise exposes every tenant's data.
4 questions test this
- A security architect is designing a cloud storage strategy that includes SAN for databases, NAS for shared file repositories, and object…
- A cloud architect designs a multi-tenant storage environment using SAN block storage for high-performance database workloads and object…
- An organization needs to permanently destroy specific data sets stored on cloud-based SAN block storage. The data is encrypted at rest…
- In a multi-tenant cloud environment, several tenants share a common SAN infrastructure for block storage. The cloud provider must ensure…
- Set EXTRACTABLE=false so an HSM key can never be exported
Creating a key with the EXTRACTABLE attribute set to false (EXTRACTABLE=0) makes it non-extractable: it can only be used for cryptographic operations inside the HSM and cannot be exported even via key wrapping. This is the configuration for highly sensitive master keys that must never leave the HSM boundary, and it cannot be reversed after creation.
Trap Leaving keys extractable for portability when the requirement is that they never leave the HSM under any circumstance.
3 questions test this
- A cloud operations team is implementing key management best practices for their AWS CloudHSM cluster. The organization wants to ensure that…
- An organization is implementing key management controls for their cloud HSM deployment to ensure that highly sensitive master keys never…
- A cloud security architect is designing a key management strategy for an organization using cloud HSM services. The architect needs to…
- Uptime Tier III is concurrently maintainable; Tier IV is also fault tolerant
Tier III is the minimum that supports concurrent maintainability — any component can be taken offline for maintenance without disrupting service. Tier IV adds fault tolerance, so a single unplanned component failure also causes no disruption (about 99.995%, ~26 minutes annual downtime); a requirement for both fault tolerance and maintenance without interruption needs Tier IV.
Trap Selecting Tier III when the requirement also demands surviving an unplanned single-component failure — that is Tier IV.
3 questions test this
- A cloud service provider requires that its data center power and cooling infrastructure can sustain any single component failure without…
- A cloud service provider is designing their data center to support mission-critical financial services requiring minimal downtime. Which…
- An organization requires that its cloud service provider's data center supports maintenance of power and cooling infrastructure without…
- PUE is total facility power divided by IT power, so lower is more efficient
Power Usage Effectiveness is total data-center energy divided by the energy delivered to IT equipment. A PUE of 1.2 means 1 watt powers IT and 0.2 watts goes to overhead (cooling, power distribution, lighting); a PUE of 1.8 means 0.8 watts of overhead per IT watt. The closer to 1.0, the more efficient the facility.
Trap Reading a higher PUE as better — a larger ratio means more overhead and worse efficiency.
4 questions test this
- An organization evaluating a cloud service provider reviews the provider's sustainability report, which states the data center operates…
- A cloud service provider reports that its primary data center facility has a Power Usage Effectiveness (PUE) of 1.8. Which statement BEST…
- A cloud service provider reports a Power Usage Effectiveness (PUE) value of 1.8 for one of their data center facilities. What does this…
- A data center manager reviews a facility audit report showing a Power Usage Effectiveness (PUE) value of 1.4. What does this metric…
- A Building Management System monitors and controls facility environment proactively
A Building Management System (BMS) continuously monitors data-center temperature, humidity, airflow, and power via facility-wide sensors, automates HVAC control, and alerts operations staff as conditions approach (before they exceed) thresholds. The correct response to a trending-toward-threshold alert is to investigate and adjust proactively, not wait for the alarm.
Trap Waiting until the BMS alarm threshold is breached to act, instead of remediating while conditions are merely trending upward.
4 questions test this
- A cloud data center facilities team needs to deploy a system that provides real-time monitoring of HVAC performance, automated control of…
- A data center operations team receives a notification from the Building Management System (BMS) indicating that temperature in a server…
- Which system is PRIMARILY responsible for providing centralized, continuous monitoring and automated alerting of temperature, humidity, and…
- A cloud service provider's data center uses a Building Management System (BMS) to oversee facility environmental conditions. The BMS…
- Hot/cold aisle containment stops exhaust and supply air from mixing
Hot-aisle/cold-aisle containment erects physical barriers that separate server hot exhaust from cold supply air, eliminating the recirculation that causes localized hot spots and inconsistent inlet temperatures even when overall cooling capacity is adequate. It is the targeted fix for air-mixing problems and improves cooling efficiency.
Trap Adding more raw cooling capacity to chase hot spots when the root cause is hot/cold air recirculation that containment resolves.
5 questions test this
- A data center operations team discovers localized hot spots near several server racks despite the facility's overall cooling capacity…
- A data center operations team is experiencing hot spots near server racks caused by server exhaust air mixing with cold supply air from the…
- A cloud data center is experiencing inconsistent server inlet temperatures, with some racks exceeding ASHRAE recommended limits while…
- A data center design team is evaluating physical layout strategies to optimize the efficiency of their cooling infrastructure. They are…
- A data center architect is evaluating cooling strategies to improve energy efficiency in a new server room. The primary concern is…
- UPS provides instant bridge power until generators assume the load
On utility power loss the UPS comes online instantly, supplying short-term battery bridge power for the seconds-to-minutes it takes diesel generators to start, stabilize, and take over the sustained facility load. The UPS is the gap-filler, not the long-duration source.
Trap Expecting the UPS to carry the facility for hours — its role is to bridge only until the generators assume the load.
3 questions test this
- During a sudden utility power failure at a data center, the Uninterruptible Power Supply (UPS) system activates. What is the PRIMARY…
- During a utility power failure at a data center hosting cloud services, what is the correct sequence of power infrastructure response…
- A data center experiences a complete loss of utility power from the external grid. The facility is equipped with uninterruptible power…
- Lowering a biometric threshold trades FRR for FAR; CER is where they meet
Loosening a biometric system's matching threshold lowers the False Rejection Rate (fewer legitimate users denied) but raises the False Acceptance Rate (more impostors admitted). The Crossover Error Rate (CER), also called Equal Error Rate, is the threshold where FAR equals FRR and is the standard single-number accuracy comparison — lower CER is a better system.
Trap Tuning only for low False Rejection (user convenience) while ignoring the rising False Acceptance Rate that admits impostors.
3 questions test this
- A security team is configuring a biometric fingerprint reader for data center access. When adjusting the sensitivity threshold, they notice…
- A security administrator is evaluating biometric systems for a cloud data center's physical access control. When comparing different…
- A security administrator is evaluating biometric systems for a cloud data center's physical access control. The system should provide…
- Physical defense in depth layers controls from perimeter inward to the rack
Defense in depth applies multiple concentric physical barriers — perimeter fencing, building access control, data-center floor restrictions, then server-rack locks — so if one layer is defeated the next still protects the asset. The layers run from the outermost perimeter inward to rack-level security.
