CCSK Certificate of Cloud Security Knowledge (CCSKv5.0) Questions and Answers

In a cloud environment, orchestration automates the provisioning and management of various cloud resources, including virtual machines (VMs), networking, storage, and other infrastructure components. Cloud orchestration involves the use of software to coordinate and automate tasks that would otherwise require manual intervention, improving efficiency, scalability, and consistency across the environment.

Monitoring application performance is typically handled by monitoring tools, not orchestration. Manual configuration of security policies is something that can be automated through policy management but is not the focus of orchestration. Installation of operating systems is part of provisioning resources, but orchestration primarily focuses on automating the overall management of infrastructure and services, not just the installation of operating systems.

One of the biggest challenges incloud security risk assessmentisthe lack of transparencyregardingcloud provider operations and security controls.

Key Issues with Limited Visibility:

Cloud providers manage infrastructure at a global scale:

Customerscannot directly inspectsecurity implementations.

Rely onthird-party attestationslikeSOC 2, ISO 27001, CSA STARinstead of direct assessments.

Multi-tenancy complexities:

Cloud customersshare infrastructurewith other tenants.

Data isolation mechanisms (e.g., virtual private clouds, encryption)must be trustedwithout direct verification.

Regulatory compliance challenges:

Organizations handling sensitive data (e.g., healthcare, finance)requirestrict controls.

Cloud providers may not offer sufficient audit logsor control overdata residency and processing.

Incident response limitations:

In traditional IT, organizations controllog access, forensic analysis, and recovery.

In the cloud,incident investigation depends on the provider’s logging and notification practices.

Thisvisibility issueis extensively covered in:

CCSK v5 - Security Guidance v4.0, Domain 4 (Compliance and Audit Management)

ENISA’s Cloud Computing Risk Assessment (Limited visibility into cloud provider security policies)​

Secrets management focuses on securely storing and managing sensitive information, such as API keys and passwords, to prevent unauthorized access. Reference: [Security Guidance v5, Domain 8 - Secrets Management]

An SDP creates a "dark" network, visible only to authorized users, enhancing security by hiding infrastructure from potential attackers. Reference: [Security Guidance v5, Domain 7 - Infrastructure & Networking]

The best way for organizations to establish a foundation for safeguarding data, upholding privacy, and meeting regulatory requirements in cloud applications is by integrating security at the architectural and design level. This approach ensures that security is built into the application from the start, rather than being added as an afterthought. By incorporating security features like encryption, access controls, and compliance measures during the design and development phases, organizations can better protect sensitive data, reduce vulnerabilities, and meet regulatory requirements more effectively.

While implementing encryption, multi-factor authentication, conducting audits, and deploying monitoring tools are also important, they are part of the overall security strategy rather than the foundational approach. Integrating security into the architecture ensures a more comprehensive, proactive security posture.

The multi-tenant nature of cloud computing refers to the model where multiple cloud customers share a common pool of resources (such as computing power, storage, etc.), but each customer's data and applications are segregated and isolated from the others to ensure privacy, security, and independent performance. This approach allows cloud providers to efficiently use resources while ensuring that each tenant's environment is protected and operates independently.

A Web Application Firewall (WAF) is primarily responsible for filtering and monitoring HTTP/S traffic to and from a web application. It is designed to protect web applications by filtering and monitoring traffic for malicious requests, such as SQL injection, cross-site scripting (XSS), and other common application-layer attacks. A WAF helps secure web applications by analyzing the HTTP/S traffic and blocking any harmful requests before they reach the application.

Anti-virus Software is used to detect and remove malicious software on endpoints and devices but is not designed to filter HTTP/S traffic specifically for web applications. Load Balancer is used to distribute network traffic across multiple servers to ensure performance and reliability, but it does not focus on security filtering. Intrusion Detection System (IDS) monitors network traffic for suspicious activity but operates at a different level of the network stack and is not focused solely on web application traffic.

Misconfiguration is one of the most prevalent risks in serverless and container-based environments. Given the complex nature of container orchestration (e.g., Kubernetes), CI/CD pipelines, and ephemeral infrastructure, simple missteps—such as overly permissive roles or exposed ports—can lead to significant vulnerabilities.

These workloads require strict configuration management, automated scanning, and secure defaults to prevent breaches. Unlike traditional servers, containers and functions spin up and down rapidly, making traditional visibility tools insufficient.

This is discussed thoroughly inDomain 8: Virtualization and Containers, where the CCSK guidance identifies misconfiguration as a leading cause of cloud-native exploitation.

