第三章練習題附有答案

第三章練習題1.Youareinchargeofcreatingthebusinesscontinuityanddisasterrecovery(BC/DR)planandproceduresforyourorganization.Yourorganizationhasitsproductionenvironmenthostedinacloudenvironment.YouareconsideringusingcloudbackupservicesforyourBC/DRpurposesaswell.Whatwouldprobablybethebeststrategyforthisapproach,intermsofredundancyandresiliency?[單選題]A.HaveyourcloudprovideralsoprovideBC/DRbackup.B.KeepaBC/DRbackuponthepremisesofyourcorporateheadquarters.C.UseanothercloudproviderfortheBC/DRbackup.(正確答案)D.Moveyourproductionenvironmentbackintoyourcorporatepremises,anduseyourcloudprovidertohostyourBC/DRbackup.答案解析：C.It’sbesttohaveyourbackupatanothercloudproviderincasewhatevercausesaninterruptioninserviceoccursthroughoutyourprimaryprovider’senvironment;thiswillbemorecomplicatedandexpensive,butitprovidesthebestredundancyandresiliency.Usingthesameproviderforproductionandbackupisnotabadoption,butitentailstheriskofthesamecontingencyaffectingbothcopiesofyourdata.Havingeitherthebackuportheproductionenvironmentlocalizeddoesnotprovidethebestprotection,soneitheroptionBnoroptionDisdesirable.2.Youareinchargeofcreatingthebusinesscontinuityanddisasterrecovery(BC/DR)planandproceduresforyourorganization.YoudecidetohaveatabletoptestoftheBC/DRactivity.Whichofthefollowingwillofferthebestvalueduringthetest?[單選題]A.Haveallparticipantsconducttheirindividualactivitiesviaremotemeetingtechnology.B.TaskamoderatorwellversedinBC/DRactionstosuperviseandpresentscenariostotheparticipants,includingrandomizedspecialevents.(正確答案)C.ProvidecopiesoftheBC/DRpolicytoallparticipants.D.Allowallusersinyourorganizationtoparticipate.答案解析：B.Atrainedandexperiencedmoderatorcanguidetheparticipantsthroughtheactivity,enhancingtheirtrainingandnotingpitfallsandareasforimprovement.OptionAisnotpreferablebecausehavingtheparticipantsgatheredtogetherensurestheirfullattentionandprovidesinteractionthatremoteparticipationmightnotyield.OptionCisabaseline;allparticipantsshouldhavecopiesofthepolicyasamatterofcourse.OptionDisnotusefulinatabletopexercise;onlycriticalparticipantsintheorganizationshouldtakepartinthetabletop.3.Youareinchargeofcreatingthebusinesscontinuityanddisasterrecovery(BC/DR)planandproceduresforyourorganization.Yourorganizationhasitsproductionenvironmenthostedbyacloudprovider,andyouhaveappropriateprotectionsinplace.WhichofthefollowingisasignificantconsiderationforyourBC/DRbackup?[單選題]A.EnoughpersonnelattheBC/DRrecoverysitetoensureproperoperationsB.Goodcryptographickeymanagement(正確答案)C.AccesstotheserverswheretheBC/DRbackupisstoredD.Forensicanalysiscapabilities答案解析：B.Thisisadifficultquestionthatrequiresagreatdealofthought.OptionBiscorrectbecauseappropriateclouddatasecuritypracticeswillrequireencryptingagreatdealofthedata,andhavingthekeyswillbenecessaryduringcontingencyoperationsinorderto

accessthebackup;withoutthekeys,youwon’tbeabletoaccessyourdata.OptionAisnotcorrectbecauseusingthecloudforBC/DRwillallowpersonneltoaccessthebackupfromanywheretheycangetbroadbandconnectivity,notspecificallyarecoverysite.Option

