CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition

by Daniel Carter

Paperback (3rd ed.)

$60.00 
Overview

This fully updated self-study guide delivers 100% coverage of all topics on the current version of the CCSP exam

Thoroughly revised for the 2022 edition of the exam, this highly effective test preparation guide covers all six domains within the CCSP Body of Knowledge. The book offers clear explanations of every subject on the CCSP exam and features accurate practice questions and real-world examples. New, updated, or expanded coverage includes cloud data security, DevOps security, mobile computing, threat modeling paradigms, regulatory and legal frameworks, and best practices and standards.

Written by a respected computer security expert, CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition is both a powerful study tool and a valuable reference that will serve professionals long after the test. To aid in self-study, each chapter includes exam tips that highlight key information, a summary that serves as a quick review of salient points, and practice questions that allow you to test your comprehension. Special design elements throughout provide insight and call out potentially harmful situations.

  • All practice questions match the tone, content, and format of those on the actual exam
  • Includes access to 300 practice questions in the TotalTester™ Online customizable test engine
  • Written by an IT security expert and experienced author


Product Details

ISBN-13: 9781264842209
Publisher: McGraw Hill LLC
Publication date: 11/18/2022
Edition description: 3rd ed.
Pages: 480
Sales rank: 622,298
Product dimensions: 7.30(w) x 9.00(h) x 1.20(d)

About the Author

Daniel Carter, MS, CISSP, CCSP, CISM, CISA, is a Cyber Security Project Manager with The Johns Hopkins University & Hospital. An IT security and systems professional for almost 25 years, he has worked extensively with web-based applications and infrastructure, as well as LDAP, SAML, and federated identity systems, PKI, SIEM, and Linux/Unix systems. Daniel is the author of the prior editions of CCSP Certified Cloud Security Professional All-in-One Exam Guide, Practice Exams, and AWS Certified Cloud Practitioner All-in-One Exam Guide (Exam CLF-C01).

Table of Contents

Acknowledgments xvii

Introduction xix

Chapter 1 How to Obtain the CCSP and Introduction to Security 1

Why Get Certified? 1

How to Get Certified 2

CCSP Domains 3

Domain 1 Cloud Concepts, Architecture, and Design 3

Domain 2 Cloud Data Security 5

Domain 3 Cloud Platform and Infrastructure Security 6

Domain 4 Cloud Application Security 7

Domain 5 Cloud Security Operations 8

Domain 6 Legal, Risk, and Compliance 10

Introduction to IT Security 11

Basic Security Concepts 11

Risk Management 15

Business Continuity and Disaster Recovery 16

Chapter Review 16

Chapter 2 Cloud Concepts, Architecture, and Design 17

Understand Cloud Computing Concepts 18

Cloud Computing Definitions 18

Cloud Computing Roles 19

Key Cloud Computing Characteristics 20

Building-Block Technologies 23

Describe a Cloud Reference Architecture 23

Cloud Computing Activities 23

Cloud Service Capabilities 24

Cloud Service Categories 25

Cloud Deployment Models 30

Cloud Shared Considerations 34

Impact of Related Technologies 38

Understand Security Concepts Relevant to Cloud Computing 43

Cryptography 43

Identity and Access Control 45

Data and Media Sanitation 48

Network Security 50

Virtualization Security 52

Common Threats 54

Security Hygiene 58

Understand Design Principles of Secure Cloud Computing 58

Cloud Secure Data Lifecycle 58

Cloud-Based Business Continuity/Disaster Recovery Planning 59

Business Impact Analysis 61

Functional Security Requirements 62

Security Considerations for the Different Cloud Categories 63

Cloud Design Patterns 67

DevOps Security 71

Evaluate Cloud Service Providers 71

Verification Against Criteria 71

System/Subsystem Product Certifications 76

Exercise 78

Chapter Review 78

Questions 78

Questions and Answers 82

Chapter 3 Cloud Data Security 89

Describe Cloud Data Concepts 89

Cloud Data Lifecycle Phases 89

Data Dispersion 92

Data Flows 93

Design and Implement Cloud Data Storage Architectures 93

Storage Types 94

Threats to Storage Types 96

Design and Apply Data Security Technologies and Strategies 96

Encryption 97

Hashing 98

Key Management 99

Tokenization 100

Data Loss Prevention 101

Data De-Identification 102

Application of Technologies 103

Emerging Technologies 104

Implement Data Discovery 105

Structured Data 107

Unstructured Data 107

Privacy Roles and Responsibilities 107

Implementation of Data Discovery 107

Classification of Discovered Sensitive Data 108

Mapping and Definition of Controls 108

Application of Defined Controls 109

Implement Data Classification 110

Mapping 110

Labeling 111

Sensitive Data 111

Design and Implement Information Rights Management (IRM) 112

Data Rights Objectives 112

Tools 113

Plan and Implement Data Retention, Deletion, and Archiving Policies 114

Data Retention Policies 114

Data Deletion Procedures and Mechanisms 115

Data Archiving Procedures and Mechanisms 115

Legal Hold 118

Design and Implement Auditability, Traceability, and Accountability of Data Events 118