Real-time visibility allows for monitoring container behavior during runtime, helping to identify and respond to security incidents as they occur. Reference: [Security Guidance v5, Domain 8 - Cloud Workload Security]

Taking snapshots of virtual machines (VMs) is one of the most effective techniques for preserving digital evidence in a cloud environment. Snapshots capture the entire state of a VM, including its memory, configuration, and disk contents at a particular point in time. This allows investigators to preserve evidence as it was at the moment of the incident, enabling detailed analysis without altering the original state of the system.

While isolating the compromised system is important to prevent further damage, snapshots are more directly useful for preserving evidence. Backing up data and analyzing management plane logs are also valuable for incident response, but they don't capture the complete state of a compromised system as effectively as snapshots do.

The correct answer isA. Authorization. In Identity and Access Management (IAM),authorizationis the process of determining whether a subject (user, application, or device) has the right to access a specific system object, such as networks, data, or applications. Authorization decisions are made after successful authentication and are based on the subject's permissions, roles, or attributes.

Key Characteristics of Authorization:

Decision Making:Determines if access ispermitted or deniedbased on policies or permissions.

Role and Attribute-Based Access:Often uses Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC) mechanisms to enforce policies.

Post-Authentication Process:Occursafter authenticationhas verified the user's identity.

Resource-Specific:Determines the level of access or specific operations (like read, write, execute) a user is allowed.

Example Scenario:

When a user logs into a cloud platform, the system firstauthenticatesthe user (verifies their identity) and thenauthorizestheir access to specific resources, such as viewing data in an S3 bucket or managing a VM instance. The access policies define what actions the authenticated user can perform.

Why Other Options Are Incorrect:

B. Federation:Involves linking a user's identity across multiple systems or domains but does not decide access permissions.

C. Authentication:The process of verifying a user's identity, typically through passwords, biometrics, or multi-factor authentication (MFA), but it does not determine resource access.

D. Provisioning:Refers to creating and managing user accounts and permissions, but it does not make real-time access decisions.

Real-World Context:

In cloud environments, services like AWS IAM or Azure AD use policies toauthorizeuser actions after they have beenauthenticated. For instance, an AWS IAM policy might allow a user to list S3 buckets but deny deletion.

One of the primary advantages of including Static Application Security Testing (SAST) in Continuous Integration (CI) pipelines is that it allows developers to identify code vulnerabilities early in the development process. By scanning the source code for potential security issues as it is being written and integrated into the pipeline, SAST helps to catch vulnerabilities before they make it to later stages of development or production, improving overall security and reducing the cost and effort of fixing issues later.

While SAST does not directly impact the speed of deployment, runtime performance, or user interface, its early identification of security flaws contributes to better code quality and a more secure application.

During the Detection and Analysis phase of incident response, the primary objective is to validate alerts to determine whether they represent a genuine security incident, and to estimate the scope of the incident to understand the potential impact on the organization. This phase involves analyzing evidence, confirming the nature of the incident, and gathering the necessary information to move forward with containment and remediation.

Developing and updating incident response policies is important but occurs more during the preparation phase, not during the detection and analysis of an active incident. Performing detailed forensic investigations typically takes place during later phases, such as Containment, Eradication, & Recovery or Post-Incident Analysis. Implementing network segmentation and isolation may be part of the Containment phase but is not the primary focus during the Detection and Analysis phase.

A key aspect of cloud risk management is taking a structured approach to identify, assess, and address risks related to using cloud services. This includes evaluating potential risks such as security vulnerabilities, data privacy issues, service outages, and compliance challenges. Effective risk management helps organizations proactively mitigate potential threats, ensuring the cloud environment is secure, compliant, and resilient.

A structured approach for performance optimization of cloud services is more related to performance management, not risk management. A structured approach to establishing the different what/if scenarios for cloud vs on-premise decisions refers to decision-making scenarios, not the identification and management of risks. A structured approach to SWOT analysis) is a strategic planning tool that focuses on strengths, weaknesses, opportunities, and threats, but it is not specifically focused on cloud risk management.

Documenting lessons learned is essential in the post-incident phase, as it helps improve future incident response processes. Reference: [Security Guidance v5, Domain 11 - Incident Response]

Cloud governance establishes controls and policies that align with the organization’s goals for security, compliance, and efficient management in the cloud. Reference: [Security Guidance v5, Domain 2 - Cloud Governance]

The correct answer isD. Cloud Security Posture Management (CSPM).

