The Official (ISC)2 Guide to the CCSP CBK. 2nd Edition

  • ID: 3615647
  • Book
  • 544 Pages
  • John Wiley and Sons Ltd
  • Produced by (ISC)2, the trusted source of industry expertise for cyber, information, software and infrastructure security
  • The definitive "common" body of knowledge used by candidates for the Certified Cloud Security Professional (CCSP) credential

"Securing and optimizing cloud computing environments requires a unique set of skills. Use the Official (ISC)2 Guide to the CCSP CBK as your go-to resource for acquiring the knowledge you'll need to implement strong information security programs in cloud computing."

David Shearer, Chief Executive Officer, (ISC)2

As powerful as cloud computing is for the organization, understanding its information security risks and mitigation strategies is critical. Securing 'the cloud' requires modified approaches and tools; legacy practices are inadequate. Clearly, it is essential for organizations to utilize information technology professionals who understand how cloud services can be securely implemented and managed within their organization's IT strategy and governance requirements.

The new Official (ISC)2 Guide to the CCSP CBK, Second Edition is a comprehensive resource providing an in-depth look at the six domains of the CCSP Common Body of Knowledge (CBK). This edition provides a current, detailed guide that is considered one of the best tools for candidates striving to become a CCSP. This second edition features clearer diagrams as well as refined explanations based on extensive expert feedback.

Numerous illustrated examples and tables are included to demonstrate concepts, frameworks and real-life scenarios. The book offers step-by-step guidance through each of CCSP's domains, including best practices and techniques used by the world's most experienced practitioners. Developed by (ISC)2, endorsed by the Cloud Security Alliance (CSA), and compiled and reviewed by cloud security experts across the world, this book brings together a global, thorough perspective. The Official (ISC)2 Guide to the CCSP CBK, Second Edition should be utilized as your fundamental study tool in preparation for the CCSP exam and provides a comprehensive reference that will serve you for years to come.

