CASP+ Cloud and Virtualization Security

Question 1

In a cloud shared responsibility model using IaaS, which component is the CUSTOMER'S responsibility to secure?

Accepted Answer

Guest operating system and installed applications

Answer

Physical data center security

Answer

Hypervisor patches

Answer

Network backbone infrastructure

Question 2

Which attack targets the hypervisor layer to escape from a virtual machine and access the underlying host or other VMs?

Accepted Answer

VM escape (hypervisor breakout)

Answer

Container escape

Answer

Side-channel attack

Answer

API injection

Question 3

A security team is implementing cloud workload protection. Which control MOST effectively detects anomalous behavior within running containers?

Accepted Answer

Runtime container security monitoring with syscall analysis

Answer

Image scanning at build time only

Answer

Network-level firewall rules

Answer

Disabling all container networking

Question 4

Which cloud security architecture pattern uses a dedicated security account/subscription to centralize logging, monitoring, and security tooling?

Accepted Answer

Hub-and-spoke (landing zone) with a dedicated security hub account

Answer

Multi-tenant shared services model

Answer

Single account with all workloads

Answer

Direct peering between all workload accounts

Question 5

Which technique allows organizations to verify that a cloud provider's hardware and firmware have not been tampered with before trusting the environment?

Accepted Answer

Remote attestation using a Trusted Platform Module (TPM) and measured boot

Answer

Reviewing the provider's marketing materials

Answer

Conducting a physical site visit

Answer

Checking the provider's compliance certifications alone

Question 6

A company migrates a regulated workload to a public cloud. Which cloud deployment model MOST effectively addresses data sovereignty requirements?

Accepted Answer

Sovereign cloud or government cloud region with contractual data residency guarantees

Answer

Public multi-region cloud with data replication globally

Answer

Hybrid cloud with no data residency controls

Answer

Public cloud with client-side encryption only