Cloud Security Posture Management (CSPM) is a comprehensive tool designed to identify and remediate misconfigurations and compliance violations incloud management planes. It helps organizations maintain secure and compliant cloud environments by continuously monitoring configurations against industry standards and best practices.

Key Functions of CSPM:

Configuration Management:Identifies misconfigurations and alerts administrators to fix them.

Compliance Monitoring:Continuously assesses cloud environments against compliance frameworks such as CIS, NIST, GDPR, and others.

Automated Remediation:Automatically fixes known configuration errors based on predefined policies.

Visibility:Provides a comprehensive view of security and compliance risks across multi-cloud environments.

Risk Assessment:Analyzes risks related to identity, data exposure, and network configurations.

Why CSPM is Most Effective:

Cloud environments are dynamic, and maintaining secure configurations is challenging. CSPM solutions likeAWS Config,Azure Security Center, andGoogle Cloud Security Command Centerautomate the process of checking forsecurity policy violationsandconfiguration drift.

Why Other Options Are Incorrect:

A. Data Security Posture Management (DSPM):Focuses on data security, data loss prevention, and data governance, rather than configuration and compliance management.

B. SaaS Security Posture Management (SSPM):Specifically targets SaaS applications, managing security settings and compliance of cloud-based software rather than infrastructure.

C. Cloud Detection and Response (CDR):Focuses on threat detection and incident response rather than configuration management and compliance.

Real-World Example:

A CSPM tool likePalo Alto Prisma CloudorAWS Configcan automatically detect ifIAM policiesare overly permissive or ifS3 bucketsare publicly accessible, helping to maintain compliance and reduce attack surfaces.

The principle of Segregation of Duties (SoD) focuses on implementing multiple security layers by dividing responsibilities among different individuals or systems to ensure that no single entity has enough control to misuse or compromise access. This principle helps to prevent fraud, error, and misuse by ensuring that critical tasks are divided and that sensitive actions require multiple people or processes to perform, adding an extra layer of security.

Continuous Monitoring refers to the ongoing observation of activities to detect unusual behavior, but it is not directly about diluting access power. Federation involves linking multiple identity management systems together to allow access across different domains but does not specifically address limiting access power through multiple security layers. Principle of Least Privilege ensures that users have only the minimum necessary access to perform their tasks, but it does not directly involve dividing duties or responsibilities.

Enforcing the principle of least privilege is the practice of granting users and systems the minimum level of access necessary to perform their tasks. By limiting root or core access and restricting the creation of deployments to onlythose who absolutely need it, the risk of unauthorized access, misuse, or damage is minimized. This helps ensure that critical systems and sensitive data are protected by reducing the number of people or services with high-level access.

Trust and verify on demand is not a standard security practice and could create security gaps. Disabling multi-factor authentication is a poor security practice, as multi-factor authentication (MFA) enhances security by adding an additional layer of verification. Deploying applications with full access) contradicts the principle of least privilege and could expose the system to unnecessary risks.

In multi-tenant technologies, the fundamental security requirement issegmented and segregated customer environments. Multi-tenancy means that multiple customers (tenants) share the same physical or virtual infrastructure while maintaining logical separation to prevent data leakage and unauthorized access between tenants.

To ensure security and compliance in multi-tenant environments, providers implement:

Network segmentation (VLANs, Virtual Private Clouds)

Isolation mechanisms (such as virtual firewalls and access control lists)

Data isolation through encryption and access controls

Hypervisor-based isolation in virtualized environments

The goal is to create stronglogical isolationbetween tenants to mitigate risks likedata leakage, guest-hopping attacks, and unauthorized access.

Why Other Options Are Incorrect:

B. Limited resource allocation:While resource limits may help performance management, they do not inherently ensure security in multi-tenant settings.

C. Resource pooling:Though fundamental to cloud computing, it does not address the isolation needed for secure multi-tenancy.

D. Abstraction and automation:These are key elements in cloud computing but do not directly address multi-tenant security.

The management plane is used for governing and configuring cloud resources and is considered a top priority in cloud security programs. It provides the tools and interfaces for administrators to manage, configure, and control cloud resources, such as virtual machines, storage, and networking. It is critical to secure the management plane because it often has access to sensitive configurations and the ability to modify cloud environments, making it a prime target for attacks.