Trap Relying on a single strong control (e.g. a guarded entrance) instead of layered concentric barriers from perimeter to rack.
3 questions test this
- A cloud service provider implements multiple security layers including perimeter fencing, building access controls, data center floor…
- A cloud provider implements multiple layers of physical security including perimeter fencing, building access controls, data center floor…
- A cloud provider implements a defense-in-depth strategy for physical data center security using concentric security layers. Which sequence…
Operating Cloud Infrastructure
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Reach hosts through a bastion, never an open management port
A bastion host, also called a jump box, is a hardened VM in a public subnet that is the only machine allowed to accept inbound RDP or SSH; workload hosts in private subnets accept admin traffic only from the bastion's security group, never from the internet. Concentrating access at one logged choke point lets you enforce MFA, tight allow-lists, and session recording in a single place, instead of securing every host's exposed port. An internet-facing RDP (3389) or SSH (22) rule open to 0.0.0.0/0 is the classic exposure these patterns exist to remove.
Trap Putting the bastion in the same security group rules as the workload but still leaving the workload's RDP/SSH open to the internet, which defeats the single-entry-point design.
- Use a managed session broker for admin access with no inbound port
When a scenario wants administrative access with no open management port and centralized, identity-bound logging, the answer is a managed broker rather than a hand-built bastion. AWS Systems Manager Session Manager, Azure Bastion, and GCP Identity-Aware Proxy all reach the host through the provider's control plane over an outbound or TLS-brokered connection, so the instance needs no inbound rule and often no public IP, and every session is scoped by IAM and logged centrally by default.
Trap Choosing a public RDP/SSH rule plus a network ACL allow-list when the requirement is no inbound port at all; only a brokered service removes the port.
- VPN gives broad network reach; a jump box gives one audited host entry
A VPN establishes an encrypted tunnel onto the private network so an operator can reach many hosts as if local, which suits broad operational reach. A bastion brokers access to one target through a single recorded hop, which suits a clean per-host audit trail. Pick the VPN when the operator legitimately needs to touch many systems, and the jump box when the requirement is a single controlled, logged entry point.
Trap Reaching for a VPN when the real requirement is per-session recording of who touched which host; a plain VPN logs the tunnel, not each host session.
- Out-of-band console access is the recovery path, so guard it like the bastion
The provider's serial or hypervisor console reaches a guest even when its network stack or SSH daemon is broken, which makes it the recovery channel of last resort. Because it bypasses the normal network controls, it must be protected as tightly as the primary admin path, with MFA and tight authorization, or it becomes an unmonitored back door.
- Security groups are stateful; network ACLs are stateless
A security group is a stateful per-instance firewall: allow an inbound flow and its return traffic is permitted automatically, so you do not write a matching outbound rule. A network ACL is a stateless subnet-level filter, so return traffic needs its own explicit rule in the opposite direction, including the ephemeral-port range. Knowing which is stateful decides how many rules a given scenario actually requires.
Trap Treating a network ACL as stateful and forgetting the return-direction rule, so the response traffic is silently dropped even though the request was allowed.
- VLANs segment at layer 2; security groups filter at layer 3/4
A VLAN partitions one physical network into isolated broadcast domains so tenants or tiers cannot see each other's traffic at the link layer. A security group, by contrast, filters allowed flows per instance higher up the stack. They are complementary: VLANs isolate the network, security groups govern which allowed flows cross between hosts; neither replaces the other.
- DNSSEC protects integrity and authenticity, not confidentiality
DNSSEC signs DNS records so a resolver can verify an answer was not forged or tampered with in transit. It does not encrypt the query or response, so it provides no confidentiality; an observer still sees which names are looked up. The exam pairing to lock in: DNSSEC defends against spoofing and cache poisoning, while encryption of the lookup itself is a separate concern.
Trap Assuming DNSSEC encrypts DNS traffic; it only signs records for integrity, so confidentiality requires a different control.
- Lock DHCP to authorized servers to stop rogue configuration
DHCP hands clients their IP address, gateway, and DNS resolver, so an unguarded segment lets a rogue DHCP server feed clients a malicious gateway or resolver and silently intercept traffic. Restricting DHCP to authorized servers (and enabling DHCP snooping where the platform supports it) keeps an attacker from redirecting hosts through their own machine.
- TLS secures one session; a VPN secures the whole link
TLS protects an individual connection such as an API call or a management session, giving that session confidentiality and integrity. A VPN tunnels everything crossing an untrusted path between two endpoints. Use TLS for application and management endpoints, and a VPN when an entire site or operator must reach the private network over hostile transit.
- IDS detects and alerts; IPS is inline and blocks
An intrusion detection system inspects a copy of the traffic and raises an alert on a match, but it does not stop the flow. An intrusion prevention system sits inline in the traffic path and can drop or reset the offending connection in real time. The distinction the exam turns on is action plus placement: detection-only and out-of-band for IDS, blocking and inline for IPS.
Trap Selecting an IDS when the requirement is to actively stop malicious traffic; an IDS only alerts, so blocking needs an inline IPS.
- A honeypot is a decoy, so any interaction with it is suspicious
A honeypot is a deliberately exposed system with no production value, so any connection to it signals reconnaissance or attack and yields early warning and threat intelligence. It must be isolated from real systems so a compromise of the decoy cannot pivot into production, and organizations often weigh legal and entrapment concerns before deploying one.
Trap Placing a honeypot with network reach into production so a compromised decoy becomes a foothold rather than a contained sensor.
- A vulnerability scan enumerates weaknesses; a pen test exploits them
Routine authenticated vulnerability scanning finds missing patches and weak configurations and feeds the patch and hardening cycle, but it only reports known weaknesses. A penetration test goes further and actively exploits them to prove real-world impact. In the cloud, confirm the provider's testing policy before scanning shared infrastructure.
Trap Calling a vulnerability scan a penetration test; the scan lists potential issues, while the pen test demonstrates exploitability.
- Harden hosts to a published baseline like a CIS Benchmark or STIG
Hardening reduces a host to a documented, measurable configuration standard, most often a CIS Benchmark or a DISA STIG in government contexts, then audits the host against it. NIST SP 800-123 frames the goal as least functionality: run only the accounts, ports, and services the role requires, and turn on audit logging. Building from a named baseline gives you a repeatable target and a way to detect drift, rather than ad hoc per-server tweaks.
