The "create" phase of the cloud data lifecycle concerns the initial generation of data content within the cloud environment. This includes constructing entirely new data, importing data from external systems (which is new to the cloud), and modifying existing data content to create a new version. Modifying metadata, however, involves changing the attributes or properties about the data (e.g., classification tags, file ownership, access permissions), not the actual content of the data itself. This action is a form of data management or processing, which is typically categorized under the "use" phase of the lifecycle, not the "create" phase.

B. Importing data: This action introduces data into the cloud environment for the first time, which is a form of data creation within the context of that system.

C. Modifying data: The modification or updating of existing data content is explicitly defined as part of the "create" phase, as it results in a new version of the data.

D. Constructing new data: This is the primary and most direct form of data creation, involving the generation of new digital content from scratch.

1. Cloud Security Alliance (CSA). (2017). Security Guidance for Critical Areas of Focus in Cloud Computing v4.0. Page 61

Section "Data Security Lifecycle". The document defines the "Create" phase as "The generation of new digital content

or the modification/updating of existing content." This definition includes options B

C

and D but excludes the management of attributes (metadata)

which falls under the "Use" phase ("Data is viewed

processed

or otherwise used...").

2. Ko

R.K.L.

Lee

E.W.

Lee

S.G. et al. (2021). A Reference Model for the Cloud Computing Data Life Cycle. Journal of Cloud Computing

10(13). Section 3

"Cloud Computing Data Life Cycle (CDLC) Reference Model". This academic paper describes the "Create" phase as the point where "data is generated or entered into the system

" which aligns with constructing and importing data. Modifying metadata is a subsequent management action

not the initial generation of content. DOI: https://doi.org/10.1186/s13677-021-00230-x.

3. National Institute of Standards and Technology (NIST). (2011). NIST Special Publication 800-145

The NIST Definition of Cloud Computing. While this document defines cloud computing

its principles underpin the data lifecycle. The creation of data is tied to the generation of the information asset itself

whereas metadata management is a control or administrative function applied to that asset.

According to established best practices and foundational cybersecurity frameworks, a Business Continuity and Disaster Recovery (BCDR) plan should be tested at a minimum of once per year. Annual testing ensures the plan remains effective, relevant to the current business and IT environment, and that personnel are prepared to execute their roles. This frequency provides a reasonable balance between the need for assurance and the significant cost and operational disruption that BCDR tests can cause. More frequent testing may be required for highly critical systems or in rapidly changing environments, but annually is the accepted baseline minimum.

B. Once a month: This frequency is generally considered excessive and impractical for a comprehensive BCDR plan test due to high costs and operational disruption.

C. Every six months: While semi-annual testing is a commendable practice for critical systems, it is not the universally recognized minimum requirement for all BCDR plans.

D. When the budget allows it: This approach is reactive and fails to treat BCDR as an essential, planned business function, directly contradicting best practices for risk management.

1. National Institute of Standards and Technology (NIST) Special Publication 800-34 Rev. 1

Contingency Planning Guide for Federal Information Systems. Section 5.3

"Testing

" page 41

states

"The contingency plan should be tested at least annually to determine its effectiveness and the organization’s readiness to execute the plan."

2. Cloud Security Alliance (CSA)

Security Guidance for Critical Areas of Focus in Cloud Computing v4.0. Domain 5: Business Continuity and Disaster Recovery

page 101

notes

"The BCDR plan should be tested on a regular basis (at least annually) to ensure that it works as designed."

3. ISO 22301:2019

Security and resilience — Business continuity management systems — Requirements. Clause 8.5

"Business continuity documentation

" requires organizations to establish and implement a BCM exercise program. While the standard requires exercises at "planned intervals

" industry best practice and certification audits widely interpret this as a minimum of annually for key plans.

4. Carnegie Mellon University

Software Engineering Institute

CERT Resilience Management Model (CERT-RMM) v1.2. The model emphasizes regular

planned exercises as a core process area (OPM: Operational Resilience Management). The appraisal methods for maturity levels consistently look for evidence of planned

periodic (typically annual) exercises.

