The Official (ISC)2 CCSP CBK Reference
Contents
Leslie Fife. The Official (ISC)2 CCSP CBK Reference
Table of Contents
List of Tables
List of Illustrations
CCSP®: Certified Cloud Security Professional. The Official (ISC)2® CCSP® CBK® Reference
Acknowledgments
About the Authors
About the Technical Editor
Foreword to the Third Edition
Introduction
Domain 1: Cloud Concepts, Architecture, and Design
Domain 2: Cloud Data Security
Domain 3: Cloud Platform and Infrastructure Security
Domain 4: Cloud Application Security
Domain 5: Cloud Security Operations
Domain 6: Legal, Risk, and Compliance
HOW TO CONTACT THE PUBLISHER
DOMAIN 1 Cloud Concepts, Architecture, and Design
UNDERSTAND CLOUD COMPUTING CONCEPTS
Cloud Computing Definitions
Cloud Computing
Service Models
Deployment Models
Cloud Computing Roles
Cloud Service Customer
Cloud Service Provider
Cloud Service Partner
Cloud Service Broker
Key Cloud Computing Characteristics
On-Demand Self-Service
Broad Network Access
Multitenancy
Rapid Elasticity and Scalability
Resource Pooling
Measured Service
Building Block Technologies
Virtualization
Storage
Networking
Databases
Orchestration
DESCRIBE CLOUD REFERENCE ARCHITECTURE
Cloud Computing Activities
Cloud Service Capabilities
Application Capability Types
Platform Capability Types
Infrastructure Capability Types
Cloud Service Categories
Software as a Service
Platform as a Service
Infrastructure as a Service
Cloud Deployment Models
Public Cloud
Private Cloud
Community Cloud
Hybrid Cloud
Cloud Shared Considerations
Interoperability
Portability
Reversibility
Availability
Security
Privacy
Resiliency
Performance
Governance
Maintenance and Versioning
Service Levels and Service Level Agreements
Auditability
Regulatory
Impact of Related Technologies
Machine Learning
Artificial Intelligence
Blockchain
Internet of Things
Containers
Quantum Computing
UNDERSTAND SECURITY CONCEPTS RELEVANT TO CLOUD COMPUTING
Cryptography and Key Management
Access Control
Data and Media Sanitization
Overwriting
Cryptographic Erase
Network Security
Network Security Groups
Cloud Gateways
Contextual-Based Security
Ingress and Egress Monitoring
Virtualization Security
Hypervisor Security
Container Security
Common Threats
UNDERSTAND DESIGN PRINCIPLES OF SECURE CLOUD COMPUTING
Cloud Secure Data Lifecycle
Cloud-Based Disaster Recovery and Business Continuity Planning
Cost-Benefit Analysis
Functional Security Requirements
Portability
Interoperability
Vendor Lock-in
Security Considerations for Different Cloud Categories
Software as a Service
Platform as a Service
Infrastructure as a Service
EVALUATE CLOUD SERVICE PROVIDERS
Verification against Criteria
International Organization for Standardization/International Electrotechnical Commission
Payment Card Industry Data Security Standard
System/Subsystem Product Certifications
Common Criteria
FIPS 140-2
Summary
DOMAIN 2 Cloud Data Security
DESCRIBE CLOUD DATA CONCEPTS
Cloud Data Lifecycle Phases
Data Dispersion
DESIGN AND IMPLEMENT CLOUD DATA STORAGE ARCHITECTURES
Storage Types
IaaS
PaaS
SaaS
Threats to Storage Types
DESIGN AND APPLY DATA SECURITY TECHNOLOGIES AND STRATEGIES
Encryption and Key Management
Hashing
Masking
Tokenization
Data Loss Prevention
Data Obfuscation
Data De-identification
IMPLEMENT DATA DISCOVERY
Structured Data
Unstructured Data
IMPLEMENT DATA CLASSIFICATION
Mapping
Labeling
Sensitive Data
DESIGN AND IMPLEMENT INFORMATION RIGHTS MANAGEMENT
Objectives
Appropriate Tools
PLAN AND IMPLEMENT DATA RETENTION, DELETION, AND ARCHIVING POLICIES
Data Retention Policies
Storage Costs and Access Requirements
Specified Legal and Regulatory Retention Periods
Data Retention Practices
Data Security and Discovery
Data Deletion Procedures and Mechanisms
Data Archiving Procedures and Mechanisms
Legal Hold
DESIGN AND IMPLEMENT AUDITABILITY, TRACEABILITY, AND ACCOUNTABILITY OF DATA EVENTS
Definition of Event Sources and Requirement of Identity Attribution
Logging, Storage, and Analysis of Data Events
Chain of Custody and Nonrepudiation
SUMMARY
DOMAIN 3 Cloud Platform and Infrastructure Security
COMPREHEND CLOUD INFRASTRUCTURE COMPONENTS
Physical Environment
Network and Communications
Compute
Virtualization
Storage
Management Plane
DESIGN A SECURE DATA CENTER
Logical Design
Tenant Partitioning
Access Control
Physical Design
