Certified Cloud Security Professional (CCSP) certification validates the advanced technical skills needed to design, manage, and secure data, applications, and infrastructure in the cloud. This highly sought-after global credential has been updated with revised objectives. The new third edition of The Official (ISC)2 Guide to the CCSP CBK is the authoritative, vendor-neutral common body of knowledge for cloud security professionals.
This comprehensive resource provides cloud security professionals with an indispensable working reference to each of the six CCSP domains: Cloud Concepts, Architecture and Design; Cloud Data Security; Cloud Platform and Infrastructure Security; Cloud Application Security; Cloud Security Operations; and Legal, Risk and Compliance. Detailed, in-depth chapters contain the accurate information required to prepare for and achieve CCSP certification. Every essential area of cloud security is covered, including implementation, architecture, operations, controls, and immediate and long-term responses.
Developed by (ISC)2, the world leader in professional cybersecurity certification and training, this indispensable guide: - Covers the six CCSP domains and over 150 detailed objectives - Provides guidance on real-world best practices and techniques - Includes illustrated examples, tables, and diagrams
The Official (ISC)2 Guide to the CCSP CBK is a vital ongoing resource for IT and information security leaders responsible for applying best practices to cloud security architecture, design, operations and service orchestration.
Table of Contents
Foreword to the Fourth Edition xxi
Introduction xix
Chapter 1 Cloud Concepts, Architecture, and Design 1
Understand Cloud Computing Concepts 2
Cloud Computing Definitions 2
Cloud Computing Roles and Responsibilities 3
Key Cloud Computing Characteristics 7
Building Block Technologies 11
Describe Cloud Reference Architecture 14
Cloud Computing Activities 14
Cloud Service Capabilities 15
Cloud Service Categories 17
Cloud Deployment Models 18
Cloud Shared Considerations 21
Impact of Related Technologies 27
Understand Security Concepts Relevant to Cloud Computing 33
Cryptography and Key Management 33
Identity and Access Control 34
Data and Media Sanitization 36
Network Security 37
Virtualization Security 39
Common Threats 41
Security Hygiene 41
Understand Design Principles of Secure Cloud Computing 43
Cloud Secure Data Lifecycle 43
Cloud- Based Business Continuity and Disaster Recovery Plan 44
Business Impact Analysis 45
Functional Security Requirements 46
Security Considerations for Different Cloud Categories 48
Cloud Design Patterns 49
DevOps Security 51
Evaluate Cloud Service Providers 51
Verification against Criteria 52
System/Subsystem Product Certifications 54
Summary 56
Chapter 2 Cloud Data Security 57
Describe Cloud Data Concepts 58
Cloud Data Lifecycle Phases 58
Data Dispersion 61
Data Flows 62
Design and Implement Cloud Data Storage Architectures 63
Storage Types 63
Threats to Storage Types 66
Design and Apply Data Security Technologies and Strategies 67
Encryption and Key Management 67
Hashing 70
Data Obfuscation 71
Tokenization 73
Data Loss Prevention 74
Keys, Secrets, and Certificates Management 77
Implement Data Discovery 78
Structured Data 79
Unstructured Data 80
Semi- structured Data 81
Data Location 82
Implement Data Classification 82
Data Classification Policies 83
Mapping 85
Labeling 86
Design and Implement Information Rights Management 87
Objectives 88
Appropriate Tools 89
Plan and Implement Data Retention, Deletion, and Archiving Policies 89
Data Retention Policies 90
Data Deletion Procedures and Mechanisms 93
Data Archiving Procedures and Mechanisms 94
Legal Hold 95
Design and Implement Auditability, Traceability, and Accountability of Data Events 96
Definition of Event Sources and Requirement of Event Attribution 97
Logging, Storage, and Analysis of Data Events 99
Chain of Custody and Nonrepudiation 100
Summary 101
Chapter 3 Cloud Platform and Infrastructure Security 103
Comprehend Cloud Infrastructure and Platform Components 104
Physical Environment 104
Network and Communications 106
Compute 107
Virtualization 108
Storage 110
Management Plane 111
Design a Secure Data Center 113
Logical Design 114
Physical Design 116
Environmental Design 117
Analyze Risks Associated with Cloud Infrastructure and Platforms 119
Risk Assessment 119
Cloud Vulnerabilities, Threats, and Attacks 122
Risk Mitigation Strategies 123
Plan and Implementation of Security Controls 124
Physical and Environmental Protection 124
System, Storage, and Communication Protection 125
Identification, Authentication, and Authorization in Cloud Environments 127
Audit Mechanisms 128
Plan Disaster Recovery and Business Continuity 131
Business Continuity/Disaster Recovery Strategy 131
Business Requirements 132
Creation, Implementation, and Testing of Plan 134
Summary 138
Chapter 4 Cloud Application Security 139