Note: Product cover images may vary from those shown

Foreword xvii

Introduction xix

DOMAIN 1: ARCHITECTURAL CONCEPTS AND DESIGN REQUIREMENTS 1

Introduction 3

Drivers for Cloud Computing 4

Security, Risks, and Benefits 5

Cloud Computing Definitions 7

Cloud Computing Roles 12

Key Cloud Computing Characteristics 12

Cloud Transition Scenario 14

Building Blocks 16

Cloud Computing Functions 16

Cloud Service Categories 18

IaaS 18

PaaS 19

SaaS 21

Cloud Deployment Models 23

The Public Cloud Model 23

The Private Cloud Model 23

The Hybrid Cloud Model 24

The Community Cloud Model 25

Cloud Cross-Cutting Aspects 25

Architecture Overview 25

Key Principles of an Enterprise Architecture 27

The NIST Cloud Technology Roadmap 28

Network Security and Perimeter 32

Cryptography 33

Encryption 33

Key Management 35

IAM and Access Control 37

Provisioning and Deprovisioning 37

Centralized Directory Services 38

Privileged User Management 38

Authorization and Access Management 39

Data and Media Sanitization 40

Vendor Lock-In 40

Cryptographic Erasure 41

Data Overwriting 41

Virtualization Security 42

The Hypervisor 42

Security Types 43

Common Threats 43

Data Breaches 43

Data Loss 44

Account or Service Traffic Hijacking 45

Insecure Interfaces and APIs 45

Denial of Service 46

Malicious Insiders 46

Abuse of Cloud Services 46

Insufficient Due Diligence 47

Shared Technology Vulnerabilities 47

Security Considerations for Different Cloud Categories 48

IaaS Security 48

PaaS Security 50

SaaS Security 52

Open Web Application Security Project Top Ten Security Threats 54

Cloud Secure Data Lifecycle 55

Information and Data Governance Types 56

Business Continuity and Disaster Recovery Planning 57

Business Continuity Elements 57

Critical Success Factors 58

Important SLA Components 59

Cost-Benefit Analysis 60

Certification Against Criteria 62

System and Subsystem Product Certification 69

Summary 72

Review Questions 73

Notes 77

DOMAIN 2: CLOUD DATA SECURITY 79

Introduction 81

The Cloud Data Lifecycle Phases 82

Location and Access of Data 83

Location 83

Access 84

Functions, Actors, and Controls of the Data 84

Key Data Functions 85

Controls 85

Process Overview 86

Tying It Together 86

Cloud Services, Products, and Solutions 87

Data Storage 87

IaaS 87

PaaS 88

SaaS 89

Threats to Storage Types 90

Technologies Available to Address Threats 91

Relevant Data Security Technologies 91

Data Dispersion in Cloud Storage 92

DLP 92

Encryption 95

Masking, Obfuscation, Anonymization, and Tokenization 102

Application of Security Strategy Technologies 105

Emerging Technologies 106

Bit Splitting 106

Homomorphic Encryption 107

Data Discovery 108

Data Discovery Approaches 108

Different Data Discovery Techniques 109

Data Discovery Issues 110

Challenges with Data Discovery in the Cloud 111

Data Classification 112

Data Classification Categories 112

Challenges with Cloud Data 113

Data Privacy Acts 113

Global P&DP Laws in the United States 114

Global P&DP Laws in the European Union 115

Global P&DP Laws in APEC 115

Differences Between Jurisdiction and Applicable Law 115

Essential Requirements in P&DP Laws 116

Typical Meanings for Common Privacy Terms 116

Privacy Roles for Customers and Service Providers 117

Responsibility Depending on the Type of Cloud Services 118

Implementation of Data Discovery 119

Classification of Discovered Sensitive Data 120

Mapping and Definition of Controls 123

Privacy Level Agreement 124

PLA Versus Essential P&DP Requirements Activity 124

Application of Defined Controls for PII 128

Cloud Security Alliance Cloud Controls Matrix 129

Management Control for Privacy and Data-Protection Measures 133

Data Rights Management Objectives 134

IRM Cloud Challenges 134

IRM Solutions 135

Data-Protection Policies 136

Data-Retention Policies 137

Data-Deletion Procedures and Mechanisms 138

Data-Archiving Procedures and Mechanisms 139

Events 140

Event Sources 140

Identifying Event Attribute Requirements 142

Storage and Analysis of Data Events 144

SIEM 145

Supporting Continuous Operations 146

Chain of Custody and Nonrepudiation 147

Summary 148

Review Questions 149

Notes 152

DOMAIN 3: CLOUD PLATFORM AND INFRASTRUCTURE SECURITY 155

Introduction 157

The Physical Environment of the Cloud Infrastructure 157

Data Center Design 158

Network and Communications in the Cloud 159

Network Functionality 159

Software-Defined Networking 160

The Compute Parameters of a Cloud Server 161

Virtualization 161

Scalability 162

The Hypervisor 162

Storage Issues in the Cloud 163

Object Storage 164

Management Plane 164

Management of Cloud Computing Risks 166

Risk Assessment and Analysis 166

Cloud Attack Vectors 170

Countermeasure Strategies Across the Cloud 170

Continuous Uptime 171

Automation of Controls 171

Access Controls 171

Physical and Environmental Protections 172

Key Regulations 173

Examples of Controls 173

Protecting Data Center Facilities 173

System and Communication Protections 173

Automation of Configuration 174

Responsibilities of Protecting the Cloud System 174

Following the Data Lifecycle 175

Virtualization Systems Controls 176

Managing Identification, Authentication, and Authorization in the Cloud Infrastructure 178

Managing Identification 178

Managing Authentication 179

Managing Authorization 179

Accounting for Resources 179

Managing Identity and Access Management 179

Making Access Decisions 179

The Entitlement Process 180

The Access Control Decision-Making Process 180

Risk Audit Mechanisms 181

The Cloud Security Alliance Cloud Controls Matrix 182

Cloud Computing Audit Characteristics 182

Using a VM 183

Understanding the Cloud Environment Related to BCDR 183

On-Premises, Cloud as BCDR 184

Cloud Service Consumer, Primary Provider BCDR 184

Cloud Service Consumer, Alternative Provider BCDR 185

BCDR Planning Factors 185

Relevant Cloud Infrastructure Characteristics 185

Understanding the Business Requirements Related to BCDR 186

Understanding the BCDR Risks 188

BCDR Risks Requiring Protection 188

BCDR Strategy Risks 188

Potential Concerns About the BCDR Scenarios 189

BCDR Strategies 190

Location 191

Data Replication 191

Functionality Replication 192

Planning, Preparing, and Provisioning 192

Failover Capability 192

Returning to Normal 193

Creating the BCDR Plan 193

The Scope of the BCDR Plan 193

Gathering Requirements and Context 193

Analysis of the Plan 194

Risk Assessment 194

Plan Design 194

Other Plan Considerations 195

Planning, Exercising, Assessing, and Maintaining the Plan 195

Test Plan Review 197

Testing and Acceptance to Production 201

Summary 201

Review Questions 202

Notes 204

DOMAIN 4: CLOUD APPLICATION SECURITY 205

Introduction 207

Determining Data Sensitivity and Importance 208

Understanding the API Formats 208

Common Pitfalls of Cloud Security Application Deployment 209

On-Premises Does Not Always Transfer (and Vice Versa) 210

Not All Apps Are Cloud Ready 210

Lack of Training and Awareness 210

Lack of Documentation and Guidelines 211

Complexities of Integration 211

Overarching Challenges 211

Awareness of Encryption Dependencies 213

Understanding the Software Development Lifecycle Process for a Cloud Environment 213

