ebook img

CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide PDF

374 Pages·2017·3.83 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide

® 2® CCSP (ISC) Certified Cloud Security Professional Official Study Guide Brian T. O’Hara Ben Malisow www.allitebooks.com Development Editor: Kelly Talbot Technical Editors: Tom Updegrove, Jerry K. Rayome, Valerie Nelson, Jordan Pike Production Editor: Rebecca Anderson Copy Editor: Elizabeth Welch Editorial Manager: Mary Beth Wakefield Production Manager: Kathleen Wisor Executive Editor: Jim Minatel Book Designers: Judy Fung and Bill Gibson Proofreader: Josh Chase, Word One New York Indexer: J & J Indexing Project Coordinator, Cover: Brent Savage Cover Designer: Wiley Cover Image: ©Getty Images Inc./Jeremy Woodhouse Copyright © 2017 by John Wiley & Sons, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 978-1-119-27741-5 ISBN: 978-1-119-27742-2 (ebk.) ISBN: 978-1-119-27743-9 (ebk.) Manufactured in the United States of America No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or war- ranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read. For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002. Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley prod- ucts, visit www.wiley.com. Library of Congress Control Number: 2017936608 TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be 2 2 used without written permission. (ISC) and CCSP are registered trademarks of (ISC) , Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book. 10 9 8 7 6 5 4 3 2 1 www.allitebooks.com Acknowledgments The authors would like to thank (ISC)2 for making this work possible, and the sublime publishing and editing team at Sybex, including Jim Minatel, Kelly Talbot, Rebecca Anderson, and Christine O’Connor. This book is dedicated to all the candidates seeking CCSP certifcation. We hope it helps. www.allitebooks.com About the Authors Brian T. O’Hara, CISA, CISM, CCSP, and CISSP, is the Information Security Offcer for Do It Best Corp. With over 20 years of experience providing security and audit services, he has served as the information security offcer for Fortune 500 companies and has worked in PCI, healthcare, manufacturing, and fnancial services, providing audit and security advisory services. Prior to entering the feld of IS audit, Brian served as program chair for information technology at the largest community college in the country, where he helped develop the frst NSA Two-Year Center of Academic Excellence in Information Security. In addition to co-authoring the CISA Study Guide, he has served as a technical editor on books for Wiley, Sybex, and (ISC)2. Brian has been an active member both locally and internationally of the Information Security Systems Association (ISSA) for over 10 years and is an ISSA Fellow. He currently serves as the past president of the Indiana chapter of ISACA and president of the InfraGard Indiana Members Alliance, a public–private partnership with the FBI aimed at protecting the United States’ critical infrastructures. Ben Malisow, CISSP, CISM, CCSP, and Security+, is an instructor for (ISC)2, teaching prep classes for the CISSP and CCSP certifcations. He has been in the information technology and information security feld for almost 25 years. He wrote the internal IT security policy for DARPA, served as the Information System Security Manager for the FBI’s most-classifed counterterror intelligence-sharing network, and helped develop the IT security architecture for the Department of Homeland Security’s Transportation Security Administration. Ben has taught courses at many schools and universities, including Carnegie Mellon’s CERT/SEI, UTSA, the College of Southern Nevada, and grades 6–12 at a school for troubled youths in Las Vegas. He is widely published in the feld, having written for SecurityFocus.com, ComputerWorld, and various other publications, as well as several books. About the Technical Editors Tom Updegrove, CCSP and EC-Council security trainer, is the CEO of Internetwork Service, an AWS and Microsoft Azure partner. With over 20 years of experience provid- ing technical and security services, he has worked in PCI, healthcare, manufacturing, and fnancial services, providing security consulting services. In addition to contributing to the CCSP (ISC)2 Study Guide, he has served as a technical editor on security-related books for Wiley and Sybex, as well as presenting the Social Engineering course for ITProTV. He has helped develop the Liberty University MIS lab infrastructure and currently serves as a tech- nical editor for Hakin9 and Pen Testing magazines. Jerry K. Rayome, BS/MS Computer Science, CISSP, is a member of the Cyber Security Program at Lawrence Livermore National Laboratory. He has over 20 years of experience providing cybersecurity services, including software development, penetration testing, incident response, frewall implementation, frewall auditing, cyber forensic investigations, NIST 800- 53 control implementation/assessment, cloud risk assessment, and cloud security auditing. www.allitebooks.com Contents at a Glance Introduction xv Assessment Test xxiii Chapter 1 Architectural Concepts 1 Chapter 2 Design Requirements 25 Chapter 3 Data Classification 43 Chapter 4 Cloud Data Security 67 Chapter 5 Security in the Cloud  87 Chapter 6 Responsibilities in the Cloud 115 Chapter 7 Cloud Application Security 141 Chapter 8 Operations Elements 181 Chapter 9 Operations Management 213 Chapter 10 Legal and Compliance Part 1 239 Chapter 11 Legal and Compliance Part 2 279 Appendix A Answers to the Review Questions 309 Appendix B Answers to the Written Labs 327 Index 35 www.allitebooks.com Contents Introduction xv