- Bake the baseline into the golden image, not into a live server
Because cloud hosts are short-lived, the hardened baseline is applied to the golden image and re-applied on every rebuild, instead of being hand-configured on a running instance. This keeps every host in the fleet identical to the audited standard and removes the configuration drift that accumulates when operators patch live servers by hand.
- Patch immutable infrastructure by re-imaging, not in-place updates
The cloud-native patch model treats servers as cattle: rebuild the golden image with the fixed packages, roll the fleet to the new image, and terminate the old instances, rather than updating each running host. This guarantees every host is identical, erases drift, and lets you roll back instantly by redeploying the prior image. In-place patching is reserved for genuinely stateful hosts that cannot be replaced.
Trap Hand-patching a fraction of a fleet in place, which leaves the rest unpatched and reintroduces the drift immutable rebuilds exist to prevent.
3 questions test this
- An organization follows an immutable infrastructure model using Infrastructure as Code for cloud workloads. A critical vulnerability is…
- An organization is migrating its workloads to the cloud and wants to implement a patching strategy that increases reliability, consistency,…
- An organization uses an immutable infrastructure model for its containerized workloads in the cloud. When a vulnerability scanner…
- Follow the patch loop in order: identify, test, schedule, deploy, verify
Patch management runs a fixed sequence: identify missing patches from scans and advisories, test the patch in non-production, schedule it through change management, deploy to a canary subset before the full fleet, then verify the patch took and the service is healthy while keeping the previous image for rollback. A scenario about a patch that broke production is usually testing whether the test or canary step was skipped.
Trap Deploying a patch fleet-wide without a canary or a tested rollback image, so a bad patch takes the whole service down at once.
5 questions test this
- An organization discovers a zero-day vulnerability affecting critical production systems in their cloud environment. Their standard patch…
- A vulnerability scanner identifies a critical vulnerability across multiple production virtual machines in a cloud environment. The vendor…
- Your organization is designing an automated patching workflow for cloud workloads that integrates vulnerability scanning with patch…
- According to NIST SP 800-40, which phase of enterprise patch management involves confirming that patches have been successfully applied and…
- A cloud operations team is preparing to deploy a non-emergency security patch to ESXi hypervisor hosts in their production cluster. Before…
- HA restarts failed guests; fault tolerance runs a zero-downtime shadow
High availability automatically restarts a failed host's guests on a surviving cluster member, accepting a brief restart outage in exchange for recovery without human action. Fault tolerance instead runs a lockstep shadow VM so a host failure causes no downtime at all, at much higher cost. Match the mechanism to how much interruption the workload can absorb.
Trap Assuming HA gives zero-downtime failover; HA tolerates a short restart gap, and only fault tolerance avoids the outage entirely.
- Use maintenance mode to drain a host before patching it
Maintenance mode tells the cluster to evacuate every guest off a host, using live migration (a resource scheduler such as VMware DRS), so the host can be patched or rebooted with no guest downtime. It is how immutable patching and HA fit together: the scheduler empties the host, you service it, and the guests keep running on other cluster members meanwhile.
- DRS live-migrates running guests to balance load and drain hosts
A distributed resource scheduler, with VMware DRS as the canonical example, live-migrates running guests between cluster hosts to balance CPU and memory load and to honor placement rules. The same migration machinery powers maintenance-mode evacuation, so the scheduler is doing double duty for both performance balancing and planned maintenance.
- Monitor hardware health and capacity to catch failure before outage
Availability depends on seeing trouble early, so operators track two signals: performance and capacity (network throughput, compute utilization, storage I/O, response time) to catch saturation before it degrades service, and hardware health (disk SMART status, CPU, fan speed, temperature) to catch a failing component before it dies. In managed cloud the provider owns the physical sensors, but the tenant still watches guest-level capacity and cluster headroom.
- Clustering survives host failure; backups survive data loss and corruption
Cluster HA protects against a host dying, but it cannot recover from data corruption, ransomware, or accidental deletion because it keeps running the same bad data. Backups cover exactly those cases. Store backup copies off the primary cluster, ideally in another region or account, and keep at least one immutable copy that cannot be altered or deleted by a compromised admin.
Trap Relying on cluster HA or replication as the backup; replication faithfully copies corruption and ransomware to the replica, so it is not a recovery control.
- An untested backup is not a control; schedule restore tests
Backups fail silently, so a backup you have never restored is a hope rather than a control. Schedule periodic restore tests to prove the data is recoverable and that the process meets the recovery objectives. The recovery targets themselves (RTO and RPO) are set in the BC/DR plan, not chosen during day-to-day operations; backup operations exist to meet them.
Trap Treating successful backup jobs as proof of recoverability; only a tested restore confirms the backup can actually be brought back.
- Define infrastructure as code for identical, auditable, rollback-able fleets
Infrastructure as Code defines servers, networks, and policies in versioned templates (Terraform, CloudFormation, ARM/Bicep) that the platform provisions automatically. Three properties make it the operate-and-maintain default: every change is reviewed and recorded like source code, the same template yields identical environments with no drift, and a bad change is rolled back by redeploying the prior version. A scenario about keeping hundreds of hosts configured identically and auditably is pointing at IaC.
- The management plane is the highest-value target, so guard it hardest
The management plane is the control layer (console, APIs, orchestration) that can create, destroy, and reconfigure every resource, so an attacker who owns it owns the whole cloud. No host-level control can contain a management-plane compromise, which is why the exam frames it as catastrophic. Protect it with MFA on every admin identity, least-privilege roles, no standing root or owner access, and complete logging of every control-plane action.
Trap Assuming host hardening or network controls limit the blast radius of a management-plane compromise; control of the plane overrides controls beneath it.
- Patching responsibility shifts with the service model: IaaS customer patches the guest OS
Under shared responsibility the customer's patching burden grows as you move down the stack: in IaaS the customer patches the guest operating system and applications, in PaaS the CSP patches the platform and OS while the customer patches their code, and in SaaS the CSP patches everything. The provider always owns the underlying infrastructure and hypervisor.
Trap Assuming the CSP patches the guest OS on IaaS VMs — that responsibility stays with the customer.