Secure Operations Phase 214

Disposal Phase 215

Assessing Common Vulnerabilities 215

Cloud-Specific Risks 218

Threat Modeling 220

STRIDE Threat Model 220

Approved Application Programming Interfaces 221

Software Supply Chain (API) Management 221

Securing Open Source Software 222

Identity and Access Management 222

Identity Management 223

Access Management 223

Identity Repository and Directory Services 223

Federated Identity Management 224

Federation Standards 224

Federated Identity Providers 225

Federated SSO 225

Multifactor Authentication 225

Supplemental Security Devices 226

Cryptography 227

Tokenization 228

Data Masking 228

Sandboxing 229

Application Virtualization 229

Cloud-Based Functional Data 230

Cloud-Secure Development Lifecycle 231

ISO/IEC 27034-1 232

Organizational Normative Framework 232

Application Normative Framework 233

Application Security Management Process 233

Application Security Testing 234

Static Application Security Testing 234

Dynamic Application Security Testing 235

Runtime Application Self-Protection 235

Vulnerability Assessments and Penetration Testing 235

Secure Code Reviews 236

OWASP Recommendations 236

Summary 237

Review Questions 238

Notes 239

DOMAIN 5: OPERATIONS 241

Introduction 243

Modern Data Centers and Cloud Service Offerings 243

Factors That Affect Data Center Design 243

Logical Design 244

Physical Design 246

Environmental Design Considerations 249

Multivendor Pathway Connectivity 253

Implementing Physical Infrastructure for Cloud Environments 253

Enterprise Operations 254

Secure Configuration of Hardware: Specific Requirements 255

Best Practices for Servers 255

Best Practices for Storage Controllers 256

Network Controllers Best Practices 258

Virtual Switches Best Practices 259

Installation and Configuration of Virtualization Management Tools for the Host 260

