CCSP® For Dummies®, 2nd Edition, with Online Practice
Author: Arthur J. Deane, CISSP, CCSP
Category: Business
File format: PDF, 5.2 MB
Text Preview (First 20 pages)
Page 3
Quiz yourself, study with flashcards, and get certified!
Page 5
CCSP® 2nd Edition, with Online Practice by Arthur J. Deane, CISSP, CCSP
Page 6
CCSP® For Dummies®, 2nd Edition, with Online Practice

Published by: John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, www.wiley.com

Copyright © 2024 by John Wiley & Sons, Inc., Hoboken, New Jersey
Media and software compilation copyright © 2021 by John Wiley & Sons, Inc. All rights reserved.
Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and may not be used without written permission. CCSP is a registered trademark of (ISC)2, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHORS HAVE USED THEIR BEST EFFORTS IN PREPARING THIS WORK, THEY MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES, WRITTEN SALES MATERIALS OR PROMOTIONAL STATEMENTS FOR THIS WORK. THE FACT THAT AN ORGANIZATION, WEBSITE, OR PRODUCT IS REFERRED TO IN THIS WORK AS A CITATION AND/OR POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE PUBLISHER AND AUTHORS ENDORSE THE INFORMATION OR SERVICES THE ORGANIZATION, WEBSITE, OR PRODUCT MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING PROFESSIONAL SERVICES. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR YOUR SITUATION. YOU SHOULD CONSULT WITH A SPECIALIST WHERE APPROPRIATE. FURTHER, READERS SHOULD BE AWARE THAT WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ. NEITHER THE PUBLISHER NOR AUTHORS SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES.

For general information on our other products and services, please contact our Customer Care Department within the US at 877-762-2974, outside the US at 317-572-3993, or fax 317-572-4002. For technical support, please visit https://hub.wiley.com/community/support/dummies.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2023949196
ISBN 978-1-394-21281-1 (pbk); ISBN 978-1-394-21280-4 (ePDF); ISBN 978-1-394-21284-2 (epub)
Pages 7 to 16

Contents at a Glance

Introduction ... 1
Part 1: Starting Your CCSP Journey ... 7
    Chapter 1: Familiarizing Yourself with (ISC)2 and the CCSP Certification ... 9
    Chapter 2: Identifying Information Security Fundamentals ... 25
Part 2: Exploring the CCSP Certification Domains ... 45
    Chapter 3: Domain 1: Cloud Concepts, Architecture, and Design, Part 1 ... 47
    Chapter 4: Domain 1: Cloud Concepts, Architecture, and Design, Part 2 ... 73
    Chapter 5: Domain 2: Cloud Data Security, Part 1 ... 105
    Chapter 6: Domain 2: Cloud Data Security, Part 2 ... 125
    Chapter 7: Domain 3: Cloud Platform and Infrastructure Security, Part 1 ... 147
    Chapter 8: Domain 3: Cloud Platform and Infrastructure Security, Part 2 ... 173
    Chapter 9: Domain 4: Cloud Application Security, Part 1 ... 195
    Chapter 10: Domain 4: Cloud Application Security, Part 2 ... 223
    Chapter 11: Domain 5: Cloud Security Operations, Part 1 ... 243
    Chapter 12: Domain 5: Cloud Security Operations, Part 2 ... 273
    Chapter 13: Domain 6: Legal, Risk, and Compliance, Part 1 ... 289
    Chapter 14: Domain 6: Legal, Risk, and Compliance, Part 2 ... 307
Part 3: The Part of Tens ... 335
    Chapter 15: Ten (or So) Tips to Help You Prepare for the CCSP Exam ... 337
    Chapter 16: Ten Keys to Success on Exam Day ... 343
Part 4: Appendixes ... 347
    Appendix A: Glossary ... 349
    Appendix B: Helpful Resources ... 369
Index ... 373

Table of Contents

Introduction ... 1
    About this Book ... 1
    Foolish Assumptions ... 2
    Icons Used in This Book ... 3
    Beyond the Book ... 4
    Where to Go from Here ... 5

