CCSP (ISC)2 Certified Cloud Security Professional Exam Guide - Omar A. Turner - E-Book

Description

Preparing for the Certified Cloud Security Professional (CCSP) exam can be challenging, as it covers a wide array of topics essential for advancing a cybersecurity professional’s career by validating their technical skills. To prepare for the CCSP exam, you need a resource that not only covers all the exam objectives but also helps you prepare for the format and structure of the exam.
Written by two seasoned cybersecurity professionals with a collective experience of hundreds of hours training CCSP bootcamps, this CCSP study guide reflects the journey you’d undertake in such training sessions.
The chapters are packed with up-to-date information necessary to pass the (ISC)2 CCSP exam. Additionally, to boost your confidence, the book provides self-assessment questions, exam tips, and mock exams with detailed answer explanations. You’ll be able to deepen your understanding using illustrative explanations that briefly review key points.
As you progress, you’ll delve into advanced technical aspects of cloud domain security, such as application security, design, managing and securing data, and infrastructure in the cloud using best practices and legal policies and procedures.
By the end of this guide, you’ll be ready to breeze through the exam and tackle real-world cloud security challenges with ease.

You can read the e-book in Legimi apps or in any app that supports one of the following formats:

EPUB
MOBI

Page count: 842

Year of publication: 2024




CCSP (ISC)2 Certified Cloud Security Professional Exam Guide

Build your knowledge to pass the CCSP exam with expert guidance

Omar A. Turner

Navya Lakshmana

CCSP (ISC)2 Certified Cloud Security Professional Exam Guide

Copyright © 2024 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Authors: Omar A. Turner and Navya Lakshmana

Reviewers: Dharam Chhatbar, Eyal Estrin, and Commander Saurabh Prakash Gupta

Publishing Product Manager: Anindya Sil

Editorial Director: Alex Mazonowicz

Development Editor: M Keerthi Nair

Senior Development Editor: Ketan Giri

Presentation Designer: Shantanu Zagade

Editorial Board: Vijin Boricha, Megan Carlisle, Simon Cox, Ketan Giri, Saurabh Kadave, Alex Mazonowicz, Gandhali Raut, and Ankita Thakur

First Published: June 2024

Production Reference: 1210624

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB

ISBN: 978-1-83898-766-4

www.packtpub.com

This book is dedicated to my family and colleagues whose unwavering support and encouragement have been the cornerstone of my success. To my family, your patience, love, and understanding during this two-year journey have been my greatest strength. To my colleagues, your collaboration, insights, and steadfast belief in my vision have been invaluable. Together, you have made this achievement possible, and for that, I am eternally grateful.

Omar A. Turner

Contributors

About the Authors

Omar A. Turner is a general manager for cloud security at Microsoft, where he brings over 25 years of experience in supporting, deploying, architecting, and securing solutions for start-ups and globally recognized organizations. He holds numerous certifications, including CISSP, CCSP, CRISC, CISA, and CISM, and he holds B.S. degrees in mathematics and computer science, as well as the Wharton CTO designation. Omar is passionate about cybersecurity enablement and training as well as career mentoring for those looking to start their journey in the amazing and important field of cloud security.

Navya Lakshmana, a cybersecurity professional with a decade of experience in information technology, earned her bachelor's degree in electronics and communication from Visvesvaraya Technological University (VTU) in Bengaluru, Karnataka, India. She is currently employed at Siemens Healthineers, a renowned healthcare service provider that creates advanced medical technology for everyone, everywhere, sustainably. Navya holds distinguished certifications, including CISSP, CCSP, GIAC Cloud Penetration Tester (GCPN), and GIAC Penetration Tester (GPEN).

Beyond her professional endeavors, Navya is dedicated to cybersecurity education. As the founder of CyberPlatter, a YouTube channel, she educates cybersecurity enthusiasts and professionals alike.

About the Reviewers

Dharam Chhatbar is a seasoned information security professional with over 14 years of experience in various verticals of information security, delivering impactful and high-quality risk-reducing work. He has helped secure many banks and retail firms and is currently working at a Fortune number 1 company. He holds a master's degree, is a fervent learner, and has earned several global certifications, including CISSP, GSLC (SANS), CCSP, CSSLP, and CIPM. His key competencies include vulnerability management, security architecture, application security, cloud security, and leading and managing security engineers/vendors. He has also reviewed books on Azure security and CISSP practice questions.

I would like to thank my parents, Bina and Jagdish, for their continued support and encouragement with everything that I do and for motivating me to always achieve my ambitions.

Eyal Estrin is a cloud and information security architect and the author of the book Cloud Security Handbook, with more than 20 years of experience in the IT industry.

He has worked in several different industries (the banking, academia, and healthcare sectors).

He has attained several top security certifications: CISSP, CCSP, CDPSE, CISA, and CCSK.

Commander Saurabh Prakash Gupta, CISSP, CCSP, CISM, GCIH, is a military veteran currently employed as a cybersecurity expert with Bosch Global Software Technologies in Bengaluru, India. Having started his journey as a marine engineer, he then developed expertise in the domains of information technology and information security over more than 20 years. He is currently leading the cybersecurity program for providing consulting and testing services to global customers in automotive, embedded, IoT, OT, cloud, and enterprise IT product domains. Previously, for the Indian Navy, he led the program for software induction and enterprise cybersecurity deployment at the Indian Navy headquarters. He loves traveling and is an avid reader.

Table of Contents

Preface

1

Core Cloud Concepts

Making the Most Out of This Book – Your Certification and Beyond

What Is Cloud Computing?

