Certificate of Cloud Security Knowledge (CCSK v5) Official Study Guide: In-Depth Guidance and Practice (Graham Thompson)

Author: Graham Thompson

Education

As cloud technology becomes increasingly essential across industries, the need for thorough security knowledge and certification has never been more crucial. The Certificate of Cloud Security Knowledge (CCSK) exam, globally recognized and highly respected, presents a formidable challenge for many. Author Graham Thompson offers you in-depth guidance and practical tools not only to pass the exam but also to grasp the broader implications of cloud security. Written in collaboration with the Cloud Security Alliance, this fifth edition is filled with real-world examples, targeted practice questions, and the latest on zero trust and AI security—all designed to mirror the actual exam. By reading this book, you will:
• Understand critical topics such as cloud architecture, governance, compliance, and risk management
• Prepare for the exam with chapter tips, concise reviews, and practice questions to enhance retention
• See the latest on securing different workloads (containers, PaaS, FaaS) and on incident response in the cloud
• Equip yourself with the knowledge necessary for significant career advancement in cloud security.

📄 File Format: PDF
💾 File Size: 7.8 MB

📄 Text Preview (First 20 pages)


📄 Page 1
Graham Thompson
In-Depth Guidance and Practice
Certificate of Cloud Security Knowledge (CCSK v5) Study Guide
📄 Page 2
ISBN: 978-1-098-17341-8 US $59.99 CAN $74.99
CLOUD COMPUTING

As cloud technology becomes increasingly essential across industries, the need for thorough security knowledge and certification has never been more crucial. The Certificate of Cloud Security Knowledge (CCSK) exam, globally recognized and highly respected, presents a formidable challenge for many. Author Graham Thompson offers you in-depth guidance and practical tools not only to pass the exam but also to grasp the broader implications of cloud security. This book is filled with real-world examples, targeted practice questions, and the latest on zero trust and AI security—all designed to mirror the actual exam. By reading this book, you will:
• Understand critical topics such as cloud architecture, governance, compliance, and risk management
• Prepare for the exam with chapter tips, concise reviews, and practice questions to enhance retention
• See the latest on securing different workloads (containers, PaaS, FaaS) and on incident response in the cloud
• Equip yourself with the knowledge necessary for significant career advancement in cloud security

Graham Thompson is an information security professional with over 25 years of enterprise experience across engineering, architecture, assessment, and training disciplines. He is the author of the CCSK All-in-One Exam Guide (v4) and has been conducting training for Cloud Security Alliance courses for over a decade.

Certificate of Cloud Security Knowledge (CCSK v5) Study Guide

“This book serves as an excellent starting point for cloud security professionals. It simplifies CCSK topics while laying a strong knowledge foundation.”
Harini Joshi, Lead infrastructure security engineer for Prudential Insurance
📄 Page 3
Graham Thompson Certificate of Cloud Security Knowledge (CCSK v5) Official Study Guide In-Depth Guidance and Practice
📄 Page 4
Certificate of Cloud Security Knowledge (CCSK v5) Official Study Guide
by Graham Thompson
Copyright © 2025 Graham Thompson. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 141 Stony Circle, Suite 195, Santa Rosa, CA 95401.
O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Acquisitions Editor: Megan Laddusaw
Development Editor: Sara Hunter
Production Editor: Jonathon Owen
Copyeditor: Audrey Doyle
Proofreader: Krsta Technology Solutions
Indexer: nSight, Inc.
Cover Designer: Susan Brown
Cover Illustrator: Karen Montgomery
Interior Designer: David Futato
Interior Illustrator: Kate Dullea

August 2025: First Edition
Revision History for the First Edition
2025-08-18: First Release
See http://oreilly.com/catalog/errata.csp?isbn=9781098173418 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Certificate of Cloud Security Knowledge (CCSK v5) Official Study Guide, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

The views expressed in this work are those of the author and do not represent the publisher’s views. While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk.

If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

978-1-098-17341-8
📄 Page 5
Table of Contents

Preface xi

1. Cloud Computing Concepts and Architectures 1
   Defining Cloud Computing 4
   Resource Pools 4
   Tools 4
   Two Definitions of Cloud Computing 5
   Logical Model of the Cloud 6
   Infostructure 6
   Applistructure 6
   Metastructure 7
   Infrastructure 8
   Cloud Computing Models 9
   Essential Characteristics 9
   Cloud Service Models 11
   Cloud Deployment Models 17
   Cloud Security Responsibilities, Frameworks, and Process Models 20
   Shared Security Responsibility Model 20
   Cloud Security Frameworks and Patterns 21
   Summary 24

2. Principles of Cloud and IT Governance 25
   Corporate Governance 26
   IT Governance 27
   Cloud Governance Changes and Challenges 29
   Effective Cloud Governance 30
   1. Establish a Governance Hierarchy 30
   2. Leverage Cloud-Specific Security Frameworks 30
📄 Page 6
   3. Define Cloud Security Policies 31
   4. Set Control Objectives and Specify Control Specifications 31
   5. Define Roles and Responsibilities 31
   6. Establish a Cloud Center of Excellence or Similar Model 31
   7. Conduct Requirements and Information Gathering 31
   8. Manage Risks 32
   9. Classify Data and Assets 32
   10. Comply with Legal and Regulatory Requirements 32
   11. Maintain a Cloud Registry 32
   Cloud Center of Excellence 34
   Key Components of a CCoE 35
   Benefits of a CCoE 36
   Structuring IT Security Governance 36
   Frameworks 37
   Policies 37
   Control Objectives 40
   Control Specifications and Implementation Guidance 40
   Thinking All the Way Through the Governance Stack 43
   Foundational Governance Principles and Guidelines 44
   Determining Risk Tolerance 44
   Classifying Data and Assets 45
   Identifying Regulatory and Legal Requirements 46
   Cloud Security Alliance Tools 46
   Cloud Controls Matrix 46
   Security, Trust, Assurance, and Risk Registry 48
   Summary 48

3. Navigating Risk, Audit, and Compliance 51
   Basics of Risk Management 51
   Understanding the Risk Management Process 54
   Step 0: Determining Risk Tolerance 55
   Step 1: Risk Identification 55
   Step 2: Risk Assessment (or Risk Analysis) 55
   Step 3: Risk Treatment 56
   Step 4: Risk Monitoring 57
   Step 5: Risk Communication and Reporting 58
   Assessing Cloud Services 58
   Step 1: Assess the Business Request 59
   Step 2: Review CSP Documentation 59
   Step 3: Review External Sources 64
   Step 4: Map to Compliance Requirements 64
   Step 5: Map to Data Classification 65
📄 Page 7
   Step 6: Define Required and Compensating Controls 66
   Step 7: Obtain Final Approval 66
   Governance, Risk Management, and Compliance Tools 66
   Where Compliance Requirements Come From 67
   Artifacts of Compliance 68
   Jurisdictions 68
   Data Localization Laws 72
   Compliance in the Cloud 73
   Summary 74

4. Guide to Cloud Organization Management 75
   Organizational Hierarchy Models 75
   Definitions 76
   Organizational Structures 76
   Organizational Capabilities Within a Cloud Service Provider 79
   Building a Hierarchy Within a Provider 80
   Managing Organization-Level Security Within a Provider 81
   Considerations for Hybrid and Multicloud Deployments 85
   Organizational Management for Hybrid Cloud Security 86
   Organizational Management for Multicloud Security 89
   Tooling and Staffing for IaaS/PaaS Multicloud 90
   Organizational Management for SaaS Hybrid and Multicloud 91
   Summary 94

5. Identity and Access Management 97
   How IAM Is Different in the Cloud 97
   Fundamental Terms for Understanding IAM 98
   Persona 100
   Attribute 100
   Entitlement 100
   Entitlement Matrix 100
   Role 100
   Attribute-Based Access Control 101
   Policy-Based Access Control 101
   Authoritative Source 103
   Federated Identity Management 103
   Identity Provider 103
   Relying Party 103
   Assertion 104
   Federated Identity Management 104
   Common Federation Standards 104
   How Federation Works 105
📄 Page 8
   Managing Users and Identities for Cloud Computing 108
   Strong Authentication and Authorization 110
   Authorization 110
   Authentication 111
   Privileged User Management 112
   Privileged Identity Management 112
   Privileged Access Management 113
   Summary 113

6. Detecting Threats in the Cloud 115
   Cloud Monitoring 115
   Logs and Events 117
   Posture Management 119
   Cloud Telemetry Sources 119
   Management Plane Logs 119
   Service Logs 120
   Resource Logs 121
   Cloud Native Security Tools 121
   Cloud Security Posture Management 122
   SaaS Security Posture Management 122
   Cloud Workload Protection Platform 122
   Data Security Posture Management 123
   Application Security Posture Management 123
   Cloud Infrastructure Entitlement Management 123
   Cloud Detection and Response 124
   SIEM and SOAR: The Detective and the Robot Guard 124
   Security Information and Event Management 124
   Security Orchestration, Automation, and Response 127
   Collection Architectures 128
   Log Storage and Retention 128
   Cascading Log Architecture 129
   AI for Security Monitoring 130
   Summary 130

7. Infrastructure and Networking 133
   Cloud Infrastructure Security 133
   Cloud Customer Security Techniques 134
   CSP Infrastructure Security Responsibilities 135
   Infrastructure Resilience 136
   Single-Region Resiliency 137
   Multiregion Resiliency 138
   Multiprovider Resiliency 138
📄 Page 9
   Cloud Network Fundamentals 139
   Common SDN-Based Components 142
   Cloud Connectivity 144
   Cloud Network Security and Secure Architectures 145
   Preventive Controls 145
   Detective Security Controls 146
   Infrastructure as Code 147
   Zero Trust for Cloud Infrastructure and Networks 148
   Software-Defined Perimeter 149
   Zero Trust Network Access 150
   Secure Access Service Edge 150
   Summary 152

8. Cloud Workload Security 153
   Securing Virtual Machines 153
   Virtual Machine Challenges and Mitigations 155
   Creating Secure VM Images with Factories 155
   Recommended Tools and Best Practices for VMs 157
   The Vulnerability Management Lifecycle 158
   Snapshots, Public Exposures, and Exfiltration 159
   Securing Containers 160
   Container Image Creation 160
   Container Networking 162
   Container Orchestration and Management Systems 163
   Container Orchestration Security 166
   Secure Artifact Repositories 166
   Runtime Protection for Containers 167
   Securing Serverless and Function as a Service 168
   FaaS Security Issues 169
   IAM for Serverless Computing 169
   Securing AI Workloads 170
   Large Language Model Assets 170
   Top Nine Large Language Model System Threats 171
   AI Risk Mitigation and Shared Responsibilities 173
   Data Security for AI 174
   Model Security 174
   Infrastructure Security 174
   Supply Chain Security 175
   Summary 175

9. Keeping Data Safe in the Cloud 177
   Data Structures 177
📄 Page 10
   Storage Security Primer 178
   Cloud Storage Types 178
   Object Storage 178
   Volume Storage 181
   Database Storage 181
   Other Types of Storage 182
   Data Security Tools and Techniques 183
   Data Classification 183
   Identity and Access Management 185
   Access Policies 186
   Data Loss Prevention 186
   Cloud Data Encryption at Rest 186
   Encryption and Key Management 187
   Key Management Service 187
   Hardware Security Module 187
   Encryption Key Options 187
   Encryption Implementation Options 189
   Symmetric Versus Asymmetric Encryption 191
   Data Encryption Recommendations 195
   Data Security Posture Management 196
   Summary 196

10. Building Secure Applications 199
   Secure Development Lifecycle 200
   Stages of the CSA DevSecOps SDLC 201
   Threat Modeling 204
   Risk Assessment Matrix 206
   Testing: Predeployment 207
   Testing: Post Deployment 209
   Architecture’s Role in Secure Cloud Applications 210
   The Impact of the Cloud on Architecture-Level Security 211
   Architectural Resilience 211
   IAM and Application Security 212
   Secrets Management 212
   Secrets Management Workflow 213
   DevOps and DevSecOps 213
   The DevOps/DevSecOps Lifecycle 214
   CI/CD Pipelines 215
   Web Application Firewalls and API Gateways 217
   Agent-Based Deployment 218
   Cloud Native Provider Services 218
   Third-Party Marketplace Solutions 218
📄 Page 11
   WAF and DDoS Protection as a Service 219
   Summary 219

11. Incident Response: From Detection to Recovery 221
   Incident Response 222
   Incident Response Lifecycle 222
   Phase 1: Preparation 223
   Phase 2: Detection and Analysis 223
   Phase 3: Containment, Eradication, and Recovery 224
   Phase 4: Post-Incident Analysis 224
   How the Preparation Phase Changes in Cloud Environments 225
   Training for Cloud Incident Responders 226
   How Detection and Analysis Change in Cloud Environments 228
   Impact of the Cloud on Incident Analysis 228
   Cloud System Forensics 229
   Forensics Blast Zones 232
   Cloud Forensics: Container and Serverless Considerations 233
   Containment, Eradication, and Recovery 234
   Containment 234
   Eradication 235
   Recovery 236
   Post-Incident Analysis 236
   Summary 237

12. Deep Dive into Zero Trust and AI 239
   Zero Trust 239
   Zero Trust Principles 241
   Zero Trust Technical Objectives 241
   Protective Framework 241
   Simplified User Experience 242
   Reduced Attack Surface 243
   Reduced Complexity 244
   Continuous Authentication 244
   Improved Incident Containment and Management 245
   Principle of Least Privilege 245
   Zero Trust Business Objectives 246
   Reduce Risk 246
   Improve Compliance 246
   Demonstrate Commitment to Cybersecurity 246
   Core Logical Zero Trust Components 247
   Zero Trust Security Frameworks 248
   Software-Defined Perimeter 248
📄 Page 12
   Zero Trust Network Access 248
   Zero Trust Pillars 249
   Zero Trust Maturity Model Levels 250
   Zero Trust Design and Implementation 252
   Step 1: Define the Protect Surface 252
   Step 2: Map the Transaction Flows 253
   Step 3: Build a Zero Trust Architecture 253
   Step 4: Create a Zero Trust Policy 254
   Step 5: Monitor and Maintain the Environment 254
   Zero Trust and Cloud Security 255
   Artificial Intelligence 256
   Characteristics of AI Workloads 256
   How AI Intersects with Cloud Security 256
   Summary 258

13. Preparing for Your CCSK Exam 259
   Studying for the CCSK Exam 259
   Exam Details 260
   Signing Up for the CCSK Exam 261
   Exam Tips 261
   Using ChatGPT as a Study Tool 263
   About Generative AI Large Language Models 263
   The Importance of Projects 265
   Uploading Files 265
   Downloading Files 265
   Introduction to Prompt Engineering 266
   Components of a Good Prompt 267
   Creating Study Tools 269
   Generating Pretest Questions 269
   Creating Flashcards 270
   Playing Games 272
   Study Plans 272
   ChatGPT Annoyances 272
   Final Exam-Day Thoughts 273

Index 275
📄 Page 13
Preface

“The beautiful thing about learning is nobody can take it away from you.” —B.B. King

Cloud computing has fundamentally reshaped how organizations build, secure, and scale their digital infrastructure. With this transformation comes a new set of risks, responsibilities, and security approaches that professionals must understand to protect cloud environments effectively. The Certificate of Cloud Security Knowledge (CCSK), now in its fifth version, was developed by the Cloud Security Alliance (CSA) to help professionals and organizations with a framework for building cloud security implementations. The CCSK is one of the most widely recognized vendor-agnostic certifications in cloud security. It offers a strong foundation in best practices for governance, cloud provider assessment, cloud security architecture, and the technical aspects of securing cloud environments.

This study guide was created to support your preparation for the CCSK exam. It follows the structure of the official CSA study guide and goes deeper into key subjects that all security professionals should be well versed in. No matter if you are a recent graduate, work in the IT field, perform a compliance role, or seek to round out your cloud knowledge as a seasoned cybersecurity professional, this book will serve you well in obtaining your CCSK certification.

The following is a list of the knowledge areas covered in this book:
• Cloud computing concepts and architectures
• Cloud governance
• Risk, audit, and compliance
• Organization management
• Identity and access management
• Security monitoring
• Infrastructure and networking
📄 Page 14
• Cloud workload security
• Data security
• Application security
• Incident response and resilience
• Related technologies and strategies

Each chapter explains core concepts clearly, connects theory to real-world scenarios, and includes review questions to reinforce key takeaways. Whether you’re studying independently or in a group setting, this guide is designed to keep you focused on what matters most for the exam—and more importantly, for advancing your career.

Who This Book Is For

I wrote this book for people who want to get ahead and are considering obtaining certification in the field of cloud security. If you are reading this, you are already interested in the security field. Although my top priority in writing this book was to help you pass the CCSK exam, another objective I had during its creation was to set you up for success in obtaining other security certifications. I obviously can’t address everything in the field of security in a single book, but I can honestly say I believe the content in this book fills in the assumed knowledge of the CSA material and expands on important material beyond just the exam.

My goal in writing this book was to make the content approachable, comprehensive, and real. I threw away the thesaurus in favor of creating a reader-friendly approach. I wrote this book in the same way that I teach the official CCSK training course. My goal is to teach you, not to sound like a professor. Throughout the chapters, I try to share real-world stories from my years of experience working with large, regulated companies in a variety of industries. I believe these experiences happened so that I could pass these stories on to you to assist with your learning.

I hope you find this study guide useful not only for passing the exam, but also for helping you become a more effective and confident cloud security professional.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic
Indicates new terms, URLs, email addresses, filenames, and file extensions.
📄 Page 15
Constant width
Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.

Constant width bold
Shows commands or other text that should be typed literally by the user.

Constant width italic
Shows text that should be replaced with user-supplied values or by values determined by context.

This element signifies a tip or suggestion.

This element signifies a general note.

This element indicates a warning or caution.

O’Reilly Online Learning

For more than 40 years, O’Reilly Media has provided technology and business training, knowledge, and insight to help companies succeed. Our unique network of experts and innovators share their knowledge and expertise through books, articles, and our online learning platform. O’Reilly’s online learning platform gives you on-demand access to live training courses, in-depth learning paths, interactive coding environments, and a vast collection of text and video from O’Reilly and 200+ other publishers. For more information, visit https://oreilly.com.
📄 Page 16
How to Contact Us

Please address comments and questions concerning this book to the publisher:
O’Reilly Media, Inc.
141 Stony Circle, Suite 195
Santa Rosa, CA 95401
800-889-8969 (in the United States or Canada)
707-827-7019 (international or local)
707-829-0104 (fax)
support@oreilly.com
https://oreilly.com/about/contact.html

We have a web page for this book, where we list errata and any additional information. You can access this page at https://oreil.ly/ccsk-v5.
For news and information about our books and courses, visit https://oreilly.com.
Find us on LinkedIn: https://linkedin.com/company/oreilly-media.
Watch us on YouTube: https://youtube.com/oreillymedia.

Acknowledgments

Thanks to the team at O’Reilly for their support during the creation of this book. Sara, you are a rockstar with the patience of a saint! Megan, I can’t thank you enough for this incredible opportunity. It is truly an honor to call myself an animal author.

As always, I want to thank my wife for putting up with me. I love you, Princess. You have given me everything I never knew I wanted. To my four sons, I am so proud of the men you have become. I couldn’t ask for more as a father. I love you all.
📄 Page 17
CHAPTER 1
Cloud Computing Concepts and Architectures

Well begun is half done. —Aristotle

This chapter serves to set you on a solid footing for what is about to come in the rest of this book. To pass the Certificate of Cloud Security Knowledge (CCSK) exam, you need to fundamentally understand the similarities and differences that cloud computing has with what I call traditional IT.

Traditional IT is what companies have been doing for decades: physical datacenters, physical servers, physical networking, and physical drives. In contrast, everything in the cloud is virtual. Well, there are, of course, the physical components just mentioned, but those are procured (sometimes even created) and managed by the provider in a datacenter it runs. To the cloud service customer (CSC), everything in the cloud is virtual.

Some people may argue that the cloud is just running your servers in someone else’s datacenter and that traditional IT and cloud computing aren’t that different. Some people also say the world is flat. Rest assured, it is a very different world once you start looking into some of the finer points, especially when it comes to security.

Cloud computing can offer organizations significant agility, resiliency, security, and economic benefits if done properly. However, to realize these benefits, it is essential to properly understand and adopt cloud models, ensuring that cloud architectures and practices align with the features and capabilities of cloud platforms.
📄 Page 18
From an application perspective, simply migrating an existing application or asset to a cloud service provider (CSP) without any changes, known as forklifting or lift-and-shift, often fails to deliver the expected agility, resiliency, and security, and can even increase costs.

From a security perspective, it is critical to appreciate that security in the cloud is a shared responsibility. I know, you’ve probably heard this so often that it has started to lose its importance, but it cannot be overstated. Dismissing this key aspect of the cloud can lead companies to a false sense of security. “The provider does everything for me!” is a dangerous and untrue assumption. Do you think your cloud provider does backups for you? It may, or it may not. In one real-life example, 140 customers of the European cloud provider OVHcloud launched a class action lawsuit for more than €10 million because they assumed OVHcloud backed up their data. When a fire destroyed a datacenter that was hosting their data, they lost everything. OVHcloud stated in its documentation that clients were responsible for backing up their own data, but who’s got time to read those pesky documents, right? We’ll see more about the documents you should read prior to using a CSP in Chapter 3.

Now, let’s imagine the following scenario. Larry, a salesperson at Driveline Solutions (no, not you, Larry), is caught stealing customer information from the company’s cloud-based customer relationship management (CRM) vendor and selling this information to the competition. Larry is subsequently fired. Six months later, you realize Larry is still stealing client information from the CRM software. What happened? Nobody at Driveline Solutions removed Larry’s access to the CRM software when he was terminated. Identity and access management is always the customer’s responsibility. After all, how can you expect the CRM vendor to know Larry was fired?

We’ll see more about the shared responsibility model of the cloud later in this chapter.

Now consider that you were hired to manage cloud access for a business that is using 50 software-as-a-service (SaaS) applications. This means you have to manage 50 different identity stores. That’s a very tall task, if not frankly impossible to do at scale. I’ll talk about a way to manage identities with federated identity management (FIM) in Chapter 5.

Put simply, if you don’t understand the shared responsibility model or the answer to the question “who does what,” you’ll never be able to properly secure your usage of the cloud. It’s that important.

Table 1-1 highlights some examples of cloud breaches. I added them to show what can happen when the cloud customer doesn’t understand the shared responsibility model and fails to secure their usage of cloud services.
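To put the Larry scenario and the 50-identity-stores problem on a practical footing, here is an added example (not from the book) that reconciles an authoritative HR feed against user exports from several SaaS identity stores and flags accounts that should have been deprovisioned. The company, application names, addresses and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data: HR is the authoritative source for who still works here.
# Each SaaS application keeps its own identity store, exported separately below.
HR_RECORDS = [
    {"email": "Larry@driveline.example", "status": "terminated", "termination_date": "2024-11-01"},
    {"email": "maria@driveline.example", "status": "active", "termination_date": None},
    {"email": "omar@driveline.example", "status": "terminated", "termination_date": "2025-04-20"},
]

# Constructed user exports from three separate SaaS identity stores.
SAAS_DIRECTORIES = {
    "crm": [
        {"email": "larry@driveline.example", "enabled": True},   # the Larry problem
        {"email": "maria@driveline.example", "enabled": True},
    ],
    "ticketing": [
        {"email": "larry@driveline.example", "enabled": False},  # already disabled here
        {"email": "omar@driveline.example", "enabled": True},
    ],
    "file-share": [
        {"email": "maria@driveline.example", "enabled": True},
        {"email": "contractor42@partner.example", "enabled": True},  # unknown to HR
    ],
}


@dataclass(frozen=True)
class Finding:
    app: str
    email: str
    reason: str
    days_orphaned: Optional[int]  # None when HR has no record to date from


def normalize(email: str) -> str:
    """Identity stores disagree on letter case; compare on one canonical form."""
    return email.strip().lower()


def find_orphaned_accounts(hr_records, saas_directories, as_of: date) -> list[Finding]:
    """Return enabled SaaS accounts whose owner is terminated or unknown in HR."""
    terminated: dict[str, date] = {}
    known: set[str] = set()
    for rec in hr_records:
        email = normalize(rec["email"])
        known.add(email)
        if rec["status"] == "terminated":
            terminated[email] = date.fromisoformat(rec["termination_date"])

    findings: list[Finding] = []
    for app, users in saas_directories.items():
        for user in users:
            if not user.get("enabled", True):
                continue  # a disabled account is not live access
            email = normalize(user["email"])
            if email in terminated:
                findings.append(Finding(app, email, "terminated in HR but still enabled",
                                        (as_of - terminated[email]).days))
            elif email not in known:
                findings.append(Finding(app, email, "no authoritative HR record", None))
    return sorted(findings, key=lambda f: (f.app, f.email))


def demo_findings() -> list[Finding]:
    """Run the reconciliation on the constructed data as of a fixed date."""
    return find_orphaned_accounts(HR_RECORDS, SAAS_DIRECTORIES, date(2025, 5, 1))


if __name__ == "__main__":
    for f in demo_findings():
        age = f"{f.days_orphaned} days" if f.days_orphaned is not None else "n/a"
        print(f"[{f.app}] {f.email}: {f.reason} ({age})")
```

In practice the HR feed and each SaaS export would come from their APIs or SCIM endpoints; the reconciliation logic is the same, and the "days orphaned" figure is what turns a list into a prioritized cleanup queue.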
📄 Page 19
Table 1-1. Cloud breaches

Customer | Cloud provider | Year | Individuals impacted | Breach information
Shanghai Police | Alibaba Cloud | 2022 | ~1 billion | Unsecured database exposed personal information of approximately 1 billion Chinese citizens for over a year
Verifications.io | Google Cloud | 2019 | 763 million | Unsecured database exposed email addresses and other personal details of over 763 million users
Facebook | Amazon Web Services (AWS) | 2019 | 540 million | Over 540 million user records exposed by third-party developers in publicly accessible AWS Simple Storage Service (S3) buckets
Microsoft (Customer Support) | Azure | 2019 | 250 million | Misconfigured security rules exposed customer support records of 250 million users
Capital One | AWS | 2019 | 100 million | Misconfigured web application firewall allowed access to over 100 million customer records
Uber | AWS | 2016 | 57 million | Attackers accessed AWS S3 buckets using compromised credentials, exposing data of 57 million users and drivers
Cognyte | AWS | 2021 | 5 billion records | Unsecured AWS Elasticsearch database exposed 5 billion records indexed by a search engine
Prestige Software | AWS | 2020 | Unknown (millions) | Misconfigured S3 bucket exposed millions of records from travel booking platforms
Verizon | AWS | 2017 | 14 million | Third-party vendor misconfigured AWS S3 bucket, exposing data of 14 million customers
FedEx | AWS | 2017 | Multiple | Unprotected AWS S3 bucket exposed scanned documents including passports and driver’s licenses

With that introduction to the cloud out of the way, let’s discuss the concepts of cloud security as presented by the Cloud Security Alliance (CSA) and what you’ll be tested on as part of the CCSK exam.

Exam Note
You’ll be seeing quite a few references to standards by NIST, ISO/IEC, and other organizations in this book. You don’t need to start studying these documents. The CCSK exam is about cloud security according to the CSA; it’s not about NIST standards. The exam is open book, so if you’re facing a question about a Special Publication number, for example (the number, not the content within), you can quickly look it up with a Ctrl-F in the CSA’s “Certificate of Cloud Security Knowledge Official Study Guide.” This document covers everything from the CCSK study guide (and then some!).
📄 Page 20
Defining Cloud Computing

As mentioned in the introduction, cloud computing is built by the CSP. CSCs get access to a seemingly endless supply of resources they can procure in an instant. But what do they use to do that? The answer is pools and tools.

Resource Pools

Let’s start with pools. There are three different types of pools of resources: compute, network, and storage. The pools are virtualized, for the most part, with limited exceptions that I’ll talk about later in this chapter. This section provides a very high-level view of the capabilities these pools supply. There are many offerings that will be covered throughout the book. For now, I’m keeping it as straightforward as possible.

The virtualization for compute is much like you may imagine. There are hypervisors that allow a physical machine (called the host) to run multiple virtual machines (VMs) that are called instances (as opposed to guests in traditional IT). The hypervisor used (e.g., VMware, Xen, KVM) is not really the CSC’s concern.

From a network pool perspective, the CSP has many IP addresses that can be dynamically assigned and released on demand. The network pool goes deeper than just IP addresses, but I think you get the general idea. The pools allow for something to be allocated and then released when it is no longer used by the customer.

Finally, possibly the easiest pool to think of is the storage pool. Think of your typical storage area network (SAN). The SAN may have hundreds of terabytes of storage that is sliced up based on a customer’s requirement; essentially, every user gets a networked “home” drive available to them.

Tools

Now, on to the tools part. Quite simply, the tools I’m referring to are the abstraction, automation, and orchestration capabilities of the cloud. Everything, from the initial request of an instance (again, basically a guest VM) through to the billing on a pay-per-use basis, is abstracted, automated, and orchestrated.

Abstraction

Abstraction simply hides (abstracts) the complexity behind what I call the “magic curtain.” Providers are very good at masking complexity and presenting a very familiar way for customers to build and configure things. Take building a cloud server, for example. All you have to do as the customer is select the amount of processor power (vCPUs), memory, and storage you want. Most cloud providers offer a wide range of what someone once called “T-shirt sizes.” Want a server instance with one CPU and