The Official (ISC)2 CCSP CBK Reference

Foreword to the Fourth Edition xxi

Introduction xix

Chapter 1 Cloud Concepts, Architecture, and Design 1

Understand Cloud Computing Concepts 2

Cloud Computing Definitions 2

Cloud Computing Roles and Responsibilities 3

Key Cloud Computing Characteristics 7

Building Block Technologies 11

Describe Cloud Reference Architecture 14

Cloud Computing Activities 14

Cloud Service Capabilities 15

Cloud Service Categories 17

Cloud Deployment Models 18

Cloud Shared Considerations 21

Impact of Related Technologies 27

Understand Security Concepts Relevant to Cloud Computing 33

Cryptography and Key Management 33

Identity and Access Control 34

Data and Media Sanitization 36

Network Security 37

Virtualization Security 39

Common Threats 41

Security Hygiene 41

Understand Design Principles of Secure Cloud Computing 43

Cloud Secure Data Lifecycle 43

Cloud- Based Business Continuity and Disaster Recovery Plan 44

Business Impact Analysis 45

Functional Security Requirements 46

Security Considerations for Different Cloud Categories 48

Cloud Design Patterns 49

DevOps Security 51

Evaluate Cloud Service Providers 51

Verification against Criteria 52

System/Subsystem Product Certifications 54

Summary 56

Chapter 2 Cloud Data Security 57

Describe Cloud Data Concepts 58

Cloud Data Lifecycle Phases 58

Data Dispersion 61

Data Flows 62

Design and Implement Cloud Data Storage Architectures 63

Storage Types 63

Threats to Storage Types 66

Design and Apply Data Security Technologies and Strategies 67

Encryption and Key Management 67

Hashing 70

Data Obfuscation 71

Tokenization 73

Data Loss Prevention 74

Keys, Secrets, and Certificates Management 77

Implement Data Discovery 78

Structured Data 79

Unstructured Data 80

Semi- structured Data 81

Data Location 82

Implement Data Classification 82

Data Classification Policies 83

Mapping 85

Labeling 86

Design and Implement Information Rights Management 87

Objectives 88

Appropriate Tools 89

Plan and Implement Data Retention, Deletion, and Archiving Policies 89

Data Retention Policies 90

Data Deletion Procedures and Mechanisms 93

Data Archiving Procedures and Mechanisms 94

Legal Hold 95

Design and Implement Auditability, Traceability, and Accountability of Data Events 96