Essential Cloud Computing Characteristics

Cloud Stakeholders

ISO/IEC 17789 CCRA Roles and Sub-Roles

NIST Cloud Computing Key Actors

Key Cloud Computing Technologies and Building Blocks

Summary

Exam Readiness Drill – Chapter Review Questions

2

Cloud Reference Architecture

Cloud Service Models

Software as a Service (SaaS)

Platform as a Service (PaaS)

Infrastructure as a Service (IaaS)

Cloud Service Models and Categories

Cloud Deployment Models

Shared Responsibility Model

Shared Considerations for Cloud Deployments

Emerging Technologies in Cloud Computing

Data Science

Artificial Intelligence and Machine Learning (AI/ML)

Blockchain

Internet of Things (IoT)

Containers

Quantum Computing

Edge Computing

Confidential Computing

Summary

Exam Readiness Drill – Chapter Review Questions

3

Top Threats and Essential Cloud Security Concepts and Controls

The CIA Triad—Confidentiality, Integrity, and Availability

Common Threats to Cloud Deployments

Data Breaches

Misconfiguration

Insecure APIs

Insider Threats

Account Hijacking

Security Control Categories and Types

Security Control Categories/Classes

Security Control Types and Functionality

Summary

Exam Readiness Drill – Chapter Review Questions

4

Design Principles for Secure Cloud Computing

Security for IaaS, SaaS, and PaaS

Security Considerations for Infrastructure as a Service (IaaS)

Security Considerations for Platform as a Service (PaaS)

Security Considerations for Software as a Service (SaaS)

Shared Responsibility Model for Cloud Service Models

Review of Your Responsibilities

Summary

Exam Readiness Drill – Chapter Review Questions

5

How to Evaluate Your Cloud Service Provider

Key Cloud Service Contractual Documents

CSA

AUP

SLA

Evaluation of the CSP Services

Know Your Business Needs

Assessing Security and Compliance

Summary

Exam Readiness Drill – Chapter Review Questions

6

Cloud Data Security Concepts and Architectures

Structured and Unstructured Data

Key Differences

The Cloud Data Lifecycle

Data Creation or Procurement

Data Storage

Data Usage

Data Sharing

Data Archiving

Data Destruction

Various Storage Types and Common Threats

Object Storage

File Storage

Block Storage

Prevalent Threats to Cloud Data

Security Measures for Cloud Object Storage, File Storage, and Block Storage

Data Classification and Discovery

Recommended Data Classification Process

Cloud Data Security Technologies and Common Strategies

Encryption in Cloud Data Security

IAM

SIEM

Firewall and Intrusion Detection Systems

Data Loss Prevention Tools

Critical Cloud Data Security Strategies

Importance of a Cloud Security Policy

Implementing a Cloud Security Policy

Regular Security Audits and Assessments

Employee Training and Awareness

Regular Data Backups and Recovery Planning

Best Practices for Data Retention, Archival, and Deletion

Understanding Data Lifecycle Management

Implementing Data Retention Policies

Secure Data Deletion Techniques

Effective Data Archiving Solutions

Compliance with Data Protection Regulations

Lessons from Cloud Data Security Breaches

Summary

Exam Readiness Drill – Chapter Review Questions

7

Data Governance Essentials

Data Governance

Data Dispersion in the Cloud

The Importance of Data Governance for Cloud Security

Leveraging Cloud-Specific Tools and Services

IRM

The Role of IRM in Data Governance

IRM and Cloud Computing

Implementing IRM

Implementing IRM in a Cloud Environment

Best Practices for IRM Implementation

Case Studies of Successful IRM Implementation

Auditability in Cloud Data Governance

Implementing Auditability in the Cloud

Traceability in Cloud Data Governance

Implementing Traceability in the Cloud

Tools and Technologies for Enhancing Traceability

Accountability in Cloud Data Governance

Key Components of Accountability

Implementing Accountability in Cloud Data Governance

Tools and Technologies for Enhancing Accountability

Cloud Data Life Cycle

The Role of IRM, Auditability, Traceability, and Accountability in Each Phase of the Cloud Data Life Cycle

Challenges and Solutions in Implementing IRM and Data Governance in the Cloud

Emerging Trends and Technologies in Cloud Data Governance and IRM

Summary

Exam Readiness Drill – Chapter Review Questions

8

Essential Infrastructure and Platform Components for a Secure Data Center

Cloud Infrastructure and Platform Components

Designing a Secure Data Center

Physical Design

Choosing a Location

Buying versus Building

Environmental Design

Heating, Ventilation, and Air Conditioning (HVAC)