Cisnotcorrectbecausethecustomerwillrarelyhavephysicalaccesstoserversinthecloudenvironment.OptionDisnotcorrectbecauseforensicanalysisisnotasignificantconsiderationinBC/DR;itismuchmoreimportantforincidentresponse.4.Youareinchargeofcreatingthebusinesscontinuityanddisasterrecovery(BC/DR)planandproceduresforyourorganization.YouaregoingtoconductafulltestoftheBC/DRplan.Whichofthefollowingstrategiesisanoptimumtechniquetoavoidmajorissues?[單選題]A.Haveanotherfullbackupoftheproductionenvironmentstoredpriortothetest.(正確答案)B.Assignallpersonneltaskstoperformduringthetest.C.Havethecloudproviderimplementasimulateddisasteratarandommomentinordertomaximizerealistictesting.D.Haveyourregulatorspresentatthetestsotheycanmonitorperformance.答案解析：A.Afulltestwillinvolveboththeproductionenvironmentandthebackupdata;itispossibletocreateanactualdisasterduringafulltestbyruiningtheavailabilityofboth.Therefore,itiscrucialtohaveafullbackup,distinctfromtheBC/DRbackup,inordertorollbackfromthetestincasesomethinggoeshorriblywrong.OptionBisincorrect

becausenotallpersonnelwillhavetaskstoperform;mostpersonnelwillhavetoevacuatefromthefacilityonlyduringafulltest.OptionCisincorrectbecausethecloudprovidershouldnotinitiatethetest,andthetestshouldnottakeplaceatarandommoment.OptionDisnotcorrectbecausetheregulators’presencewillnotaddanyvaluetothetest.5.ASecurityAssertionMarkupLanguage(SAML)identityassertiontokenusestheprotocol.[單選題]A.ExtensibleMarkupLanguage(XML)(正確答案)B.HypertextTransferProtocol(HTTP)C.HypertextMarkupLanguage(HTML)D.AmericanStandardCodeforInformationInterchange(ASCII)答案解析：A.SecurityAssertionMarkupLanguage(SAML)isbasedonXML.HTTPisusedforport80webtraffic;HTMLisusedtopresentwebpages.ASCIIistheuniversalalphanumericcharacterset.6.Theminimumessentialcharacteristicsofaclouddatacenterareoftenreferredtoas“ping,power,pipe.”Whatdoesthistermmean?[單選題]A.Remoteaccessforcustomertorackeddevicesinthedatacenter;electricalutilities;connectivitytoanInternetserviceprovider(ISP)/theInternet(正確答案)B.Applicationsuitability;availability;connectivityC.Infrastructureasaservice(IaaS);softwareasaservice(SaaS);platformasaservice(PaaS)D.Anti-malwaretools;controlsagainstdistributeddenialofservice(DDoS)attacks;physical/environmentalsecuritycontrols,includingfiresuppression答案解析：A.OptionAisthedefinitionoftheterm;theotheranswersarenot.7.TosupportallaspectsoftheCIAtriad(confidentiality,integrity,availability),allofthefollowingaspectsofaclouddatacenterneedtobeengineeredwithredundanciesexcept[單選題]A.PowersupplyB.HVACC.Administrativeoffices(正確答案)D.Internetserviceprovider(ISP)/connectivitylines答案解析：C.Theadministrativeofficesofaclouddatacenterrarelyarepartofthecriticalfunctionsoftheoperation;adatacentercouldlikelyendurethelossoftheadministrativeofficesfor

aconsiderablelengthoftime,soredundancyhereisprobablynotcosteffective.Alltheotheritemspartofthecriticalpathandneedredundancies.8.Whoisthecloudcarrier?[單選題]A.ThecloudcustomerB.ThecloudproviderC.Theregulatoroverseeingthecloudcustomer’sindustryD.TheISPbetweenthecloudcustomerandprovider(正確答案)答案解析：C.Theadministrativeofficesofaclouddatacenterrarelyarepartofthecriticalfunctionsoftheoperation;adatacentercouldlikelyendurethelossoftheadministrativeofficesfor

aconsiderablelengthoftime,soredundancyhereisprobablynotcosteffective.Alltheotheritemspartofthecriticalpathandneedredundancies.9.Whichofthefollowingtermsdescribesameanstocentralizelogicalcontrolofallnet-workednodesintheenvironment,abstractedfromthephysicalconnectionstoeach?[單選題]A.Virtualprivatenetwork(VPN)B.Software-definednetwork(SDN)(正確答案)C.Accesscontrollists(ACLs)D.Role-basedaccesscontrol(RBAC)答案解析：B.Thequestiondescribesasoftware-definednetwork(SDN).

