Which of the following is not a characteristic of Cloud computing?
A. multi-tenancy
B. elastic scaling
C. pay-for-use pricing
D. manual provisioning
Correct Answer: D
Question 92:
Which one of the following user classification schemes best reflects what function or functions a user performs?
A. role-based classification
B. rule-based classification
C. group-based classification
D. attribute-based classification
E. rank-based classification
Correct Answer: A
Explanation: Given the potentially large number of users of a system, access privileges are generally not assigned at the user level. Instead, users are assigned to groups (mimicking the organizational structure of a company), or roles (defined based on job functions that users perform), or some combination of the two. Access privileges are then assigned to groups and/or roles. The most natural case is that they are assigned to roles, since roles align more closely with operations users naturally perform to accomplish their job. The industry term for this is Role-Based Access Control (RBAC). RBAC is more flexible than defining access rights based on usernames or static groups and enables an organization to be more versatile when allocating resources. With RBAC the system must determine if the subject (user or client) is associated with a role that has been granted access to a resource. This process of user to role ascertainment is called role mapping.
Incorrect answers
B: Rule-based access control is very similar to fine-grained access control, where access is controlled by rules defined in policies. The twist is that rules might refer to each other. For instance, access may be granted to resource/function A as long as it is not also granted to resource/function B. This form of control can be used to ensure that a group or individual is not given privileges that create a conflict of interest or inappropriate level of authority. For instance, the approver of expenses or purchases cannot be the same as the requestor.
C: Role is better here.
D: There are times when access should be based on characteristics the user has rather than the organization or roles to which the user belongs. For instance, a customer with premium status might be granted access to exclusive offers, and a sales representative who has achieved his target sales revenue might have access to certain perks. Such levels of status vary over time, making it difficult to manage access based on relatively static group or role assignments. Attribute-based access control offers a more dynamic method of evaluation. Decisions are based on attributes assigned to users, which are free to change as business events unfold. Access policies define the attributes and values a user must have, and access decisions are evaluated against the current values assigned to the user. Attributes can be used to support both coarse-grained and fine-grained authorization.
E: There is no such thing as rank-based classification.
Question 93:
Which of the following combinations represent a true multi-factor authentication mechanism?
A. password and PIN
B. password and token
C. PIN and token
D. token and fingerprint
E. fingerprint and retina scan
F. password and retina scan
Correct Answer: BCDF
Explanation:
Multi-factor authentication is the requirement of more than one form of proof of identity, from more than one type (factor) of proof. The three main types of factors are:
* Human Factors (something you are), which includes biometrics such as retina scans, fingerprints, etc.
* Personal Factors (something you know), such as passwords, PINs, etc.
* Technical Factors (something you have), for instance smart card, token, etc.
A multi-factor authentication scheme must include at least one form of proof from at least two of the above factor types. For instance, it could include the use of a smart card and PIN, but not a password and PIN.
Note: Multi-factor authentication greatly reduces the risk of establishing fraudulent identity over a scheme that uses only one factor. It takes away the ability to fraudulently authenticate by obtaining any single piece of technology or password secret. One way to achieve multi-factor authentication without requiring additional proofs from the user is to track which devices the user logs in from. The device can suffice as something the user has, for instance a laptop computer. If the user logs in from a different device, or the device is used for a different user, then additional authentication challenges may be warranted.
Question 94:
The principle of "Security as a Service" states that business solutions must be designed to consume common security services, where possible, as opposed to implementing custom security logic and replicating copies of security data. Which of the following statements is not an implication of this principle?
A. Security logic must be externalized as much as possible, i.e., developers must not hand-code security logic into business solutions.
B. Security enforcement, decisions, and management must be performed by dedicated, shared services and infrastructure.
C. Wherever possible, security services must be built upon open standards.
D. Security services must use Web Service (SOAP) interfaces and XML payloads in order to promote interoperability.
Correct Answer: ABC
Explanation:
Rationale: Security services allow multiple solutions to share common security logic, features, policies, and identity information. This provides a more secure environment by eliminating redundancies and associated risks. It also enables more effective management of security in the IT environment.
Implications:
* Security logic must be externalized as much as possible, i.e., developers must not hand-code security logic into business solutions. (A)
* Security enforcement, decisions, and management must be performed by dedicated, shared services and infrastructure. (B)
* Security services must leverage open standards for interface protocols and message formats where possible in order to promote interoperability. (C)
* The availability and performance characteristics of security services must meet or exceed the specifications required to support the business solutions.
Question 95:
Which of the following statements are true about defense-in-depth strategy?
A. It saves money by allowing organizations to remove costly perimeter security infrastructure.
B. It is a strategy designed to win the battle by attrition. It consists of multiple security measures at various levels as opposed to a single barrier.
C. It includes security measures for the network, the operating system, the application, and data.
D. Due to network overhead issues, it should not be used in a distributed computing environment such as SOA or cloud computing.
E. It is a good strategy to protect an organization from insider threats.
Correct Answer: BCE
Explanation:
Defense in depth is a security strategy in which multiple, independent, and mutually reinforcing security controls are leveraged to secure an IT environment.
The basic premise is that a combination of mechanisms, procedures and policies at different layers within a system is harder to bypass than a single security mechanism or a small number of them. An attacker may penetrate the outer layers but will be stopped before reaching the target, which is usually the data or content stored in the 'innermost' layers of the environment. Defense in depth is also adopted from military defense strategy, where the enemy is defeated by attrition as it battles its way against several layers of defense.
Defense in depth should be applied so that a combination of firewalls, intrusion detection and prevention, user management, authentication, authorization, and encryption mechanisms are employed across tiers and network zones.