Management Console is an interface that interacts with the management plane, but it is not the underlying system for governance and configuration. Orchestrators are used to automate the management and deployment of cloud resources but are not the primary component for governing andsecuring cloud environments. Abstraction layer refers to the layer that hides the complexity of underlying infrastructure, but it does not directly govern or configure cloud resources.

Differential privacy is a strategy designed to protect data confidentiality by ensuring that the output of a machine learning model does not expose sensitive information about individual data points. In the context of model inversion attacks, where attackers try to infer confidential data from the model, differential privacy introduces noise into the model’s output in a way that prevents attackers from accurately reconstructing the input data. This helps safeguard against attacks that threaten the privacy of the data used to train the model.

Secure multi-party computation is useful for enabling collaborative computation on encrypted data but does not specifically address model inversion attacks. Encryption is important for securing data at rest or in transit but does not directly protect against model inversion attacks. Model hardening refers to general measures to make models more robust to adversarial attacks, but it does not directly mitigate the specific risk of model inversion attacks related to data confidentiality.

Snapshots serve as recovery points, enabling quick rollback to previous states if issues arise during updates or changes. This is crucial for VM lifecycle management. Reference: [Security Guidance v5, Domain 7 - Infrastructure & Networking]

Many cloud providers offer default encryption for data at rest, which is typically enabled automatically for data stored within the cloud. In these cases, the encryption is often done using the cloud provider's keys as part of the provider’s security infrastructure, and it is usually provided at no additional cost to the customer. This ensures that data is protected while at rest, reducing the risk of unauthorized access.

Infrastructure as a Service (IaaS) primarily provides users with storage, computing resources, and networking capabilities. In the IaaS model, cloud providers offer virtualized computing resources over the internet. Users can rent servers, storage, and networking equipment without needing to manage the physical hardware themselves. This allows for flexible scaling and resource management according to the users' needs.

FaaS focuses on serverless computing where users run code in response to events. PaaS provides a platform that allows users to develop, run, and manage applications without worrying about the underlying infrastructure. SaaS delivers fully managed applications over the internet, where users access software without managing the infrastructure.

Consulting with stakeholders is crucial for ensuring that the cloud security strategy aligns with the overall business objectives and needs. Stakeholders — such as business leaders, IT teams, legal, and compliance officers — bring unique perspectives on what the cloud strategy needs to accomplish, from security to compliance, scalability, and performance. By involving stakeholders, organizations can ensure that the security strategy supports business goals, addresses various concerns, and is comprehensive.

Simplifying the cloud platform selection process is a potential benefit but not the primary reason for consulting stakeholders. Selecting the right cloud platform is part of the broader strategy. Reducing the overall cost of cloud services is not necessarily the outcome of involving stakeholders, although cost considerations may be part of the discussion. Ensuring compliance with technical standards only is too narrow; stakeholders help ensure compliance with both technical and business requirements.

Infrastructure as Code (IaC)facilitates rapid recovery in cybersecurity by enablingautomated and consistent deployment of recovery environments. IaC allows organizations to define infrastructure configurations as code, which can be versioned, tested, and deployed quickly to rebuild environments after an incident, ensuring consistency and reducing recovery time.

From theCCSK v5.0 Study Guide, Domain 11 (Incident Response and Recovery), Section 11.4:

“Infrastructure as Code (IaC) enhances rapid recovery by allowing organizations to automate the deployment of infrastructure and applications. By defining recovery environments as code, organizations can quickly and consistently rebuild systems after a security incident, minimizing downtime and ensuring operational continuity.”

Option B (IaC enables automated and consistent deployment of recovery environments) is the correct answer.

Option A (IaC is primarily used for designing network security policies) is incorrect because IaC focuses on infrastructure deployment, not policy design.

Option C (IaC provides encryption and secure key management) is incorrect because IaC does not directly handle encryption or key management.

Option D (IaC automates incident detection and alerting) is incorrect because IaC is not used for detection or alerting.

DevOps aims to improve collaboration and integration between development and operations teams, streamlining delivery and enhancing software quality. Reference: [CCSK Study Guide, Domain 10 - DevOps & DevSecOps]

Cloud telemetry provides detailed insights and visibility into security events and system behaviors in cloud environments, which helps detect and respond to threats. Reference: [Security Guidance v5, Domain 6 - Security Monitoring]

Controlling traffic flows between networks is critical in a cybersecurity context toreduce the blast radius of attacks. By segmenting networks and implementing controls such as firewalls, organizations can limit the lateral movement of attackers, containing breaches and minimizing their impact.