Part 1: Starting Your CCSP Journey ... 7

Chapter 1: Familiarizing Yourself with (ISC)2 and the CCSP Certification ... 9
    Appreciating (ISC)2 and the CCSP Certification ... 9
    Knowing Why You Need to Get Certified ... 10
    Studying the Prerequisites for the CCSP ... 11
    Understanding the CCSP Domains ... 12
        Domain 1: Cloud Concepts, Architecture, and Design ... 12
        Domain 2: Cloud Data Security ... 13
        Domain 3: Cloud Platform and Infrastructure Security ... 14
        Domain 4: Cloud Application Security ... 15
        Domain 5: Cloud Security Operations ... 16
        Domain 6: Legal, Risk, and Compliance ... 17
    Preparing for the Exam ... 17
        Studying on your own ... 18
        Learning by doing ... 19
        Getting official (ISC)2 CCSP training ... 19
        Attending other training courses ... 20
        Practice, practice, practice ... 20
        Ensuring you're ready for the exam ... 21
    Registering for the Exam ... 21
    Taking the Exam ... 22
    Identifying What to Do After the Exam ... 23

Chapter 2: Identifying Information Security Fundamentals ... 25
    Exploring the Pillars of Information Security ... 26
        Confidentiality ... 26
        Integrity ... 27
        Availability ... 27
        Security controls ... 28
    Threats, Vulnerabilities, and Risks . . . Oh My! ... 29
        Threats ... 29
        Vulnerabilities ... 30
        Risks ... 30
    Understanding Identity and Access Management (IAM) ... 31
    Deciphering Cryptography ... 32
        Encryption and decryption ... 32
        Types of encryption ... 32
        Common uses of encryption ... 34
    Grasping Physical Security ... 35
    Realizing the Importance of Business Continuity and Disaster Recovery ... 36
    Understanding Logging and Monitoring ... 38
    Implementing Incident Handling ... 39
        Preparing for incidents ... 40
        Detecting incidents ... 41
        Containing incidents ... 42
        Eradicating incidents ... 42
        Recovering from incidents ... 42
        Conducting a post-mortem ... 43
    Utilizing Defense-in-Depth ... 44

Part 2: Exploring the CCSP Certification Domains ... 45

Chapter 3: Domain 1: Cloud Concepts, Architecture, and Design, Part 1 ... 47
    Understanding Cloud Computing Concepts ... 48
        Defining cloud computing terms ... 48
        Identifying cloud computing roles and responsibilities ... 50
        Recognizing key cloud computing characteristics ... 51
        Building block technologies ... 54
    Describing Cloud Reference Architecture ... 55
        Cloud computing activities ... 55
        Cloud service capabilities ... 56
        Cloud service categories ... 56
        Cloud deployment models ... 61
        Cloud shared considerations ... 64
        Impact of related technologies ... 69

Chapter 4: Domain 1: Cloud Concepts, Architecture, and Design, Part 2 ... 73
    Identifying Security Concepts Relevant to Cloud Computing ... 73
        Cryptography and key management ... 74
        Identity and access control ... 77
        Data and media sanitization ... 79
        Network security ... 79
        Zero trust networking ... 81
        Virtualization security ... 81
        Common threats ... 82
        Security hygiene ... 89
    Comprehending Design Principles of Secure Cloud Computing ... 89
        Cloud secure data lifecycle ... 90
        Cloud based business continuity (BC) and disaster recovery (DR) planning ... 91
        Cost benefit analysis ... 92
        Functional security requirements ... 93
        Security considerations for different cloud categories ... 93
    Evaluating Cloud Service Providers ... 96
        Verifying against certification criteria ... 97
        Meeting system/subsystem product certifications ... 102

Chapter 5: Domain 2: Cloud Data Security, Part 1 ... 105
    Describing Cloud Data Concepts ... 105
        Cloud data lifecycle phases ... 105
        Data dispersion ... 107
        Data flows ... 108
    Designing and Implementing Cloud Data Storage Architectures ... 109
        Storage types ... 109
        Threats to storage types ... 111
    Designing and Applying Data Security Technologies and Strategies ... 113
        Encryption and key management ... 113
        Tokenization ... 116
        Hashing ... 116
        Data loss prevention (DLP) ... 117
        Data de-identification ... 120
        Masking ... 121
    Implementing Data Discovery ... 122
        Structured data ... 123
        Unstructured data ... 123
        Semi-structured data ... 123
        Data location ... 124

