CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide

Introduction xxiii
Assessment Test xxxii

Chapter 1 Architectural Concepts 1
Cloud Characteristics 3
Business Requirements 5
Understanding the Existing State 6
Cost/Benefit Analysis 7
Intended Impact 10
Cloud Computing Service Categories 11
Software as a Service 11
Infrastructure as a Service 12
Platform as a Service 12
Cloud Deployment Models 13
Private Cloud 13
Public Cloud 13
Hybrid Cloud 13
Multi- Cloud 13
Community Cloud 13
Multitenancy 14
Cloud Computing Roles and Responsibilities 15
Cloud Computing Reference Architecture 16
Virtualization 18
Hypervisors 18
Virtualization Security 19
Cloud Shared Considerations 20
Security and Privacy Considerations 20
Operational Considerations 21
Emerging Technologies 22
Machine Learning and Artificial Intelligence 22
Blockchain 23
Internet of Things 24
Containers 24
Quantum Computing 25
Edge and Fog Computing 26
Confidential Computing 26
DevOps and DevSecOps 27
Summary 28
Exam Essentials 28
Review Questions 30

Chapter 2 Data Classification 35
Data Inventory and Discovery 37
Data Ownership 37
Data Flows 42
Data Discovery Methods 43
Information Rights Management 46
Certificates and IRM 47
IRM in the Cloud 47
IRM Tool Traits 47
Data Control 49
Data Retention 50
Data Audit and Audit Mechanisms 53
Data Destruction/Disposal 55
Summary 57
Exam Essentials 57
Review Questions 59

Chapter 3 Cloud Data Security 63
Cloud Data Lifecycle 65
Create 66
Store 66
Use 67
Share 67
Archive 69
Destroy 70
Cloud Storage Architectures 71
Storage Types 71
Volume Storage: File- Based Storage and Block Storage 72
Object- Based Storage 72
Databases 73
Threats to Cloud Storage 73
Designing and Applying Security Strategies for Storage 74
Encryption 74
Certificate Management 77
Hashing 77
Masking, Obfuscation, Anonymization, and Tokenization 78
Data Loss Prevention 81
Log Capture and Analysis 82
Summary 85
Exam Essentials 85
Review Questions 86

Chapter 4 Security in the Cloud 91

Chapter 5 Shared Cloud Platform Risks and Responsibilities 92
Cloud Computing Risks by Deployment Model 94
Private Cloud 95
Community Cloud 95
Public Cloud 97
Hybrid Cloud 101
Cloud Computing Risks by Service Model 102
Infrastructure as a Service (IaaS) 102
Platform as a Service (PaaS) 102
Software as a Service (SaaS) 103
Virtualization 103
Threats 105
Risk Mitigation Strategies 107
Disaster Recovery (DR) and Business Continuity (BC) 110
Cloud- Specific BIA Concerns 110
Customer/Provider Shared BC/DR Responsibilities 111
Cloud Design Patterns 114
Summary 115
Exam Essentials 115
Review Questions 116
Cloud Platform, Infrastructure, and Operational Security 121
Foundations of Managed Services 123
Cloud Provider Responsibilities 124
Shared Responsibilities by Service Type 125
IaaS 125
PaaS 126
SaaS 126
Securing Communications and Infrastructure 126
Firewalls 127
Intrusion Detection/Intrusion Prevention Systems 128
Honeypots 128
Vulnerability Assessment Tools 128
Bastion Hosts 129
Identity Assurance in Cloud and Virtual Environments 130
Securing Hardware and Compute 130
Securing Software 132
Third- Party Software Management 133
Validating Open- Source Software 134
OS Hardening, Monitoring, and Remediation 134
Managing Virtual Systems 135
Assessing Vulnerabilities 137
Securing the Management Plane 138
Auditing Your Environment and Provider 141
Adapting Processes for the Cloud 142
Planning for Cloud Audits 143
Summary 144
Exam Essentials 145
Review Questions 147