Implementing network segmentation with Virtual LANs (VLANs) is a fundamental and highly effective measure for enforcing tenant partitioning. By assigning each tenant to a unique VLAN, their network traffic is logically isolated at Layer 2 of the OSI model. This segregation prevents direct communication between tenants' resources, contains broadcast traffic within each tenant's virtual network, and forms a crucial boundary for applying access control policies via firewalls and routers. This directly addresses the core requirement of preventing unauthorized access and data leakage between tenants in a multi-tenant architecture.

A. Disabling logging and monitoring critically undermines security by removing the ability to detect, investigate, and respond to unauthorized access attempts or policy violations.

B. A common management interface without strict, tenant-aware access controls is a major security flaw that could easily lead to cross-tenant data exposure or misconfiguration.

C. Using shared storage without access controls completely violates the principles of confidentiality and isolation, allowing any tenant to read, modify, or delete another's data.

1. National Institute of Standards and Technology (NIST) Special Publication 800-125B

Secure Virtual Network Configuration for Virtual Machine (VM) Protection

Section 4.2

"Virtual Network-Based Protections

" states: "VLANs are a common mechanism for creating isolated virtual local area networks (VLANs) on a physical local area network (LAN)... This allows VMs on the same VLAN to communicate with each other as if they were on the same physical LAN segment

while preventing them from communicating with VMs on different VLANs at the data link layer."

2. Ruirui

Z.

& Zhibin

Z. (2010). The Security of Multi-tenancy in Cloud Computing. In 2010 International Conference on Computer Application and System Modeling (ICCASM 2010) (Vol. 9

pp. V9-229). This paper discusses isolation as a key security requirement in multi-tenancy

noting that "Network isolation is usually achieved by VLANs

which can isolate broadcast domains." (Section 3

Paragraph 2). DOI: 10.1109/ICCASM.2010.5620522

3. Cloud Security Alliance (CSA). Security Guidance for Critical Areas of Focus in Cloud Computing v4.0

Domain 1: Cloud Computing Concepts and Architectures

Section on "Multi-Tenancy

" discusses the importance of isolation controls. It implicitly supports segmentation by stating that logical isolation mechanisms are essential to prevent tenants from accessing each other's resources

with network controls being a primary example.

A Service-Level Agreement (SLA) is the specific, legally binding contract or part of a contract that defines the level of service a customer can expect from a cloud service provider. It quantifies the minimum performance and availability guarantees, such as 99.9% uptime or specific data throughput rates. The SLA is the primary document focused on these metrics and includes remedies or penalties (e.g., service credits) if the provider fails to meet the agreed-upon levels. While an MSA governs the overall relationship, the SLA contains the enforceable details for service performance and availability.

B. Master Service Agreement (MSA): This is a foundational contract that outlines the general terms of the relationship but typically lacks the specific, measurable service metrics found in an SLA.

C. Statement of Work (SOW): This document defines the scope, deliverables, and timeline for a specific project, not the ongoing, operational guarantees for a service.

D. Non-Disclosure Agreement (NDA): This agreement is focused solely on protecting the confidentiality of shared information and does not address service performance or availability.

1. National Institute of Standards and Technology (NIST). (2011). NIST Cloud Computing Reference Architecture (NIST Special Publication 500-292). Section 5.3.5

"Cloud Service Management

" states: "The SLA specifies the levels of service (e.g.

availability

performance

and data protection) that are negotiated and agreed upon in a contract (SLA document) between a cloud consumer and a cloud provider."

2. Mell

P.

& Grance

T. (2011). The NIST Definition of Cloud Computing (NIST Special Publication 800-145). While this document defines cloud characteristics

the concept of "measured service" (Section 2) implies the need for a document like an SLA to define and enforce those measurements.

