
Certified cloud security professional official 8412 pdf


DOCUMENT INFORMATION

Structure

  • fmatter

  • ch1

  • ch2

  • ch3

  • ch4

  • ch5

  • ch6

  • ch7

  • ch8

  • ch9

  • ch10

  • ch11

  • app1

  • app2

  • index

Content

CCSP (ISC)2® Certified Cloud Security Professional Official Study Guide

Brian T. O'Hara and Ben Malisow

Credits

  • Development Editor: Kelly Talbot
  • Technical Editors: Tom Updegrove, Jerry K. Rayome, Valerie Nelson, Jordan Pike
  • Production Editor: Rebecca Anderson
  • Copy Editor: Elizabeth Welch
  • Editorial Manager: Mary Beth Wakefield
  • Production Manager: Kathleen Wisor
  • Executive Editor: Jim Minatel
  • Book Designers: Judy Fung and Bill Gibson
  • Proofreader: Josh Chase, Word One New York
  • Indexer: J & J Indexing
  • Project Coordinator, Cover: Brent Savage
  • Cover Designer: Wiley
  • Cover Image: ©Getty Images Inc./Jeremy Woodhouse

Copyright © 2017 by John Wiley & Sons, Inc., Indianapolis, Indiana. Published simultaneously in Canada.

ISBN: 978-1-119-27741-5
ISBN: 978-1-119-27742-2 (ebk.)
ISBN: 978-1-119-27743-9 (ebk.)

Manufactured in the United States of America. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002. Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2017936608

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2 and CCSP are registered trademarks of (ISC)2, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Acknowledgments

The authors would like to thank (ISC)2 for making this work possible, and the sublime publishing and editing team at Sybex, including Jim Minatel, Kelly Talbot, Rebecca Anderson, and Christine O'Connor. This book is dedicated to all the candidates seeking CCSP certification. We hope it helps.

About the Authors

Brian T. O'Hara, CISA, CISM, CCSP, and CISSP, is the Information Security Officer for Do It Best Corp. With over 20 years of experience providing security and audit services, he has served as the information security officer for Fortune 500 companies and has worked in PCI, healthcare, manufacturing, and financial services, providing audit and security advisory services. Prior to entering the field of IS audit, Brian served as program chair for information technology at the largest community college in the country, where he helped develop the first NSA Two-Year Center of Academic Excellence in Information Security. In addition to co-authoring the CISA Study Guide, he has served as a technical editor on books for Wiley, Sybex, and (ISC)2. Brian has been an active member both locally and internationally of the Information Security Systems Association (ISSA) for over 10 years and is an ISSA Fellow. He currently serves as the past president of the Indiana chapter of ISACA and president of the InfraGard Indiana Members Alliance, a public–private partnership with the FBI aimed at protecting the United States' critical infrastructures.

Ben Malisow, CISSP, CISM, CCSP, and Security+, is an instructor for (ISC)2, teaching prep classes for the CISSP and CCSP certifications. He has been in the information technology and information security field for almost 25 years. He wrote the internal IT security policy for DARPA, served as the Information System Security Manager for the FBI's most-classified counterterror intelligence-sharing network, and helped develop the IT security architecture for the Department of Homeland Security's Transportation Security Administration. Ben has taught courses at many schools and universities, including Carnegie Mellon's CERT/SEI, UTSA, the College of Southern Nevada, and grades 6–12 at a school for troubled youths in Las Vegas. He is widely published in the field, having written for SecurityFocus.com, ComputerWorld, and various other publications, as well as several books.

About the Technical Editors

Tom Updegrove, CCSP and EC-Council security trainer, is the CEO of Internetwork Service, an AWS and Microsoft Azure partner. With over 20 years of experience providing technical and security services, he has worked in PCI, healthcare, manufacturing, and financial services, providing security consulting services. In addition to contributing to the CCSP (ISC)2 Study Guide, he has served as a technical editor on security-related books for Wiley and Sybex, as well as presenting the Social Engineering course for ITProTV. He has helped develop the Liberty University MIS lab infrastructure and currently serves as a technical editor for Hakin9 and Pen Testing magazines.

Jerry K. Rayome, BS/MS Computer Science, CISSP, is a member of the Cyber Security Program at Lawrence Livermore National Laboratory. He has over 20 years of experience providing cybersecurity services, including software development, penetration testing, incident response, firewall implementation, firewall auditing, cyber forensic investigations, NIST 800-53 control implementation/assessment, cloud risk assessment, and cloud security auditing.

