The Official (ISC)2 CCSP CBK Reference - Aaron Kraus - E-Book

Aaron Kraus

Description

The only official body of knowledge for CCSP--the most popular cloud security credential--fully revised and updated. Certified Cloud Security Professional (CCSP) certification validates the advanced technical skills needed to design, manage, and secure data, applications, and infrastructure in the cloud. This highly sought-after global credential has been updated with revised objectives. The new third edition of The Official (ISC)² Guide to the CCSP CBK is the authoritative, vendor-neutral common body of knowledge for cloud security professionals. This comprehensive resource provides cloud security professionals with an indispensable working reference to each of the six CCSP domains: Cloud Concepts, Architecture and Design; Cloud Data Security; Cloud Platform and Infrastructure Security; Cloud Application Security; Cloud Security Operations; and Legal, Risk and Compliance. Detailed, in-depth chapters contain the accurate information required to prepare for and achieve CCSP certification. Every essential area of cloud security is covered, including implementation, architecture, operations, controls, and immediate and long-term responses. Developed by (ISC)², the world leader in professional cybersecurity certification and training, this indispensable guide:

* Covers the six CCSP domains and over 150 detailed objectives
* Provides guidance on real-world best practices and techniques
* Includes illustrated examples, tables, and diagrams

The Official (ISC)² Guide to the CCSP CBK is a vital ongoing resource for IT and information security leaders responsible for applying best practices to cloud security architecture, design, operations and service orchestration.

Number of pages: 779

Year of publication: 2022




Table of Contents

Cover

Title Page

Copyright

Acknowledgments

About the Author

About the Technical Editor

Foreword to the Fourth Edition

Introduction

Chapter 1: Cloud Concepts, Architecture, and Design

Understand Cloud Computing Concepts

Describe Cloud Reference Architecture

Understand Security Concepts Relevant to Cloud Computing

Understand Design Principles of Secure Cloud Computing

Evaluate Cloud Service Providers

Summary

Chapter 2: Cloud Data Security

Describe Cloud Data Concepts

Design and Implement Cloud Data Storage Architectures

Design and Apply Data Security Technologies and Strategies

Implement Data Discovery

Implement Data Classification

Design and Implement Information Rights Management

Plan and Implement Data Retention, Deletion, and Archiving Policies

Design and Implement Auditability, Traceability, and Accountability of Data Events

Summary

Chapter 3: Cloud Platform and Infrastructure Security

Comprehend Cloud Infrastructure and Platform Components

Design a Secure Data Center

Analyze Risks Associated with Cloud Infrastructure and Platforms

Plan and Implementation of Security Controls

Plan Disaster Recovery and Business Continuity

Summary

Chapter 4: Cloud Application Security

Advocate Training and Awareness for Application Security

Describe the Secure Software Development Life Cycle Process

Apply the Secure Software Development Life Cycle

Apply Cloud Software Assurance and Validation

Use Verified Secure Software

Comprehend the Specifics of Cloud Application Architecture

Design Appropriate Identity and Access Management Solutions

Summary

Chapter 5: Cloud Security Operations

Build and Implement Physical and Logical Infrastructure for Cloud Environment

Operate Physical and Logical Infrastructure for Cloud Environment

Manage Physical and Logical Infrastructure for Cloud Environment

Implement Operational Controls and Standards

Support Digital Forensics

Manage Communication with Relevant Parties

Manage Security Operations

Summary

Chapter 6: Legal, Risk, and Compliance

Articulating Legal Requirements and Unique Risks within the Cloud Environment

Understand Privacy Issues

Understanding Audit Process, Methodologies, and Required Adaptations for a Cloud Environment

Understand Implications of Cloud to Enterprise Risk Management

Understand Outsourcing and Cloud Contract Design

Summary

Index

End User License Agreement

List of Tables

Chapter 1

TABLE 1.1 Cloud Shared Responsibility Model

Chapter 5

TABLE 5.1 Cloud Shared Responsibility Model

Chapter 6

TABLE 6.1 Types of Private Data

TABLE 6.2 AICPA Service Organization Control (SOC) Reports

List of Illustrations

Chapter 2

FIGURE 2.1 The secure data lifecycle

FIGURE 2.2 Cloud web app data flow diagram

Chapter 5

FIGURE 5.1 NIST incident response lifecycle phases


CCSP®: Certified Cloud Security Professional

An (ISC)2® Certification

The Official (ISC)2® CCSP® CBK® Reference

Fourth Edition


Aaron Kraus

Copyright © 2023 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

ISBN: 978-1-119-90901-9
ISBN: 978-1-119-90902-6 (ebk.)
ISBN: 978-1-119-90903-3 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.