3. Armbrust

M.

et al. (2009). Above the Clouds: A Berkeley View of Cloud Computing (Technical Report No. UCB/EECS-2009-28). University of California

Berkeley. Section 5.2

"Data Lock-In

" discusses the importance of standardized APIs and SLAs for mitigating risks

implicitly linking SLAs to service guarantees.

4. Foster

I.

& Gannon

D. B. (2017). Cloud Computing for Science and Engineering. MIT Press. Chapter 10

"Legal Issues

" discusses the contractual framework for cloud services

highlighting that "The service-level agreement (SLA) is a contract between a service provider and a customer that specifies

in measurable terms

what services the provider will furnish." (p. 261).

A Type 1 hypervisor, also known as a bare-metal hypervisor, is installed directly on the physical hardware, acting as its own minimal, specialized operating system. This design means its codebase is lean and purpose-built solely for managing virtual machines. This significantly reduces the attack surface compared to a Type 2 hypervisor, which runs as an application on top of a full-featured, general-purpose host operating system (e.g., Windows, macOS, Linux). The Type 2 hypervisor inherits all the vulnerabilities, services, and complexities of its underlying host OS, creating a much larger target for potential attacks.

A: The hypervisor manages virtual hardware, but patching the guest operating systems within the VMs is the responsibility of the VM administrator.

C: Hardware-level encryption capabilities are generally provided by the CPU and can be leveraged by both Type 1 and Type 2 hypervisors, not being an exclusive feature of Type 1.

D: A primary function of any hypervisor is to support a wide variety of guest operating systems, not restrict them to a specific type.

1. National Institute of Standards and Technology (NIST) Special Publication 800-125

Guide to Security for Full Virtualization Technologies.

Section 2.1

"Virtualization Architectures

" describes the two types of hypervisors. It states

"Type 1 hypervisors run directly on the host's hardware to control the hardware and to manage guest operating systems... Type 2 hypervisors run on a conventional operating system (OS) just as other computer programs do." This architectural difference is the basis for the security distinction.

Section 3.1

"Hypervisor Security

" discusses that the hypervisor's security is critical. A Type 1 hypervisor's smaller

specialized nature inherently presents a smaller attack surface than a Type 2 hypervisor running on a full host OS.

2. Popek

G. J.

& Goldberg

R. P. (1974). Formal requirements for virtualizable third generation architectures. Communications of the ACM

17(7)

412–421.

Section 2

"A Model of a Third Generation Machine

" This foundational paper on virtualization defines the concept of a Virtual Machine Monitor (VMM)

or hypervisor. The principles laid out explain that a VMM that controls the hardware directly (Type 1) has a more privileged and isolated position than one that operates on top of a host OS (Type 2)

which is fundamental to its security posture. DOI: https://doi.org/10.1145/361011.361073

3. Massachusetts Institute of Technology (MIT) OpenCourseWare. 6.858 Computer Systems Security

Fall 2014.

Lecture 15 Notes

"Virtualization

" discusses the security benefits of a small Trusted Computing Base (TCB). The notes explain that Type 1 hypervisors have a much smaller TCB than Type 2 hypervisors because they do not include a full host OS. A smaller TCB is a core principle of secure system design.

Platform as a Service exposes standardized run-time platforms (e.g., Java, .NET, Node.js) that sit above the individual vendor’s infrastructure. Because the application is written to the platform’s APIs—not to the underlying provider-specific hardware or VM interfaces—the same code can, in principle, be moved to any provider that supports that platform. NIST therefore notes that PaaS “can reduce the risk of proprietary lock-in.” The (ISC)² CCSP Common Body of Knowledge echoes this, listing “minimization of vendor lock-in” as a principal advantage and characteristic of PaaS offerings.

A. PaaS usually supports heterogeneous environments (multiple OSs, frameworks, DBs); homogeneity is not a defining characteristic.

B. Most commercial PaaS offerings are polyglot (Java, Python, Go, etc.); limiting to a single language is not typical.

D. PaaS scaling is predominantly automatic and policy driven; manual scaling is more associated with IaaS controls.

1. NIST SP 800-146 “Cloud Computing Synopsis and Recommendations

” §2.3

p.17–18: “PaaS… can reduce the risk of lock-in through use of open

standard platforms.”