Multi-Vendor Pathway Connectivity

Logical Design

Tenant Partitioning

Access Control

Summary

Exam Readiness Drill – Chapter Review Questions

9

Analyzing Risks

Overview of Risk Management

Key Concepts in Risk Management

Risk Management in Cloud Environments

Importance of Risk Management in Cloud Computing

Risk Identification and Analysis

Risk Frameworks

Tools and Practices for Identifying Risks in Cloud Environments

Analyzing and Assessing Cloud Security Risks

Qualitative versus Quantitative Risk Analysis Methods

Tools and Frameworks for Cloud Risk Assessments

Cloud Attack Surface Area, Vulnerabilities, Threats, and Attack Vectors

Cloud Attack Surface and Vulnerabilities

Threats, Attack Vectors, and Incident Response (IR) in Cloud

Addressing Cloud Security Risks – Safeguards and Countermeasures

Data Breaches and Data Loss

Non-Authorized Access

Administrative Concerns

Virtualization Risks

Regulatory Non-Compliance

Distributed Denial of Service (DDoS) Attacks

Man-in-the-Middle Attacks

Vendor Issues

Shadow IT

Natural Disasters

Insider Threats

Insecure APIs

Misconfigurations

Forensic Challenges in Cloud Environments and Solutions

Implementing Cloud Security Best Practices, Controls and Countermeasures

Best Practices

Controls

Summary

Exam Readiness Drill – Chapter Review Questions

10

Security Control Implementation

Physical and Environmental Protection Controls

Site Selection and Facility Design

System, Storage, and Communication Protection Controls

Protecting Data

Cryptographic Key Establishment and Management

Managing a Network to Protect Systems and Services

IAM Solutions for Identification, Authentication, and Authorization

OpenID

OAuth

Identification

Authentication

Key Cloud Control Audit Mechanisms

Log Collection

Correlation

Packet Capturing

Summary

Exam Readiness Drill – Chapter Review Questions

11

Planning for the Worst-Case Scenario – Business Continuity and Disaster Recovery

BCDR Definitions

The Importance of BCDR

Key Concepts and Terminology

BCDR Strategies

Defining the Scope of the BCDR Plan

Gathering Requirements and Generating Objectives

Integrating Requirements

Cloud Environment Options for BCDR Planning

Understanding an Organization’s Business Requirements

Identification of Critical Business Functions

Legal and Regulatory Compliance

SLAs and Vendor Management

Creation, Implementation, and Testing of a BCDR Plan

Creating Your Plan

Implementation

Testing and Maintenance of the BCDR Plan

Example Scenarios

Summary

Exam Readiness Drill – Chapter Review Questions

12

Application Security

Why is Application Security Critical?

Common Challenges in Securing Web Applications

Common Application Vulnerabilities

Vulnerabilities with OWASP

Broken Access Control (A01:2021)

Cryptographic Failures (A02:2021)

Injection (A03:2021)

Insecure Design (A04:2021)

Security Misconfiguration (A05:2021)

Vulnerable and Outdated Components (A06:2021)

Identification and Authentication Failures (A07:2021)

Software and Data Integrity Failures (A08:2021)

Security Logging and Monitoring Failures (A09:2021)

Server-Side Request Forgery (A10:2021)

Cloud Application Security Tools and Solutions

Types of Cloud Application Security Tools and Solutions

Summary

Exam Readiness Drill – Chapter Review Questions

13

Secure Software Development Life Cycle

Traditional SDLC to SSDLC

Benefits of the SDLC

Drawbacks of the SDLC

Why the Traditional SDLC Is Obsolete

SDLC versus SSDLC

Adding Security to SDLC

Utilizing the SSDLC in Cloud Projects

SSDLC Activities and Phases

DevOps

Why the SSDLC Is Vital for Modern Software Development

Threat Modeling

STRIDE

PASTA

DREAD

Avoiding Vulnerable Code

The CI/CD Pipeline Concept

Summary

Exam Readiness Drill – Chapter Review Questions

14

Assurance, Validation, and Verification in Security

The Importance of Assurance, Validation, and Verification

What Are Functional and Non-Functional Testing?

Comparing Functional and Non-Functional Testing

Security Testing and Quality Assurance

Two Approaches to Software Verification

Third-Party Review Processes

Measures to Secure APIs

Summary

Exam Readiness Drill – Chapter Review Questions

15

Application-Centric Cloud Architecture

Supplemental Security Components

WAFs

DAM

XML Firewalls

API Gateways

Cryptography

Sandboxing

Application Virtualization and Orchestration

Summary

Exam Readiness Drill – Chapter Review Questions

16

IAM Design

IAM

Digital Identity

Authentication

Authorization

Provisioning and Deprovisioning

Privileged User Management

Centralized Directory Services

Federated Identity

Federation Standards

IdPs

SSO

MFA

CASB

Secrets Management

Summary

Exam Readiness Drill – Chapter Review Questions

17

Cloud Physical and Logical Infrastructure (Operationalization and Maintenance)

Hardware-Specific Security Configuration Requirements

HSMs

TPMs

Storage Controllers

Network Controllers

Installation and Configuration of Management Tools

Virtual Hardware-Specific Security Configuration Requirements

Hypervisor

Network

Installation of Guest OS Virtualization Toolsets

Access Controls for Local and Remote Access

Secure Network Configuration

Virtual Local Area Networks (VLANs)

Transport Layer Security (TLS)

Dynamic Host Configuration Protocol (DHCP)

DNS and Domain Name System Security Extensions (DNSSEC)

VPN

Network Security Controls

Firewalls

Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)

Honeypots

OS Baselining

Patch Management

IaC Strategy

Availability of Clustered Hosts

Distributed Resource Scheduling (DRS)

Dynamic Optimization

Maintenance Mode

High Availability (HA)

Availability of Guest OSs

Performance and Capacity Monitoring in Cloud Environments

Hardware Monitoring in Cloud Environments

Configuration of Host and Guest OS Backup and Restore Functions

Summary

Exam Readiness Drill – Chapter Review Questions

18

International Operational Controls and Standards

Operational Controls and Standards

ITIL

ISO/IEC 20000-1

Change Management

Continuity Management

Information Security Management

Continual Service Improvement Management

Incident Management

Problem Management

An Instance of Problem Management

Release Management

Deployment Management

Configuration Management

Service-Level Management

Availability Management

An Instance of Availability Management

Capacity Management

Summary

Exam Readiness Drill – Chapter Review Questions

19

Digital Forensics

Digital forensics

Forensic data collection methodologies

Evidence management

Collecting, acquiring, and preserving digital evidence

Applying Technical Readiness in Cloud Forensics

Best practices for evidence preservation

Summary

Exam Readiness Drill – Chapter Review Questions

20

Managing Communications

Managing communication with relevant parties

Vendors

Customers

Partners

Regulators

Other stakeholders

Summary

Exam Readiness Drill – Chapter Review Questions

21

Security Operations Center Management

SOC

Monitoring of Security Controls

Log Capture and Analysis

Log Management

Security Information and Event Management (SIEM)

