ISC2 Certified Cloud Security Professional (CCSP) Practice Question
A cloud provider is designing a multi-tenant DevOps PaaS that lets customers upload and run arbitrary build scripts during their CI/CD pipelines. The security team requires strong isolation so a compromised build job cannot read host files or affect other tenants, while operations staff need the solution to start in milliseconds and support thousands of concurrent jobs per host with minimal resource overhead. Which sandboxing technique best satisfies both isolation and performance requirements in this scenario?
Operating-system level containers that use Linux namespaces and cgroups
Traditional chroot jails inside the host operating system
Full virtual machines deployed on a bare-metal Type-1 hypervisor
Host-based application whitelisting enforced through a mandatory access control policy
Operating-system level containers implement sandboxing by wrapping each build job in its own set of kernel namespaces and cgroups. This confines the job's view of the filesystem, processes, network, and device nodes while limiting its CPU and memory usage. Because containers share the host kernel, they start quickly and consume far fewer resources than full virtual machines, enabling high job density. Full VMs provide strong isolation but impose significant memory, storage, and boot-time overhead. A simple chroot jail offers only filesystem separation and lacks process or network isolation, making it inadequate. Host-based application whitelisting or mandatory access controls can harden the OS but do not create discrete runtime sandboxes for each untrusted script.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are Linux namespaces and cgroups?
Open an interactive chat with Bash
Why are operating-system level containers preferred over full virtual machines in this scenario?
Open an interactive chat with Bash
How does a chroot jail differ from Linux namespaces?
Open an interactive chat with Bash
ISC2 Certified Cloud Security Professional (CCSP)
Cloud Application Security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .