The Official (ISC)² CCSP CBK Reference

3rd Edition, August 2021
320 Pages, Hardcover
Practical Approach Book
The only official body of knowledge for CCSP, the most popular cloud security credential, fully revised and updated.
Certified Cloud Security Professional (CCSP) certification validates the advanced technical skills needed to design, manage, and secure data, applications, and infrastructure in the cloud. This highly sought-after global credential has been updated with revised objectives. The new third edition of The Official (ISC)² Guide to the CCSP CBK is the authoritative, vendor-neutral common body of knowledge for cloud security professionals.
This comprehensive resource provides cloud security professionals with an indispensable working reference to each of the six CCSP domains: Cloud Concepts, Architecture and Design; Cloud Data Security; Cloud Platform and Infrastructure Security; Cloud Application Security; Cloud Security Operations; and Legal, Risk and Compliance. Detailed, in-depth chapters contain the accurate information required to prepare for and achieve CCSP certification. Every essential area of cloud security is covered, including implementation, architecture, operations, controls, and immediate and long-term responses.
Developed by (ISC)², the world leader in professional cybersecurity certification and training, this indispensable guide:
* Covers the six CCSP domains and over 150 detailed objectives
* Provides guidance on real-world best practices and techniques
* Includes illustrated examples, tables, and diagrams
The Official (ISC)² Guide to the CCSP CBK is a vital ongoing resource for IT and information security leaders responsible for applying best practices to cloud security architecture, design, operations and service orchestration.
About the Authors vii
About the Technical Editor ix
Foreword to the Third Edition xxi
Introduction xxiii
Domain 1: Cloud Concepts, Architecture, and Design 1
  Understand Cloud Computing Concepts 1
    Cloud Computing Definitions 1
    Cloud Computing Roles 4
    Key Cloud Computing Characteristics 5
    Building Block Technologies 9
  Describe Cloud Reference Architecture 12
    Cloud Computing Activities 12
    Cloud Service Capabilities 13
    Cloud Service Categories 14
    Cloud Deployment Models 15
    Cloud Shared Considerations 17
    Impact of Related Technologies 23
  Understand Security Concepts Relevant to Cloud Computing 27
    Cryptography and Key Management 27
    Access Control 28
    Data and Media Sanitization 29
    Network Security 30
    Virtualization Security 31
    Common Threats 32
  Understand Design Principles of Secure Cloud Computing 33
    Cloud Secure Data Lifecycle 33
    Cloud-Based Disaster Recovery and Business Continuity Planning 33
    Cost-Benefit Analysis 34
    Functional Security Requirements 35
    Security Considerations for Different Cloud Categories 36
  Evaluate Cloud Service Providers 38
    Verification against Criteria 39
    System/Subsystem Product Certifications 40
  Summary 41
Domain 2: Cloud Data Security 43
  Describe Cloud Data Concepts 43
    Cloud Data Lifecycle Phases 44
    Data Dispersion 47
  Design and Implement Cloud Data Storage Architectures 48
    Storage Types 48
    Threats to Storage Types 50
  Design and Apply Data Security Technologies and Strategies 52
    Encryption and Key Management 52
    Hashing 55
    Masking 56
    Tokenization 56
    Data Loss Prevention 57
    Data Obfuscation 60
    Data De-identification 61
  Implement Data Discovery 62
    Structured Data 64
    Unstructured Data 65
  Implement Data Classification 66
    Mapping 68
    Labeling 68
    Sensitive Data 69
  Design and Implement Information Rights Management 71
    Objectives 72
    Appropriate Tools 73
  Plan and Implement Data Retention, Deletion, and Archiving Policies 74
    Data Retention Policies 74
    Data Deletion Procedures and Mechanisms 77
    Data Archiving Procedures and Mechanisms 79
    Legal Hold 80
  Design and Implement Auditability, Traceability, and Accountability of Data Events 81
    Definition of Event Sources and Requirement of Identity Attribution 81
    Logging, Storage, and Analysis of Data Events 82
    Chain of Custody and Nonrepudiation 84
  Summary 85
Domain 3: Cloud Platform and Infrastructure Security 87
  Comprehend Cloud Infrastructure Components 88
    Physical Environment 88
    Network and Communications 89
    Compute 90
    Virtualization 91
    Storage 93
    Management Plane 93
  Design a Secure Data Center 95
    Logical Design 95
    Physical Design 97
    Environmental Design 98
  Analyze Risks Associated with Cloud Infrastructure 99
    Risk Assessment and Analysis 100
    Cloud Vulnerabilities, Threats, and Attacks 101
    Virtualization Risks 101
    Countermeasure Strategies 102
  Design and Plan Security Controls 102
    Physical and Environmental Protection 103
    System and Communication Protection 103
    Virtualization Systems Protection 104
    Identification, Authentication, and Authorization in Cloud Infrastructure 105
    Audit Mechanisms 106
  Plan Disaster Recovery and Business Continuity 107
    Risks Related to the Cloud Environment 108
    Business Requirements 109
    Business Continuity/Disaster Recovery Strategy 111
    Creation, Implementation, and Testing of Plan 112
  Summary 116
Domain 4: Cloud Application Security 117