5 questions test this
- A cloud security professional reviews vulnerability scan results showing missing operating system patches across the organization's cloud…
- An organization uses SaaS for email, PaaS for application development, and IaaS for hosting legacy systems. The security team is defining…
- An organization deployed virtual machines in a public cloud IaaS environment to host critical applications. The security team needs to…
- Your organization deploys virtual machines using an IaaS cloud service model and also consumes a PaaS-based database service from the same…
- A company operates a hybrid cloud environment with workloads distributed across IaaS virtual machines and PaaS-hosted applications. The…
- Virtual patching shields a zero-day until the real patch ships
When a vendor patch is unavailable or systems cannot be taken offline, virtual patching applies a security-policy enforcement layer (such as IPS or WAF signatures) that blocks exploitation attempts without modifying the underlying code. It is an interim compensating control, paired with an expedited emergency-patching process once the fix is released.
Trap Waiting out the normal multi-week test cycle for a live zero-day instead of deploying virtual patching as an interim shield.
- ESXi lockdown mode forces administration through vCenter, not direct host login
Enabling lockdown mode on an ESXi host restricts direct local logins and forces administrative operations through vCenter Server, which enforces centralized authentication, role-based access control, and audit logging. Effective hypervisor hardening layers this with MFA, application allowlisting, regular patching, and behavioral anomaly monitoring.
Trap Leaving direct local ESXi access open for convenience, bypassing the centralized authentication and audit trail vCenter provides.
- Credentialed scans see far more than unauthenticated scans
An authenticated (credentialed) vulnerability scan logs into the target with valid credentials and enumerates installed software, patch levels, and configuration from the inside, revealing weaknesses invisible to an external unauthenticated scan. For ephemeral auto-scaling fleets, baking scanning agents into the base image gives every new instance coverage on launch.
Trap Trusting a thin unauthenticated scan result as complete when a credentialed scan would expose far more internal findings.
3 questions test this
- An organization's cloud environment uses auto-scaling groups that dynamically provision and terminate virtual machine instances based on…
- An organization deploys virtual machines in an IaaS cloud environment and wants to obtain the most comprehensive view of vulnerabilities…
- An organization deploys a vulnerability scanner to assess its cloud-hosted IaaS virtual machines. The initial non-credentialed scan returns…
- Encryption at rest does not cover the wire; add in-transit encryption
Server-side encryption at rest protects stored data but leaves it exposed as it crosses the network over file or block protocols, so NAS (NFS/SMB) and iSCSI SAN traffic needs TLS or IPsec for confidentiality and integrity in transit. The at-rest encryption should also be transparent to standard protocol clients so operations are unaffected.
Trap Assuming at-rest encryption alone secures NAS or iSCSI data, leaving the protocol traffic open to interception on the network.
3 questions test this
- An organization is migrating shared file storage to a cloud-based NAS solution using NFS and SMB protocols. When implementing encryption at…
- An organization deploys a cloud-based NAS solution with AES-256 server-side encryption at rest for shared file storage. Users access file…
- An organization is deploying an iSCSI-based SAN in a cloud IaaS environment to host database workloads. The security team must protect data…
Operational Controls & Standards
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Digital Forensics
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Communication with Relevant Parties
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Operations Management
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Legal, Risk & Compliance
Cloud Legal Requirements & Risks
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- The defining cloud legal risk is conflicting international law
Cloud decouples a dataset from any single nation's law, so one set of records can fall under two contradictory legal duties at once, where satisfying one country's law breaks another's. The classic case is a US disclosure order on data the EU forbids transferring. Recognize that no national law wins by default; you manage the overlap with localization, lawful-transfer mechanisms, or customer-held encryption keys rather than assuming one regime cancels the other.
Trap Assuming one country's law automatically overrides the other; the conflict is genuine and unresolved, which is exactly why it is the testable risk.
3 questions test this
- A multinational company uses cloud storage that distributes data across data centers in multiple countries. During litigation, the company…
- A multinational organization stores EU citizen data in a European cloud region operated by a US-headquartered cloud service provider. When…
- A U.S.-based cloud service provider receives a valid U.S. warrant under the CLOUD Act for enterprise customer content data stored in a…
- The US CLOUD Act reaches data by provider control, not by storage location
The CLOUD Act lets US authorities compel a US-based provider to produce data in its possession, custody, or control wherever in the world it is stored. Storing data in an EU region does not place it beyond the order, because the trigger is the provider's nationality, not the bytes' location. This is why provider nationality is its own legal-risk factor, independent of region choice.
Trap Believing that choosing a non-US region exempts a US provider's data from a US order; region does not change who can be compelled.
4 questions test this
- A multinational organization stores sensitive data with a CSP that hosts multiple tenants on shared infrastructure across several…
- An organization operating across multiple jurisdictions is evaluating controls to protect its data in a multi-tenant cloud environment from…
- A multinational organization stores EU citizen data in a European cloud region operated by a US-headquartered cloud service provider. When…
- A U.S.-based cloud service provider receives a valid U.S. warrant under the CLOUD Act for enterprise customer content data stored in a…
- GDPR can treat a compelled foreign disclosure as an unlawful transfer
GDPR restricts moving personal data outside the EEA unless a lawful transfer mechanism is in place, and a disclosure to a foreign government can itself count as a prohibited transfer. That is the EU side of the CLOUD-Act collision: the same act that satisfies the US order can violate GDPR. The lawful-transfer instruments (adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules) exist to make a cross-border transfer legal under the originating regime.
- Data sovereignty is the principle; localization is the requirement
Data sovereignty means data is governed by the laws of the country where it is physically stored or processed. Data localization (data residency) is the concrete legal requirement to keep specified data inside a national border. Sovereignty explains why location matters; localization is the rule you must actually satisfy for regulated categories such as government, financial, health, or personal data.
Trap Using the two terms interchangeably; an item may pair the principle (sovereignty) with the requirement (localization) and reward the candidate who keeps them distinct.
5 questions test this
- An organization is developing a jurisdictional compliance strategy for its multi-cloud deployment. The legal team asks the security…
- An organization evaluating cloud service providers for sensitive government workloads must understand key concepts related to geographic…
- An organization is deploying a tokenization solution to protect PII stored across multiple public cloud regions. The solution uses a token…
- An organization operating across multiple countries uses a global cloud service provider. Some jurisdictions mandate strict data…
- An organization configuring data location controls within its multi-cloud environment must address both data residency and data sovereignty…
- Satisfy localization with in-region selection plus contractual residency
When a localization rule applies, keep the data only in provider regions inside the required jurisdiction and bind the provider by contract not to move, replicate, or back it up elsewhere. Region choice becomes a compliance decision before it is a latency decision. Backup and replication destinations are in scope, so a default global-replication setting can silently breach residency.