Leading Practices 261

Running a Physical Infrastructure for Cloud Environments 261

Configuring Access Control and Secure Kernel-Based Virtual Machine 265

Securing the Network Configuration 266

Network Isolation 266

Protecting VLANs 267

Using TLS 268

Using DNS 268

Using IPSec 269

Identifying and Understanding Server Threats 270

Using Standalone Hosts 271

Using Clustered Hosts 273

Resource Sharing 273

Distributed Resource Scheduling/Compute Resource Scheduling 274

Accounting for Dynamic Operation 274

Using Storage Clusters 275

Clustered Storage Architectures 275

Storage Cluster Goals 276

Using Maintenance Mode 276

Providing HA on the Cloud 276

Measuring System Availability 276

Achieving HA 277

The Physical Infrastructure for Cloud Environments 278

Configuring Access Control for Remote Access 279

Performing Patch Management 281

The Patch Management Process 282

Examples of Automation 282

Challenges of Patch Management 283

Performance Monitoring 285

Outsourcing Monitoring 285

Hardware Monitoring 285

Redundant System Architecture 286

Monitoring Functions 286

Backing Up and Restoring the Host Configuration 287

Implementing Network Security Controls: Defense in Depth 288

Firewalls 288

Layered Security 289

Utilizing Honeypots 292

Conducting Vulnerability Assessments 293

Log Capture and Log Management 293

Using Security Information and Event Management 295

Developing a Management Plan 296

Maintenance 297

Orchestration 297

Building a Logical Infrastructure for Cloud Environments 298

Logical Design 298

Physical Design 298

Secure Configuration of Hardware-Specific Requirements 299

Running a Logical Infrastructure for Cloud Environments 300

Building a Secure Network Configuration 300

OS Hardening via Application Baseline 301

Availability of a Guest OS 303

Managing the Logical Infrastructure for Cloud Environments 304

Access Control for Remote Access 304

OS Baseline Compliance Monitoring and Remediation 305

Backing Up and Restoring the Guest OS Configuration 305

Implementation of Network Security Controls 306

Log Capture and Analysis 306

Management Plan Implementation Through the Management Plane 307

Ensuring Compliance with Regulations and Controls 307

Using an ITSM Solution 308

Considerations for Shadow IT 308

Operations Management 309

Information Security Management 310

Configuration Management 310

Change Management 311

Incident Management 315

Problem Management 317

Release and Deployment Management 318

Service-Level Management 319

Availability Management 319

Capacity Management 319

Business Continuity Management 320

Continual Service Improvement Management 321

How Management Processes Relate to Each Other 321

Incorporating Management Processes 323

Managing Risk in Logical and Physical Infrastructures 323

The Risk-Management Process Overview 323

Framing Risk 324

Risk Assessment 324

Risk Response 334

Risk Monitoring 339

Understanding the Collection and Preservation of Digital Evidence 340

Cloud Forensics Challenges 341

Data Access Within Service Models 342

Forensics Readiness 343

Proper Methodologies for Forensic Collection of Data 343

The Chain of Custody 349

Evidence Management 350

Managing Communications with Relevant Parties 350

The Five Ws and One H 351

Communicating with Vendors and Partners 351

Communicating with Customers 353

Communicating with Regulators 353

Communicating with Other Stakeholders 354

Wrap-Up: Data Breach Example 354

Summary 354

Review Questions 356

Notes 361

DOMAIN 6: LEGAL AND COMPLIANCE 363

Introduction 365

International Legislation Conflicts 365

Legislative Concepts 366

Frameworks and Guidelines Relevant to Cloud Computing 368

ISO/IEC 27017:2015 Information Technology Security Techniques Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services 368

Organization for Economic Cooperation and Development Privacy and Security Guidelines 369

Asia-Pacific Economic Cooperation Privacy Framework 369

EU Data Protection Directive 370

General Data Protection Regulation 372

ePrivacy Directive 372

Beyond Frameworks and Guidelines 372

Common Legal Requirements 373

Legal Controls and Cloud Service Providers 374

e-Discovery 375

e-Discovery Challenges 375

Considerations and Responsibilities of e-Discovery 376

Reducing Risk 376

Conducting e-Discovery Investigations 377

Cloud Forensics and ISO/IEC 27050-1 377

Protecting Personal Information in the Cloud 378

Differentiating Between Contractual and Regulated PII 379

Country-Specific Legislation and Regulations Related to PII, Data Privacy, and Data Protection 383

Auditing in the Cloud 392

Internal and External Audits 392

Types of Audit Reports 393

Impact of Requirement Programs by the Use of Cloud Services 396

Assuring Challenges of the Cloud and Virtualization 396

Information Gathering 397

Audit Scope 398

Cloud-Auditing Goals 401

Audit Planning 401

Standard Privacy Requirements (ISO/IEC 27018) 403

GAPP 404

Internal ISMS 405

The Value of an ISMS 405

Internal Information Security Controls System: ISO 27001:2013 Domains 406

Repeatability and Standardization 406

Implementing Policies 407

Organizational Policies 407

Functional Policies 408

Cloud Computing Policies 408

Bridging the Policy Gaps 409

Identifying and Involving the Relevant Stakeholders 410

Stakeholder Identification Challenges 410

Governance Challenges 411

Communication Coordination 411

Impact of Distributed IT Models 412

Clear Communications 412

Coordination and Management of Activities 413

Governance of Processes and Activities 413

Coordination Is Key 414

Security Reporting 414

Understanding the Implications of the Cloud to Enterprise Risk Management 415

Risk Profile 416

Risk Appetite 416

Difference Between the Data Owner and Controller and the Data Custodian and Processor 416

SLA 417

Risk Mitigation 422

Risk-Management Metrics 422

Different Risk Frameworks 423

Understanding Outsourcing and Contract Design 425

Business Requirements 425

Vendor Management 426

Understanding Your Risk Exposure 426

Accountability of Compliance 427

Common Criteria Assurance Framework 427

CSA STAR 428

Cloud Computing Certification 429

Contract Management 431

Importance of Identifying Challenges Early 431

Key Contract Components 432

Supply Chain Management 434

Supply Chain Risk 434

CSA CCM 435

The ISO 28000:2007 Supply Chain Standard 435

Summary 436

Review Questions 438

Notes 439

APPENDIX A: ANSWERS TO REVIEW QUESTIONS 441

Domain 1: Architectural Concepts and Design Requirements 441

Domain 2: Cloud Data Security 451

Domain 3: Cloud Platform and Infrastructure Security 460

Domain 4: Cloud Application Security 466

Domain 5: Operations 470

Domain 6: Legal and Compliance Issues 482

Notes 488

APPENDIX B: GLOSSARY 491

APPENDIX C: HELPFUL RESOURCES AND LINKS 501

Index 505

Adam Gordon