The only official study guide for the new CCSP exam objectives effective 2022-2025, the (ISC)² CCSP Certified Cloud Security Professional Official Study Guide, 3rd Edition is your ultimate resource for the CCSP exam. As the only official study guide reviewed and endorsed by (ISC)², it helps you prepare faster and smarter with the Sybex study tools, including pre-test assessments that show you what you already know and which areas need further review. In this completely rewritten 3rd Edition, experienced cloud security professionals Mike Chapple and David Seidl draw on their extensive training and hands-on skills to help you prepare for the CCSP exam. Objective maps, exercises, and chapter review questions help you gauge your progress along the way, and the Sybex interactive online learning environment includes access to a PDF glossary, hundreds of flashcards, and two complete practice exams.

Covering all CCSP domains, this book walks you through Cloud Concepts, Architecture and Design; Cloud Data Security; Cloud Platform and Infrastructure Security; Cloud Application Security; Cloud Security Operations; and Legal, Risk, and Compliance, with real-world scenarios to help you apply your skills along the way. The CCSP credential from (ISC)² and the Cloud Security Alliance is designed to show employers that you have what it takes to keep their organization safe in the cloud. Learn the skills you need to be confident on exam day and beyond.

* Review 100% of all CCSP exam objectives
* Practice applying essential concepts and skills
* Access the industry-leading online study tool set
* Test your knowledge with bonus practice exams and more

As organizations become increasingly reliant on cloud-based IT, the threat to data security looms larger. Employers are seeking qualified professionals with a proven cloud security skillset, and the CCSP credential brings your resume to the top of the pile.
(ISC)² CCSP Certified Cloud Security Professional Official Study Guide gives you the tools and information you need to earn that certification and apply your skills in a real-world setting.
Page count: 694
Year of publication: 2022
Cover
Title Page
Copyright
Acknowledgments
About the Authors
About the Technical Editor
About the Technical Proofreader
Introduction
CCSP Certification
Taking the CCSP Exam
Computer-Based Testing Environment
Exam Retake Policy
Work Experience Requirement
Recertification Requirements
What Does This Book Cover?
CCSP Exam Objectives
CCSP Certification Exam Objective Map
How to Contact the Publisher
Assessment Test
Answers to Assessment Test
Chapter 1: Architectural Concepts
Cloud Characteristics
Business Requirements
Cloud Computing Service Categories
Cloud Deployment Models
Multitenancy
Cloud Computing Roles and Responsibilities
Cloud Computing Reference Architecture
Virtualization
Cloud Shared Considerations
Emerging Technologies
Summary
Exam Essentials
Review Questions
Chapter 2: Data Classification
Data Inventory and Discovery
Information Rights Management
Data Control
Summary
Exam Essentials
Review Questions
Chapter 3: Cloud Data Security
Cloud Data Lifecycle
Cloud Storage Architectures
Threats to Cloud Storage
Designing and Applying Security Strategies for Storage
Summary
Exam Essentials
Review Questions
Chapter 4: Security in the Cloud
Shared Cloud Platform Risks and Responsibilities
Cloud Computing Risks by Deployment Model
Cloud Computing Risks by Service Model
Virtualization
Disaster Recovery (DR) and Business Continuity (BC)
Cloud Design Patterns
Summary
Exam Essentials
Review Questions
Chapter 5: Cloud Platform, Infrastructure, and Operational Security
Foundations of Managed Services
Shared Responsibilities by Service Type
Securing Communications and Infrastructure
Securing Hardware and Compute
Securing Software
Managing Virtual Systems
Assessing Vulnerabilities
Securing the Management Plane
Auditing Your Environment and Provider
Summary
Exam Essentials
Review Questions
Chapter 6: Cloud Application Security
Developing Software for the Cloud
Cloud Application Architecture
Cloud-Secure Software Development Lifecycle (SDLC)
Cloud Application Assurance and Validation
Identity and Access Management
Summary
Exam Essentials
Review Questions
Chapter 7: Operations Elements
Designing a Secure Data Center
Managing Security Operations
Summary
Exam Essentials
Review Questions
Chapter 8: Operations Management
Monitoring, Capacity, and Maintenance
Change and Configuration Management
Problem and Incident Management
IT Service Management and Continual Service Improvement
Business Continuity and Disaster Recovery
Summary
Exam Essentials
Review Questions
Chapter 9: Legal and Compliance Issues
Legal Requirements and Unique Risks in the Cloud Environment
Analyzing a Law
Legal Liability
Torts and Negligence
U.S. Privacy and Security Laws
International Laws
Laws, Regulations, and Standards
Information Security Management Systems
Privacy in the Cloud
Cloud Forensics
Audit Processes, Methodologies, and Cloud Adaptations
Summary
Exam Essentials
Review Questions
Chapter 10: Cloud Vendor Management
The Impact of Diverse Geographical Locations and Legal Jurisdictions
Security Policy Framework
Enterprise Risk Management
Risk Treatment and Response
Risk Analysis
Cloud Contract Design
Government Cloud Standards
Manage Communication with Relevant Parties
Summary
Exam Essentials
Review Questions
Appendix: Answers to the Review Questions
Chapter 1: Architectural Concepts
Chapter 2: Data Classification
Chapter 3: Cloud Data Security
Chapter 4: Security in the Cloud
Chapter 5: Cloud Platform, Infrastructure, and Operational Security
Chapter 6: Cloud Application Security
Chapter 7: Operations Elements
Chapter 8: Operations Management
Chapter 9: Legal and Compliance Issues
Chapter 10: Cloud Vendor Management
Index
End User License Agreement
Chapter 1
FIGURE 1.1 Rapid scalability allows the customer to dictate the volume of re...
FIGURE 1.2 Cloud service categories
FIGURE 1.3 Type 1 and Type 2 hypervisors
FIGURE 1.4 The CIA triad
Chapter 2
FIGURE 2.1 Simplified data flow diagram for a cloud service account lifecycl...
Chapter 3
FIGURE 3.1 Stages of the data lifecycle
FIGURE 3.2 Storage class differentiation in AWS
FIGURE 3.3 Basic tokenization architecture
Chapter 4
FIGURE 4.1 Responsibilities according to service model
Chapter 5
FIGURE 5.1 Responsibilities by service model
FIGURE 5.2 Bastion host in a simple cloud environment
FIGURE 5.3 Sample baseline documentation
FIGURE 5.4 The AWS management console
Chapter 6
FIGURE 6.1 Components for virtualization and containerization
FIGURE 6.2 High-level SDLC view
FIGURE 6.3 The Waterfall SDLC model
FIGURE 6.4 Agile sprints
FIGURE 6.5 There are two general types of federation: the web-of-trust model...
Chapter 7
FIGURE 7.1 AWS's North American region map
FIGURE 7.2 Uptime Institute tiers
FIGURE 7.3 Jumpbox access to protected systems
Chapter 9
FIGURE 9.1 Excerpt from ISO 27701
Chapter 10
FIGURE 10.1 Excerpt from CMS roles and responsibilities chart
FIGURE 10.2 Excerpt from UC Berkeley Minimum Security Standards for Electron...
FIGURE 10.3 Risk exists at the intersection of a threat and a corresponding ...
FIGURE 10.4 Qualitative risk assessments use subjective rating scales to eva...
FIGURE 10.5 Risk register excerpt
FIGURE 10.6 Risk matrix
Third Edition
Mike Chapple, Ph.D. CCSP, CISSP
David Seidl, CISSP
Copyright © 2023 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada and the United Kingdom.
ISBN: 978-1-119-90937-8
ISBN: 978-1-119-90938-5 (ebk.)
ISBN: 978-1-119-90939-2 (ebk.)
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.
Trademarks: WILEY, the Wiley logo, Sybex and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2 and CCSP are registered trademarks or certification marks of International Information Systems Security Certification Consortium, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our website at www.wiley.com.
Library of Congress Control Number: 2022942264
Cover image: © Jeremy Woodhouse/Getty Images
Cover design: Wiley
The authors would like to thank the many people who made this book possible. Thanks to Jim Minatel at Wiley Publishing, who helped us extend the Sybex certification preparation franchise to include this title and has continued to champion our work with the International Information Systems Security Certification Consortium (ISC)2. Thanks also to Carole Jelen, our agent, who tackles all the back-end magic for our writing efforts and worked on both the logistical details and the business side of the book with her usual grace and commitment to excellence. Sharif Nijim and Charles Gaughf, our technical editors, pointed out many opportunities to improve our work and deliver a high-quality final product. John Whiteman, our technical proofreader, and Judy Flynn, our copy editor, ensured a polished product. John Sleeva served as our project manager and made sure everything fit together. Many other people we'll never meet worked behind the scenes to make this book a success, and we really appreciate their time and talents to make this next edition come together.
The publisher and (ISC)2 would like to acknowledge and thank the previous edition author Ben Malisow for his dedicated effort to advance the cause of CCSP and cloud security education.
Mike Chapple, Ph.D., CCSP, CISSP, is an author of the best-selling CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide (Sybex, 2021), now in its ninth edition. He is an information security professional with two decades of experience in higher education, the private sector, and government.
Mike currently serves as teaching professor of IT, Analytics, and Operations at the University of Notre Dame's Mendoza College of Business. He previously served as senior director for IT Service Delivery at Notre Dame, where he oversaw the information security, data governance, IT architecture, project management, strategic planning, and product management functions for the University.
Before returning to Notre Dame, Mike served as executive vice president and chief information officer of the Brand Institute, a Miami-based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active duty intelligence officer in the U.S. Air Force.
Mike has written more than 30 books, including Cyberwarfare: Information Operations in a Connected World (Jones & Bartlett, 2021), CompTIA Security+ SY0-601 Study Guide (Wiley, 2021), and the CompTIA Cybersecurity Analyst+ (CySA+) Study Guide (Wiley, 2020) and Practice Tests (Wiley, 2020).
Mike earned both his BS and PhD degrees from Notre Dame in computer science and engineering. He also holds an MS in computer science from the University of Idaho and an MBA from Auburn University. His IT certifications include the CISSP, Security+, CySA+, CISA, PenTest+, CIPP/US, CISM, CCSP, and PMP credentials.
Mike provides books, video-based training, and free study groups for a wide variety of IT certifications at his website, CertMike.com.
David Seidl, CISSP, is vice president for information technology and CIO at Miami University. During his IT career, he has served in a variety of technical and information security roles, including senior director for Campus Technology Services at the University of Notre Dame, where he co-led Notre Dame's move to the cloud and oversaw cloud operations, ERP, databases, identity management, and a broad range of other technologies and services. He also served as Notre Dame's director of information security and led Notre Dame's information security program. He has taught information security and networking undergraduate courses as an instructor for Notre Dame's Mendoza College of Business and has written books on security certification and cyberwarfare, including coauthoring the previous editions of CISSP (ISC)2 Official Practice Tests (Sybex, 2021) and CompTIA CySA+ Study Guide: Exam CS0-002, CompTIA CySA+ Practice Tests: Exam CS0-002, CompTIA Security+ Study Guide: Exam SY0-601, and CompTIA Security+ Practice Tests: Exam SY0-601, as well as other certification guides and books on information security.
David holds a bachelor's degree in communication technology and a master's degree in information security from Eastern Michigan University, as well as CISSP, CySA+, Pentest+, GPEN, and GCIH certifications.
Sharif Nijim is an associate teaching professor of IT, Analytics, and Operations in the Mendoza College of Business at the University of Notre Dame, where he teaches undergraduate and graduate business analytics and information technology courses.
Before becoming part of the Mendoza faculty, Sharif served as the senior director for IT service delivery in the University of Notre Dame's Office of Information Technologies. In this role, he was part of the senior leadership team for the Office of Information Technologies, overseeing data stewardship, information security and compliance, learning platforms, product services, project management, and enterprise architecture. Prior to Notre Dame, Sharif co-founded and was a board member of a customer data integration company catering to the airline industry. He also spent more than a decade building and performance-optimizing enterprise-class transactional and analytical systems for clients in the logistics, telecommunications, energy, manufacturing, insurance, real estate, healthcare, travel and transportation, and hospitality sectors.
John L. Whiteman is a security researcher for Intel Corporation with over 20 years' experience. He is a part-time adjunct cybersecurity instructor for the University of Portland and also teaches the UC Berkeley Extension's Cybersecurity Boot Camp. He holds multiple security certifications, including CISSP and CCSP. John holds an MSCS from Georgia Institute of Technology and a BSCS from Portland State University.
The Certified Cloud Security Professional (CCSP) certification satisfies the growing demand for trained and qualified cloud security professionals. It is not easy to earn this credential; the exam is extremely difficult, and the endorsement process is lengthy and detailed.
The CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide offers the cloud professional a solid foundation for taking and passing the Certified Cloud Security Professional (CCSP) exam.
The more information you have at your disposal and the more hands-on experience you gain, the better off you'll be when attempting the exam. This study guide was written with that in mind. The goal was to provide enough information to prepare you for the test, but not so much that you'll be overloaded with information that's outside the scope of the exam.
This book presents the material at an intermediate technical level. Experience with and knowledge of security concepts, operating systems, and application systems will help you get a full understanding of the challenges that you'll face as a security professional.
We've included review questions at the end of each chapter to give you a taste of what it's like to take the exam. If you're already working in the security field, we recommend that you check out these questions first to gauge your level of expertise. You can then use the book mainly to fill in the gaps in your current knowledge. This study guide will help you round out your knowledge base before tackling the exam.
If you can answer 90 percent or more of the review questions correctly for a given chapter, you can feel safe moving on to the next chapter. If you're unable to answer that many correctly, reread the chapter and try the questions again. Your score should improve.
Don't just study the questions and answers! The questions on the actual exam will be different from the practice questions included in this book. The exam is designed to test your knowledge of a concept or objective, so use this book to learn the objectives behind the questions.
The CCSP certification is offered by the International Information System Security Certification Consortium, or (ISC)2, a global nonprofit organization. The mission of (ISC)2 is to support and provide members and constituents with credentials, resources, and leadership to address cybersecurity as well as information, software, and infrastructure security to deliver value to society. (ISC)2 achieves this mission by delivering the world's leading information security certification program. The CCSP is the cloud-focused credential in this series and is accompanied by several other (ISC)2 programs:
Certified Information Systems Security Professional (CISSP)
Systems Security Certified Practitioner (SSCP)
Certified Authorization Professional (CAP)
Certified Secure Software Lifecycle Professional (CSSLP)
HealthCare Information Security and Privacy Practitioner (HCISPP)
The CCSP certification covers six domains of cloud security knowledge. These domains are meant to serve as the broad knowledge foundation required to succeed in cloud security roles:
Cloud Concepts, Architecture, and Design
Cloud Data Security
Cloud Platform and Infrastructure Security
Cloud Application Security
Cloud Security Operations
Legal, Risk, and Compliance
The CCSP domains are periodically updated by (ISC)2. The most recent revision, in August 2022, slightly adjusted the weightings: Cloud Data Security rose from 19 to 20 percent of the exam, while Cloud Security Operations fell from 17 to 16 percent. The revision also added or expanded coverage of emerging topics in cloud security.
Complete details on the CCSP Common Body of Knowledge (CBK) are contained in the Exam Outline (Candidate Information Bulletin). It includes a full outline of exam topics and can be found on the (ISC)2 website at www.isc2.org.
The CCSP exam is administered in English, Chinese, German, Japanese, Korean, and Spanish using a computer-based testing format. Your exam will contain 150 questions and have a four-hour time limit. You will not have the opportunity to skip back and forth as you take the exam: you only have one chance to answer each question correctly, so be careful!
Passing the CCSP exam requires achieving a score of at least 700 out of 1,000 points. It's important to understand that this is a scaled score, meaning that not every question is worth the same number of points. Questions of differing difficulty may factor into your score more or less heavily, and adaptive exams adjust to the test taker.
That said, as you work through the practice exams included in this book, you might want to use 70 percent as a goal to help you get a sense of whether you're ready to sit for the actual exam. When you're ready, you can schedule an exam at a location near you through the (ISC)2 website.
Questions on the CCSP exam use a standard multiple-choice format where you are presented with a question and four possible answer choices, one of which is correct. Remember to read the full question and all of the answer options very carefully. Some of those questions can get tricky!
The CCSP exam is administered in a computer-based testing (CBT) format. You'll register for the exam through the Pearson Vue website and may take the exam in the language of your choice.
You'll take the exam in a computer-based testing center located near your home or office. The centers administer many different exams, so you may find yourself sitting in the same room as a student taking a school entrance examination and a healthcare professional earning a medical certification. If you'd like to become more familiar with the testing environment, the Pearson Vue website offers a virtual tour of a testing center:
https://home.pearsonvue.com/test-taker/Pearson-Professional-Center-Tour.aspx
When you take the exam, you'll be seated at a computer that has the exam software already loaded and running. It's a pretty straightforward interface that allows you to navigate through the exam. You can download a practice exam and tutorial from the Pearson Vue website:
www.vue.com/athena/athena.asp
Exam policies can change from time to time. We highly recommend that you check both the (ISC)2 and Pearson VUE sites for the most up-to-date information when you begin your preparation, when you register, and again a few days before your scheduled exam date.
If you don't pass the CCSP exam, you shouldn't panic. Many individuals don't reach the bar on their first attempt but gain valuable experience that helps them succeed the second time around. When you retake the exam, you'll have the benefit of familiarity with the CBT environment and the CCSP exam format. You'll also have time to study the areas where you felt less confident.
After your first exam attempt, you must wait 30 days before retaking the computer-based exam. If you're not successful on that attempt, you must then wait 60 days before your third attempt and 90 days before your fourth attempt. You may not take the exam more than four times in any 12-month period.
Candidates who want to earn the CCSP credential must not only pass the exam but also demonstrate that they have at least five years of work experience in the information technology field. Your work experience must include three years of information security experience and one year of experience in one or more of the six CCSP domains.
Candidates who hold the CISSP certification may substitute that certification for the entire CCSP experience requirement. Candidates with the Certificate of Cloud Security Knowledge (CCSK) from the Cloud Security Alliance (CSA) may substitute that certification for one year of experience in the CCSP domains.
If you haven't yet completed your work experience requirement, you may still attempt the CCSP exam. An individual who passes the exam is a designated Associate of (ISC)2 and has six years to complete the work experience requirement.
Once you've earned your CCSP credential, you'll need to maintain your certification by paying maintenance fees and participating in continuing professional education (CPE). As long as you maintain your certification in good standing, you will not need to retake the CCSP exam.
Currently, the annual maintenance fees for the CCSP credential are $125 per year. This fee covers the renewal for all (ISC)2 certifications held by an individual.
The CCSP CPE requirement mandates earning at least 90 CPE credits during each three-year renewal cycle. Associates of (ISC)2 must earn at least 15 CPE credits each year. (ISC)2 provides an online portal where certificate holders may submit CPE completion for review and approval. The portal also tracks annual maintenance fee payments and progress toward recertification.
This book covers everything you need to know to pass the CCSP exam:
Chapter 1: Architectural Concepts
Chapter 2: Data Classification
Chapter 3: Cloud Data Security
Chapter 4: Security in the Cloud
Chapter 5: Cloud Platform, Infrastructure, and Operational Security
Chapter 6: Cloud Application Security
Chapter 7: Operations Elements
Chapter 8: Operations Management
Chapter 9: Legal and Compliance Issues
Chapter 10: Cloud Vendor Management
Appendix: Answers to Review Questions
This study guide uses a number of common elements to help you prepare:
Summaries
The summary section of each chapter briefly explains the chapter, allowing you to easily understand what it covers.
Exam Essentials
The exam essentials focus on major exam topics and critical knowledge that you should take into the test. The exam essentials focus on the exam objectives provided by (ISC)2.
Chapter Review Questions
A set of questions at the end of each chapter will help you assess your knowledge and whether you are ready to take the exam based on your knowledge of that chapter's topics.
This book comes with a number of additional study tools to help you prepare for the exam. They are described in the following sections.
Go to www.wiley.com/go/Sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.
Sybex's test preparation software lets you prepare with electronic test versions of the review questions from each chapter, the practice exam, and the bonus exam that are included in this book. You can build and take tests on specific domains or by chapter, or cover the entire set of CCSP exam objectives using randomized tests.
Our electronic flashcards are designed to help you prepare for the exam. Over 100 flashcards will ensure that you know critical terms and concepts.
Sybex provides a full glossary of terms in PDF format, allowing quick searches and easy reference to materials in this book.
Mike Chapple provides an audiobook version of the exam essentials from this book to help you prepare for the exam.
Like all exams, the CCSP certification from (ISC)2 is updated periodically and may eventually be retired or replaced. At some point after (ISC)2 is no longer offering this exam, the old editions of our books and online tools will be retired. If you have purchased this book after the exam was retired, or are attempting to register in the Sybex online learning environment after the exam was retired, please know that we make no guarantees that this exam’s online Sybex tools will be available once the exam is no longer available.
(ISC)2 publishes relative weightings for each of the exam's domains. The following table lists the six CCSP objective domains and the extent to which they are represented on the exam.
Domain: % of Exam
Cloud Concepts, Architecture, and Design: 17%
Cloud Data Security: 20%
Cloud Platform and Infrastructure Security: 17%
Cloud Application Security: 17%
Cloud Security Operations: 16%
Legal, Risk, and Compliance: 13%
Objective: Chapter(s)
1. Cloud Concepts, Architecture, and Design
1.1 Understand cloud computing concepts: Chapter 1
1.2 Describe cloud reference architecture: Chapter 1
1.3 Understand security concepts relevant to cloud computing: Chapters 2, 3, 5, 6, 7, 8
1.4 Understand design principles of secure cloud computing: Chapters 1, 3, 4, 8
1.5 Evaluate cloud service providers: Chapter 10
2. Cloud Data Security
2.1 Describe cloud data concepts: Chapters 2, 3, 7
2.2 Design and implement cloud data storage architectures: Chapter 3
2.3 Design and apply data security technologies and strategies: Chapter 3
2.4 Implement data discovery: Chapter 2
2.5 Plan and implement data classification: Chapter 2
2.6 Design and implement Information Rights Management: Chapter 2
2.7 Plan and implement data retention, deletion, and archiving policies: Chapter 2
2.8 Design and implement auditability, traceability, and accountability of data events: Chapters 2, 3, 9
3. Cloud Platform and Infrastructure Security
3.1 Comprehend cloud infrastructure and platform components: Chapters 3, 4, 5, 7
3.2 Design a secure data center: Chapter 7
3.3 Analyze risks associated with cloud infrastructure and platforms: Chapter 4
3.4 Plan and implement security controls: Chapters 2, 5, 6, 8
3.5 Plan business continuity (BC) and disaster recovery (DR): Chapter 8
4. Cloud Application Security
4.1 Advocate training and awareness for application security: Chapter 6
4.2 Describe the Secure Software Development Life Cycle (SDLC) process: Chapter 6
4.3 Apply the Secure Software Development Life Cycle (SDLC): Chapter 6
4.4 Apply cloud software assurance and validation: Chapter 6
4.5 Use verified secure software: Chapters 5, 6
4.6 Comprehend the specifics of cloud application architecture: Chapter 6
4.7 Design appropriate identity and access management (IAM) solutions: Chapter 6
5. Cloud Security Operations
5.1 Build and implement physical and logical infrastructure for cloud environment: Chapter 5
5.2 Operate and maintain physical and logical infrastructure for cloud environment: Chapters 5, 7, 8
5.3 Implement operational controls and standards (e.g., Information Technology Infrastructure Library (ITIL), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000-1): Chapter 8
5.4 Support digital forensics: Chapters 9, 10
5.5 Manage communication with relevant parties: Chapter 10
5.6 Manage security operations: Chapters 3, 4, 7
6. Legal, Risk, and Compliance
6.1 Articulate legal requirements and unique risks within the cloud environment: Chapter 9
6.2 Understand privacy issues: Chapter 9
6.3 Understand audit process, methodologies, and required adaptations for a cloud environment: Chapters 4, 9, 10
6.4 Understand implications of cloud to enterprise risk management: Chapters 9, 10
6.5 Understand outsourcing and cloud contract design: Chapter 10
If you believe you have found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur.
In order to submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission.”
1. What type of solutions enable enterprises or individuals to store data and computer files on the internet using a storage service provider rather than keeping the data locally on a physical disk such as a hard drive or tape backup?
A. Online backups
B. Cloud backup solutions
C. Removable hard drives
D. Masking
2. When using an infrastructure as a service (IaaS) solution, which of the following is not an essential benefit for the customer?
A. Removing the need to maintain a license library
B. Metered service
C. Energy and cooling efficiencies
D. Transfer of ownership cost
3. ______________ focuses on security and encryption to prevent unauthorized copying and limitations on distribution to only those who pay.
A. Information rights management (IRM)
B. Masking
C. Bit splitting
D. Degaussing
4. Which of the following represents the correct set of four cloud deployment models?
A. Public, private, joint, and community
B. Public, private, hybrid, and community
C. Public, internet, hybrid, and community
D. External, private, hybrid, and community
5. Which of the following lists the correct six components of the STRIDE threat model?
A. Spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege
B. Spoofing, tampering, refutation, information disclosure, denial of service, and social engineering elasticity
C. Spoofing, tampering, repudiation, information disclosure, distributed denial of service, and elevation of privilege
D. Spoofing, tampering, nonrepudiation, information disclosure, denial of service, and elevation of privilege
6. What is the term that describes the assurance that a specific author actually created and sent a specific item to a specific recipient and that the message was successfully received?
A. PKI
B. DLP
C. Nonrepudiation
D. Bit splitting
7. What is the correct term for the process of deliberately destroying the encryption keys used to encrypt data?
A. Poor key management
B. PKI
C. Obfuscation
D. Crypto-shredding
8. What is the process of replacing sensitive data with unique identification symbols/addresses?
A. Randomization
B. Elasticity
C. Obfuscation
D. Tokenization
9. Which of the following represents the U.S. legislation enacted to protect shareholders and the public from enterprise accounting errors and fraudulent practices?
A. PCI
B. Gramm–Leach–Bliley Act (GLBA)
C. Sarbanes–Oxley Act (SOX)
D. HIPAA
10. Which of the following is a device that can safely store and manage encryption keys and is used in servers, data transmission, and log files?
A. Private key
B. Hardware security module (HSM)
C. Public key
D. Trusted operating system module (TOS)
11. What is a type of cloud infrastructure that is provisioned for open use by the general public and is owned, managed, and operated by a cloud provider?
A. Private cloud
B. Public cloud
C. Hybrid cloud
D. Personal cloud
12. What is a type of assessment that employs a set of methods, principles, or rules for assessing risk based on nonnumerical categories or levels?
A. Quantitative assessment
B. Qualitative assessment
C. Hybrid assessment
D. SOC 2
13. Which of the following best describes the Cloud Security Alliance Cloud Controls Matrix (CSA CCM)?
A. A set of regulatory requirements for cloud service providers
B. A set of software development lifecycle requirements for cloud service providers
C. A security controls framework that provides mapping/cross relationships with the main industry-accepted security standards, regulations, and controls frameworks
D. An inventory of cloud service security controls that are arranged into separate security domains
14. When a conflict between parties occurs, which of the following is the primary means of determining the jurisdiction in which the dispute will be heard?
A. Tort law
B. Contract
C. Common law
D. Criminal law
15. Which of the following is always available to use in the disposal of electronic records within a cloud environment?
A. Physical destruction
B. Overwriting
C. Encryption
D. Degaussing
16. Which of the following takes advantage of the information developed in the business impact analysis (BIA)?
A. Calculating ROI
B. Risk analysis
C. Calculating TCO
D. Securing asset acquisitions
17. Which of the following terms best describes a managed service model where software applications are hosted by a vendor or cloud service provider and made available to customers over network resources?
A. Infrastructure as a service (IaaS)
B. Public cloud
C. Software as a service (SaaS)
D. Private cloud
18. Which of the following is a federal law enacted in the United States to control the way financial institutions deal with private information of individuals?
A. PCI DSS
B. ISO/IEC
C. Gramm–Leach–Bliley Act (GLBA)
D. Consumer Protection Act
19. What is an audit standard for service organizations?
A. SOC 1
B. SSAE 18
C. GAAP
D. SOC 2
20. What is a set of technologies designed to analyze application source code and binaries for coding and design conditions that are indicative of security vulnerabilities?
A. Dynamic Application Security Testing (DAST)
B. Static application security testing (SAST)
C. Secure coding
D. OWASP
1. B. Cloud backup solutions enable enterprises to store their data and computer files on the internet using a storage service rather than storing data locally on a hard disk or tape backup. This has the added benefit of providing access to data should infrastructure or equipment at the primary business location be damaged in some way that prevents accessing or restoring data locally. Online backups and removable hard drives are other options but do not by default supply the customer with ubiquitous access. Masking is a technology used to partially conceal sensitive data.
2. A. In an IaaS model, the customer must still maintain licenses for operating systems (OSs) and applications used in the cloud environment. In PaaS models, the licensing for OSs is managed by the cloud provider, but the customer is still responsible for application licenses; in SaaS models, the customer does not need to manage a license library.
3. A. Information rights management (IRM) (often also referred to as digital rights management, or DRM) is designed to focus on security and encryption as a means of preventing unauthorized copying and limiting distribution of content to authorized personnel (usually, the purchasers). Masking entails hiding specific fields or data in particular user views in order to limit data exposure in the production environment. Bit splitting is a method of hiding information across multiple geographical boundaries, and degaussing is a method of deleting data permanently from magnetic media.
4. B. The only correct answer for this is public, private, hybrid, and community. Joint, internet, and external are not cloud models.
5. A. The letters in the acronym STRIDE represent spoofing of identity, tampering with data, repudiation, information disclosure, denial of service, and elevation (or escalation) of privilege. The other options are simply mixed up or incorrect versions of the same.
6. C. Nonrepudiation means that a party to a transaction cannot deny they took part in that transaction.
7. D. The act of crypto-shredding means destroying the key that was used to encrypt the data, thereby making the data essentially impossible to recover.
8. D. Replacing sensitive data with unique identification symbols is known as tokenization, a way of hiding or concealing sensitive data by representing it with unique identification symbols/addresses. While randomization and obfuscation are also means of concealing information, they are done quite differently.
9. C. The Sarbanes–Oxley Act (SOX) was enacted in response to corporate scandals in the late 1990s/early 2000s. SOX not only forces executives to oversee all accounting practices, it also holds them accountable for fraudulent/deceptive activity. HIPAA is a U.S. law for medical information. PCI is an industry standard for credit/debit cards. GLBA is a U.S. law for the banking and insurance industries.
10. B. A hardware security module (HSM) is a device that can safely store and manage encryption keys. These can be used in servers, workstations, and so on. One common type is called the Trusted Platform Module (TPM) and can be found on enterprise workstations and laptops. There is no such term as trusted operating system module, and public and private keys are used with asymmetric encryption.
11. B. This is the very definition of public cloud computing.
12. B. A qualitative assessment is a set of methods or rules for assessing risk based on non-mathematical categories or levels. One that uses mathematical categories or levels is called a quantitative assessment. There is no such thing as a hybrid assessment, and an SOC 2 is an audit report regarding control effectiveness.
13. C. The CCM cross-references many industry standards, laws, and guidelines.
14. B. Contracts between parties can establish the jurisdiction for resolving disputes; this takes primacy in determining jurisdiction (if not specified in the contract, other means will be used). Tort law refers to civil liability suits. Common law refers to laws regarding marriage, and criminal law refers to violations of state or federal criminal code.
15. C. Encryption can always be used in a cloud environment, but physical destruction, overwriting, and degaussing may not be available due to access and physical separation factors.
16. B. Among other things, the BIA gathers asset valuation information that is crucial to risk management analysis and further selection of security controls.
17. C. This is the definition of the software as a service (SaaS) model. Public and private are cloud deployment models, and infrastructure as a service (IaaS) does not provide applications of any type.
18. C. The Gramm–Leach–Bliley Act targets U.S. financial and insurance institutions and requires them to protect account holders’ private information. PCI DSS refers to credit card processing requirements, ISO/IEC is a standards organization, and the Consumer Protection Act, while providing oversight for the protection of consumer private information, is limited in scope.
19. B. Both SOC 1 and SOC 2 are report formats based on the SSAE 18 standard. While SOC 1 reports on controls for financial reporting, SOC 2 (Types 1 and 2) reports on controls associated with security or privacy.
20. B. Static application security testing (SAST) is used to review source code and binaries to detect problems before the code is loaded into memory and run.
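The answers above distinguish masking (partially concealing a value in a view, not reversible) from tokenization (replacing the value with a surrogate that carries no information about it, reversible only through a separate vault). The following Python block is an added illustration of that distinction; it is not code from the book. The TokenVault class, the mask_card_number helper and the sample card number are constructed for the example, and the in-memory dictionary stands in for the protected vault a real deployment would use.

```python
"""Masking versus tokenization (added example; TokenVault and the sample
record are constructed for illustration, not taken from the study guide)."""
import re
import secrets


class TokenVault:
    """Hypothetical in-memory token vault.

    A real vault lives in a separately protected store; the point here is
    that the token itself reveals nothing and only vault access reverses it.
    """

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so one value always maps to one token
        # (needed if tokenized fields are later joined or deduplicated).
        if value in self._by_value:
            return self._by_value[value]
        while True:
            # Random surrogate: no relationship to the original value.
            token = "tok_" + secrets.token_hex(8)
            if token not in self._by_token:
                break
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the original; only callers with vault access can do this."""
        return self._by_token[token]


def mask_card_number(pan: str, keep_last: int = 4) -> str:
    """Irreversibly mask a card number, leaving only the last digits visible."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= keep_last:
        return "*" * len(digits)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def tokenize_record(vault: TokenVault, record: dict, sensitive_fields) -> dict:
    """Return a copy of a record with the named sensitive fields tokenized."""
    out = dict(record)
    for field in sensitive_fields:
        if out.get(field) is not None:
            out[field] = vault.tokenize(out[field])
    return out


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record; 4111 1111 1111 1111 is a standard test number.
    order = {"customer": "A. Example", "pan": "4111111111111111"}
    stored = tokenize_record(vault, order, ["pan"])
    print("stored in app database:", stored)
    print("shown in support UI:   ", mask_card_number(order["pan"]))
    print("recovered via vault:   ", vault.detokenize(stored["pan"]))
```

The masked form is what a user view shows and cannot be turned back into the number; the tokenized form is what the application database keeps, and only a component holding the vault can map it back.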
THE OBJECTIVE OF THIS CHAPTER IS TO ACQUAINT THE READER WITH THE FOLLOWING CONCEPTS:
Domain 1: Cloud Concepts, Architecture, and Design
1.1. Understand Cloud Computing Concepts
1.1.1. Cloud Computing Definitions
1.1.2. Cloud Computing Roles and Responsibilities (e.g., cloud service customer, cloud service provider, cloud service partner, cloud service broker, regulator)
1.1.3. Key Cloud Computing Characteristics (e.g., on-demand self-service, broad network access, multitenancy, rapid elasticity and scalability, resource pooling, measured service)
1.1.4. Building Block Technologies (e.g., virtualization, storage, networking, databases, orchestration)
1.2. Describe Cloud Reference Architecture
1.2.1. Cloud Computing Activities
1.2.2. Cloud Service Capabilities (e.g., application capability types, infrastructure capability types)
1.2.3. Cloud Service Categories (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
1.2.4. Cloud Deployment Models (e.g., public, private, hybrid, community, multi-cloud)
1.2.5. Cloud Shared Considerations (e.g., interoperability, portability, reversibility, availability, security, privacy, resiliency, performance, governance, maintenance and versioning, service levels and service-level agreements (SLA), auditability, regulatory, outsourcing)
1.2.6. Impact of Related Technologies (e.g., data science, machine learning, artificial intelligence (AI), blockchain, Internet of Things (IoT), containers, quantum computing, edge computing, confidential computing, DevSecOps)
1.4. Understand Design Principles of Secure Cloud Computing
1.4.3. Business Impact Analysis (BIA) (e.g., cost-benefit analysis, return on investment (ROI))
Cloud computing is everywhere. The modern business depends upon a wide variety of software, platforms, and infrastructure hosted in the cloud, and security professionals must understand how to protect the information and resources used by their organizations, wherever those assets reside.
In this chapter, we introduce the basic concepts of cloud computing and help you understand the foundational material you'll need to know as you begin your journey toward the Certified Cloud Security Professional (CCSP) certification.
Cloud computing is the most transformative development in information technology in the past decade. Organizations around the world are retooling their entire IT strategies to embrace the cloud, and this change is causing disruptive impact across all sectors of technology.
But what is the cloud? Let's start with a simple definition: cloud computing is any case where a provider is delivering computing to a customer at a remote location over a network. This definition is broad and encompasses many different types of activity.
There are some common characteristics that we use to define cloud computing:
Broad network access
On-demand self-service
Resource pooling
Rapid elasticity and scalability
Measured, or “metered,” service
These traits are expressed succinctly in the NIST definition of cloud computing.
The official NIST definition of cloud computing says, “Cloud Computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
These characteristics are also similar to how cloud computing is defined in ISO 17788 (www.iso.org/iso/catalogue_detail?csnumber=60544).
Let's explore these characteristics in more detail.
Broad network access means services are consistently accessible over the network. We might access them by using a web browser or Secure Shell (SSH) connection, but the general idea is that no matter where we or our users are physically located, we can access resources in the cloud.
On-demand self-service refers to the model that allows customers to scale their compute and/or storage needs with little or no intervention from or prior communication with the provider. This means that technologists can access cloud resources almost immediately when they need them to do their jobs. That's an incredible increase in agility for individual contributors and, by extension, the organization. Before the era of on-demand computing, a technologist who wanted to try out a new idea might have to spec out the servers required to implement the idea, gain funding approval, order the hardware, wait for it to arrive, physically install it, and configure an operating system before getting down to work. That might have taken weeks, while today, the same tasks can be accomplished in the cloud in a matter of seconds. On-demand self-service computing is a true game changer.
Resource pooling is the characteristic that allows the cloud provider to meet various demands from customers while remaining financially viable. The cloud provider can make capital investments that greatly exceed what any single customer could provide on their own and can apportion these resources as needed so that the resources are not underutilized (which would mean a wasteful investment) or overtaxed (which would mean a decrease in level of service).
Rapid elasticity and scalability allows the customer to grow or shrink the IT footprint (number of users, number of machines, size of storage, and so on) as necessary to meet operational needs without excess capacity. In the cloud, this can be done in moments as opposed to the traditional environment, where acquisition and deployment of resources (or dispensing old resources) can take weeks or months. In many cases, this scaling can occur automatically, using code to add and remove resources as demands change.
Measured service, or metered service, means that almost everything you do in the cloud is metered. Cloud providers measure the number of seconds you use a virtual server, the amount of disk space you consume, the number of function calls you make, and many other measures. This allows them to charge you for precisely the services you use—no more and no less. This is the same model commonly used by public utilities providing commodity services such as electricity and water. The measured service model is a little intimidating when you first encounter it, but it provides cloud customers with the ability to manage their utilization effectively and achieve the economic benefits of the cloud.
Think of retail demand during the pre-holiday rush toward the end of the year. The sheer volume of customers and transactions greatly exceeds all normal operations throughout the rest of the year. When this happens, retailers who offer online shopping can see great benefit from hosting their sales capability in the cloud. The cloud provider can apportion resources necessary to meet this increased demand and will charge for the increased usage at a negotiated rate, but when shopping drops off after the holiday, the retailers will not continue to be charged at the higher rate.
Many people use the terms elasticity and scalability interchangeably, but they are actually subtly different concepts.
Strictly speaking, scalability refers to the ability of a system to grow as demand increases. This growth does not need to be automated, but it does need to be possible. Scalability may come from using the automated scaling features of a cloud provider, or it may come from adding physical hardware to a system.
Elasticity refers to the ability of a system to dynamically grow and shrink based upon the current level of demand. Administrators may set up a system to automatically add storage, processing power, or network capacity as demand increases and then release those resources when demand is lower. This provides tremendous cost efficiency by only purchasing expensive computing resources when they are actually needed.
In most businesses, the IT department is not a profit center; it provides a support function that allows other business units to generate a profit. Cybersecurity teams definitely fit into this category—they generally don't do anything that generates revenue for the business, and from the perspective of business leaders, they represent a sunk cost that reduces efficiency by lowering profits. In fact, security activities often hinder business efficiency (because, generally, the more secure something is, be it a device or a process, the less efficient it will be). This is why the business needs of the organization drive security decisions and not the other way around.
A successful organization will gather as much information about operational business requirements as possible; this information can be used for many purposes, including several functions in the security realm. (We'll touch on this throughout the book, but a few examples include the business continuity and disaster recovery effort, the risk management plan, and data categorization.) Likewise, the astute security professional needs to understand as much as possible about the operation of the organization. Operational aspects of the organization can help security personnel better perform their tasks no matter what level or role they happen to be assigned to. Consider the following examples:
A network security administrator has to know what type of traffic to expect based on the business of the organization.
The intrusion detection analyst has to understand what the organization is doing, how business activities occur, and where (geographically) the business is operating to better understand the nature and intensity of potential external attacks and how to adjust baselines accordingly.
The security architect has to understand the various needs of the organizational departments to enhance their operation without compromising their security profile.
Security leaders must not only understand the technologies used by the organization but also the associated risks and how to appropriately manage them.
Functional requirements: Those performance aspects of a device, process, or employee that are necessary for the business task to be accomplished. Example: A salesperson in the field must be able to connect to the organization's network remotely.
Nonfunctional requirements: Those aspects of a device, process, or employee that are not necessary for accomplishing a business task but are desired or expected. Example: The salesperson's remote connection must be secure.
As organizations consider their distribution of resources between the cloud and on-premises computing environments, they must select a mix that is appropriate for their needs. This is not a decision made lightly, and the business requirements must be supported by this transition. There are also different cloud service and delivery models of cloud computing, and an organization must decide which one will optimize success.
A true evaluation and understanding of the business processes, assets, and requirements are essential. Failing to properly capture the full extent of the business needs could result in not having an asset or capability in the new environment after migration to the cloud.
At the start of this effort, however, the intent is not to determine what will best fulfill the business requirements but to determine what those requirements are. A full inventory of assets, processes, and requirements is necessary, and there are various methods for collecting this data. Typically, several methods are used jointly as a means to reduce the possibility of missing something.
Here are some possible methods for gathering business requirements:
Interviewing functional managers
Interviewing users
Interviewing senior management
Observing employees doing their jobs
Surveying customers
Collecting network traffic
Inventorying assets
Collecting financial records
Collecting insurance records
Collecting marketing data
Collecting regulatory mandates
After sufficient data has been collected, a detailed analysis is necessary. This is the point where a business impact analysis (BIA) takes place.
The BIA is an assessment of the priorities given to each asset and process within the organization. A proper analysis should consider the effect (impact) any harm to or loss of each asset might mean to the organization overall. During the BIA, special care should be paid to identifying critical paths and single points of failure. You also need to determine the costs of compliance—that is, the legislative and contractual requirements mandated for your organization. Your organization's regulatory restrictions will be based on many variables, including the jurisdictions where your organization operates, the industry the organization is in, the types and locations of your customers, and so on.
Assets can be tangible or intangible. They can include hardware, software, intellectual property, personnel, processes, and so on. An example of tangible assets would be things like routers and servers, whereas intangible assets are generally something you cannot touch, such as software code, expressions of ideas, and business methodologies.
Once you have a clear picture of what your organization does in terms of lines of business and processes, you can get a better understanding of what benefits the organization might derive from cloud migration as well as the costs associated with the move. Conducting a cost/benefit analysis helps you understand this trade-off in clear financial terms.
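The BIA described above ranks assets by the impact their loss would have and calls out single points of failure. The Python block below is an added example of how that analysis can be expressed as a small dependency model; it is not from the book. The process names, impact figures and asset names are constructed. Each process lists dependency groups; a group is a set of interchangeable assets, and the process keeps running as long as one asset in every group is available, so an asset that is the only member of a group is a single point of failure for that process.

```python
"""Dependency-based BIA helper (added example; all data is constructed)."""
from collections import defaultdict

# Constructed model: process -> hourly impact of an outage and the asset
# groups it depends on. A one-element group has no redundancy.
PROCESSES = {
    "online_orders": {
        "impact_per_hour": 12000,
        "needs": [{"web-1", "web-2"}, {"db-primary"}, {"payment-gw"}],
    },
    "warehouse_pick": {
        "impact_per_hour": 4000,
        "needs": [{"wms-app"}, {"db-primary"}],
    },
    "payroll": {
        "impact_per_hour": 500,
        "needs": [{"hr-saas"}],
    },
}


def single_points_of_failure(processes):
    """Map each asset that appears alone in a dependency group to the
    processes that would stop without it."""
    spof = defaultdict(set)
    for name, proc in processes.items():
        for group in proc["needs"]:
            if len(group) == 1:
                (asset,) = tuple(group)
                spof[asset].add(name)
    return dict(spof)


def impact_of_losing(asset, processes):
    """Hourly impact if this one asset fails, given current redundancy.

    A process is counted once, and only if the asset is its sole member of
    some group; an asset with a standby partner contributes nothing."""
    total = 0
    for proc in processes.values():
        for group in proc["needs"]:
            if asset in group and len(group) == 1:
                total += proc["impact_per_hour"]
                break
    return total


def rank_assets(processes):
    """All assets ordered by impact of loss, highest first (name breaks ties)."""
    assets = set()
    for proc in processes.values():
        for group in proc["needs"]:
            assets |= group
    ranked = sorted(assets, key=lambda a: (-impact_of_losing(a, processes), a))
    return [(a, impact_of_losing(a, processes)) for a in ranked]


def with_replica(processes, asset, replica):
    """Return a copy of the model in which `replica` backs up `asset`
    in every group that contains it, to test a proposed mitigation."""
    new = {}
    for name, proc in processes.items():
        groups = [group | {replica} if asset in group else set(group)
                  for group in proc["needs"]]
        new[name] = {"impact_per_hour": proc["impact_per_hour"], "needs": groups}
    return new


if __name__ == "__main__":
    for asset, impact in rank_assets(PROCESSES):
        print(f"{asset:12s} {impact:>7d}/h", "SPOF" if impact else "")
    hardened = with_replica(PROCESSES, "db-primary", "db-replica")
    print("db-primary after adding a replica:", impact_of_losing("db-primary", hardened))
```

Running the model shows the shared database outranks every other asset because two processes depend on it with no redundancy, which is exactly the kind of critical path the BIA is meant to surface; the with_replica step then shows how a proposed control changes the ranking before any money is spent.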
Obviously, the greatest driver pushing organizations toward cloud migration at the moment is perceived cost savings, and that is a significant and reasonable consideration. The next few sections describe some aspects of that consideration.
If your organization buys a device for use in its internal environment, the capacity of that device will either be fully utilized or (more likely) not. If the device is used at its fullest capacity, then it's quite likely that the function for which it is needed may experience inefficiencies at some point. Even a small uptick in demand for that device will overload its capacity. However, if the device is not fully utilized, then the organization has paid for something for which it is getting less than full value. The unused or excess capacity goes to waste. In effect, the organization has overpaid for the device unless it uses the device to the point where it is dangerously close to overload—you cannot buy just part of a device.
Moreover, tax benefits that can be realized from the purchase of a device have to be accrued over years of operation, as depreciation of that device/asset. With a paid service (such as cloud), an operational expenditure, the entire payment (perhaps monthly or quarterly) is tax deductible as an expense.
In the cloud, however, the organization is only paying for what it uses (regardless of the number of devices, or fractions of devices, necessary to handle the load) and no more. This is the metered service aspect described earlier. As a result, the organization does not overpay for these assets. At the same time, cloud providers keep excess capacity available to be apportioned to cloud customers, so your organization is always in a position to absorb increased demand (even dramatic, rapid, and significant demand) without being overwhelmed (this is the rapid elasticity aspect described earlier).
One way an organization can use hosted cloud services is to augment internal, private data center capabilities with managed services during times of increased demand. We refer to this as cloud bursting. The organization might have data center assets it owns, but it can't handle the increased demand during times of elevated need (crisis situations, heavy holiday shopping periods, and so on), so it rents the additional capacity as needed from an external cloud provider. See Figure 1.1.
Therefore, with deployment to a cloud environment, the organization realizes cost savings immediately (not paying for unused resources) and avoids a costly risk (the possibility of loss of service due to increased demand).
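The argument of the preceding paragraphs (whole devices cannot be bought in fractions, unused capacity is wasted, an overloaded device loses service, and metered or burst capacity avoids both) can be checked with numbers. The Python model below is an added example, not from the book; the device price, cloud unit price, lost-demand cost and the demand series are all constructed, and the elasticity and scalability discussion earlier in the chapter is covered by the same model.

```python
"""Capacity/cost model for fixed, metered and cloud-bursting strategies
(added example; every price and the demand series are constructed)."""
import math

DEVICE_CAPACITY = 10     # units of work one owned device handles per hour
DEVICE_COST = 2000.0     # price of one device for the horizon below
HORIZON_HOURS = 24 * 30  # one month
CLOUD_UNIT_HOUR = 0.50   # metered cloud price per unit-hour
LOST_DEMAND_COST = 3.0   # revenue lost per unit of demand not served

# Constructed demand: a steady baseline of 12 units with a 40-hour spike to 45.
DEMAND = [12] * 500 + [45] * 40 + [12] * (HORIZON_HOURS - 540)


def fixed_capacity_cost(demand, devices):
    """Buy whole devices; demand above capacity is lost, idle capacity is paid for."""
    cap = devices * DEVICE_CAPACITY
    lost = sum(max(0, d - cap) for d in demand)
    return {
        "capex": devices * DEVICE_COST,
        "cloud": 0.0,
        "lost_demand": lost * LOST_DEMAND_COST,
        "idle_unit_hours": sum(max(0, cap - d) for d in demand),
    }


def metered_cost(demand):
    """Elastic cloud: pay only for unit-hours actually consumed."""
    return {
        "capex": 0.0,
        "cloud": sum(demand) * CLOUD_UNIT_HOUR,
        "lost_demand": 0.0,
        "idle_unit_hours": 0,
    }


def bursting_cost(demand, devices):
    """Owned devices carry the base load; overflow bursts to the cloud."""
    cap = devices * DEVICE_CAPACITY
    overflow = sum(max(0, d - cap) for d in demand)
    return {
        "capex": devices * DEVICE_COST,
        "cloud": overflow * CLOUD_UNIT_HOUR,
        "lost_demand": 0.0,
        "idle_unit_hours": sum(max(0, cap - d) for d in demand),
    }


def total(costs):
    """Money actually lost or spent; idle capacity is reported separately."""
    return costs["capex"] + costs["cloud"] + costs["lost_demand"]


def devices_for_peak(demand):
    """Whole devices needed to never drop demand (you cannot buy a fraction)."""
    return math.ceil(max(demand) / DEVICE_CAPACITY)


def compare(demand):
    """Totals for the four strategies discussed in the text."""
    base = math.ceil(min(demand) / DEVICE_CAPACITY)
    return {
        "fixed_for_peak": total(fixed_capacity_cost(demand, devices_for_peak(demand))),
        "fixed_for_base": total(fixed_capacity_cost(demand, base)),
        "metered": total(metered_cost(demand)),
        "bursting": total(bursting_cost(demand, base)),
    }


if __name__ == "__main__":
    for name, cost in compare(DEMAND).items():
        print(f"{name:15s} {cost:10.2f}")
    print("idle unit-hours when sized for the peak:",
          fixed_capacity_cost(DEMAND, devices_for_peak(DEMAND))["idle_unit_hours"])
```

With these constructed figures, sizing owned hardware for the peak costs the most and leaves most of the month's capacity idle, sizing it for the baseline turns the spike into lost revenue, and the metered and bursting options land close together. Change the unit prices and the ordering of the last two flips, which is the reason to run a cost/benefit model on the organization's own numbers rather than assume the cloud is always cheaper.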
Cloud services can quickly spring up all over an organization as individual business units make adoption decisions without coordinating with the IT department or other business units.
Cloud governance programs try to bring all of an organization's cloud activities under more centralized control. They serve as a screening body helping to ensure that cloud services used by the organization meet technical, functional, and security requirements. They also provide a centralized point of monitoring for duplicative services, preventing different business units from spending money on similar services when consolidation would reduce both costs and the complexity of the operating environment.
Building a centralized governance program also helps organizations avoid the use of shadow IT, where functional units discover and provision cloud services on their own to satisfy unmet technical needs.
FIGURE 1.1 Rapid scalability allows the customer to dictate the volume of resource usage.
For most organizations (other than those that deliver IT services), managing data is not a core competency, much less a profitable line of business. Data management is also a specialized skill, and people with IT experience and training are relatively expensive (compared to employees in other departments). The personnel required to fulfill the physical needs of an internal IT environment represent a significant and disproportionately large investment for the organization. In moving to the cloud, the organization can largely divest itself of a large percentage, if not a majority, of these personnel.
Maintaining and administering an internal environment takes a great deal of effort and expense. When an organization moves to the cloud, the cost becomes part of the price of the service, as calculated by the cloud provider. Therefore, costs are lumped in with the flat-rate cost of the contract and will not increase in response to enhanced operations (scheduled updates, emergency response activities, and so on).