  Advocate Training and Awareness for Application Security 117
    Cloud Development Basics 118
    Common Pitfalls 118
    Common Cloud Vulnerabilities 119
  Describe the Secure Software Development Lifecycle Process 120
    NIST Secure Software Development Framework 120
    OWASP Software Assurance Security Model 121
    Business Requirements 121
    Phases and Methodologies 122
  Apply the Secure Software Development Lifecycle 123
    Avoid Common Vulnerabilities During Development 123
    Cloud-Specific Risks 124
    Quality Assurance 127
    Threat Modeling 127
    Software Configuration Management and Versioning 128
  Apply Cloud Software Assurance and Validation 129
    Functional Testing 130
    Security Testing Methodologies 131
  Use Verified Secure Software 132
    Approved Application Programming Interfaces 132
    Supply-Chain Management 133
    Third-Party Software Management 134
    Validated Open Source Software 134
  Comprehend the Specifics of Cloud Application Architecture 135
    Supplemental Security Components 136
    Cryptography 138
    Sandboxing 139
    Application Virtualization and Orchestration 139
  Design Appropriate Identity and Access Management Solutions 140
    Federated Identity 140
    Identity Providers 141
    Single Sign-On 141
    Multifactor Authentication 142
    Cloud Access Security Broker 142
  Summary 143
Domain 5: Cloud Security Operations 145
  Implement and Build Physical and Logical Infrastructure for Cloud Environment 145
    Hardware-Specific Security Configuration Requirements 146
    Installation and Configuration of Virtualization Management Tools 149
    Virtual Hardware-Specific Security Configuration Requirements 150
    Installation of Guest Operating System Virtualization Toolsets 152
  Operate Physical and Logical Infrastructure for Cloud Environment 152
    Configure Access Control for Local and Remote Access 153
    Secure Network Configuration 155
    Operating System Hardening through the Application of Baselines 160
    Availability of Stand-Alone Hosts 162
    Availability of Clustered Hosts 162
    Availability of Guest Operating Systems 165
  Manage Physical and Logical Infrastructure for Cloud Environment 166
    Access Controls for Remote Access 166
    Operating System Baseline Compliance Monitoring and Remediation 168
    Patch Management 169
    Performance and Capacity Monitoring 172
    Hardware Monitoring 173
    Configuration of Host and Guest Operating System Backup and Restore Functions 174
    Network Security Controls 175
    Management Plane 179
  Implement Operational Controls and Standards 180
    Change Management 180
    Continuity Management 182
    Information Security Management 184
    Continual Service Improvement Management 185
    Incident Management 186
    Problem Management 189
    Release Management 190
    Deployment Management 191
    Configuration Management 192
    Service Level Management 194
    Availability Management 195
    Capacity Management 196
  Support Digital Forensics 197
    Forensic Data Collection Methodologies 197
    Evidence Management 200
    Collect, Acquire, and Preserve Digital Evidence 201
  Manage Communication with Relevant Parties 204
    Vendors 205
    Customers 206
    Shared Responsibility Model 206
    Partners 208
    Regulators 208
    Other Stakeholders 209
  Manage Security Operations 210
    Security Operations Center 210
    Monitoring of Security Controls 215
    Log Capture and Analysis 217
    Incident Management 220
  Summary 226
Domain 6: Legal, Risk, and Compliance 227
  Articulating Legal Requirements and Unique Risks Within the Cloud Environment 227
    Conflicting International Legislation 228
    Evaluation of Legal Risks Specific to Cloud Computing 229
    Legal Frameworks and Guidelines That Affect Cloud Computing 229
    Forensics and eDiscovery in the Cloud 236
  Understanding Privacy Issues 238
    Difference between Contractual and Regulated Private Data 239
    Country-Specific Legislation Related to Private Data 242
    Jurisdictional Differences in Data Privacy 247
    Standard Privacy Requirements 248
  Understanding Audit Process, Methodologies, and Required Adaptations for a Cloud Environment 250
    Internal and External Audit Controls 251
    Impact of Audit Requirements 251
    Identity Assurance Challenges of Virtualization and Cloud 252
    Types of Audit Reports 252
    Restrictions of Audit Scope Statements 255
    Gap Analysis 256
    Audit Planning 257
    Internal Information Security Management Systems 258
    Internal Information Security Controls System 259
    Policies 260
    Identification and Involvement of Relevant Stakeholders 262
    Specialized Compliance Requirements for Highly Regulated Industries 264
    Impact of Distributed Information Technology Models 264
  Understand Implications of Cloud to Enterprise Risk Management 266
    Assess Providers' Risk Management Programs 266
    Differences Between Data Owner/Controller vs. Data Custodian/Processor 268
    Regulatory Transparency Requirements 269
    Risk Treatment 270
    Risk Frameworks 270
    Metrics for Risk Management 272
    Assessment of Risk Environment 273
  Understanding Outsourcing and Cloud Contract Design 276
    Business Requirements 277
    Vendor Management 278
    Contract Management 279
    Supply Chain Management 281
  Summary 282
Index 283