book

CCSP (ISC)2 Certified Cloud Security Professional Exam Guide

Name: CCSP (ISC)2 Certified Cloud Security Professional Exam Guide
ISBN: 9781838987664

by Omar A. Turner, Navya Lakshmana

June 2024

Beginner to intermediate

560 pages

15h 31m

English

Packt Publishing

Read now

Unlock full access

CCSP (ISC)2 Certified Cloud Security Professional Exam Guide
ContributorsAbout the AuthorsAbout the Reviewers
Preface
Who This Book Is ForWhat This Book CoversHow to Get the Most Out of This BookOnline Practice ResourcesDownload the Color ImagesConventions UsedGet in TouchShare Your ThoughtsDownload a Free PDF Copy of This Book
Chapter 1: Core Cloud Concepts
Making the Most Out of This Book – Your Certification and BeyondWhat Is Cloud Computing?Essential Cloud Computing CharacteristicsCloud StakeholdersISO/IEC 17789 CCRA Roles and Sub-RolesCloud Service CustomerCSPCloud Service PartnerCloud AuditorNIST Cloud Computing Key ActorsCloud ConsumerCloud ProviderCloud BrokerCloud Auditor (CA)Cloud Carrier (CC)Key Cloud Computing Technologies and Building BlocksSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 2: Cloud Reference Architecture
Cloud Service ModelsSoftware as a Service (SaaS)Platform as a Service (PaaS)Infrastructure as a Service (IaaS)Cloud Service Models and CategoriesCloud Deployment ModelsShared Responsibility ModelShared Considerations for Cloud DeploymentsEmerging Technologies in Cloud ComputingData ScienceArtificial Intelligence and Machine Learning (AI/ML)BlockchainInternet of Things (IoT)ContainersQuantum ComputingQuantum as a Service (QaaS)Quantum-Enhanced Optimization and MLQuantum Simulation and ModelingQuantum Cloud-Based Software DevelopmentEdge ComputingConfidential ComputingSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 3: Top Threats and Essential Cloud Security Concepts and Controls
The CIA Triad—Confidentiality, Integrity, and AvailabilityCommon Threats to Cloud DeploymentsData BreachesMisconfigurationInsecure APIsInsider ThreatsAccount HijackingSecurity Control Categories and TypesSecurity Control Categories/ClassesSecurity Control Types and FunctionalitySummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 4: Design Principles for Secure Cloud Computing
Security for IaaS, SaaS, and PaaSSecurity Considerations for Infrastructure as a Service (IaaS)Core Elements of Security for IaaSSecurity Considerations for Platform as a Service (PaaS)Core Elements of Security for PaaSSecurity Considerations for Software as a Service (SaaS)Core Elements of Security for SaaSShared Responsibility Model for Cloud Service ModelsReview of Your ResponsibilitiesSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 5: How to Evaluate Your Cloud Service Provider
Key Cloud Service Contractual DocumentsCSAThe Customer AgreementThe CSA from a CSP PerspectiveAUPThe Purpose of an AUPThe Importance of an AUPSLAThe Purpose of an SLAThe Key Characteristics of an SLAThe Importance of an SLAEvaluation of the CSP ServicesKnow Your Business NeedsAssessing Security and ComplianceSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 6: Cloud Data Security Concepts and Architectures
Structured and Unstructured DataKey DifferencesThe Cloud Data LifecycleData Creation or ProcurementData StorageData UsageData SharingData ArchivingData DestructionVarious Storage Types and Common ThreatsObject StorageFile StorageBlock StoragePrevalent Threats to Cloud DataSecurity Measures for Cloud Object Storage, File Storage, and Block StorageData Classification and DiscoveryRecommended Data Classification ProcessCloud Data Security Technologies and Common StrategiesEncryption in Cloud Data SecurityIAMSIEMFirewall and Intrusion Detection SystemsData Loss Prevention ToolsCritical Cloud Data Security StrategiesImportance of a Cloud Security PolicyImplementing a Cloud Security PolicyRegular Security Audits and AssessmentsEmployee Training and AwarenessRegular Data Backups and Recovery PlanningBest Practices for Data Retention, Archival, and DeletionUnderstanding Data Lifecycle ManagementImplementing Data Retention PoliciesSecure Data Deletion TechniquesEffective Data Archiving SolutionsCompliance with Data Protection RegulationsLessons from Cloud Data Security BreachesSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 7: Data Governance Essentials
Data GovernanceData Dispersion in the CloudThe Importance of Data Governance for Cloud SecurityLeveraging Cloud-Specific Tools and ServicesIRMThe Role of IRM in Data GovernanceKey Components of an Effective IRM SystemIRM and Cloud ComputingImplementing IRMImplementing IRM in a Cloud EnvironmentBest Practices for IRM ImplementationCase Studies of Successful IRM ImplementationAuditability in Cloud Data GovernanceImplementing Auditability in the CloudTraceability in Cloud Data GovernanceImplementing Traceability in the CloudTools and Technologies for Enhancing TraceabilityAccountability in Cloud Data GovernanceKey Components of AccountabilityImplementing Accountability in Cloud Data GovernanceTools and Technologies for Enhancing AccountabilityCloud Data Life CycleThe Role of IRM, Auditability, Traceability, and Accountability in Each Phase of the Cloud Data Life CycleChallenges and Solutions in Implementing IRM and Data Governance in the CloudEmerging Trends and Technologies in Cloud Data Governance and IRMSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 8: Essential Infrastructure and Platform Components for a Secure Data Center
Cloud Infrastructure and Platform ComponentsPhysical EnvironmentNetwork and CommunicationsVMsStorageVirtualizationManagement PlaneDesigning a Secure Data CenterPhysical DesignChoosing a LocationBuying versus BuildingEnvironmental DesignHeating, Ventilation, and Air Conditioning (HVAC)Multi-Vendor Pathway ConnectivityLogical DesignTenant PartitioningAccess ControlSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing

