
CCSP - Domain 1


Description:
Certified Cloud Security Professional (CCSP)

Creation Date: 2026/03/10

Category: Others

Number of questions: 15

Content:

Daniel is the security architect at VeriSure MedTech, a cloud-based patient data management startup. Daniel discovers that public snapshots of virtual machines were left accessible on a shared infrastructure service. Unauthorized individuals accessed patient health data. Daniel must identify the fundamental issues related to cloud architecture concepts, understand the security considerations of data at rest, and implement a more secure deployment model. What primary remediation aligns with secure cloud design principles? (1.1)
- Maintain public snapshots for scalability but rely on strong perimeter firewalls in a hybrid model without adjusting encryption strategies.
- Convert the environment to a SaaS model and trust the provider's default snapshot security features without incorporating additional encryption requirements.
- Restrict public snapshots; integrate encryption for data at rest; transition to a private cloud model with clearly defined isolation boundaries.
- Remove encryption altogether as this will improve performance; rely on network security groups in the existing public cloud model.

Emily is the cloud security director at Finora Cloud Banking, a financial services firm. Emily learns that their IaaS platform's storage buckets are unintentionally exposed to the internet. The firm processes sensitive financial data requiring strict confidentiality. Emily must apply the essential characteristics of cloud computing, ensure secure configuration baselines, and consider the cost versus benefit of implementing encryption and access controls. Which action BEST meets these criteria? (1.1)
- Restrict public access to storage buckets; enable encryption at rest and in transit; apply least privilege IAM policies; accept the minor cost increase for secure configurations.
- Leave buckets public for operational ease; rely on default credentials; implement only encryption in transit; prioritize and justify cost savings over security measures.
- Switch to a private cloud model with no encryption to reduce complexity and assume that restricted network access suffices for data protection.
- Limit encryption to at-rest only and provide broad IAM roles to multiple teams while favoring lower operational costs over fine-grained access controls.

Frank is the security and privacy manager at DataSynth Health Analytics, an analytics platform for clinical data. Frank finds that an API endpoint is publicly accessible due to misconfigurations, and unauthorized entities could access sensitive data feeds. Frank must apply foundational cloud concepts, identify the appropriate reference architecture, and ensure functional security requirements are met. He must also consider ROI and KPI metrics tied to implementing secure API gateways. What is the BEST next step? (1.2)
- Keep the API publicly accessible to maintain speed; rely on IP whitelisting alone; ignore formal reference models; focus on short-term KPI improvements.
- Implement an API gateway with proper authentication; align with recommended cloud reference architecture for secure interfaces; justify the ROI by reducing breach-associated costs.
- Transition to a SaaS model without changing the API configuration; trust the provider's security promises; measure performance KPIs only.
- Disable the API entirely to avoid management overhead; avoid architectural considerations and guidance; track cost savings from reduced infrastructure usage.

Lisa is the CISO at NovaData Insurance, a cloud-driven claims processing service. Lisa observes open network ports on their PaaS environment. Attackers exploited these ports to intercept claims data. Lisa needs to understand virtualization security concerns, apply security hygiene principles, and consider how properly managed IaaS, PaaS, or SaaS models differ in their responsibilities. Which approach BEST addresses these challenges? (1.4)
- Shift the environment to IaaS and rely on the provider's network security, using the default port and encryption settings of the provider.
- Move to a SaaS model, given the provider will handle all security, including managing open ports; do not apply any internal security baselines.
- Focus on virtual machine-level encryption in the current PaaS model; disregard network-level controls or identity management given the provider's default settings will likely be sufficient.
- Implement stricter access controls on the PaaS; ensure secure baseline configurations; adopt a layered security approach including encryption, identity management, and continuous monitoring.

Michael is the system architect at AeroMax Logistics, a platform leveraging hybrid cloud deployments for cargo tracking. Michael is managing a breach caused by default credentials on management interfaces, with attackers gaining unauthorized access to virtual machines storing routing schedules. Michael must ensure secure life cycle principles, incorporate identity and access controls, understand how private and public cloud models affect these controls, and measure success through KPIs. Which solution is MOST appropriate? (1.3)
- Keep default credentials for internal machines; bolster network perimeter controls; align KPIs to uptime and availability.
- Transition all services to a public cloud model; adopt default security settings from the cloud provider; align KPIs to cost savings.
- Replace default credentials; enable MFA; apply least-privilege IAM in both private and public cloud segments; track reduced unauthorized access events as a KPI.
- Apply multifactor authentication on public-facing components; maintain default credentials internally; focus KPI measurements on patching speed and intrusion prevention metrics.