Incident Management

Vulnerability Assessments

Summary

Exam Readiness Drill – Chapter Review Questions

22

Legal Challenges and the Cloud

Legal Requirements and Unique Risks Within the Cloud

Conflicting International Legislation

Evaluation of Legal Risks Specific to Cloud Computing

Legal Framework and Guidelines

eDiscovery and Forensics Requirements

Understanding the Implications of Cloud to Enterprise Risk Management

Assessing Provider Risk Management Programs

Difference Between Data Owner/Controller and Data Custodian/Processor

Regulatory Transparency Requirements

Risk Treatment

Different Risk Frameworks

Metrics for Risk Management

Assessment of Risk Environment

Understanding Outsourcing and Cloud Contract Design

Business Requirements

Vendor Management

Contract Management

Supply-Chain Management

Summary

Exam Readiness Drill – Chapter Review Questions

23

Privacy and the Cloud

Privacy Issues

The Organization for Economic Co-operation and Development (OECD)

Difference between Contractual and Regulated Private Data

Country-Specific Legislation Related to Private Data

European Union

Asia-Pacific

United States

EU-U.S. Privacy Shield

Australia

Canada

Jurisdictional Differences in Data Privacy

Standard Privacy Requirements

International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27018

Generally Accepted Privacy Principles (GAPP)

Privacy Impact Assessments (PIAs)

Summary

Exam Readiness Drill – Chapter Review Questions

24

Cloud Audit Processes and Methodologies

Understanding the Audit Process, Methodologies, and Required Adaptations for a Cloud Environment

Internal and External Audit Controls

Internal Audit Controls

External Audit Controls

Impact of Audit Requirements

Identify Assurance Challenges of Virtualization and the Cloud

Types of Audit Reports

Statement on Standards for Attestation Engagements (SSAE) and Service Organization Control (SOC)

International Standard on Assurance Engagements (ISAE)

Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR)

Restrictions of Audit Scope Statements

Gap Analysis

Audit Planning

Internal ISMS

Internal Information Security Controls System

Policies

Organizational Policies

Functional Policies

Cloud Computing Policies

Identification and Involvement of Relevant Stakeholders

Specialized Compliance Requirements for Highly Regulated Industries

Impact of Distributed IT Model

Summary

Exam Readiness Drill – Chapter Review Questions

25

Accessing the Online Practice Resources

How to Access These Materials

Purchased from Packt Store (packtpub.com)

Packt+ Subscription

Purchased from Amazon and Other Sources

Troubleshooting Tips

Share Feedback

Back to the Book

Why subscribe?

Other Books You May Enjoy

Download a Free PDF Copy of This Book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

Follow these simple steps to get the benefits:

Scan the QR code or visit the link below:

https://packt.link/free-ebook/9781838987664

Submit your proof of purchase. That’s it! We’ll send your free PDF and other benefits to your email directly.

1

Core Cloud Concepts

In this chapter, you will be introduced to the cloud computing characteristics and concepts of cloud service models, cloud deployment models, and different types of stakeholders in cloud computing. In addition to this, you will learn about the core elements required to provide and use cloud-based solutions.

The chapter will cover the most common cloud computing concepts, such as the customer, the provider, the partner, measurable services, scalability, virtualization, storage, and networking. You’ll also learn about the cloud reference architecture that forms the foundation of modern cloud providers. Finally, you’ll learn about cloud computing security and design concepts, as well as the cost-benefit analysis of cloud-based systems.

Making the Most Out of This Book – Your Certification and Beyond

This book and its accompanying online resources are designed to be a complete preparation tool for your CCSP Exam.

The book is written in a way that you can apply everything you’ve learned here even after your certification. The online practice resources that come with this book (Figure 1.1) are designed to improve your test-taking skills. They are loaded with timed mock exams, interactive flashcards, and exam tips to help you work on your exam readiness from now till your test day.

Before You Proceed

To learn how to access these resources, head over to Chapter 25, Accessing the Online Practice Resources, at the end of the book.

Figure 1.1 – Dashboard interface of the online practice resources

Here are some tips on how to make the most out of this book so that you can clear your certification and retain your knowledge beyond your exam:

Read each section thoroughly.

Make ample notes: You can use your favorite online note-taking tool or use a physical notebook. The free online resources also give you access to an online version of this book. Click the BACK TO THE BOOK link from the Dashboard to access the book in Packt Reader. You can highlight specific sections of the book there.

Chapter Review Questions: At the end of this chapter, you’ll find a link to review questions for this chapter. These are designed to test your knowledge of the chapter. Aim to score at least 75% before moving on to the next chapter. You’ll find detailed instructions on how to make the most of these questions at the end of this chapter in the Exam Readiness Drill – Chapter Review Questions section. That way, you’re improving your exam-taking skills after each chapter, rather than at the end.

Flashcards: After you’ve gone through the book and scored 75% or more in each of the chapter review questions, start reviewing the online flashcards. They will help you memorize key concepts.

Mock Exams: Solve the mock exams that come with the book till your exam day. If you get some answers wrong, go back to the book and revisit the concepts you’re weak in.

Exam Tips: Review these from time to time to improve your exam readiness even further.

By the end of this chapter, you will be able to confidently answer questions on the following topics:

Cloud computing

Essential cloud computing characteristics

Cloud stakeholders

Key cloud computing technologies and building blocks

You will now go through each topic above.

What Is Cloud Computing?

Cloud computing significantly altered some of the established IT conventions, even though the majority of the underlying technology and security fundamentals remain the same. Many of the key IT principles addressed in this chapter reaffirm the underlying features that remain constant as cloud computing provisioning and consumption models are embraced. The cloud computing Software-as-a-Service (SaaS) model uses internet-based computing resources to provide scalable and elastic IT-enabled capabilities to internal or external consumers.