Chapter 9: Analyzing Risks
Overview of Risk ManagementKey Concepts in Risk ManagementRisk Management in Cloud EnvironmentsIaaSPaaSSaaSDistinction between Cloud Service Models and Deployment Models (Public, Private, Hybrid, and Community)CybersecurityImportance of Risk Management in Cloud ComputingThe Outsourcing ModelVendor-Lock InData Residency – Processing, Storage, and Transfer ConsiderationsAccess to ResourcesResources that are not persistent (ephemeral)Risk Identification and AnalysisRisk FrameworksAssessing the CSP’s RiskSLAsIdentifying Cloud Security RisksTools and Practices for Identifying Risks in Cloud EnvironmentsRisk Assessments and ToolsExternal Third-Party AssessmentsAnalyzing and Assessing Cloud Security RisksQualitative versus Quantitative Risk Analysis MethodsTools and Frameworks for Cloud Risk AssessmentsCloud Attack Surface Area, Vulnerabilities, Threats, and Attack VectorsCloud Attack Surface and VulnerabilitiesHypervisorDirect Connections from Remote DevicesThreats, Attack Vectors, and Incident Response (IR) in CloudIR Planning for Cloud EnvironmentsRisk Response StrategiesAddressing Cloud Security Risks – Safeguards and CountermeasuresData Breaches and Data LossNon-Authorized AccessAdministrative ConcernsVirtualization RisksRegulatory Non-ComplianceDistributed Denial of Service (DDoS) AttacksMan-in-the-Middle AttacksVendor IssuesShadow ITNatural DisastersInsider ThreatsInsecure APIsMisconfigurationsForensic Challenges in Cloud Environments and SolutionsImplementing Cloud Security Best Practices, Controls and CountermeasuresBest PracticesControlsData Encryption and Protection Techniques in the CloudIAM in Cloud EnvironmentsInformation Rights Management (IRM) / Digital Rights Management (DRM)VirtualizationNetwork SegmentationFirewalls and Other DevicesDLP Tools / Egress MonitoringSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 10: Security Control Implementation
Physical and Environmental Protection ControlsSite Selection and Facility DesignSystem, Storage, and Communication Protection ControlsProtecting DataCryptographic Key Establishment and ManagementManaging a Network to Protect Systems and ServicesLanding ZonesVirtualization SystemsIAM Solutions for Identification, Authentication, and AuthorizationOpenIDOAuthIdentificationAuthenticationAuthentication MethodsConditional Authentication PoliciesAuthorizationFederationKey Cloud Control Audit MechanismsLog CollectionCorrelationPacket CapturingSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 11: Planning for the Worst-Case Scenario – Business Continuity and Disaster Recovery
BCDR DefinitionsThe Importance of BCDRKey Concepts and TerminologyBCDR StrategiesDefining the Scope of the BCDR PlanGathering Requirements and Generating ObjectivesIntegrating RequirementsAssessing RiskPerformance Issues Due to Location ChangeCost and Effort to Maintain RedundancyFailover IssuesLegal and Compliance IssuesCloud Environment Options for BCDR PlanningUnderstanding an Organization’s Business RequirementsIdentification of Critical Business FunctionsRisk Assessment and Impact AnalysisLegal and Regulatory ComplianceSLAs and Vendor ManagementCreation, Implementation, and Testing of a BCDR PlanCreating Your PlanImplementationTesting and Maintenance of the BCDR PlanTabletop ExercisesFull InterruptionWalk-Through TestsFunctional DrillsExample ScenariosScenario 1 – a Multi-Region Deployment and BCDR Strategy for a Sample Retail CompanyScenario 2 – a Multi-Region Deployment and BCDR Strategy for a Financial Services FirmSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 12: Application Security
Why is Application Security Critical?Common Challenges in Securing Web ApplicationsCommon Application VulnerabilitiesVulnerabilities with OWASPBroken Access Control (A01:2021)Cryptographic Failures (A02:2021)Injection (A03:2021)Mitigation Strategies for A03:2021-InjectionInsecure Design (A04:2021)Security Misconfiguration (A05:2021)Vulnerable and Outdated Components (A06:2021)Identification and Authentication Failures (A07:2021)Software and Data Integrity Failures (A08:2021)Security Logging and Monitoring Failures (A09:2021)Server-Side Request Forgery (A10:2021)Cloud Application Security Tools and SolutionsTypes of Cloud Application Security Tools and SolutionsCloud-Native Application Protection Platform (CNAPP)Cloud Access Security Brokers (CASBs)Cloud Web Application and API Protection (WAAP)SummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 13: Secure Software Development Life Cycle
