CCSP For Dummies with Online Practice

SECURE YOUR CSSP CERTIFICATION

CCSP is the world’s leading Cloud Security certification. It covers the advanced technical skills and knowledge to design, manage, and secure data, applications, and infrastructure in the cloud using best practices, policies, and procedures.

If you’re a cloud security professional seeking your CSSP certification, this book is a perfect way to prepare for the exam. Covering in detail all six domains, the expert advice in this book gives you key information you'll need to pass the exam. In addition to the information covered on the exam, you'll get tips on setting up a study plan, tips for exam day, and access to an online test bank of questions.

* Key information for all six exam domains
* Test -taking and exam day tips and tricks
* Free online practice questions and flashcards
* Coverage of the core concepts

From getting familiar with the core concepts to establishing a study plan, this book is all you need to hang your hat on that certification!

ARTHUR J. DEANE is a security and compliance executive at Google. He is a technical professional with 13+ years experience in information security, cloud security, IT risk management, and systems engineering. Contents at a Glance

INTRODUCTION. 1

PART 1: STARTING YOUR CCSP JOURNEY. 7

Chapter 1: Familiarizing Yourself with (ISC) 2 and the CCSP Certification. 9

Chapter 2: Identifying Information Security Fundamentals. 25

PART 2: EXPLORING THE CCSP CERTIFICATION DOMAINS. 41

Chapter 3: Domain 1: Cloud Concepts, Architecture and Design 43

Chapter 4: Domain 2: Cloud Data Security. 91

Chapter 5: Domain 3: Cloud Platform and Infrastructure Security. 129

Chapter 6: Domain 4: Cloud Application Security. 173

Chapter 7: Domain 5: Cloud Security Operations. 213

Chapter 8: Domain 6: Legal, Risk and Compliance. 253

PART 3: THE PART OF TENS. 295

Chapter 9: Ten (or So) Tips to Help You Prepare for the CCSP Exam 297

Chapter 10: Ten Keys to Success on Exam Day. 303

PART 4: APPENDIXES 307

Appendix A: Glossary 309

Appendix B: Helpful Resources. 329

Index. 333

Table of Contents

Introduction 1

About this Book. 1

Foolish Assumptions. 2

Icons Used in This Book. 3

Beyond the Book. 4

Where to Go from Here. 5

PART 1: STARTING YOUR CCSP JOURNEY. 7

CHAPTER 1: FAMILIARIZING YOURSELF WITH (ISC) 2

and the CCSP Certification. 9

Appreciating (ISC) 2 and the CCSP Certification. 9

Knowing Why You Need to Get Certified. 10

Studying the Prerequisites for the CCSP. 11

Understanding the CCSP Domains. 12

Domain 1: Cloud Concepts, Architecture and Design 12

Domain 2: Cloud Data Security. 13

Domain 3: Cloud Platform and Infrastructure Security. 14

Domain 4: Cloud Application Security 15

Domain 5: Cloud Security Operations 15

Domain 6: Legal, Risk and Compliance 16

Preparing for the Exam 17

Studying on your own. 18

Learning by doing. 19

Getting official (ISC) 2 CCSP training. 19

Attending other training courses 20

Practice, practice, practice. 20

Ensuring you’re ready for the exam. 21

Registering for the Exam 21

