The Official (ISC)2 Guide to the CCSP CBK

The Official (ISC)2 Guide to the CCSP CBK, Second Edition

ADAM GORDON
CISSP-ISSAP, CISSP-ISSMP, SSCP, CCSP, CISA, CRISC, MCSE PRIVATE CLOUD, VCP-CLOUD

The Official (ISC)2 Guide to the CCSP CBK, Second Edition
Published by John Wiley & Sons, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com

Copyright 2016 by (ISC)2
Published by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada

ISBN: 978-1-119-27672-2
ISBN: 978-1-119-27673-9 (ebk)
ISBN: 978-1-119-27674-6 (ebk)

Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2016935632

Trademarks: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2, CCSP, and CBK are service marks or registered trademarks of Information System Security Certification Consortium, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

About the Author

With more than 25 years of experience as both an educator and an IT professional, Adam Gordon holds numerous professional IT certifications, including CISSP, CISA, CRISC, CHFI, CEH, SCNA, VCP, and VCI. He is the author of several books and has earned numerous awards, including EC-Council Instructor of Excellence, 2006-2007 and Top Technical Instructor Worldwide, 2002-2003. Adam holds his bachelor's degree in international relations and his master's degree in international political affairs from Florida International University.

Adam has held a number of positions during his professional career, including CISO, CTO, consultant, and solutions architect. He has worked on many large implementations involving multiple customer program teams for delivery.

Adam has been invited to lead projects for companies such as Microsoft, Citrix, Lloyds Bank TSB, Campus Management, US Southern Command (SOUTHCOM), Amadeus, World Fuel Services, and Seaboard Marine.

Credits

Project Editors: Gill Editorial Services, Kelly Talbot
Business Manager: Amy Knies
Executive Editor: Jim Minatel
Technical Editor: Rob Shimonski
Project Coordinator, Cover: Brent Savage
Production Manager: Kathleen Wisor
Proofreader: Kim Wimpsett
Copy Editor: Kezia Endsley
Manager of Content Development & Assembly: Mary Beth Wakefield
Marketing Manager: Carrie Sherrill
Indexer: Johnna VanHoose Dinse
Cover Designer: Mike Trent
Cover Image: Mike Trent
Professional Technology & Strategy Director: Barry Pruett

Contents

Foreword xvii
Introduction xix

Domain 1: Architectural Concepts and Design Requirements
    Introduction
    Drivers for Cloud Computing
        Security, Risks, and Benefits
    Cloud Computing Definitions
    Cloud Computing Roles
    Key Cloud Computing Characteristics
    Cloud Transition Scenario
    Building Blocks
    Cloud Computing Functions
    Cloud Service Categories
        IaaS
        PaaS
        SaaS
    Cloud Deployment Models
        The Public Cloud Model
        The Private Cloud Model
        The Hybrid Cloud Model
        The Community Cloud Model
    Cloud Cross-Cutting Aspects
        Architecture Overview
        Key Principles of an Enterprise Architecture
        The NIST Cloud Technology Roadmap
    Network Security and Perimeter
    Cryptography
        Encryption
        Key
    IAM and Access Control
        Provisioning and Deprovisioning
        Centralized Directory Services
        Privileged User Management
        Authorization and Access Management
    Data and Media Sanitization
        Vendor Lock-In
        Cryptographic Erasure
        Data Overwriting
    Virtualization Security
        The Hypervisor
        Security Types
    Common Threats
        Data Breaches
        Data Loss
        Account or Service Traffic Hijacking
        Insecure Interfaces and APIs
        Denial of Service
        Malicious Insiders
        Abuse of Cloud Services
        Insufficient Due Diligence
        Shared Technology Vulnerabilities
    Security Considerations for Different Cloud Categories
        IaaS Security
        PaaS Security
        SaaS Security
    Open Web Application Security Project Top Ten Security Threats
    Cloud Secure Data Lifecycle
    Information and Data Governance Types
    Business Continuity and Disaster Recovery Planning
        Business Continuity Elements
        Critical Success Factors
        Important SLA Components
    Cost-Benefit Analysis
    Certification Against Criteria
        System and Subsystem Product Certification
    Summary
    Review Questions

