Domain 5 of 6 · Chapter 1 of 6

Building Cloud Infrastructure

Hardware roots of trust: TPM and HSM

A cloud platform is only as trustworthy as the hardware it boots on, and two distinct chips carry that trust. Picture a host powering on: before any hypervisor code runs, a small chip measures what is about to execute and records a fingerprint; separately, a hardened key vault stands ready so that secrets used later never sit in ordinary memory. The first chip is the Trusted Platform Module; the second is the Hardware Security Module. They are both tamper-resistant, which is exactly why candidates blur them, but they do different jobs.

TPM: measure and attest the platform

A Trusted Platform Module (TPM) is a passive, low-throughput chip soldered to the motherboard, one per physical host. Its job is integrity, not bulk cryptography. As firmware, boot loader, and kernel load, each component is hashed and the hash is extended into a Platform Configuration Register (PCR), building a chain of measurements that cannot be rewound. The TPM can then attest that chain by signing the PCR values with a key that never leaves the chip, so a remote verifier can confirm the host booted known-good software (this is measured boot and remote attestation[1]). The TPM can also seal a small secret to a specific PCR state, so the secret only unseals if the machine boots in that exact configuration. What a TPM is not: a place to do bulk encryption or hold many keys.

HSM: generate, store, and use keys

A Hardware Security Module (HSM) is a high-throughput cryptographic processor whose defining promise is that key material never leaves its tamper-resistant boundary in plaintext. You send it data and an operation (encrypt, decrypt, sign, generate a key); it returns the result, never the key. HSMs are validated against FIPS 140-2 or its successor FIPS 140-3[2], and the validation level matters: Level 1 is software-grade, Level 2 adds tamper-evidence and role-based authentication, Level 3 adds active tamper response (the device zeroizes its keys on physical intrusion) plus identity-based operator authentication, and Level 4 adds environmental-attack resistance. Naming the exact certified level is the testable point, because a regulator that mandates "FIPS 140-2 Level 3" is naming a specific physical-tamper guarantee, not a brand.

How they appear in the cloud

In an on-premises data center you own both chips. In the cloud the split shifts with the service model. The TPM belongs to the physical host the provider operates, so a customer benefits from measured boot indirectly, through the provider's attestation, rather than touching the chip. The HSM, by contrast, is exposed as a service: a multi-tenant key management service (AWS KMS, Azure Key Vault, Google Cloud KMS) is backed by HSMs the provider shares, while a dedicated single-tenant HSM (AWS CloudHSM, Azure Dedicated HSM) gives one customer sole control of the partition for when shared custody is unacceptable.

TPM: measure + attestFirmwareBoot loaderKernelTPM PCRshashes extended in ordersignAttestationto remote verifierHSM: keys never leave the boundaryRequest:data + operationHSM boundarykey stays insideResult onlyciphertext / signature
TPM extends boot-component hashes into PCRs and signs an attestation; the HSM returns only operation results, never the key (NIST FIPS 140-3).

Type-1 vs Type-2 hypervisors and the isolation boundary

The hypervisor is the single most important security boundary in an IaaS platform, because it is what stands between one tenant's virtual machine and another's. The choice of hypervisor type is therefore a security decision before it is an operations decision, and the rule is short: production multi-tenant cloud runs Type-1.

The two types

A Type-1 (bare-metal, native) hypervisor installs directly on the hardware and is itself the lowest layer of software. There is no host operating system beneath it to be patched, compromised, or used as a pivot, so its trusted computing base is small. This is what every major IaaS provider runs (KVM, Xen, ESXi, Hyper-V in its role as the parent partition's privileged layer). A Type-2 (hosted) hypervisor runs as an ordinary application on top of a general-purpose operating system (VMware Workstation, VirtualBox). Every vulnerability in that underlying OS becomes a vulnerability beneath your guests, which is acceptable on a developer laptop and unacceptable for multi-tenant production.

The shared mental model: both types create and isolate guests, and they differ in exactly one thing, what sits below them. Below a Type-1 is bare metal; below a Type-2 is a full host OS. Fewer layers below the boundary means fewer ways for a guest to reach the boundary and escape.