Taking the Exam 22

Identifying What to Do After the Exam 23

CHAPTER 2: IDENTIFYING INFORMATION SECURITY FUNDAMENTALS. 25

Exploring the Pillars of Information Security. 26

Confidentiality. 26

Integrity. 27

Availability. 27

Threats, Vulnerabilities, and Risks Oh My!. 28

Threats 28

Vulnerabilities 28

Risks. 29

Table of Contents

Securing Information with Access Control. 29

Deciphering Cryptography. 30

Encryption and decryption. 30

Types of encryption. 31

Common uses of encryption. 32

Grasping Physical Security. 34

Realizing the Importance of Business Continuity and Disaster Recovery. 34

Implementing Incident Handling. 35

Preparing for incidents. 37

Detecting incidents. 37

Containing incidents. 38

Eradicating incidents. 39

Recovering from incidents. 39

Conducting a Post-Mortem. 39

Utilizing Defense-in-Depth. 40

PART 2: EXPLORING THE CCSP CERTIFICATION DOMAINS. 41

CHAPTER 3: DOMAIN 1: CLOUD CONCEPTS, ARCHITECTURE AND DESIGN 43

Knowing Cloud Computing Concepts. 44

Defining cloud computing terms. 44

Identifying cloud computing roles 46

Recognizing key cloud computing characteristics 47

Building block technologies. 49

Describing Cloud Reference Architecture. 49

Cloud computing activities. 50

Cloud service capabilities. 51

Cloud service categories. 51

Cloud deployment models. 55

Cloud shared considerations. 58

Impact of related technologies. 63

Identifying Security Concepts Relevant to Cloud Computing. 64

Cryptography and key management. 65

Access control 67

Data and media sanitization 69

Network security. 69

Virtualization security. 70

Common threats. 71

Comprehending Design Principles of Secure Cloud Computing. 76

Cloud Secure Data Lifecycle. 76

Cloud based disaster recovery (DR) and business continuity (BC) planning. 78

CCSP For Dummies with Online Practice

Cost benefit analysis. 78

Security considerations for different cloud categories. 79

Evaluating Cloud Service Providers. 82

Verifying against certification criteria. 82

Meeting system/subsystem product certifications 88

CHAPTER 4: DOMAIN 2: CLOUD DATA SECURITY. 91

Describing Cloud Data Concepts. 91

Cloud data lifecycle phases. 92

Data dispersion. 94

Designing and Implementing Cloud Data Storage Architectures. 94

Storage types. 94

Threats to storage types. 97

Designing and Implementing Data Security Technologies and Strategies 98

Encryption and key management. 99

Hashing. 101

Data loss prevention (DLP). 102

Data de-identification. 105

Implementing Data Discovery. 107

Structured data. 108

Unstructured data. 109

Implementing Data Classification. 109

Mapping 109

Labeling. 110

Sensitive data. 110

Designing and Implementing Information Rights Management (IRM). 112

Objectives. 113

Appropriate tools. 114

Planning and Implementing Data Retention, Deletion, and Archiving Policies. 115

Data retention policies. 115

Data deletion procedures and mechanisms. 116

Data archiving procedures and mechanisms. 117

Legal hold. 118

Designing and Implementing Auditability, Traceability and Accountability of Data Events 118

