Appendix. Exercise Solutions

Here are the answers for the exercises at the end of each chapter.

Chapter 1

  1. A, C, and D. Requiring multi-factor authentication is also a good idea, but it’s an example of the principle of defense in depth, not least privilege.

  2. A and D. Strict firewall controls may help, but they don’t demonstrate defense in depth unless paired with another control. Trust boundaries are also important, and may be used to define controls, but are not a defense in depth control.

  3. A, B, C, and D. Threat actors may want to do all of these things, although historically making money is by far the largest motivator. In addition, some threat actors may be motivated simply by the challenge of breaking in or enhancing their reputations in hacking circles.

  4. A. Depending on the service delivery model, network security and operating security may be the cloud provider’s responsibility, or may not be. Data access security—choosing who gets access to the data—is almost always the consumer’s responsibility.

  5. A and B. Most risk assessment systems use some form of likelihood and impact assessment to determine the overall risk level. Transferring a risk doesn’t determine the severity of the risk, but may be a way to deal with the risk. Your risk severity is also not directly affected by whether the attacker’s actions are legal or not, although taking illegal actions may raise the attacker’s risk of going to jail.

Chapter 2

  1. A. While you may need more than 3 data classification ...