The escape that everything else exists to prevent

The defining threat is VM escape (also called guest-to-host breakout or hyperjacking): a guest exploits a flaw in the hypervisor or in emulated virtual hardware to execute code at the host level, which on a shared host means access to co-tenants. Build-phase defenses are all about shrinking the path to that escape: run Type-1 to remove the host-OS layer, keep the hypervisor patched to a known baseline, strip the management interface down and isolate it on its own network, and lean on the CPU's hardware virtualization extensions (Intel VT-x/AMD-V, with VT-d/AMD-Vi for I/O) so isolation is enforced in silicon rather than fragile software emulation. The exam frames this as choosing the architecture that minimizes attack surface, and Type-1 is consistently the right answer for a cloud host.

A note on containers

Containers are not a third hypervisor type. They share one host kernel and isolate at the OS level (namespaces and cgroups), which is a weaker boundary than a hypervisor's, so a kernel exploit can cross between containers. When strong isolation is required for untrusted workloads, the pattern is to run each container (or pod) inside its own lightweight VM on a Type-1 hypervisor, getting the hypervisor boundary back. Do not treat the container boundary as equivalent to the VM boundary on the exam.

Type-1 (bare-metal)Guest VMGuest VMType-1 hypervisorHardwareBoundary = hypervisor; no host OS belowType-2 (hosted)Guest VMGuest VMType-2 hypervisor (app)Host OSHardwareExtra host-OS layer below guests = larger attack surface
Type-1 places the hypervisor directly on hardware; Type-2 inserts a host OS layer beneath the guests, enlarging the attack surface.

Securing the virtual hardware: network, storage, memory, CPU

Once the hypervisor is chosen, the build must lock down the virtual hardware it hands to each guest. The principle is the same across all four resource types: a guest must never be able to read, reach, or starve what belongs to another tenant. Configure each at provision time, before workloads arrive.

Network

Virtual networking is where tenants are most likely to leak into each other. Segment tenants with their own virtual networks or VLANs/VXLANs, attach default-deny security groups so only declared traffic flows, and isolate the management plane onto a separate network that guest workloads cannot route to. Disable promiscuous mode and MAC-address changes on virtual switch port groups so a guest cannot sniff a neighbor's traffic or spoof another's identity. East-west traffic between guests on the same host should pass policy, not flow freely.

Storage

The risk here is data remanence: a virtual disk reassigned from one tenant to another must not carry the previous tenant's bytes. Enforce encryption at rest for every volume and image so a discarded block is unreadable, and rely on the platform's zeroing or cryptographic-erase of reclaimed blocks (cryptographic erase, destroying the key, is the fast, scalable way to sanitize cloud storage, consistent with NIST SP 800-88 media sanitization[3]). Separate guest data stores from the hypervisor's own boot and configuration storage.

Memory

Memory is shared physical RAM partitioned among guests, so the threats are cross-VM reads and side channels. Disable transparent page sharing / memory deduplication across tenants (it has enabled cross-VM information leaks), and for high-isolation or confidential workloads enable hardware memory encryption (AMD SEV, Intel SGX enclaves or TDX trust domains) so guest memory is encrypted from the hypervisor and host operator, not just from other guests.

CPU

The CPU must enforce isolation in hardware. Require the virtualization extensions (Intel VT-x / AMD-V, plus VT-d / AMD-Vi for DMA isolation of passthrough devices) so a guest cannot use a malicious device to read host memory. Apply microcode and firmware updates that mitigate speculative-execution side channels, and avoid over-committing physical cores in ways that create timing channels between tenants. The recurring exam idea: hardware-enforced isolation beats software emulation, so the build that turns these extensions on is the more secure one.

Tenant isolation at buildconfigure virtual hardwareNetworkVLAN + default-deny SGStorageencrypt + crypto-eraseMemoryno dedup; SEV/SGXCPUVT-x/AMD-V + VT-dGoal: no cross-tenant read, reach, or starve
Each virtual-hardware resource gets a build-time isolation control so no guest can read, reach, or starve another tenant.

The secure baseline build and management tooling

Build is the one moment the platform is clean, so what ships from build defines the security floor for everything that runs later. The rule: every host, hypervisor, and golden guest image is produced from a defined, hardened baseline and captured as an immutable image, never hand-configured from a default install.

What a baseline contains

Start from a recognized hardening standard rather than inventing one. A CIS Benchmark[4] or a DISA STIG gives a per-platform checklist; map your baseline to it so it is auditable. The baseline removes default and unused accounts, changes or removes every default credential (including the management agent's), disables unused services, daemons, and ports, sets the host firewall to default-deny, enables disk encryption, configures secure logging and time sync, and enforces least privilege on local accounts. For the guest, install the virtualization guest toolset (VMware Tools, virtio drivers, the cloud-init/agent) from the trusted source so paravirtualized drivers and the orchestration hook are present, then harden the guest OS itself.