Defining event sources and requirements of identity attribution 119

Logging, storing, and analyzing data events. 124

Chain of custody and nonrepudiation. 127

Table of Contents

CHAPTER 5: DOMAIN 3: CLOUD PLATFORM AND INFRASTRUCTURE SECURITY. 129

Comprehending Cloud Infrastructure Components 130

Physical environment. 131

Network and communications 132

Compute. 134

Virtualization 136

Storage. 139

Management plane. 140

Designing a Secure Data Center. 141

Logical design. 141

Physical design. 142

Environmental design. 144

Analyzing Risks Associated with Cloud Infrastructure. 145

Risk assessment and analysis. 145

Cloud vulnerabilities, threats, and attacks. 147

Virtualization risks. 150

Countermeasure strategies. 152

Designing and Planning Security Controls. 152

Physical and environmental protection. 153

System and communication protection. 154

Virtualization systems protection. 155

Identification, authentication, and authorization in cloud infrastructure 159

Audit mechanisms. 161

Planning Business Continuity (BC) and Disaster Recovery (DR). 162

Risks related to the cloud environment. 162

Business requirements. 166

Business continuity/disaster recovery strategy 166

CHAPTER 6: DOMAIN 4: CLOUD APPLICATION SECURITY 173

Advocating Training and Awareness for Application Security 174

Cloud development basics. 174

Common pitfalls 175

Common cloud vulnerabilities. 178

Describing the Secure Software Development Lifecycle (SDLC) Process. 180

Business requirements. 180

Phases. 180

Methodologies. 184

Applying the SDLC Process 186

Common vulnerabilities during development 186

Cloud-specific risks. 191

Quality Assurance (QA). 192

CCSP For Dummies with Online Practice

Threat modeling 192

Software configuration management and versioning. 196

Applying Cloud Software Assurance and Validation 197

Functional testing 197

Security testing methodologies. 198

Using Verified Secure Software. 200

Approved Application Programming Interfaces (API). 200

Supply-chain management 200

Third-party software management. 201

Validated open source software. 201

Comprehending the Specifics of Cloud Application Architecture 201

Supplemental security components. 202

Cryptography. 203

Sandboxing. 204

Application virtualization and orchestration. 204

Designing Appropriate Identity and Access Management (IAM)

Solutions. 205

Federated identity. 206

Identity providers 207

Single sign-on (SSO). 208

Multifactor authentication. 209

Cloud access security broker (CASB) 210

CHAPTER 7: DOMAIN 5: CLOUD SECURITY OPERATIONS. 213

Implementing and Building a Physical and Logical Infrastructure for Cloud Environment. 214

Hardware specific security configuration requirements. 214

Installing and configuring virtualization management tools 218

Virtual hardware specific security configuration

requirements. 219

Installing guest operating system virtualization

toolsets. 220

Operating Physical and Logical Infrastructure for a Cloud Environment. 221

Configuring access control for local and remote access. 221

Secure network configuration. 223

Hardening the operating system through the application of baselines. 226

Availability of standalone hosts. 228

Availability of clustered hosts 228

Availability of guest operating system. 230

Managing Physical and Logical Infrastructure for a Cloud Environment. 230

Access controls for remote access. 230

Operating system baseline compliance

monitoring and remediation. 231

Table of Contents

Patch management. 232

Performance and capacity monitoring. 234

Hardware monitoring. 234

Configuring host and guest operating system backup and restore functions. 235

Network security controls 236

Management plane. 239

Implementing Operational Controls and Standards. 240

Change management. 241

Continuity management. 243

Information security management. 243

Continual service improvement management. 244

Incident management. 244

Problem management. 244

Release and deployment management. 244

Configuration management. 244

Service level management. 245

Availability management 245

Capacity management. 245

Supporting Digital Forensics. 246

Collecting, acquiring, and preserving digital evidence. 246

Evidence management. 248

Managing Communication with Relevant Parties. 249

Customers 249

Vendors. 250

Partners 250

Regulators. 250

Other stakeholders. 251

Managing Security Operations 251

Security operations center (SOC) 251

Monitoring of security controls. 252

CHAPTER 8: DOMAIN 6: LEGAL, RISK AND COMPLIANCE 253

Articulating Legal Requirements and Unique Risks within the Cloud Environment. 254

Conflicting international legislation 254

Evaluating legal risks specific to cloud computing. 255

Legal framework and guidelines. 257

e-Discovery. 258

Forensics requirements. 261

Understanding Privacy Issues. 262

Difference between contractual and regulated private data. 262

Country-specific legislation related to private data. 263

Jurisdictional differences in data privacy. 266

Standard privacy requirements. 266

CCSP For Dummies with Online Practice

Understanding Audit Process, Methodologies, and Required Adaptations for a Cloud Environment. 268

