CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide


About the Book

NOTE: The exam this book covered, (ISC)2 Certified Cloud Security Professional, was updated by (ISC)2 in 2019. For coverage of the current exam, please look for the latest edition of this guide: CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide 2nd Edition (9781119603375).

CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide is your ultimate resource for the CCSP exam. As the only official study guide reviewed and endorsed by (ISC)2, this guide helps you prepare faster and smarter with Sybex study tools that include pre-test assessments showing what you already know and the areas where you need further review. Objective maps, exercises, and chapter review questions help you gauge your progress along the way, and the Sybex interactive online learning environment includes access to a PDF glossary, hundreds of flashcards, and two complete practice exams. Covering all CCSP domains, this book walks you through Architectural Concepts and Design Requirements, Cloud Data Security, Cloud Platform and Infrastructure Security, Cloud Application Security, Operations, and Legal and Compliance with real-world scenarios to help you apply your skills along the way.

The CCSP is the latest credential from (ISC)2 and the Cloud Security Alliance, designed to show employers that you have what it takes to keep their organization safe in the cloud. Learn the skills you need to be confident on exam day and beyond.

  • Review 100% of all CCSP exam objectives
  • Practice applying essential concepts and skills
  • Access the industry-leading online study tool set
  • Test your knowledge with bonus practice exams and more

As organizations become increasingly reliant on cloud-based IT, the threat to data security looms larger. Employers are seeking qualified professionals with a proven cloud security skillset, and the CCSP credential brings your resume to the top of the pile. CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide gives you the tools and information you need to earn that certification, and apply your skills in a real-world setting.



Table of Contents:

Introduction

Assessment Test

Chapter 1 Architectural Concepts
  • Business Requirements
  • Existing State
  • Quantifying Benefits and Opportunity Cost
  • Intended Impact
  • Cloud Evolution, Vernacular, and Definitions
  • New Technology, New Options
  • Cloud Computing Service Models
  • Cloud Deployment Models
  • Cloud Computing Roles and Responsibilities
  • Cloud Computing Definitions
  • Foundational Concepts of Cloud Computing
  • Sensitive Data
  • Virtualization
  • Encryption
  • Auditing and Compliance
  • Cloud Service Provider Contracts
  • Summary
  • Exam Essentials
  • Written Labs
  • Review Questions

Chapter 2 Design Requirements
  • Business Requirements Analysis
  • Inventory of Assets
  • Valuation of Assets
  • Determination of Criticality
  • Risk Appetite
  • Boundaries of Cloud Models
  • IaaS Boundaries
  • PaaS Boundaries
  • SaaS Boundaries
  • Design Principles for Protecting Sensitive Data
  • Hardening Devices
  • Encryption
  • Layered Defenses
  • Summary
  • Exam Essentials
  • Written Labs
  • Review Questions

Chapter 3 Data Classification
  • Data Inventory and Discovery
  • Data Ownership
  • The Data Life Cycle
  • Data Discovery Methods
  • Jurisdictional Requirements
  • Data Rights Management
  • Intellectual Property Protections
  • DRM Tool Traits
  • Data Control
  • Data Retention
  • Data Audit
  • Data Destruction/Disposal
  • Summary
  • Exam Essentials
  • Written Labs
  • Review Questions

Chapter 4 Cloud Data Security
  • Cloud Data Life Cycle
  • Create
  • Store
  • Use
  • Share
  • Archive
  • Destroy
  • Cloud Storage Architectures
  • Volume Storage: File-Based Storage and Block Storage
  • Object-Based Storage
  • Databases
  • Content Delivery Network (CDN)
  • Cloud Data Security Foundational Strategies
  • Encryption
  • Masking, Obfuscation, Anonymization, and Tokenization
  • Security Information and Event Management
  • Egress Monitoring (DLP)
  • Summary
  • Exam Essentials
  • Written Labs
  • Review Questions

Chapter 5 Security in the Cloud
  • Shared Cloud Platform Risks and Responsibilities
  • Cloud Computing Risks by Deployment and Service Model
  • Private Cloud
  • Community Cloud
  • Public Cloud
  • Hybrid Cloud
  • IaaS (Infrastructure as a Service)
  • PaaS (Platform as a Service)
  • SaaS (Software as a Service)
  • Virtualization
  • Cloud Attack Surface
  • Threats by Deployment Model
  • Countermeasure Methodology
  • Disaster Recovery (DR) and Business Continuity Management (BCM)
  • Cloud-Specific BIA Concerns
  • Customer/Provider Shared BC/DR Responsibilities
  • Summary
  • Exam Essentials
  • Written Labs
  • Review Questions

Chapter 6 Responsibilities in the Cloud
  • Foundations of Managed Services
  • Business Requirements
  • Business Requirements: The Cloud Provider Perspective
  • Shared Responsibilities by Service Type
  • IaaS
  • PaaS
  • SaaS
  • Shared Administration of OS, Middleware, or Applications
  • Operating System Baseline Configuration and Management
  • Share Responsibilities: Data Access
  • Customer Directly Administers Access
  • Provider Administers Access on Behalf of the Customer
  • Third-Party (CASB) Administers Access on Behalf of the Customer
  • Lack of Physical Access
  • Audits
  • Shared Policy
  • Shared Monitoring and Testing
  • Summary
  • Exam Essentials
  • Written Labs
  • Review Questions

