Details

<p>Foreword to the Fourth Edition xxi</p> <p>Introduction xix</p> <p><b>Chapter 1 Cloud Concepts, Architecture, and Design 1</b></p> <p>Understand Cloud Computing Concepts 2</p> <p>Cloud Computing Definitions 2</p> <p>Cloud Computing Roles and Responsibilities 3</p> <p>Key Cloud Computing Characteristics 7</p> <p>Building Block Technologies 11</p> <p>Describe Cloud Reference Architecture 14</p> <p>Cloud Computing Activities 14</p> <p>Cloud Service Capabilities 15</p> <p>Cloud Service Categories 17</p> <p>Cloud Deployment Models 18</p> <p>Cloud Shared Considerations 21</p> <p>Impact of Related Technologies 27</p> <p>Understand Security Concepts Relevant to Cloud Computing 33</p> <p>Cryptography and Key Management 33</p> <p>Identity and Access Control 34</p> <p>Data and Media Sanitization 36</p> <p>Network Security 37</p> <p>Virtualization Security 39</p> <p>Common Threats 41</p> <p>Security Hygiene 41</p> <p>Understand Design Principles of Secure Cloud Computing 43</p> <p>Cloud Secure Data Lifecycle 43</p> <p>Cloud- Based Business Continuity and Disaster Recovery Plan 44</p> <p>Business Impact Analysis 45</p> <p>Functional Security Requirements 46</p> <p>Security Considerations for Different Cloud Categories 48</p> <p>Cloud Design Patterns 49</p> <p>DevOps Security 51</p> <p>Evaluate Cloud Service Providers 51</p> <p>Verification against Criteria 52</p> <p>System/Subsystem Product Certifications 54</p> <p>Summary 56</p> <p><b>Chapter 2 Cloud Data Security 57</b></p> <p>Describe Cloud Data Concepts 58</p> <p>Cloud Data Lifecycle Phases 58</p> <p>Data Dispersion 61</p> <p>Data Flows 62</p> <p>Design and Implement Cloud Data Storage Architectures 63</p> <p>Storage Types 63</p> <p>Threats to Storage Types 66</p> <p>Design and Apply Data Security Technologies and Strategies 67</p> <p>Encryption and Key Management 67</p> <p>Hashing 70</p> <p>Data Obfuscation 71</p> <p>Tokenization 73</p> <p>Data Loss Prevention 74</p> <p>Keys, Secrets, and Certificates Management 77</p> <p>Implement Data Discovery 78</p> <p>Structured Data 79</p> <p>Unstructured Data 80</p> <p>Semi- structured Data 81</p> <p>Data Location 82</p> <p>Implement Data Classification 82</p> <p>Data Classification Policies 83</p> <p>Mapping 85</p> <p>Labeling 86</p> <p>Design and Implement Information Rights Management 87</p> <p>Objectives 88</p> <p>Appropriate Tools 89</p> <p>Plan and Implement Data Retention, Deletion, and Archiving Policies 89</p> <p>Data Retention Policies 90</p> <p>Data Deletion Procedures and Mechanisms 93</p> <p>Data Archiving Procedures and Mechanisms 94</p> <p>Legal Hold 95</p> <p>Design and Implement Auditability, Traceability, and Accountability of Data Events 96</p> <p>Definition of Event Sources and Requirement of Event Attribution 97</p> <p>Logging, Storage, and Analysis of Data Events 99</p> <p>Chain of Custody and Nonrepudiation 100</p> <p>Summary 101</p> <p><b>Chapter 3 Cloud Platform and Infrastructure Security 103</b></p> <p>Comprehend Cloud Infrastructure and Platform Components 104</p> <p>Physical Environment 104</p> <p>Network and Communications 106</p> <p>Compute 107</p> <p>Virtualization 108</p> <p>Storage 110</p> <p>Management Plane 111</p> <p>Design a Secure Data Center 113</p> <p>Logical Design 114</p> <p>Physical Design 116</p> <p>Environmental Design 117</p> <p>Analyze Risks Associated with Cloud Infrastructure and Platforms 119</p> <p>Risk Assessment 119</p> <p>Cloud Vulnerabilities, Threats, and Attacks 122</p> <p>Risk Mitigation Strategies 123</p> <p>Plan and Implementation of Security Controls 124</p> <p>Physical and Environmental Protection 124</p> <p>System, Storage, and Communication Protection 125</p> <p>Identification, Authentication, and Authorization in Cloud Environments 127</p> <p>Audit Mechanisms 128</p> <p>Plan Disaster Recovery and Business Continuity 131</p> <p>Business Continuity/Disaster Recovery Strategy 