Internal and external audit controls. 269

Impact of audit requirements. 270

Identifying assurance challenges of virtualization and cloud 270

Types of audit reports. 271

Restrictions of audit scope statements. 273

Gap analysis. 274

Audit planning. 275

Internal information security management system (ISMS). 278

Internal information security controls system. 279

Policies 280

Identification and involvement of relevant stakeholders. 282

Specialized compliance requirements for highly

regulated industries 282

Impact of distributed Information Technology (IT) model 283

Understanding the Implications of Cloud to Enterprise Risk Management. 284

Assessing providers’ risk management programs. 284

Difference between data owner/controller versus data custodian/processor 284

Regulatory transparency requirements. 285

Risk tolerance and risk profile. 285

Risk assessment. 286

Risk treatment. 287

Different risk frameworks 289

Metrics for risk management 290

Assessment of risk environment. 290

Understanding Outsourcing and Cloud Contract Design. 291

Business requirements. 291

Vendor management 292

Contract management. 292

Supply-chain management 294

PART 3: THE PART OF TENS. 295

CHAPTER 9: TEN (OR SO) TIPS TO HELP YOU PREPARE FOR THE CCSP EXAM. 297

Brush Up on the Prerequisites 297

Register for the Exam. 298

Create a Study Plan. 298

Find a Study Buddy. 299

Take Practice Exams. 299

Get Hands-On 299

Table of Contents

Attend a CCSP Training Seminar. 300

Plan Your Exam Strategy 300

Get Some Rest and Relaxation 301

CHAPTER 10: TEN KEYS TO SUCCESS ON EXAM DAY. 303

Making Sure You Wake Up. 303

Dressing for the Occasion 304

Eating a Great Meal. 304

Warming Up Your Brain. 304

Bringing Snacks and Drinks. 304

Planning Your Route. 305

Arriving Early 305

Taking Breaks. 305

Staying Calm. 306

Remembering Your Strategy. 306

PART 4: APPENDIXES 307

Appendix A: Glossary. 309

Appendix B: Helpful Resources. 329

(ISC) 2 and CCSP Exam Resources 329

Standards and Guidelines. 329

Technical References 331

Index. 333

CCSP For Dummies with Online Practice

NTRODUCTION 1

About this Book 1

Foolish Assumptions 2

Icons Used in This Book 3

Beyond the Book 4

Where to Go from Here 5

PART 1: STARTING YOUR CCSP JOURNEY 7

CHAPTER 1: FAMILIARIZING YOURSELF WITH (ISC)2 AND THE CCSP CERTIFICATION 9

Appreciating (ISC)2 and the CCSP Certification 9

Knowing Why You Need to Get Certified 10

Studying the Prerequisites for the CCSP 11

Understanding the CCSP Domains 12

Domain 1: Cloud Concepts, Architecture and Design 12

Domain 2: Cloud Data Security 13

Domain 3: Cloud Platform and Infrastructure Security 14

Domain 4: Cloud Application Security 15

Domain 5: Cloud Security Operations 15

Domain 6: Legal, Risk and Compliance 16

Preparing for the Exam 17

Studying on your own 18

Learning by doing 19

Getting official (ISC)2 CCSP training 19

Attending other training courses 20

Practice, practice, practice 20

Ensuring you’re ready for the exam 21

Registering for the Exam 21

Taking the Exam 22

Identifying What to Do After the Exam 23

CHAPTER 2: IDENTIFYING INFORMATION SECURITY FUNDAMENTALS 25

Exploring the Pillars of Information Security 26

Confidentiality 26

Integrity 27

Availability 27

Threats, Vulnerabilities, and Risks…Oh My! 28

Threats 28

Vulnerabilities 28

Risks 29

Securing Information with Access Control 29

Deciphering Cryptography 30

Encryption and decryption 30

Types of encryption 31

Common uses of encryption 32

Grasping Physical Security 34

Realizing the Importance of Business Continuity and Disaster Recovery 34

Implementing Incident Handling 35

Preparing for incidents 37

Detecting incidents 37

Containing incidents 38

Eradicating incidents 39

Recovering from incidents 39

Conducting a Post-Mortem 39

Utilizing Defense-in-Depth 40

PART 2: EXPLORING THE CCSP CERTIFICATION DOMAINS 41

CHAPTER 3: DOMAIN 1: CLOUD CONCEPTS, ARCHITECTURE AND DESIGN 43

Knowing Cloud Computing Concepts 44

Defining cloud computing terms 44

Identifying cloud computing roles 46

Recognizing key cloud computing characteristics 47

Building block technologies 49

Describing Cloud Reference Architecture 49

Cloud computing activities 50

Cloud service capabilities 51

Cloud service categories 51