2. (ISC)² Official Guide to the CCSP CBK

2nd ed.

Chapter 2 “Cloud Service Models

” p.58: “Advantages of PaaS include developer productivity and reduction of vendor lock-in.”

3. University of California Berkeley

EECS 201 “Cloud Computing” lecture notes

Fall 2020

Slide set 6

slide 12: “PaaS abstracts infrastructure

lowering lock-in risk if multiple providers support the same platform.”

The "Create" phase is the very first stage in the cloud data lifecycle, where data is generated, captured, or modified. This represents the earliest possible point to implement security controls. Key controls such as data classification, labeling, and the application of Information Rights Management (IRM) are most effective when applied at the moment of creation. This initial classification dictates the security requirements for all subsequent phases (Store, Use, Share, etc.), ensuring that data is protected consistently throughout its entire lifecycle. Failing to apply controls at this stage means the data exists in an unprotected state, even if only for a short time.

A. Use: This phase occurs after data has already been created and stored; therefore, it is not the first opportunity for control implementation.

B. Share: Sharing or distributing data is a subsequent phase that happens after data is created, stored, and often used.

C. Store: Data must be created before it can be stored. While applying controls like encryption at rest is critical in this phase, it is not the first instance.

1. Cloud Security Alliance. (2017). Security Guidance for Critical Areas of Focus in Cloud Computing v4.0. Page 114

Domain 5: Cloud Data Security

Section "Data Security Lifecycle

" subsection "Create." The document states

"At this stage [Create]

the key security issue is data classification and labeling." This confirms that security controls are applied in the very first phase.

2. Mather

T.

Kumaraswamy

S.

& Latif

S. (2009). Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. O'Reilly Media. Chapter 4

"The Cloud Computing Data Security Lifecycle

" page 62. The text explains that in the "Create" phase

"the primary security-related task is to classify the data." This establishes that security measures begin at data's inception.

For a large, multinational corporation's cloud infrastructure, an automated patch management system is the most effective strategy. The scale, complexity, and dynamic nature of cloud environments make manual patching impractical, slow, and prone to human error. Automation ensures that security patches for newly discovered threats are deployed consistently, rapidly, and verifiably across all systems, including virtual machines and applications. This minimizes the window of exposure, enhances the organization's security posture, and allows for centralized management, reporting, and auditing, which are critical for compliance and governance in a multinational context.

A. Manually applying patches on a quarterly basis is far too infrequent and inefficient to protect against newly discovered threats in a large-scale environment.

B. Relying on end-users is irrelevant for cloud infrastructure patching and is an unreliable method that lacks central control and verification.

D. Disabling automatic updates is a counterproductive security practice that leaves systems perpetually vulnerable and directly contradicts the goal of timely patching.

---

1. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-40 Revision 3

Guide to Enterprise Patch Management Technologies.

Page v (Executive Summary): "Patch management can be a complex and time-consuming activity. Organizations should automate patch management activities as much as possible to improve efficiency and accuracy." This directly supports automation as the most effective approach.

2. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 5

Security and Privacy Controls for Information Systems and Organizations.

Control SI-2 (Flaw Remediation): This control requires organizations to "identify

report

and correct information system flaws" and "install security-relevant software and firmware updates within the organization-defined time period." In a large cloud environment

meeting these time-based requirements is only feasible through an automated system.

3. Cavalcante

E.

et al. (2021). Automated Software Patch Management: A Definition and a Scoping Review. ACM Computing Surveys

54(3)

Article 63.

Section 1 (Introduction): The paper establishes that "manual patch management is a time-consuming

error-prone

and costly task" and that automation is essential to address the increasing volume and frequency of vulnerabilities. (DOI: https://doi.org/10.1145/3447880)

4. Massachusetts Institute of Technology (MIT) OpenCourseWare. 6.858 Computer Systems Security

Fall 2014.