Golden image and immutability

Capture the hardened result as a golden image and provision every host and VM from that single artifact. Immutability is the security property: identical hosts mean configuration drift is detectable (anything that differs from the image is suspect), patching is a rebuild-and-replace rather than an in-place edit, and a compromised instance is discarded rather than cleaned. Sign or hash the image and verify it at launch so a tampered image is caught.

Securing the management plane and tooling

The management plane (the hypervisor's management interface, the orchestration and configuration tools, the cloud control APIs) is the highest-value target because it controls every guest, so the build must harden it before handing it to operators. Install management tools from verified sources, isolate the management network from tenant traffic, require MFA and least-privilege RBAC for administrators, and turn on full audit logging of management actions from day one. Treat the configuration-management and IaC tooling as part of this surface: the credentials those tools hold can rebuild the whole estate, so they belong in a secrets manager, never in an image or a repository.

Where build hands off to operate

Build produces the hardened, immutable starting state; keeping it hardened over time (patch management, drift remediation, monitoring, backup/restore, availability tuning) is the operate phase, covered in the sibling operating-cloud-infrastructure subtopic. The clean handoff matters on the exam: questions about standing up infrastructure point to baselines, golden images, and trust anchors, while questions about maintaining it point to patching and monitoring.

CIS / STIGhardening standardBaselinestrip defaults, denyGolden imagesigned, immutableHosts + VMsidentical fleetManagement plane hardened firstisolated network, MFA, RBAC, audit log
A hardening standard drives the baseline, which becomes a signed immutable golden image; the management plane is hardened before any operator touches it.

Trust-anchor hardware and hypervisor build choices

PropertyTPMCloud HSM (dedicated)Type-1 hypervisorType-2 hypervisor
Primary jobMeasure + attest platform stateGenerate, store, use keysIsolate guests on bare metalRun guests atop a host OS
Where it sitsSoldered to one physical hostSingle-tenant appliance/serviceDirectly on hardwareAs an app on a host OS
Holds key materialTiny sealed secret onlyYes, never leaves the boundaryNoNo
FIPS 140 validationOften, as a chipYes, selectable levelNot applicableNot applicable
Cloud production fitProvider-operated host controlCustomer single-tenant custodyRequired for IaaS hostsDev/lab only

Decision tree

Multi-tenant productioncloud host?No (dev/lab)YesType-2 hypervisoracceptable on laptopType-1 hypervisorTPM measured bootCustomer must hold keysin single-tenant custody?NoYesMulti-tenant KMSHSM-backed, sharedDedicated cloud HSMpick FIPS 140 levelConfidentialworkload?if yesHardware memory encryptionAMD SEV / Intel SGX / TDXAlways: harden to a baseline, ship an immutable golden image

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A TPM measures and attests platform state; it is not a key vault

A Trusted Platform Module is a passive chip soldered to one physical host that hashes firmware, boot loader, and kernel into Platform Configuration Registers as they load, then signs those values so a remote verifier can confirm the host booted known-good software (measured boot and remote attestation). It can also seal a small secret to a specific PCR state so the secret only unseals on that exact configuration. It is not built for bulk encryption or holding many keys.

Trap Reaching for a TPM to store and serve application encryption keys; that throughput-and-storage role belongs to an HSM, while the TPM only measures, attests, and seals a tiny secret.

1 question tests this
An HSM keeps key material inside its boundary and returns only the result

A Hardware Security Module is a high-throughput cryptographic processor whose defining guarantee is that the private key never leaves its tamper-resistant boundary in plaintext. You send it data plus an operation (encrypt, decrypt, sign, generate); it performs the operation internally and returns only the result. That property is what lets you prove a key was never exposed to the operating system or to a co-tenant.

3 questions test this
FIPS 140 levels name specific physical-tamper guarantees, not brands

HSMs are validated against FIPS 140-2 or its successor FIPS 140-3, and the level is the testable detail. Level 1 is software-grade with no physical security; Level 2 adds tamper-evidence and role-based authentication; Level 3 adds active tamper response (the device zeroizes its keys on physical intrusion) plus identity-based operator authentication; Level 4 adds resistance to environmental attacks. When a mandate says "FIPS 140-2 Level 3" it is specifying the tamper-response and operator-auth guarantee, so record the certificate number as evidence.