Trap Treating cross-region backup or global replication as harmless; an automatic copy into another jurisdiction can violate a residency requirement.
- Hold your own keys to blunt foreign-disclosure orders
Encrypting with keys the customer controls and the provider never holds means a compelled provider can only surrender ciphertext it cannot read. This is the strongest technical answer to the CLOUD-Act-versus-GDPR dilemma, because it neutralizes the value of an order served on the provider. It does not remove the legal conflict, but it limits what the provider can actually hand over.
Trap Relying on provider-managed encryption against a government order; if the provider holds the keys, it can be compelled to decrypt and produce readable data.
4 questions test this
- A multinational organization stores sensitive data with a CSP that hosts multiple tenants on shared infrastructure across several…
- An organization operating across multiple jurisdictions is evaluating controls to protect its data in a multi-tenant cloud environment from…
- A healthcare organization is implementing encryption for PHI stored in a public cloud storage service. Following the segregation of duties…
- A healthcare organization subject to HIPAA stores protected health information (PHI) in a public cloud storage service. To maintain maximum…
- Multi-tenancy makes one tenant's legal process a risk to others
Because tenants share infrastructure, a law-enforcement seizure or litigation request aimed at one tenant can reach hardware that also stores other tenants' data, and you lose physical custody of the media entirely. These are risks of the cloud delivery model, not of any single workload, and they are why collection must be tenant-scoped and provider-mediated rather than a physical disk seizure.
4 questions test this
- According to ISO/IEC 27050 and CSA Guidance, what is the PRIMARY challenge that multi-tenancy in cloud storage creates for eDiscovery…
- Your organization stores data in a multi-tenant SaaS environment where the cloud service provider utilizes shared storage infrastructure. A…
- A cloud service provider operating a multi-tenant platform with shared storage receives a court order requiring the disclosure of a…
- A cloud service provider receives a law enforcement subpoena targeting data belonging to one specific tenant in a shared storage…
- eDiscovery is the identify-preserve-collect-review-produce lifecycle for ESI
eDiscovery (electronic discovery) is the legal process of identifying, preserving, collecting, reviewing, and producing electronically stored information (ESI) for litigation or investigation. The international standard for it is ISO/IEC 27050, and the Cloud Security Alliance publishes cloud-specific eDiscovery guidance that maps the same lifecycle onto provider-hosted data. The CCSP needs the lifecycle and the cloud complications, not courtroom procedure.
- ISO/IEC 27050 is the eDiscovery standard to name
When a cloud question references a standard for electronic discovery, the answer is ISO/IEC 27050, a multi-part standard covering eDiscovery overview and concepts (Part 1), governance and management, code of practice (Part 3), and technical readiness. Pair it with CSA cloud eDiscovery guidance for the provider-hosted angle. Do not confuse it with ISO/IEC 27037 (digital evidence handling) or 27018 (cloud PII).
Trap Reaching for ISO/IEC 27018 (cloud PII protection) when the stem asks about eDiscovery; 27050 is the eDiscovery standard.
- A legal hold must override the provider's deletion and retention cycles
A legal hold is a directive that suspends normal deletion and retention so potentially relevant data is preserved. In the cloud it must override the provider's automated lifecycle and retention policies, and your contract must let you invoke it. Without that, a routine deletion job can destroy evidence and expose you to spoliation, the legal sanction for destroying discoverable evidence.
Trap Assuming the provider preserves data by default or relying on routine backups; a normal lifecycle policy can delete evidence under hold.
9 questions test this
- Your organization uses a SaaS-based cloud storage service and has just been notified that litigation against the company is reasonably…
- According to ISO/IEC 27050, an organization must perform eDiscovery on cloud-stored ESI in response to a regulatory investigation. Which…
- A company's cloud contract is expiring, and the data disposal clause requires all tenant data to be destroyed within 30 days of…
- When evaluating a cloud service provider for eDiscovery readiness, which contractual provision is MOST important to ensure the organization…
- Your organization has initiated termination of its cloud service agreement. The data destruction clause requires the CSP to delete all…
- Your organization stores regulated data in a public cloud environment. Legal counsel has notified you of a reasonable anticipation of…
- An organization's automated cloud storage retention policy deletes a dataset of potentially relevant records BEFORE a litigation hold could…
- An organization's cloud service provider deleted data subject to an active litigation hold because an automated lifecycle management policy…
- Following the termination of a cloud service agreement, the customer requests full deletion of all data. However, the CSP identifies that a…
- Spoliation is the sanction for destroying discoverable evidence
Spoliation is the destruction or alteration of evidence that should have been preserved for litigation, and it carries legal sanctions independent of the underlying case. In the cloud it is a live risk because automated lifecycle deletion runs continuously, so failing to place a timely legal hold can destroy ESI you were legally obligated to keep.
7 questions test this
- Your organization uses a SaaS-based cloud storage service and has just been notified that litigation against the company is reasonably…
- A company's cloud contract is expiring, and the data disposal clause requires all tenant data to be destroyed within 30 days of…
- Your organization has initiated termination of its cloud service agreement. The data destruction clause requires the CSP to delete all…
- Your organization stores regulated data in a public cloud environment. Legal counsel has notified you of a reasonable anticipation of…
- An organization's automated cloud storage retention policy deletes a dataset of potentially relevant records BEFORE a litigation hold could…
- An organization's cloud service provider deleted data subject to an active litigation hold because an automated lifecycle management policy…
- Following the termination of a cloud service agreement, the customer requests full deletion of all data. However, the CSP identifies that a…
- Possession, custody, or control puts the duty to produce on the customer
Even though the provider physically holds the data, the legal duty to produce it in discovery usually rests on the customer having possession, custody, or control of it through the account. You therefore must be able to find and produce relevant ESI across regions and services, and your contract must give you the access and export capability to do so.
- You cannot image hardware you do not own, so collection is provider-mediated
In a multi-tenant cloud, evidence collection happens through provider export tooling and APIs scoped to your tenant, because you have no physical access to the disks and a raw disk image would expose other tenants' data. The shared substrate is exactly why tenant-scoped, provider-mediated acquisition is required instead of a physical seizure.
Trap Choosing to image the physical disk or seize the host yourself; the hardware is shared and not under your control.