Traditional SDLC to SSDLCBenefits of the SDLCDrawbacks of the SDLCWhy the Traditional SDLC Is ObsoleteSDLC versus SSDLCAdding Security to SDLCUtilizing the SSDLC in Cloud ProjectsSSDLC Activities and PhasesPhase 1: PlanningPhase 2: Requirements and AnalysisPhase 3: DesignPhase 4: DevelopmentPhase 5: Verification and DeploymentPhase 6: MaintenanceDevOpsWhy the SSDLC Is Vital for Modern Software DevelopmentThreat ModelingSTRIDEPASTADREADAvoiding Vulnerable CodeThe CI/CD Pipeline ConceptSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 14: Assurance, Validation, and Verification in Security
The Importance of Assurance, Validation, and VerificationWhat Are Functional and Non-Functional Testing?Comparing Functional and Non-Functional TestingSecurity Testing and Quality AssuranceTwo Approaches to Software VerificationThird-Party Review ProcessesMeasures to Secure APIsSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 15: Application-Centric Cloud Architecture
Supplemental Security ComponentsWAFsDAMXML FirewallsAPI GatewaysCryptographyData-at-Rest EncryptionData-in-Motion EncryptionKey ManagementSandboxingApplication Virtualization and OrchestrationSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 16: IAM Design
IAMDigital IdentityAuthenticationAuthorizationProvisioning and DeprovisioningPrivileged User ManagementCentralized Directory ServicesFederated IdentityFederation StandardsSecurity Assertion Markup Language (SAML)OpenID ConnectOAuth 2.0 (Open Authorization)Web Services Federation (WS-Federation)IdPsSSOMFACASBSecrets ManagementSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 17: Cloud Physical and Logical Infrastructure (Operationalization and Maintenance)
Hardware-Specific Security Configuration RequirementsHSMsTPMsStorage ControllersNetwork ControllersInstallation and Configuration of Management ToolsVirtual Hardware-Specific Security Configuration RequirementsHypervisorNetworkInstallation of Guest OS Virtualization ToolsetsAccess Controls for Local and Remote AccessSecure Network ConfigurationVirtual Local Area Networks (VLANs)Transport Layer Security (TLS)Dynamic Host Configuration Protocol (DHCP)DNS and Domain Name System Security Extensions (DNSSEC)VPNNetwork Security ControlsFirewallsIntrusion Detection System (IDS) and Intrusion Prevention System (IPS)HoneypotsOS BaseliningPatch ManagementAutomated and Manual PatchingIaC StrategyAvailability of Clustered HostsDistributed Resource Scheduling (DRS)Dynamic OptimizationMaintenance ModeHigh Availability (HA)Availability of Guest OSsPerformance and Capacity Monitoring in Cloud EnvironmentsHardware Monitoring in Cloud EnvironmentsConfiguration of Host and Guest OS Backup and Restore FunctionsSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 18: International Operational Controls and Standards
Operational Controls and StandardsITILISO/IEC 20000-1Change ManagementContinuity ManagementInformation Security ManagementContinual Service Improvement ManagementIncident ManagementProblem ManagementAn Instance of Problem ManagementRelease ManagementDeployment ManagementConfiguration ManagementService-Level ManagementAvailability ManagementAn Instance of Availability ManagementCapacity ManagementSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 19: Digital Forensics
Digital forensicsForensic data collection methodologiesEvidence managementCollecting, acquiring, and preserving digital evidenceApplying Technical Readiness in Cloud ForensicsBest practices for evidence preservationSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 20: Managing Communications
Managing communication with relevant partiesVendorsCustomersPartnersRegulatorsOther stakeholdersSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 21: Security Operations Center Management
SOCMonitoring of Security ControlsLog Capture and AnalysisLog ManagementSecurity Information and Event Management (SIEM)Incident ManagementVulnerability AssessmentsSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 22: Legal Challenges and the Cloud