Assessment Test xxiii Chapter 1 Architectural Concepts 1 Business Requirements 4 Existing State 4 Quantifying Benefits and Opportunity Cost 5 Intended Impact 8 Cloud Evolution, Vernacular, and Definitions 8 New Technology, New Options 8 Cloud Computing Service Models 10 Cloud Deployment Models 11 Cloud Computing Roles and Responsibilities 13 Cloud Computing Definitions 13 Foundational Concepts of Cloud Computing 16 Sensitive Data 17 Virtualization 17 Encryption 17 Auditing and Compliance 18 Cloud Service Provider Contracts 18 Sumary 19 Exam Essentials 19 Written Labs 19 Review Questions 20 Chapter 2 Design Requirements 25 Business Requirements Analysis 26 Inventory of Assets 26 Valuation of Assets 27 Determination of Criticality 27 Risk Appetite 29 Boundaries of Cloud Models 31 IaaS Boundaries 31 PaaS Boundaries 32 SaaS Boundaries 32 Design Principles for Protecting Sensitive Data 34 Hardening Devices 34 Encryption 35 Layered Defenses 36 www.allitebooks.com viii Contents Sumary 37 Exam Essentials 37 Written Labs 37 Review Questions 38 Chapter 3 Data Classification 43 Data Inventory and Discovery 45 Data Ownership 45 The Data Life Cycle 46 Data Discovery Methods 49 Jurisdictional Requirements 50 Data Rights Management 51 Intellectual Property Protections 51 DRM Tool Traits 55 Data Control 57 Data Retention 58 Data Audit 59 Data Destruction/Disposal 61 Sumary 62 Exam Essentials 63 Written Labs 63 Review Questions 64 Chapter 4 Cloud Data Security 67 Cloud Data Life Cycle 69 Create 70 Store 70 Use 71 Share 71 Archive 72 Destroy 74 Cloud Storage Architectures 74 Volume Storage: File-Based Storage and Block Storage 74 Object-Based Storage 74 Databases 75 Content Delivery Network (CDN) 75 Cloud Data Security Foundational Strategies 75 Encryption 75 Masking, Obfuscation, Anonymization, and Tokenization 77 Security Information and Event Management 80 Egress Monitoring (DLP) 81 Sumary 82 Exam Essentials 82 Written Labs 83 Review Questions 84 www.allitebooks.com Contents ix Chapter 5 Security in the Cloud  87 Shared Cloud Platform Risks and Responsibilities 88 Cloud Computing Risks by Deployment and Service Model 90 Private Cloud 91 Community Cloud 91 Public Cloud 92 Hybrid Cloud 97 IaaS (Infrastructure as a Service) 97 PaaS (Platform as a Service) 97 SaaS (Software as a Service) 98 Virtualization 98 Cloud Attack Surface 99 Threats by Deployment Model 100 Countermeasure Methodology 102 Disaster Recovery (DR) and Business Continuity Management (BCM) 105 Cloud-Specific BIA Concerns 105 Customer/Provider Shared BC/DR Responsibilities 106 Summary 108 Exam Essentials 109 Written Labs 109 Review Questions 110 Chapter 6 Responsibilities in the Cloud 115 Foundations of Managed Services 118 Business Requirements 119 Business Requirements: The Cloud Provider Perspective 119 Shared Responsibilities by Service Type 125 IaS 125 PaS 125 SaS 125 Shared Administration of OS, Middleware, or Applications 126 Operating System Baseline Configuration and Management 126 Share Responsibilities: Data Access 128 Customer Directly Administers Access 128 Provider Administers Access on Behalf of the Customer 129 Third-Party (CASB) Administers Access on Behalf of the Customer 129 Lack of Physical Access 131 Audits 131 Shared Policy 134 Shared Monitoring and Testing 134 www.allitebooks.com x Contents Summary 135 Exam Essentials 135 Written Labs 136 Review Questions 137 Chapter 7 Cloud Application Security 141 Training and Awareness 143 Common Cloud Application Deployment Pitfalls 146 Cloud-Secure Software Development Life Cycle (SDLC) 148 ISO/IEC 27034-1 Standards for Secure Application Development 150 Identity and Access Management (IAM) 151 Identity Repositories and Directory Services 153 Single Sign-On (SSO) 153 Federated Identity Management 153 Federation Standards 154 Multifactor Authentication 155 Supplemental Security Devices 155 Cloud Application Architecture 157 Application Programming Interfaces 157 Tenancy Separation 159 Cryptography 159 Sandboxing 162 Application Virtualization 162 Cloud Application Assurance and Validation 162 Threat Modeling 163 Quality of Service 166 Software Security Testing 166 Approved APIs 171 Software Supply Chain (API) Management 171 Securing Open Source Software 172 Runtime Application Self-Protection (RASP) 173 Secure Code Reviews 173 OWASP Top 9 Coding Flaws 173 Summary 174 Exam Essentials 174 Written Labs 175 Review Questions 176 Chapter 8 Operations Elements 181 Physical/Logical Operations 183 Facilities and Redundancy 184 Virtualization Operations 194 Storage Operations 195 Physical and Logical Isolation 197 www.allitebooks.com Contents xi Security Training and Awareness 198 Training Program Categories 199 Additional Training Insights 203 Basic Operational Application Security 203 Threat Modeling 204 Application Testing Methods 205 Summary 206 Exam Essentials 206 Written Labs 207 Review Questions 208 Chapter 9 Operations Management 213 Monitoring, Capacity, and Maintenance 215 Monitoring 215 Maintenance 217 Change and Configuration Management (CM) 221 Baselines 221 Deviations and Exceptions 222 Roles and Process 223 Business Continuity and Disaster Recovery (BC/DR) 225 Primary Focus 226 Continuity of Operations 227 The BC/DR Plan 227 The BC/DR Kit 229 Relocation 230 Power 231 Testing 232 Summary 23 Exam Essentials 233 Written Labs 234 Review Questions 235 Chapter 10 Legal and Compliance Part 1 239 Legal Requirements and Unique Risks in the Cloud Environment 241 Legal Concepts 241 U.S. Laws 247 International Laws 252 Laws, Frameworks, and Standards Around the World 252 The Difference Between Laws, Regulations and Standards 261 www.allitebooks.com

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.