Free WGU Managing-Cloud-Security Practice Exam with Questions & Answers

The Process for Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling methodology that explicitly focuses on simulating real-world attacks from an adversary’s perspective. Unlike STRIDE or DREAD, which classify threats and rate severity, PASTA evaluates how an attacker would exploit vulnerabilities step by step.

PASTA has seven stages, including defining objectives, decomposing applications, and simulating attacks. This methodology helps organizations understand both technical and business risks by looking at the application as an attacker would.

STRIDE categorizes threats, DREAD provides scoring, and ATASM emphasizes architecture and mitigation. While valuable, they are not primarily attack-simulation frameworks. PASTA enables proactive testing of defenses against realistic adversary behaviors, making it especially relevant in modern cloud and DevSecOps environments.

The Stored Communications Act (SCA) restricts the government’s ability to force a cloud service provider to disclose customer data. Managing Cloud guidance explains that the SCA establishes legal protections for stored electronic communications and customer records held by service providers.

The act defines conditions under which government entities may request access to stored data, requiring appropriate legal processes such as warrants or court orders. This provides a level of privacy protection for cloud customers and limits unauthorized or excessive disclosure.

GLBA focuses on financial data, SOX addresses corporate governance, and ECPA is broader legislation that includes the SCA but does not directly define cloud disclosure limitations on its own. Therefore, SCA is the correct answer.

A CCSP practitioner is the subject matter expert relied upon to draft policies related to an organization’s cloud operations. Managing Cloud principles explain that cloud security specialists possess technical, architectural, and governance expertise specific to cloud environments.

CCSP practitioners understand shared responsibility models, cloud risk management, identity and access controls, data protection, and compliance requirements. This expertise enables them to develop practical and effective cloud-specific security policies.

Attorneys provide legal guidance, risk management supports analysis, and senior management approves policies but does not draft them. Therefore, a CCSP practitioner is the correct answer.

With SaaS, applications are delivered entirely by the provider, and customers have little to no control over the underlying platform or data portability. This creates a higher risk of vendor lock-in, as migrating away from one SaaS provider to another may require reworking applications or losing features.

In contrast, PaaS gives customers more flexibility by allowing them to build, deploy, and manage their own applications while relying on standardized frameworks and platforms. Because applications are customer-managed, switching providers or migrating workloads can be easier compared to SaaS.

Vendor lock-out, personnel threats, and natural disasters are risks in any service model. The key differentiator here is portability and flexibility. Choosing PaaS reduces dependence on a single provider’s application features, thereby lowering vendor lock-in risk while still offloading infrastructure management.

The Stored Communications Act (SCA) is a United States jurisdictional data protection law enacted to limit and regulate forced disclosure of electronic communications by internet service providers. Managing Cloud principles describe the SCA as a legal framework that governs how stored electronic communications and customer data may be accessed by government entities.

The act establishes requirements for warrants, subpoenas, and court orders before service providers can disclose stored data. This protection is particularly relevant in cloud environments, where service providers store large volumes of customer data on behalf of organizations.

The other options are incorrect. APP8 and APP11.1 are Australian Privacy Principles, and GDPR applies to the European Union. Therefore, the Stored Communications Act is the correct U.S. jurisdictional protection.

Provisioning is the first phase of identity management used to assert a user’s identity. Managing Cloud documentation explains that identity management begins with establishing and registering a user within an identity system. Provisioning involves creating a digital identity, assigning unique identifiers, and associating credentials that allow the user to be recognized by systems and applications.

This phase forms the foundation for all subsequent identity and access management processes. Without proper provisioning, authentication and authorization cannot occur because the system has no trusted identity to evaluate. Provisioning also includes defining initial roles and access levels based on organizational policies.

Centralization and decentralization describe architectural approaches to managing identities rather than lifecycle phases. Deprovisioning occurs at the end of the lifecycle when access is revoked. Therefore, provisioning is correctly identified as the first phase where the user’s identity is established and asserted.

Before transmitting sensitive financial data to the cloud, the best defense against interception threats like packet capture and man-in-the-middle attacks is encryption. Encryption protects data in transit by converting plain text into cipher text, which can only be deciphered with the correct keys.

Hashing provides integrity verification but does not secure confidentiality. Change tracking monitors modifications but does not prevent interception. Metadata labeling adds context but does not protect against on-path attackers.

Using strong encryption protocols (e.g., TLS) ensures that even if traffic is intercepted, the attacker cannot read the data. Encryption also aligns with compliance requirements such as PCI DSS, which mandates encryption for financial data during transmission. By encrypting before upload, the user ensures end-to-end confidentiality across potentially insecure networks.

Tabletop testing is the disaster recovery testing method with the least impact on production systems. Managing Cloud guidance explains that tabletop exercises are discussion-based scenarios where stakeholders walk through response procedures without executing actual system changes.

This approach allows teams to validate roles, responsibilities, communication paths, and decision-making processes. Tabletop testing is cost-effective, low-risk, and ideal for early validation of disaster recovery and business continuity plans.

Dry runs and full tests involve actual system actions and can impact production. Unit testing focuses on individual components. Therefore, tabletop testing is the correct answer.

The Gramm-Leach-Bliley Act (GLBA) requires cloud service providers to protect customer data for banks and insurance companies. Managing Cloud principles explain that GLBA applies to financial institutions and mandates safeguards to protect consumers’ nonpublic personal information.

Cloud service providers supporting financial organizations must implement security controls that align with GLBA requirements, including data protection, risk management, and access controls. This ensures confidentiality and integrity of financial data stored or processed in the cloud.

IDEA governs education services, DMCA addresses digital copyright, and FERPA protects student education records. Therefore, GLBA is the correct compliance requirement.

The Data Controller is the role responsible for ensuring that third parties implement adequate technical and organizational security measures to protect data. Managing Cloud principles emphasize that the data controller determines the purpose and means of data processing and remains accountable for how personal or sensitive data is handled, even when third parties are involved.

When data is processed by cloud providers or other external entities, the data controller must ensure that contractual agreements, policies, and controls are in place to maintain data protection standards. This includes verifying that third parties follow approved security practices, comply with legal requirements, and apply appropriate safeguards.

Other roles do not carry this responsibility. A cloud user consumes cloud services but does not define processing requirements. A cloud provider implements security controls but acts under the instructions of the data controller. A data subject is the individual whose data is being processed and has no responsibility for security enforcement. Therefore, the data controller is the correct role.