Trap Treating any FIPS 140 validation as equivalent; Level 1 has no physical protection at all, so it does not satisfy a Level 3 zeroize-on-intrusion requirement.

5 questions test this
Multi-tenant KMS vs dedicated HSM is a custody decision

Cloud key services come in two shapes that differ by who controls the partition. A multi-tenant key management service (AWS KMS, Azure Key Vault, Google Cloud KMS) is HSM-backed but shared across customers, which is fine for most workloads. A dedicated single-tenant HSM (AWS CloudHSM, Azure Dedicated HSM) gives one customer sole control of the hardware partition and the keys, for when regulation or contract makes shared custody unacceptable. Choose dedicated only when single-tenant custody is genuinely required, because it costs more and you operate it.

Trap Provisioning a dedicated single-tenant HSM for an ordinary workload that the multi-tenant KMS already protects; you take on cost and operational burden with no custody requirement to justify it.

1 question tests this
Production multi-tenant cloud runs Type-1 hypervisors

A Type-1 (bare-metal) hypervisor installs directly on the hardware with no host operating system beneath it, so its trusted computing base is small, which is why every IaaS provider runs one (KVM, Xen, ESXi). A Type-2 (hosted) hypervisor runs as an application on a general-purpose OS, inheriting that OS's vulnerabilities, suitable for a developer laptop but not a multi-tenant host. Fewer layers below the isolation boundary means fewer paths for a guest to escape it.

Trap Picking a Type-2 hypervisor for a multi-tenant cloud host because it is easier to set up; the underlying host OS becomes an extra attack surface directly beneath every tenant's guest.

2 questions test this
VM escape is the threat the hypervisor build exists to prevent

VM escape (guest-to-host breakout, sometimes hyperjacking) is when a guest exploits a flaw in the hypervisor or emulated virtual hardware to run code at host level, which on a shared host means reaching co-tenants. Build-phase defenses all shrink the path to it: run Type-1 to drop the host-OS layer, keep the hypervisor patched to a known baseline, strip and isolate the management interface, and enforce isolation with CPU virtualization extensions rather than fragile software emulation.

6 questions test this
CPU virtualization extensions enforce isolation in silicon

Require the hardware virtualization extensions on every host: Intel VT-x or AMD-V for CPU virtualization, plus Intel VT-d or AMD-Vi (IOMMU) for DMA isolation so a passed-through or malicious device cannot read host memory. Hardware-enforced isolation is stronger than software emulation, so the build that turns these on is the more secure one. Also apply microcode and firmware updates that mitigate speculative-execution side channels.

Trap Assuming software emulation isolates guests as well as the hardware extensions; without VT-d/AMD-Vi, a passthrough device can DMA into memory the guest should never reach.

2 questions test this
Disable memory deduplication across tenants and encrypt sensitive guest memory

Shared physical RAM is partitioned among guests, so the threats are cross-VM reads and side channels. Disable transparent page sharing and memory deduplication across tenants, because identical-page merging has enabled cross-VM information leaks. For high-isolation or confidential workloads, enable hardware memory encryption (AMD SEV, Intel SGX enclaves, or Intel TDX trust domains) so guest memory is encrypted even from the hypervisor and the host operator, not only from other guests.

Trap Relying on hypervisor partitioning alone for confidential data; without hardware memory encryption a compromised hypervisor or host operator can still read the guest's RAM.

Lock down the virtual switch so a guest cannot sniff or spoof neighbors

On virtual switch port groups, disable promiscuous mode so a guest cannot capture traffic destined for other VMs, and disable MAC-address changes and forged transmits so a guest cannot impersonate another's address. Segment tenants onto their own virtual networks or VLANs/VXLANs with default-deny security groups, and isolate the management plane onto a separate network that guest workloads cannot route to.

Trap Leaving promiscuous mode enabled on a port group for troubleshooting convenience; any guest on that group can then sniff its neighbors' traffic.

1 question tests this
Cryptographic erase is the scalable way to sanitize reclaimed cloud storage

A virtual disk reassigned from one tenant to another must not carry the previous tenant's bytes (data remanence). Encrypt every volume and image at rest, then sanitize by destroying the encryption key (cryptographic erase), which renders the data unrecoverable instantly and at scale, consistent with NIST SP 800-88 media sanitization. Physical overwrite or degaussing does not fit shared, abstracted cloud storage the way crypto-erase does.