Trademarks: WILEY, the Wiley logo, Sybex, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2, CCSP, and CBK are service marks or registered trademarks of Information Systems Security Certification Consortium, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

If you believe you've found a mistake in this book, please bring it to our attention by emailing our reader support team at [email protected] with the subject line “Possible Book Errata Submission.”

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2022941286

Cover design: Wiley and (ISC)2

Acknowledgments

First and foremost, my deepest appreciation goes to my family, mentors, and colleagues. The support of my family during the long hours required to research, write, and review this book made it possible. Mentors and colleagues who have educated and guided me made it possible to produce this reference, and the excellent resources they have created are linked throughout the book for more information on a wide variety of topics.

I would also like to express appreciation to (ISC)2 for providing the CCSP certification, certification preparation materials, and reference guides for many security topics. As the world continues the shift to cloud computing, it is essential for security practitioners to have validated real-world skills to properly secure these new computing resources.

The excellent team at John Wiley & Sons is a continuing source of support, including associate publisher Jim Minatel, project editor John Sleeva, and content refinement specialist Archana Pragash. Many thanks to them for entrusting me with the task of updating this reference guide and for their ongoing help to make it the best possible. Special thanks to my technical editor Gareth Marchant, whose knowledge and insight elevated every domain.

Above all, thank you to the readers. Whether you are preparing for your CCSP exam or brushing up on a crucial aspect of cloud security, it is your hard work securing cloud computing environments that makes the world a safer place.

About the Author

Aaron Kraus, CCSP, CISSP, is an information security executive with deep experience in security risk management, auditing, and teaching information security topics. He has worked in security and compliance roles across industries including U.S. federal government civilian agencies, financial services, and technology startups, and he is currently a security director for a property technology startup. His experience includes creating alignment between security teams and the organizations they support, by evaluating the unique threat landscape facing each organization and the unique objectives each organization is pursuing to deliver a balanced, risk-based security control program. As a consultant to a financial services firm, he designed, executed, and matured the third-party vendor audit programs to provide oversight of key compliance initiatives, and he led global audit teams to perform reviews covering physical security, logical security, and regulatory compliance. Aaron is a course author, instructor, and cybersecurity curriculum dean with more than 14 years of experience at Learning Tree International, and he most recently taught the Official (ISC)2 CISSP CBK Review Seminar. He has served as a technical editor for numerous Wiley publications, including CISSP and CCSP study guides and practice tests, and is coauthor of The Official (ISC)2 CISSP CBK Reference as well as coauthor of the previous edition of The Official (ISC)2 CCSP CBK Reference.

About the Technical Editor

Gareth Marchant started his professional career as an electrical engineer and has worked in information technology for over 20 years. He has held systems engineering and senior leadership roles in both private and public sector organizations. The central theme throughout his career has been systems architecture and design, covering a broad range of technical services but always focused on resiliency. Gareth currently lives in Nashville, TN, but has recovered IT operations in Florida following tornado strikes and many hurricanes.

Gareth is an (ISC)2 and EC-Council certified instructor and currently holds CISSP, CEH, ECIH, SSCP, GMON, CASP+, Security+, CySA+, Network+, Cybersec First Responder, Cyber Secure Coder, and other certifications, as well as a master's degree in computer information systems. In addition to cybersecurity certification prep, he also teaches information systems and cybersecurity courses as an adjunct instructor and is the author of the Official CompTIA CASP+ Self-Paced Study Guide.

Foreword to the Fourth Edition

These are exciting times for the cybersecurity profession, and we are so glad that you are a part of it. Once recognized as a CCSP®, you will have a cloud security certification that will help you advance your career by demonstrating your expertise in securing critical assets in the cloud.

Cloud security is one of the most in-demand cybersecurity skillsets today. In fact, the opportunity has never been greater for dedicated professionals to carve out a meaningful career and make a difference in their organizations. Earning the CCSP® certification makes you a forerunner in the cybersecurity community, proving that you have the advanced skills and knowledge to design, manage, and secure data, applications, and infrastructure in the cloud.