4 questions test this
- According to ISO/IEC 27050 and CSA Guidance, what is the PRIMARY challenge that multi-tenancy in cloud storage creates for eDiscovery…
- Your organization stores data in a multi-tenant SaaS environment where the cloud service provider utilizes shared storage infrastructure. A…
- A cloud service provider operating a multi-tenant platform with shared storage receives a court order requiring the disclosure of a…
- A cloud service provider receives a law enforcement subpoena targeting data belonging to one specific tenant in a shared storage…
- Forensic legal requirements: chain of custody and integrity still apply
Even when the provider performs the hands-on acquisition, the legal requirements hold: chain of custody (a documented, unbroken record of who handled the evidence, when, and why, so it is admissible) and integrity via cryptographic hashing so the evidence is provably unaltered, supporting non-repudiation. What changes in the cloud is custody of the physical media, which now spans the provider's collection step, so the contract must require forensic cooperation and verifiable acquisition.
4 questions test this
- A cloud security professional is establishing chain of custody procedures for digital evidence stored in a public cloud environment to…
- An organization uses automated cloud audit logging to collect evidence for an upcoming SOC 2 audit. The security team is concerned about…
- During a cloud forensic investigation, the auditor reviewing governance controls discovers that chain of custody records for collected…
- An organization must maintain chain of custody for digital evidence collected from its cloud environment during a regulatory investigation.…
- Negotiate eDiscovery and forensic support into the contract before you need it
Because every preservation and collection step depends on the provider, the legal-risk control is contractual and is arranged at onboarding, not after a subpoena. Require a right to issue legal holds that override lifecycle deletion, defined eDiscovery and forensic support with response timeframes, tenant-scoped collection that does not expose other customers, retention of relevant logs, and notification when the provider receives legal process touching your data.
5 questions test this
- When negotiating a cloud services contract for a multi-tenant environment, which provision is MOST critical for addressing how the CSP…
- When evaluating a cloud service provider for eDiscovery readiness, which contractual provision is MOST important to ensure the organization…
- An organization is negotiating a cloud service agreement for a multi-tenant SaaS deployment that will process sensitive regulated data.…
- Your organization stores regulated data in a multi-tenant cloud environment. A law enforcement agency serves a valid subpoena directly to…
- An organization is negotiating a cloud service agreement and wants to ensure it is protected when third parties, including law enforcement…
- Evaluate the legal-risk surface as provider due diligence
Cloud legal risk is part of provider selection, not an afterthought. Assess the provider's governing law, the jurisdictions it operates in, how it responds to legal process, its residency options, and its eDiscovery and forensic support, before placing a workload. The recurring exam framing is that legal exposure should drive provider and region choice up front.
- A compliant provider does not discharge the customer's legal duty
Under the shared-responsibility model, the provider's certifications and compliant regions cover the provider's layer only; governing law, legal holds, residency, and the duty to produce evidence remain the customer's accountability. The architecture and the contract carry these obligations, so they cannot be assumed away by pointing at the provider's attestations.
Trap Concluding that using a compliant provider makes the customer compliant; the customer's own legal accountability is never transferred by the provider's certifications.
- Validate a law-enforcement request's legitimacy first, then redirect it to the customer
When a CSP receives a law-enforcement request for a tenant's content data, the first step is to validate its legitimacy and legal sufficiency (proper authority, scope, and service channel). Industry best practice then favors redirecting law enforcement to obtain the data directly from the enterprise customer, who is the data owner, rather than the provider producing it.
Trap Handing over the data immediately because the request looks official, skipping the legal-sufficiency review and the redirect to the customer.
4 questions test this
- A cloud service provider operating a multi-tenant platform receives a law enforcement request for an enterprise customer's content data.…
- A cloud service provider operating a multi-tenant platform receives a valid law enforcement request for content data belonging to an…
- Your organization uses a SaaS application hosted in a multi-tenant cloud environment. The cloud service provider receives a valid law…
- Your organization stores regulated data in a multi-tenant cloud environment. A law enforcement agency serves a valid subpoena directly to…
- Produce only the minimum data, and challenge overbroad orders or gag clauses through legal channels
When the CSP must comply with a valid order, it should disclose only the minimum data necessary to satisfy that specific order, not bulk tenant data. A non-disclosure (gag) order is obeyed as a binding obligation while the provider seeks to narrow or challenge it. Where a US order conflicts with foreign law such as GDPR, a provider may raise that conflict through a comity-based challenge, though under the CLOUD Act the statutory motion-to-quash route is narrow (it is limited to data on non-US persons where the conflict is with a qualifying foreign government under an executive agreement, which the EU is not).
Trap Ignoring a gag order and notifying the tenant anyway, instead of complying while challenging the secrecy requirement in court.
3 questions test this
- A CSP operating a multi-tenant environment receives a law enforcement request accompanied by a non-disclosure order that prohibits…
- Law enforcement presents a valid warrant to a cloud service provider for content data belonging to one specific tenant in a shared…
- A U.S.-based cloud service provider receives a valid U.S. warrant under the CLOUD Act for enterprise customer content data stored in a…
Privacy Issues
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- PHI is a regulated subset of PII, not a parallel category
Personally identifiable information (PII) is anything that identifies a person directly (name, government ID) or indirectly (an IP address plus a timestamp). Protected health information (PHI) is the narrower set: health data tied to an identifiable individual and held by a HIPAA covered entity or business associate. Treat them as nested, all PHI is PII, but most PII is not PHI, because the label drives which controls legally attach.
Trap Treating PHI and PII as separate, parallel buckets and applying only baseline PII handling to health data, which strips the stronger HIPAA controls PHI legally requires.
- Indirect identifiers still make data PII
Data does not need a name to be personal; if it can be linked to an individual when combined with other data, it counts. An IP address, a device ID, or a location trail plus a timestamp are PII under GDPR's broad definition. The practical effect is that telemetry you assumed was anonymous becomes in-scope the moment it can be joined back to a person.
Trap Assuming only direct identifiers like names count as PII, so quasi-identifiers (IP, device ID, geolocation) escape privacy obligations.
- Pseudonymized data is still personal data; only true anonymization is out of scope
Pseudonymization replaces identifiers with a token but keeps a key that can re-link to the individual, so under GDPR it remains personal data with full obligations. Only irreversible anonymization, where no one can re-identify the person, falls outside privacy law. Pseudonymization is a risk-reducing security measure, not a get-out-of-scope move.
Trap Treating pseudonymized data as anonymized and concluding the privacy rules no longer apply; the re-linking key keeps it in scope.