Trap Assuming you can degauss or physically destroy a specific tenant's blocks in a shared cloud array; you do not control the physical media, so cryptographic erase via key destruction is the workable control.

3 questions test this
Containers share a kernel, so isolate untrusted workloads in their own VM

Containers are not a hypervisor type; they isolate at the OS level with namespaces and cgroups while sharing one host kernel, a weaker boundary than a hypervisor's because a kernel exploit can cross between containers. When untrusted or strongly-isolated workloads need the VM boundary back, run each container or pod inside its own lightweight VM on a Type-1 hypervisor.

Trap Treating the container boundary as equivalent to the VM boundary; a single host-kernel vulnerability can compromise every container on the host, which the hypervisor boundary would have contained.

Build every host and image from a hardened baseline, not a default install

Build is the one clean moment, so produce hosts, hypervisors, and golden guest images from a defined baseline mapped to a recognized standard such as a CIS Benchmark or DISA STIG. The baseline removes default and unused accounts, changes or removes every default credential including the management agent's, disables unused services and ports, sets the host firewall to default-deny, enables disk encryption, and configures secure logging and time sync. Anything left at vendor defaults is the easiest thing for an attacker to use.

Trap Leaving the management agent's or appliance's default credentials in place after deployment; default credentials are among the first things scanned for and exploited.

Capture the hardened build as a signed, immutable golden image

Provision every host and VM from a single golden image rather than configuring each by hand. Immutability is the security property: identical instances make configuration drift detectable (anything differing from the image is suspect), patching becomes rebuild-and-replace instead of in-place editing, and a compromised instance is discarded rather than cleaned. Sign or hash the image and verify it at launch so a tampered image is caught before it boots.

Harden the management plane before handing it to operators

The management plane (hypervisor management interface, orchestration and configuration tools, cloud control APIs) controls every guest, so it is the highest-value target. At build time isolate it on its own network away from tenant traffic, install its tools only from verified sources, require MFA and least-privilege RBAC for administrators, and enable full audit logging of management actions from day one. A breach here is a breach of the whole estate, not one tenant.

Trap Putting the management interface on the same network tenants can reach so admins can connect conveniently; that exposes the control plane of every guest to tenant-side attackers.

2 questions test this
Keep IaC and config-management credentials in a secrets manager, never in an image

Infrastructure-as-Code and configuration-management tooling is part of the build attack surface because the credentials it holds can rebuild the entire estate. Store those secrets in a dedicated secrets manager and inject them at run time; never bake them into a golden image, a container layer, or a source repository, where they persist and leak. The blast radius of a leaked build credential is the whole platform.

Trap Embedding deploy keys or API tokens directly in the golden image or IaC repo for convenience; they ship to every host and survive in version history where they are trivially harvested.

Install the guest virtualization toolset from the trusted source during build

Part of building a guest is installing its virtualization toolset (VMware Tools, virtio paravirtualized drivers, cloud-init or the cloud agent) so paravirtualized I/O performs well and the orchestration hook is present. Pull these only from the platform vendor's trusted source, then harden the guest OS itself to the baseline. The toolset runs with privilege inside the guest, so a tampered package is a direct foothold.

Build sets the secure starting state; operate keeps it secure over time

The build phase produces a hardened, immutable starting point: trust anchors, hypervisor choice, baselines, golden images. Keeping that state hardened (patch management, drift remediation, monitoring, backup/restore, availability tuning) is the operate phase, covered in the operating-cloud-infrastructure subtopic. Questions about standing up infrastructure point to baselines and trust anchors, while questions about maintaining it point to patching and monitoring.

Trap Answering a standing-up question with an operate-phase control like patch cadence; the build question is asking for the baseline, golden image, or hardware trust anchor that defines the secure starting state.

CSP-managed keys let the provider decrypt; hold the keys yourself for regulated data

When the CSP manages encryption keys it retains the technical ability to decrypt tenant data, so for regulated data the recommendation is customer-managed keys (CMK) held in a key store separate from the provider — or client-side encryption — so provider insiders cannot read the plaintext. This applies segregation of duties between the data host and the key holder.

Trap Accepting default CSP-managed platform keys for regulated data, leaving the provider technically able to decrypt it.

