A company uses a SaaS vendor to host its customer database. The company would like to reduce the risk of customer data exposure if the systems are breached. Which of the following risks should the company focus on to achieve this objective?
D. Open ports and services
The question is only asking about RISKS.
"Which of the following RISKS should the company focus on to achieve this objective?"
Access auditing is not a risk so toss it out.
Misconfiguration is one of the top risks for cloud services. Do some research and you'll find many credible sources agreeing that it's one of the top risks to cloud services.
Open ports and services is a very common cloud misconfiguration.
Yes, but the company outsourced its db to a cloud provider, therefore open ports is an issue that the CLOUD provider needs to focus on. The company itself only needs to worry about the cloud provider, which is a part of their supply chain. Therefore it's C.
Access auditing involves monitoring and recording who accesses the data, what actions they perform, and ensuring that only authorized personnel have access to sensitive information.
The company has to depend on or trust the SaaS vendor concerning B-D. Worry all it wants to about that. Get a different vendor if you can't trust it. A is the only one the company has control over to put focus upon.
The answer is C. Supply Chain because the company uses a cloud provider to manage their database, making it essential to focus on the security practices of this provider as part of their supply chain risk management.
A - If you do not audit, how will you know who is accessing customer data? Key words "breach" & "exposure", whether it is the company's people or the vendor's people.
Per DION Training guide 701 - Accounting (Auditing) Tracks and records user activities, logins, actions, and changes. Helps detect security incidents, identify vulnerabilities, and provide evidence in case of breaches.
Per 601 - Cloud Security Section - Configure, manage, and audit user access to virtualized servers. Security challenges with Software-as-a-Service (SaaS) providers
● Data confidentiality and integrity concerns
● Assess provider's cybersecurity protocols and support for security incidents
● Vendor selection should consider due diligence, historical performance, and commitment to security
I'm sort of agreeing with ChatGPT on this one
C. Supply chain
When a company relies on a SaaS vendor to host its customer database, the supply chain risk becomes a critical concern. Supply chain risks refer to vulnerabilities introduced through third-party providers, including SaaS vendors. If the SaaS vendor's systems are breached, it could potentially expose the customer data of the company.
Additionally, the CompTIA guide has:
Supply chain - Cloud
— many companies now run part or all of their network services via Internet-accessible clouds. The attacker only needs to find one account, service, or host with weak credentials to gain access. The attacker is likely to target the accounts used to develop services in the cloud or manage cloud systems. They may also try to attack the cloud service provider (CSP) as a way of accessing the victim system.
I picked access auditing because that's really the only thing that makes sense here if the SaaS allows it. You have zero control over the ports & services, so that's a definite non-answer. Supply Chain is completely irrelevant. Outsourced code development is irrelevant (this is SaaS, so you aren't doing coding of the application).
Supply chain seems the most probable.
If it's SaaS, the customer is most likely not responsible for port configurations. They would be if that was PaaS or IaaS.
I am leaning towards Supply chain (C) here. The question is asking about which RISK to focus on, rather than how to mitigate that risk. Third-party hosting of a database is a supply chain risk. Access auditing is how they would go about reducing the risk, however I believe that is out of the scope of the question. Again, we are being asked to identify the risk itself, not how to combat/reduce it.
B is wrong because they are not outsourcing any code development. I believe D is wrong because the SaaS vendor should be the one responsible for the service itself. Proper configuration by the vendor is definitely necessary and access auditing can be used to confirm it, however from the company's perspective, their risk is supply chain, not the open ports/services.
Since it's a SaaS application, as the customer, you won't have to worry about open ports and services b/c the database will be fully controlled by the SaaS vendor. The only risk that would present itself is having the ability to audit the vendor to make sure they are adequately implementing the necessary controls to protect your data.
The question is asking what risk should the company focus on to reduce customer data exposure after a breach has already occurred. This should change how you think about the answer.