Susan is the cloud security engineer at Regal Funds Investment, a company analyzing large financial datasets in a public cloud. Susan discovers that sensitive market data has been inadvertently transferred externally without encryption. She must apply fundamental cloud security concepts, ensure data protection in transit, align with a reference architecture that includes secure communication layers, and justify the slight overhead in cost. What approach should Susan take? (1.1)
- Continue cleartext transmission to maintain speed; harden perimeter firewalls to compensate.
- Implement encryption in transit; integrate secure endpoints as per reference guidance; accept latency costs resulting from these changes; monitor traffic for ongoing compliance.
- Shift all operations to a private cloud relying on the provider's encryption policies; assume reduced external exposure as a result of the shift; monitor for indicators of unauthorized access.
- Use encryption at rest as in-transit encryption is cost prohibitive; utilize default network security configurations supplied by the provider.

Jonathan is the security architect at CliniData BioServices, a hybrid cloud provider handling genomic data analysis. Jonathan notices that developers have used default credentials on VMs, resulting in attackers gaining root access to sensitive workloads. Jonathan must address identity and access management across the hybrid model, adopt a secure life cycle approach, and consider whether IaaS or PaaS is more controllable. Which solution BEST fits? (1.4)
- Keep default credentials internally; upgrade the perimeter firewall; maintain IaaS environment and keep IAM separate; incorporate hybrid complexity to deter attackers.
- Move to SaaS; develop a unique credential policy; rely on the cloud provider's standard security settings; forgo centralized IAM across hybrid boundaries due to cost prohibitions.
- Apply MFA to external services; develop a unique credential policy; disable IAM for internal nodes due to high management overhead; deploy local user accounts to developers.
- Enforce unique credentials; enable MFA; integrate centralized IAM tools across hybrid resources; consider PaaS options with built-in identity controls.

Rachel is the cloud compliance manager at TransCom Freight, a transportation analytics firm using a multi-cloud environment. Rachel discovers that containerized workloads lack proper network segmentation. As a result, unauthorized traffic flows between cloud-based services. Rachel must apply cloud reference architecture guidelines, ensure network security principles are followed, and compare IaaS vs. PaaS networking controls. Which action BEST secures the environment? (1.5)
- Keep all containers in a flat network architecture; minimize firewall rules to avoid complexity; develop a business case for shifting workloads back to on-premises infrastructure.
- Migrate services to a single public cloud; do not segment workloads as this would introduce latency; adopt the cloud provider's default security settings; assume that uniformity equals security.
- Implement micro-segmentation for containers; use a reference architecture to structure network layers; apply least privilege rules across multiple clouds.
- Focus on encrypting workloads at rest to meet compliance requirements; segment the network to include a management VLAN and to minimize network latency.

Albert is the CISO at MediTrans Pharma, a medical research firm. Albert discovers that open network ports in a PaaS environment exposed proprietary drug formulas. Albert must ensure that virtualization and network security principles are integrated, and that cost-effective measures are being taken. He must also consider hybrid vs. public deployment trade-offs. What's the MOST appropriate solution to meet these goals? (1.3)
- Close unused ports; adopt encryption in transit and at rest; enforce MFA and role-based access; communicate to management that cost increases are a fraction of the benefit gained from intellectual property protection.
- Close unused ports; maintain use of default credentials; adopt encryption at rest; enforce MFA for external access only; ensure no cost increases occur given company revenue fell in the previous quarter.
- Move workloads to a hybrid model; adopt local firewall rules; focus on cost savings given the state of the global economy.
- Implement encryption at rest; monitor network ports for unauthorized access; incorporate security considerations in service-level agreements; justify minimal cost increases on inflationary pressures and cost of doing business.

Bob is the system architect at FinAx Cloud Brokers, a financial data aggregator. Bob finds that workloads scale dynamically but lack consistent encryption and monitoring. Sensitive payment data sits in memory during scale-ups on a public cloud. Bob must apply building block technologies (e.g., virtualization, storage, network), ensure proper logging, and consider performance versus security costs. Which measure aligns BEST? (1.2)
- Avoid encryption to maintain performance; enable critical event logging; implement scaling policies aligned to cost-saving auto-scaling scripts.
- Implement encryption in memory and at rest; enable comprehensive logging and monitoring; adopt scalable IAM policies; accept slight performance impact for robust security.
- Shift to a private cloud; ensure service level agreements incorporate all costs; adopt default logging policies; adopt private cloud provider's security posture.
- Encrypt backup files; ignore runtime encryption as this would impact latency and speed; maintain minimal logging to avoid management overhead costs associat.