Chapter 6: Domain 2: Cloud Data Security, Part 2 ... 125
    Planning and Implementing Data Classification ... 125
        Data classification policies ... 126
        Data mapping ... 127
        Data labeling ... 127
        Sensitive data ... 128
    Designing and Implementing Information Rights Management (IRM) ... 129
        Objectives ... 130
        Appropriate tools ... 131
    Planning and Implementing Data Retention, Deletion, and Archiving Policies ... 132
        Data retention policies ... 132
        Data deletion procedures and mechanisms ... 133
        Data archiving procedures and mechanisms ... 134
        Legal hold ... 135
    Designing and Implementing Auditability, Traceability, and Accountability of Data Events ... 135
        Defining event sources and requirements of identity attribution ... 136
        Logging, storing, and analyzing data events ... 141
        Chain of custody and nonrepudiation ... 144

Chapter 7: Domain 3: Cloud Platform and Infrastructure Security, Part 1 ... 147
    Comprehending Cloud Infrastructure and Platform Components ... 148
        Physical environment ... 149
        Network and communications ... 150
        Compute ... 152
        Virtualization ... 154
        Storage ... 157
        Management plane ... 158
    Designing a Secure Data Center ... 159
        Logical design ... 160
        Physical design ... 161
        Environmental design ... 162
        Designing for resilience ... 163
    Analyzing Risks Associated with Cloud Infrastructure and Platforms ... 164
        Risk assessment and analysis ... 165
        Cloud vulnerabilities, threats, and attacks ... 167
        Virtualization risks ... 169
        Risk mitigation strategies ... 171

Chapter 8: Domain 3: Cloud Platform and Infrastructure Security, Part 2 ... 173
    Planning and Implementing Security Controls ... 174
        Physical and environmental protection ... 174
        System, storage, and communication protection ... 175
        Virtualization systems protection ... 176
        Identification, authentication, and authorization in cloud infrastructure ... 180
        Audit mechanisms ... 182
    Planning Business Continuity (BC) and Disaster Recovery (DR) ... 184
        Business continuity and disaster recovery strategy ... 184
        Business requirements ... 188
        Creating, implementing, and testing BC and DR plans ... 188

Chapter 9: Domain 4: Cloud Application Security, Part 1 ... 195
    Advocating Training and Awareness for Application Security ... 196
        Cloud development basics ... 196
        Common pitfalls ... 197
        Common cloud vulnerabilities ... 200
    Describing the Secure Software Development Lifecycle (SDLC) Process ... 202
        Business requirements ... 202
        Phases ... 202
        Methodologies ... 207
    Applying the SDLC Process ... 208
        Common vulnerabilities during development ... 209
        Cloud-specific risks ... 215
        Threat modeling ... 216
        Secure coding ... 220
        Software configuration management and versioning ... 221

Chapter 10: Domain 4: Cloud Application Security, Part 2 ... 223
    Applying Cloud Software Assurance and Validation ... 224
        Functional testing ... 224
        Security testing methodologies ... 224
        Quality assurance (QA) ... 227
        Abuse case testing ... 227
    Using Verified Secure Software ... 228
        Securing application programming interfaces (APIs) ... 228
        Supply-chain management ... 229
        Third-party software management ... 229
        Validated open source software ... 230
    Comprehending the Specifics of Cloud Application Architecture ... 230
        Supplemental security components ... 230
        Cryptography ... 232
        Sandboxing ... 232
        Application virtualization and orchestration ... 233
    Designing Appropriate Identity and Access Management (IAM) Solutions ... 234
        Federated identity ... 234
        Identity providers (IdPs) ... 236
        Single sign-on (SSO) ... 237
        Multifactor authentication (MFA) ... 238
        Cloud access security broker (CASB) ... 239
        Secrets management ... 241