From theCCSK v5.0 Study Guide, Domain 9 (Network Security), Section 9.2:

“Controlling traffic flows between networks is a fundamental cybersecurity practice to reduce the blast radius of attacks. Network segmentation and micro-segmentation limit an attacker’s ability to move laterally within the environment, containing breaches and protecting critical assets.”

Option B (To reduce the blast radius of attacks) is the correct answer.

Option A (To increase the speed of data transmission) is incorrect because traffic control focuses on security, not speed.

Option C (To simplify network architecture) is incorrect because segmentation may increase complexity.

Option D (To reduce the amount of data stored) is incorrect because traffic control does not directly affect data storage.

In federated identity management, the identity provider (IdP) is responsible for authenticating users and making assertions about their identity to the relying party (which could be a service or application that trusts the IdP). The IdP and the relying party establish a trust relationship in advance, which allows the IdP to assert that a user is authenticated, often in the form of security tokens or assertions like SAML or OpenID Connect.

The IdP that authenticates users and makes assertions, not the relying party. The relying party does not make assertions to the IdP; the relying party relies on assertions made by the IdP. The IdP and relying party do have a direct trust relationship in federated identity management.

Multi-region resiliency in cloud environments is primarily used to improve fault tolerance by deploying applications and services across multiple geographical regions. This strategy ensures that if one region experiences an outage or failure, the application or service can failover to another region, maintaining availability and minimizing downtime. Multi-region deployments help organizations ensure business continuity, disaster recovery, and high availability.

Increasing the number of users in each region is not the main purpose of multi-region resiliency. While multi-region deployment can help with compliance, the primary goal is fault tolerance and availability, not compliance with data laws. While multi-region deployment may offer some efficiency benefits, the main purpose is not cost reduction; it's about ensuring reliability and availability.

Behavioral detection for IAM and management plane activities is essential for identifying unusual or suspicious actions by compromised identities, especially in environments where attackers use automated tactics. Reference: [CCSK v5 Curriculum, Domain 5 - IAM]

Encryption in object storage is used to secure stored data and protect it from unauthorized access, ensuring confidentiality. Reference: [Security Guidance v5, Domain 9 - Data Security]

Serverless computing shifts infrastructure management responsibility to the CSP, allowing customers to focus on application logic rather than infrastructure. Reference: [Security Guidance v5, Domain 8 - Cloud Workload Security]

SLAs play a key role in cloud incident management as they define response expectations and support arrangements between CSPs and CSCs. Reference: [CCSK Study Guide, Domain 11 - Incident Response]

Cloud sprawl leads to the distribution of assets across multiple locations, making it challenging to maintain visibility and security control over all resources. Reference: [Security Guidance v5, Domain 4 - Organization Management]

Zero Trust Network Access (ZTNA) enforces the principle of "never trust, always verify." Unlike traditional perimeter-based security, ZTNA continuously evaluates access requests using dynamic factors. These include:

User identity (authenticated via SSO or MFA)

Device posture (device compliance, health status)

Contextual information (time of access, location, behavior patterns)

This layered decision-making process ensures that access is tightly controlled and highly contextual, minimizing attack surfaces and mitigating lateral movement within networks.

ZTNA aligns with cloud-native security practices discussed inDomain 7: Infrastructure Security, emphasizing the transition from static access control lists to dynamic, identity-centric enforcement models.

Threat modeling is the technique used to assess potential threats by analyzing attacker capabilities, motivations, and potential targets. It involves identifying, understanding, and prioritizing potential security threats in the context of a system or application. By considering the attackers' possible objectives and methods, organizations can design security controls to mitigate these risks proactively.

Vulnerability assessment focuses on identifying and evaluating vulnerabilities in a system, but it does not explicitly analyze attacker behavior or motivations. Incident response involves responding to security incidents after they occur, not proactively assessing potential threats. Risk assessment involves evaluating potential risks to an organization, but threat modeling specifically focuses on understanding and mitigating potential threats, making it a more targeted technique for this purpose.

The correct answer isD. Virtual Machines (VMs). In the context of cloud computing,Virtual Machines (VMs)are software-based emulations of physical computers. They run an operating system (OS) and applications just like a physical machine would. VMs are often hosted on physical servers using hypervisors, which allow multiple VMs to run on a single physical machine, thereby sharing resources like CPU, memory, and storage.

Why Virtual Machines (VMs) are Suitable for Data Processing:

Full OS Environment:VMs provide a complete operating system environment, making them suitable for running complex data processing tasks that require specific OS configurations.