Paige is the cloud security director at AeroLink Charter, an aviation logistics provider. Paige discovers that configuration baselines were never set for IaaS instances. Virtual machines run with default OS images and no hardening. Paige must incorporate secure life cycle principles, standardize baselines, and consider a cloud reference architecture that includes configuration management. Which steps are the MOST effective to achieve this? (1.1)
- Retain default OS images to maximize uptime and avoid complexity; undertake annual vulnerability scans; opt out of utilizing standardized configuration baselines.
- Move to a SaaS solution, which does not require OS management; use a reputable provider; this ensures that no baselines will be required.
- Develop secure baselines for IaaS VMs; enforce hardened OS images; use automated configuration tools; verify alignment with recognized cloud architecture patterns.
- Apply baselines to critical VMs only; opt out of implementing configuration management tools due to cost; optimize network firewalls for security.

Linda is the CISO at Genova Analytics, a data analysis startup. Linda determines that the cloud's resource elasticity is not matched by identity controls. Excessive permissions are granted to all users to enable quick scalability. Linda must refine IAM based on cloud computing characteristics, integrate secure design patterns, and weigh the cost of implementing least privilege vs. broad access. What is the BEST approach? (1.2)
- Implement least privilege IAM policies; adjust roles dynamically as workloads scale; accept the administrative overhead as necessary for strong security.
- Maintain permissions regime to ensure continued rapid changes; uplift incident response capability; justify to the business that reduced management costs outweigh security risks.
- Shift to a private cloud to control IAM by restricting external connections; continue internal role structure as is; implement SIEM solution to ensure events and alerts are registered.
- Use MFA on all accounts keeping existing permissions; ensure cloud account access is logged for at least 180 days in case an incident occurs.

Tom is the security architect at CloudSys Retail, a company processing online orders. Tom observes that data is stored unencrypted in a public cloud IaaS. Attackers obtained sensitive customer data from publicly exposed volumes. Tom must integrate encryption strategies, compare PaaS and IaaS storage security capabilities, and consider ROI metrics for enhanced data protection. Which option aligns BEST with these requirements? (1.3)
- Keep volumes public to allow better accessibility by customers; ensure default provider-managed keys are fully implemented; measure system uptime as an ROI.
- Enable server-side encryption; ensure volumes are not publicly exposed; adopt key management best practices; measure reduced breach risk as an ROI.
- Move to PaaS storage; forgo encryption to reduce latency; rely on the provider's default security settings to address exposure issues.
- Encrypt backups; keep production volumes public to ensure interoperability; implement basic IAM policies and controls.

Sarah is the cloud risk officer at MediCore Diagnostics, a medical diagnostics provider. Sarah discovers that service integration across hybrid environments lacks standardized cryptography. Sarah must apply recommended cryptographic practices, ensure that keys are managed securely, and understand how service models influence encryption responsibilities. She must also consider the operational cost of proper key rotation. Which measure is BEST? (1.4)
- Use 3DES encryption to simplify rotation; store keys locally on each VM; justify lower costs by reduced complexity.
- Utilize the provider's default encryption to ensure interoperability; avoid key rotation to minimize risk and save operational effort; rely on providers' assurances relating to compliance.
- Encrypt one segment of the environment to test effectiveness; implement firewall controls as a compensating control; implement SHA-1 as the chosen cryptographic hashing function.
- Implement centrally managed encryption keys; apply recommended cryptographic algorithms across hybrid services; rotate keys regularly; accept that the operational overhead is justified given the sensitivity of the information.

Jane is the cloud security director at AeroVista Airlines, an airline operating an online ticketing platform. The platform stores passenger data in a multi-tenant SaaS model without proper tenant isolation. Jane must align with reference architectures that ensure data segmentation, assess how SaaS differs in responsibilities, and measure how improved isolation affects KPIs. Which action is MOST suitable? (1.5)
- Enforce tenant isolation through service provider configuration; integrate logical separation of data; track reduced data leakage incidents as a KPI.
- Accept SaaS providers sometimes mix multi-tenant data as a result of business continuity needs; rely on partial encryption of sensitive records; track platform uptime as a KPI.
- Shift to IaaS to gain control over data segregation and isolation; opt out of encryption policies and procedures due to processing overhead required; measure KPIs on server load.
- Implement encryption on company data, relying on unique IAM tokens per tenant; ignore reference architectures as they are cumbersome to implement fully, and the business does not have budget to allocate.
