Managing-Cloud-Security WGU Managing Cloud Security (JY02) Questions and Answers

TheProcess for Attack Simulation and Threat Analysis (PASTA)is a risk-centric threat modeling methodology that explicitly focuses on simulating real-world attacks from an adversary’s perspective. Unlike STRIDE or DREAD, which classify threats and rate severity, PASTA evaluates how an attacker would exploit vulnerabilities step by step.

PASTA has seven stages, including defining objectives, decomposing applications, and simulating attacks. This methodology helps organizations understand both technical and business risks by looking at the application as an attacker would.

STRIDE categorizes threats, DREAD provides scoring, and ATASM emphasizes architecture and mitigation. While valuable, they are not primarily attack-simulation frameworks. PASTA enables proactive testing of defenses against realistic adversary behaviors, making it especially relevant in modern cloud and DevSecOps environments.

Thenetworkis the component that enables customers to transfer data into and out of a cloud environment. It provides the connectivity through which data is uploaded, downloaded, and exchanged between customer systems and cloud infrastructure.

Firewalls protect the network by filtering traffic, load balancers distribute requests across resources, and virtual displays present interfaces, but none directly facilitate the transfer of data.

In cloud models, secure networking is critical. Protocols like TLS encrypt traffic, while VPNs and private links provide additional isolation. Reliable networking ensures availability, while strong controls safeguard confidentiality and integrity. Customers must ensure that the cloud provider offers secure, high-performance network services to support business needs.

The engineers are concerned aboutportability. Vendor-specific APIs and tools create a dependency on a single provider, leading to vendor lock-in. This limits the ability to migrate services or workloads to another provider without significant rework.

Reliability and availability refer to service uptime and continuity, while scalability addresses performance under demand. Although important, none of these directly relate to cross-platform flexibility. Portability ensures that services, data, and applications can be easily moved or integrated across environments.

By adopting portable solutions—such as open standards, containerization, and multi-cloud strategies—organizations reduce long-term risks, increase negotiation power with providers, and enhance resilience.

Resource pooling is one of the core characteristics of cloud computing defined by NIST. It refers to the provider’s ability to serve multiple customers by dynamically allocating and reallocating computing resources such as storage, processing, memory, and network bandwidth. These resources are abstracted using virtualization, ensuring that customers remain isolated from one another even though they share the same physical assets.

Rapid scalability describes elasticity, on-demand self-service allows users to provision resources without provider intervention, and measured service refers to metering usage. None of these concepts directly describe the multi-tenant model of shared resources.

Resource pooling improves efficiency, reduces costs, and provides flexibility, but it also introduces new security considerations such as data isolation and hypervisor security. Customers must ensure that providers implement strong controls to prevent data leakage or cross-tenant compromise.

TheZero Trustsecurity model assumes that no user, device, or application should be trusted by default, whether inside or outside the network perimeter. Every access request must be continuously verified using strict identity, authorization, and context-based checks.

Unlike traditional perimeter security, Zero Trust emphasizes the principle of “never trust, always verify.” Traffic inspection looks at data packets, intrusion prevention identifies malicious activity, and secret management safeguards sensitive keys and credentials. None of these approaches enforce constant, adaptive identity verification the way Zero Trust does.

By adopting Zero Trust, organizations ensure that access is not granted simply because a user is “inside” the network. Instead, continuous checks evaluate credentials, device posture, location, and other risk factors. This significantly reduces the risk of insider threats, credential theft, and lateral movement within cloud environments.

Indirect identifiersare pieces of information that may not identify an individual on their own but, when combined with other data, can uniquely identify someone. Examples include birthdate, ZIP code, or gender. Together, these can re-identify a person, even when names or direct identifiers are removed.

Direct identifiers (such as Social Security numbers) uniquely identify an individual alone. Data subjects are the individuals to whom the data refers, while personal details is too broad and not a formal term.

Understanding indirect identifiers is essential in privacy regulations like GDPR and HIPAA, where pseudonymization or anonymization must account for potential re-identification risks. Safeguarding indirect identifiers reduces the chance of privacy violations and unauthorized profiling.

A cloud service partner plays a complementary role by offering products or services that enhance or interact with the primary cloud provider’s offerings. Examples include managed service providers, value-added resellers, or software vendors that integrate their solutions with the core infrastructure or platform of a cloud service provider.

The customer is the end user of cloud services, regulators ensure compliance with laws, and developers create applications but do not represent an independent ecosystem role. Partners, on the other hand, extend the value of the primary offering by providing additional tools, support, or integrations that enhance customer experience.