Definition of Event Sources and Requirement of Event Attribution 97

Logging, Storage, and Analysis of Data Events 99

Chain of Custody and Nonrepudiation 100

Summary 101

Chapter 3 Cloud Platform and Infrastructure Security 103

Comprehend Cloud Infrastructure and Platform Components 104

Physical Environment 104

Network and Communications 106

Compute 107

Virtualization 108

Storage 110

Management Plane 111

Design a Secure Data Center 113

Logical Design 114

Physical Design 116

Environmental Design 117

Analyze Risks Associated with Cloud Infrastructure and Platforms 119

Risk Assessment 119

Cloud Vulnerabilities, Threats, and Attacks 122

Risk Mitigation Strategies 123

Plan and Implementation of Security Controls 124

Physical and Environmental Protection 124

System, Storage, and Communication Protection 125

Identification, Authentication, and Authorization in Cloud Environments 127

Audit Mechanisms 128

Plan Disaster Recovery and Business Continuity 131

Business Continuity/Disaster Recovery Strategy 131

Business Requirements 132

Creation, Implementation, and Testing of Plan 134

Summary 138

Chapter 4 Cloud Application Security 139

Advocate Training and Awareness for Application Security 140

Cloud Development Basics 140

Common Pitfalls 141

Common Cloud Vulnerabilities 142

Describe the Secure Software Development Life Cycle Process 144

NIST Secure Software Development Framework 145

OWASP Software Assurance Maturity Model 145

Business Requirements 145

Phases and Methodologies 146

Apply the Secure Software Development Life Cycle 149

Cloud- Specific Risks 149

Threat Modeling 153

Avoid Common Vulnerabilities during Development 156

Secure Coding 156

Software Configuration Management and Versioning 157

Apply Cloud Software Assurance and Validation 158

Functional and Non- functional Testing 159

Security Testing Methodologies 160

Quality Assurance 164

Abuse Case Testing 164

Use Verified Secure Software 165

Securing Application Programming Interfaces 165

Supply- Chain Management 166

Third- Party Software Management 166

Validated Open- Source Software 167

Comprehend the Specifics of Cloud Application Architecture 168

Supplemental Security Components 169

Cryptography 171

Sandboxing 172

Application Virtualization and Orchestration 173

Design Appropriate Identity and Access Management Solutions 174

Federated Identity 175

Identity Providers 175

Single Sign- on 176

Multifactor Authentication 176

Cloud Access Security Broker 178

Summary 179

Chapter 5 Cloud Security Operations 181

Build and Implement Physical and Logical Infrastructure for Cloud Environment 182

Hardware- Specific Security Configuration Requirements 182

Installation and Configuration of Virtualization Management Tools 185

Virtual Hardware-Specific Security Configuration Requirements 186

Installation of Guest Operating System Virtualization Toolsets 188

Operate Physical and Logical Infrastructure for Cloud Environment 188

Configure Access Control for Local and Remote Access 188

Secure Network Configuration 190

Operating System Hardening through the Application of Baselines 195

Availability of Stand- Alone Hosts 196

Availability of Clustered Hosts 197

Availability of Guest Operating Systems 199

Manage Physical and Logical Infrastructure for Cloud Environment 200

Access Controls for Remote Access 201

Operating System Baseline Compliance Monitoring and Remediation 202

Patch Management 203

Performance and Capacity Monitoring 205

Hardware Monitoring 206

Configuration of Host and Guest Operating System Backup and Restore Functions 207

Network Security Controls 208

Management Plane 212

Implement Operational Controls and Standards 212

Change Management 213

Continuity Management 214

Information Security Management 216

Continual Service Improvement Management 217

Incident Management 218

Problem Management 221

Release Management 221

Deployment Management 222

Configuration Management 224

Service Level Management 225

Availability Management 226

Capacity Management 227

Support Digital Forensics 228

Forensic Data Collection Methodologies 228

Evidence Management 230

Collect, Acquire, and Preserve Digital Evidence 231

Manage Communication with Relevant Parties 234

Vendors 235

Customers 236

Partners 238

Regulators 238

Other Stakeholders 239

Manage Security Operations 239

Security Operations Center 240

Monitoring of Security Controls 244

Log Capture and Analysis 245

Incident Management 248

Summary 253

Chapter 6 Legal, Risk, and Compliance 255

Articulating Legal Requirements and Unique Risks within the Cloud Environment 256

Conflicting International Legislation 256

Evaluation of Legal Risks Specific to Cloud Computing 258

Legal Frameworks and Guidelines 258

eDiscovery 265

Forensics Requirements 267

Understand Privacy Issues 267

Difference between Contractual and Regulated Private Data 268

Country- Specific Legislation Related to Private Data 272

Jurisdictional Differences in Data Privacy 277

Standard Privacy Requirements 278

Privacy Impact Assessments 280

Understanding Audit Process, Methodologies, and Required Adaptations for a Cloud Environment 281

Internal and External Audit Controls 282

Impact of Audit Requirements 283

Identify Assurance Challenges of Virtualization and Cloud 284

Types of Audit Reports 285

Restrictions of Audit Scope Statements 288

Gap Analysis 289

Audit Planning 290

Internal Information Security Management System 291

Internal Information Security Controls System 292

Policies 293

Identification and Involvement of Relevant Stakeholders 296

Specialized Compliance Requirements for Highly Regulated Industries 297

Impact of Distributed Information Technology Model 298

Understand Implications of Cloud to Enterprise Risk Management 299

Assess Providers Risk Management Programs 300

Differences between Data Owner/Controller vs. Data Custodian/Processor 301

Regulatory Transparency Requirements 302

Risk Treatment 303

Risk Frameworks 304

Metrics for Risk Management 307

Assessment of Risk Environment 307

Understand Outsourcing and Cloud Contract Design 309

Business Requirements 309

Vendor Management 311

Contract Management 312

Supply Chain Management 314

Summary 316

Index 317