Various cloud service providers, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform, have their own definitions of cloud computing, based on their respective service offerings. The non-regulatory agency of the United States Department of Commerce, the National Institute of Standards and Technology (NIST), in its Special Publication (SP) 800-145, provides the most widely used definition for cloud computing, which is cited by IT experts and cloud computing professionals when communicating the basic terminology:

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”

Note

You can read about the NIST publication 800-145 cloud computing definition here: https://csrc.nist.gov/publications/detail/sp/800-145/final.

Now that you are familiar with the definition of cloud computing, it is time to focus on the five essential characteristics of cloud computing.

Essential Cloud Computing Characteristics

Cloud computing, as described by the NIST publication 800-145, is an innovative computing paradigm that delivers computer resources, services, and applications via the internet on demand. It enables users to remotely access, store, and administer data and applications without having to invest in or maintain physical infrastructure or hardware.

As per the NIST publication 800-145, the cloud computing model can be further defined by having five fundamental characteristics, three service models, and four deployment methods:

The five essential characteristics of cloud computing are as follows:

On-demand self-service: Cloud services can be deployed and maintained by the user without the service provider’s participation

Extensive network access: Cloud services are accessible over the internet, making them accessible from several devices and places

Resource pooling: Cloud providers share resources such as storage, computation, memory, and bandwidth to serve several consumers simultaneously

Rapid elasticity: Cloud resources can be readily scaled up or down to meet variable demands, allowing peak loads to be accommodated without compromising performance

Measured service: Cloud consumption is monitored, controlled, and reported so that users only pay for the resources they consume

The three service models are as follows:

SaaS: The SaaS approach provides internet-based applications that are ready for use. Consumers need not concern themselves with infrastructure, software upgrades, or maintenance.

Platform as a service: Platform as a Service (PaaS) provides an environment to create, deploy, and maintain applications. Users can concentrate on application development without thinking about the underlying infrastructure.

Infrastructure as a service: Infrastructure as a Service (IaaS) offers virtualized computing resources, including Virtual Machines (VMs), storage, and networking. The user controls their infrastructure, while the Cloud Service Provider (CSP) oversees the physical hardware.

The four deployment models are as follows:

Private cloud: The cloud infrastructure is devoted to a single enterprise, providing more security and data privacy controls

Community cloud: This deployment approach supports several enterprises that have common concerns, such as security needs or regulatory compliance

Public cloud: The cloud infrastructure is owned and managed by a service provider, who sells services to the general public or a major industrial group

Hybrid cloud: This model combines two or more of the preceding deployment methods, enabling enterprises to make use of the benefits of each while keeping separate environments

Note

You can find more resources about cloud computing and its characteristics here: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf.

As a cloud security expert, it is crucial that you understand these definitions and components in order to create, implement, and maintain security solutions that safeguard sensitive data and guarantee compliance with industry requirements. Cloud security comprises a vast array of techniques and technologies, including identity and access management, encryption, intrusion detection, and secure data transfer that protect cloud-based resources and services. By understanding the specific characteristics of cloud computing, security professionals can better minimize possible risks and vulnerabilities in an environment that is rapidly evolving.

In this section, you learned about the essential cloud computing characteristics. The next section will focus on cloud stakeholders.

Cloud Stakeholders

The International Information Systems Security Certification Consortium (ISC2) CCSP Common Body of Knowledge (CBK) identifies multiple cloud computing stakeholders with specific responsibilities, based primarily on the following International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) standards and NIST special publications:

ISO/IEC 17789 Cloud Computing Reference Architecture (CCRA)

NIST SP 500-292 CCRA

Note

You can read more about the ISO/IEC 17789 CCRA here - https://www.iso.org/standard/60545.html, and the NIST SP 500-292 CCRA here - https://www.nist.gov/publications/nist-cloud-computing-reference-architecture.

The key differences you need to be aware of concerning the identification of these cloud stakeholders are as follows:

The ISO/IEC 17789 CCRA defines three main roles with multiple sub-roles in each main role.

The NIST CCRA defines five key actors.

Note

It is important to focus on the cloud service models and cloud delivery models in this chapter. You will learn about the shared responsibility model, the three service models, and the six common deployment models (as mentioned in the NIST definition) in Chapter 2, Cloud Reference Architecture.

You will now go through each role and actor of ISO/IEC 17789 CCRA and NIST CCRA respectively.

ISO/IEC 17789 CCRA Roles and Sub-Roles

ISO/IEC 17789 is a standard developed by the ISO and the IEC, providing an extensive framework for CCRA. The purpose of this standard is to establish a common language, concepts, and structure to create, deliver, and manage cloud services across various domains.

ISO/IEC 17789 defines a CCRA that includes numerous roles and sub-roles, representing the major actors within the cloud computing ecosystem. You will learn about the duties and interactions between entities within this environment for effective operation and efficiency.

Cloud Service Customer

A Cloud Service Customer (CSC) is an entity that purchases cloud services from a CSP for itself or its users. CSCs can include organizations, departments within organizations, and individuals.

Sub-Roles of the CSC

A Cloud Service User (CSU) is an individual or application that utilizes cloud services provided by the CSP on behalf of the CSC.

CSP

A CSP is the entity responsible for supplying, running, and supporting cloud services. CSPs offer various cloud solutions such as SaaS, PaaS, and IaaS that CSCs can access.

Sub-Functions of a CSP

There are three sub-functions of a CSP:

Cloud Service Development: The Cloud Service Development (CSD) sub-role is responsible for designing, creating, and deploying cloud services that meet the demands of CSCs.

Cloud Service Operation: The Cloud Service Operation (CSO) sub-role is responsible for managing, monitoring, and operating cloud services provided by the CSP. This involves ensuring those services’ availability, performance, and security.