- Contractual private data is what you promised; regulated private data is what the law commands
Contractual private data is protected because a contract says so, such as cardholder data under PCI DSS or customer data under a service agreement, and the remedy is contractual (penalties, termination). Regulated private data is protected by statute like GDPR or HIPAA, and the remedy is a regulator's fines and mandatory breach notification. A single record can be both at once.
- A contract can raise the privacy floor but never waive a statutory duty
When a contract term and a privacy statute conflict, the statute wins; a contract can add protections beyond the law but cannot contract out of a regulator-enforced obligation. So an answer that says the provider's terms permit something a privacy law forbids is wrong whenever a statute is in play. Where obligations overlap, you satisfy the stricter one.
Trap Reasoning that because the cloud contract allows a use of personal data, it is compliant, even though a statute like GDPR forbids it.
- In the cloud the customer is the controller and the provider the processor
The controller decides why and how personal data is processed and holds the accountability; the processor acts only on the controller's documented instructions. Putting data in a cloud service does not transfer controllership: the customer stays the controller and the provider becomes a processor (or sub-processor). Physical custody of the data does not make the provider the controller.
Trap Naming the cloud provider as the controller because it physically holds the data, which wrongly shifts the accountability that stays with the customer.
6 questions test this
- An organization is evaluating a cloud service provider's compliance with ISO/IEC 27018 for handling personal data. Regarding audit logging…
- Your organization is negotiating a cloud service provider contract for hosting sensitive business data. Which contractual provision is MOST…
- Your organization is negotiating a contract with a cloud service provider for a SaaS solution that will process sensitive customer data.…
- A cloud service provider acting as a PII processor is pursuing ISO/IEC 27018 compliance. The provider intends to leverage personal data…
- During contract negotiations with a cloud service provider, you discover the standard terms of service permit the provider to analyze and…
- Your organization is negotiating a contract with a cloud service provider for a critical SaaS application that will process sensitive…
- GDPR Article 28 requires a data processing agreement before processing
Because the customer stays accountable, GDPR Article 28 requires a written data processing agreement (DPA) before a processor touches personal data. The DPA must bind the processor to act only on documented instructions, keep data confidential, secure it, assist with data-subject requests and breach notice, gate and disclose sub-processors, and delete or return data at the end. The DPA, not a marketing assurance, is the control.
Trap Relying on a generic NDA or the provider's standard terms of service in place of a DPA; an NDA protects confidentiality but does not meet Article 28.
- US PHI to a cloud vendor needs a HIPAA business associate agreement
When PHI flows from a covered entity to a vendor that handles it, HIPAA requires a signed business associate agreement (BAA) making the vendor a business associate bound to the Security and Privacy Rules. A cloud provider that stores or processes PHI is a business associate even if it never views the data. No BAA means the arrangement is non-compliant from the start.
Trap Substituting a GDPR-style DPA or a generic NDA for a BAA when the regulated data is US PHI; HIPAA specifically requires the BAA.
4 questions test this
- A healthcare organization is evaluating a cloud service provider for storing electronic protected health information (ePHI). Under HIPAA…
- A healthcare organization is evaluating a cloud service provider to host electronic protected health information (ePHI). The CSP will store…
- A healthcare organization plans to migrate its electronic protected health information (ePHI) to a cloud service provider's environment.…
- A healthcare organization plans to use a public cloud service provider to store and process electronic protected health information (ePHI).…
- ISO/IEC 27018 is the code of practice for protecting PII in public clouds
ISO/IEC 27018 extends ISO/IEC 27001/27002 with controls for a public-cloud provider acting as a PII processor: process PII only on customer instruction, do not use it for the provider's own marketing, support data-subject requests, disclose sub-processors and data locations, and notify the customer of breaches and government access requests. Provider certification to 27018 is how it demonstrates these commitments.
Trap Choosing ISO/IEC 27017 (cloud security controls) or ISO/IEC 27001 (the general ISMS) when the question specifically asks about protecting PII in the cloud; 27018 is the cloud-PII answer.
7 questions test this
- An organization is evaluating a cloud service provider's compliance with ISO/IEC 27018 for handling personal data. Regarding audit logging…
- During a compliance audit, an organization discovers that cloud audit logs forwarded to its centralized SIEM contain personally…
- A cloud service provider acting as a PII processor is implementing controls to comply with ISO/IEC 27018. The standard requires limitations…
- An organization's Data Protection Officer reviews the cloud audit logging configuration to verify alignment with ISO/IEC 27018. Which…
- An organization is evaluating a public cloud service provider's privacy practices for processing personally identifiable information (PII).…
- A cloud service provider acting as a PII processor is pursuing ISO/IEC 27018 compliance. The provider intends to leverage personal data…
- An organization using a public cloud provider to process personal data on behalf of its customers is evaluating compliance with ISO/IEC…
- GAPP is a privacy management framework, not a cloud-processor control set
The Generally Accepted Privacy Principles (GAPP) from the AICPA/CICA organize a privacy program around principles such as notice, choice and consent, collection, use and retention, access, disclosure, security, quality, and monitoring. Reach for GAPP when assessing or building an organization's overall privacy program, not when picking a specific cloud-provider control. It is a framework, not law and not a cloud-specific standard.
Trap Picking GAPP for a question about a specific public-cloud PII control; GAPP frames a whole program, while ISO/IEC 27018 names the cloud-processor control.
- GDPR is binding law with fines up to 4% of global turnover
GDPR is enforceable EU regulation, not a voluntary code, and its most serious infringements carry administrative fines up to the greater of 20 million euros or 4% of total worldwide annual turnover. That enforcement power is why GDPR is the privacy statute CCSP leans on. A provider being certified to ISO/IEC 27018 does not discharge the customer's GDPR duty.
- Cross-border transfer of EU personal data needs a lawful mechanism
GDPR restricts moving personal data outside the EU/EEA unless a transfer mechanism applies: an adequacy decision for the destination country, standard contractual clauses (SCCs), or binding corporate rules. An unlawful transfer is itself a GDPR violation independent of any breach. Confirm the basis before the data crosses the border, not after.
Trap Assuming encryption or a contract clause alone legitimizes an international transfer; without an adequacy decision, SCCs, or BCRs the transfer is unlawful.
2 questions test this
- The controller must be able to satisfy data-subject rights
GDPR gives individuals rights the controller must honor: access, rectification, erasure (right to be forgotten), restriction, portability, and objection. In the cloud, satisfying erasure or portability depends on the provider's tooling and on knowing every location the data was dispersed to, so the DPA must obligate the provider to assist. Build for these rights up front rather than retrofitting.