Advocate Training and Awareness for Application Security 140
Cloud Development Basics 140
Common Pitfalls 141
Common Cloud Vulnerabilities 142
Describe the Secure Software Development Life Cycle Process 144
NIST Secure Software Development Framework 145
OWASP Software Assurance Maturity Model 145
Business Requirements 145
Phases and Methodologies 146
Apply the Secure Software Development Life Cycle 149
Cloud- Specific Risks 149
Threat Modeling 153
Avoid Common Vulnerabilities during Development 156
Secure Coding 156
Software Configuration Management and Versioning 157
Apply Cloud Software Assurance and Validation 158
Functional and Non- functional Testing 159
Security Testing Methodologies 160
Quality Assurance 164
Abuse Case Testing 164
Use Verified Secure Software 165
Securing Application Programming Interfaces 165
Supply- Chain Management 166
Third- Party Software Management 166
Validated Open- Source Software 167
Comprehend the Specifics of Cloud Application Architecture 168
Supplemental Security Components 169
Cryptography 171
Sandboxing 172
Application Virtualization and Orchestration 173
Design Appropriate Identity and Access Management Solutions 174
Federated Identity 175
Identity Providers 175
Single Sign- on 176
Multifactor Authentication 176
Cloud Access Security Broker 178
Summary 179
Chapter 5 Cloud Security Operations 181
Build and Implement Physical and Logical Infrastructure for Cloud Environment 182
Hardware- Specific Security Configuration Requirements 182
Installation and Configuration of Virtualization Management Tools 185
Virtual Hardware-Specific Security Configuration Requirements 186
Installation of Guest Operating System Virtualization Toolsets 188
Operate Physical and Logical Infrastructure for Cloud Environment 188
Configure Access Control for Local and Remote Access 188
Secure Network Configuration 190
Operating System Hardening through the Application of Baselines 195
Availability of Stand- Alone Hosts 196
Availability of Clustered Hosts 197
Availability of Guest Operating Systems 199
Manage Physical and Logical Infrastructure for Cloud Environment 200
Access Controls for Remote Access 201
Operating System Baseline Compliance Monitoring and Remediation 202
Patch Management 203
Performance and Capacity Monitoring 205
Hardware Monitoring 206
Configuration of Host and Guest Operating System Backup and Restore Functions 207
Network Security Controls 208
Management Plane 212
Implement Operational Controls and Standards 212
Change Management 213
Continuity Management 214
Information Security Management 216
Continual Service Improvement Management 217
Incident Management 218
Problem Management 221
Release Management 221
Deployment Management 222
Configuration Management 224
Service Level Management 225
Availability Management 226
Capacity Management 227
Support Digital Forensics 228
Forensic Data Collection Methodologies 228
Evidence Management 230
Collect, Acquire, and Preserve Digital Evidence 231
Manage Communication with Relevant Parties 234
Vendors 235
Customers 236
Partners 238
Regulators 238
Other Stakeholders 239
Manage Security Operations 239
Security Operations Center 240
Monitoring of Security Controls 244
Log Capture and Analysis 245
Incident Management 248
Summary 253
Chapter 6 Legal, Risk, and Compliance 255
Articulating Legal Requirements and Unique Risks within the Cloud Environment 256
Conflicting International Legislation 256
Evaluation of Legal Risks Specific to Cloud Computing 258
Legal Frameworks and Guidelines 258
eDiscovery 265
Forensics Requirements 267
Understand Privacy Issues 267
Difference between Contractual and Regulated Private Data 268
Country- Specific Legislation Related to Private Data 272
Jurisdictional Differences in Data Privacy 277
Standard Privacy Requirements 278
Privacy Impact Assessments 280
Understanding Audit Process, Methodologies, and Required Adaptations for a Cloud Environment 281
Internal and External Audit Controls 282
Impact of Audit Requirements 283
Identify Assurance Challenges of Virtualization and Cloud 284
Types of Audit Reports 285
Restrictions of Audit Scope Statements 288
Gap Analysis 289
Audit Planning 290
Internal Information Security Management System 291
Internal Information Security Controls System 292
Policies 293
Identification and Involvement of Relevant Stakeholders 296
Specialized Compliance Requirements for Highly Regulated Industries 297
Impact of Distributed Information Technology Model 298
Understand Implications of Cloud to Enterprise Risk Management 299
Assess Providers Risk Management Programs 300
Differences between Data Owner/Controller vs. Data Custodian/Processor 301
Regulatory Transparency Requirements 302
Risk Treatment 303
Risk Frameworks 304
Metrics for Risk Management 307
Assessment of Risk Environment 307
Understand Outsourcing and Cloud Contract Design 309
Business Requirements 309
Vendor Management 311
Contract Management 312
Supply Chain Management 314
Summary 316
Index 317