AVPNisusedforcreatinganencryptedcommunicationstunneloveranuntrustedmedium,sooptionAisincorrect.

ACLsareusedascentralizedrepositoriesforidentification,authentication,andauthoriza-tionpurposes,sooptionCisincorrect.

RBACisanaccesscontrolmodelusedtoassignpermissionsbasedonjobfunctionswithinanorganization,sooptionDisincorrect.10.Insoftware-definednetworking(SDN),thenorthboundinterface(NBI)usuallyhandlestrafficbetweentheandthe[單選題]A.Cloudcustomer;ISPB.SDNcontrollers;SDNapplications(正確答案)C.Cloudprovider;ISPD.Router;host答案解析：B.TheNBIusuallyhandlestrafficbetweentheSDNcontrollersandSDNapplications.

OptionsAandCareincorrectbecauseneitherofthoseoptionslistsanyoftheSDNinfra-structure,bethatthecontrollersortheapplications.OptionDmaybearguablycorrect,

astheremightbeanNBIhandlingthattrafficbetweenthosenodes,butoptionBismorespecificandalwaystrueforthisdefinition,soitisthebetterchoice.11.Software-definednetworking(SDN)allowsnetworkadministratorsandarchitectstoper-formallthefollowingfunctionsexcept[單選題]A.ReroutetrafficbasedoncurrentcustomerdemandB.CreatelogicalsubnetswithouthavingtochangeanyactualphysicalconnectionsC.FilteraccesstoresourcesbasedonspecificrulesorsettingsD.Deliverstreamingmediacontentinanefficientmannerbyplacingitclosertotheenduser(正確答案)答案解析：D.OptionDisreallyadefinitionofaCDN(contentdeliverynetwork).

AlltheotheroptionsareaspectsofSDNs.12.Whichofthefollowingisadevicespeciallypurposedtohandletheissuance,distribution,andstorageofcryptographickeys?[單選題]A.Keymanagementbox(KMB)B.Hardwaresecuritymodule(HSM)(正確答案)C.Ticket-grantingticket(TGT)D.Trustedcomputingbase(TCB)答案解析：B.ThequestiondescribesanHSM.

KMBisanonsensetermusedasadistractor,soitisincorrect.

TGTisatermassociatedwithKerberossinglesign-onsystemsandisincorrect.

TheTCBincludestheelementsofhardwareandsoftware(usuallyintheoperatingsystem)thatensurethatasystemcanonlybecontrolledbythosewiththeproperpermissions(i.e.,adminswithrootcontrol),soitisalsoincorrect.13.Whendiscussingthecloud,weoftensegregatethedatacenterintothetermscomputestorage,andnetworking.Computeismadeupofand[單選題]A.Routers;hostsB.Applicationprogramminginterface(APIs);northboundinterface(NBIs)C.Centralprocessingunit(CPU);random-accessmemory(RAM)(正確答案)D.Virtualized;actualhardwaredevices答案解析：C.Thecomputenodesofaclouddatacentercanbemeasuredintermsofhowmanycentralprocessingunits(CPUs)andhowmuchrandomaccessmemory(RAM)isavailablewithinthecenter.

OptionAisincorrectbecauserouterswouldbeconsideredapartofthenetworkingofadatacenter(andbecauseoptionCisabetteranswer).

OptionBinvolvesapplicationsandhowtrafficflowsbetweenthemandstoragecontrol-lers;ithasnothingtodowiththecomputenodesandisthereforewrong.

OptionDmightobliquelybeconsideredcorrectbecauseit’stechnicallytrue(computenodeswillincludebothvirtualandhardwaremachines),butoptionCisamuchbetterandmoreaccuratechoice.14.Allofthefollowingcanbeusedtoproperlyapportioncloudresourcesexcept[單選題]A.ReservationsB.SharesC.Cancellations(正確答案)D.Limits答案解析：C.Cancellationsisnotatermusedtodescribearesourceallotmentmethodology.Alloftheotheroptionsaresuchterms.15.Whichofthefollowingisamethodforapportioningresourcesthatinvolvessettingguar-anteedminimumsforalltenants/customerswithintheenvironment?[單選題]A.Reservations(正確答案)B.SharesC.CancellationsD.Limits答案解析：A.Thequestionisthedefinitionofreservations.

