Cloud Data Security for CCSP
This page covers the Cloud Data Security domain of the CCSP certification. Master Cybersecurity offers 107 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
What is the biggest concern with hosting a key management system outside of the cloud environment?
- A. Confidentiality
- B. Portability
- C. Availability
- D. Integrity
Explanation
The correct answer is: A. Confidentiality.
Hosting a key management system outside the cloud environment raises confidentiality as the primary concern because the keys must traverse network paths and be stored in an external system whose protections, access controls, and operational integrity are now critical to the confidentiality of every piece of data they decrypt; any exposure of those keys exposes the data they unlock. Portability is improved by external KMS rather than hindered. Availability is a concern with any external dependency but is generally addressed by redundancy. Integrity is supported by tamper-resistant HSMs and audit trails. CCSP candidates should treat key confidentiality as the dominant external-KMS risk and ensure the external KMS itself is protected at or above the assurance level of the data it serves.
Question 2
Which of the following approaches would NOT be considered sufficient to meet the requirements of secure data destruction within a cloud environment?
- A. Cryptographic erasure
- B. Zeroing
- C. Overwriting
- D. Deletion
Explanation
The correct answer is: D. Deletion.
Deletion only removes the pointers or directory entries that locate data on storage media, leaving the underlying bytes in place and recoverable by anyone with forensic tools; it is therefore insufficient for secure destruction in a cloud environment where multiple copies, snapshots, and replicas exist beyond the customer's direct reach. Cryptographic erasure, also known as crypto-shredding, destroys the wrapping keys so encrypted data becomes permanently unreadable across every replica. Zeroing overwrites with zeros and is a NIST SP 800-88 clear-level operation. Overwriting writes patterns to make data unrecoverable. CCSP candidates should treat simple deletion as the canonical example of insufficient destruction and rely on crypto-shredding for cloud disposal whenever the data was encrypted at rest from the outset.
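To make the contrast concrete, here is an added simulation (not part of the original page) of why deletion is insufficient while crypto-shredding works across replicas the customer cannot reach: each object is encrypted under its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) that lives only in a hypothetical KeyVault, and destroying that KEK leaves every replica's ciphertext bytes on disk but unreadable. The KeyVault and ReplicatedObjectStore names are constructed for this example, and the HMAC-based cipher is a stdlib-only stand-in for AES-GCM, not something to deploy.

```python
import hashlib, hmac, secrets
def keystream_xor(key, nonce, data):
    """Toy CTR-mode cipher from HMAC-SHA256 standing in for AES-GCM; stdlib only, not for production."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)

class KeyVault:
    """Hypothetical KMS: the only place the key-encryption key (KEK) ever exists."""
    def __init__(self, kek_id):
        self._keks = {kek_id: secrets.token_bytes(32)}
    def wrap(self, kek_id, dek):
        nonce = secrets.token_bytes(12)
        return nonce, keystream_xor(self._keks[kek_id], nonce, dek)
    def unwrap(self, kek_id, nonce, wrapped):
        return keystream_xor(self._keks[kek_id], nonce, wrapped)  # KeyError once shredded
    def crypto_shred(self, kek_id):
        del self._keks[kek_id]  # no DEK wrapped under this KEK can ever be unwrapped again

class ReplicatedObjectStore:
    """Hypothetical store that copies every object to three replicas the tenant cannot reach."""
    def __init__(self, vault, kek_id):
        self.vault, self.kek_id, self.replicas = vault, kek_id, [{}, {}, {}]
    def put(self, obj_id, plaintext):
        dek, nonce = secrets.token_bytes(32), secrets.token_bytes(12)  # fresh per-object DEK
        wrap_nonce, wrapped_dek = self.vault.wrap(self.kek_id, dek)
        for replica in self.replicas:  # replicas hold ciphertext plus the wrapped DEK only
            replica[obj_id] = (nonce, keystream_xor(dek, nonce, plaintext), wrap_nonce, wrapped_dek)
    def get(self, obj_id, replica=0):
        nonce, ct, wrap_nonce, wrapped_dek = self.replicas[replica][obj_id]
        dek = self.vault.unwrap(self.kek_id, wrap_nonce, wrapped_dek)
        return keystream_xor(dek, nonce, ct)

def readable_replicas(store, obj_id):
    """Count replicas from which the plaintext can still be recovered."""
    def ok(i):
        try: return bool(store.get(obj_id, i))
        except KeyError: return False
    return sum(ok(i) for i in range(len(store.replicas)))

def simulate_shred(plaintext=b"PAN=4111111111111111"):  # constructed sample record
    """Return (readable replicas before shred, after shred, ciphertext bytes still stored)."""
    vault = KeyVault("tenant-kek")
    store = ReplicatedObjectStore(vault, "tenant-kek")
    store.put("rec1", plaintext)
    before = readable_replicas(store, "rec1")
    vault.crypto_shred("tenant-kek")
    return before, readable_replicas(store, "rec1"), sum(len(r["rec1"][1]) for r in store.replicas)
```

The third value returned by simulate_shred shows the point of the question: the bytes are still present on every replica, just as after a plain deletion, but without the KEK none of them can be turned back into data.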
Question 3
What type of masking strategy involves making a separate and distinct copy of data with masking in place?
- A. Dynamic
- B. Replication
- C. Static
- D. Duplication
Explanation
The correct answer is: C. Static.
Static masking creates a separate, persisted copy of the data set with sensitive fields replaced before the copy is delivered for use, which is exactly the strategy the question describes. Dynamic masking does not produce a separate copy; it masks values on the fly as queries traverse the data and application layers, leaving the underlying store untouched. Replication is a data-availability and durability technique that produces faithful duplicates without any masking and would re-expose every sensitive field. Duplication is not a recognised masking taxonomy term and is used here as a plausible-sounding decoy. CCSP candidates should anchor on the rule that any scenario describing a distinct, persisted, sanitised copy points to static masking, while any scenario describing on-the-fly transformation points to dynamic masking.
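The two strategies side by side, as an added example that is not from the original page: static_mask produces a separate, already-sanitised copy you would hand to a test environment, while the hypothetical DynamicMaskingProxy leaves the live rows untouched and masks each query's results according to the caller's role. The TOKEN_KEY, the role names and the CUSTOMERS rows are all constructed for this illustration.

```python
import copy, hashlib, hmac, re

TOKEN_KEY = b"constructed-demo-key"  # assumption: a real deployment would fetch this from a KMS

def tokenize(value):
    """Deterministic pseudonym: the same input always maps to the same token, so a masked
    copy keeps referential integrity across tables without revealing the original value."""
    return "tok_" + hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]

def mask_pan(pan):
    """Star out every digit except the last four."""
    return re.sub(r"\d(?=\d{4})", "*", pan)

MASKERS = {"email": tokenize, "pan": mask_pan, "ssn": lambda s: "***-**-" + s[-4:]}

def mask_row(row):
    """Return a masked copy of one record; the input dict is left untouched."""
    return {k: MASKERS[k](v) if k in MASKERS else v for k, v in row.items()}

def static_mask(rows):
    """Static masking: build a separate, persisted copy with sensitive fields already
    replaced (what you would hand to a dev/test environment). Source rows are unchanged."""
    return [mask_row(r) for r in copy.deepcopy(rows)]

class DynamicMaskingProxy:
    """Dynamic masking: sits between callers and the live store and transforms results
    per query based on the caller's role; nothing is ever written back to the store."""
    def __init__(self, store, unmasked_roles=("fraud-analyst",)):
        self.store, self.unmasked_roles = store, set(unmasked_roles)
    def query(self, role, predicate=lambda r: True):
        hits = [r for r in self.store if predicate(r)]
        return hits if role in self.unmasked_roles else [mask_row(r) for r in hits]

# Constructed sample data, not taken from any real system.
CUSTOMERS = [
    {"id": 1, "email": "alice@example.com", "pan": "4111111111111111", "ssn": "123-45-6789"},
    {"id": 2, "email": "bob@example.com", "pan": "5555555555554444", "ssn": "987-65-4321"},
]
```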
Question 4
Which of the following storage types is most closely associated with a database-type storage implementation?
- A. Object
- B. Unstructured
- C. Volume
- D. Structured
Explanation
The correct answer is: D. Structured.
Structured storage is the PaaS storage category that maps onto database-style systems with schemas, tables, rows, columns, and query languages, providing organised, indexed, and constrained data management that is fundamentally how databases work. Object storage is flat key-value addressing for large objects and is not database-shaped. Unstructured storage holds files, documents, and media without schema. Volume storage is block storage formatted by a guest OS with a hierarchical file system and is not database-shaped either. CCSP candidates should anchor structured storage to managed database services such as RDS, Cosmos DB, and Cloud SQL, distinguishing it from object stores like S3, file abstractions for unstructured content, and volume storage attached as block devices to virtual machines.
Question 5
Which is the appropriate phase of the cloud data lifecycle for determining the data's classification?
- A. Create
- B. Use
- C. Share
- D. Store
Explanation
The correct answer is: A. Create.
Classification must be set during the Create phase of the Securosis data lifecycle so that every subsequent phase, Store, Use, Share, Archive, and Destroy, can apply controls calibrated to the correct sensitivity level from the outset. Use is too late because access decisions, encryption choices, and DLP policies would already be wrong by the time data is consumed. Share is downstream of classification and depends on it. Store is the immediate successor to Create and inherits classification rather than setting it. CCSP candidates should hold a firm rule that classification is a Create-phase activity, that re-classification can occur in Archive, and that every protection control downstream is selected based on the classification assigned at the moment the data first enters the environment.
Other CCSP domains
- Cloud Application Security (71 questions)
- Cloud Concepts, Architecture, and Design (97 questions)
- Cloud Platform and Infrastructure Security (74 questions)
- Cloud Security Operations (48 questions)
- Legal, Risk, and Compliance (115 questions)