5 questions test this
Unique per-tenant keys give cryptographic isolation on shared storage

Encrypting each tenant's volumes or objects with its own unique key, managed through a centralized KMS, ensures one tenant's data cannot be decrypted with another tenant's key even if storage-layer isolation fails. Centralized key management supplies consistent lifecycle, access control, and audit across SAN, NAS, and object storage.

Trap Using one shared key across all tenants so a single key compromise exposes every tenant's data.

4 questions test this
Set EXTRACTABLE=false so an HSM key can never be exported

Creating a key with the EXTRACTABLE attribute set to false (EXTRACTABLE=0) makes it non-extractable: it can only be used for cryptographic operations inside the HSM and cannot be exported even via key wrapping. This is the configuration for highly sensitive master keys that must never leave the HSM boundary, and it cannot be reversed after creation.

Trap Leaving keys extractable for portability when the requirement is that they never leave the HSM under any circumstance.

3 questions test this
Uptime Tier III is concurrently maintainable; Tier IV is also fault tolerant

Tier III is the minimum that supports concurrent maintainability — any component can be taken offline for maintenance without disrupting service. Tier IV adds fault tolerance, so a single unplanned component failure also causes no disruption (about 99.995%, ~26 minutes annual downtime); a requirement for both fault tolerance and maintenance without interruption needs Tier IV.

Trap Selecting Tier III when the requirement also demands surviving an unplanned single-component failure — that is Tier IV.

3 questions test this
PUE is total facility power divided by IT power, so lower is more efficient

Power Usage Effectiveness is total data-center energy divided by the energy delivered to IT equipment. A PUE of 1.2 means 1 watt powers IT and 0.2 watts goes to overhead (cooling, power distribution, lighting); a PUE of 1.8 means 0.8 watts of overhead per IT watt. The closer to 1.0, the more efficient the facility.

Trap Reading a higher PUE as better — a larger ratio means more overhead and worse efficiency.

4 questions test this
A Building Management System monitors and controls facility environment proactively

A Building Management System (BMS) continuously monitors data-center temperature, humidity, airflow, and power via facility-wide sensors, automates HVAC control, and alerts operations staff as conditions approach (before they exceed) thresholds. The correct response to a trending-toward-threshold alert is to investigate and adjust proactively, not wait for the alarm.

Trap Waiting until the BMS alarm threshold is breached to act, instead of remediating while conditions are merely trending upward.

4 questions test this
Hot/cold aisle containment stops exhaust and supply air from mixing

Hot-aisle/cold-aisle containment erects physical barriers that separate server hot exhaust from cold supply air, eliminating the recirculation that causes localized hot spots and inconsistent inlet temperatures even when overall cooling capacity is adequate. It is the targeted fix for air-mixing problems and improves cooling efficiency.

Trap Adding more raw cooling capacity to chase hot spots when the root cause is hot/cold air recirculation that containment resolves.

5 questions test this
UPS provides instant bridge power until generators assume the load

On utility power loss the UPS comes online instantly, supplying short-term battery bridge power for the seconds-to-minutes it takes diesel generators to start, stabilize, and take over the sustained facility load. The UPS is the gap-filler, not the long-duration source.

Trap Expecting the UPS to carry the facility for hours — its role is to bridge only until the generators assume the load.

3 questions test this
Lowering a biometric threshold trades FRR for FAR; CER is where they meet

Loosening a biometric system's matching threshold lowers the False Rejection Rate (fewer legitimate users denied) but raises the False Acceptance Rate (more impostors admitted). The Crossover Error Rate (CER), also called Equal Error Rate, is the threshold where FAR equals FRR and is the standard single-number accuracy comparison — lower CER is a better system.

Trap Tuning only for low False Rejection (user convenience) while ignoring the rising False Acceptance Rate that admits impostors.

3 questions test this
Physical defense in depth layers controls from perimeter inward to the rack

Defense in depth applies multiple concentric physical barriers — perimeter fencing, building access control, data-center floor restrictions, then server-rack locks — so if one layer is defeated the next still protects the asset. The layers run from the outermost perimeter inward to rack-level security.

Trap Relying on a single strong control (e.g. a guarded entrance) instead of layered concentric barriers from perimeter to rack.

3 questions test this

Also tested in

References

  1. NIST CSRC Glossary — Trusted Platform Module (TPM)
  2. FIPS 140-3 — Security Requirements for Cryptographic Modules Whitepaper
  3. NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization Whitepaper
  4. CIS Benchmarks — Secure Configuration Baselines