Isolation:Each VM operates independently, providing isolation between different workloads, which is essential when processing sensitive or diverse data sets.

Scalability:Cloud providers offer VM scaling options to meet the demands of data processing workloads.

Compatibility:VMs can run legacy applications that may not be compatible with newer cloud-native technologies.

Why Other Options Are Incorrect:

A. Platform as a Service (PaaS):PaaS provides a platform for developing and deploying applications without managing underlying infrastructure. It is not directly related to VM-based processing.

B. Serverless Functions (FaaS):Serverless computing abstracts the infrastructure and is used for running discrete functions rather than emulating entire machines.

C. Containers:Containers package applications and dependencies but share the host OS kernel. They are lightweight compared to VMs and do not fully emulate physical computers.

Real-World Example:

If a company moves a data processing application that was traditionally run on an on-premises physical server to the cloud, they might choose VMs on services like AWS EC2, Azure Virtual Machines, or Google Compute Engine to maintain the same OS environment and application compatibility.

The management plane refers to the interfaces used to manage configurations and resources in a cloud environment. It is responsible forhandling administrative tasks, such as provisioning, configuration management, and monitoring of resources. Protecting the management plane is crucial because it is where sensitive configurations and access control policies are set, which can potentially be exploited if not properly secured.

Securing the management plane involves ensuring that only authorized users and systems can make changes to the cloud infrastructure and resources, protecting these interfaces from unauthorized access or malicious activity.

Implementing these controls supports data governance and compliance by providing visibility into data handling and potential exposures. Reference: [Security Guidance v5, Domain 9 - Data Security]

The primary objective of posture management in a cloud environment is to ensure that cloud configurations are continuously monitored to ensure compliance with security policies, best practices, and regulatory requirements.Posture management involves assessing and maintaining the security posture by identifying misconfigurations, vulnerabilities, or non-compliant resources, and ensuring that the cloud environment remains secure and aligned with organizational policies.

Automating incident response procedures is important but is not the primary focus of posture management, which focuses more on proactive configuration and security monitoring. Optimizing cloud cost efficiency is a key concern in cloud management, but it is not the main focus of posture management, which deals with security and compliance. Managing user access permissions is related to Identity and Access Management (IAM), which is a separate aspect of cloud security from posture management.

The primary benefit of implementing micro-segmentation within a Zero Trust Architecture is that it enhances security by isolating workloads from each other. Micro-segmentation involves dividing the network into smaller, isolated segments, so that even if an attacker gains access to one part of the network, they cannot easily move laterally to other parts. This is crucial in a Zero Trust model, which assumes that threats may exist both inside and outside the network, and security is enforced at a granular level for each workload.

Simplifying network design is not a benefit of micro-segmentation; in fact, it can add complexity due to the increased number of network segments. Increased network performance is not a primary outcome of micro-segmentation, which may introduce overhead. Reducing the need for encryption is incorrect because micro-segmentation doesn't eliminate the need for encryption; it works alongside encryption to provide better security.

A key component of governance in cybersecurity is defining roles and responsibilities. Governance ensures that the right people within an organization are assigned specific duties related to security and that they are held accountable for those responsibilities. This helps establish clear lines of authority and accountability, ensuring that everyone knows what they are responsible for in terms of security practices, policies, and procedures.

While standardizing technical specifications, defining tools and technologies, and enforcing penetration testing are important elements of a cybersecurity strategy, defining roles and responsibilities is essential for overall governance to ensure that security practices are consistently followed.

Thehybrid clouddeployment model involves integrating a private cloud (or on-premises datacenter) with a public cloud, bound together by technology that enablesdata and application portability. This allows workloads to move seamlessly between environments, leveraging the benefits of both private and public clouds.

From theCCSK v5.0 Study Guide, Domain 1 (Cloud Computing Concepts and Architectures), Section 1.3:

“A hybrid cloud combines on-premises infrastructure (or a private cloud) with a public cloud, integrated through technology that allows data and application portability. This model enables organizations to maintain sensitive workloads on-premises while leveraging the scalability of public cloud services.”

Option A (Hybrid cloud) is the correct answer.

Option B (Public cloud) is incorrect because it involves only cloud provider resources, not a datacenter.

Option C (Multi-cloud) is incorrect because it refers to using multiple public cloud providers, not a datacenter.

Option D (Private cloud) is incorrect because it does not inherently include integration with a public cloud.