CloudSecurityAlliance.CCSK.v2026-02-16.q258 Dumps

Question 111

What Identity and Access Management (IAM) process decides to permit or deny a subject access to system objects like networks, data, or applications?

Correct Answer: A
The correct answer is A. Authorization. In Identity and Access Management (IAM), authorization is the process of determining whether a subject (user, application, or device) has the right to access a specific system object, such as networks, data, or applications. Authorization decisions are made after successful authentication and are based on the subject's permissions, roles, or attributes.
Key Characteristics of Authorization:
Decision Making: Determines if access is permitted or denied based on policies or permissions.
Role and Attribute-Based Access: Often uses Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC) mechanisms to enforce policies.
Post-Authentication Process: Occurs after authentication has verified the user's identity.
Resource-Specific: Determines the level of access or specific operations (like read, write, execute) a user is allowed.
Example Scenario:
When a user logs into a cloud platform, the system first authenticates the user (verifies their identity) and then authorizes their access to specific resources, such as viewing data in an S3 bucket or managing a VM instance. The access policies define what actions the authenticated user can perform.
Why Other Options Are Incorrect:
B: Federation: Involves linking a user's identity across multiple systems or domains but does not decide access permissions.
C: Authentication: The process of verifying a user's identity, typically through passwords, biometrics, or multi-factor authentication (MFA), but it does not determine resource access.
D: Provisioning: Refers to creating and managing user accounts and permissions, but it does not make real-time access decisions.
Real-World Context:
In cloud environments, services like AWS IAM or Azure AD use policies to authorize user actions after they have been authenticated. For instance, an AWS IAM policy might allow a user to list S3 buckets but deny deletion.
References:
CSA Security Guidance v4.0, Domain 12: Identity, Entitlement, and Access Management
Cloud Computing Security Risk Assessment (ENISA) - IAM and Access Control
Cloud Controls Matrix (CCM) v3.0.1 - Identity and Access Management Domain

Question 112

Which of the following is a responsibility of the cloud customer?

Correct Answer: A
Image asset management. Cloud compute deployments are based on master images (be it a virtual machine, container, or other code) that are then run in the cloud. This is often highly automated and results in a larger number of images to base assets on, compared to traditional computing master images. Managing these, including which meet security requirements, where they can be deployed, and who has access to them, is an important security responsibility.
Reference: CSA Security Guidelines V.4 (reproduced here for educational purposes)

Question 113

What is a primary objective during the Detection and Analysis phase of incident response?

Correct Answer: B
During the Detection and Analysis phase of incident response, the primary objective is to validate alerts to determine whether they represent a genuine security incident, and to estimate the scope of the incident to understand the potential impact on the organization. This phase involves analyzing evidence, confirming the nature of the incident, and gathering the necessary information to move forward with containment and remediation.
Developing and updating incident response policies is important but occurs more during the preparation phase, not during the detection and analysis of an active incident. Performing detailed forensic investigations typically takes place during later phases, such as Containment, Eradication, & Recovery or Post-Incident Analysis. Implementing network segmentation and isolation may be part of the Containment phase but is not the primary focus during the Detection and Analysis phase.

Question 114

In the IaaS shared responsibility model, which responsibility typically falls on the Cloud Service Provider (CSP)?

Correct Answer: B
In the Infrastructure as a Service (IaaS) shared responsibility model, the Cloud Service Provider (CSP) is typically responsible for securing the physical infrastructure, which includes the physical security of data centers, servers, networking hardware, and the physical security controls that protect them from unauthorized access or damage.
Encrypting data at rest is typically the responsibility of the consumer, though the CSP may offer tools to help with this. Managing application code is the responsibility of the consumer, as they control and deploy the applications on the infrastructure provided by the CSP. Configuring firewall rules is also the responsibility of the consumer, as they manage the configuration of the virtual network, including security rules like firewalls.

Question 115

Which of the below hypervisors are OS-based and more attractive to attackers?

Correct Answer: B
Type II hypervisors are OS-based and more attractive to attackers. There are a lot of vulnerabilities, found not only in the OS but also in applications residing on the OS.