Answer D: Why, glad you asked.... Least privilege extends beyond human access. The model can be applied to applications, systems or connected devices that require privileges or permissions to perform a required task. So internet access is being limited until it is needed to perform a specific task.
A) is incorrect because they are giving 1 admin all the core roles when they may not need all of them to do their job. Of course the argument can be made that they are the only admin and will need all core admin rights, but that is not the same as limiting access for a particular system or person to only have the rights they need to do their job.
A single cloud admin cannot be configured to access core functions. The risk is high. What if he is not available? What will happen to the business? Answer is D.
The correct answer is A. A single cloud administrator is configured to access core functions.
The principle of least privilege refers to granting users, systems, or processes the minimum level of access or permissions necessary to perform their tasks. In a cloud environment, this means restricting administrative access to only those who need it. For example, having a single cloud administrator with access to core functions aligns with this principle, as it limits the potential for unauthorized or unnecessary access.
The other options describe general security practices but do not specifically relate to the principle of least privilege:
B. Internet traffic is inspected for all incoming and outgoing packets refers to traffic monitoring.
C. Routing configurations are regularly updated with the latest routes refers to network routing management.
D. Network segments remain private if unneeded to access the internet relates to network segmentation, not least privilege.
I wonder why anyone would even think A is correct. That is a single point of failure and in no way related to PoLP. Least privilege is restricting access to what you or an application need to do its job. A single admin having access to a core service is in no way least privilege. D is the suitable answer.
Correct answer is D.
A doesn't describe least privilege. If you needed to have two cloud administrators access core functions, you would have to give them to the second one, and that doesn't relate to least privilege at all. That may be more related to segregation of functions if you decide you only need one cloud administrator for that, or if you see that having 2 admins and dividing their core function access would be most secure.
D, on the other hand, is related to least privilege through segregation of the network, ensuring users in an environment don't access other environments they don't need for their work functions.
D sounds more correct. The network is restricted if Internet is not required. Option A sounds more like a demonstration of elevated privilege, which is right for an administrator.
Privilege has to do with access. So, the correct answer is A. Access could've been granted to all the administrators but the key word here is "single".
Answer: A - I think what they're trying to refer to is how you create one admin account in cloud environments to do the "core" management and then everything is delegated to other roles. CISSP tries to be vendor agnostic but it looks like they're describing the MS Azure practice of creating one global admin (or as few as possible) to do certain functions.
I say D. A is close, but I don't know if a single admin account that controls the core is the right way to go. You'd likely need one as a (not truly) global, another as a "break glass account" that no one uses and has a FIDO key in a safe or something somewhere, and the rest of the admins would be granted permissions under those.
The correct answer is D. "Network segments remain private if unneeded to access the internet."
The least privilege principle in a cloud environment advocates for providing users and systems with the minimum level of access or permissions necessary to perform their tasks or functions. By restricting access to only what is essential, the risk of unauthorized access or potential security breaches is minimized.
Option D reflects the least privilege principle by emphasizing that network segments should remain private unless there is a specific need for them to access the internet. This approach helps limit exposure and potential attack vectors, aligning with the concept of least privilege.
The correct answer is A. The reason option D is not the BEST answer in the context of least privilege is that it specifically refers to network segments and their connectivity to the internet. While it is a valid security practice, the least privilege principle is more commonly associated with user and system access permissions rather than network segmentation.
Option D is the best answer because it best describes the principle of least privilege in a cloud environment.
The least privilege principle states that users should only be given the minimum permissions necessary to perform their duties.
Option D reflects this by suggesting network segments remain private and isolated if they don't need internet access. This restricts exposure and limits access to only what is required.
Option A is incorrect because having a single admin with full core access violates least privilege.
Option B is unrelated to least privilege and describes firewall inspection.
Option C refers to network routing, not permissions.
This is a tricky question. Consider that granting access to the internet is a privilege. And considering a network zone in the cloud can host users, applications and services, we can tell that all of those entities have the least privilege to remain in the private zone unless required. So, D is possible. However, if we stick to the Principle of Least Privilege only applying to users, then it is A. But I am leaning toward D.