Location
Buy and Hold
Environmental Design
Heating, Ventilation, and Air Conditioning
Multivendor Pathway Connectivity
ANALYZE RISKS ASSOCIATED WITH CLOUD INFRASTRUCTURE
Risk Assessment and Analysis
Cloud Vulnerabilities, Threats, and Attacks
Virtualization Risks
Countermeasure Strategies
DESIGN AND PLAN SECURITY CONTROLS
Physical and Environmental Protection
System and Communication Protection
Virtualization Systems Protection
Identification, Authentication, and Authorization in Cloud Infrastructure
Audit Mechanisms
Log Collection
Packet Capture
PLAN DISASTER RECOVERY AND BUSINESS CONTINUITY
Risks Related to the Cloud Environment
Business Requirements
Recovery Time Objective
Recovery Point Objective
Recovery Service Level
Business Continuity/Disaster Recovery Strategy
Creation, Implementation, and Testing of Plan
Plan Creation
BCP/DRP Implementation
BCP/DRP Testing
SUMMARY
DOMAIN 4 Cloud Application Security
ADVOCATE TRAINING AND AWARENESS FOR APPLICATION SECURITY
Cloud Development Basics
Common Pitfalls
Common Cloud Vulnerabilities
CSA Top Threats to Cloud Computing
OWASP Top 10
DESCRIBE THE SECURE SOFTWARE DEVELOPMENT LIFECYCLE PROCESS
NIST Secure Software Development Framework
OWASP Software Assurance Security Model
Business Requirements
Phases and Methodologies
APPLY THE SECURE SOFTWARE DEVELOPMENT LIFECYCLE
Avoid Common Vulnerabilities During Development
Cloud-Specific Risks
CSA Security Issue 1: Data Breaches
CSA Security Issue 2: Misconfiguration and Inadequate Change Control
CSA Security Issue 3: Lack of Cloud Security Architecture and Strategy
CSA Security Issue 4: Insufficient Identity, Credential, Access, and Key Management
Quality Assurance
Threat Modeling
Software Configuration Management and Versioning
APPLY CLOUD SOFTWARE ASSURANCE AND VALIDATION
Functional Testing
Security Testing Methodologies
USE VERIFIED SECURE SOFTWARE
Approved Application Programming Interfaces
Supply-Chain Management
Third-Party Software Management
Validated Open-Source Software
COMPREHEND THE SPECIFICS OF CLOUD APPLICATION ARCHITECTURE
Supplemental Security Components
Web Application Firewall
Database Activity Monitoring
Extensible Markup Language Firewalls
Application Programming Interface Gateway
Cryptography
Sandboxing
Application Virtualization and Orchestration
DESIGN APPROPRIATE IDENTITY AND ACCESS MANAGEMENT SOLUTIONS
Federated Identity
Identity Providers
Single Sign-On
Multifactor Authentication
Cloud Access Security Broker
SUMMARY
DOMAIN 5 Cloud Security Operations
IMPLEMENT AND BUILD PHYSICAL AND LOGICAL INFRASTRUCTURE FOR CLOUD ENVIRONMENT
Hardware-Specific Security Configuration Requirements
Storage Controllers
Network Configuration
Installation and Configuration of Virtualization Management Tools
Virtual Hardware–Specific Security Configuration Requirements
Installation of Guest Operating System Virtualization Toolsets
OPERATE PHYSICAL AND LOGICAL INFRASTRUCTURE FOR CLOUD ENVIRONMENT
Configure Access Control for Local and Remote Access
Secure Network Configuration
Virtual Local Area Networks
Transport Layer Security
Dynamic Host Configuration Protocol
Domain Name System and DNS Security Extensions
DNS Attacks
Virtual Private Network
Software-Defined Perimeter
Operating System Hardening through the Application of Baselines
Availability of Stand-Alone Hosts
Availability of Clustered Hosts
High Availability
Distributed Resource Scheduling
Microsoft Virtual Machine Manager and Dynamic Optimization
Storage Clusters
Availability of Guest Operating Systems
MANAGE PHYSICAL AND LOGICAL INFRASTRUCTURE FOR CLOUD ENVIRONMENT
Access Controls for Remote Access
Operating System Baseline Compliance Monitoring and Remediation
Patch Management
✓ Equifax Data Breach
Performance and Capacity Monitoring
Hardware Monitoring
Configuration of Host and Guest Operating System Backup and Restore Functions
Network Security Controls
Firewalls
Intrusion Detection/Intrusion Prevention Systems (IDS/IPS)
Honeypots and Honeynets
Vulnerability Assessments
Management Plane
IMPLEMENT OPERATIONAL CONTROLS AND STANDARDS
Change Management
Continuity Management
Information Security Management
Continual Service Improvement Management
Incident Management
Problem Management
Release Management
Deployment Management
✓ Immutable Infrastructure
Configuration Management
