CCSP For Dummies with Online Practice
32,99 €*
Delivery time: available immediately
CCSP For Dummies with Online Practice, Wiley
By Arthur J. Deane, available in digital form in the heise Shop
Product description
SECURE YOUR CCSP CERTIFICATION
CCSP is the world's leading cloud security certification. It covers the advanced technical skills and knowledge needed to design, manage, and secure data, applications, and infrastructure in the cloud using best practices, policies, and procedures.
If you're a cloud security professional seeking your CCSP certification, this book is a perfect way to prepare for the exam. Covering all six domains in detail, the expert advice in this book gives you the key information you'll need to pass the exam. In addition to the material covered on the exam, you'll get tips on setting up a study plan, tips for exam day, and access to an online test bank of questions.
* Key information for all six exam domains
* Test-taking and exam day tips and tricks
* Free online practice questions and flashcards
* Coverage of the core concepts
From getting familiar with the core concepts to establishing a study plan, this book is all you need to hang your hat on that certification!
ARTHUR J. DEANE is a security and compliance executive at Google. He is a technical professional with 13+ years of experience in information security, cloud security, IT risk management, and systems engineering.
Contents at a Glance
INTRODUCTION 1
PART 1: STARTING YOUR CCSP JOURNEY 7
Chapter 1: Familiarizing Yourself with (ISC)² and the CCSP Certification 9
Chapter 2: Identifying Information Security Fundamentals 25
PART 2: EXPLORING THE CCSP CERTIFICATION DOMAINS 41
Chapter 3: Domain 1: Cloud Concepts, Architecture and Design 43
Chapter 4: Domain 2: Cloud Data Security 91
Chapter 5: Domain 3: Cloud Platform and Infrastructure Security 129
Chapter 6: Domain 4: Cloud Application Security 173
Chapter 7: Domain 5: Cloud Security Operations 213
Chapter 8: Domain 6: Legal, Risk and Compliance 253
PART 3: THE PART OF TENS 295
Chapter 9: Ten (or So) Tips to Help You Prepare for the CCSP Exam 297
Chapter 10: Ten Keys to Success on Exam Day 303
PART 4: APPENDIXES 307
Appendix A: Glossary 309
Appendix B: Helpful Resources 329
Index 333
Table of Contents
Introduction 1
About this Book 1
Foolish Assumptions 2
Icons Used in This Book 3
Beyond the Book 4
Where to Go from Here 5
PART 1: STARTING YOUR CCSP JOURNEY 7
CHAPTER 1: FAMILIARIZING YOURSELF WITH (ISC)² AND THE CCSP CERTIFICATION 9
Appreciating (ISC)² and the CCSP Certification 9
Knowing Why You Need to Get Certified 10
Studying the Prerequisites for the CCSP 11
Understanding the CCSP Domains 12
Domain 1: Cloud Concepts, Architecture and Design 12
Domain 2: Cloud Data Security 13
Domain 3: Cloud Platform and Infrastructure Security 14
Domain 4: Cloud Application Security 15
Domain 5: Cloud Security Operations 15
Domain 6: Legal, Risk and Compliance 16
Preparing for the Exam 17
Studying on your own 18
Learning by doing 19
Getting official (ISC)² CCSP training 19
Attending other training courses 20
Practice, practice, practice 20
Ensuring you're ready for the exam 21
Registering for the Exam 21
Taking the Exam 22
Identifying What to Do After the Exam 23
CHAPTER 2: IDENTIFYING INFORMATION SECURITY FUNDAMENTALS 25
Exploring the Pillars of Information Security 26
Confidentiality 26
Integrity 27
Availability 27
Threats, Vulnerabilities, and Risks…Oh My! 28
Threats 28
Vulnerabilities 28
Risks 29
Securing Information with Access Control 29
Deciphering Cryptography 30
Encryption and decryption 30
Types of encryption 31
Common uses of encryption 32
Grasping Physical Security 34
Realizing the Importance of Business Continuity and Disaster Recovery 34
Implementing Incident Handling 35
Preparing for incidents 37
Detecting incidents 37
Containing incidents 38
Eradicating incidents 39
Recovering from incidents 39
Conducting a Post-Mortem 39
Utilizing Defense-in-Depth 40
PART 2: EXPLORING THE CCSP CERTIFICATION DOMAINS 41
CHAPTER 3: DOMAIN 1: CLOUD CONCEPTS, ARCHITECTURE AND DESIGN 43
Knowing Cloud Computing Concepts 44
Defining cloud computing terms 44
Identifying cloud computing roles 46
Recognizing key cloud computing characteristics 47
Building block technologies 49
Describing Cloud Reference Architecture 49
Cloud computing activities 50
