PDF Managing-Cloud-Security Study Guide

Privileged user management is a critical aspect of strong authentication within enterprise risk management. Managing Cloud guidance explains that privileged accounts have elevated access to systems, data, and configurations, making them high-value targets for attackers.

Enterprise risk management requires identifying, protecting, and monitoring these accounts through strong authentication mechanisms such as multi-factor authentication, session monitoring, and just-in-time access. Controlling privileged access reduces the risk of insider threats, credential compromise, and unauthorized system changes.

Federated identities support access integration, entitlement consideration relates to authorization, and distributed organizations describe structure rather than authentication strength. Therefore, privileged user management is the correct answer.

The Process for Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling methodology that explicitly focuses on simulating real-world attacks from an adversary’s perspective. Unlike STRIDE or DREAD, which classify threats and rate severity, PASTA evaluates how an attacker would exploit vulnerabilities step by step.

PASTA has seven stages, including defining objectives, decomposing applications, and simulating attacks. This methodology helps organizations understand both technical and business risks by looking at the application as an attacker would.

STRIDE categorizes threats, DREAD provides scoring, and ATASM emphasizes architecture and mitigation. While valuable, they are not primarily attack-simulation frameworks. PASTA enables proactive testing of defenses against realistic adversary behaviors, making it especially relevant in modern cloud and DevSecOps environments.

The most effective way to protect network traffic from interception is Transport Layer Security (TLS). TLS provides confidentiality, integrity, and authentication by encrypting data as it travels between client and server. Unlike older protocols like SSL, which is now deprecated due to vulnerabilities, TLS is the industry-standard protocol endorsed by modern security frameworks.

Compression and password protection through GZ is not a reliable method, as it does not offer strong encryption or resistance against sophisticated interception attacks. GRE is a tunneling protocol and does not inherently provide encryption.

By implementing TLS, organizations ensure protection against on-path attacks, replay attacks, and packet sniffing. TLS also supports features such as forward secrecy and certificate-based authentication, ensuring both secure data transmission and mutual trust between endpoints. In compliance-driven industries like healthcare and finance, TLS is explicitly mandated for protecting sensitive information in transit.

When storing personally identifiable information (PII) in the cloud, the jurisdictional location of the data must be clearly understood. Managing Cloud principles emphasize that data is subject to the laws and regulations of the country or region where it is physically stored.

Different jurisdictions impose varying requirements for data protection, privacy, access, and disclosure. Knowing where data resides allows organizations to assess legal obligations, compliance requirements, and potential risks associated with government access or cross-border data transfers.

The physical location of infrastructure components such as firewalls or load balancers does not determine legal jurisdiction over stored data. Availability zones may exist within a region but do not define jurisdiction independently. Therefore, the jurisdictional location of the data itself is the critical factor.