Cloud Security Question Bank

The document is a question bank for the Introduction to Cloud Security course at Srinivas University, targeting BCA students. It includes multiple-choice questions, essay prompts, and detailed explanations on topics such as virtualization, cloud governance, and security risks associated with virtualization. The content covers various types of virtualization, their benefits, risks, and countermeasures, along with specific attacks like hyper jacking.


Srinivas University
ICIS
Introduction to Cloud Security

Question Bank – for 1st Internal Exam

III Semester, Bachelor of Computer Application (BCA)

INSTITUTE OF COMPUTER SCIENCE & INFORMATION SCIENCE

UNIT 1
MCQ 1 MARK

1. ______ offering provides the tools and development environment to deploy applications on
another vendor’s application.
a. PaaS
b. IaaS
c. CaaS
d. All of the above
ans. b

2. Which type of hypervisor runs on a bare system?


a) Type 1
b) Type 2
c) Type 3
d) None of the above
ans. a

3. Which of the following is an example of a PaaS delivery model?


a) Salesforce.com
b) Amazon web service
c) Google App Engine
d) Google Chrome
ans. c
4. A web browser is an example of a __________cloud delivery model.
a) SaaS
b) PaaS
c) CaaS
d) IaaS
ans. a
5. What is CTP?
a) Cloud Trust Protocol.
b) composite Trust Protocol
c) Common Trust Protocol
d) Cloud Transmission Protocol
ans. A

6. The deployment of Cloud Trust Protocol (CTP) from cloud consumers is itself a cloud
capability known as ____________.
a) Software as a Service
b) Infrastructure as a Service
c) Platform as a Service
d) Transparency as a Service
ans. d

7. Which of the following SaaS platform is with an exposed API?


a. salesforce.com
b. amazon.com
c. flipkart.com
d. all of the above
ans. a

8. In which type of attack, “the hypervisor installs without requiring a restart and the
computer functions normally, without degradation of speed or services, which makes
detection difficult. It executes as a hypervisor to gain control of computer resources.”
a) Virtual machine jumping
b) Vitriol
c) Blue pill
d) Sub virt
ans. c
9. Which type of testing in cloud is Disaster Recovery testing ?
a) Functional testing
b) Non-functional testing
c) Ability testing
d) None
ans. c

10) Cloud governance must be implemented in
(a) Private Cloud
(b) Public Cloud
(c) Hybrid Cloud
(d) All the above
Answer d)

11) What is cloud bursting?
(a) Using public cloud resources to handle spikes in demand
(b) Using private cloud resources for better security
(c) Using hybrid cloud model for better efficiency
(d) All of the above
Answer a)

12. Which type of cloud testing ensures that software functions work according to the
requirements and that software properly interacts with hardware?
a) Functional testing
b) Non-functional testing
c) Ability testing
d) None
ans. A
13) Cloud Governance handles which one of the following issues?
(a) Vendor Lock-in
(b) Privacy in the cloud
(c) Compliance issues
(d) All the above
Answer d)

14) Cloud Governance acts as the guidance for
(a) Cloud Adoption
(b) Cloud Usage
(c) Cloud Management
(d) All the above
Ans. d

15. What do the different virtual machines correspond to?
a) Same Server
b) Same Entity
c) Separate entities
d) None of these
ans. C

ESSAY QUESTIONS
1. Elaborate on Virtualization and its business benefits.
ANS.
In the late 1990s and early 2000s virtualization started to take a foothold in the corporate enterprise market, and today the applications of this technology have made it a must-have for all businesses.
There are many types of Virtualization solutions businesses have adopted, such as Server
Virtualization, Desktop Virtualization, Storage Virtualization and Network Virtualization.
Virtualization is a technology that allows multiple virtual instances or environments to run on
a single physical hardware system.
Virtualization creates virtual or simulated versions of physical resources such as servers,
storage devices, or network infrastructure, and makes them available as virtual resources.
These virtual resources can then be used to run multiple operating systems or applications
independently of one another.
Business Benefits:
1. Redundancy and instant failover abilities:
Without redundancy, many businesses would experience numerous problems with lost data.
Virtualization provides instant failover abilities which make things more efficient. Two
servers are usually connected so that if one experiences problems, the other can continue
working as if nothing happened. Such activity prevents unnecessary interruptions that would
otherwise lead to losses.
2. Smooth migration of resources
Virtualization makes it easy to switch from physical to virtual infrastructure as the need arises: storage can be provisioned as virtual disks, and you can quickly fall back to physical storage when required. This way, administrators avoid wasting resources by providing only what is needed at a particular time, without negatively impacting operations.
3. Virtual firewalls and security
Business ventures can benefit from virtual firewalls to protect access and data at lower costs than traditional methods. Virtual security involves using advanced controls such as a virtual switch to protect against malicious attacks. Applications are isolated so that malware in one cannot reach the others.
4. Improved IT support
Companies must provide excellent customer support to keep or maintain their customers.
This can be quite a challenge for ventures without enough manpower to provide customer
support when it is needed. Moving to the virtual space is a great solution that instantly
improves IT support to ensure a seamless data flow for various operations.
5. Reduced costs and a greener environment
Virtualization reduces costs by using fewer servers more efficiently. It avoids wasting
resources and cuts down on the space needed in data centers. This not only saves money but
also helps the environment by using less energy and producing a smaller carbon footprint. It's
a win-win for businesses and the planet.

2. Describe various types of virtualization.


Ans.
Server Virtualization:
Server virtualization means running multiple operating systems on a single physical server as
virtual machines. Each virtual machine can use the server's resources.
Without virtualization, a physical server normally uses only a small part of its capacity, which is inefficient and leads to server sprawl and complexity.
Desktop Virtualization:
Desktop virtualization allows users to access their computer desktops from other devices, like
a laptop or mobile, over a network connection.
The computer hosting these desktops becomes a server that can handle multiple virtual
desktops for different users.
Users benefit from being able to access their desktops from anywhere, and their resources are
centralized, making it easy to work from different locations.
Network Virtualization:
Network virtualization replicates a physical network using software.
It offers virtual versions of network devices like switches, routers, and firewalls.
Applications run on this virtual network just like they would on a physical network.
These technologies make it more efficient to use servers, access desktops from various
devices and locations, and create flexible virtual networks.

3. Discuss various virtualization risks and attacks.


Ans.
1. External attacks
If attackers gain access to your host-level or VMware vCenter server, this opens doors for
them to access other important VMs, or even create a user account with admin rights that
could be used over a long period of time to collect or destroy sensitive company data.
2. Keeping snapshots on VMs
Snapshots are meant to be retained for only a short time. Attackers or malicious insiders
could collect valuable data from snapshots.
3. Sharing files between VM and host, or copy-pasting between host and remote console
4. VM sprawl (too many virtual machines):
Another important security risk is the proliferation of VMs, which is often caused by developers or IT admins creating VMs for testing purposes but failing to delete them once the testing period is over. In fact, VMs can be created so easily that IT teams have a tough challenge to track how many there are, and when and where they are deployed. As a result, these VMs are often left unpatched and unprotected. In addition to being vulnerabilities, they also consume valuable hardware and other resources.
5. Viruses, ransomware and other malware:
VMs are vulnerable to many different kinds of attacks. One of the most common is ransomware, such as CryptoLocker. It's essential to maintain regular backups of your data off site, where they cannot be encrypted; without backups, you might have to pay the hackers to provide the decryption key. However, even with proper backup management, restoring many VMs is difficult and time consuming. Therefore, you should also train all users on a regular basis to minimize the risk of introducing ransomware.

4. Explain various strategies and countermeasures for addressing virtualization risks.
Ans. Best practices for keeping your virtual environment safe
1. Secure all the parts of the infrastructure
Just like you lock the doors and windows to keep your house safe, you need to protect all
parts of your computer setup. This includes the physical stuff like the main computers,
network equipment, and storage, as well as the virtual parts like the virtual machines and the
cloud stuff you might use.
2. Keep everything up to date
Keep everything up to date with the latest improvements, like updating the apps on your phone. This way, you're ready to face any challenges that come your way.
3. Have a strong backup and disaster recovery (DR) plan
A proper backup and DR plan is essential for ensuring business continuity, whether you suffer a malware attack or a hurricane brings down your production datacenter. Having a DR site at a remote datacenter or in the cloud helps mitigate the risk of prolonged downtime.
Here are two important tips to keep in mind as you create your DR plan:
Back up both VMs and physical servers.
Use the 3-2-1 backup rule: create and keep at least 3 copies of your data and store 2 backup copies on different storage media, with 1 of them located off site.

5. Explain hyperjacking.
Ans.
Hyperjacking is like a sneaky hacker move: the attacker tries to take control of the boss of all the virtual computers (the hypervisor) inside a big computer.
Why? So they can secretly mess with the main computer underneath all the little ones (the virtual machines) and do bad stuff without the little computers even knowing they're there.
In essence, hyperjacking is a technique where attackers target the controlling software (hypervisor) of virtual machines to do their dirty work without being detected by the virtual machines themselves. To do this, the attacker installs a malicious hypervisor that looks just like the real one, from which they can manage the entire server system.
Regular security measures are ineffective because the operating system will not be aware that the machine has been infected.
In hyperjacking the rogue hypervisor operates in stealth mode and runs beneath the machine, which makes it harder to detect and more likely to gain access to servers where it can affect the operation of the entire institution or company.
The hypervisor therefore represents a single point of failure for the security and protection of sensitive information.

For a hyperjacking attack to succeed, an attacker would have to take control of the hypervisor by one of the following methods:
- Injecting a rogue hypervisor beneath the original hypervisor
- Directly obtaining control of the original hypervisor
- Running a rogue hypervisor on top of an existing hypervisor
Here are simple ways to protect against hyperjacking:
- Security management of the hypervisor must be kept separate from regular traffic: make sure the tools that manage its security are kept on a dedicated management network, away from regular traffic. It's like having a security office in a different building.
- Guest operating systems should never have access to the hypervisor.
- Management tools should not be installed or used from a guest OS. Don't let guests mess with the guard: they shouldn't have any access to the guard (hypervisor).
- Keep the guard (hypervisor) updated: just like your phone gets updates, the hypervisor needs them too. Regularly install the latest fixes and improvements to keep it strong and secure.
6. Explain various hyperjacking attacks in virtualization
Ans.
SUBVIRT ATTACK: Implementing malware with virtual machines
In the world of computers, some people try to take control of systems for different reasons. Attackers and defenders of computer systems both want to have full control over a system. They do this by getting deep into the computer's operating system.
SubVirt introduced a new kind of harmful software called a "hypervirus".
This hypervirus is designed to give attackers even more control over a computer.
Here's how it works:
It installs a special program called a "virtual-machine monitor" (rogue hypervisor) under the regular operating system.
This virtual-machine monitor essentially turns the regular operating system into a virtual machine.
This idea is troublesome because it's very hard to detect and remove these hyperviruses. Even the regular software running on the computer can't see what's happening with the hypervirus.
Hyperviruses also let attackers run harmful programs in a separate, protected area that the main computer system can't touch.
BLUE PILL ATTACK (SOFTWARE):
Blue Pill is a special kind of computer software, often called a "rootkit," that's designed to be
very sneaky and hard to detect. It does some clever things with your computer's inner
workings, specifically using a technology called virtualization.
Here's a breakdown of the key points:
Rootkit: A rootkit is a type of software that hides itself on your computer and gives an
attacker secret control over it. It's like a hidden backdoor into your computer.
Virtualization: Virtualization is a technology that allows one computer to act like it's actually
many computers. It's often used in data centers to make better use of computer servers.
AMD-V and Intel VT-x: These are technologies built into certain computer processors that
help with virtualization. Blue Pill can use either of them.
Joanna Rutkowska: This person is a computer security expert who came up with the idea and
made an example of how Blue Pill could work.
Red Pill and Blue Pill Reference: The names "Red Pill" and "Blue Pill" come from the movie
"The Matrix." In the movie, taking the "red pill" means seeing the truth, while the "blue pill"
means staying in a false reality. In the context of Blue Pill software, it's like saying it helps
hide things on your computer so you don't see the truth.
7. Discuss the compliance and management challenges in cloud virtualization.
ANS.
- PERFORMANCE MONITORING: Unlike physical servers, monitoring the performance of virtual servers requires a different approach. In a virtual infrastructure the VMs share common hardware resources such as CPU, memory and storage.
When a host runs many virtual machines (VMs), they all share the same CPU and memory. To make sure everything runs smoothly, different things must be watched than on a regular computer.
Counters such as "CPU ready", "memory ready", "memory balloon" and "swapped memory" show whether each VM is getting enough resources.
- SECURITY: In virtualized systems the component in charge of security is the hypervisor. If the hypervisor is compromised, all the confidential data on the host is in danger. This is hyperjacking: attackers secretly put their own security guard (a rogue hypervisor) in charge, and the system does not realise it has been compromised.
- There is also an attack called "VM jumping" or "guest-hopping". It is like a spy moving from one room to another in your house without you knowing. These attacks use weaknesses in the hypervisor to break isolation and get into other rooms (VMs), or even the hypervisor itself.
- This can happen when attackers get into a less secure room (a low-value VM) first and then use it to reach more secure VMs or even take control of the hypervisor.
- To stop these attacks, the hypervisor and all the rooms (VMs) must be protected equally well.
- MANAGING VM SPRAWL: Virtualization can create too many virtual machines (VMs) that are not used efficiently. This is called "VM sprawl". To stop it, the VMs must be monitored and adjusted so they use resources just right, like keeping the right number of toys and not too many. This saves resources.
- ATTACKS ON VIRTUALIZATION FEATURES: Virtualization offers many useful features, such as moving virtual machines (VMs) from one host to another (VM migration) and creating networks between them (virtual networking). These features make computing more flexible and efficient, but if they are not used carefully, attackers can take advantage of them. For example, if VM migration is not done securely, it can expose everything inside a virtual machine.
- COMPLIANCE AND MANAGEMENT CHALLENGES: Following rules and keeping the system organized is hard with virtualization. One cause is VM sprawl: some VMs are just sitting there unused, which makes it tricky to know whether everything is working as it should.
- Managing and securing everything is also hard because there are so many VMs, each of which has to be kept safe and updated.
- So, managing rules and keeping things organized with virtualization can be a real challenge.
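The performance-monitoring point above names the counters (CPU ready, memory balloon, swapped memory) that reveal contention between VMs sharing a host. As an added example, not part of the question bank, the Python below turns constructed per-VM samples into findings; the millisecond-to-percent conversion for CPU ready and the thresholds are this example's assumptions.

```python
"""Flag VM resource contention from the counters the text names:
CPU ready, balloon memory and hypervisor-swapped memory.
All samples below are constructed for this example."""

# Assumption: CPU ready arrives as milliseconds summed over a 20 s
# sampling interval and across all vCPUs of the VM (a vSphere-style
# 'summation' counter). Dividing by the interval and the vCPU count
# gives the average percentage of time a vCPU waited to be scheduled.
# The thresholds below are this example's assumptions.
INTERVAL_MS = 20_000
READY_PCT_LIMIT = 5.0


def cpu_ready_pct(ready_ms, vcpus, interval_ms=INTERVAL_MS):
    """Average CPU ready % per vCPU over one sampling interval."""
    if vcpus <= 0:
        raise ValueError("vcpus must be positive")
    return 100.0 * ready_ms / (interval_ms * vcpus)


def contention_findings(sample):
    """Return a list of findings for one VM sample (empty = healthy)."""
    findings = []
    ready = cpu_ready_pct(sample["cpu_ready_ms"], sample["vcpus"])
    if ready > READY_PCT_LIMIT:
        findings.append(f"CPU ready {ready:.1f}% (host CPU contention)")
    # Any ballooning means the host is under memory pressure and is
    # reclaiming guest memory through the balloon driver.
    if sample["balloon_mb"] > 0:
        findings.append(f"{sample['balloon_mb']} MB ballooned (host memory pressure)")
    # Hypervisor swap is worse: guest memory is paged to disk without
    # the guest OS knowing, so the VM's performance collapses.
    if sample["swapped_mb"] > 0:
        findings.append(f"{sample['swapped_mb']} MB swapped by the hypervisor")
    return findings


def contention_report(samples):
    """Map VM name -> findings, for VMs that have at least one."""
    report = {}
    for s in samples:
        f = contention_findings(s)
        if f:
            report[s["name"]] = f
    return report


# Constructed samples (one 20 s interval each).
SAMPLES = [
    {"name": "app-01", "vcpus": 2, "cpu_ready_ms": 400,
     "balloon_mb": 0, "swapped_mb": 0},
    {"name": "app-02", "vcpus": 4, "cpu_ready_ms": 6000,
     "balloon_mb": 512, "swapped_mb": 0},
    {"name": "db-01", "vcpus": 8, "cpu_ready_ms": 2000,
     "balloon_mb": 0, "swapped_mb": 128},
]

if __name__ == "__main__":
    for name, findings in contention_report(SAMPLES).items():
        print(name)
        for f in findings:
            print("  -", f)
```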
8. Explain Blue Pill attack
ANS. Blue Pill is the codename for a rootkit based on x86 virtualization.
Blue Pill originally required AMD-V (Pacifica) virtualization support, but was later ported to support Intel VT-x (Vanderpool) as well. It was designed by Joanna Rutkowska and originally demonstrated at the Black Hat Briefings on August 3, 2006, with a reference implementation for the Microsoft Windows Vista kernel.
Blue Pill is a special kind of computer software, often called a "rootkit," that's designed to be
very sneaky and hard to detect. It does some clever things with your computer's inner
workings, specifically using a technology called virtualization.
Here's a breakdown of the key points:
Rootkit: A rootkit is a type of software that hides itself on your computer and gives an
attacker secret control over it. It's like a hidden backdoor into your computer.
Virtualization: Virtualization is a technology that allows one computer to act like it's actually
many computers. It's often used in data centers to make better use of computer servers.
AMD-V and Intel VT-x: These are technologies built into certain computer processors that
help with virtualization. Blue Pill can use either of them.
Joanna Rutkowska: This person is a computer security expert who came up with the idea and
made an example of how Blue Pill could work.
9. Explain terminologies VM sprawl and virtual machine jumping
Ans.
VM Sprawl: Virtualization sprawl is a phenomenon that occurs when the number of virtual
machines (VMs) on a network reaches a point where administrators can no longer manage
them effectively or properly. Virtualization sprawl is also referred to as virtual machine
sprawl, VM sprawl or virtual server sprawl.
VM sprawl just means too Many Virtual Machines. VM Sprawl is often caused by developers
or IT admins creating VMs for testing purposes but failing to delete them once the testing
period is over. In fact, VMs can be created so easily that IT teams have a tough challenge to
track how many there are, and when and where they are deployed or used. As a result, these
VMs are often left unpatched and unprotected. In addition to being vulnerabilities, they also
consume valuable hardware and other resources.
VM sprawl has become a common challenge for many organizations, and the more they rely
on virtualization, the more likely they are to encounter this problem. Because sprawl can
occur gradually, IT teams might not be aware of it at first. By the time they do realize it, the
problem is often quite serious. Even when VM admins are aware of the issue, they can still
have a difficult time identifying and removing the unwanted VMs.
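The VM sprawl discussion above lists the symptoms (forgotten test VMs, no clear owner, unpatched, never powered on). As an added example, not from the question bank, the Python below scores a constructed VM inventory against those symptoms; the day limits and the inventory fields are this example's assumptions.

```python
"""Flag VMs that look like sprawl: no recorded owner, test VMs kept past
their time-to-live, long idle, or not patched recently. The inventory
is constructed sample data, not output of any real tool."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Fixed "today" so the example is reproducible. The day limits below
# are this example's assumptions, not figures from the text.
TODAY = date(2024, 3, 1)
IDLE_DAYS = 60
TEST_TTL_DAYS = 30
PATCH_DAYS = 90


@dataclass
class VM:
    name: str
    owner: Optional[str]        # who is accountable for the VM
    purpose: str                # "prod", "test", ...
    created: date
    last_active: date           # last time the VM was powered on / used
    last_patched: Optional[date]


def sprawl_findings(vm: VM, today: date = TODAY) -> List[str]:
    """Reasons this VM counts as sprawl (empty list = fine)."""
    findings = []
    if not vm.owner:
        findings.append("no owner recorded")
    if vm.purpose == "test" and (today - vm.created).days > TEST_TTL_DAYS:
        findings.append(f"test VM older than {TEST_TTL_DAYS} days")
    if (today - vm.last_active).days > IDLE_DAYS:
        findings.append(f"idle for more than {IDLE_DAYS} days")
    if vm.last_patched is None or (today - vm.last_patched).days > PATCH_DAYS:
        findings.append(f"not patched in the last {PATCH_DAYS} days")
    return findings


def sprawl_report(inventory: List[VM], today: date = TODAY) -> Dict[str, List[str]]:
    """Map VM name -> findings for every VM that has at least one."""
    report = {}
    for vm in inventory:
        f = sprawl_findings(vm, today)
        if f:
            report[vm.name] = f
    return report


# Constructed inventory.
INVENTORY = [
    VM("web-prod-01", "ops", "prod", date(2023, 1, 10), date(2024, 2, 28), date(2024, 2, 15)),
    VM("dev-test-07", None, "test", date(2023, 11, 1), date(2023, 11, 20), None),
    VM("db-prod-02", "dba", "prod", date(2022, 6, 1), date(2024, 2, 29), date(2023, 10, 1)),
    VM("qa-test-03", "qa", "test", date(2024, 2, 20), date(2024, 2, 25), date(2024, 2, 20)),
]

if __name__ == "__main__":
    for name, findings in sprawl_report(INVENTORY).items():
        print(name + ": " + "; ".join(findings))
```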
Virtual machine jumping:
Virtual machine hyper jumping (VM jumping) is an attack method that exploits a weakness in the hypervisor that allows a virtual machine (VM) to be accessed from another. Such vulnerabilities allow remote attacks and malware to compromise the VM's separation and protections, making it possible for an attacker to gain access to the host computer, the hypervisor and other VMs, in addition to being able to jump from one VM to another.
Imagine your computer world as a big building with many rooms (virtual machines or VMs).
Sometimes, sneaky attackers find a way to secretly go from one room to another. It's like
they're jumping around inside your computer world.
How It Happens:
They do this by taking advantage of a weakness in the computer's main manager
(hypervisor). This lets them enter one room (VM) and then move to other rooms (other
VMs), like going from one friend's room to another without permission.
Weakness of Hypervisor:
Imagine the hypervisor as the guardian of your virtual rooms (VMs). It's like the main
security guard. Sometimes, there's a small hole or weakness which attackers try to find. Once
they identify the weakness it is easy for them to continue their malicious work.
Exploiting Less Secure VMs:
Attackers usually target one Virtual Machine (VM) that is not well-guarded (less secure). It's
like picking an unlocked room or Unprotected VM to enter. Once they're in, they can use that
Virtual Machine as a starting point to move around and cause trouble in other Virtual
Machines, even reaching the main control center (host or main Computer).
These attacks can occur due to insecure operating systems, such as older versions of Windows, which lack modern security features such as protection against poisoned cookies, address space layout randomization (ASLR) and a hardened stack.
Here's how to stop it in simple terms:
- Keep web and database traffic apart: if one virtual machine is for the internet (web) and another is for storing data (database), make sure they don't have a direct door to the internal network. Deny the access.
- Use private VLANs to hide the VMs from one another and only allow the guest machines to talk to the gateway. It's like an invisible fence (private VLANs) that keeps each VM in its own space: they can talk to a common point (gateway) but not directly to each other.
- Use the latest and most secure operating systems with up-to-date security patches.

10. Explain the characteristics of cloud.


Ans.
On-Demand Self-Service: This means you can easily get more computer stuff (like storage
or servers) without talking to the computer company. It's like ordering things online when
you need them.
Broad Network Access: Cloud services are accessed through networks such as the internet or local connections. Cloud resources are made accessible via network connections, making them available to a wide range of customer platforms, whether accessed over the internet or through a private local area network (LAN) in the case of private clouds.
Multi-Tenancy and Resource Pooling: Multiple users share the same infrastructure while maintaining privacy and utilizing common resources. This concept is akin to people residing in an apartment building, sharing the same building's infrastructure while maintaining individual privacy within their apartments. The cloud works the same way.
Rapid Elasticity and Scalability: Cloud computing allows you to easily adjust the amount
of computer resources you use. You can quickly get more when you need it or give some
back when you don't, just like changing the number of seats at a table as guests come and go.
This is handy for businesses to handle varying workloads efficiently.
Measured Service: With cloud, you pay only for what you use, just like how you pay for
electricity. If you use more, you pay more. It helps you keep track of your computer expenses
easily.
INTRODUCTION TO CLOUD SECURITY QUESTION BANK

UNIT 2

Multiple Choice Questions


1. Which of the following is NOT a cloud deployment model?
a) Public Cloud
b) Private Cloud
c) Community Cloud
d) Virtual Cloud
Correct Answer: d) Virtual Cloud
2. Which cloud model offers services over the internet to the general public?
a) Private Cloud
b) Public Cloud
c) Hybrid Cloud
d) Community Cloud
Correct Answer: b) Public Cloud
3. What is the primary purpose of the Cloud Trust Protocol (CTP)?
a) To manage cloud billing
b) To ensure data privacy
c) To establish secure communication between users and cloud service providers
d) To monitor cloud performance
Correct Answer: c) To establish secure communication between users and cloud service providers
4. Which of the following is an example of SaaS?
a) Amazon EC2
b) Google Docs
c) Microsoft Azure
d) VMware
Correct Answer: b) Google Docs
5. Which type of cloud model combines public and private cloud services?
a) Public Cloud
b) Private Cloud
c) Hybrid Cloud
d) Community Cloud
Correct Answer: c) Hybrid Cloud
6. Which of the following is NOT a category of cloud security transparency?
a) Performance Transparency
b) Billing Transparency
Asst. Prof. Rhea Uppala, ICIS

c) User Transparency
d) Configuration Transparency
Correct Answer: c) User Transparency
7. Which of the following is a threat to cloud security?
a) Data Breaches
b) Encryption
c) Identity Management
d) Load Balancing
Correct Answer: a) Data Breaches
8. What is the primary advantage of SECaaS?
a) High Cost
b) Limited Accessibility
c) Scalability
d) Dependency on internal expertise
Correct Answer: c) Scalability
9. What does "Auditing" in cloud security services refer to?
a) Assigning user permissions
b) Keeping a record of activities in the cloud
c) Encrypting sensitive data
d) Managing user authentication
Correct Answer: b) Keeping a record of activities in the cloud
10. Which strategy helps prevent data breaches in a cloud environment?
a) Disabling multi-factor authentication
b) Regularly auditing APIs
c) Data Encryption
d) Allowing unrestricted access
Correct Answer: c) Data Encryption
11. Which of the following testing methods involves the tester having no knowledge of the internal workings
of the software?
a) White Box Testing
b) Black Box Testing
c) Gray Box Testing
d) Penetration Testing
Correct Answer: b) Black Box Testing
12. Which layer of cloud service focuses on providing virtual machines, storage, and networking?
a) IaaS


b) PaaS
c) SaaS
d) SECaaS
Correct Answer: a) IaaS
13. Which of the following is an example of a cloud service provider offering a private cloud solution?
a) Google Cloud Platform
b) IBM Cloud Dedicated
c) Dropbox
d) Microsoft Office 365
Correct Answer: b) IBM Cloud Dedicated
14. What does SECaaS stand for?
a) Security as a Software
b) Service Enabled Cloud Security
c) Security as a Service
d) Secure Enterprise Cloud Service
Correct Answer: c) Security as a Service
15. Which of the following is NOT an advantage of SECaaS?
a) Cost-Effective
b) Privacy Concerns
c) Expertise
d) Scalability
Correct Answer: b) Privacy Concerns
16. Which statement is true about the “Denial of Service (DoS)” threat?
a) It involves unauthorized data access.
b) It ensures data encryption.
c) It overwhelms the cloud, causing services to slow down or stop.
d) It provides secure APIs for communication.
Correct Answer: c) It overwhelms the cloud, causing services to slow down or stop.
17. Which of the following describes the process of "Penetration Testing"?
a) Encrypting data to prevent unauthorized access
b) Simulating cyberattacks to identify vulnerabilities
c) Backing up data regularly
d) Setting up multi-factor authentication
Correct Answer: b) Simulating cyberattacks to identify vulnerabilities
18. Which cloud security measure ensures that only authorized users can access specific data?
a) Authentication

b) Authorization
c) Auditing
d) Account Hijacking
Correct Answer: b) Authorization
19. What is the purpose of code obfuscation in secure cloud software testing?
a) To enhance software performance
b) To make the source code difficult to understand
c) To test the software in a real-world environment
d) To simplify the software architecture
Correct Answer: b) To make the source code difficult to understand
20. Which of the following is a common mitigation strategy for insecure APIs?
a) Ignoring API vulnerabilities
b) Conducting routine audits
c) Allowing unrestricted access
d) Disabling encryption
Correct Answer: b) Conducting routine audits

LONG ANSWER QUESTIONS:

1. Describe the various types of cloud based on their deployment models.


ANS:
1. Public Cloud: In a public cloud deployment, cloud services and resources are offered over the internet by third-party providers. These services are available to the general public, and multiple customers share the same infrastructure. Public clouds offered by Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) are shared by multiple users.
2. Private Cloud: Private cloud services, like those provided by VMware and OpenStack, are dedicated
exclusively to one organization. For example, a company might establish its private cloud infrastructure
within its own data centers or use a private cloud service from a provider like IBM Cloud Dedicated.
3. Hybrid Cloud: Hybrid cloud deployments, like using AWS(public cloud) for storing and processing non-
sensitive data while utilizing a private cloud from OpenStack for sensitive customer information, combine
public and private cloud services. This allows businesses to maintain flexibility and data sharing between
different cloud environments, adjusting their resources based on specific needs.

2. Illustrate the working of IaaS, PaaS and SaaS.


ANS:
Infrastructure as a Service (IaaS):
1. It is highly based on Virtualization Technology.
2. Instead of buying a physical computer, you can rent a virtual one in the cloud.


3. Pick how powerful your virtual computer should be (how much RAM, storage, etc.).
4. You only pay for the time you use the virtual computer, and you can stop or change it whenever you want.
Platform as a Service (PaaS):
1. You Want to Build a website or App: Instead of starting from scratch, you use a pre-built platform that has
tools for coding and deploying.
2. You don't worry about setting up servers or managing the technical details. You just write your code.
3. It is like a website builder where you focus on designing, and the platform takes care of the technical stuff.
4. You can utilize tools and resources to build your web application.
Software as a Service (SaaS):
1. Instead of buying and installing software on your computer, you access it over the internet.
2. You log in to a website and start using the software. No installations or updates needed on your device.
3. The company providing the software takes care of updates, security, and maintenance.
4. Example: Like using Gmail for email or Google Docs for documents without installing anything on your
computer.

3. What is Cloud Trust Protocol? How to evaluate the trust between Cloud consumer and the service
provider?
ANS:
1. The Cloud Trust Protocol (CTP) is part of the Trusted Cloud Initiative (TCI), a program by the Cloud
Security Alliance (CSA).
2. The Cloud Trust Protocol (CTP) is a set of security guidelines designed to ensure the safe and smooth
interaction between users and cloud service providers.
To evaluate trust between a cloud user and a service provider:

• Identity and Access Management (IAM): Make sure the provider has secure ways for you to log in and
control who can access your data.
• Data Encryption: Ensure that the provider encrypts your data, making it unreadable to unauthorized users.
• Responsibilities: Understand who is responsible for what: the cloud provider, and you as the user. This
clarity helps in case of any issues.

4. Explain the concept of Transparency in cloud security services and different categories of cloud security
transparency?
ANS:

1. Transparency in cloud security means being clear and open about how a cloud service provider (CSP) keeps
your data safe.
2. It means that the cloud service provider openly shows you the steps they take to protect your data and
applications.
Different categories of cloud security transparency:
1. Performance Transparency: Knowing how well your cloud service is working. It helps you trust that the
service is fast and reliable.
2. Billing Transparency: Understanding how much you're paying and why. Keeps your expenses clear so you
know where your money is going.
3. Configuration Transparency: Understanding how the cloud service is set up.
4. Workload Transparency: Knowing how much the cloud can handle in terms of tasks.


5. Explain various threats to cloud security.


ANS: (write any 5)
1. Data Breaches: A data breach is when unauthorized individuals access and take sensitive information,
potentially causing harm or misuse.
2. Data Loss: Valuable information disappearing, either accidentally or due to malicious actions. Imagine losing
your important files without a way to get them back.
3. Account Hijacking: Unauthorized individuals taking control of someone's cloud account: someone other
than you accessing and using your account for malicious activity without permission.
4. Insecure APIs: An insecure API (Application Programming Interface) poses a risk to cloud security. APIs are
like bridges that allow different software systems to communicate. If an API is insecure, it means there are
vulnerabilities or weaknesses in this communication link. Hackers might exploit these weaknesses to gain
unauthorized access or manipulate data within the cloud system.
5. Denial of Service (DoS): Overwhelming the cloud so much that it becomes slow or completely shuts down.
It's like a traffic jam on the internet highway, making it hard for others to get access to services or websites.
6. Malicious Insiders: People within the company intentionally causing harm to the cloud's security. A spy
working from the inside, betraying their own team.

6. Describe various cloud security threat mitigation strategies.


ANS: Mitigation Strategies for Cloud Security Threats: (any 5)
Data Breaches:
• Safeguard sensitive data through encryption, making it unreadable to unauthorized individuals.
• Restrict access to sensitive information based on user roles and permissions.
Data Loss:
• Ensure consistent backups of critical data to recover in case of accidental deletion or loss.
• Encrypt data to protect it even if it falls into the wrong hands.
Account Hijacking:
• Multi-Factor Authentication (MFA): Require additional verification steps beyond passwords for account
access (or two-factor authentication).
• Train users to recognize and report suspicious activities to prevent unauthorized account access.
Insecure APIs:
• Conduct routine audits to identify and fix vulnerabilities in APIs.
• Follow established API security standards to minimize weaknesses.
Denial of Service (DoS):
• Traffic Filtering: Implement traffic filtering mechanisms or tools to distinguish legitimate from malicious
traffic.
Malicious Insiders:
• Access Controls: Restrict employees' access based on their roles and responsibilities.
• Monitoring and Auditing: Regularly monitor user activities to detect any abnormal behavior.

7. Elaborate on SECaaS along with its various advantages and disadvantages.


ANS:
1. SECaaS stands for Security as a Service.
2. Instead of buying and managing all the security tools and software yourself, you hire a company to provide
these services over the internet.
Advantages of SECaaS:
• Cost-Effective: You don't have to buy expensive security tools; you pay for the services you need.
• Expertise: Security experts from the SECaaS provider take care of your security, bringing specialized
knowledge.
• Scalability: It can grow with your needs. If you need more security, you can easily get it without major
changes.
• Accessibility: You can access your security services from anywhere with an internet connection.

Disadvantages of SECaaS:
• Dependency: You rely on an external company for your security. If they have issues, your security might be
affected.
• Limited Control: You have less control over the security tools because they are managed by the service
provider.
• Privacy Concerns: Since your security data is with an external company, there may be concerns about the
privacy of your information.
• Internet Reliance: Your security is dependent on a stable internet connection. If your connection is down, you
might face security gaps.

8. Explain cloud security services: Authentication, Authorization, Auditing and Accountability (AAAA).
ANS:
1. Authentication: In the digital world, authentication is like entering a username and password to access your
accounts. It confirms that you are who you say you are.
2. Authorization: Once you've proven your identity, authorization comes into play. It's like having certain
permissions based on your role or status. User rights: what you can do after getting into a website or system.
3. Auditing: Think of auditing as keeping a digital record of everything that happens in the cloud. It tracks who
accessed the cloud, what actions they took, and when they did it. It's similar to a digital security guard keeping
watch and documenting all activities.
4. Accountability: If something goes wrong or there's a question about who did what, accountability helps trace
it back to the responsible person. It ensures there's a clear understanding of who is accountable for specific
actions in the cloud, supported by the audit trail document (an audit trail is a record of events, activities, or
changes that occur within a system or process).

AAAA in the context of Cloud Security Services works together to control access, monitor activities, and assign
responsibility in the digital space where information is stored and accessed over the internet.

9. Describe penetration testing on cloud environment.


ANS:
1. Penetration testing, often referred to as ethical hacking or "pen testing," is a security assessment approach
where trained professionals simulate cyberattacks to identify vulnerabilities in a system, network, or
application.
2. When conducting penetration testing in a cloud environment, the focus is on assessing the security of the
cloud infrastructure, services, and applications.
3. Tools like Whois and Nslookup gather information about the target network, while password-cracking tools
like Brutus and WebCracker identify weak passwords.
Testing Levels:
Level I (High-level): Examines organizational policies, procedures, standards, and guidelines without direct
system testing.
Level II (Network Evaluation): Involves hands-on activities like information gathering and scanning.
Level III (Penetration Test): Simulates a hacker's approach to identify vulnerabilities, emphasizing real-world
scenarios.


10. Discuss secure cloud software testing and the types of testing in the cloud.
ANS. Secure cloud software testing involves evaluating cloud-based applications and services to identify
vulnerabilities and ensure they meet security standards. It's essential due to the sensitive data often stored in the cloud.

Key Properties and Behaviours Checked:

• Predictable and Secure Behaviour: Ensures the software behaves as expected and securely under various
conditions.
• Vulnerability-Free: Identifies and addresses vulnerabilities and weaknesses.
• Error Handling: Verifies the software can maintain security even during attacks or faults.
• Code Obfuscation: Protects against reverse engineering by obscuring or obfuscating the source code. (By
obfuscating the code, developers make it challenging for others to understand the program's internal
workings. Obfuscating means deliberately making something unclear or difficult to understand.)
Types of testing in the cloud:
White Box Testing: Testers have full access to the internal workings of the software. They can see the source
code, architecture, and design documents.
Gray Box Testing: Testers have partial access to the internal structure. They can see some parts of the source
code but not everything.
Black Box Testing: Testers have no knowledge of the internal workings of the software. They interact with the
software from an external perspective, like a regular user. It's similar to using a device without knowing how it's
made.


UNIT 3
MULTIPLE CHOICE QUESTIONS:

1. What is the main purpose of identity management (IAM)?

A) Controlling software installations


B) Managing internet access
C) Confirming a user's identity and controlling access
D) Monitoring data usage
Correct Answer: C) Confirming a user's identity and controlling access
2. Which of the following is an example of an authentication method in IAM?
A) Firewalls
B) Smart cards
C) Data encryption
D) Load balancing
Correct Answer: B) Smart cards
3. What does access control determine after authentication?
A) User preferences
B) Device compatibility
C) The level of access a user has within a system
D) Network bandwidth
Correct Answer: C) The level of access a user has within a system
Governance and Enterprise Risk in the Cloud
4. Which of the following is a primary component of governance in cloud services?
A) Data migration tools
B) Encryption keys
C) Policies, processes, and internal controls
D) File-sharing options
Correct Answer: C) Policies, processes, and internal controls
5. Enterprise Risk Management (ERM) in the cloud focuses on:
A) Reducing electricity costs
B) Managing risks related to cloud services
C) Updating software regularly
D) Improving internet speed
Correct Answer: B) Managing risks related to cloud services

6. Autonomic security is designed to:


A) Operate independently without human intervention
B) Manage server hardware maintenance
C) Reduce internet usage
D) Encrypt all email communications
Correct Answer: A) Operate independently without human intervention
7. Which of the following is a key feature of autonomic cloud systems?
A) Manual configuration
B) Self-management
C) Fixed security protocols
D) One-time authentication
Correct Answer: B) Self-management
8. What does "adaptability" mean in autonomic cloud security?
A) Adjusting to unexpected changes in the environment
B) Using only standard encryption
C) Blocking all external access
D) Disabling user accounts
Correct Answer: A) Adjusting to unexpected changes in the environment

9. Which of the following is a solution for ensuring cloud compliance?


A) Regular software updates
B) Reducing file sizes
C) Disabling encryption
D) Allowing public access
Correct Answer: A) Regular software updates
10. Why is choosing a trustworthy cloud provider important for compliance?
A) It offers better internet speed
B) It ensures reliable and safe data handling
C) It provides free software
D) It reduces storage costs
Correct Answer: B) It ensures reliable and safe data handling


11. Portability issues arise when:


A) You can't connect to the internet
B) Data transfer between cloud services is not smooth
C) Software updates fail
D) Security protocols are ignored
Correct Answer: B) Data transfer between cloud services is not smooth
12. Which of the following is an interoperability issue in the cloud?
A) Data incompatibility between cloud services
B) High internet speed
C) Low storage capacity
D) Strong encryption
Correct Answer: A) Data incompatibility between cloud services
13. A common portability issue in the cloud is:
A) High security risks
B) Data transfer challenges
C) Software compatibility
D) Faster data access
Correct Answer: B) Data transfer challenges
Business Continuity Management and Disaster Recovery in Cloud
14. What is the purpose of Business Continuity Management (BCM) in the cloud?
A) Monitoring network speed
B) Ensuring critical business functions can continue during disruptions
C) Reducing software costs
D) Enhancing data visualization
Correct Answer: B) Ensuring critical business functions can continue during disruptions
15. Which cloud-based practice ensures minimal downtime during a disaster?
A) Data encryption
B) Load balancing
C) Disaster Recovery (DR)
D) User authentication
Correct Answer: C) Disaster Recovery (DR)
16. What is a key advantage of using the cloud for disaster recovery?
A) High storage costs
B) Limited data access

C) Quick data replication to separate locations


D) Reduced internet speed
Correct Answer: C) Quick data replication to separate locations
General Cloud Concepts
17. Which of the following is NOT an example of autonomic security?
A) Systems adapting to new threats
B) Human intervention at every step
C) Self-management features
D) Independent threat responses
Correct Answer: B) Human intervention at every step
18. Which feature helps maintain security in compliance audits?
A) Disabling firewalls
B) Using strong passwords
C) Sharing access with all employees
D) Ignoring software updates
Correct Answer: B) Using strong passwords
19. An example of an enterprise risk in the cloud is:
A) Incompatible file formats
B) Network latency
C) Unauthorized access to sensitive data
D) Excessive cloud storage space
Correct Answer: C) Unauthorized access to sensitive data


LONG ANSWER QUESTIONS:

1. Elaborate the concepts of identity management and access control.


ANS:
1. In the realm of cybersecurity, identity management (or IAM - Identity and Access Management)
is the process of confirming a user's identity and controlling their access to specific systems and
resources.
2. It's like a digital ID card that determines who gets access to what in online services.
3. Authentication, a key component of IAM, involves verifying a user's identity using methods like
passwords, PINs, fingerprints, or smart cards. We interact with authentication mechanisms every day.
4. When you enter a username and password, use a PIN, scan your fingerprint, your identity is being
verified for authentication purposes.
5. Once authenticated, access control steps in.
6. Access control determines the level of access a user has within a system.
7. For instance, in a business setting, access control might permit high-level administrators to modify
settings and access sensitive data, while restricting regular employees to their specific tasks,
preventing unauthorized access.
8. Essentially, identity management ensures the right person is logging in, and access control ensures
they can only do what they're allowed to do, safeguarding sensitive information.
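As an added example that is not part of the question bank, the following Python module models the four AAAA services from Unit 2 Question 8 (authentication, authorization, auditing, accountability) together with the identity management and access control described in this answer. The users, roles, permissions and scenario are constructed sample data, and the password hashing uses Python's standard library rather than any real cloud provider's IAM service.

```python
"""Added example (not from the question bank): a small in-memory model of the
four AAAA services and of identity management plus access control.
Users, roles and actions are constructed sample data; nothing here talks to a
real cloud provider."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed user store: username -> {"salt", "hash", "role"}
USERS = {}
# Constructed role-to-permission map used by access control.
PERMISSIONS = {
    "admin": {"read_report", "modify_settings", "read_sensitive_data"},
    "employee": {"read_report"},
}
# Audit trail: one record per attempted action (who, what, when, outcome).
AUDIT_TRAIL = []


def _derive(password, salt):
    """Salted PBKDF2-HMAC-SHA256 so the stored value does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username, password, role):
    """Identity management: enrol a user with a role; only the salted hash is kept."""
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _derive(password, salt), "role": role}


def authenticate(username, password):
    """Authentication: confirm the user is who they claim to be."""
    record = USERS.get(username)
    if record is None:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_derive(password, record["salt"]), record["hash"])


def authorize(username, action):
    """Authorization / access control: what an authenticated user may do."""
    role = USERS[username]["role"]
    return action in PERMISSIONS.get(role, set())


def _audit(username, action, outcome):
    """Auditing: record who did what, when, and whether it was allowed."""
    AUDIT_TRAIL.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": username,
        "action": action,
        "outcome": outcome,
    })


def perform(username, password, action):
    """Run the AAAA chain for one request; returns True only if the action ran."""
    if not authenticate(username, password):
        _audit(username, action, "authentication-failed")
        return False
    if not authorize(username, action):
        _audit(username, action, "denied")
        return False
    _audit(username, action, "allowed")
    return True


def accountable_for(action):
    """Accountability: trace an action back to the users who actually performed it."""
    return [e["who"] for e in AUDIT_TRAIL
            if e["action"] == action and e["outcome"] == "allowed"]


def run_scenario():
    """Constructed scenario: an admin and an employee, plus two failed logins."""
    USERS.clear()
    AUDIT_TRAIL.clear()
    register("alice", "correct horse battery", "admin")
    register("bob", "bob-pass-2024", "employee")
    results = {
        "admin_modifies_settings": perform("alice", "correct horse battery", "modify_settings"),
        "employee_reads_report": perform("bob", "bob-pass-2024", "read_report"),
        "employee_reads_sensitive": perform("bob", "bob-pass-2024", "read_sensitive_data"),
        "wrong_password": perform("bob", "wrong", "read_report"),
        "unknown_user": perform("mallory", "x", "read_report"),
    }
    results["who_changed_settings"] = accountable_for("modify_settings")
    results["audit_entries"] = len(AUDIT_TRAIL)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Every attempt, successful or not, lands in the audit trail, which is what lets accountability name the responsible user afterwards.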

2. List out the governance and enterprise risk in cloud.


ANS:
1. Governance includes the policies, processes, and internal controls that help the organization run
smoothly when using technology like cloud services.
2. Governance is like the rulebook or guidelines: deciding who the leaders are, what strategies to use,
and how to make sure everyone follows the rules.
3. Access Control: The governance policy ensures that only authorized employees have access to
sensitive data.
4. Data Security: The governance policy prescribes encryption methods and regular security audits.
5. Enterprise Risk Management: This is all about dealing with the various risks a company might
face. In the context of the cloud, it means understanding and managing the risks related to using
cloud services. Enterprise Risk Management is like having a captain who plans for all possible
challenges.
In the cloud world, these principles (GOVERNANCE AND ENTERPRISE RISK
MANAGEMENT) guide how businesses use technology and manage potential risks effectively.

3. Discover the key factors to consider in autonomic security for a cloud application.
ANS.
1. Autonomic security for cloud applications refers to the methods and practices to automatically secure
data and resources in cloud computing systems.
2. Autonomic security ensures that these cloud systems are protected from various threats, such as
cyberattacks, data breaches, and other malicious activities.


3. "Autonomously" refers to the ability of a system or process to operate independently, without
external control or human intervention.
Key factors to consider for autonomic security:
• Adaptability: Autonomic cloud systems can adjust to unexpected changes in the environment.
• Simplicity for Users: Autonomic systems are designed to hide complex technical details from users
and operators.
• Historical Context: Autonomic computing, which started in 2001, aimed to simplify the
management of complex computing systems. Autonomic security should continue this trend by
simplifying the process of securing cloud applications.
• Self-Management: Autonomic systems have self-managing features, meaning they can adjust and
respond to changes in the environment without constant human intervention or human interaction.

4. Discover solutions for compliance and audit issues in the cloud.


ANS. Solutions for Cloud Compliance and Audit Issues:
• Strong Passwords and Access Control: Create strong, unique passwords and limit who can access
your cloud data. This keeps your files safe from unauthorized access.
• Encryption for Data Security: Encryption is like turning your messages into a secret code that only
you and the intended person can understand. Use it to protect your files.
• Regular Software Updates: Just like updating your computer or phone keeps them running
smoothly, cloud services need updates too. These updates often include security improvements.
• Choosing a Trustworthy Cloud Provider: Pick a cloud provider that is known for being reliable
and safe. Look for providers with good reviews and a history of keeping data secure.
• Backups and Recovery Plans: Regularly back up your important files to the cloud and have a plan

5. List few portability and interoperability issues in the cloud.


ANS.
1. In the cloud, portability issues occur when you can't move your data or applications smoothly
between different cloud services.
2. Cloud interoperability issues happen when one cloud service can't easily exchange data with another.
It's like not being able to send a message from one messaging app to another without complications.
Portability Issues:
1. Data Transfer Challenges: Moving large volumes of data between different cloud providers can be
slow and costly.
2. Vendor-Specific Formats: Cloud services may use unique formats, making it difficult to transfer
data seamlessly between different providers.
3. Dependency on Unique Features: Applications relying on specific features of one cloud provider
may not function the same way on another provider's platform.
Interoperability Issues:


1. Data Incompatibility: Data formats and structures may differ between cloud services, causing
issues when trying to exchange information.
2. Service Integration: Integrating different cloud services to work together seamlessly can be
challenging due to differences in APIs and protocols.

6. Write about business continuity management and disaster recovery in the cloud.


ANS.
1. Business Continuity Management (BCM): In the cloud, BCM involves planning to ensure that
critical business functions can continue despite disruptions. This includes data backups and
continuity plans specific to the cloud environment.
2. Disaster Recovery (DR): Cloud-based DR involves replicating critical systems and data to a
separate geographic location or cloud region. This redundancy ensures that if one location fails,
operations can quickly switch to another, minimizing downtime and data loss.
3. BCM and DR work hand in hand in the cloud; both aspects are aligned to maintain overall business
resilience.
4. Monitoring and Feedback: Cloud environments offer monitoring capabilities. Continuous feedback
and analysis of data allow organizations to improve their BCM and DR strategies over time.


UNIT 4
MCQ QUESTIONS:

1. What is the primary goal of the ITIL lifecycle?

a) To manage IT services
b) To improve IT services
c) To deliver IT services
d) To plan IT services
Correct answer: b) To improve IT services

2. Which stage of the ITIL lifecycle involves designing IT services?


a) Service Strategy
b) Service Design
c) Service Transition
d) Service Operation
Correct answer: b) Service Design

3. What is the purpose of the Continual Service Improvement stage in the ITIL lifecycle?
a) To identify areas for improvement
b) To implement new services
c) To manage existing services
d) To plan for future services
Correct answer: a) To identify areas for improvement

4. What is the main goal of security management in the cloud?


a) To minimize risks associated with potential threats and vulnerabilities
b) To maximize the use of cloud applications and networks
c) To ensure data privacy
d) To comply with regulatory requirements
Correct answer: a) To minimize risks associated with potential threats and vulnerabilities

5. What is the purpose of identification and assessment in security management?


a) To recognize and evaluate cloud services used by a business


b) To limit potential risks
c) To implement security measures
d) To monitor cloud services
Correct answer: a) To recognize and evaluate cloud services used by a business

6. What is the focus area for securing services in the cloud related to data security?
a) At rest, in transit, in storage
b) Shared responsibility model
c) Encryption and key management
d) All of the above
Correct answer: d) All of the above

7. What is the purpose of encryption and key management in securing services in the cloud?
a) To protect data at rest
b) To protect data in transit
c) To protect data in storage
d) To ensure data privacy
Correct answer: d) To ensure data privacy

8. What does SPI stand for in the context of cloud service models?
a) Service Provider Interface
b) Software as a Service
c) Platform as a Service
d) Infrastructure as a Service
Correct answer: a) Service Provider Interface

9. Which cloud service model is responsible for providing virtualized computing resources?
a) SaaS
b) PaaS
c) IaaS
d) None of the above
Correct answer: c) IaaS

10. What is the primary goal of IaaS Availability Management?


a) To ensure the availability of computing and storage infrastructure
b) To ensure the availability of virtual servers
c) To ensure the availability of network resources
d) To ensure the availability of data centers
Correct answer: a) To ensure the availability of computing and storage infrastructure

11. Who is responsible for setting up and taking care of virtual servers in an IaaS environment?
a) IaaS provider
b) Customer
c) Both
d) Neither
Correct answer: b) Customer

12. What is the purpose of Security Vulnerability Management?


a) To identify and evaluate risks
b) To implement security measures
c) To monitor cloud services
d) To manage patches
Correct answer: a) To identify and evaluate risks

13. What is the purpose of Security Patch Management?


a) To fix vulnerabilities
b) To prevent security breaches
c) To manage patches
d) All of the above
Correct answer: d) All of the above

15. What is the purpose of avoiding source code secrets in PaaS?


a) To prevent unauthorized access


b) To protect VM management interfaces
c) To store credentials in source code
d) To encrypt authentication keys

Correct answer: a) To prevent unauthorized access

16. What are the three main components of IAM functional architecture?
a) Identification, Authentication, Authorization
b) Identification, Authentication, Access Control
c) Identification, Authorization, Access Control
d) Authentication, Authorization, Access Control
Correct answer: a) Identification, Authentication, Authorization

17. What is the purpose of the Shared Responsibility Model?


a) To define the responsibilities of the cloud service provider and the customer
b) To ensure data privacy
c) To comply with regulatory requirements
d) To minimize risks associated with potential threats and vulnerabilities
Correct answer: a) To define the responsibilities of the cloud service provider and the customer

LONG ANSWER QUESTIONS:

1) Illustrate ITIL lifecycle in an enterprise


ANS.
1. ITIL stands for Information Technology Infrastructure Library.
2. ITIL is a set of best practices for managing Information Technology (IT) services.
3. ITIL provides a structured framework for PLANNING, DELIVERING, AND IMPROVING IT
SERVICES to meet the needs of the organization and its customers.
Five Stages of ITIL Lifecycle: The ITIL lifecycle is divided into five interconnected stages:


1. Service Strategy: You decide what IT services your organization needs to achieve its overall
goals.
2. Service Design: You create detailed plans for how the IT services will be implemented, including
specifications and requirements. It ensures that the services are designed in a way that meets business
needs.
3. Service Transition: The designed services are built, tested, and then introduced into the live
environment. It ensures a smooth transition from planning to live operation.
4. Service Operation: The services are managed in the live environment according to agreed-upon
service levels.
5. Continual Service Improvement: Ongoing evaluation of services to identify areas for
improvement, making sure they evolve to meet changing needs.

• Each stage connects to the next, forming a continuous cycle of planning, designing,
transitioning, operating, and improving IT services.

2) Explain security management standards


ANS.
The main goal of security management in the cloud is to enable businesses to fully utilize cloud applications
and networks while minimizing the risks associated with potential threats and vulnerabilities.
Strategies and Tactics:
• Identification and Assessment: This involves recognizing and evaluating the various cloud services a
business is using. It's like taking stock of what tools and applications are in use within the cloud
environment.
• Limiting Threats and Vulnerabilities: Once cloud services are identified, security management uses
strategies to limit potential risks. This can include using encryption, access controls, and other
security measures to safeguard data and systems.

3) Speculate various focus areas for securing services in the cloud.


ANS.
Data Security:
• At Rest, In Transit, In Storage: Keep your data safe whether it's sitting idle, moving between
locations, or actively in use.
• Shared Responsibility Model: Understand who is responsible for what in terms of securing data. It's a
shared effort between you and the cloud service provider.

Encryption and Key Management:
• Critical Areas: Focus on two crucial aspects—encryption and key management—across major cloud
platforms like AWS, Azure, and Google Cloud.
• Why It Matters: Encryption ensures that even if someone unauthorized accesses your data, they can't
understand it without the proper 'key.'

4) Explain various security management functions available for SPI cloud delivery models.
ANS.
• SPI stands for "Service Provider Interface."
• SPI typically refers to the different types of cloud service models. The three main categories are:
SaaS, PaaS, IaaS.
1. Software as a Service (SaaS):
• User Authentication and Authorization: Ensures that only authorized users can access the SaaS
application, typically through secure login credentials.
• Data Encryption: Protects sensitive data during transmission and storage by converting it into a
secure format that can only be deciphered with the right keys.
2. Platform as a Service (PaaS):
• Access Controls: Implements robust access controls to manage user permissions and restrict
unauthorized access to the development platform.
• Secure Development Practices: Promotes and enforces secure coding practices among developers to
mitigate vulnerabilities in applications built on the PaaS platform.
3. Infrastructure as a Service (IaaS):
• Virtual Machine Security: Ensures the security of virtual machines through timely patching, regular
updates, and proper configuration.
• Data Backups and Disaster Recovery: Implements robust data backup and recovery strategies to
safeguard against data loss and ensure business continuity in case of unforeseen events.
• Identity and Access Management: Controls user access to infrastructure components and resources,
preventing unauthorized use and potential security breaches.

5) Briefly explain IaaS Availability management


ANS.
• IaaS Availability Management involves ensuring that the Infrastructure as a Service (IaaS) is
consistently accessible and operational.
• For IaaS providers, this includes maintaining the availability of computing and storage infrastructure,
as well as additional services like account management, messaging, identity and authentication,
databases, billing, and monitoring.
• As a customer, your job is to set up and take care of the virtual servers. To do this, you need the IaaS
provider's network, servers, and storage to be available when you need them.


• The provider also needs a good, reliable data centre design that can handle problems and keep things
running even if something goes wrong. So, it's a team effort to make sure the IaaS service is always
there and working well for you.

6) Explain the following terms: i) Security Vulnerability Management ii) Security Patch
Management
ANS.
1. Security Vulnerability Management:
• Security Vulnerability Management is the continuous process of finding, assessing and fixing
weaknesses in your systems before an attacker exploits them. Vulnerability scanners compare the software
running on each host against known vulnerability data; each finding is then rated by severity and
exploitability, a decision is taken (patch, mitigate, or accept the risk), and a re-scan confirms the fix.
It is a proactive control against potential cyber threats.

2. Security Patch Management:


• Security Patch Management is the process of obtaining, testing and deploying the vendor fixes
(patches) that close those vulnerabilities, and verifying that they were actually applied. It keeps
operating systems, applications and firmware current, and is one of the most effective ways to prevent
breaches, because many attacks exploit flaws for which a patch already exists.
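The two processes above form one cycle: identify, assess, remediate, verify. The following Python program is an added example written for this question bank, not code from the original document or from any scanner product. The advisory feed, the host inventory, the package names, the version numbers and the severity scores are all constructed for illustration, and the advisory IDs are placeholders rather than real CVEs. The priority rule (actively exploited or critical first) is an assumed triage policy.

```python
"""Toy vulnerability-and-patch management cycle: identify, assess, remediate, verify.

Added example for the question bank.  All data below is constructed; the advisory
identifiers are placeholders and do not refer to real vulnerabilities.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    adv_id: str      # placeholder identifier, not a real CVE
    package: str
    fixed_in: str    # first version that contains the fix
    cvss: float      # severity score, 0.0 to 10.0
    exploited: bool  # exploitation observed in the wild


def parse_version(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    return parse_version(installed) < parse_version(fixed_in)


# Constructed advisory feed (IDs, package names and scores are made up).
ADVISORIES = [
    Advisory("EXAMPLE-0001", "libtls", "3.0.14", 7.5, False),
    Advisory("EXAMPLE-0002", "libtls", "3.0.9", 9.8, True),
    Advisory("EXAMPLE-0003", "httpd-ng", "1.25.4", 5.3, False),
    Advisory("EXAMPLE-0004", "admin-cli", "1.9.15", 8.8, True),
]

# Constructed inventory: host -> {package: installed version}.
INVENTORY = {
    "web-01": {"libtls": "3.0.8", "httpd-ng": "1.25.4", "admin-cli": "1.9.15"},
    "web-02": {"libtls": "3.0.12", "httpd-ng": "1.24.0", "admin-cli": "1.9.13"},
}


def scan(inventory, advisories):
    """Identify: (host, package, installed_version, advisory) for every open finding."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.package)
            if installed and is_vulnerable(installed, adv.fixed_in):
                findings.append((host, adv.package, installed, adv))
    return findings


def priority(adv: Advisory) -> str:
    """Assess: actively exploited or critical first, then high, then the rest."""
    if adv.exploited or adv.cvss >= 9.0:
        return "P1"
    if adv.cvss >= 7.0:
        return "P2"
    return "P3"


def patch_plan(inventory, advisories):
    """Decide: one upgrade per (host, package) to the highest fixed_in among its open
    advisories, carrying the most urgent priority of any of them."""
    plan = {}
    for host, package, installed, adv in scan(inventory, advisories):
        entry = plan.setdefault((host, package),
                                {"from": installed, "target": adv.fixed_in, "priority": "P3"})
        if parse_version(adv.fixed_in) > parse_version(entry["target"]):
            entry["target"] = adv.fixed_in
        entry["priority"] = min(entry["priority"], priority(adv))  # "P1" < "P2" < "P3"
    return plan


def apply_plan(inventory, plan):
    """Remediate (simulated): return a new inventory with the planned upgrades applied."""
    patched = {host: dict(pkgs) for host, pkgs in inventory.items()}
    for (host, package), entry in plan.items():
        patched[host][package] = entry["target"]
    return patched


def verify(inventory, advisories):
    """Verify: re-scan; an empty result means the cycle closed every finding."""
    return scan(inventory, advisories)


if __name__ == "__main__":
    for (host, package), entry in sorted(patch_plan(INVENTORY, ADVISORIES).items()):
        print(f"{entry['priority']} {host}: {package} {entry['from']} -> {entry['target']}")
```

Note that a host with two advisories for the same package gets a single upgrade to the newer fixed version, but inherits the urgency of the worse advisory; and that the verify step re-runs the identical scan rather than trusting that the upgrade happened.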

7) Summarize the standard practices followed by PaaS customer to reduce software application
vulnerability.
ANS.
Secure Key Management: Keep cryptographic keys and credentials in a managed secret store such as Azure
Key Vault rather than in application code or configuration files.
• Azure Key Vault stores keys, secrets and certificates in a hardened service with its own access
policies, so an application can be granted access to a secret without the secret ever appearing in its
source.
• Key Vault protects items such as authentication keys, storage account keys and other sensitive data,
and access to them can be logged, which makes misuse easier to detect.
Avoid Source Code Secrets:
1. Never store credentials or secrets in source code or GitHub repositories.
2. Keeping keys (unique codes or passwords) out of code repositories, public or private, prevents anyone
with read access to the repository from gaining access to the protected systems. A secret that has been
committed should be treated as compromised and rotated.
Protect VM Management Interfaces:

1. Use secure management interfaces for PaaS and IaaS services, avoiding direct remote access
from the internet.
• Management protocols such as SSH, RDP and PowerShell remoting should only be reachable through a
controlled path (a VPN, a jump host or a bastion service), never on a public IP address. Restrict the
management ports with network security rules and require strong authentication, so that an attacker
scanning the internet cannot reach the interface at all.
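The "Avoid Source Code Secrets" practice is usually enforced with a scanner that runs before code is committed. The Python below is an added example for this question bank, not code from the original document, from GitHub or from Azure. It flags literal secrets in source using a few narrow patterns plus an entropy check, and shows the hardened alternative of resolving the same values at run time from the environment (which a platform would populate from a vault). The two source files and every key-like string in them are constructed; the regexes and the 4.0-bit entropy threshold are assumptions a real scanner would tune.

```python
"""Minimal pre-commit style secret scanner plus the hardened run-time lookup.

Added example for the question bank.  The file contents and key-like strings are
constructed; the patterns and threshold are illustrative, not a production ruleset.
"""
import math
import os
import re
from collections import Counter

# Patterns that are strong indicators of a literal secret in source.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "azure_storage_key": re.compile(r"AccountKey=[A-Za-z0-9+/]{20,}={0,2}"),
    "credential_assignment": re.compile(
        r"""(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*["'][^"']{8,}["']"""),
}
# Fallback: a long quoted string whose characters are close to uniformly distributed.
HIGH_ENTROPY_TOKEN = re.compile(r"""["']([A-Za-z0-9+/=_\-]{32,})["']""")


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score well above ordinary identifiers."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str, entropy_threshold: float = 4.0):
    """Return (line_no, kind, line) for each suspicious line.

    The named patterns catch short passwords that entropy would miss; the entropy
    check catches keys that sit behind an innocuous variable name.  A value read
    from os.environ is never flagged because nothing literal is present."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((no, kind, line.strip()))
                break
        else:
            m = HIGH_ENTROPY_TOKEN.search(line)
            if m and shannon_entropy(m.group(1)) >= entropy_threshold:
                findings.append((no, "high_entropy_string", line.strip()))
    return findings


# Constructed "before" file: secrets embedded in source (what the guidance forbids).
BAD_SOURCE = '''\
STORAGE_CONN = "DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=Q2hhbmdlTWVUaGlzSXNOb3RBUmVhbEtleTEyMzQ1Njc4OTA=;EndpointSuffix=core.windows.net"
db_password = "Summer2024!Pass"
api_key = "sk_live_9aZ3kQ8vB1nX7mL2pR5tY4wE6uI0oC"
webhook_hmac = "mN7xQ2pL9vR4kT8wZ1bC5dF0gH3jK6sY"
timeout = 30
'''

# Constructed "after" file: the same settings resolved at run time, nothing literal.
GOOD_SOURCE = '''\
STORAGE_CONN = os.environ["STORAGE_CONN"]      # injected by the platform from a vault
db_password = os.environ["DB_PASSWORD"]
api_key = os.environ["API_KEY"]
webhook_hmac = os.environ["WEBHOOK_HMAC"]
timeout = 30
'''


def load_secret(name: str) -> str:
    """Run-time lookup that refuses to fall back to a hard-coded default."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"secret {name} not provided by the environment/vault")
    return value


if __name__ == "__main__":
    for no, kind, line in scan_source(BAD_SOURCE):
        print(f"line {no}: {kind}: {line[:60]}")
    print("clean file findings:", scan_source(GOOD_SOURCE))
```

The `load_secret` helper deliberately raises instead of returning a default: a missing secret should fail the deployment loudly, not silently run with a placeholder that someone later commits.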

8) Explain IAM functional architecture


ANS. IAM (Identity and Access Management) functional architecture involves three main
functions, performed in order on every request:
1. Identification: Assigning a unique identity (a user ID, service account or other principal) to each
individual or entity within the system, so that every action can be tied to exactly one principal.
2. Authentication: Verifying the claimed identity, for example with a password, a token or a certificate,
to ensure the person or entity is who they say they are.
3. Authorization: Granting access rights and permissions based on the authenticated identity, so that
each principal can reach only the resources and tasks its role requires.
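The three functions are easiest to see as three methods on one identity store. The Python below is an added example for this question bank, not code from the original document or from any IAM product. Identification assigns a unique, non-guessable principal ID; authentication verifies a password against a salted PBKDF2 hash with a constant-time comparison, and runs the same work for unknown usernames so timing does not reveal which accounts exist; authorization checks the principal's role against a permission table. The users, roles, permissions and the PBKDF2 round count are all constructed for the example.

```python
"""The three IAM functions as code: identify, authenticate, authorize.

Added example for the question bank.  Users, roles, permissions and the cost
parameter are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: enough to make guessing slow for a demo

# Authorization policy: role -> set of (action, resource_type) the role may perform.
ROLE_PERMISSIONS = {
    "viewer":   {("read", "vm")},
    "operator": {("read", "vm"), ("restart", "vm")},
    "admin":    {("read", "vm"), ("restart", "vm"), ("delete", "vm"), ("read", "keyvault")},
}


class Directory:
    """Minimal identity store: principal_id -> record, plus a username index."""

    def __init__(self):
        self._users = {}
        self._by_name = {}

    # --- 1. Identification --------------------------------------------------
    def register(self, username: str, password: str, role: str) -> str:
        if username in self._by_name:
            raise ValueError("username already taken; identities must be unique")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        principal_id = secrets.token_hex(8)   # unique, non-guessable identity
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[principal_id] = {"username": username, "salt": salt,
                                     "digest": digest, "role": role}
        self._by_name[username] = principal_id
        return principal_id

    # --- 2. Authentication --------------------------------------------------
    def authenticate(self, username: str, password: str):
        """Return the principal_id on success, None on failure.

        Unknown usernames are checked against a dummy record so the same amount of
        work is done either way; hmac.compare_digest avoids a timing side channel
        on the hash comparison itself."""
        pid = self._by_name.get(username)
        rec = self._users[pid] if pid else {"salt": b"\0" * 16, "digest": b"\0" * 32}
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        ok = hmac.compare_digest(candidate, rec["digest"])
        return pid if (ok and pid) else None

    # --- 3. Authorization ---------------------------------------------------
    def authorize(self, principal_id, action: str, resource_type: str) -> bool:
        rec = self._users.get(principal_id)
        if rec is None:
            return False                      # unauthenticated or unknown principal
        return (action, resource_type) in ROLE_PERMISSIONS[rec["role"]]


def build_demo_directory() -> Directory:
    """Two constructed accounts with different roles."""
    d = Directory()
    d.register("alice", "correct horse battery staple", "admin")
    d.register("bob", "hunter2-but-longer", "viewer")
    return d


if __name__ == "__main__":
    d = build_demo_directory()
    bob = d.authenticate("bob", "hunter2-but-longer")
    print("bob may read vm:", d.authorize(bob, "read", "vm"))
    print("bob may delete vm:", d.authorize(bob, "delete", "vm"))
```

Because `authorize` takes the principal ID that `authenticate` returned, a failed login (None) can never be authorized: the three steps compose, and skipping one leaves the request with no identity to grant rights to.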

9. Explain Shared Responsibility Model.

Ans.


UNIT 5

MULTIPLE CHOICE QUESTIONS:

1. What is the main privacy concern regarding data in the cloud?


A) Data Encryption
B) Data Ownership
C) Data Security
D) Data Location
Answer: C) Data Security
2. What does the principle of "Purpose Limitation" in data privacy regulations refer to?
A) Collecting minimal data
B) Using data only for lawful purposes
C) Collecting data only for specified purposes
D) Sharing data across different countries
Answer: C) Collecting data only for specified purposes
3. Which of the following is a key component of Governance, Risk, and Compliance (GRC)?
A) Implementation
B) Fairness
C) Key Controls
D) Proportionality
Answer: C) Key Controls
4. What is one of the primary goals of the Cloud Security Alliance (CSA)?
A) To ensure data ownership
B) To help users and providers understand security requirements
C) To minimize cloud storage costs
D) To promote public access to private cloud systems
Answer: B) To help users and providers understand security requirements
5. Which of the following is an example of operational security in cloud computing?
A) Asset Safety
B) Data Encryption
C) User Separation
D) Fairness
Answer: A) Asset Safety
6. In the lifecycle approach to cloud security, what is the role of the 'Monitoring' phase?

A) Implementing security measures


B) Regularly checking the effectiveness of controls
C) Adapting to new threats
D) Assessing security needs
Answer: B) Regularly checking the effectiveness of controls
7. Which legal principle ensures that data is only collected for lawful reasons or with individual
consent?
A) Lawfulness
B) Fairness
C) Accuracy
D) Compliance
Answer: A) Lawfulness
8. What does "Data Protection in Transit" refer to in cloud privacy principles?
A) Protecting data when it's stored
B) Ensuring data is not intercepted during transmission
C) Encrypting data at rest
D) Keeping data only in one country
Answer: B) Ensuring data is not intercepted during transmission
9. Which of the following is NOT a benefit of GRC for Cloud Service Providers (CSPs)?
A) Improved security
B) Better IT compliance monitoring
C) Higher data storage capacity
D) Reduced burden of compliance testing
Answer: C) Higher data storage capacity

LONG ANSWER QUESTION:


1. What are the key privacy concerns in the cloud?
ANS. 1. Data Security: The worry that someone might access or steal your information stored in the cloud.
2. Data Ownership: Understanding who has control over your data in the cloud. It's important to know if you
still own and control your information or if the cloud service provider has certain rights.
3. Data Location: Knowing where your data physically resides. Some users are concerned if their data is
stored in different countries, as different regions have different privacy laws.


4. Data Encryption: If data is not properly encrypted, it may be vulnerable to interception during
transmission or storage.

2) Brief about common privacy principles of cloud computing


ANS.
1. Data Protection in Transit: Keep your information safe while it travels between devices or
networks.
2. Asset Safety: Make sure your data and the devices storing it are protected from physical damage or
theft.
3. User Separation: One tenant's fault or compromise must not affect other tenants. Each user's data
should stay private and isolated from other users of the same service.
4. Governance Framework: The company providing the service should have a plan to manage and
coordinate how they keep things secure.
5. Operational Security: Operate the service so that attacks are prevented and detected, without the
security measures being unduly complex or costly to run.

3) Discuss legal and regulatory requirements for data privacy


ANS.
1. Purpose Limitation: Only collect data for stated, lawful purposes, or with the individual's consent.
2. Proportionality and Minimization: Collect only the data necessary for that purpose. This limits
privacy risk by preventing excessive data collection and misuse.
3. Lawfulness: Collect and use data only on lawful grounds (e.g., consent, legal obligation).
4. Fairness and Transparency: Collect and use data fairly and transparently. This builds trust and allows
individuals to understand how their data is handled.
5. Accuracy: Keep personal data accurate and correct inaccuracies promptly.

4) Explain the lifecycle approach for determining, implementing, operating and monitoring controls
over CSP
ANS.
1. Assessment: Identify security needs based on risks and compliance requirements.
2. Implementation: Put selected security measures into action within the cloud setup.
3. Operations: Ensure continuous functioning and maintenance of these security measures.
4. Monitoring: Regularly check and assess the effectiveness of security controls.
5. Adaptation: Adjust controls to address emerging threats or improve overall security based on feedback
and changes in technology.


5) Explain the key components of GRC


ANS. GRC stands for Governance, Risk, and Compliance. It is an integrated approach to directing the
organization, ensuring compliance with regulations, and managing risks effectively.
1. Risk Assessment: Identify risks to the cloud service. Figure out the regulations that affect the services.
2. Key Controls: Set up specific safeguards to handle risks and meet rules.
3. Monitoring: Keep an eye on controls regularly. Spot and fix any problems, track progress.
4. Reporting: Share regular reports on metrics and performance. Let the management and customers know
how well things are going.
5. Continuous Improvement: Improve safeguards as needed. Act quickly on any big issues found.

6) Give some benefits of GRC for CSP’s.


ANS.
• Reduce risks through a structured risk management approach
• Improve monitoring of IT compliance
• Improve security
• Rationalize compliance requirements and control assessment processes
• Reduce the burden of compliance monitoring and testing

7) Describe the illustrative control objectives of asset, communication and operations management for
cloud computing.
ANS.
• Responsibility for Assets: Ensure proper protection of organizational assets. Make sure everyone
knows how to safeguard company resources, like data and equipment.
• Information Classification: Provide the right level of protection for different types of information.
Classify information based on its sensitivity, and apply appropriate security measures accordingly.
• Prior to Employment: Confirm that new hires understand their roles and reduce the risk of theft or
fraud.
• During Employment: Keep everyone aware of security threats and their responsibilities to prevent
human errors.
• Termination or Change of Employment: When someone leaves the organization, make sure the
departure is orderly to prevent any security risks associated with their departure.
8) Explain Cloud Security Alliance in detail
ANS. The Cloud Security Alliance is an organization that focuses on making sure that both the users
and providers of cloud computing understand and meet the necessary security requirements.

The primary objectives of CSA are:


Common Understanding: Help both the users and the providers of cloud services understand what security
measures are needed.
Research on Best Practices: Find out and share the best and safest ways to use cloud computing.
Awareness and Education: CSA runs campaigns and educational programs to help people use the cloud
properly and securely.
Guidance and Lists: CSA makes lists of issues and gives guidance on how to make sure your stuff stays
safe when using cloud services.
CSA's White Paper:
• CSA has published a detailed white paper on specific concerns related to cloud computing. It
covers 15 areas, including:
• How cloud systems are set up (cloud architecture).
• Managing risks and rules for large organizations (governance and enterprise risk management).
• Legal issues related to cloud computing.
• Making different cloud systems work together smoothly (interoperability).
So, in simple terms, CSA is like a helpful guide that wants to make sure everyone using the cloud does
it safely and understands how to keep their information secure.