Contents at a Glance

  • Introduction ... xv
  • Assessment Test ... xxiii
  • Chapter 1: Architectural Concepts
  • Chapter 2: Design Requirements ... 25
  • Chapter 3: Data Classification ... 43
  • Chapter 4: Cloud Data Security ... 67
  • Chapter 5: Security in the Cloud ... 87
  • Chapter 6: Responsibilities in the Cloud ... 115
  • Chapter 7: Cloud Application Security ... 141
  • Chapter 8: Operations Elements ... 181
  • Chapter 9: Operations Management ... 213
  • Chapter 10: Legal and Compliance Part 1 ... 239
  • Chapter 11: Legal and Compliance Part 2 ... 279
  • Appendix A: Answers to the Review Questions ... 309
  • Appendix B: Answers to the Written Labs ... 327
  • Index ... 335

Contents

Introduction ... xv
Assessment Test ... xxiii

Chapter 1: Architectural Concepts
  • Business Requirements
  • Existing State
  • Quantifying Benefits and Opportunity Cost
  • Intended Impact
  • Cloud Evolution, Vernacular, and Definitions
  • New Technology, New Options
  • Cloud Computing Service Models ... 10
  • Cloud Deployment Models ... 11
  • Cloud Computing Roles and Responsibilities ... 13
  • Cloud Computing Definitions ... 13
  • Foundational Concepts of Cloud Computing ... 16
  • Sensitive Data ... 17
  • Virtualization ... 17
  • Encryption ... 17
  • Auditing and Compliance ... 18
  • Cloud Service Provider Contracts ... 18
  • Summary ... 19
  • Exam Essentials ... 19
  • Written Labs ... 19
  • Review Questions ... 20

Chapter 2: Design Requirements ... 25
  • Business Requirements Analysis ... 26
  • Inventory of Assets ... 26
  • Valuation of Assets ... 27
  • Determination of Criticality ... 27
  • Risk Appetite ... 29
  • Boundaries of Cloud Models ... 31
  • IaaS Boundaries ... 31
  • PaaS Boundaries ... 32
  • SaaS Boundaries ... 32
  • Design Principles for Protecting Sensitive Data ... 34
  • Hardening Devices ... 34
  • Encryption ... 35
  • Layered Defenses ... 36
  • Summary ... 37
  • Exam Essentials ... 37
  • Written Labs ... 37
  • Review Questions ... 38

Chapter 3: Data Classification ... 43
  • Data Inventory and Discovery ... 45
  • Data Ownership ... 45
  • The Data Life Cycle ... 46
  • Data Discovery Methods ... 49
  • Jurisdictional Requirements ... 50
  • Data Rights Management ... 51
  • Intellectual Property Protections ... 51
  • DRM Tool Traits ... 55
  • Data Control ... 57
  • Data Retention ... 58
  • Data Audit ... 59
  • Data Destruction/Disposal ... 61
  • Summary ... 62
  • Exam Essentials ... 63
  • Written Labs ... 63
  • Review Questions ... 64

Chapter 4: Cloud Data Security ... 67
  • Cloud Data Life Cycle ... 69
  • Create ... 70
  • Store ... 70
  • Use ... 71
  • Share ... 71
  • Archive ... 72
  • Destroy ... 74
  • Cloud Storage Architectures ... 74
  • Volume Storage: File-Based Storage and Block Storage ... 74
  • Object-Based Storage ... 74
  • Databases ... 75
  • Content Delivery Network (CDN) ... 75
  • Cloud Data Security Foundational Strategies ... 75
  • Encryption ... 75
  • Masking, Obfuscation, Anonymization, and Tokenization ... 77
  • Security Information and Event Management ... 80
  • Egress Monitoring (DLP) ... 81
  • Summary ... 82
  • Exam Essentials ... 82
  • Written Labs ... 83
  • Review Questions ... 84

Chapter 5: Security in the Cloud ... 87
  • Shared Cloud Platform Risks and Responsibilities ... 88
  • Cloud Computing Risks by Deployment and Service Model ... 90
  • Private Cloud ... 91
  • Community Cloud ... 91
  • Public Cloud ... 92
  • Hybrid Cloud ... 97
  • IaaS (Infrastructure as a Service) ... 97
  • PaaS (Platform as a Service) ... 97
  • SaaS (Software as a Service) ... 98
  • Virtualization ... 98
  • Cloud Attack Surface ... 99
  • Threats by Deployment Model ... 100
  • Countermeasure Methodology ... 102
  • Disaster Recovery (DR) and Business Continuity Management (BCM) ... 105
  • Cloud-Specific BIA Concerns ... 105
  • Customer/Provider Shared BC/DR Responsibilities ... 106
  • Summary ... 108
  • Exam Essentials ... 109
  • Written Labs ... 109
  • Review Questions ... 110

