Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. A team in-house is in charge of developing an E-Commerce system that supports the new business. The solution will be deployed using a PaaS in a public cloud. As a security professional, you are assessing the risk of cloud service. Which of the following is the least concern?
A. Lock-in
B. Lock-out
C. Lack of audit rights
D. Shared responsibility

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Lack of audit rights.

In practice, customers rarely get to assert direct audit rights over a cloud service provider. Customers share the provider's infrastructure, so letting any one customer exercise on-site audit rights risks breaching the provider's security policy (exposing other tenants' environments) and incurs too much overhead for the provider.

It's common instead to rely on independent third-party auditors. System and Organization Controls (SOC) reports, originally issued under the Statement on Standards for Attestation Engagements no. 16 (SSAE 16) and now under its successor SSAE 18, an American attestation standard for service organizations, are commonly accepted by customers as a substitute for their own audit.

“Locked out from service providers” means you may lose all your data if cloud service providers go bankrupt as not all of them are as strong as Microsoft or Amazon.

"Locked in" means you are confined by the cloud service contract or by proprietary technology and cannot migrate easily to another cloud service provider.

Shared responsibility means the provider secures the underlying platform, while you remain responsible for protecting your own assets on the cloud; in a PaaS deployment that includes your application code, data, identities, and configuration.