OptionsBandDarealsoresourceapportioningmethods,buttheydonotfallunderthedefinitiondescribedinthequestion.16.Whichofthefollowingisamethodforapportioningresourcesthatinvolvessettingmaxi-mumusageamountsforalltenants/customerswithintheenvironment?[單選題]A.ReservationsB.SharesC.CancellationsD.Limits(正確答案)答案解析：D.Thequestiondescribeslimits.

OptionsAandBarealsoresourceapportioningmethods,buttheydonotfallunderthedefinitiondescribedinthequestion.

OptionCisbecauseithasnomeaninginthiscontext.17.Whichofthefollowingisamethodforapportioningresourcesthatinvolvesprioritizingresourcerequeststoresolvecontentionsituations?[單選題]A.ReservationsB.Shares(正確答案)C.CancellationsD.Limits答案解析：D.Thequestiondescribeslimits.

OptionsAandBarealsoresourceapportioningmethods,buttheydonotfallunderthedefinitiondescribedinthequestion.

OptionCisbecauseithasnomeaninginthiscontext.18.Abare-metalhypervisorisType[單選題]A.1(正確答案)B.2C.3D.4答案解析：A.Abare-metalhypervisorisaType1hypervisor.

OptionBdescribesanothertypeofhypervisor;theotheroptionsareincorrectbecausethereisnosuchthingasaType3orType4hypervisor.19.Ahypervisorthatrunsinsideanotheroperatingsystem(OS)isaTypehypervisor.[單選題]A.1B.2(正確答案)C.3D.4答案解析：B.ThequestiondescribesaType2hypervisor.

OptionAdescribesanothertypeofhypervisor;theotheroptionsareincorrectbecausethereisnosuchthingasaType3orType4hypervisor.20.ATypehypervisorisprobablymoredifficulttodefendthanotherhypervisors.[單選題]A.1B.2(正確答案)C.3D.4答案解析：B.AType2hypervisorreliesontheunderlyingoperatingsystem(OS)tooperateproperly;

theunderlyingOSoffersalargeattacksurfaceforaggressors.

AType1hypervisorbootsdirectlyfromthehardware;it’smucheasiertosecureamachine’sBasicInput/OutputSystem(BIOS)thananentireOS,sooptionBisbetterthanoptionA.

OptionsCandDareincorrectbecausethereisnosuchthingasaType3orType4hypervisor.21.Oneofthesecuritychallengesofoperatinginthecloudisthatadditionalcontrolsmustbeplacedonfilestoragesystemsbecause[單選題]A.FilestoresarealwayskeptinplaintextinthecloudB.ThereisnowaytosanitizefilestoragespaceinthecloudC.Virtualizationnecessarilypreventstheuseofapplication-basedsecuritycontrolsD.Virtualmachinesarestoredassnapshottedfileswhennotinuse(正確答案)答案解析：D.VMsaresnapshottedandsimplystoredasfileswhentheyarenotbeingused;anattackerwhogainsaccesstothosefilestorescouldostensiblystealentiremachinesinhighlyportable,easilycopiedformats.Therefore,thesecloudstoragespacesmustincludeasignificantamountofcontrols.

OptionsAandCaresimplyuntrue.

OptionBisuntruewhencrypto-shreddingisutilized.22.Whatisthemainreasonvirtualizationisusedinthecloud?[單選題]A.Virtualmachines(VMs)areeasiertoadminister.B.IfaVMisinfectedwithmalware,itcanbeeasilyreplaced.C.WithVMs,thecloudproviderdoesnothavetodeployanentirehardwaredeviceforeverynewuser.(正確答案)D.VMsareeasiertooperatethanactualdevices.答案解析：C.WhileoptionsAandBarebothalsotrue,CisthemostsignificantreasonclouddatacentersuseVMs.Ifthecloudproviderhadtopurchaseanewboxforeveryuser,thecostofcloudserviceswouldbeasmuchasrunningatraditionalenvironment(orlikelycostevenmore),andtherewouldbenoreasonforanyorganizationtomigratetothecloud,especiallyconsideringtherisksassociatedwithdisclosingdatatoathirdparty.

