CCSP Domain 1: Cloud Concepts, Architecture & Design

Section A Review: Cloud Fundamentals (10 scenarios)
This section review tests your ability to apply concepts from the preceding modules to realistic exam scenarios. Work through each question, commit to an answer, then reveal the reasoning. Focus on understanding WHY the correct answer is right and why the distractors are wrong.

Scenario 1

A CTO tells the board that their new hosted application qualifies as cloud computing because it uses virtualization. Resources are pre-allocated monthly, changes require a support ticket, and billing is flat-rate. Does this qualify under the NIST definition?

  A) Yes — as long as the provider uses virtualization and the application is accessible over the internet
  B) Yes — virtualization is the defining characteristic of cloud computing
  C) No — cloud computing requires open-source software
  D) No — on-demand self-service (no support ticket needed) and measured service (usage-based metering) are missing, so the NIST essential characteristics are not fully met
Answer & reasoning

Correct: D

NIST defines five essential characteristics. Requiring a support ticket violates on-demand self-service, and flat-rate billing without metering violates measured service. Virtualization alone does not make something cloud.

Scenario 2

A cloud customer experiences a data breach in their IaaS environment. The breach occurred through an unpatched vulnerability in the guest operating system. The customer blames the CSP. Who is responsible?

  A) The CSP, because all security is their responsibility in the cloud
  B) The cloud auditor, because they should have identified the unpatched vulnerability
  C) Both parties share equal responsibility for OS patching in IaaS
  D) The customer, because in IaaS the customer manages the guest OS and is responsible for patching
Answer & reasoning

Correct: D

In IaaS, the CSP manages physical infrastructure and hypervisor. The customer manages everything above, including the guest OS. OS patching is squarely the customer's responsibility.

Scenario 3

An organization evaluates two cloud offerings. Provider A offers per-minute billing with real-time usage dashboards. Provider B offers monthly flat-rate billing with no usage visibility. Which NIST characteristic does Provider B lack?

  A) Resource pooling
  B) Broad network access
  C) Measured service
  D) Rapid elasticity
Answer & reasoning

Correct: C

Measured service requires resource usage to be monitored, controlled, and reported. Provider B's flat-rate billing with no usage visibility fails to provide the metering and transparency that defines measured service.

Scenario 4

A startup builds their application entirely on a PaaS provider's proprietary APIs, managed database, and serverless functions. Their investor asks about migration risk. What is the PRIMARY concern?

  A) Vendor lock-in — proprietary PaaS services create dependencies that may require significant application rewriting to migrate to another platform
  B) PaaS applications cannot be migrated under any circumstances
  C) The application will be slower on another provider
  D) The investor should not be concerned about technical infrastructure
Answer & reasoning

Correct: A

PaaS vendor lock-in is a primary risk. Proprietary APIs and managed services create dependencies that do not port easily to other platforms, potentially requiring expensive rewrites.

Scenario 5

A healthcare company uses a SaaS EHR system. They want to implement custom encryption for patient records, but the SaaS provider does not support customer-managed encryption. Who has the authority to decide how the data is protected?

  A) The cloud auditor determines appropriate encryption methods
  B) The healthcare company (data owner) retains authority over data protection decisions and must negotiate with the provider, implement compensating controls, or choose a different provider
  C) The SaaS provider, since they control the application
  D) Neither party — encryption standards are set by NIST
Answer & reasoning

Correct: B

The data owner retains authority over data protection. In SaaS, the customer cannot directly implement controls but must negotiate, compensate, or choose a provider that meets their requirements.

Scenario 6

A cloud broker aggregates storage from three CSPs and presents a unified API. One of the CSPs suffers a data breach affecting the customer's data. Who is accountable to the customer?

  A) The customer themselves, because they chose to use a broker instead of direct CSP relationships
  B) All three CSPs share equal accountability
  C) Only the breached CSP, since they failed their security controls
  D) The cloud broker, because they selected and managed the CSP relationship on behalf of the customer
Answer & reasoning

Correct: D

The cloud broker manages the CSP relationships and is the customer's direct counterparty. The broker's accountability to the customer does not shift because a sub-contracted CSP failed. However, the customer ultimately retains accountability for their data.

Scenario 7

An IT director claims their on-premises virtualized infrastructure is a private cloud because it uses VMware and is exclusively used by their organization. The infrastructure has no self-service portal, no elasticity, and no measured service. Is this accurate?

  A) No — private cloud must be hosted by a third-party provider
  B) Yes — private cloud only requires exclusive use and virtualization
  C) No — private cloud must still meet NIST's essential characteristics including self-service, elasticity, and measured service. This is a virtualized data center, not a private cloud
  D) Yes — any infrastructure using a Type 1 hypervisor qualifies as private cloud
Answer & reasoning

Correct: C

Private cloud must meet all five NIST essential characteristics — it is not simply a virtualized data center with exclusive use. Without self-service, elasticity, and measured service, it does not qualify as any cloud deployment model.

Scenario 8

A company uses IaaS VMs for their database workload. They need storage that provides the lowest latency and highest I/O performance. Which cloud storage type should they select?

  A) Archive storage for cost optimization
  B) File storage for its familiar hierarchical structure
  C) Object storage for its scalability
  D) Block storage — it provides the lowest latency and highest IOPS, making it appropriate for database volumes
Answer & reasoning

Correct: D

Block storage provides raw storage volumes with the lowest latency and highest I/O performance, making it the standard choice for database workloads that require fast read/write operations.

Scenario 9

A SaaS provider's internal team conducts a security assessment and shares it with a customer as evidence of their security posture. A security reviewer questions the assessment's validity. Why?

  A) SaaS providers cannot conduct any security assessments
  B) The assessment is valid as long as it uses recognized frameworks
  C) An internal assessment lacks independence. A cloud auditor is defined as an independent third party. Internal assessments may have bias and do not meet the standard for independent assurance
  D) Only government agencies can assess cloud security
Answer & reasoning

Correct: C

NIST defines a cloud auditor as an independent party. Internal assessments lack the independence required for objective assurance. Customers should request independent third-party audits like SOC 2 Type II.

Scenario 10

An organization's developers can provision cloud resources instantly through a web portal without approval. The security team discovers 200 unencrypted storage buckets created in the past month. What cloud characteristic enabled this problem?

  A) Resource pooling created too many available resources
  B) Broad network access allowed developers to reach the portal from anywhere
  C) On-demand self-service — while essential for cloud, it enables rapid resource creation that without governance guardrails leads to security drift and misconfiguration
  D) Rapid elasticity made resources too easy to scale
Answer & reasoning

Correct: C

On-demand self-service is a cloud benefit that becomes a security liability without guardrails. The ability to provision resources without human interaction means misconfigurations can be created at scale without review.
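The "guardrails" the reasoning refers to are usually implemented as policy-as-code: a preventive check that rejects a non-compliant provisioning request without putting a human ticket back in the loop, plus a detective scan that finds drift in what was already created. The example below is an added illustration for this review, not code from the course or from any cloud provider; the bucket inventory is constructed, and field names such as `encryption` and `public_access` are assumptions standing in for whatever a real provider's API returns.

```python
"""Self-service guardrails over a constructed storage-bucket inventory.

Added example for the review above. The inventory and the field names
('encryption', 'public_access', 'owner') are constructed assumptions, not a
real cloud API schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed inventory: what a scan of buckets created through the
# self-service portal might return. Not real data.
INVENTORY: List[Dict] = [
    {"name": "payroll-exports", "encryption": None, "public_access": False, "owner": "dev-team-a"},
    {"name": "web-assets", "encryption": "SSE-S3", "public_access": True, "owner": "dev-team-b"},
    {"name": "ml-training-data", "encryption": None, "public_access": True, "owner": "dev-team-a"},
    {"name": "audit-logs", "encryption": "SSE-KMS", "public_access": False, "owner": "secops"},
]


@dataclass
class Finding:
    bucket: str
    owner: str
    violations: List[str] = field(default_factory=list)


def evaluate_bucket(bucket: Dict) -> List[str]:
    """Return the policy rules one bucket violates (empty list means compliant)."""
    violations: List[str] = []
    if not bucket.get("encryption"):
        violations.append("no server-side encryption")
    if bucket.get("public_access"):
        violations.append("public access enabled")
    return violations


def detect_drift(inventory: List[Dict]) -> List[Finding]:
    """Detective guardrail: list every existing bucket that is out of policy."""
    findings = []
    for bucket in inventory:
        violations = evaluate_bucket(bucket)
        if violations:
            findings.append(Finding(bucket["name"], bucket["owner"], violations))
    return findings


def validate_request(request: Dict) -> bool:
    """Preventive guardrail: accept or reject a self-service provisioning request.

    Rejection lists every violated rule so the developer can correct the
    request themselves; self-service is preserved, the policy is enforced.
    """
    violations = evaluate_bucket(request)
    if violations:
        raise ValueError(f"request for {request['name']} rejected: {', '.join(violations)}")
    return True


def summarize_by_owner(findings: List[Finding]) -> Dict[str, int]:
    """Count non-compliant buckets per owning team, for follow-up and metrics."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.owner] = counts.get(finding.owner, 0) + 1
    return counts


if __name__ == "__main__":
    drift = detect_drift(INVENTORY)
    for finding in drift:
        print(f"{finding.bucket} ({finding.owner}): {'; '.join(finding.violations)}")
    print(summarize_by_owner(drift))
    try:
        validate_request({"name": "new-bucket", "encryption": None, "public_access": False, "owner": "dev-team-c"})
    except ValueError as err:
        print(err)
```

Running the detective scan over the constructed inventory flags three of the four buckets; the preventive check rejects the unencrypted request at provisioning time, which is the control that keeps the "200 unencrypted buckets" situation from arising in the first place.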