This ecosystem role is recognized by major cloud frameworks, such as the Cloud Security Alliance, which notes the importance of partners in ensuring interoperability, extending services, and supporting shared responsibility. For customers, this means greater flexibility and choice in tailoring cloud solutions to business needs.

In a cloud environment, responsibility forhardware managementshifts primarily to the cloud provider. Customers no longer manage servers, storage devices, or physical networks directly. As a result, hardware management policies are less critical for customer audits compared to data classification, procurement, or acceptable use.

Data classification remains essential to secure sensitive information. Software procurement policies are important to control licensing and compliance. Acceptable use policies govern employee behavior in cloud environments.

While organizations may still need high-level oversight of hardware through contracts and SLAs, detailed hardware policies have a reduced role. Instead, emphasis shifts to managing the shared responsibility model, ensuring cloud provider controls complement customer governance.

Backups are only valuable if they can be successfully restored when needed. Testing backups on a periodic basis is the only reliable way to validate their viability. Simply storing backups without testing may create a false sense of security, because corruption, misconfiguration, or incomplete backup sets can go unnoticed until a disaster occurs.

Industry best practices, such as those recommended by NIST and ISO 27031, emphasize regular backup testing as part of disaster recovery and business continuity planning. Testing involves restoring data to a test environment, verifying its integrity, and ensuring that applications can use the restored data as expected.

Deleting, comparing, or replacing backups might help in managing storage efficiency, but these actions do not confirm whether the backups are usable. Periodic testing ensures alignment with company policy, regulatory requirements, and internal risk management controls. It also provides confidence to management that recovery objectives, such as RTO (Recovery Time Objective) and RPO (Recovery Point Objective), can be met.

The requirement for a username, password, and security token describesauthentication—the process of verifying the identity of a user. By requiring multiple factors (something you know + something you have), the organization is implementing multifactor authentication (MFA).

Authorization defines what resources a user can access after authentication. WAFs protect web applications, and ACLs specify rules for allowed or denied traffic, but neither validate user identity.

Authentication ensures that only legitimate users gain access to cloud resources. In hybrid environments, MFA is a strong safeguard against credential theft and phishing attacks, providing assurance that identities are genuine before authorization decisions are made.

Multifactor Authentication (MFA)is a commonly mandated control for obtaining cybersecurity insurance. MFA requires users to present at least two independent factors—something they know (password), something they have (token), or something they are (biometrics). This significantly reduces the risk of unauthorized access due to stolen or weak credentials.

Network segmentation and application whitelisting are valuable, but they are not universal insurance requirements. TPM is a hardware component for securing local devices but does not protect remote access in distributed work models.

By enforcing MFA across VPNs, cloud services, email, and administrative interfaces, organizations demonstrate strong access control measures. Insurance providers recognize MFA as a foundational safeguard, reducing claims risk from credential-based breaches. This makes MFA both a compliance requirement and a best practice.

TheCLOUD Actaddresses conflicts that arise when law enforcement in one jurisdiction seeks access to data stored in another country. It clarifies how U.S. authorities can compel cloud providers to produce data, even if stored overseas, and establishes a framework for resolving jurisdictional conflicts through bilateral agreements.

The Act does not regulate genetic data, breach notifications, or employer surveillance. Its central purpose is to handle the challenge of cross-border data access in the era of globalized cloud computing.

For organizations, this means carefully evaluating how and where data is stored, and ensuring contracts and compliance strategies account for potential conflicts between U.S. law and foreign privacy regulations like GDPR. Awareness of CLOUD Act obligations is crucial in multinational cloud deployments.

Without a clear understanding of infrastructure and software, the leadership team must first conduct aninventory of assets. An asset inventory provides a comprehensive list of hardware, software, and services that support business operations.

Creating checklists, defining criteria, and assigning roles are important, but they rely on knowing what assets exist. Without an inventory, the disaster recovery plan would miss critical dependencies, making recovery incomplete or impossible.

Performing an inventory supports business impact analysis, risk assessments, and recovery prioritization. It ensures that all critical systems are accounted for and appropriate recovery strategies can be designed. Asset inventories are a foundational best practice for disaster recovery and continuity planning.

Outside the United States,ISAE 3402 (International Standard on Assurance Engagements 3402)is the standard used for audits equivalent to SOC reports. It ensures that service organizations demonstrate adequate internal controls over financial reporting and operational processes.

SSAE 18 is the U.S. standard governing SOC audits. ISRE 2400 and SSARS 25 focus on accounting and review services, not assurance over service organizations.

ISAE 3402 provides assurance to international customers that cloud providers or service organizations meet rigorous standards for security, availability, processing integrity, confidentiality, and privacy. This builds global trust and interoperability in compliance frameworks.

