Pass the WGU Courses and Certificates Managing-Cloud-Security Questions and answers with ExamsMirror

Trust in digital certificates comes from their issuance by a Certificate Authority (CA). A CA is a trusted entity that validates identities and signs certificates. In internal environments, organizations often operate a private CA to issue certificates for users, systems, and services.

If certificates were generated by individual private keys or systems without central authority, there would be no unified trust chain, and validating authenticity across the organization would be impossible. A certificate repository server only distributes certificates but cannot establish trust.

By using an organizational CA server, all certificates are linked to a root of trust. Systems configured to trust the organization’s CA will trust any certificate it issues. This allows secure internal communications (TLS, VPN, email signing) and ensures scalability as new services come online. It also supports compliance with enterprise PKI policies.

Moving all services to the cloud provides the highest overall cost savings for organizations implementing BCDR. Managing Cloud guidance explains that cloud-based services reduce capital expenditures, eliminate the need for secondary physical data centers, and leverage on-demand scalability.

Cloud platforms offer built-in redundancy, geographic distribution, and automated recovery capabilities that significantly lower the cost of maintaining separate disaster recovery infrastructure. Pay-as-you-go pricing ensures organizations only pay for resources when needed, further reducing operational expenses.

Hot sites and cross-site replication incur ongoing costs, while tape backups offer lower cost but do not support rapid recovery. Therefore, migrating services to the cloud delivers the most comprehensive cost savings.

Before an application can store a token, it must first receive the token from the tokenization server. Managing Cloud guidance outlines that tokenization workflows follow a defined sequence: the application submits sensitive data, the tokenization server generates a token, and then the token is returned to the application.

Only after the token has been successfully returned can the application replace the original sensitive data and store the token instead. This ensures that sensitive data is not retained within the application environment, reducing exposure and simplifying compliance requirements.

The other steps occur earlier in the process. An authorized application must request tokenization, and the sensitive data must be sent to the tokenization server before a token can be generated. Therefore, the immediate step before storing the token is the tokenization server returning the token to the application.

Vendor lock-in is a risk most closely associated with the public cloud. Managing Cloud guidance explains that public cloud providers often use proprietary services, APIs, tools, and architectures that make migration to another provider difficult and costly.

Organizations may heavily invest in provider-specific technologies, which can limit flexibility and increase dependency. If pricing models change, services are discontinued, or availability issues arise, customers may face significant challenges in exiting the provider’s ecosystem.

While regulatory noncompliance, malware, and personnel threats exist in all environments, vendor lock-in is especially prominent in public cloud adoption due to its scale and proprietary service offerings. Therefore, vendor lock-in is the correct answer.

The Store phase of the cloud data lifecycle is responsible for maintaining data in cloud storage systems and is where file, block, and object storage architectures are implemented. Managing Cloud documentation explains that once data is created and prepared, it must be stored using appropriate storage technologies that support availability, durability, scalability, and performance requirements.

File storage is commonly used for shared access and hierarchical file systems, block storage supports high-performance workloads such as databases and virtual machines, and object storage is optimized for scalability and unstructured data. All these storage models fall under the Store phase because they represent how data is retained and managed at rest within the cloud environment.

The Archive phase focuses on long-term retention and cost optimization, often using cold or infrequent access storage. The Create phase is concerned with generating data, and the Share phase involves distributing data to other users or systems. None of these phases define the architectural storage models used to hold data. Therefore, the Store phase is the correct answer, as it directly implements the underlying cloud storage architectures required to securely and efficiently manage data.

In the event of a civil lawsuit resulting from inadequate security management, the organization must communicate with the board of directors. Managing Cloud guidance explains that the board of directors holds ultimate responsibility for governance, oversight, and risk management within an organization.

The board ensures that appropriate policies, controls, and management structures are in place to protect organizational assets and comply with legal obligations. In legal matters, the board must be informed to oversee response strategies, legal counsel engagement, and corrective actions.

The IT department manages technical controls but does not provide organizational oversight. High-level government agencies are regulators, not internal oversight bodies. Therefore, board members are the correct entity to contact.

Patch management is a core process implemented during the hardening of an operating system and its workloads. Managing Cloud principles explain that OS hardening involves reducing vulnerabilities by applying security patches, updates, and fixes to eliminate known weaknesses.

Patch management ensures that operating systems, applications, and dependencies are kept up to date with vendor-released security patches. This process reduces the attack surface and prevents exploitation of known vulnerabilities. Effective patch management includes testing, deployment, verification, and ongoing monitoring.

Change management governs how changes are approved, incident management handles security events, and security management is a broader governance function. Therefore, patch management is the correct process associated with OS hardening.

Infrastructure as a Service (IaaS) allows an organization to maximize control over its information. Managing Cloud principles explain that in the IaaS model, customers manage operating systems, applications, data, access controls, and security configurations.

This high level of control enables organizations to implement customized security policies, encryption mechanisms, and compliance controls tailored to their specific requirements. Customers retain direct responsibility for data protection, system hardening, and monitoring.

In contrast, PaaS and SaaS abstract more control to the provider, limiting customization. DaaS focuses on user desktops rather than data governance. Therefore, IaaS provides the greatest control over information assets.

When a SaaS solution is included within the scope of an ISO 27001 audit, the organization should provide the cloud provider’s compliance attestation as evidence of controls. Managing Cloud guidance explains that in the SaaS model, the provider manages infrastructure, platform, and application-level controls.

Because customers do not manage operating systems, firewalls, or physical data centers in SaaS, they cannot supply direct technical evidence for those controls. Instead, third-party audit reports and attestations demonstrate that the provider has implemented appropriate security controls.

Firewall rules, OS patch logs, and physical diagrams are not accessible to SaaS customers. Therefore, provider compliance attestation is the correct evidence.

Architecting for failure is a fundamental business continuity and disaster recovery consideration in cloud application architecture. Managing Cloud principles emphasize that cloud systems must be designed with the assumption that components will fail.

Architecting for failure involves implementing redundancy, fault tolerance, automated recovery, and failover mechanisms. Applications should be resilient to infrastructure outages and capable of continuing operation despite component failures. This approach reduces downtime and ensures service availability during incidents.

Health status pages provide visibility, compliance addresses regulatory needs, and message queues support communication but do not fully address BC/DR requirements. Therefore, architecting for failure is the correct answer.