✓ Infrastructure as Code
Service Level Management
Availability Management
Capacity Management
SUPPORT DIGITAL FORENSICS
Forensic Data Collection Methodologies
Evidence Management
Collect, Acquire, and Preserve Digital Evidence
Preparing for Evidence Collection
Evidence Collection Best Practices
Evidence Preservation Best Practices
MANAGE COMMUNICATION WITH RELEVANT PARTIES
Vendors
Customers
Shared Responsibility Model
Partners
Regulators
Other Stakeholders
MANAGE SECURITY OPERATIONS
Security Operations Center
Monitoring of Security Controls
Log Capture and Analysis
Log Management
Incident Management
Incident Classification
Incident Response Phases
Cloud-Specific Incident Management
Incident Management Standards
SUMMARY
DOMAIN 6 Legal, Risk, and Compliance
ARTICULATING LEGAL REQUIREMENTS AND UNIQUE RISKS WITHIN THE CLOUD ENVIRONMENT
Conflicting International Legislation
Evaluation of Legal Risks Specific to Cloud Computing
Legal Frameworks and Guidelines That Affect Cloud Computing
The Organization for Economic Cooperation and Development
Asia Pacific Economic Cooperation Privacy Framework
General Data Protection Regulation
Additional Legal Controls
Laws and Regulations
Forensics and eDiscovery in the Cloud
eDiscovery Challenges in the Cloud
eDiscovery Considerations
Conducting eDiscovery Investigations
Cloud Forensics and Standards
UNDERSTANDING PRIVACY ISSUES
Difference between Contractual and Regulated Private Data
Contractual Private Data
Regulated Private Data
Components of a Contract
Country-Specific Legislation Related to Private Data
The European Union (GDPR)
Australia
The United States
Privacy Shield
The Health Insurance Portability and Accountability Act of 1996
The Gramm–Leach–Bliley Act (GLBA) of 1999
The Stored Communication Act of 1986
The California Consumer Privacy Act of 2018
Jurisdictional Differences in Data Privacy
Standard Privacy Requirements
Generally Accepted Privacy Principles
Standard Privacy Rights Under GDPR
UNDERSTANDING AUDIT PROCESS, METHODOLOGIES, AND REQUIRED ADAPTATIONS FOR A CLOUD ENVIRONMENT
Internal and External Audit Controls
Impact of Audit Requirements
Identity Assurance Challenges of Virtualization and Cloud
Types of Audit Reports
Service Organization Controls
Cloud Security Alliance
Restrictions of Audit Scope Statements
Gap Analysis
Audit Planning
Internal Information Security Management Systems
Benefits of an ISMS
Internal Information Security Controls System
Policies
Organizational Policies
Functional Policies
Cloud Computing Policies
Identification and Involvement of Relevant Stakeholders
Stakeholder Identification Challenges
Governance Challenges
Specialized Compliance Requirements for Highly Regulated Industries
Impact of Distributed Information Technology Models
Communications
Coordination of Activities
Governance of Activities
UNDERSTAND IMPLICATIONS OF CLOUD TO ENTERPRISE RISK MANAGEMENT
Assess Providers Risk Management Programs
Risk Profile
Risk Appetite
Differences Between Data Owner/Controller vs. Data Custodian/Processor
Regulatory Transparency Requirements
Breach Notifications
Sarbanes–Oxley Act
GDPR and Transparency
Risk Treatment
Risk Frameworks
ISO 31000:2018
European Network and Information Security Agency
National Institute of Standards and Technology (NIST)
Metrics for Risk Management
Assessment of Risk Environment
ISO 15408-1:2009: The Common Criteria
Cloud Security Alliance (CSA) STAR
ENISA Cloud Certification Schemes List and Metaframework
UNDERSTANDING OUTSOURCING AND CLOUD CONTRACT DESIGN
Business Requirements
Key SLA Requirements
Vendor Management
Contract Management
Cyber Risk Insurance
Supply Chain Management
ISO 27036: Information Security for Supplier Relationships
SUMMARY
Index
WILEY END USER LICENSE AGREEMENT
Excerpt from the book
Third Edition
LESLIE FIFE
.....
In a PaaS or IaaS, the customer is responsible for some of the maintenance and versioning. However, each customer that connects to the PaaS or IaaS environment will be accessing the most current version provided. Maintenance and versioning are simplified by restricting them to the cloud environment: it is not necessary to update each endpoint running a particular piece of software. Everyone connecting to the cloud is running the same version, even if it is old and has not been updated.
.....