Lecture 1: Introduction & Threats: The course materials establish the fundamental security principle that systems face a continuous stream of new threats. This implies the need for a continuous and rapid response

which in practice for a large organization

necessitates an automated patch management process rather than slow

manual

or disabled update mechanisms.

The concept described is "Measured service," one of the five essential characteristics of cloud computing defined by the National Institute of Standards and Technology (NIST). This characteristic enables the cloud provider to automatically control and optimize resource usage by leveraging a metering capability. Resource consumption (such as storage, processing, bandwidth, and active user accounts) is monitored, controlled, and reported. This provides transparency for both the provider and the consumer and is the foundation for the pay-per-use or pay-as-you-go business model, where customers are billed only for the resources they actually consume.

A. Consumable service: This is a generic description, not the specific, standardized term for the cloud's pay-per-use billing and resource management model.

C. Billable service: This term is too broad. It simply indicates that a service has a cost, but it does not describe the specific model of charging based on measured usage.

D. Metered service: While metering is the mechanism that enables a measured service, "Measured service" is the official NIST term for the overall characteristic and concept.

1. Mell

P.

& Grance

T. (2011). The NIST Definition of Cloud Computing (Special Publication 800-145). National Institute of Standards and Technology. Retrieved from https://doi.org/10.6028/NIST.SP.800-145.

Page 2

Section 2

"Essential Characteristics": "Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability... Resource usage can be monitored

controlled

and reported

providing transparency for both the provider and consumer of the utilized service."

2. Armbrust

M.

Fox

A.

Griffith

R.

Joseph

A. D.

Katz

R.

Konwinski

A.

... & Zaharia

M. (2010). A view of cloud computing. Communications of the ACM

53(4)

50-58. (Referenced in UC Berkeley courseware).

Page 51

Section 3

"Classes of Utility Computing": The paper discusses pay-for-use models as a defining feature of utility computing

the precursor concept to modern cloud services

stating

"users can pay for a portion of a service." This aligns with the principle of measured service.

3. Rittinghouse

J. W.

& Ransome

J. F. (2017). Cloud Computing: Implementation

Management

and Security. CRC Press. (Widely used as a university textbook).

Chapter 2

"The Cloud Defined": This chapter explicitly details the NIST definition

explaining that "Measured Service is what makes the pay-per-use model of cloud computing possible."

Network Data Loss Prevention (DLP) is the most effective strategy as it is specifically designed to address the core requirement: preventing sensitive data exfiltration. Network DLP solutions are deployed at network egress points to monitor, inspect, and control data in motion. They analyze the content of network traffic, including emails, web uploads, and cloud service interactions, against predefined policies. If a policy violation is detected (e.g., an attempt to send a file containing intellectual property), the DLP system can block the transmission, alert administrators, or apply encryption, directly preventing the unauthorized sharing of sensitive data.

A. Encryption protects data from unauthorized access during storage or transit but does not prevent an authorized user from decrypting and sharing the data.

B. Antivirus software is designed to detect and remove malware; it does not analyze or control the content of outbound data for policy violations.

C. Firewall rules manage network traffic based on ports, protocols, and IP addresses, but they lack the content-awareness needed to identify and block sensitive data.

1. Cloud Security Alliance (CSA). (2017). Security Guidance for Critical Areas of Focus in Cloud Computing v4.0. Page 67

Section "Data Loss Prevention (DLP)". The document states

"Network DLP... is typically installed at network egress points near the perimeter... It analyzes network traffic to detect sensitive data that is being sent in violation of information security policies."

2. National Institute of Standards and Technology (NIST). (2020). NIST Special Publication 800-53

Revision 5: Security and Privacy Controls for Information Systems and Organizations. Control ID SI-4 (18)

"Analyze Traffic | Content". This control enhancement specifies the need to "Analyze the content of network traffic to identify and position unauthorized information for removal." This directly supports the function of a Network DLP system.