OptionDissimplyuntrue.VMsarenoteasiertooperatethanactualdevices.23.Orchestratingresourcecallsisthejobofthe[單選題]A.AdministratorB.RouterC.VMD.Hypervisor(正確答案)答案解析：D.Thequestiondescribeswhatthehypervisordoes.(Notethattheanswer“operatingsystem”wouldalsoworkherebutwasnotoneoftheoptions.)

OptionAisincorrect;theallocationofresourcesisnotperformedmanually.

Therouterdirectstrafficbetweennetworks;itdoesnotapportionresources.Therefore,optionBisincorrect.

AVMmakesresourcecalls;optionCisincorrect.24.Whichofthefollowingtermsdescribesacloudstorageareathatusesafilesystem/hierarchy?[單選題]A.VolumestorageB.Objectstorage(正確答案)C.Logicalunitnumber(LUN)D.Blockstorage答案解析：B.Objectstorageis,literally,ameansofstoringobjectsinahierarchysuchasafiletree.

Alltheotheroptionsaretermsusedtodescribecloudstorageareaswithoutfilestructures.25.Typically,whichformofcloudstorageisusedintheneartermforsnapshottedvirtualmachine(VM)images?[單選題]A.VolumestorageB.Objectstorage(正確答案)C.Logicalunitnumber(LUN)D.Blockstorage答案解析：B.SnapshottedVMimagesareusuallykeptinobjectstorage,asfiles.

AlltheotheroptionsareincorrectandoptionCisnotatypeofstorage.26.Whooperatesthemanagementplane?[單選題]A.RegulatorsB.EndconsumersC.Privilegedusers(正確答案)D.Privacydatasubjects答案解析：C.Onlythemosttrustedadministratorsandmanagerswillhaveaccesstotheclouddatacenter’smanagementplane.Thesewillusuallybecloudprovideremployees,butsomecloudcustomerpersonnelmaybegrantedlimitedaccesstoarrangetheirorganization’scloudresources.

Regulatorsdonotoperateacustomer’smanagementplane,sooptionAisincorrect.OptionBisambiguous.However,aconsumerofdataisunlikelytohavebeengiventhe

elevatedprivilegesnecessaryofoperatethemanagementplaneinacloudenvironment.

OptionBisincorrect.

OptionDisalsoanambiguousanswer.Onlythemosttrustedadministratorsandmanagershaveaccesstotheclouddatacenter’smanagementplane.Aprivacydatasubjectisneitheramosttrustedadministratornoratrustedmanager.Therefore,optionDisincorrect.27.Whatisprobablytheoptimumwaytoavoidvendorlock-in?[單選題]A.Usenonproprietarydataformats.B.Useindustry-standardmedia.C.Usestrongcryptography.D.Usefavorablecontractlanguage.(正確答案)答案解析：D.Thecontractisprobablythecloudcustomer’sbesttoolforavoidingvendorlock-in;contracttermswillestablishhoweasyitistomigrateyourorganization’sdatatoanotherproviderinatimely,cost-effectivemanner.

OptionsAandBarealsoimportantwaystoavoidvendorlock-in,butDisthebestwer.

OptionCisincorrectandwillnotaidinavoidingvendorlock-in.28.Whowilldeterminewhetheryourorganization’scloudmigrationissatisfactoryfromacomplianceperspective?[單選題]A.ThecloudproviderB.ThecloudcustomerC.Theregulator(s)(正確答案)D.TheInternetserviceprovider(ISP)答案解析：C.Theregulator(s)overseeingyourindustry/organizationwillmakethefinaldeterminationastowhetheryourcloudconfigurationissuitabletomeettheirrequirements.Itisbesttocoordinatewithyourregulator(s)whenfirstconsideringcloudmigration.

