Why does cloud homogeneity make security auditing easier?
Because standardized infrastructure reduces variability, making tests, patches, and configurations consistent across large environments.
State two reasons cloud providers often have better security than on-premise IT.
They have dedicated security teams and higher investment in advanced security infrastructure.
What does “you can outsource responsibility but not accountability” mean in cloud security?
Even if a CSP handles operations, the organization remains legally and ethically accountable for breaches and data misuse.
Why are companies still afraid to adopt cloud services?
Mainly due to loss of control, lack of trust, multi-tenancy risks, and governance issues like failing SLAs or unfriendly data-center jurisdictions.
Explain the difference between responsibility and accountability in cloud security.
The CSP is responsible for operations; the customer is accountable for the results, compliance, and consequences of breaches.
What are the top three customer security concerns according to survey data?
IP/data protection, regulatory enforcement, and unauthorized data use.
Why is multi-tenancy a major risk in cloud computing?
Multiple customers share infrastructure; isolation failure could expose data or allow cross-tenant attacks.
Describe one method to minimize lack of trust in cloud environments.
Use policy languages and certifications (like ISO 27001) to enforce transparent and standardized security controls.
How does the shift from private to public cloud create a perception of loss of control?
Organizations no longer know exactly where data resides, who manages it, or how it’s backed up.
What high-level concern is created by the need to comply with laws like SOX or HIPAA in the cloud?
Some workloads cannot legally move to the cloud without auditability and strict control guarantees.
List the four major “PAIN” security fundamentals.
Privacy, Authorization/Authentication, Integrity, Non-repudiation.
Why is “Assured Information Access” now considered a fifth security requirement?
Modern threats (DDoS, worms) require guaranteeing reliable access even under attack conditions.
Which cloud threat involves consuming a victim’s resources without direct compromise?
Economic Denial of Service (EDoS).
Give an example of “Customer Isolation Failure”.
A vulnerability in the hypervisor that allows one VM to access another customer’s data.
Why is insecure data deletion a major cloud risk?
Deleted data may still exist on shared storage systems, leading to unauthorized recovery by others.
Explain how subpoenas and legal jurisdiction changes create cloud risk.
Governments may demand access to data stored in their territory, even without customer consent.
Why must organizations demand the right to audit their cloud provider?
To ensure compliance, security controls, and integrity of stored data, especially for regulated industries.
What is the key challenge in data lifecycle management in the cloud?
Assuring proper data destruction and tracking replicas across distributed systems.
What is the role of Business Continuity/Disaster Recovery (BC/DR) in cloud security?
Ensures resilience, guarantees recovery locations, validates SLAs, and protects mission-critical workloads.
Why is interoperability critical for long-term cloud success?
It prevents vendor lock-in and supports migration across cloud platforms using open standards.
Why must sensitive cloud data always be encrypted?
To protect confidentiality when stored, transmitted, or accessed in multi-tenant environments.
What is a major risk of VM image provisioning in virtualized clouds?
Insecure or untrusted images may contain vulnerabilities or backdoors.
Why is federated identity management essential in cloud services?
It allows secure cross-platform authentication while maintaining strong password and SSO policies.
What privacy risk arises from cross-jurisdictional storage?
Data might be governed by foreign laws, leading to unauthorized government access or weaker privacy protections.