131</p> <p>Business Requirements 132</p> <p>Creation, Implementation, and Testing of Plan 134</p> <p>Summary 138</p> <p><b>Chapter 4 Cloud Application Security 139</b></p> <p>Advocate Training and Awareness for Application Security 140</p> <p>Cloud Development Basics 140</p> <p>Common Pitfalls 141</p> <p>Common Cloud Vulnerabilities 142</p> <p>Describe the Secure Software Development Life Cycle Process 144</p> <p>NIST Secure Software Development Framework 145</p> <p>OWASP Software Assurance Maturity Model 145</p> <p>Business Requirements 145</p> <p>Phases and Methodologies 146</p> <p>Apply the Secure Software Development Life Cycle 149</p> <p>Cloud- Specific Risks 149</p> <p>Threat Modeling 153</p> <p>Avoid Common Vulnerabilities during Development 156</p> <p>Secure Coding 156</p> <p>Software Configuration Management and Versioning 157</p> <p>Apply Cloud Software Assurance and Validation 158</p> <p>Functional and Non- functional Testing 159</p> <p>Security Testing Methodologies 160</p> <p>Quality Assurance 164</p> <p>Abuse Case Testing 164</p> <p>Use Verified Secure Software 165</p> <p>Securing Application Programming Interfaces 165</p> <p>Supply- Chain Management 166</p> <p>Third- Party Software Management 166</p> <p>Validated Open- Source Software 167</p> <p>Comprehend the Specifics of Cloud Application Architecture 168</p> <p>Supplemental Security Components 169</p> <p>Cryptography 171</p> <p>Sandboxing 172</p> <p>Application Virtualization and Orchestration 173</p> <p>Design Appropriate Identity and Access Management Solutions 174</p> <p>Federated Identity 175</p> <p>Identity Providers 175</p> <p>Single Sign- on 176</p> <p>Multifactor Authentication 176</p> <p>Cloud Access Security Broker 178</p> <p>Summary 179</p> <p><b>Chapter 5 Cloud Security Operations 181</b></p> <p>Build and Implement Physical and Logical Infrastructure for Cloud Environment 182</p> <p>Hardware- Specific Security Configuration Requirements 182</p> <p>Installation and Configuration of Virtualization Management Tools 185</p> <p>Virtual Hardware–Specific Security Configuration Requirements 186</p> <p>Installation of Guest Operating System Virtualization Toolsets 188</p> <p>Operate Physical and Logical Infrastructure for Cloud Environment 188</p> <p>Configure Access Control for Local and Remote Access 188</p> <p>Secure Network Configuration 190</p> <p>Operating System Hardening through the Application of Baselines 195</p> <p>Availability of Stand- Alone Hosts 196</p> <p>Availability of Clustered Hosts 197</p> <p>Availability of Guest Operating Systems 199</p> <p>Manage Physical and Logical Infrastructure for Cloud Environment 200</p> <p>Access Controls for Remote Access 201</p> <p>Operating System Baseline Compliance Monitoring and Remediation 202</p> <p>Patch Management 203</p> <p>Performance and Capacity Monitoring 205</p> <p>Hardware Monitoring 206</p> <p>Configuration of Host and Guest Operating System Backup and Restore Functions 207</p> <p>Network Security Controls 208</p> <p>Management Plane 212</p> <p>Implement Operational Controls and Standards 212</p> <p>Change Management 213</p> <p>Continuity Management 214</p> <p>Information Security Management 216</p> <p>Continual Service Improvement Management 217</p> <p>Incident Management 218</p> <p>Problem Management 221</p> <p>Release Management 221</p> <p>Deployment Management 222</p> <p>Configuration Management 224</p> <p>Service Level Management 225</p> <p>Availability Management 226</p> <p>Capacity Management 227</p> <p>Support Digital Forensics 228</p> <p>Forensic Data Collection Methodologies 228</p> <p>Evidence Management 230</p> <p>Collect, Acquire, and Preserve Digital Evidence 231</p> <p>Manage Communication with Relevant Parties 234</p> <p>Vendors 235</p> <p>Customers 236</p> <p>Partners 238</p> <p>Regulators 238</p> <p>Other Stakeholders 239</p> <p>Manage Security Operations 239</p> <p>Security Operations