Cloud Service Support: The Cloud Service Support (CSS) sub-role is responsible for offering technical assistance, troubleshooting, and resolving issues related to cloud services for CSCs.

Cloud Service Partner

A Cloud Service Partner (CSN) is an entity that collaborates with the CSP to provide value-added services or support to CSCs. CSNs can be suppliers, resellers, or other organizations working closely with the CSP to improve cloud services as a whole.

Sub-Functions of a CSN

There are two sub-functions of a CSN as listed below:

Cloud Broker: The Cloud Broker (CB) serves as an intermediary between the CSC and various CSPs.

Cloud Carrier: The Cloud Carrier (CC) facilitates network connectivity between a CSP and the CSCs to guarantee secure, dependable communication.

Cloud Auditor

The Cloud Auditor (CA) is an independent body that reviews and validates a CSP and its services’ adherence to applicable standards, laws, and best practices.

You will now learn about the key actors as per the NIST CCRA.

NIST Cloud Computing Key Actors

The NIST Cloud Computing Reference Architecture (NIST SP 500-292) is a document published by NIST with the aim of offering an in-depth framework to comprehend, design, and implement cloud computing services and solutions. This reference architecture is intended to produce a uniform, technology-neutral framework that allows communication, cooperation, and the creation of cloud computing standards among diverse stakeholders, such as CSPs, users, and regulators.

The NIST CCRA is composed of five essential components, often termed actors. These components describe the fundamental functions and duties inside a cloud computing system, thereby clarifying their interrelationships. The five major elements of the NIST CCRA are as follows.

Cloud Consumer

The cloud consumer is a person, group, or business that utilizes cloud services offered by the cloud provider. The cloud consumer obtains and administers cloud services in accordance with its needs and can access these services through a variety of interfaces and devices.

Cloud Provider

The cloud provider is the entity tasked with making cloud services accessible to the cloud customer. This covers the design, management, and maintenance of the cloud infrastructure, platforms, and applications necessary to offer the services. Cloud providers can provide a variety of service models, including IaaS, PaaS, and SaaS.

Cloud Broker

The cloud broker is an agent that helps cloud customers choose, manage, and integrate cloud services from numerous cloud providers. Cloud brokers can provide value-added services, such as collecting and integrating various offers, negotiating contracts, and maintaining Service-Level Agreements (SLAs) to guarantee that the demands of cloud consumers are satisfied.

Cloud Auditor (CA)

The CA is an independent, responsible body that assesses and evaluates the cloud services offered by the cloud provider. This involves confirming the cloud services’ performance, security, and compliance with industry standards, legislation, and best practices. CAs contribute to the confidence and trust of cloud consumers by verifying that cloud providers achieve the necessary service levels and customer expectations.

Cloud Carrier (CC)

The CC is responsible for delivering the connectivity and transport services required for cloud consumer access to a cloud provider’s cloud services. CCs provide the delivery of data and communication between cloud consumers and cloud providers, guaranteeing safe and dependable access to cloud services.

In addition to these core aspects, the NIST CCRA highlights many cross-functional characteristics that are essential to the installation and operation of cloud computing services. They include security, privacy, and compliance, which are vital for ensuring data protection and adherence to applicable laws and regulations.

By providing a structured and thorough reference architecture, NIST SP 500-292 fosters a shared understanding of cloud computing ideas and terminology, enabling stakeholders to make informed decisions and ease the development of interoperable cloud computing solutions. This reference design is a great resource for enterprises intending to adopt cloud computing or to enhance their current cloud-based services.

You now understand the definitions and specifics of cloud stakeholders as seen from the perspective of two organizations. The ISO/IEC 17789 CCRA, with its focus on the CSC, the sub-role of the CSU, the CSP (with its associated sub-roles), the CSN, and the CA, offers a comprehensive view of the dynamics of each of the aforementioned roles, while the NIST reference architecture looks at the five primary actors of consumer, provider, broker, CA, and CC. Both are equally important, and it is essential to understand the differences between the two for the CCSP exam.

In the next section, you will dive into the key core technologies that allow cloud computing to exist and be used at scale for those requiring the use of the cloud.

Key Cloud Computing Technologies and Building Blocks

Cloud computing technologies enable on-demand, scalable, and adaptable computing resources and services. These hardware, software, and networking components enable enterprises to upgrade their IT infrastructures, reduce costs, and quickly adjust according to changing business demands. The fundamental elements that comprise cloud computing technology are as follows:

Compute resources: Cloud computing relies on compute resources for the execution of applications, services, and workloads. These can be virtualized to provide multiple VMs or containers running on one physical server, providing efficient hardware usage and flexible resource allocation.

Storage resources: Storage resources are essential for storing and managing cloud-based data. They offer various storage solutions, such as block storage, file storage, and object storage, to meet various data types, access patterns, and performance demands. On-demand scalability of cloud storage capacity ensures cost-effective and efficient solutions.

Networking resources: Networking resources provide connectivity between cloud users and services, allowing communication between cloud components. These include virtual networks, routers, load balancers, and firewalls that ensure secure, dependable data transfer inside and across cloud environments.

Middleware and runtime: Middleware and runtime components provide the platform and environment required to deliver, manage, and execute cloud applications and services. This consists of application servers, databases, as well as other platform-level elements that facilitate the creation of applications based on various programming languages and frameworks.

Cloud management and orchestration: Management and orchestration technologies are essential for automating the management and control of cloud resources, services, and applications. They aid in the provisioning, monitoring, scalability, and optimization of these resources to ensure optimal resource allocation and use. Moreover, these solutions offer resource life cycle management – guaranteeing resources are available when needed and relinquished when no longer necessary.