3 questions test this
- A cloud application must support GDPR data portability rights. The privacy team is designing an API endpoint to allow data subjects to…
- A company operates a cloud application composed of multiple microservices that each store different categories of personal data. A data…
- Under GDPR Article 17, a data subject requests erasure of their personal data from your cloud application. The application uses an API…
- A PIA is a preventive control run before processing begins
A Privacy Impact Assessment (PIA) identifies and reduces privacy risk before an activity goes live, so it is preventive, not a post-incident review. In the cloud its value is timing: it forces choices like data residency, tokenization, or rejecting an unacceptable sub-processor while the design can still change. Run it after deployment and only costly retrofits remain.
Trap Treating a PIA as a post-deployment audit; assessing privacy risk after go-live forfeits the point of the control.
- GDPR makes a DPIA mandatory for high-risk processing
Under GDPR the PIA is called a Data Protection Impact Assessment (DPIA), and it is required, not optional, when processing is likely to be high risk to individuals: large-scale special-category data, systematic monitoring of a public area, or large-scale profiling with legal effects. A DPIA is conditional on high risk, neither always required nor merely a nice-to-have.
Trap Claiming a DPIA is always required or always optional; it is specifically triggered by high-risk processing.
- If high risk remains after a DPIA, consult the supervisory authority first
A DPIA moves through describe the processing, test necessity and proportionality, rate the risks to individuals, then apply mitigations. If high risk still remains after mitigation, GDPR requires the controller to consult the supervisory authority before proceeding. The documented DPIA is kept as evidence of accountability.
Trap Proceeding with processing that is still high risk after mitigation without prior consultation; GDPR requires consulting the supervisory authority first.
- Cloud DPIA inputs come from the provider, tying it to the DPA
Several DPIA inputs (data location, sub-processor list, breach-notification timelines, deletion guarantees) are facts only the provider can supply, which links the DPIA back to the data processing agreement and the provider's ISO/IEC 27018 disclosures. A DPIA written without those provider facts is incomplete and understates the real risk.
- Jurisdiction is set by where data subjects are, not only where servers sit
GDPR applies extraterritorially: it covers processing of EU residents' personal data even by a controller or processor with no EU establishment, when it offers goods or services to, or monitors, people in the EU. So choosing a non-EU cloud region does not by itself escape GDPR if the data subjects are in the EU. Privacy obligations follow the people, not just the hardware.
Trap Assuming hosting data outside the EU removes GDPR obligations; the regulation reaches processing of EU residents' data regardless of server location.
- Country-specific privacy laws layer on top of the baseline
Beyond GDPR, regional statutes add their own duties: HIPAA/HITECH for US health data, and other national or sector laws for the same dataset depending on where individuals reside. When a dataset spans jurisdictions, the controller must meet each applicable law, and overlapping obligations resolve to the stricter requirement. Map the data subjects to laws before designing controls.
- ISO/IEC 27018 is distinct from 27017 and 27701
Keep the cloud ISO family straight: 27018 is cloud PII protection (privacy, provider as processor), 27017 is cloud security controls (not privacy), and 27701 is the privacy information management system extension to 27001 that operationalizes a PIMS. A question naming public-cloud PII processing points to 27018 specifically.
Trap Confusing ISO/IEC 27018 with 27017 (cloud security) or 27701 (privacy management system); only 27018 is the cloud-PII processor code of practice.
- Enforce privacy data minimization with least-privilege, field-level IAM
Data minimization (GDPR Articles 5(1)(c) and 25) is enforced technically by restricting access to only the data each role needs. Role-based or attribute-based IAM that limits visibility to the required PII fields, plus periodic entitlement reviews to strip unneeded permissions, is the direct control; when a PIA finds excessive exposure, tightening these access controls is the first corrective step.
Trap Reaching for broad encryption or logging first, when minimization is about restricting who can see which fields.
8 questions test this
- During a Privacy Impact Assessment for a new cloud-based HR application, an organization discovers that all users with application access…
- A cloud security architect is designing IAM controls for a healthcare analytics platform processing patient data across multiple…
- A cloud service provider processing personal data on behalf of multiple data controllers implements pseudonymization of PII in…
- A cloud service provider acting as a PII processor is implementing controls to comply with ISO/IEC 27018. The standard requires limitations…
- An organization hosting a SaaS application processes customer PII in a multi-tenant cloud environment. The security team needs to ensure…
- Your organization is migrating customer data to a public cloud and must comply with GDPR Article 5(1)(c) data minimization requirements.…
- An organization migrating EU citizen data to a cloud environment must comply with the GDPR data minimization principle. Which IAM practice…
- Your organization is migrating customer data to a public cloud environment and must comply with GDPR Article 25, which requires data…
- Pick static masking, dynamic masking, or tokenization by where the data lives and who sees it
De-identification choices differ by use case: static data masking irreversibly replaces PII with realistic fictitious values in a non-production copy for dev/test; dynamic data masking redacts fields at query time based on IAM role so support staff see only what they need; tokenization replaces values (such as PANs) with non-sensitive tokens, narrowing PCI-DSS scope, but the token vault holding the originals stays subject to data-residency and sovereignty law.
Trap Using dynamic masking to create a dev/test dataset, when only static masking gives an irreversibly de-identified copy.
4 questions test this
- A financial services organization uses a cloud database containing customer PII for its production application. Developers need realistic…
- A financial services company stores credit card numbers in a cloud-based data lake for analytics purposes. The company wants to minimize…
- An organization is deploying a tokenization solution to protect PII stored across multiple public cloud regions. The solution uses a token…
- An organization hosting a SaaS application processes customer PII in a multi-tenant cloud environment. The security team needs to ensure…
- Centralize consent and data-subject-right enforcement at the API gateway
Privacy-by-design favors a single policy enforcement/decision point rather than scattering checks across services. A consent-management API acts as a policy decision point that evaluates each data-access query against stored consent before processing, and a dedicated data-subject-request endpoint at the API gateway orchestrates actions like Article 17 erasure across all downstream microservices.
3 questions test this
- Your organization is developing a cloud-hosted SaaS application that processes personal data of EU residents through multiple APIs. The…
- Your organization is developing a cloud-based application that must manage user consent for multiple data processing activities. The…
- Under GDPR Article 17, a data subject requests erasure of their personal data from your cloud application. The application uses an API…
Cloud Audit Process
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Enterprise Risk Management
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Outsourcing & Cloud Contracts
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.