Center 240</p> <p>Monitoring of Security Controls 244</p> <p>Log Capture and Analysis 245</p> <p>Incident Management 248</p> <p>Summary 253</p> <p><b>Chapter 6 Legal, Risk, and Compliance 255</b></p> <p>Articulating Legal Requirements and Unique Risks within the Cloud Environment 256</p> <p>Conflicting International Legislation 256</p> <p>Evaluation of Legal Risks Specific to Cloud Computing 258</p> <p>Legal Frameworks and Guidelines 258</p> <p>eDiscovery 265</p> <p>Forensics Requirements 267</p> <p>Understand Privacy Issues 267</p> <p>Difference between Contractual and Regulated Private Data 268</p> <p>Country- Specific Legislation Related to Private Data 272</p> <p>Jurisdictional Differences in Data Privacy 277</p> <p>Standard Privacy Requirements 278</p> <p>Privacy Impact Assessments 280</p> <p>Understanding Audit Process, Methodologies, and Required Adaptations for a Cloud Environment 281</p> <p>Internal and External Audit Controls 282</p> <p>Impact of Audit Requirements 283</p> <p>Identify Assurance Challenges of Virtualization and Cloud 284</p> <p>Types of Audit Reports 285</p> <p>Restrictions of Audit Scope Statements 288</p> <p>Gap Analysis 289</p> <p>Audit Planning 290</p> <p>Internal Information Security Management System 291</p> <p>Internal Information Security Controls System 292</p> <p>Policies 293</p> <p>Identification and Involvement of Relevant Stakeholders 296</p> <p>Specialized Compliance Requirements for Highly Regulated Industries 297</p> <p>Impact of Distributed Information Technology Model 298</p> <p>Understand Implications of Cloud to Enterprise Risk Management 299</p> <p>Assess Providers Risk Management Programs 300</p> <p>Differences between Data Owner/Controller vs. Data Custodian/Processor 301</p> <p>Regulatory Transparency Requirements 302</p> <p>Risk Treatment 303</p> <p>Risk Frameworks 304</p> <p>Metrics for Risk Management 307</p> <p>Assessment of Risk Environment 307</p> <p>Understand Outsourcing and Cloud Contract Design 309</p> <p>Business Requirements 309</p> <p>Vendor Management 311</p> <p>Contract Management 312</p> <p>Supply Chain Management 314</p> <p>Summary 316</p> <p>Index 317</p>

<p><b>“We wish you all the best in your CCSP_® journey. From the very beginning through the advancements and discoveries that you are sure to find along the way, (ISC)² will be by your side, always advocating for you, as we work together to create a safe and secure cyber world.”</b><br> – Clar Rosso, CEO of (ISC)² <p><b>The only official body of knowledge for CCSP—the most popular cloud security credential—fully revised and updated.</b> <p>Certified Cloud Security Professional (CCSP) certification validates the advanced technical skills needed to design, manage, and secure data, applications, and infrastructure in the cloud. This highly sought-after global credential has been updated with revised objectives. The new fourth edition of <i>The Official (ISC)^2® CCSP_® CBK^® Reference</i> is the authoritative, vendor-neutral common body of knowledge for cloud security professionals. <p>This comprehensive resource provides cloud security professionals with an indispensable working reference to each of the six CCSP domains: Cloud Concepts, Architecture and Design; Cloud Data Security; Cloud Platform and Infrastructure Security; Cloud Application Security; Cloud Security Operations; and Legal, Risk and Compliance. Detailed, in-depth chapters contain the accurate information required to prepare for and achieve CCSP certification. Every essential area of cloud security is covered, including implementation, architecture, operations, controls, and immediate and long-term responses. <p><i>The Official (ISC)^2®CCSP_® CBK^® Reference</i> is a vital ongoing resource for IT and information security leaders responsible for applying best practices to cloud security architecture, design, operations and service orchestration.

US