A financial services firm is deploying a new AI-powered fraud detection system that processes highly sensitive transaction data. The security team is concerned about adversarial attacks, specifically data poisoning, where an attacker could subtly manipulate the training data to create a backdoor in the model. Which of the following is the most effective proactive control to mitigate this specific threat?
A DevOps team is building a CI/CD pipeline for a containerized application. To improve security, they want to integrate automated security testing. Which TWO of the following practices should be implemented in the pipeline to provide the most comprehensive security coverage before deployment? (Select TWO)
A healthcare provider is migrating its patient records system to a PaaS database offering. To comply with HIPAA, all data must be encrypted at rest. The cloud provider's PaaS service enables encryption by default using a provider-managed key. For enhanced security and control, the organization's CISO insists on the ability to immediately revoke access to the data in case of a breach, a process often referred to as crypto-shredding. What is the most appropriate key management strategy to meet this requirement?
During a security assessment of a cloud environment, an auditor finds that a team of developers is using a shared root account for a cloud provider to manage all their development, testing, and production resources. This practice centralizes access but poses a significant security risk. Which foundational security principle is being violated?
True or False: In a Serverless or FaaS environment, the cloud customer is responsible for patching the underlying operating system of the execution environment.
A cloud architect is designing a virtual network for a multi-tier web application. The design requires a public-facing subnet for web servers and a private subnet for database servers. The database servers must be able to initiate connections to the internet to download security patches, but they must not be directly reachable from the internet. Which combination of cloud networking components achieves this goal securely?
A government agency is setting up its cloud governance framework. They need to ensure that all newly created cloud storage buckets automatically block public access and have versioning enabled to comply with data retention policies. What is the most effective and scalable way to enforce these rules across the entire organization?
A security analyst is reviewing telemetry from a cloud environment and observes a large volume of DNS queries for known malicious domains originating from multiple virtual machines. The analyst also notes an increase in outbound network traffic to unusual IP addresses. These events, when correlated, strongly suggest a malware infection. This process of combining different telemetry sources to identify a potential threat is a core function of what type of security tool?
A company is preparing for its annual SOC 2 audit. The auditors have requested evidence that the company's cloud environment adheres to its stated security policies, particularly regarding data encryption and access control. Which type of tool would be most effective for continuously monitoring the cloud environment's configuration and providing evidence of compliance?
A new startup is building its entire infrastructure on a public cloud provider. To manage costs and administrative overhead, they want to create a single, large account to house all company resources, from marketing websites to sensitive financial data processing. Which of the following is the primary security disadvantage of this organizational hierarchy model?