The strategy also includes protection of data persisted in the form of backups and transportable/mobile devices. Defense in depth should take into account OS and VM hardening as well as configuration control as means of preventing attackers from thwarting the system by entering via the OS or by tampering with application files.
Question 96:
Which of the following environments are typically clustered?
A. Development Environment
B. User Acceptance Testing (UAT) Environment
C. Staging Environment
D. Nonfunctional Testing Environment
Correct Answer: B
Explanation:
UAT (also known as beta testing): Formal testing with respect to user needs, requirements, and business processes, conducted to determine whether or not a system satisfies the acceptance criteria and to enable the user, customers or other authorized entity to determine whether or not to accept the system.
Incorrect answer:
C: The staging tier is an environment that is as identical to the production environment as possible. The purpose of the Staging environment is to simulate as much of the Production environment as possible. The Staging environment can also double as a Demonstration/Training environment.
Question 97:
Which statement best describes the use of point-to-point integrations within a Service-Oriented Integration (SOI) architecture?
A. Point-to-point integrations using web services are an integral part of SOI and should be used extensively.
B. Only web service-based point-to-point integrations are allowed (but discouraged).
C. Point-to-point integrations should be avoided but are allowed as exceptions when requirements can be met only by point-to-point integration.
D. Point-to-point integrations are brittle and expensive to maintain and therefore should never be used.
Correct Answer: C
Explanation:
Avoid point-to-point integrations. Point-to-point integrations are brittle, inflexible, and expensive to maintain. There are cases where point-to-point integrations are required, but these should be handled as exception cases. Example exceptions include performance requirements that can only be met using point-to-point connections, and situations where large amounts of data must be moved.
Question 98:
Oracle Entitlements Server (OES) provides fine grained authorization capabilities that, along with Oracle Access Manager (OAM), comprise the XACML based Authorization Service. What factors should be considered when choosing how to specify and deploy OES policy decision points (PDPs)?
A. If a policy enforcement point exists in the DMZ, then a remote PDP should be deployed behind the inner firewall.
B. If both OAM and OES are used, then OES should be configured to use the PDP embedded in OAM.
C. OES includes a security provider for Oracle WebLogic Server that will handle policy decisions locally.
D. Oracle Advanced Security includes a universal stand-alone PDP that provides access for Java, .NET, and SOAP clients.
E. It is best to use a local PDP whenever possible to avoid network calls between the PEP and PDP. A remote PDP can be used when a local PDP is not available for the client technology, or for other various exceptional cases.
Correct Answer: ACE
Explanation:
A, E: Remote policy decision points (PDPs) serve computing nodes located outside the secure environment. For example, web servers located in the DMZ might leverage a central PDP, deployed behind a firewall. Policy enforcement is still local to the web servers, but decisions are made remotely.
C: OES integrates with OPSS (and other security platforms) to enable the use of local PEPs and PDPs. OPSS is a standards-based Java framework of plug-in security services and APIs. It provides the platform security for Oracle WebLogic Server.
Note: OES is a fine-grained authorization engine that simplifies the management of complex entitlement policies. The authorization engine includes both local and centralized PDPs. OES integrates with OPSS (and other security platforms) to enable the use of local PEPs and PDPs. Policy administration is centralized, providing a broad perspective of access privileges, yet delegated, enabling multiple stakeholders to maintain the policies that affect them.
Note 2: PDP - Policy Decision Point, where policy is evaluated and a decision is made. PDPs may be distributed throughout the IT environment and physically co-located with PEPs to avoid network latency.
Note 3: PEP - Policy Enforcement Point, where permit/deny access decisions are enforced. This is generally included in SOA Service or application infrastructure, such as J2EE containers that manage security. It may also be represented as custom code within a SOA Service or application, providing fine grained entitlements evaluation.
Question 99:
The Oracle Reference Architecture (ORA) contains both horizontal and vertical architectural layers. Which statements best describe the layers within ORA?
A. Layers only provide a means to partition the capabilities encompassed by ORA and have no significance.
B. Horizontal layers are used to depict that upper layers build on the capabilities provided by lower layers
C. Vertical layers are used to depict capabilities applied across all the horizontal layers.
D. Horizontal layers are used to signify that the lower layers can be accessed only via the upper layers.
E. Vertical layers are used to depict enterprise-wide capabilities, whereas horizontal layers depict departmental capabilities.
F. Horizontal layers are stateful, whereas vertical layers are stateless.
Correct Answer: BC
Explanation:
B: The horizontal layers illustrate that upper layers build upon or use the capabilities of lower layers. Examples: Shared Infrastructure, Information Management, Information Assets, Application Infrastructure.
C: Layers depicted vertically are orthogonal to the horizontal layers and apply across the entire platform, working in conjunction with horizontal layers to provide a complete solution.
Note: In order to promote modularity and encapsulation, an architecture will usually be divided into layers. Each layer has a specific purpose and leverages technologies, standards, and products designed specifically to address that purpose. Layers generally build upon the layers below and provide benefits and capabilities to the layers above. The ORA diagram in the figure below illustrates the many aspects of enterprise computing in the form of horizontal and vertical layers.
Question 100:
Which of the following are examples of dynamic modeling?
A. Behavior Modeling
B. Interaction Modeling
C. Static Modeling
D. Data Modeling
Correct Answer: AB
Explanation: Static modeling focuses on capturing the instance attributes and snapshots of nodes and objects. Dynamic modeling generally refers to one or both of the following:
* Behavior modeling that focuses on the internal state changes
* Interaction modeling that focuses on external collaborations.
Note: Modeling is a prime and foremost activity of the engineering process. Modeling bridges the gap between business and technology worlds through the language common to both sides.