Domain 2: Cloud Data Security
    Introduction
    The Cloud Data Lifecycle Phases
    Location and Access of Data
        Location
        Access
    Functions, Actors, and Controls of the Data
        Key Data Functions
        Controls
        Process Overview
        Tying It Together
    Cloud Services, Products, and Solutions
    Data Storage
        IaaS
        PaaS
        SaaS
        Threats to Storage Types
        Technologies Available to Address Threats
    Relevant Data Security Technologies
        Data Dispersion in Cloud Storage
        DLP
        Encryption
        Masking, Obfuscation, Anonymization, and Tokenization
    Application of Security Strategy Technologies
    Emerging Technologies
        Bit Splitting
        Homomorphic Encryption
    Data Discovery
        Data Discovery Approaches
        Different Data Discovery Techniques
        Data Discovery Issues
        Challenges with Data Discovery in the Cloud
    Data Classification
        Data Classification Categories
        Challenges with Cloud Data
    Data Privacy Acts
        Global P&DP Laws in the United States
        Global P&DP Laws in the European Union
        Global P&DP Laws in APEC
        Differences Between Jurisdiction and Applicable Law
        Essential Requirements in P&DP
        Typical Meanings for Common Privacy Terms
        Privacy Roles for Customers and Service Providers
        Responsibility Depending on the Type of Cloud Services
        Implementation of Data Discovery
        Classification of Discovered Sensitive Data
        Mapping and Definition of Controls
        Privacy Level Agreement
        PLA Versus Essential P&DP Requirements Activity
    Application of Defined Controls for PII
        Cloud Security Alliance Cloud Controls Matrix
        Management Control for Privacy and Data-Protection Measures
    Data Rights Management Objectives
        IRM Cloud Challenges
        IRM Solutions
    Data-Protection Policies
        Data-Retention Policies
        Data-Deletion Procedures and Mechanisms
        Data-Archiving Procedures and Mechanisms
    Events
        Event Sources
        Identifying Event Attribute Requirements
        Storage and Analysis of Data Events
        SIEM
    Supporting Continuous Operations
    Chain of Custody and Nonrepudiation
    Summary
    Review Questions

Domain 3: Cloud Platform and Infrastructure Security 155
    Introduction
    The Physical Environment of the Cloud Infrastructure
        Data Center Design
    Network and Communications in the Cloud
        Network Functionality
        Software-Defined Networking
    The Compute Parameters of a Cloud Server
        Virtualization
        Scalability
        The
    Storage Issues in the Cloud
        Object Storage
    Management Plane
    Management of Cloud Computing Risks
        Risk Assessment and Analysis
        Cloud Attack Vectors
    Countermeasure Strategies Across the Cloud
        Continuous Uptime
        Automation of Controls
        Access Controls
    Physical and Environmental Protections
        Key Regulations
        Examples of Controls
        Protecting Data Center Facilities
    System and Communication Protections
        Automation of Configuration
        Responsibilities of Protecting the Cloud System
        Following the Data Lifecycle
    Virtualization Systems Controls
    Managing Identification, Authentication, and Authorization in the Cloud Infrastructure
        Managing Identification
        Managing Authentication
        Managing Authorization
        Accounting for Resources
        Managing Identity and Access Management
        Making Access Decisions
        The Entitlement Process
        The Access Control Decision-Making Process
    Risk Audit Mechanisms
        The Cloud Security Alliance Cloud Controls Matrix
        Cloud Computing Audit Characteristics
        Using a VM
    Understanding the Cloud Environment Related to BCDR
        On-Premises, Cloud as BCDR
        Cloud Service Consumer, Primary Provider BCDR
        Cloud Service Consumer, Alternative Provider BCDR
        BCDR Planning Factors
        Relevant Cloud Infrastructure Characteristics
    Understanding the Business Requirements Related to BCDR
    Understanding the BCDR Risks
        BCDR Risks Requiring Protection
        BCDR Strategy Risks
        Potential Concerns About the BCDR
    BCDR Strategies
        Location
        Data Replication
        Functionality Replication
        Planning, Preparing, and Provisioning
        Failover Capability
        Returning to Normal
    Creating the BCDR Plan
        The Scope of the BCDR Plan
        Gathering Requirements and Context
        Analysis of the Plan
        Risk Assessment
        Plan Design
        Other Plan Considerations
        Planning, Exercising, Assessing, and Maintaining the Plan
        Test Plan Review
        Testing and Acceptance to Production
    Summary
    Review Questions