Chapter 11: Domain 5: Cloud Security Operations, Part 1 ... 243
    Building and Implementing a Physical and Logical Infrastructure for a Cloud Environment ... 244
        Hardware-specific security configuration requirements ... 244
        Installing and configuring management tools ... 248
        Virtual hardware specific security configuration requirements ... 250
        Installing guest operating system virtualization toolsets ... 251
    Operating and Maintaining Physical and Logical Infrastructure for a Cloud Environment ... 252
        Configuring access control for local and remote access ... 252
        Secure network configuration ... 255
        Network security controls ... 258
        Hardening the operating system through the application of baselines, monitoring, and remediation ... 260
        Patch management ... 263
        Infrastructure as Code (IaC) strategy ... 264
        Availability of stand-alone hosts ... 265
        Availability of clustered hosts ... 266
        Availability of guest operating systems ... 267
        Performance and capacity monitoring ... 268
        Hardware monitoring ... 268
        Configuring host and guest operating system backup and restore functions ... 269
        Management plane ... 271

Chapter 12: Domain 5: Cloud Security Operations, Part 2 ... 273
    Implementing Operational Controls and Standards ... 273
        Change management ... 274
        Continuity management ... 276
        Information security management ... 276
        Continual service improvement management ... 277
        Incident management ... 277
        Problem management ... 277
        Release and deployment management ... 277
        Configuration management ... 278
        Service level management ... 278
        Availability management ... 278
        Capacity management ... 278
    Supporting Digital Forensics ... 279
        Collecting, acquiring, and preserving digital evidence ... 279
        Evidence management ... 282
    Managing Communication with Relevant Parties ... 282
        Customers ... 283
        Vendors ... 283
        Partners ... 284
        Regulators ... 284
        Other stakeholders ... 285
    Managing Security Operations ... 285
        Security operations center (SOC) ... 285
        Intelligent monitoring of security controls ... 286
        Cloud Security Posture Management (CSPM) ... 287

Chapter 13: Domain 6: Legal, Risk, and Compliance, Part 1 ... 289
    Articulating Legal Requirements and Unique Risks within the Cloud Environment ... 290
        Conflicting international legislation ... 290
        Evaluating legal risks specific to cloud computing ... 291
        Legal framework and guidelines ... 293
        e-Discovery ... 294
        Forensics requirements ... 298
    Understanding Privacy Issues ... 298
        Difference between contractual and regulated private data ... 298
        Country-specific legislation related to private data ... 299
        Jurisdictional differences in data privacy ... 303
        Standard privacy requirements ... 303
        Privacy impact assessments (PIAs) ... 305

Chapter 14: Domain 6: Legal, Risk, and Compliance, Part 2 ... 307
    Understanding the Audit Process, Methodologies, and Required Adaptations for a Cloud Environment ... 308
        Internal and external audit controls ... 308
        Impact of audit requirements ... 309
        Identifying assurance challenges of virtualization and cloud ... 309
        Types of audit reports ... 310
        Restrictions of audit scope statements ... 313
        Gap analysis ... 314
        Audit planning ... 314
        Internal information security management system (ISMS) ... 318
        Internal information security controls system ... 319
        Policies ... 319
        Identification and involvement of relevant stakeholders ... 321
        Specialized compliance requirements for highly regulated industries ... 322
        Impact of distributed Information Technology (IT) model ... 323
    Understanding the Implications of Cloud to Enterprise Risk Management ... 323
        Assessing providers' risk management programs ... 323
        Difference between data owner/controller versus data custodian/processor ... 324
        Regulatory transparency requirements ... 325
        Risk tolerance and risk profile ... 325
        Risk assessment ... 325
        Risk treatment ... 326
        Different risk frameworks ... 328
        Metrics for risk management ... 330
        Assessing the risk environment ... 330
    Understanding Outsourcing and Cloud Contract Design ... 330
        Business requirements ... 331
        Vendor management ... 331
        Contract management ... 332
        Supply-chain management ... 333

Part 3: The Part of Tens ... 335

Chapter 15: Ten (or So) Tips to Help You Prepare for the CCSP Exam ... 337
    Brush Up on the Prerequisites ... 337
    Register for the Exam ... 338
    Create a Study Plan ... 338
    Find a Study Buddy ... 339
    Take Practice Exams ... 339
    Get Hands-On ... 339
    Attend a CCSP Training Seminar ... 340
    Plan Your Exam Strategy ... 340
    Get Some Rest and Relaxation ... 341