Chapter 7 Cloud Application Security
  • Training and Awareness
  • Common Cloud Application Deployment Pitfalls
  • Cloud-Secure Software Development Life Cycle (SDLC)
  • ISO/IEC 27034-1 Standards for Secure Application Development
  • Identity and Access Management (IAM)
  • Identity Repositories and Directory Services
  • Single Sign-On (SSO)
  • Federated Identity Management
  • Federation Standards
  • Multifactor Authentication
  • Supplemental Security Devices
  • Cloud Application Architecture
  • Application Programming Interfaces
  • Tenancy Separation
  • Cryptography
  • Sandboxing
  • Application Virtualization
  • Cloud Application Assurance and Validation
  • Threat Modeling
  • Quality of Service
  • Software Security Testing
  • Approved APIs
  • Software Supply Chain (API) Management
  • Securing Open Source Software
  • Runtime Application Self-Protection (RASP)
  • Secure Code Reviews
  • OWASP Top 9 Coding Flaws
  • Summary
  • Exam Essentials
  • Written Labs
  • Review Questions

Chapter 8 Operations Elements
  • Physical/Logical Operations
  • Facilities and Redundancy
  • Virtualization Operations
  • Storage Operations
  • Physical and Logical Isolation
  • Security Training and Awareness
  • Training Program Categories
  • Additional Training Insights
  • Basic Operational Application Security
  • Threat Modeling
  • Application Testing Methods
  • Summary
  • Exam Essentials
  • Written Labs
  • Review Questions

Chapter 9 Operations Management
  • Monitoring, Capacity, and Maintenance
  • Monitoring
  • Maintenance
  • Change and Configuration Management (CM)
  • Baselines
  • Deviations and Exceptions
  • Roles and Process
  • Business Continuity and Disaster Recovery (BC/DR)
  • Primary Focus
  • Continuity of Operations
  • The BC/DR Plan
  • The BC/DR Kit
  • Relocation
  • Power
  • Testing
  • Summary
  • Exam Essentials
  • Written Labs
  • Review Questions

Chapter 10 Legal and Compliance Part 1
  • Legal Requirements and Unique Risks in the Cloud Environment
  • Legal Concepts
  • U.S. Laws
  • International Laws
  • Laws, Frameworks, and Standards Around the World
  • The Difference Between Laws, Regulations and Standards
  • Potential Personal and Data Privacy Issues in the Cloud Environment
  • eDiscovery
  • Forensic Requirements
  • International Conflict Resolution
  • Cloud Forensic Challenges
  • Contractual and Regulated PII
  • Direct and Indirect Identifiers
  • Audit Processes, Methodologies, and Cloud Adaptations
  • Virtualization
  • Scope
  • Gap Analysis
  • Information Security Management Systems (ISMSs)
  • The Right to Audit in Managed Services
  • Audit Scope Statements
  • Policies
  • Different Types of Audit Reports
  • Auditor Independence
  • AICPA Reports and Standards
  • Summary
  • Exam Essentials
  • Written Labs
  • Review Questions

Chapter 11 Legal and Compliance Part 2
  • The Impact of Diverse Geographical Locations and Legal Jurisdictions
  • Policies
  • Implications of the Cloud for Enterprise Risk Management
  • Choices Involved in Managing Risk
  • Risk Management Frameworks
  • Risk Management Metrics
  • Contracts and Service-Level Agreements (SLAs)
  • Business Requirements
  • Cloud Contract Design and Management for Outsourcing
  • Identifying Appropriate Supply Chain and Vendor Management Processes
  • Common Criteria Assurance Framework (ISO/IEC 15408-1:2009)
  • Cloud Computing Certification
  • CSA Security, Trust, and Assurance Registry (STAR)
  • Supply Chain Risk
  • Summary
  • Exam Essentials
  • Written Labs
  • Review Questions

Appendix A Answers to the Review Questions
  • Chapter 1: Architectural Concepts
  • Chapter 2: Design Requirements
  • Chapter 3: Data Classification
  • Chapter 4: Cloud Data Security
  • Chapter 5: Security in the Cloud
  • Chapter 6: Responsibilities in the Cloud
  • Chapter 7: Cloud Application Security
  • Chapter 8: Operations Elements
  • Chapter 9: Operations Management
  • Chapter 10: Legal and Compliance Part 1
  • Chapter 11: Legal and Compliance Part 2

Appendix B Answers to the Written Labs
  • Chapter 1
  • Chapter 2
  • Chapter 3
  • Chapter 4
  • Chapter 5
  • Chapter 6
  • Chapter 7
  • Chapter 8
  • Chapter 9
  • Chapter 10
  • Chapter 11

Index


Product Details
  • ISBN-13: 9781119419372
  • Publisher: John Wiley & Sons Inc
  • Publisher Imprint: Sybex Inc.,U.S.
  • Height: 250 mm
  • No of Pages: 384
  • Spine Width: 15 mm
  • Width: 150 mm
  • ISBN-10: 1119419379
  • Publisher Date: 06 May 2017
  • Binding: Digital online
  • Language: English
  • Returnable: Y
  • Weight: 666 gr