Cloud deployment models 55

Cloud shared considerations 58

Impact of related technologies 63

Identifying Security Concepts Relevant to Cloud Computing 64

Cryptography and key management 65

Access control 67

Data and media sanitization 69

Network security 69

Virtualization security 70

Common threats 71

Comprehending Design Principles of Secure Cloud Computing 76

Cloud Secure Data Lifecycle 76

Cloud based disaster recovery (DR) and business continuity (BC) planning 78

Cost benefit analysis 78

Security considerations for different cloud categories 79

Evaluating Cloud Service Providers 82

Verifying against certification criteria 82

Meeting system/subsystem product certifications 88

CHAPTER 4: DOMAIN 2: CLOUD DATA SECURITY 91

Describing Cloud Data Concepts 91

Cloud data lifecycle phases 92

Data dispersion 94

Designing and Implementing Cloud Data Storage Architectures 94

Storage types 94

Threats to storage types 97

Designing and Implementing Data Security Technologies and Strategies 98

Encryption and key management 99

Hashing 101

Data loss prevention (DLP) 102

Data de-identification 105

Implementing Data Discovery 107

Structured data 108

Unstructured data 109

Implementing Data Classification 109

Mapping 109

Labeling 110

Sensitive data 110

Designing and Implementing Information Rights Management (IRM) 112

Objectives 113

Appropriate tools 114

Planning and Implementing Data Retention, Deletion, and Archiving Policies 115

Data retention policies 115

Data deletion procedures and mechanisms 116

Data archiving procedures and mechanisms 117

Legal hold 118

Designing and Implementing Auditability, Traceability and Accountability of Data Events 118

Defining event sources and requirements of

identity attribution 119

Logging, storing, and analyzing data events 124

Chain of custody and nonrepudiation 127

CHAPTER 5: DOMAIN 3: CLOUD PLATFORM AND INFRASTRUCTURE SECURITY 129

Comprehending Cloud Infrastructure Components 130

Physical environment 131

Network and communications 132

Compute 134

Virtualization 136

Storage 139

Management plane 140

Designing a Secure Data Center 141

Logical design 141

Physical design 142

Environmental design 144

Analyzing Risks Associated with Cloud Infrastructure 145

Risk assessment and analysis 145

Cloud vulnerabilities, threats, and attacks 147

Virtualization risks 150

Countermeasure strategies 152

Designing and Planning Security Controls 152

Physical and environmental protection 153

System and communication protection 154

Virtualization systems protection 155

Identification, authentication, and authorization in cloud infrastructure 159

Audit mechanisms 161

Planning Business Continuity (BC) and Disaster Recovery (DR) 162

Risks related to the cloud environment 162

Business requirements 166

Business continuity/disaster recovery strategy 166

CHAPTER 6: DOMAIN 4: CLOUD APPLICATION SECURITY 173

Advocating Training and Awareness for Application Security 174

Cloud development basics 174

Common pitfalls 175

Common cloud vulnerabilities 178

Describing the Secure Software Development Lifecycle (SDLC) Process 180

Business requirements 180

Phases 180

Methodologies 184

Applying the SDLC Process 186

Common vulnerabilities during development 186

Cloud-specific risks 191

Quality Assurance (QA) 192

Threat modeling 192

Software configuration management and versioning 196

Applying Cloud Software Assurance and Validation 197

Functional testing 197

Security testing methodologies 198

Using Verified Secure Software 200

Approved Application Programming Interfaces (API) 200

Supply-chain management 200

Third-party software management 201

Validated open source software 201

Comprehending the Specifics of Cloud Application Architecture 201

Supplemental security components 202

Cryptography 203

Sandboxing 204

Application virtualization and orchestration 204

Designing Appropriate Identity and Access Management (IAM) Solutions 205

Federated identity 206

Identity providers 207

Single sign-on (SSO) 208

Multifactor authentication 209

Cloud access security broker (CASB) 210

CHAPTER 7: DOMAIN 5: CLOUD SECURITY OPERATIONS 213

Implementing and Building a Physical and Logical Infrastructure for Cloud Environment 214

