John Wiley & Sons The Official (ISC)2 CCSP CBK Reference Cover The only official body of knowledge for CCSP--the most popular cloud security credential--fully revi.. Product #: 978-1-119-60343-6 Regular price: $74.67 $74.67 Auf Lager

The Official (ISC)2 CCSP CBK Reference

Fife, Leslie / Kraus, Aaron / Lewis, Bryan


3. Auflage August 2021
320 Seiten, Hardcover

ISBN: 978-1-119-60343-6
John Wiley & Sons

Jetzt kaufen

Preis: 79,90 €

Preis inkl. MwSt, zzgl. Versand

Weitere Versionen


The only official body of knowledge for CCSP--the most popular cloud security credential--fully revised and updated.

Certified Cloud Security Professional (CCSP) certification validates the advanced technical skills needed to design, manage, and secure data, applications, and infrastructure in the cloud. This highly sought-after global credential has been updated with revised objectives. The new third edition of The Official (ISC)² Guide to the CCSP CBK is the authoritative, vendor-neutral common body of knowledge for cloud security professionals.

This comprehensive resource provides cloud security professionals with an indispensable working reference to each of the six CCSP domains: Cloud Concepts, Architecture and Design; Cloud Data Security; Cloud Platform and Infrastructure Security; Cloud Application Security; Cloud Security Operations; and Legal, Risk and Compliance. Detailed, in-depth chapters contain the accurate information required to prepare for and achieve CCSP certification. Every essential area of cloud security is covered, including implementation, architecture, operations, controls, and immediate and long-term responses.

Developed by (ISC)², the world leader in professional cybersecurity certification and training, this indispensable guide:
* Covers the six CCSP domains and over 150 detailed objectives
* Provides guidance on real-world best practices and techniques
* Includes illustrated examples, tables, and diagrams

The Official (ISC)² Guide to the CCSP CBK is a vital ongoing resource for IT and information security leaders responsible for applying best practices to cloud security architecture, design, operations and service orchestration.

Acknowledgments v

About the Authors vii

About the Technical Editor ix

Foreword to the Third Edition xxi

Introduction xxiii

Domain 1: Cloud Concepts, Architecture, and Design 1

Understand Cloud Computing Concepts 1

Cloud Computing Definitions 1

Cloud Computing Roles 4

Key Cloud Computing Characteristics 5

Building Block Technologies 9

Describe Cloud Reference Architecture 12

Cloud Computing Activities 12

Cloud Service Capabilities 13

Cloud Service Categories 14

Cloud Deployment Models 15

Cloud Shared Considerations 17

Impact of Related Technologies 23

Understand Security Concepts Relevant to Cloud Computing 27

Cryptography and Key Management 27

Access Control 28

Data and Media Sanitization 29

Network Security 30

Virtualization Security 31

Common Threats 32

Understand Design Principles of Secure Cloud Computing 33

Cloud Secure Data Lifecycle 33

Cloud-Based Disaster Recovery and Business Continuity Planning 33

Cost-Benefit Analysis 34

Functional Security Requirements 35

Security Considerations for Different Cloud Categories 36

Evaluate Cloud Service Providers 38

Verification against Criteria 39

System/Subsystem Product Certifications 40

Summary 41

Domain 2: Cloud Data Security 43

Describe Cloud Data Concepts 43

Cloud Data Lifecycle Phases 44

Data Dispersion 47

Design and Implement Cloud Data Storage Architectures 48

Storage Types 48

Threats to Storage Types 50

Design and Apply Data Security Technologies and Strategies 52

Encryption and Key Management 52

Hashing 55

Masking 56

Tokenization 56

Data Loss Prevention 57

Data Obfuscation 60

Data De-identification 61

Implement Data Discovery 62

Structured Data 64

Unstructured Data 65

Implement Data Classification 66

Mapping 68

Labeling 68

Sensitive Data 69

Design and Implement Information Rights Management 71

Objectives 72

Appropriate Tools 73

Plan and Implement Data Retention, Deletion, and Archiving Policies 74

Data Retention Policies 74

Data Deletion Procedures and Mechanisms 77

Data Archiving Procedures and Mechanisms 79

Legal Hold 80

Design and Implement Auditability, Traceability, and Accountability of Data Events 81