Domain 4: Cloud Application Security 205
    Introduction
    Determining Data Sensitivity and Importance
    Understanding the API Formats
    Common Pitfalls of Cloud Security Application Deployment
        On-Premises Does Not Always Transfer (and Vice Versa)
        Not All Apps Are Cloud Ready
        Lack of Training and Awareness
        Lack of Documentation and Guidelines
        Complexities of Integration
        Overarching Challenges
    Awareness of Encryption Dependencies
    Understanding the Software Development Lifecycle Process for a Cloud Environment
        Secure Operations Phase
        Disposal Phase
    Assessing Common Vulnerabilities
    Cloud-Specific Risks
    Threat Modeling
        STRIDE Threat Model
        Approved Application Programming
    Software Supply Chain (API) Management
        Securing Open Source Software
    Identity and Access Management
        Identity Management
        Access Management
        Identity Repository and Directory Services
    Federated Identity Management
        Federation Standards
        Federated Identity Providers
        Federated SSO
    Multifactor Authentication
    Supplemental Security Devices
    Cryptography
    Tokenization
    Data Masking
    Sandboxing
    Application Virtualization
    Cloud-Based Functional Data
    Cloud-Secure Development Lifecycle
    ISO/IEC 27034-1
        Organizational Normative Framework
        Application Normative Framework
        Application Security Management Process
    Application Security Testing
        Static Application Security Testing
        Dynamic Application Security Testing
        Runtime Application Self-Protection
        Vulnerability Assessments and Penetration Testing
        Secure Code Reviews
        OWASP Recommendations
    Summary
    Review Questions