Infrastructure as a Service (IaaS) delivers fundamental computing resources over the cloud. These include virtual machines, block storage, networking, and load balancers. Customers use these resources to build and manage custom IT solutions, while the provider manages the underlying hardware.

PaaS abstracts infrastructure further, providing a development environment for applications without requiring infrastructure management. SaaS delivers fully functional applications over the internet. NaaS is a narrower category focusing on network delivery.

IaaS is the correct answer because it gives maximum flexibility and control compared to the other models, allowing organizations to build tailored environments. It also requires customers to manage operating systems, middleware, and runtime security, making shared responsibility an essential part of the model.

While cloud providers typically offer built-in encryption, customers should applyadditional encryptionfor sensitive data to maintain defense-in-depth. Encrypting files and folders before uploading them ensures that even if provider-side protections fail, data remains confidential.

WAFs protect applications from web threats, DAM tools monitor database use, and block storage versus file storage is an architecture choice. None of these directly provide an extra protective layer for stored data.

By maintaining control of their encryption keys, customers ensure compliance with data protection standards such as GDPR, HIPAA, or PCI DSS. This practice also mitigates insider threats within the provider’s environment and supports secure multi-cloud strategies. Encryption remains the strongest safeguard for protecting sensitive files in public cloud storage.

TheSarbanes-Oxley (SOX) Act of 2002was enacted to restore investor confidence after major corporate accounting scandals. It requires publicly traded corporations to maintain accurate financial reporting and implement internal controls to safeguard the integrity of disclosed information.

GLBA focuses on protecting consumer financial data, GDPR is a European regulation governing privacy, and the CLOUD Act addresses cross-border law enforcement access to data. Only SOX directly mandates financial disclosure and corporate accountability.

SOX compliance includes maintaining audit trails, securing data integrity, and ensuring that executives certify financial statements. Failure to comply carries severe penalties, both civil and criminal. For cloud environments, SOX compliance extends to ensuring IT systems used for financial data are secure, monitored, and auditable.

Proceduresare detailed, step-by-step instructions that guide personnel on how to perform specific tasks in alignment with higher-level policies. In an investigation, when uncertainty arises about handling a dataset, procedures provide the exact operational guidance required.

Policies establish high-level rules (e.g., “financial data must be protected”), while procedures explain how to achieve compliance with those policies (e.g., “verify encryption, label dataset, log access, and escalate to compliance officer”). Legal rulings and definitions are external references but do not provide operational steps.

By following documented procedures, investigators ensure consistency, compliance, and defensibility in legal contexts. This also ensures that evidence is handled properly, supporting admissibility in court and protecting the organization against legal or regulatory challenges.

The most critical concern in long-term cloud storage iskey management. If encryption keys are lost, corrupted, or improperly rotated, the organization will lose the ability to decrypt its own data, rendering backups unusable. This issue is particularly serious because cloud storage almost always relies on encryption to secure sensitive or regulated information.

While regulatory compliance, quantum threats, and change tracking are important, none directly prevent permanent data loss. The reliability of key management ensures that access to long-term archival data is preserved across changes in personnel, technology, and vendors.

Best practices include using centralized key management systems (such as Hardware Security Modules or cloud Key Management Services), applying role-based controls, and performing periodic key rotation and escrow. Addressing key management in the backup plan ensures that data will remain accessible for years or decades, regardless of technological shifts.

This is an example ofsocial engineering, where attackers manipulate individuals into divulging confidential information or performing actions that compromise security. In this case, the fraudulent caller convinced the help desk to disclose sensitive employee data.

Man-in-the-middle attacks involve intercepting communication between parties, escalation of privilege involves gaining higher access rights, and internal threats come from legitimate insiders. None of these fit the situation as accurately as social engineering.

Social engineering exploits human trust rather than technical vulnerabilities. Common tactics include phishing, pretexting, and phone-based fraud (vishing). Preventing such threats requires strong identity verification processes, employee awareness training, and layered authentication mechanisms. By recognizing the human element as a weak point, organizations can better prepare staff to resist manipulative tactics.

AnIdentity Provider (IdP)is a system that stores and manages identity information and validates authentication and authorization requests. IdPs are critical in cloud and hybrid environments, supporting protocols such as SAML, OAuth, and OpenID Connect for federated access.

An HSM manages encryption keys, not identities. Zero Trust is a security philosophy requiring continuous verification, but the system that enforces authentication is the IdP. A bastion host provides secure administrative access but does not manage identity.

By using an IdP, organizations centralize credential management, enforce multifactor authentication, and integrate with Single Sign-On (SSO). This reduces password fatigue, increases security, and ensures consistent access control policies across applications and services.