Cloudproviders,cloudcustomers,andISPsarenotparticularlyconcernedaboutwhetheranorganization’smigrationissatisfactoryfromacomplianceperspective.Thewords,“complianceperspective”shouldautomaticallybringtomindregulator(s).OptionsA,B,andDarethereforeincorrectanswers.29.Whatisprobablythebestwaytoavoidproblemsassociatedwithvendorlock-out?[單選題]A.Usestrongcontractlanguage.B.Usenonproprietarydataandmediaformats.C.Usestrongcryptography.D.Useanotherproviderforbackuppurposes.(正確答案)答案解析：D.Vendorlock-outoccurswhentheprovidersuddenlyleavesthemarket,asduringabankruptcyoracquisition.Therisksassociatedwithlock-outincludedenialofservice,becauseoftotalunavailabilityofyourdata.Thebestwaytohandletheserisksistohaveanother,fullbackupofyourdatawithanothervendorandtheabilitytoreconstitute

youroperatingenvironmentinatimeframethatdoesn’texceedyourrecoverytimeobjective(RTO).

Theotheroptionsdonotaidinaddressingvendorlock-out.30.Inapubliccloudservicesarrangement,whocreatesgovernancethatwilldeterminewhichcontrolsareselectedforthedatacenterandhowtheyaredeployed?[單選題]A.Thecloudprovider(正確答案)B.ThecloudcustomerC.Theregulator(s)D.Theenduser答案解析：A.Becausethecloudproviderownsandoperatestheclouddatacenter,theproviderwillcraftandpromulgatethegovernancethatdeterminesthecontrolselectionandusage.Thisisanotherriskthecloudcustomermustconsiderwhenmigratingintothecloud;thecustomer’sgovernancewillnolongerhavedirectprecedenceovertheenvironmentwherethecustomer’sdataislocated.

Boththecloudcustomerandtheregulator(s)mayhavespecificcontrolmandatesthatmightrequirethecustomertodeployadditionalsecuritycontrols(atthecustomerside,withinthedata,asagentsontheuserdevices,orontheprovidersideorinapplicationprogramminginterfaces[APIs]asallowedbytheservicemodelorcontract),sooptionsBandCarealsopartiallytrue,butAisabetteranswerasitismoregeneral.

OptionDuntruebecausetheenduserdoesnotdeterminewhichcontrolsareselectedfortheclouddatacenterandhowtheyaredeployed.Thatistheresponsibilityofthecloudprovider.31.Whatisthetermthatdescribesthesituationwhenamalicioususerorattackercanexittherestrictionsofavirtualmachine(VM)andaccessanotherVMresidingonthesamehost?[單選題]A.HostescapeB.Guestescape(正確答案)C.ProviderexitD.Escalationofprivileges答案解析：B.Thequestiondescribesaguestescape.

OptionsAandCareotherrisksofoperatinginthecloud.OptionDcanleadtoAorB,butBdescribesthemorespecificsituationandthereforethecorrectanswer.32.Whatisthetermthatdescribesthesituationwhenamalicioususerorattackercanexittherestrictionsofasinglehostandaccessothernodesonthenetwork?[單選題]A.Hostescape(正確答案)B.GuestescapeC.ProviderexitD.Escalationofprivileges答案解析：A.Thequestiondescribeshostescape.

OptionsBandCareotherrisksofoperatinginthecloud.OptionDcanleadtoAorB,butAisthemorespecificsituationandthereforethecorrectanswer.33.is/areprobablythemaincauseofvirtualizationsprawl.[單選題]A.MaliciousattackersB.LackofprovidercontrolsC.LackofcustomercontrolsD.Easeofuse(正確答案)答案解析：D.Becausemostcloudusersdon’tseedirectcostsincreatingnewVMinstances(thebillsusuallygotoasinglepointofcontactintheorganization,nottheuserortheuser’soffice),theymaytendtocreateadditionalVMsatasignificantrate,withoutrealizingtheattendantcost.Thisislargelybecauseitissoeasytodoandhasnoapparentcost,fromtheirperspective.

Alltheotheroptionsdonotcausevirtualizationsprawl.34.Sprawlismainlya(n)problem.[單選題]A.TechnicalB.ExternalC.Management(正確答案)D.Logical答案解析：C.Sprawlneedstobeaddressedfromamanagerialperspectivebecauseitiscausedbyalloweduseractions(usuallyinacompletelyauthorizedcapacity).

OptionsAandDmeanthesamethingandcouldbeconsideredascontributingtosprawlbecausethetechnologicalcapabilitiesofvirtualizationcreatetheeaseofusethatcancausesprawl.However,optionCisabetteranswer.