Whether you are picking up this book in preparation to sit for the exam or you are an existing CCSP® using this as a reference, you'll find The Official (ISC)2 CCSP CBK Reference a valuable resource as you continue to learn about today's cloud security principles and practices.

We wish you all the best in your CCSP® journey. From the very beginning through the advancements and discoveries that you are sure to find along the way, (ISC)2 will be by your side, always advocating for you, as we work together to create a safe and secure cyber world.

Sincerely,

Clar Rosso

CEO, (ISC)2

Introduction

The Certified Cloud Security Professional (CCSP) denotes a professional with demonstrated ability across important aspects of architecture, data security, and risk management in cloud computing. The exam covers knowledge and skills across six domains of practice related to cloud security, codified in the (ISC)2 CCSP Common Body of Knowledge (CBK).

Domain 1: Cloud Concepts, Architecture, and Design

Domain 2: Cloud Data Security

Domain 3: Cloud Platform and Infrastructure Security

Domain 4: Cloud Application Security

Domain 5: Cloud Security Operations

Domain 6: Legal, Risk, and Compliance

Passing the exam is one condition of certification, and to qualify for the certification, a professional must have five years of experience in information technology, of which three years must be in a security-specific capacity and at least one year dedicated to one or more of the six CCSP domains.

Professionals take many paths into information security, and there are variations in acceptable practices across different industries and regions. The CCSP CBK represents a baseline standard of security knowledge relevant to cloud security and management, though the rapid pace of change in cloud computing means a professional must continuously maintain their knowledge to stay current. As you read this guide, consider not only the scenarios or circumstances presented to highlight the CBK topics, but also connect it to common practices and norms in your organization, region, and culture. Once you achieve CCSP certification, you will be asked to maintain your knowledge with continuing education, so keep topics of interest in mind for further study once you have passed the exam.

Domain 1: Cloud Concepts, Architecture, and Design

Understanding cloud computing begins with the building blocks of cloud services, which the Cloud Concepts, Architecture, and Design domain introduces. This includes two vital participants: cloud service providers and cloud consumers, as well as reference architectures used to deliver cloud services like infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). There are business benefits inherent in these IT resource paradigms, like shifting spending from capital expenditure (CapEx) to operating expenditure (OpEx). This changes the way organizations budget and pay for the IT resources needed to run their business, so it is not uncommon to see financial leaders driving adoption of cloud services. New IT service models bring with them new forms of information security risks, however, which must be assessed and weighed so the organization achieves an optimal balance of cost (in the form of risk) with benefits (in the form of reduced IT spending). This will drive decisions on which cloud deployment model to adopt, like public or private cloud, as well as key internal governance initiatives when migrating to and managing cloud computing.

Domain 2: Cloud Data Security

Information security is fundamentally concerned with preserving the confidentiality, integrity, and availability of data. Although cloud computing upends many legacy IT models and practices, security risks to information systems remain. The Cloud Data Security domain introduces new concepts like the cloud data lifecycle, as well as cloud-specific considerations like data dispersion and the loss of physical control over storage media, which require unique approaches to data disposal. Cloud security practitioners must understand how to implement controls for audit and accountability of data stored or processed in the cloud, as well as crucial oversight tasks like data discovery to create an inventory. This domain introduces proactive safeguards intended to manage sensitive data stored in the cloud, like masking, tokenization, data loss prevention (DLP), and classification of data. Cloud-specific considerations and adaptations of traditional controls are a primary concern, since cloud services remove security capabilities like physical destruction of disk drives. Cloud computing also introduces new capabilities like instantaneous global data replication, which can reduce availability risks.

Domain 3: Cloud Platform and Infrastructure Security

There are two perspectives treated in the Cloud Platform and Infrastructure Security domain. Cloud providers require skilled security practitioners to design, deploy, and maintain both physically and logically secure environments. This includes buildings, facilities, and utilities needed to provide the cloud service offering, as well as configuration and management of software systems like hypervisors, storage area networks (SANs), and software-defined networking (SDN) infrastructure. A key concern is the security of data stored by the cloud consumers, particularly the proper isolation of tenant data to avoid leakage between cloud tenants. From the perspective of the cloud consumer, traditional security controls will require adaptation for cloud environments, such as the use of virtualized hardware security modules (HSMs) to generate and manage cryptographic keys, and additional layers of encryption required to reduce the risk associated with giving up physical control of storage media. Audit mechanisms like log collection are generally available in cloud environments, but capabilities like packet capture and analysis may not be available due to multitenant data concerns. Disaster recovery and business continuity planning are also presented in this domain; while the inherent high availability of many cloud services is beneficial for organizations, proper configuration is required to take advantage of these features.