Hardware specific security configuration requirements 214

Installing and configuring virtualization management tools 218

Virtual hardware specific security configuration requirements 219

Installing guest operating system virtualization toolsets 220

Operating Physical and Logical Infrastructure for a Cloud Environment 221

Configuring access control for local and remote access 221

Secure network configuration 223

Hardening the operating system through the application of baselines 226

Availability of standalone hosts 228

Availability of clustered hosts 228

Availability of guest operating system 230

Managing Physical and Logical Infrastructure for a Cloud Environment 230

Access controls for remote access 230

Operating system baseline compliance

monitoring and remediation 231

Patch management 232

Performance and capacity monitoring 234

Hardware monitoring 234

Configuring host and guest operating system backup and restore functions 235

Network security controls 236

Management plane 239

Implementing Operational Controls and Standards 240

Change management 241

Continuity management 243

Information security management 243

Continual service improvement management 244

Incident management 244

Problem management 244

Release and deployment management 244

Configuration management 244

Service level management 245

Availability management 245

Capacity management 245

Supporting Digital Forensics 246

Collecting, acquiring, and preserving digital evidence 246

Evidence management 248

Managing Communication with Relevant Parties 249

Customers 249

Vendors 250

Partners 250

Regulators 250

Other stakeholders 251

Managing Security Operations 251

Security operations center (SOC) 251

Monitoring of security controls 252

CHAPTER 8: DOMAIN 6: LEGAL, RISK AND COMPLIANCE 253

Articulating Legal Requirements and Unique Risks within the Cloud Environment 254

Conflicting international legislation 254

Evaluating legal risks specific to cloud computing 255

Legal framework and guidelines 257

e-Discovery 258

Forensics requirements 261

Understanding Privacy Issues 262

Difference between contractual and regulated private data 262

Country-specific legislation related to private data 263

Jurisdictional differences in data privacy 266

Standard privacy requirements 266

Understanding Audit Process, Methodologies, and Required Adaptations for a Cloud Environment 268

Internal and external audit controls 269

Impact of audit requirements 270

Identifying assurance challenges of virtualization and cloud 270

Types of audit reports 271

Restrictions of audit scope statements 273

Gap analysis 274

Audit planning 275

Internal information security management system (ISMS) 278

Internal information security controls system 279

Policies 280

Identification and involvement of relevant stakeholders 282

Specialized compliance requirements for highly regulated industries 282

Impact of distributed Information Technology (IT) model 283

Understanding the Implications of Cloud to Enterprise Risk Management 284

Assessing providers’ risk management programs 284

Difference between data owner/controller versus data custodian/processor 284

Regulatory transparency requirements 285

Risk tolerance and risk profile 285

Risk assessment 286

Risk treatment 287

Different risk frameworks 289

Metrics for risk management 290

Assessment of risk environment 290

Understanding Outsourcing and Cloud Contract Design 291

Business requirements 291

Vendor management 292

Contract management 292

Supply-chain management 294

PART 3: THE PART OF TENS 295

CHAPTER 9: TEN (OR SO) TIPS TO HELP YOU PREPARE FOR THE CCSP EXAM 297

Brush Up on the Prerequisites 297

Register for the Exam 298

Create a Study Plan 298

Find a Study Buddy 299

Take Practice Exams 299

Get Hands-On 299

Attend a CCSP Training Seminar 300

Plan Your Exam Strategy 300

Get Some Rest and Relaxation 301

CHAPTER 10: TEN KEYS TO SUCCESS ON EXAM DAY 303

Making Sure You Wake Up 303

Dressing for the Occasion 304

Eating a Great Meal 304

Warming Up Your Brain 304

Bringing Snacks and Drinks 304

Planning Your Route 305

Arriving Early 305

Taking Breaks 305

Staying Calm 306

Remembering Your Strategy 306

PART 4: APPENDIXES 307

APPENDIX A: GLOSSARY 309

APPENDIX B: HELPFUL RESOURCES 329

(ISC)2 and CCSP Exam Resources 329

Standards and Guidelines 329

Technical References 331

Index 333