Cloud Security Alliance CCAK Reddit Questions

The CSA STAR registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings1 The registry is designed for users of cloud services to assess their cloud providers’ security and compliance posture, including the regulations, standards, and frameworks they adhere to1 The registry also promotes industry transparency and reduces complexity and costs for both providers and customers2

The provider can direct all customer inquiries to the information in the CSA STAR registry, as this would be the best recommendation to reduce the provider’s burden. By publishing to the registry, the provider can show current and potential customers their security and compliance posture, without having to fill out multiple customer questionnaires or requests for proposal (RFPs)2 The provider can also leverage the different levels of assurance available in the registry, such as self-assessment, third-party audit, or certification, to demonstrate their security maturity and trustworthiness1 The provider can also benefit from the CSA Trusted Cloud Providers program, which recognizes providers that have fulfilled additional training and volunteer requirements with CSA, demonstrating their commitment to cloud security competency and industry best practices3

The other options are not correct because:

Option A is not correct because the provider can schedule a call with each customer is not a good recommendation to reduce the provider’s burden. Scheduling a call with each customer would be time-consuming, inefficient, and impractical, especially if the provider receives multiple inquiries and RFPs every month. Scheduling a call would also not guarantee that the customer would be satisfied with the provider’s security and compliance posture, as they may still request additional information or evidence. Scheduling a call would also not help the provider differentiate themselves from other providers in the market, as they may not be able to showcase their security maturity and trustworthiness effectively.

Option B is not correct because the provider can share all security reports with customers to streamline the process is not a good recommendation to reduce the provider’s burden. Sharing all security reports with customers may not be feasible, as some reports may contain sensitive or confidential information that should not be disclosed to external parties. Sharing all security reports may also not be desirable, as some reports may be outdated, incomplete, or inconsistent, which could undermine the provider’s credibility and reputation. Sharing all security reports may also not be effective, as some customers may not have the expertise or resources to review and understand them properly.

Option C is not correct because the provider can answer each customer individually is not a good recommendation to reduce the provider’s burden. Answering each customer individually would be tedious, repetitive, and costly, as the provider would have to provide similar or identical information to different customers over and over again. Answering each customer individually would also not ensure that the provider’s security and compliance posture is consistent and accurate, as they may make mistakes or omissions in their responses. Answering each customer individually would also not help the provider stand out from other providers in the market, as they may not be able to highlight their security achievements and certifications.

References: 1: STAR | CSA 2: Why your cloud services need the CSA STAR Registry listing 3: STAR Registry | CSA

The cloud service provider is responsible for the patching of the hypervisor layer in all three cloud deployment models (IaaS, PaaS, and SaaS). The hypervisor layer is the software that allows the creation and management of virtual machines on a physical server. The hypervisor layer is part of the cloud infrastructure, which is owned and operated by the cloud service provider. The cloud service provider is responsible for ensuring that the hypervisor layer is secure, reliable, and up to date with the latest patches and updates. The cloud service provider should also monitor and report on the status and performance of the hypervisor layer, as well as any issues or incidents that may affect it.

The cloud service customer is not responsible for the patching of the hypervisor layer, as they do not have access or control over the cloud infrastructure. The cloud service customer only has access and control over the cloud resources and services that they consume from the cloud service provider, such as virtual machines, storage, databases, applications, etc. The cloud service customer is responsible for ensuring that their own cloud resources and services are secure, compliant, and updated with the latest patches and updates.

The patching of the hypervisor layer is not a shared responsibility between the cloud service provider and the cloud service customer, as it is solely under the domain of the cloud service provider. The shared responsibility model in cloud computing refers to the division of security and compliance responsibilities between the cloud service provider and the cloud service customer, depending on the type of cloud deployment model. For example, in IaaS, the cloud service provider is responsible for securing the physical infrastructure, network, and hypervisor layer, while the cloud service customer is responsible for securing their own operating systems, applications, data, etc. In PaaS, the cloud service provider is responsible for securing everything up to the platform layer, while the cloud service customer is responsible for securing their own applications and data. In SaaS, the cloud service provider is responsible for securing everything up to the application layer, while the cloud service customer is responsible for securing their own data and user access.

Patching on hypervisor layer is required, as it is essential for maintaining the security, reliability, and performance of the cloud infrastructure. Patching on hypervisor layer can help prevent vulnerabilities, bugs, errors, or exploits that may compromise or affect the functionality of the virtual machines or other cloud resources and services. Patching on hypervisor layer can also help improve or enhance the features or capabilities of the hypervisor software or hardware. References :=

Patching process - AWS Prescriptive Guidance

What is a Hypervisor in Cloud Computing and Its Types? - Simplilearn

In all three cloud deployment models, (IaaS, PaaS, and … - Exam4Training

Reference Architecture: App Layering | Citrix Tech Zone

Hypervisor - GeeksforGeeks

 Access controls are an assurance requirement when an organization is migrating to a SaaS provider because they ensure that only authorized users can access the cloud services and data. Access controls also help to protect the confidentiality, integrity and availability of the cloud resources. Access controls are part of the Cloud Control Matrix (CCM) domain IAM-01: Identity and Access Management Policy and Procedures, which states that "The organization should have a policy and procedures to manage user identities and access to cloud services and data."1 References := CCAK Study Guide, Chapter 4: A Threat Analysis Methodology for Cloud Using CCM, page 751

Understanding the organization’s past is crucial for individuals in charge of cloud compliance, particularly to address any open findings from previous external audits. This historical perspective is essential because it allows the compliance team to identify recurring issues, understand the context of past non-compliances, and ensure that corrective actions have been taken and are effective. It also helps in anticipating potential future compliance challenges based on past trends and patterns.

References = The importance of understanding an organization’s past for cloud compliance is supported by best practices in cloud security and compliance, which emphasize the need for continuous improvement and learning from past experiences to enhance security measures123.