Domain 5: Operations 241
    Introduction 243
    Modern Data Centers and Cloud Service Offerings 243
    Factors That Affect Data Center Design 243
        Logical Design 244
        Physical Design 246
        Environmental Design Considerations 249
        Multivendor Pathway Connectivity
    Implementing Physical Infrastructure for Cloud Environments
    Enterprise Operations
    Secure Configuration of Hardware: Specific Requirements
        Best Practices for Servers
        Best Practices for Storage Controllers
        Network Controllers Best Practices
        Virtual Switches Best Practices
    Installation and Configuration of Virtualization Management Tools for the Host
        Leading Practices
        Running a Physical Infrastructure for Cloud Environments
        Configuring Access Control and Secure Kernel-Based Virtual Machine
    Securing the Network Configuration
        Network Isolation
        Protecting VLANs
        Using TLS
        Using DNS
        Using IPSec
    Identifying and Understanding Server Threats
    Using Standalone Hosts
    Using Clustered Hosts
        Resource Sharing
        Distributed Resource Scheduling/Compute Resource Scheduling
    Accounting for Dynamic Operation
    Using Storage Clusters
        Clustered Storage Architectures
        Storage Cluster Goals
    Using Maintenance Mode
    Providing HA on the Cloud
    Measuring System Availability
    Achieving HA
    The Physical Infrastructure for Cloud Environments
    Configuring Access Control for Remote Access
    Performing Patch Management
        The Patch Management Process
        Examples of Automation
        Challenges of Patch Management
    Performance Monitoring
        Outsourcing Monitoring
        Hardware Monitoring
        Redundant System Architecture
        Monitoring
    Backing Up and Restoring the Host Configuration
    Implementing Network Security Controls: Defense in Depth
        Firewalls
        Layered Security
        Utilizing Honeypots
        Conducting Vulnerability Assessments
    Log Capture and Log Management
    Using Security Information and Event Management
    Developing a Management Plan
        Maintenance
        Orchestration
    Building a Logical Infrastructure for Cloud Environments
        Logical Design
        Physical Design
        Secure Configuration of Hardware-Specific Requirements
    Running a Logical Infrastructure for Cloud Environments
        Building a Secure Network Configuration
        OS Hardening via Application Baseline
        Availability of a Guest OS
    Managing the Logical Infrastructure for Cloud Environments
        Access Control for Remote Access
        OS Baseline Compliance Monitoring and Remediation
        Backing Up and Restoring the Guest OS Configuration
        Implementation of Network Security Controls
        Log Capture and Analysis
        Management Plan Implementation Through the Management Plane
    Ensuring Compliance with Regulations and Controls
    Using an ITSM Solution
    Considerations for Shadow IT
    Operations Management
        Information Security Management
        Configuration Management
        Change Management
        Incident Management
        Problem Management
        Release and Deployment Management
        Service-Level Management
        Availability Management
        Capacity Management
        Business Continuity Management
        Continual Service Improvement Management
        How Management Processes Relate to Each Other
        Incorporating Management
    Managing Risk in Logical and Physical Infrastructures
        The Risk-Management Process Overview
        Framing Risk
        Risk Assessment
        Risk Response
        Risk Monitoring
    Understanding the Collection and Preservation of Digital Evidence
        Cloud Forensics Challenges
        Data Access Within Service Models
        Forensics Readiness
        Proper Methodologies for Forensic Collection of Data
        The Chain of Custody
        Evidence Management
    Managing Communications with Relevant Parties
        The Five Ws and One H
        Communicating with Vendors and Partners
        Communicating with Customers
        Communicating with Regulators
        Communicating with Other Stakeholders
    Wrap-Up: Data Breach Example
    Summary
    Review Questions

Domain 6: Legal and Compliance 363
    Introduction
    International Legislation Conflicts
    Legislative Concepts
    Frameworks and Guidelines Relevant to Cloud Computing
        ISO/IEC 27017:2015 Information Technology—Security Techniques—Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services
        Organization for Economic Cooperation and Development—Privacy and Security Guidelines
        Asia-Pacific Economic Cooperation Privacy Framework
        EU Data Protection Directive
        General Data Protection Regulation
        ePrivacy Directive
        Beyond Frameworks and Guidelines
    Common Legal Requirements
    Legal Controls and Cloud Service
    e-Discovery
        e-Discovery Challenges
        Considerations and Responsibilities of e-Discovery
        Reducing Risk
        Conducting e-Discovery Investigations
    Cloud Forensics and ISO/IEC 27050-1
    Protecting Personal Information in the Cloud
        Differentiating Between Contractual and Regulated PII
        Country-Specific Legislation and Regulations Related to PII, Data Privacy, and Data Protection
    Auditing in the Cloud
        Internal and External Audits
        Types of Audit Reports
        Impact of Requirement Programs by the Use of Cloud Services
        Assuring Challenges of the Cloud and Virtualization
        Information Gathering
        Audit Scope
        Cloud-Auditing Goals
        Audit Planning
    Standard Privacy Requirements (ISO/IEC 27018)
    GAPP
    Internal ISMS
        The Value of an ISMS
        Internal Information Security Controls System: ISO 27001:2013 Domains
        Repeatability and Standardization
    Implementing Policies
        Organizational Policies
        Functional Policies
        Cloud Computing Policies
        Bridging the Policy Gaps
    Identifying and Involving the Relevant Stakeholders
        Stakeholder Identification Challenges
        Governance Challenges
        Communication Coordination
    Impact of Distributed IT Models
        Clear Communications
        Coordination and Management of Activities
        Governance of Processes and Activities
        Coordination Is Key
        Security Reporting
    Understanding the Implications of the Cloud to Enterprise Risk Management
        Risk Profile
        Risk
        Difference Between the Data Owner and Controller and the Data Custodian and Processor
        SLA Risk Mitigation
    Risk-Management Metrics
    Different Risk Frameworks
    Understanding Outsourcing and Contract Design
        Business Requirements
    Vendor Management
        Understanding Your Risk Exposure
        Accountability of Compliance
        Common Criteria Assurance Framework
        CSA STAR
    Cloud Computing Certification
    Contract Management
        Importance of Identifying Challenges Early
        Key Contract Components
    Supply Chain Management
        Supply Chain Risk
        CSA CCM
        The ISO 28000:2007 Supply Chain Standard
    Summary
    Review Questions