Security and privacy: Securing cloud-based data, applications, and infrastructure requires security and privacy components. To safeguard these resources from potential threats or vulnerabilities, they include encryption, identity and access management, intrusion detection systems, and secure data transmission methods.

Service models: Cloud computing offers three basic service models that define the customer’s control scope and level – IaaS, PaaS, and SaaS. Each model isolates different levels of the underlying infrastructure, allowing customers to focus on core business needs while taking advantage of cloud technology benefits.

Deployment models: Deployment models refer to how cloud resources are organized and made accessible to users. The public cloud, private cloud, hybrid cloud, and community cloud are the four primary deployment options. Each offers varying degrees of control, security, and scalability to meet the unique demands and expectations of organizations.

Billing and metering: Billing and metering components enable the tracking and reporting of cloud resource usage, enabling consumption-based pricing so that users only pay for what they use. This pay-as-you-go model offers a flexible yet cost-effective method to access and manage cloud resources.

Although this knowledge may appear basic, it is essential for CCSP candidates to comprehend the fundamental principles of cloud computing. To effectively secure cloud environments, they must possess an in-depth understanding of cloud technologies such as compute resources, storage resources, networking resources, middleware, and runtime, as well as service and deployment patterns. Having this understanding allows them to detect and address potential security risks or vulnerabilities within cloud infrastructures.

Candidates taking the CCSP exam must also be able to evaluate CSPs and suppliers to confirm whether their products meet organizational security and compliance requirements. An understanding of cloud computing building blocks and reference designs such as NIST SP 500-292 can assist in selecting and managing cloud services effectively.

Summary

In this chapter, you learned the fundamental definitions of cloud computing, the different types of stakeholders involved, the activities, and the technology models and building blocks. These are the core CCSP exam topics.

The next chapter will provide more details regarding the cloud reference architecture, the service models, and the cloud deployment models and capabilities. The chapter will also specify the shared considerations for cloud deployments and the impact of new and emerging technologies on the evolution of cloud computing.

Exam Readiness Drill – Chapter Review Questions

Apart from a solid understanding of key concepts, being able to think quickly under time pressure is a skill that will help you ace your certification exam. That is why working on these skills early on in your learning journey is key.

Chapter review questions are designed to improve your test-taking skills progressively with each chapter you learn and review your understanding of key concepts in the chapter at the same time. You’ll find these at the end of each chapter.

How to Access These Materials

To learn how to access these resources, head over to the chapter titled Chapter 25, Accessing the Online Resources.

To open the Chapter Review Questions for this chapter, perform the following steps:

Click the link – https://packt.link/CCSPE1_CH01.

Alternatively, you can scan the following QR code (Figure 1.2):

Figure 1.2 – QR code that opens Chapter Review Questions for logged-in users

Once you log in, you’ll see a page similar to the one shown in Figure 1.3:

Figure 1.3 – Chapter Review Questions for Chapter 1

Once ready, start the following practice drills, re-attempting the quiz multiple times.

Exam Readiness Drill

For the first three attempts, don’t worry about the time limit.

ATTEMPT 1

The first time, aim for at least 40%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix your learning gaps.

ATTEMPT 2

The second time, aim for at least 60%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix any remaining learning gaps.

ATTEMPT 3

The third time, aim for at least 75%. Once you score 75% or more, you start working on your timing.

Tip

You may take more than three attempts to reach 75%. That’s okay. Just review the relevant sections in the chapter till you get there.

Working On Timing

Target: Your aim is to keep the score the same while trying to answer these questions as quickly as possible. Here’s an example of how your next attempts should look:

Attempt      Score   Time Taken
Attempt 5    77%     21 mins 30 seconds
Attempt 6    78%     18 mins 34 seconds
Attempt 7    76%     14 mins 44 seconds

Table 1.1 – Sample timing practice drills on the online platform

Note

The time limits shown in the above table are just examples. Set your own time limits with each attempt based on the time limit of the quiz on the website.

With each new attempt, your score should stay above 75% while your “time taken” to complete should “decrease”. Repeat as many attempts as you want till you feel confident dealing with the time pressure.

Chapter 2 – Cloud Reference Architecture

In the previous chapter, you were introduced to the most relevant cloud computing characteristics and concepts with regard to cloud service models, cloud deployment models, and the different types of stakeholders in cloud computing. In this chapter, you will learn about the different types of cloud service capabilities that cloud service providers offer to their clients to meet their business requirements, along with getting an overview of the key service models—Infrastructure as a Service, Platform as a Service, and Software as a Service—and how they map to cloud capabilities.

You will then move on to the five different cloud deployment models and learn how responsibility shifts between the cloud service provider and the cloud service customer depending on the cloud deployment model and cloud services categories in use. The focus will then move to a review of shared considerations for cloud deployments, and an overview of new and emerging technologies that are related to cloud computing.

By the end of this chapter, you will be able to confidently answer questions on the following:

Cloud service models

Cloud service models and categories

Cloud deployment models

Shared responsibility model

Shared considerations for cloud deployments

New and emerging technologies related to cloud computing

You will now go through each topic in detail.

Cloud Service Models

Cloud consumers try to find solutions to their business and technical needs while searching for cloud service provider offerings that meet their functional and non-functional requirements. Cloud customers look at the service models that the cloud service providers offer and their pricing, and based on that information they are able to conduct a cost and benefit analysis for their business case. The ISO/IEC 17788:2014 (https://www.iso.org/standard/60544.html) standard provides an overview of cloud computing along with a set of terms and definitions for cloud computing, which makes it easier to learn about and discuss the many facets of this technology. You will see this later in the chapter.

The standard describes the following three primary types of cloud service models:

Software as a Service (SaaS)

Platform as a Service (PaaS)

Infrastructure as a Service (IaaS)

You will now review each one of these capabilities separately and examine their functionality and benefits.