Cloud service capabilities 51
Cloud service categories 51
Cloud deployment models 55
Cloud shared considerations 58
Impact of related technologies 63
Identifying Security Concepts Relevant to Cloud Computing 64
Cryptography and key management 65
Access control 67
Data and media sanitization 69
Network security 69
Virtualization security 70
Common threats 71
Comprehending Design Principles of Secure Cloud Computing 76
Cloud Secure Data Lifecycle 76
Cloud based disaster recovery (DR) and business continuity (BC) planning 78
Cost benefit analysis 78
Security considerations for different cloud categories 79
Evaluating Cloud Service Providers 82
Verifying against certification criteria 82
Meeting system/subsystem product certifications 88
CHAPTER 4: DOMAIN 2: CLOUD DATA SECURITY 91
Describing Cloud Data Concepts 91
Cloud data lifecycle phases 92
Data dispersion 94
Designing and Implementing Cloud Data Storage Architectures 94
Storage types 94
Threats to storage types 97
Designing and Implementing Data Security Technologies and Strategies 98
Encryption and key management 99
Hashing 101
Data loss prevention (DLP) 102
Data de-identification 105
Implementing Data Discovery 107
Structured data 108
Unstructured data 109
Implementing Data Classification 109
Mapping 109
Labeling 110
Sensitive data 110
Designing and Implementing Information Rights Management (IRM) 112
Objectives 113
Appropriate tools 114
Planning and Implementing Data Retention, Deletion, and Archiving Policies 115
Data retention policies 115
Data deletion procedures and mechanisms 116
Data archiving procedures and mechanisms 117
Legal hold 118
Designing and Implementing Auditability, Traceability and Accountability of Data Events 118
Defining event sources and requirements of identity attribution 119
Logging, storing, and analyzing data events 124
Chain of custody and nonrepudiation 127
CHAPTER 5: DOMAIN 3: CLOUD PLATFORM AND INFRASTRUCTURE SECURITY 129
Comprehending Cloud Infrastructure Components 130
Physical environment 131
Network and communications 132
Compute 134
Virtualization 136
Storage 139
Management plane 140
Designing a Secure Data Center 141
Logical design 141
Physical design 142
Environmental design 144
Analyzing Risks Associated with Cloud Infrastructure 145
Risk assessment and analysis 145
Cloud vulnerabilities, threats, and attacks 147
Virtualization risks 150
Countermeasure strategies 152
Designing and Planning Security Controls 152
Physical and environmental protection 153
System and communication protection 154
Virtualization systems protection 155
Identification, authentication, and authorization in cloud infrastructure 159
Audit mechanisms 161
Planning Business Continuity (BC) and Disaster Recovery (DR) 162
Risks related to the cloud environment 162
Business requirements 166
Business continuity/disaster recovery strategy 166
CHAPTER 6: DOMAIN 4: CLOUD APPLICATION SECURITY 173
Advocating Training and Awareness for Application Security 174
Cloud development basics 174
Common pitfalls 175
Common cloud vulnerabilities 178
Describing the Secure Software Development Lifecycle (SDLC) Process 180
Business requirements 180
Phases 180
Methodologies 184
Applying the SDLC Process 186
Common vulnerabilities during development 186
Cloud-specific risks 191
Quality Assurance (QA) 192
Threat modeling 192
Software configuration management and versioning 196
Applying Cloud Software Assurance and Validation 197
Functional testing 197
Security testing methodologies 198
Using Verified Secure Software 200
Approved Application Programming Interfaces (API) 200
Supply-chain management 200
Third-party software management 201
Validated open source software 201
Comprehending the Specifics of Cloud Application Architecture 201
Supplemental security components 202
Cryptography 203
Sandboxing 204
Application virtualization and orchestration 204
Designing Appropriate Identity and Access Management (IAM) Solutions 205
Federated identity 206
Identity providers 207
Single sign-on (SSO) 208
Multifactor authentication 209
Cloud access security broker (CASB) 210
CHAPTER 7: DOMAIN 5: CLOUD SECURITY OPERATIONS 213
Implementing and Building a Physical and Logical Infrastructure for Cloud Environment 214
Hardware specific security configuration requirements 214
Installing and configuring virtualization management tools 218