Legal Requirements and Unique Risks Within the CloudConflicting International LegislationExample ScenarioEvaluation of Legal Risks Specific to Cloud ComputingLegal Framework and GuidelineseDiscovery and Forensics RequirementsUnderstanding the Implications of Cloud to Enterprise Risk ManagementAssessing Provider Risk Management ProgramsDifference Between Data Owner/Controller and Data Custodian/ProcessorRegulatory Transparency RequirementsBreach NotificationSOXGDPRRisk TreatmentRisk AvoidanceRisk MitigationRisk AcceptanceDifferent Risk FrameworksISO 31000:2018EU Agency for Cybersecurity (ENISA)Security Risks in the Cloud Identified by ENISANIST Special Publication 800-37Metrics for Risk ManagementAssessment of Risk EnvironmentService Risk AssessmentVendor Risk Assessment (Including CSPs)Infrastructure Risk AssessmentBusiness Risk AssessmentVarious Frameworks and Standards for the Assessment of the Risk EnvironmentUnderstanding Outsourcing and Cloud Contract DesignBusiness RequirementsVendor ManagementVendor AssessmentsVendor Lock-In RisksVendor ViabilityEscrowContract ManagementRight to AuditMetrics and DefinitionsTerminationLitigation and Dispute ResolutionAssurance and Service LevelsIndemnificationComplianceAccess to Cloud/DataCyber Risk InsuranceSupply-Chain ManagementSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 23: Privacy and the Cloud
Privacy IssuesThe Organization for Economic Co-operation and Development (OECD)Difference between Contractual and Regulated Private DataCountry-Specific Legislation Related to Private DataEuropean UnionEU Data Protection DirectiveGDPRAsia-PacificUnited StatesHIPAAGramm–Leach–Bliley Act (GLBA)Stored Communications Act (SCA)Clarifying Lawful Overseas Use of Data (CLOUD) ActEU-U.S. Privacy ShieldAustraliaCanadaJurisdictional Differences in Data PrivacyStandard Privacy RequirementsInternational Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27018Generally Accepted Privacy Principles (GAPP)Privacy Impact Assessments (PIAs)SummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 24: Cloud Audit Processes and Methodologies
Understanding the Audit Process, Methodologies, and Required Adaptations for a Cloud EnvironmentInternal and External Audit ControlsInternal Audit ControlsExternal Audit ControlsImpact of Audit RequirementsIdentify Assurance Challenges of Virtualization and the CloudTypes of Audit ReportsStatement on Standards for Attestation Engagements (SSAE) and Service Organization Control (SOC)International Standard on Assurance Engagements (ISAE)Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR)Restrictions of Audit Scope StatementsGap AnalysisAudit PlanningInternal ISMSInternal Information Security Controls SystemPoliciesOrganizational PoliciesFunctional PoliciesCloud Computing PoliciesIdentification and Involvement of Relevant StakeholdersSpecialized Compliance Requirements for Highly Regulated IndustriesImpact of Distributed IT ModelSummaryExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 25: Accessing the Online Practice Resources
How to Access These MaterialsPurchased from Packt Store (packtpub.com)Packt+ SubscriptionPurchased from Amazon and Other SourcesSTEP 1STEP 2STEP 3STEP 4STEP 5Troubleshooting TipsShare FeedbackBack to the Book
Why subscribe?
Other Books You May EnjoyShare Your ThoughtsDownload a Free PDF Copy of This Book

Content preview from CCSP (ISC)2 Certified Cloud Security Professional Exam Guide

4 Design Principles for Secure Cloud Computing

In the previous chapter, you studied the common threats to cloud deployments and attack vectors and also introduced the control frameworks and control types necessary to secure data, network, and virtualization layers for cloud computing. This chapter covers the fundamental principles for secure cloud computing design, an essential subject for CSSP. To fully comprehend these challenges and best practices in cloud security, you must become well versed in the realities of the shared responsibility model, data protection measures, and robust access control techniques, just to name a few. With this solid foundation in place, organizations can confidently utilize their resources on the cloud with security ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Certified Information Systems Security Professional (CISSP) Exam Guide

Publisher Resources

ISBN: 9781838987664

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

CCSP (ISC)2 Certified Cloud Security Professional Exam Guide

by Omar A. Turner, Navya Lakshmana

4

Design Principles for Secure Cloud Computing

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.