Free Practice Questions for WGU Managing-Cloud-Security Exam

The engineers are concerned about portability. Vendor-specific APIs and tools create a dependency on a single provider, leading to vendor lock-in. This limits the ability to migrate services or workloads to another provider without significant rework.

Reliability and availability refer to service uptime and continuity, while scalability addresses performance under demand. Although important, none of these directly relate to cross-platform flexibility. Portability ensures that services, data, and applications can be easily moved or integrated across environments.

By adopting portable solutions—such as open standards, containerization, and multi-cloud strategies—organizations reduce long-term risks, increase negotiation power with providers, and enhance resilience.

Backup generators are an appropriate countermeasure for mitigating the risk of a power outage at a cloud service provider. Managing Cloud principles explain that ensuring continuous power supply is a core responsibility of the provider’s physical infrastructure management.

Backup generators, along with redundant power feeds and uninterruptible power supplies, allow data centers to continue operating during power failures. This ensures availability, resilience, and continuity of cloud services.

Database replication and storage replication address data availability, while web application firewalls protect against application-layer attacks. They do not mitigate power loss. Therefore, backup generators are the correct countermeasure.

A loss of policy control is a key risk when using a community cloud compared to a private cloud. Managing Cloud principles explain that community clouds are shared by multiple organizations with common objectives, compliance needs, or industry requirements.

Because governance is shared across participants, individual organizations may have reduced ability to enforce customized security policies, configurations, or controls. Policy decisions often require consensus, which can limit flexibility and slow response to emerging risks.

Private clouds provide full control over governance, security policies, and configurations. The other options are not inherent risks of community cloud models. Therefore, loss of policy control is the correct answer.

The Data Controller is the role responsible for ensuring that third parties implement adequate technical and organizational security measures to protect data. Managing Cloud principles emphasize that the data controller determines the purpose and means of data processing and remains accountable for how personal or sensitive data is handled, even when third parties are involved.

When data is processed by cloud providers or other external entities, the data controller must ensure that contractual agreements, policies, and controls are in place to maintain data protection standards. This includes verifying that third parties follow approved security practices, comply with legal requirements, and apply appropriate safeguards.

Other roles do not carry this responsibility. A cloud user consumes cloud services but does not define processing requirements. A cloud provider implements security controls but acts under the instructions of the data controller. A data subject is the individual whose data is being processed and has no responsibility for security enforcement. Therefore, the data controller is the correct role.

The primary safeguard against licensing risk is ensuring the organization has the correct type of license. Software licenses define usage rights, limitations, and legal obligations. Using software outside of license terms can lead to legal penalties, financial fines, and reputational damage.

Location of licenses is a management issue, not a risk control. Restricting usage to closed-source or open-source alone is not practical, as both models require compliance with license agreements.

Correct licensing includes verifying user counts, subscription terms, geographic restrictions, and intended use. It also involves monitoring for unauthorized installations and conducting regular audits. Proper license management ensures legal compliance, cost control, and operational continuity.

Securing the hypervisor is the primary security measure that controls virtualization in the cloud. Managing Cloud principles explain that the hypervisor is the foundational component that enables multiple virtual machines to share the same physical hardware.

If the hypervisor is compromised, all hosted workloads are at risk. Therefore, securing the hypervisor through hardening, access control, patching, and monitoring is critical to maintaining isolation between virtual machines and preventing privilege escalation.

Monitoring and logging provide visibility, dedicated hosting reduces shared risk, and managing image assets supports consistency, but none directly control virtualization. Therefore, securing the hypervisor is the correct answer.

The Stored Communications Act (SCA) is a United States jurisdictional data protection law enacted to limit and regulate forced disclosure of electronic communications by internet service providers. Managing Cloud principles describe the SCA as a legal framework that governs how stored electronic communications and customer data may be accessed by government entities.

The act establishes requirements for warrants, subpoenas, and court orders before service providers can disclose stored data. This protection is particularly relevant in cloud environments, where service providers store large volumes of customer data on behalf of organizations.

The other options are incorrect. APP8 and APP11.1 are Australian Privacy Principles, and GDPR applies to the European Union. Therefore, the Stored Communications Act is the correct U.S. jurisdictional protection.

The Change Management Board (CMB), also called the Change Advisory Board (CAB), is the formal authority responsible for reviewing, assessing, and approving planned modifications to IT environments. This group ensures that proposed changes align with business objectives, do not introduce unnecessary risks, and comply with security and regulatory requirements.

Event management teams focus on monitoring events, problem management teams handle root-cause analysis, and executive boards provide strategic direction but are not operational approval authorities. Only the CMB has the explicit role of validating technical and security implications before implementation.

By involving the CMB, organizations enforce structured governance, minimize disruptions, and establish accountability. This practice is central in ITIL and ISO/IEC 20000 standards, ensuring that operational integrity and security are preserved during change cycles.

In the Software as a Service (SaaS) model, data security is a shared responsibility between the cloud provider and the enterprise. Managing Cloud principles explain that while the cloud service provider is responsible for securing the infrastructure, platform, and application itself, the customer retains responsibility for how data is used, classified, accessed, and governed.

The provider ensures data is protected through encryption mechanisms, availability controls, and secure storage, while the enterprise is responsible for data ownership, access permissions, identity management, and compliance with regulatory requirements. This shared ownership requires close coordination to ensure confidentiality, integrity, and availability of data.

Application, platform, and physical security are primarily the provider’s responsibility in SaaS. Therefore, data is the correct answer.

The Health Insurance Portability and Accountability Act (HIPAA) defines requirements for the electronic transfer of healthcare data to a cloud service provider. Managing Cloud documentation explains that HIPAA governs the protection, transmission, and storage of protected health information (PHI).

HIPAA establishes administrative, technical, and physical safeguards to ensure confidentiality, integrity, and availability of healthcare data. When healthcare organizations use cloud services, both the organization and the cloud provider must ensure compliance with HIPAA requirements.

The other regulations do not apply to healthcare data transfer. Stark Law addresses physician self-referral, the Healthcare Quality Improvement Law focuses on peer review, and GLBA applies to financial institutions. Therefore, HIPAA is the correct answer.