ISSAP - Information Systems Security Architecture Professional Cloud and Hybrid Architectures Questions and Answers

Question 1

An organization has discovered that numerous employees are using unauthorized SaaS applications for business purposes, creating a significant 'shadow IT' problem.
A security architect needs to recommend a solution that provides visibility into all cloud services in use, enforces data loss prevention (DLP) policies, and offers threat protection for sanctioned and unsanctioned applications.
Which of the following is the MOST appropriate architectural component to address these requirements?

Accepted Answer

Cloud Access Security Broker (CASB)

Answer

Secure Web Gateway (SWG)

Answer

Web Application Firewall (WAF)

Answer

Zero Trust Network Access (ZTNA) Controller

Question 2

A security architect is designing a new network architecture for a highly distributed organization with a large remote workforce and extensive use of cloud applications. The goal is to move away from a traditional hub-and-spoke model that backhauls traffic to a central data center. Which of the following frameworks converges network and security functions into a single, cloud-delivered service, providing optimized and secure access for users regardless of their location?

Accepted Answer

Secure Access Service Edge (SASE)

Answer

Microsegmentation

Answer

Defense-in-Depth

Answer

Intrusion Prevention System (IPS)

Question 3

An organization is deploying a new application using a microservices architecture running in containers managed by Kubernetes. The security architect is concerned about unauthorized communication between different microservices (pods) once an attacker compromises a single container. Which of the following Kubernetes-native controls is the MOST effective for enforcing a Zero Trust policy and restricting this lateral movement?

Accepted Answer

Applying default-deny Network Policies

Answer

Implementing Pod Security Policies (PSPs)

Answer

Using a secrets management vault

Answer

Enforcing strict Role-Based Access Control (RBAC) on the API server

Question 4

Which of the following represents the MOST significant security challenge unique to a serverless (FaaS) architecture compared to a traditional Infrastructure as a Service (IaaS) model where the organization manages the full OS?

Accepted Answer

An expanded and more complex attack surface due to event-triggers and function-to-function interactions.

Answer

The need for vulnerability scanning of operating systems and kernel patching.

Answer

The requirement to configure network-level firewalls and security groups.

Answer

The responsibility for physical security of the data center hardware.

Question 5

A financial services firm is architecting a hybrid cloud solution that requires a stable, high-bandwidth, and low-latency connection for replicating large volumes of sensitive transaction data between its on-premises data center and its cloud environment. Public internet performance variability is not acceptable. Which connectivity method BEST meets these requirements?

Accepted Answer

A dedicated private network connection (e.g., AWS Direct Connect, Azure ExpressRoute)

Answer

A site-to-site IPsec VPN over the public internet

Answer

An SSL VPN established from each on-premises server to the cloud

Answer

A multi-region VPC peering connection

Question 6

A company operates a large, multi-cloud environment and is struggling to maintain a consistent security baseline. The security team needs a tool that can continuously scan cloud infrastructure configurations across AWS, Azure, and GCP to detect misconfigurations, compliance violations, and security risks in real-time. Which category of security tool is specifically designed for this purpose?

Accepted Answer

Cloud Security Posture Management (CSPM)

Answer

Cloud Workload Protection Platform (CWPP)

Answer

Security Information and Event Management (SIEM)

Answer

Next-Generation Firewall (NGFW)