Software as a Service (SaaS)

In the SaaS model, a cloud service provider makes various software applications available to end users remotely over the internet, typically through a web browser.

According to ISO/IEC 17788:2014, SaaS is distinguished by the following characteristics:

Management and control: In the SaaS model, the cloud service provider is accountable for managing and maintaining all underlying infrastructure, application software, middleware, and data, including Personally Identifiable Information (PII). You typically have very little influence or control over these elements except for certain user-specific application configuration settings.

Access: SaaS applications can be accessed through the internet, enabling users to utilize them from any device that has an internet connection—regardless of their physical location. This provides greater flexibility as well as remote work and collaboration options.

Scalability: This refers to the capacity of SaaS providers to modify their products and services according to customer demands. This helps guarantee that available resources are utilized efficiently and effectively, helping businesses avoid costly purchases, installations, and management of in-house software and hardware—an advantage that may not be immediately evident.

Pricing modeled on subscriptions: SaaS is often sold through a subscription model. This allows customers to pay for the software on a recurring basis (for instance, monthly or annually) rather than making an initial investment in licenses. Organizations thus benefit from costs that are predictable and manageable, plus the freedom to scale up or down depending on requirements.

Automatic updates: The SaaS model places responsibility for maintaining the software’s most recent version, including all available features, bug fixes, and security patches, on the cloud service provider. This guarantees users always have access to the most up-to-date version of the application while relieving customers’ IT teams of this task.

Multi-tenancy: Multi-tenancy architecture is often employed by SaaS providers, as it permits multiple clients to share an application or infrastructure while still protecting their respective privacy and integrity. This may lead to better resource usage, lower overall costs for customers, and faster release of new features and updates.

Platform as a Service (PaaS)

PaaS is a model in which the cloud service provider provides you with a platform that allows you to construct, run, and maintain your applications without needing to build, maintain, or manage the underlying infrastructure and middleware. This relieves you of having to build, upgrade, or manage these components yourself.

According to ISO/IEC 17788:2014, PaaS stands out from other cloud computing models for its following attributes:

Management and control: In the PaaS model, the cloud service provider is accountable for managing and maintaining all underlying infrastructure and middleware, such as operating systems, runtime environments, and development tools, including the infrastructure and middleware that your applications run on. You retain ownership of your own applications and data but don’t have to concern yourself with overseeing components beneath them on the platform.

Tools for application development and deployment: PaaS offerings typically consist of a collection of tools and services that enable you to design, construct, test, and deploy your own software applications. This could include programming languages, frameworks, libraries, databases, and any other relevant components required for successful development.

Scalability: PaaS providers can scale platform resources to meet changing user demands. This ensures applications can handle increased workloads without customers needing to manage the underlying infrastructure. Scalability is one of the major advantages of PaaS; businesses now have more time and resources for what matters most: developing new applications instead of managing infrastructure.

Integration: PaaS offerings typically feature built-in integration with other cloud services, such as databases, messaging systems, and data storage services. This makes it simpler for you to construct and deploy applications that utilize these resources without needing to manage them independently.

PaaS solutions come in various configurations. PaaS customers have the flexibility to customize their applications and development environments according to individual needs, while still taking advantage of the managed platform provided by their cloud service provider.

Pay-as-you-go pricing: PaaS services typically follow a pay-as-you-go pricing model, where customers only pay for resources they actually utilize. This pricing structure helps businesses save money while better aligning IT spending to actual usage patterns.

Infrastructure as a Service (IaaS)

IaaS is an internet-based model of cloud computing that delivers virtualized computing resources. You have the freedom to access, configure, and manage infrastructure components such as virtual machines, storage, and networking with this service model without needing to purchase or maintain hardware. Using the IaaS model enables businesses to scale resources according to demand, optimize costs, and focus on core business operations rather than managing IT infrastructure.

IaaS stands out from other cloud computing models by virtue of the following characteristics, as defined by ISO/IEC 17788:2014:

Pooling of resources: IaaS providers utilize multi-tenant architectures to pool their available resources such as compute, storage, and networking in order to better serve their customers. This shared model allows them to efficiently allocate those resources among multiple customers while optimizing both utilization and cost.

Rapid elasticity: IaaS offers customers the power to quickly scale infrastructure resources up or down in response to changes in demand. This flexibility allows organizations to adjust quickly to evolving requirements and workloads, leading to improved agility.

Measured service: IaaS providers typically offer a pay-as-you-go pricing model, in which customers are charged according to how many resources they actually utilize. This type of service is known as measured service. With this setup, organizations only pay for the resources that are consumed, thus helping optimize costs and promote efficient resource usage.

On-demand self-service: Customers can access, configure, and manage their infrastructure resources through self-service portals, Application Programming Interfaces (APIs), or management tools provided by the IaaS provider. This gives customers more control over their own resources with less manual intervention from the service provider.

Broad network access: IaaS services can be accessed over the internet from various devices, such as laptops, smartphones, and tablets. This wide network access enables users to manage and interact with their infrastructure resources from any location, thus improving overall accessibility and making remote work simpler.

This section discussed cloud service models in relation to software, platform, and infrastructure. The next section extends this discussion to cloud service categories and cloud service models. There you will again compare the ISO/IEC 17788 standard and the NIST cloud computing reference architecture, and also see how the ISO cloud service categories relate to the cloud service model definitions offered by NIST.

Cloud Service Models and Categories

Cloud computing services are often provided as one of three main service models, also known as service categories. In order to pass the CCSP exam, the (ISC)2 CBK requires you to know the cloud service models and be able to describe their differences.

The NIST Special Publication 800-145 titled The NIST Definition of Cloud Computing defines three fundamental cloud computing service models as follows:

IaaS