Chapter 6: Responsibilities in the Cloud ... 115
  • Foundations of Managed Services ... 118
  • Business Requirements ... 119
  • Business Requirements: The Cloud Provider Perspective ... 119
  • Shared Responsibilities by Service Type ... 125
  • IaaS ... 125
  • PaaS ... 125
  • SaaS ... 125
  • Shared Administration of OS, Middleware, or Applications ... 126
  • Operating System Baseline Configuration and Management ... 126
  • Shared Responsibilities: Data Access ... 128
  • Customer Directly Administers Access ... 128
  • Provider Administers Access on Behalf of the Customer ... 129
  • Third-Party (CASB) Administers Access on Behalf of the Customer ... 129
  • Lack of Physical Access ... 131
  • Audits ... 131
  • Shared Policy ... 134
  • Shared Monitoring and Testing ... 134
  • Summary ... 135
  • Exam Essentials ... 135
  • Written Labs ... 136
  • Review Questions ... 137

Chapter 7: Cloud Application Security ... 141
  • Training and Awareness ... 143
  • Common Cloud Application Deployment Pitfalls ... 146
  • Cloud-Secure Software Development Life Cycle (SDLC) ... 148
  • ISO/IEC 27034-1 Standards for Secure Application Development ... 150
  • Identity and Access Management (IAM) ... 151
  • Identity Repositories and Directory Services ... 153
  • Single Sign-On (SSO) ... 153
  • Federated Identity Management ... 153
  • Federation Standards ... 154
  • Multifactor Authentication ... 155
  • Supplemental Security Devices ... 155
  • Cloud Application Architecture ... 157
  • Application Programming Interfaces ... 157
  • Tenancy Separation ... 159
  • Cryptography ... 159
  • Sandboxing ... 162
  • Application Virtualization ... 162
  • Cloud Application Assurance and Validation ... 162
  • Threat Modeling ... 163
  • Quality of Service ... 166
  • Software Security Testing ... 166
  • Approved APIs ... 171
  • Software Supply Chain (API) Management ... 171
  • Securing Open Source Software ... 172
  • Runtime Application Self-Protection (RASP) ... 173
  • Secure Code Reviews ... 173
  • OWASP Top Coding Flaws ... 173
  • Summary ... 174
  • Exam Essentials ... 174
  • Written Labs ... 175
  • Review Questions ... 176

Chapter 8: Operations Elements ... 181
  • Physical/Logical Operations ... 183
  • Facilities and Redundancy ... 184
  • Virtualization Operations ... 194
  • Storage Operations ... 195
  • Physical and Logical Isolation ... 197
  • Security Training and Awareness ... 198
  • Training Program Categories ... 199
  • Additional Training Insights ... 203
  • Basic Operational Application Security ... 203
  • Threat Modeling ... 204
  • Application Testing Methods ... 205
  • Summary ... 206
  • Exam Essentials ... 206
  • Written Labs ... 207
  • Review Questions ... 208

Chapter 9: Operations Management ... 213
  • Monitoring, Capacity, and Maintenance ... 215
  • Monitoring ... 215
  • Maintenance ... 217
  • Change and Configuration Management (CM) ... 221
  • Baselines ... 221
  • Deviations and Exceptions ... 222
  • Roles and Process ... 223
  • Business Continuity and Disaster Recovery (BC/DR) ... 225
  • Primary Focus ... 226
  • Continuity of Operations ... 227
  • The BC/DR Plan ... 227
  • The BC/DR Kit ... 229
  • Relocation ... 230
  • Power ... 231
  • Testing ... 232
  • Summary ... 233
  • Exam Essentials ... 233
  • Written Labs ... 234
  • Review Questions ... 235

Chapter 10: Legal and Compliance Part 1 ... 239
  • Legal Requirements and Unique Risks in the Cloud Environment ... 241
  • Legal Concepts ... 241
  • U.S. Laws ... 247
  • International Laws ... 252
  • Laws, Frameworks, and Standards Around the World ... 252
  • The Difference Between Laws, Regulations and Standards ... 261
  ...

Excerpt from the Introduction:

... cloud security professionals. The CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide offers the cloud professional a solid foundation for taking and passing the Certified Cloud ...

Posted: 21/03/2019, 09:39