Definition of Event Sources and Requirement of Identity Attribution 81

Logging, Storage, and Analysis of Data Events 82

Chain of Custody and Nonrepudiation 84

Summary 85

Domain 3: Cloud Platform and Infrastructure Security 87

Comprehend Cloud Infrastructure Components 88

Physical Environment 88

Network and Communications 89

Compute 90

Virtualization 91

Storage 93

Management Plane 93

Design a Secure Data Center 95

Logical Design 95

Physical Design 97

Environmental Design 98

Analyze Risks Associated with Cloud Infrastructure 99

Risk Assessment and Analysis 100

Cloud Vulnerabilities, Threats, and Attacks 101

Virtualization Risks 101

Countermeasure Strategies 102

Design and Plan Security Controls 102

Physical and Environmental Protection 103

System and Communication Protection 103

Virtualization Systems Protection 104

Identification, Authentication, and Authorization in Cloud Infrastructure 105

Audit Mechanisms 106

Plan Disaster Recovery and Business Continuity 107

Risks Related to the Cloud Environment 108

Business Requirements 109

Business Continuity/Disaster Recovery Strategy 111

Creation, Implementation, and Testing of Plan 112

Summary 116

Domain 4: Cloud Application Security 117

Advocate Training and Awareness for Application Security 117

Cloud Development Basics 118

Common Pitfalls 118

Common Cloud Vulnerabilities 119

Describe the Secure Software Development Lifecycle Process 120

NIST Secure Software Development Framework 120

OWASP Software Assurance Security Model 121

Business Requirements 121

Phases and Methodologies 122

Apply the Secure Software Development Lifecycle 123

Avoid Common Vulnerabilities During Development 123

Cloud-Specific Risks 124

Quality Assurance 127

Threat Modeling 127

Software Configuration Management and Versioning 128

Apply Cloud Software Assurance and Validation 129

Functional Testing 130

Security Testing Methodologies 131

Use Verified Secure Software 132

Approved Application Programming Interfaces 132

Supply-Chain Management 133

Third-Party Software Management 134

Validated Open Source Software 134

Comprehend the Specifics of Cloud Application Architecture 135

Supplemental Security Components 136

Cryptography 138

Sandboxing 139

Application Virtualization and Orchestration 139

Design Appropriate Identity and Access Management Solutions 140

Federated Identity 140

Identity Providers 141

Single Sign-On 141

Multifactor Authentication 142

Cloud Access Security Broker 142

Summary 143

Domain 5: Cloud Security Operations 145

Implement and Build Physical and Logical Infrastructure for Cloud Environment 145

Hardware-Specific Security Configuration Requirements 146

Installation and Configuration of Virtualization Management Tools 149

Virtual Hardware-Specific Security Configuration Requirements 150

Installation of Guest Operating System Virtualization Toolsets 152

Operate Physical and Logical Infrastructure for Cloud Environment 152

Configure Access Control for Local and Remote Access 153

Secure Network Configuration 155

Operating System Hardening through the Application of Baselines 160

Availability of Stand-Alone Hosts 162

Availability of Clustered Hosts 162

Availability of Guest Operating Systems 165

Manage Physical and Logical Infrastructure for Cloud Environment 166

Access Controls for Remote Access 166

Operating System Baseline Compliance Monitoring and Remediation 168

Patch Management 169

Performance and Capacity Monitoring 172

Hardware Monitoring 173

Configuration of Host and Guest Operating System Backup

and Restore Functions 174

Network Security Controls 175

Management Plane 179

Implement Operational Controls and Standards 180

Change Management 180

Continuity Management 182

Information Security Management 184

Continual Service Improvement Management 185

Incident Management 186

Problem Management 189

Release Management 190

Deployment Management 191

Configuration Management 192

Service Level Management 194

Availability Management 195

Capacity Management 196

Support Digital Forensics 197

Forensic Data Collection Methodologies 197

Evidence Management 200

Collect, Acquire, and Preserve Digital Evidence 201

Manage Communication with Relevant Parties 204

Vendors 205

Customers 206

Shared Responsibility Model 206

Partners 208

Regulators 208

Other Stakeholders 209

Manage Security Operations 210

Security Operations Center 210

Monitoring of Security Controls 215

Log Capture and Analysis 217

Incident Management 220

Summary 226

Domain 6: Legal, Risk, and Compliance 227

Articulating Legal Requirements and Unique Risks Within the Cloud Environment 227

Conflicting International Legislation 228

Evaluation of Legal Risks Specific to Cloud Computing 229

Legal Frameworks and Guidelines That Affect Cloud Computing 229

Forensics and eDiscovery in the Cloud 236

Understanding Privacy Issues 238

Difference between Contractual and Regulated Private Data 239

Country-Specific Legislation Related to Private Data 242

Jurisdictional Differences in Data Privacy 247

Standard Privacy Requirements 248

Understanding Audit Process, Methodologies, and Required Adaptations for a Cloud Environment 250

Internal and External Audit Controls 251

Impact of Audit Requirements 251

Identity Assurance Challenges of Virtualization and Cloud 252

Types of Audit Reports 252

Restrictions of Audit Scope Statements 255

Gap Analysis 256

Audit Planning 257

Internal Information Security Management Systems 258

Internal Information Security Controls System 259

Policies 260

Identification and Involvement of Relevant Stakeholders 262

Specialized Compliance Requirements for Highly Regulated Industries 264

Impact of Distributed Information Technology Models 264

Understand Implications of Cloud to Enterprise Risk Management 266

Assess Providers Risk Management Programs 266

Differences Between Data Owner/Controller vs. Data Custodian/Processor 268

Regulatory Transparency Requirements 269

Risk Treatment 270

Risk Frameworks 270

Metrics for Risk Management 272

Assessment of Risk Environment 273

Understanding Outsourcing and Cloud Contract Design 276

Business Requirements 277

Vendor Management 278

Contract Management 279

Supply Chain Management 281

Summary 282

Index 283
(ISC)² is an international, nonprofit membership association for information security leaders like you. (ISC)² is committed to helping their members learn, grow and thrive. More than 150,000 certified members strong, (ISC)² empowers professionals who touch every aspect of information security.