Appendix A: Answers to Review Questions 441
    Domain 1: Architectural Concepts and Design Requirements 441
    Domain 2: Cloud Data Security 451
    Domain 3: Cloud Platform and Infrastructure Security 460
    Domain 4: Cloud Application Security 466
    Domain 5: Operations 470
    Domain 6: Legal and Compliance Issues 482
    Notes 488

Appendix B: Glossary 491

Appendix C: Helpful Resources and Links 501

Index 505

Foreword

Every day around the world, organizations are taking steps to leverage cloud infrastructure, software, and services. This is a substantial undertaking that also heightens the complexity of protecting and securing data. As powerful as cloud computing is to organizations, it's essential to have qualified people who understand information security risks and mitigation strategies for the cloud. As the largest not-for-profit membership body of certified information security professionals worldwide, (ISC)2 recognizes the need to identify and validate information security competency in securing cloud services.

To help facilitate the knowledge you need to ensure strong information security in the cloud, I'm pleased to present the Official (ISC)2 Guide to the CCSP CBK. Drawing from a comprehensive, up-to-date global body of knowledge, the CCSP CBK ensures that you have the right information security knowledge and skills to be successful and prepares you to achieve the Certified Cloud Security Professional (CCSP) credential.

(ISC)2 is proud to collaborate with the Cloud Security Alliance (CSA) to build a unique credential that reflects the most current and comprehensive best practices for securing and optimizing cloud computing environments. To attain CCSP certification, candidates must have a minimum of five years' experience in IT, of which three years must be in information security and one year in cloud computing. All CCSP candidates must be able to demonstrate capabilities found in each of the six Common Body of Knowledge (CBK) domains:

- Architectural Concepts and Design Requirements
- Cloud Data Security
- Cloud Platform and Infrastructure Security
- Cloud Application Security
- Operations
- Legal and Compliance

The CCSP credential represents advanced knowledge and competency in cloud security design, implementation, architecture, operations, controls, and immediate and long-term responses.

Cloud computing has emerged as a critical area within IT that requires further security considerations. According to the 2015 (ISC)2 Global Information Security Workforce Study, cloud computing is identified as the top area for information security, with a growing demand for education and training within the next three years. In correlation to the demand for education and training, 73 percent of more than 13,000 survey respondents believe that cloud computing will require information security professionals to develop new skills.

If you are ready to take control of the cloud, The Official (ISC)2 Guide to the CCSP CBK prepares you to securely implement and manage cloud services within your organization's information technology (IT) strategy and governance requirements. CCSP credential holders will achieve the highest standard for cloud security expertise—managing the power of cloud computing while keeping sensitive data secure.

The recognized leader in the field of information security education and certification, (ISC)2 promotes the development of information security professionals throughout the world. As a CCSP with all the benefits of (ISC)2 membership, you would join a global network of more than 110,000 certified professionals who are working to inspire a safe and secure cyber world.

Qualified people are the key to cloud security. This is your opportunity to gain the knowledge and skills you need to protect and secure data in the cloud.

Regards,
David P. Shearer
CEO
(ISC)2

Introduction

There are two main requirements that must be met to achieve the status of Certified Cloud Security Professional (CCSP); one must take and pass the certification exam and be able to demonstrate a minimum of five years of cumulative paid full-time information technology experience, of which three years must be in information security and one year must be in one of the six domains of the CCSP examination. A firm understanding of what the six domains of the CCSP Common Body of Knowledge (CBK) are and how they relate to the landscape of business is a vital element in successfully being able to meet both requirements and claim the CCSP credential. The mapping of the six domains of the CCSP CBK to the job responsibilities of the information security professional in today's world can take many paths based on a variety of factors, such as industry vertical, regulatory oversight and compliance, geography, and public versus private versus military as the overarching framework for employment in the first place. In addition, considerations such as cultural practices and differences in language and meaning can play a substantive role in the interpretation of what aspects of the CBK will mean and how they will be implemented in any given workplace.