Definition of Event Sources 118

Identity Attribution Requirements 120

Data Event Logging 122

Storage and Analysis of Data Events 123

Continuous Optimizations 126

Chain of Custody and Nonrepudiation 127

Exercise 127

Chapter Review 128

Questions 128

Questions and Answers 131

Chapter 4 Cloud Platform and Infrastructure Security 137

Comprehend Cloud Infrastructure and Platform Components 137

Physical Hardware and Environment 137

Networking 139

Computing 140

Storage 141

Virtualization 142

Management Plane 143

Design a Secure Data Center 144

Logical Design 144

Physical Design 146

Environmental Design 148

Design Resilient 149

Analyze Risks Associated with Cloud Infrastructure and Platforms 150

Risk Assessment and Analysis 151

Virtualization Risks 152

Risk Mitigation Strategies 153

Plan and Implementation of Security Controls 153

Physical and Environmental Protection 154

System, Storage, and Communication Protection 155

Virtualization Systems Protection 155

Identification, Authentication, and Authorization in a Cloud Infrastructure 157

Audit Mechanisms 159

Plan Business Continuity (BC) and Disaster Recovery (DR) 162

Understanding the Cloud Environment 162

Understanding Business Requirements 163

Understanding Risks 164

Disaster Recovery/Business Continuity Strategy 165

Exercise 169

Chapter Review 169

Questions 170

Questions and Answers 173

Chapter 5 Cloud Application Security 179

Advocate Training and Awareness for Application Security 179

Cloud Development Basics 180

Common Pitfalls 180

Common Cloud Vulnerabilities 182

Describe the Secure Software Development Lifecycle (SDLC) Process 189

Business Requirements 189

Phases 189

Methodologies 191

Apply the Secure Software Development Lifecycle 192

Cloud-Specific Risks 192

Threat Modeling 194

Secure Coding 197

Software Configuration Management and Versioning 198

Apply Cloud Software Assurance and Validation 199

Cloud-Based Functional Testing 199

Cloud Secure Development Lifecycle (CSDLC) 199

Security Testing 200

Quality of Service 201

Use Verified Secure Software 202

Approved API 202

Supply Chain Management 202

Community Knowledge 203

Comprehend the Specifics of Cloud Application Architecture 203

Supplemental Security Devices 204

Cryptography 206

Sandboxing 206

Application Virtualization 207

Design Appropriate Identity and Access Management (IAM) Solutions 208

Federated Identity 208

Identity Providers 210

Single Sign-On 210

Multifactor Authentication 211

Cloud Access Security Broker 211

Exercise 212

Chapter Review 212

Questions 212

Questions and Answers 214

Chapter 6 Cloud Security Operations 221

Implement and Build the Physical and Logical Infrastructure for the Cloud Environment 221

Hardware-Specific Security Configuration Requirements 221

Installation and Configuration of Management Tools 222

Virtual Hardware Specific Security Configuration Requirements 223

Installation of Guest Operating System Virtualization Toolsets 228

Operate the Physical and Logical Infrastructure for the Cloud Environment 228

Access Controls for Local and Remote Access 228

Secure Network Configuration 231

Network Security Controls 235

OS Hardening via Application of Baselines 239

Patch Management 241

Infrastructure as Code Strategy 243

Availability of Standalone Hosts 243

Availability of Clustered Hosts 244

Availability of the Guest Operating System 245

Performance Monitoring 246

Hardware Monitoring 246

Backup and Restore Functions 247

Management Plane 247

Implement Operational Controls and Standards 249

Change Management 249

Continuity Management 251

Information Security Management 251

Continual Service Improvement Management 252

Incident Management 252

Problem Management 252

Release and Deployment Management 253

Configuration Management 253

Service Level Management 254

Availability Management 254

Capacity Management 254

Support Digital Forensics 255

Forensic Data Collection Methodologies 255

Evidence Management 256

Manage Communication with Relevant Parties 257

Vendors 257

Customers 257

Partners 258

Regulators 258

Other Stakeholders 258

Manage Security Operations 258

Security Operations Center 258

Monitoring of Security Controls 259

Log Capture and Analysis 259

Exercise 261

Chapter Review 261

Questions 261

Questions and Answers 263

Chapter 7 Legal, Risk, and Compliance 269

Articulate Legal Requirements and Unique Risks Within the Cloud Environment 269

Conflicting International Legislation 269

Evaluation of Legal Risks Specific to Cloud Computing 270

Legal Framework and Guidelines 270

eDiscovery 271

Forensics Requirements 275

Understand Privacy Issues 276

Difference Between Contractual and Regulated Personally Identifiable Information 276

Country-Specific Legislation Related to PII and Data Privacy 277

Differences Among Confidentiality, Integrity, Availability, and Privacy 279

Standard Privacy Requirements 282

Privacy Impact Assessments 284

Understand Audit Processes, Methodologies, and Required Adaptations for a Cloud Environment 284

Internal and External Audit Controls 284

Impact of Audit Requirements 285

Identify Assurance Challenges of Virtualization and Cloud 285

Types of Audit Reports 286

Restrictions of Audit Scope Statements 289

Gap Analysis 291

Audit Planning 291

Internal Information Security Management System 296

Internal Information Security Controls System 297

Policies 298

Identification and Involvement of Relevant Stakeholders 298

Specialized Compliance Requirements for Highly Regulated Industries 299

Impact of Distributed IT Model 301

Understand Implications of Cloud to Enterprise Risk Management 302

Assess Provider's Risk Management 302

Difference Between Data Owner/Controller vs. Data Custodian/Processor 302

Risk Treatment 303

Different Risk Frameworks 307

Metrics for Risk Management 308

Assessment of the Risk Environment 309

Understand Outsourcing and Cloud Contract Design 309

Business Requirements 309

Vendor Management 310

Contract Management 312

Executive Vendor Management 314

Supply Chain Management 314

Exercise 315

Chapter Review 315

Questions 315

Questions and Answers 318

Appendix A Exam Review Questions 323

Questions 323

Quick Answers 343

Questions and Comprehensive Answer Explanations 344

Appendix B About the Online Content 423

System Requirements 423

Your Total Seminars Training Hub Account 423

Privacy Notice 423

Single User License Terms and Conditions 423

TotalTester Online 425

Technical Support 425

Glossary 427

Index 443