Chapter 16: Ten Keys to Success on Exam Day ... 343
    Make Sure You Wake Up ... 343
    Dress for the Occasion ... 344
    Eat a Great Meal ... 344
    Warm Up Your Brain ... 344
    Bring Snacks and Drinks ... 344
    Plan Your Route ... 345
📄 Page
17
Table of Contents xv Arrive Early . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .345 Take Breaks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .345 Stay Calm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .346 Remember Your Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .346 PART 4: APPENDIXES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347 APPENDIX A: Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349 APPENDIX B: Helpful Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369 (ISC)2 and CCSP Exam Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369 Standards and Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369 Technical References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .371 INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Introduction

As cloud computing has exploded over the last two decades, so has the need for security professionals who understand how the cloud works. Enter the Certified Cloud Security Professional (CCSP) certification. The CCSP was introduced in 2015 and has quickly become the de facto standard for cloud security certifications around the globe. Today, more than 10,000 security professionals have earned the coveted CCSP designation worldwide, and that number is quickly growing!

Cloud computing, as we know it, first became widely available circa 2006 when Amazon created the first enterprise cloud service offering, Amazon Web Services (AWS). Since then, Google, Microsoft, and a host of other companies have burst on the scene with their very own cloud services. Today, cloud computing is more mainstream than ever, with most research firms estimating the public cloud market to top $1 trillion worldwide by 2028. With most estimates putting cloud spend above 60 percent of all tech spend, the need for informed cloud professionals has never been greater.

While we continue to experience this massive cloud boom, cloud security has not so quietly become front-and-center for most organizations. Companies want to ensure that their most important business and customer data remain safe when moved to the cloud, and they need skilled and qualified practitioners to make that happen. That’s where you (and the CCSP) come in!

You may be familiar with the CCSP’s bigger sibling: the Certified Information Systems Security Professional (CISSP). The CISSP certification has been around since 1994 and has amassed quite a following in information security circles. (As of this writing, there are more than 160,000 CISSPs worldwide.) The CCSP serves the same purpose for one of the fastest growing information security subareas — cloud security. It’s all but inevitable that the CCSP will continue its ascent among the most essential industry certifications around the world.
About this Book

Information security is one of the broadest domains of Information Technology. Add to that the complexities of cloud computing, and it’s easy to see why many people are scared off by the field of cloud security. A true cloud security professional is a Jack (or Jill) of all trades — they know the ins and outs of data security and protection and also understand how cloud architectures are designed, managed, and operated. The CCSP credential seeks to validate that the holder has mastered the sweet spot between the two worlds.

This task may sound daunting, but don’t fret! CCSP For Dummies breaks these topics down into bite-sized chunks to help you digest the material, pass the exam, and apply your knowledge in the real world.

While you can find tons of books and resources available to study information security, cloud security resources are a bit harder to come by. Perhaps the field is still too young, or maybe it really is too daunting for some authors and publishers to assemble. Many of the books that do exist either don’t cover all of the necessary facets of cloud security or are overly complex encyclopedic volumes.

In CCSP For Dummies, Wiley and I have put together a book that covers all of the topics within the CCSP Common Body of Knowledge (CBK) in a straightforward, easy-to-read manner. And this second edition has been updated to address the latest and greatest topics from the CCSP Exam Outline and beyond. You’ll find this book to be overflowing with useful information, but written with the battle-tested For Dummies approach and styling that helps countless readers learn new topics. In addition, I try to inject many of my own experiences working in cloud security to give you practical views on some otherwise abstract topics.

As wonderful as I think this book is — and I hope you feel the same way after reading it — you shouldn’t consider any single resource to be the Holy Grail of cloud security. CCSP For Dummies creates a framework for your CCSP studies and includes the information you need to pass the CCSP exam, but will not single-handedly make you a cloud security know-it-all. Reaching the top of the cloud security mountain requires knowledge, skills, and practical experience. This book is a great start, but not the end of your cloud security journey.

Foolish Assumptions

I’ve been told that assumptions are dangerous to make, but here I am making them anyway! At a minimum, I assume the following:

» You have at least five years of general IT experience, at a minimum — preferably more. In order to follow the topics in this book and pass the CCSP exam, you need to have a great deal of knowledge of the technologies that form the foundation of cloud computing. This assumption means that you’re comfortable referring to basic computing terms like CPU and RAM and also have experience with things like databases, networks, and operating systems.