It is not the purpose of this book to attempt to address all these issues or provide a definitive prescription as to "the" path forward in all areas. Rather, it is to provide the official guide to the CCSP CBK and, in so doing, to lay out the information necessary to understand what the CBK is and how it is used to build the foundation for the CCSP and its role in business today. Being able to map the CCSP CBK to your knowledge, experience, and understanding is the way that you will be able to translate the CBK into actionable and tangible elements for both the business and its users that you represent.

1. The Architectural Concepts and Design Requirements domain focuses on the building blocks of cloud-based systems. The CCSP needs an understanding of cloud computing concepts such as definitions based on the ISO/IEC 17788 standard; roles like the cloud service customer, provider, and partner; characteristics such as multitenancy, measured services, and rapid elasticity and scalability; and building block technologies of the cloud such as virtualization, storage, and networking. The cloud reference architecture will need to be described and understood, focusing on areas such as cloud computing activities (as described in ISO/IEC 17789), clause 9, cloud service capabilities, categories, deployment models, and the cross-cutting aspects of cloud platform architecture and design, such as interoperability, portability, governance, service levels, and performance. In addition, the CCSP should have a clear understanding of the relevant security and design principles for cloud computing, such as cryptography, access control, virtualization security, functional security requirements like vendor lock-in and interoperability, what a secure data life cycle is for cloud-based data, and how to carry out a cost-benefit analysis of cloud-based systems. The ability to identify what a trusted cloud service is and what role certification against criteria plays in that identification—using standards such as the Common Criteria and FIPS 140-2—are further areas of focus for this domain.

2. The Cloud Data Security domain contains the concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems (OSs), equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity, and availability. The CCSP needs to understand and implement data discovery and classification technologies pertinent to cloud platforms, as well as be able to design and implement relevant jurisdictional data protections for personally identifiable information (PII), such as data privacy acts and the ability to map and define controls within the cloud. Designing and implementing digital rights management (DRM) solutions with the appropriate tools and planning for the implementation of data retention, deletion, and archiving policies are activities that a CCSP will need to understand how to undertake.

3. The Cloud Platform and Infrastructure Security domain covers knowledge of the cloud infrastructure components—both the physical and virtual—existing threats, and mitigating and developing plans to deal with those threats. Risk management is the identification, measurement, and control of loss associated with adverse events. It includes overall security review, risk analysis, selection and evaluation of safeguards, cost-benefit analysis, management decisions, safeguard implementation, and effectiveness review. The CCSP is expected to understand risk management, including risk analysis, threats and vulnerabilities, asset identification, and risk management tools and techniques. In addition, the candidate needs to understand how to design and plan for the use of security controls such as audit mechanisms, physical and environmental protection, and the management of identification, authentication, and authorization solutions within the cloud infrastructures she manages. Business continuity planning (BCP) facilitates the rapid recovery of business operations to reduce the overall impact of the disaster by ensuring continuity of the critical business functions. Disaster recovery planning includes procedures for emergency response, extended backup operations, and postdisaster recovery when the computer installation suffers loss of computer resources and physical facilities. The CCSP is expected to understand how to prepare a business continuity or disaster recovery plan (DRP), techniques and concepts, identification of critical data and systems, and the recovery of lost data within cloud infrastructures.

4. The Cloud Application Security domain focuses on issues to ensure that the need for training and awareness in application security, the processes involved with cloud software assurance and validation, and the use of verified secure software are understood. The domain refers to the controls that are included within systems and applications software and the steps used in their development (such as software development lifecycle). The CCSP should fully understand the security and controls of the develop