Virtual hardware specific security configuration requirements 219
Installing guest operating system virtualization toolsets 220
Operating Physical and Logical Infrastructure for a Cloud Environment 221
Configuring access control for local and remote access 221
Secure network configuration 223
Hardening the operating system through the application of baselines 226
Availability of standalone hosts 228
Availability of clustered hosts 228
Availability of guest operating system 230
Managing Physical and Logical Infrastructure for a Cloud Environment 230
Access controls for remote access 230
Operating system baseline compliance monitoring and remediation 231
Patch management 232
Performance and capacity monitoring 234
Hardware monitoring 234
Configuring host and guest operating system backup and restore functions 235
Network security controls 236
Management plane 239
Implementing Operational Controls and Standards 240
Change management 241
Continuity management 243
Information security management 243
Continual service improvement management 244
Incident management 244
Problem management 244
Release and deployment management 244
Configuration management 244
Service level management 245
Availability management 245
Capacity management 245
Supporting Digital Forensics 246
Collecting, acquiring, and preserving digital evidence 246
Evidence management 248
Managing Communication with Relevant Parties 249
Customers 249
Vendors 250
Partners 250
Regulators 250
Other stakeholders 251
Managing Security Operations 251
Security operations center (SOC) 251
Monitoring of security controls 252
CHAPTER 8: DOMAIN 6: LEGAL, RISK AND COMPLIANCE 253
Articulating Legal Requirements and Unique Risks within the Cloud Environment 254
Conflicting international legislation 254
Evaluating legal risks specific to cloud computing 255
Legal framework and guidelines 257
e-Discovery 258
Forensics requirements 261
Understanding Privacy Issues 262
Difference between contractual and regulated private data 262
Country-specific legislation related to private data 263
Jurisdictional differences in data privacy 266
Standard privacy requirements 266
Understanding Audit Process, Methodologies, and Required Adaptations for a Cloud Environment 268
Internal and external audit controls 269
Impact of audit requirements 270
Identifying assurance challenges of virtualization and cloud 270
Types of audit reports 271
Restrictions of audit scope statements 273
Gap analysis 274
Audit planning 275
Internal information security management system (ISMS) 278
Internal information security controls system 279
Policies 280
Identification and involvement of relevant stakeholders 282
Specialized compliance requirements for highly regulated industries 282
Impact of distributed Information Technology (IT) model 283
Understanding the Implications of Cloud to Enterprise Risk Management 284
Assessing providers' risk management programs 284
Difference between data owner/controller versus data custodian/processor 284
Regulatory transparency requirements 285
Risk tolerance and risk profile 285
Risk assessment 286
Risk treatment 287
Different risk frameworks 289
Metrics for risk management 290
Assessment of risk environment 290
Understanding Outsourcing and Cloud Contract Design 291
Business requirements 291
Vendor management 292
Contract management 292
Supply-chain management 294
PART 3: THE PART OF TENS 295
CHAPTER 9: TEN (OR SO) TIPS TO HELP YOU PREPARE FOR THE CCSP EXAM 297
Brush Up on the Prerequisites 297
Register for the Exam 298
Create a Study Plan 298
Find a Study Buddy 299
Take Practice Exams 299
Get Hands-On 299
Attend a CCSP Training Seminar 300
Plan Your Exam Strategy 300
Get Some Rest and Relaxation 301
CHAPTER 10: TEN KEYS TO SUCCESS ON EXAM DAY 303
Making Sure You Wake Up 303
Dressing for the Occasion 304
Eating a Great Meal 304
Warming Up Your Brain 304
Bringing Snacks and Drinks 304
Planning Your Route 305
Arriving Early 305
Taking Breaks 305
Staying Calm 306
Remembering Your Strategy 306
PART 4: APPENDIXES 307
APPENDIX A: GLOSSARY 309
APPENDIX B: HELPFUL RESOURCES 329
(ISC)² and CCSP Exam Resources 329
Standards and Guidelines 329
Technical References 331
Index 333
Product details
Publisher: Wiley
Author: Arthur J. Deane
Item number: 9781119648369
Published: 26.08.2020
Number of pages: 368