OptionBisincorrect;sprawloccurswithintheorganization.35.Whichofthefollowingrisksexistsinthetraditionalenvironmentbutisdramaticallyincreasedbymovingintothecloud?[單選題]A.PhysicalsecuritybreachesB.LossofutilitypowerC.FinancialupheavalD.Man-in-the-middleattacks(正確答案)答案解析：D.Becauseallcloudaccessisremoteaccess,theriskstodataintransitaredramaticallyheightenedinthecloud.

Theotheroptionsexistinboththetraditionalenvironmentandthecloudbutareprobablyactuallyreducedinthecloudbecausecloudproviderscanuseeconomiesofscaletoinvestinmeanstoreducethoserisksinwaysthatindividualorganizationswouldnotbeableto.36.Afundamentalaspectofsecurityprinciples,shouldbeimple-mentedinthecloudaswellasintraditionalenvironments.[單選題]A.ContinualuptimeB.Defenseindepth(正確答案)C.MultifactorauthenticationD.Separationofduties答案解析：B.Defenseindepth,orlayereddefense,isperhapsthemostfundamentalcharacteristicofallsecurityconcepts.

OptionsAandCaresecurityaspectsofsomeenvironments,andoptionAislikelyto

beanecessarytraitofmanagedcloudservices,buttheyarenotfundamentals—theyarespecifics.

OptionDisspecificallyanadministrativecontrol;thequestionislookingforafundamen-talaspectofsecurity.OptionBismoregeneral(itappliestoalltypesofsecurity,inallindustriesanduses)andthereforeisthecorrectchoiceforthisquestion.37.Fromasecurityperspective,automationofconfigurationaidsin[單選題]A.EnhancingperformanceB.Reducingpotentialattackvectors(正確答案)C.IncreasingeaseofuseofthesystemsD.Reducingneedforadministrativepersonnel答案解析：B.Asecurebaselineconfiguration,appliedandmaintainedautomatically,ensurestheoptimumsecurityfootprintwiththeleastattacksurface.

Alltheotheroptionsarebenefitsofautomatedconfigurationbutarenotspecificallysecu-rityenhancements.38.isthemostprevalentprotocolusedinidentityfederation.[單選題]A.HypertextTransferProtocol(HTTP)B.SecurityAssertionMarkupLanguage(SAML)(正確答案)C.FileTransferProtocol(FTP)D.WS-Federation答案解析：B.TheSecurityAssertionMarkupLanguage(SAML)isprobablythemostcommonprotocolbeingusedforidentityfederationatthemoment.

OptionsAandCarenotidentityfederationprotocols.

OptionDisafederationspecification,butitalsousesSAMLtokens.39.Ausersignsontoacloud-basedsocialmediaplatform.Inanotherbrowsertab,theuserfindsanarticleworthpostingtothesocialmediaplatform.Theuserclicksontheplat-form’siconlistedonthearticle’swebsite,andthearticleisautomaticallypostedtotheuser’saccountonthesocialmediaplatform.Thisisanexampleofwhat?[單選題]A.Singlesign-onB.InsecuredirectidentifiersC.Identityfederation(正確答案)D.Cross-sitescripting答案解析：C.Thisisaverypopularfunctionoffederatedidentity.

Singlesign-on(SSO)issimilartofederation,butitislimitedtoasingleorganization;fed-erationisbasicallySSOacrossmultipleorganizations.OptionAisincorrect.

OptionsBandDarethreatslistedintheOpenWebApplicationSecurityProject(OWASP)TopTen;theyareincorrect.40.Agroupofclinicsdecidestocreateanidentificationfederationfortheirusers(medicalprovidersandclinicians).Iftheyopttorevieweachother,forcompliancewithsecuritygovernanceandstandardstheyallfindacceptable,whatisthisfederationmodelcalled?[單選題]A.Cross-certification(正確答案)B.ProxyC.Singlesign-onD.Regulated答案解析：A.Thecross-certificationfederationmodelisalsoknownasaweboftrust.

Proxyisanothermodelforfederation,sooptionBisincorrect.

Singlesign-onissimilartofederation,butitislimitedtoasingleorganization;optionCisincorrect.

OptionDdoesnothaverelevanceinthiscontextandthereforeincorrectasananswer.41.Agroupofclinicsdecide