Domain 4: Cloud Application Security

Security practitioners working in cloud computing environments face the challenge of more rapid deployment, coupled with the relative ease with which more users can develop sophisticated cloud applications. Again, these are advantages to the business at the possible expense of security, so the Cloud Application Security domain presents key requirements for recognizing the benefits offered by cloud applications without introducing unacceptable risks. These begin with a focus on the importance of fostering awareness throughout the organization of common cloud security basics. Specific training for cloud app developers on vulnerabilities, pitfalls, and strategies to avoid them is also presented. Modifications to the software development life cycle (SDLC) are discussed, which help accommodate changes introduced by cloud-specific risks. These include system architecture concerns to avoid vendor lock-in and threat modeling specific to the broadly accessible nature of cloud platforms. Since many cloud computing services are delivered by third parties, this domain introduces assurance, validation, and testing methods tailored to address the lack of direct control over acquired IT services and applications. It also introduces common application security controls and specifics of their implementation for cloud environments, like web application firewalls (WAF), sandboxing, and Extensible Markup Language (XML) gateways. Many cloud services rely heavily on functionality offered via application programming interfaces (APIs), and key points regarding how data is exchanged, processed, and protected by APIs are presented in this domain.

Domain 5: Cloud Security Operations

The Cloud Security Operations domain is a companion to many of the concepts introduced in the Cloud Platform and Infrastructure Security domain. It deals with issues of implementing, building, operating, and managing the physical and logical infrastructure needed for a cloud environment. There is a heavy focus on the cloud service provider's perspective, so concepts in this domain may be unfamiliar to some security practitioners who have only worked to secure cloud services as a consumer. The concepts are largely similar to legacy or on-premises security, such as the secure configuration of BIOS and use of Trusted Platform Module (TPM) for hardware security, deployment of virtualization management tools, and configuring remote maintenance capabilities to allow remote administrative tasks. Considerations unique to cloud environments include the additional rigor required in the configuration of isolation features, which prevent data access across tenants, as well as the much larger demands of managing capacity, availability, and monitoring of vast, multicountry data centers. Traditional security operations (SecOps) are also of critical concern for security practitioners in a cloud environment, such as handling vulnerability and patch management programs, network access and security controls, and configuration and change management programs. Additional SecOps activities covered in this domain include supporting incident response and digital forensics when security incidents occur, as well as traditional security operations center (SOC) oversight and monitoring functions for network security, log capture and analysis, and service incident management. These tasks are also covered from the cloud consumer's perspective, as many cloud services and security tools provide log data that must be analyzed to support policy enforcement and incident detection.

Domain 6: Legal, Risk, and Compliance

Legal and regulatory requirements are a significant driver of the work many information security professionals perform, and cloud computing adds increased complexity due to its inherently global nature. The Legal, Risk, and Compliance domain details the conflicting international laws and regulations that organizations will encounter when using cloud services. These present financial risks, additional compliance obligations and risk, and technical challenges like verifying that cloud applications and services are configured in accordance with compliance requirements. Privacy legislation is a particularly important driver of many cloud security concerns; as many countries and localities introduce strict requirements to safeguard privacy data, organizations using the cloud must weigh the financial benefits of a cloud migration against potential fines if they violate these laws. New challenges are also emerging around jurisdiction over multinational cloud services: how do you determine jurisdiction for a U.S.-based company operating a cloud data center in Kenya processing data belonging to a Swiss citizen? Three different laws potentially overlap in this scenario. Processes for audits, assurance, and reporting are also covered, as security practitioners must understand and be able to implement internal oversight mechanisms like gap analysis and audit planning, and must also select and support external auditors for standards like Service Organization Control (SOC) audit reports. Since cloud service providers are third parties not directly under the control of the organization, vendor risk management practices like contract design and service level agreements (SLAs) are often required tools for security risk management.