Pass the WGU Courses and Certificates Managing-Cloud-Security Questions and answers with CertsForce

Outages are the primary cloud risk associated with dependency on legacy internal servers for application delivery. Managing Cloud guidance explains that legacy systems often lack redundancy, scalability, and resilience compared to cloud-native architectures.

When applications rely on aging internal infrastructure, failures in hardware, power, or connectivity can interrupt service delivery to end users. These outages can disrupt supply chains, delay transactions, and impact business continuity.

Natural disasters are external events, fast run time is not a risk, and homomorphic encryption is a cryptographic technique. Therefore, outages represent the correct risk in this context.

A vulnerability assessment requires compliance with the cloud service provider’s terms of service. Managing Cloud documentation explains that vulnerability scanning and testing can affect cloud infrastructure and other tenants if not properly authorized.

CSPs define acceptable testing activities to protect shared environments. Customers must follow these guidelines to avoid violating contracts or causing service disruptions. Many CSPs require prior notification or explicit permission before conducting vulnerability assessments.

The other methods involve internal development processes and do not impact cloud infrastructure directly. Therefore, vulnerability assessment is the correct answer.

Vendor lock-in risk arises when organizations outsource significant investments in data formats, procedures, or processes that are tightly coupled to a specific cloud provider. Managing Cloud principles explain that proprietary technologies, APIs, and workflows can make it difficult or costly to migrate to another provider.

This dependency limits flexibility and bargaining power and can increase long-term costs or operational risk if the provider changes pricing, services, or availability. Lock-in risk is a key consideration during cloud strategy planning.

Compliance risk involves regulatory obligations, overutilization concerns excessive resource usage, and exit risk relates to termination processes rather than dependency. Therefore, lock-in risk is the correct answer.

Video surveillance capability is a key security control used as part of a layered physical defense at a cloud hosting site. Managing Cloud principles explain that physical security relies on multiple overlapping controls to deter, detect, and respond to unauthorized physical access.

Video surveillance provides continuous monitoring of data center facilities, including entrances, exits, server rooms, and perimeter boundaries. It acts as both a deterrent and a detection mechanism, enabling real-time observation and post-incident investigation. Surveillance footage supports incident response, forensic analysis, and compliance requirements.

Access control enforcement and multifactor authentication are primarily logical or administrative controls, while background checks are personnel security measures. Although important, they are not physical perimeter controls. Therefore, video surveillance capability is the correct answer.

Before transmitting sensitive financial data to the cloud, the best defense against interception threats like packet capture and man-in-the-middle attacks is encryption. Encryption protects data in transit by converting plain text into cipher text, which can only be deciphered with the correct keys.

Hashing provides integrity verification but does not secure confidentiality. Change tracking monitors modifications but does not prevent interception. Metadata labeling adds context but does not protect against on-path attackers.

Using strong encryption protocols (e.g., TLS) ensures that even if traffic is intercepted, the attacker cannot read the data. Encryption also aligns with compliance requirements such as PCI DSS, which mandates encryption for financial data during transmission. By encrypting before upload, the user ensures end-to-end confidentiality across potentially insecure networks.

Reporting the work on the news is considered legal fair use of a copyrighted item. Managing Cloud guidance explains that fair use allows limited use of copyrighted material without permission when the purpose is commentary, criticism, education, or news reporting.

In news reporting, copyrighted material may be referenced or partially reproduced to inform the public, provided it does not replace the original work or cause financial harm to the copyright owner. This principle supports transparency and public awareness while balancing intellectual property rights.

The other activities typically require authorization from the copyright holder. Performing a work publicly, exporting it, or broadcasting it generally involves distribution or commercial use, which falls outside fair use protections. Therefore, reporting the work in the news is the correct example of legal fair use.

Business Impact Analysis (BIA) is the process that involves identifying and valuing assets to determine their potential effect on cloud operations. Managing Cloud documentation explains that BIA assesses how disruptions to systems, applications, or data impact business functions.

The process evaluates asset criticality, financial loss, operational downtime, and reputational damage. This information helps prioritize recovery strategies, define recovery time objectives, and guide risk management decisions in cloud environments.

Risk transfer shifts risk to third parties, vulnerability assessment identifies weaknesses, and out-of-band validation verifies controls independently. Therefore, business impact analysis is the correct answer.

This is an example of social engineering, where attackers manipulate individuals into divulging confidential information or performing actions that compromise security. In this case, the fraudulent caller convinced the help desk to disclose sensitive employee data.

Man-in-the-middle attacks involve intercepting communication between parties, escalation of privilege involves gaining higher access rights, and internal threats come from legitimate insiders. None of these fit the situation as accurately as social engineering.

Social engineering exploits human trust rather than technical vulnerabilities. Common tactics include phishing, pretexting, and phone-based fraud (vishing). Preventing such threats requires strong identity verification processes, employee awareness training, and layered authentication mechanisms. By recognizing the human element as a weak point, organizations can better prepare staff to resist manipulative tactics.

Bollards are physical barriers designed to prevent vehicles from ramming into or breaching secure facilities. They are often placed at entrances, around perimeters, or in front of critical infrastructure like data centers.

Locks, cameras, and fences provide important physical security, but they cannot stop a high-speed vehicle from causing damage. Cameras record activity, fences create boundaries, and locks secure access points, but only bollards physically block or mitigate vehicle attacks.

Governmental and critical infrastructure sites commonly deploy bollards to protect against both accidental collisions and deliberate vehicle-borne attacks. Combined with layered security measures—such as surveillance and fencing—they enhance resilience against physical threats to sensitive data centers.

In a cloud environment, responsibility for hardware management shifts primarily to the cloud provider. Customers no longer manage servers, storage devices, or physical networks directly. As a result, hardware management policies are less critical for customer audits compared to data classification, procurement, or acceptable use.

Data classification remains essential to secure sensitive information. Software procurement policies are important to control licensing and compliance. Acceptable use policies govern employee behavior in cloud environments.

While organizations may still need high-level oversight of hardware through contracts and SLAs, detailed hardware policies have a reduced role. Instead, emphasis shifts to managing the shared responsibility model, ensuring cloud provider controls complement customer governance.