Chapter 6 Cloud Application Security 151
Developing Software for the Cloud 154
Common Cloud Application Deployment Pitfalls 155
Cloud Application Architecture 157
Cryptography 157
Sandboxing 158
Application Virtualization and Orchestration 158
Application Programming Interfaces 159
Multitenancy 162
Supplemental Security Components 162
Cloud- Secure Software Development Lifecycle (SDLC) 164
Software Development Phases 165
Software Development Models 166
Cloud Application Assurance and Validation 172
Threat Modeling 172
Common Threats to Applications 174
Quality Assurance and Testing Techniques 175
Supply Chain Management and Licensing 177
Identity and Access Management 177
Cloud Identity and Access Control 178
Single Sign- On 179
Identity Providers 180
Federated Identity Management 180
Multifactor Authentication 181
Secrets Management 182
Common Threats to Identity and Access Management in the Cloud 183
Zero Trust 183
Summary 183
Exam Essentials 184
Review Questions 186

Chapter 7 Operations Elements 191
Designing a Secure Data Center 193
Build vs. Buy 193
Location 194
Facilities and Redundancy 196
Data Center Tiers 200
Logical Design 201
Virtualization Operations 202
Storage Operations 205
Managing Security Operations 207
Security Operations Center (SOC) 208
Continuous Monitoring 208
Incident Management 209
Summary 209
Exam Essentials 210
Review Questions 211

Chapter 8 Operations Management 215
Monitoring, Capacity, and Maintenance 217
Monitoring 217
Physical and Environmental Protection 218
Maintenance 219
Change and Configuration Management 224
Baselines 224
Roles and Process 226
Release and Deployment Management 228
Problem and Incident Management 229
IT Service Management and Continual Service Improvement 229
Business Continuity and Disaster Recovery 231
Prioritizing Safety 231
Continuity of Operations 232
BC/DR Planning 232
The BC/DR Toolkit 234
Relocation 235
Power 237
Testing 238
Summary 239
Exam Essentials 239
Review Questions 241

Chapter 9 Legal and Compliance Issues 245
Legal Requirements and Unique Risks in the Cloud Environment 247
Constitutional Law 247
Legislation 249
Administrative Law 249
Case Law 250
Common Law 250
Contract Law 250
Analyzing a Law 251
Determining Jurisdiction 251
Scope and Application 252
Legal Liability 253
Torts and Negligence 254
U.S. Privacy and Security Laws 255
Health Insurance Portability and Accountability Act 255
The Health Information Technology for Economic and Clinical Health Act 258
Gramm–Leach–Bliley Act 259
Sarbanes–Oxley Act 261
State Data Breach Notification Laws 261
International Laws 263
European Union General Data Protection Regulation 263
Adequacy Decisions 267
U.S.- EU Safe Harbor and Privacy Shield 267
Laws, Regulations, and Standards 269
Payment Card Industry Data Security Standard 270
Critical Infrastructure Protection Program 270
Conflicting International Legislation 270
Information Security Management Systems 272
Iso/iec 27017:2015 272
Privacy in the Cloud 273
Generally Accepted Privacy Principles 273
Iso 27018 279
Direct and Indirect Identifiers 279
Privacy Impact Assessments 280
Cloud Forensics 281
Forensic Requirements 281
Cloud Forensic Challenges 281
Collection and Acquisition 282
Evidence Preservation and Management 283
e-discovery 283
Audit Processes, Methodologies, and Cloud Adaptations 284
Virtualization 284
Scope 284
Gap Analysis 285
Restrictions of Audit Scope Statements 285
Policies 286
Audit Reports 286
Summary 288
Exam Essentials 288
Review Questions 290

Chapter 10 Cloud Vendor Management 295
The Impact of Diverse Geographical Locations and Legal Jurisdictions 297
Security Policy Framework 298
Policies 298
Standards 300
Procedures 302
Guidelines 303
Exceptions and Compensating Controls 304
Developing Policies 305
Enterprise Risk Management 306
Risk Identification 308
Risk Calculation 308
Risk Assessment 309
Risk Treatment and Response 313
Risk Mitigation 313
Risk Avoidance 314
Risk Transference 314
Risk Acceptance 315
Risk Analysis 316
Risk Reporting 316
Enterprise Risk Management 318
Assessing Provider Risk Management Practices 318
Risk Management Frameworks 319
Cloud Contract Design 320
Business Requirements 321
Vendor Management 321
Data Protection 323
Negotiating Contracts 324
Common Contract Provisions 324
Contracting Documents 326
Government Cloud Standards 327
Common Criteria 327
FedRAMP 327
Fips 140- 2 327
Manage Communication with Relevant Parties 328
Summary 328
Exam Essentials 329
Review Questions 330

Appendix Answers to the Review Questions 335

Index 355