Adam Gordon
The Official (ISC)2 Guide to the CCSP CBK
Offered for € 13.29
- Hardcover
Globally recognized and backed by the Cloud Security Alliance (CSA) and (ISC)², the CCSP credential is the ideal way to match marketability and credibility to your cloud security skill set. The Official (ISC)² Guide to the CCSP CBK, Second Edition, is your ticket to expert insight through the 6 CCSP domains. You will find step-by-step guidance through real-life scenarios, illustrated examples, tables, best practices, and more. This Second Edition features clearer diagrams as well as refined explanations based on extensive expert feedback. Sample questions help you reinforce what you have learned and prepare smarter. Numerous illustrated examples and tables are included to demonstrate concepts, frameworks, and real-life scenarios. The book offers step-by-step guidance through each of CCSP's domains, including best practices and techniques used by the world's most experienced practitioners. Developed by (ISC)², endorsed by the Cloud Security Alliance (CSA), and compiled and reviewed by cloud security experts across the world, this book brings together a global, thorough perspective. The Official (ISC)² Guide to the CCSP CBK should be used as your fundamental study tool in preparation for the CCSP exam and provides a comprehensive reference that will serve you for years to come.
Product details
- Publisher: Sybex / Wiley & Sons
- Publisher's item no.: 1W119276720
- 2nd edition
- Page count: 544
- English
- Dimensions: 238mm x 194mm x 28mm
- Weight: 1059g
- ISBN-13: 9781119276722
- ISBN-10: 1119276721
- Item no.: 44558710
- Foreword xvii
- Introduction xix
DOMAIN 1: ARCHITECTURAL CONCEPTS AND DESIGN REQUIREMENTS 1
- Introduction 3
- Drivers for Cloud Computing 4
- Security, Risks, and Benefits 5
- Cloud Computing Definitions 7
- Cloud Computing Roles 12
- Key Cloud Computing Characteristics 12
- Cloud Transition Scenario 14
- Building Blocks 16
- Cloud Computing Functions 16
- Cloud Service Categories 18
- IaaS 18
- PaaS 19
- SaaS 21
- Cloud Deployment Models 23
- The Public Cloud Model 23
- The Private Cloud Model 23
- The Hybrid Cloud Model 24
- The Community Cloud Model 25
- Cloud Cross-Cutting Aspects 25
- Architecture Overview 25
- Key Principles of an Enterprise Architecture 27
- The NIST Cloud Technology Roadmap 28
- Network Security and Perimeter 32
- Cryptography 33
- Encryption 33
- Key Management 35
- IAM and Access Control 37
- Provisioning and Deprovisioning 37
- Centralized Directory Services 38
- Privileged User Management 38
- Authorization and Access Management 39
- Data and Media Sanitization 40
- Vendor Lock-In 40
- Cryptographic Erasure 41
- Data Overwriting 41
- Virtualization Security 42
- The Hypervisor 42
- Security Types 43
- Common Threats 43
- Data Breaches 43
- Data Loss 44
- Account or Service Traffic Hijacking 45
- Insecure Interfaces and APIs 45
- Denial of Service 46
- Malicious Insiders 46
- Abuse of Cloud Services 46
- Insufficient Due Diligence 47
- Shared Technology Vulnerabilities 47
- Security Considerations for Different Cloud Categories 48
- IaaS Security 48
- PaaS Security 50
- SaaS Security 52
- Open Web Application Security Project Top Ten Security Threats 54
- Cloud Secure Data Lifecycle 55
- Information and Data Governance Types 56
- Business Continuity and Disaster Recovery Planning 57
- Business Continuity Elements 57
- Critical Success Factors 58
- Important SLA Components 59
- Cost-Benefit Analysis 60
- Certification Against Criteria 62
- System and Subsystem Product Certification 69
- Summary 72
- Review Questions 73
- Notes 77
DOMAIN 2: CLOUD DATA SECURITY 79
- Introduction 81
- The Cloud Data Lifecycle Phases 82
- Location and Access of Data 83
- Location 83
- Access 84
- Functions, Actors, and Controls of the Data 84
- Key Data Functions 85
- Controls 85
- Process Overview 86
- Tying It Together 86
- Cloud Services, Products, and Solutions 87
- Data Storage 87
- IaaS 87
- PaaS 88
- SaaS 89
- Threats to Storage Types 90
- Technologies Available to Address Threats 91
- Relevant Data Security Technologies 91
- Data Dispersion in Cloud Storage 92
- DLP 92
- Encryption 95
- Masking, Obfuscation, Anonymization, and Tokenization 102
- Application of Security Strategy Technologies 105
- Emerging Technologies 106
- Bit Splitting 106
- Homomorphic Encryption 107
- Data Discovery 108
- Data Discovery Approaches 108
- Different Data Discovery Techniques 109
- Data Discovery Issues 110
- Challenges with Data Discovery in the Cloud 111
- Data Classification 112
- Data Classification Categories 112
- Challenges with Cloud Data 113
- Data Privacy Acts 113
- Global P&DP Laws in the United States 114
- Global P&DP Laws in the European Union 115
- Global P&DP Laws in APEC 115
- Differences Between Jurisdiction and Applicable Law 115
- Essential Requirements in P&DP Laws 116
- Typical Meanings for Common Privacy Terms 116
- Privacy Roles for Customers and Service Providers 117
- Responsibility Depending on the Type of Cloud Services 118
- Implementation of Data Discovery 119
- Classification of Discovered Sensitive Data 120
- Mapping and Definition of Controls 123
- Privacy Level Agreement 124
- PLA Versus Essential P&DP Requirements Activity 124
- Application of Defined Controls for PII 128
- Cloud Security Alliance Cloud Controls Matrix 129
- Management Control for Privacy and Data-Protection Measures 133
- Data Rights Management Objectives 134
- IRM Cloud Challenges 134
- IRM Solutions 135
- Data-Protection Policies 136
- Data-Retention Policies 137
- Data-Deletion Procedures and Mechanisms 138
- Data-Archiving Procedures and Mechanisms 139
- Events 140
- Event Sources 140
- Identifying Event Attribute Requirements 142
- Storage and Analysis of Data Events 144
- SIEM 145
- Supporting Continuous Operations 146
- Chain of Custody and Nonrepudiation 147
- Summary 148
- Review Questions 149
- Notes 152
DOMAIN 3: CLOUD PLATFORM AND INFRASTRUCTURE SECURITY 155
- Introduction 157
- The Physical Environment of the Cloud Infrastructure 157
- Data Center Design 158
- Network and Communications in the Cloud 159
- Network Functionality 159
- Software-Defined Networking 160
- The Compute Parameters of a Cloud Server 161
- Virtualization 161
- Scalability 162
- The Hypervisor 162
- Storage Issues in the Cloud 163
- Object Storage 164
- Management Plane 164
- Management of Cloud Computing Risks 166
- Risk Assessment and Analysis 166
- Cloud Attack Vectors 170
- Countermeasure Strategies Across the Cloud 170
- Continuous Uptime 171
- Automation of Controls 171
- Access Controls 171
- Physical and Environmental Protections 172
- Key Regulations 173
- Examples of Controls 173
- Protecting Data Center Facilities 173
- System and Communication Protections 173
- Automation of Configuration 174
- Responsibilities of Protecting the Cloud System 174
- Following the Data Lifecycle 175
- Virtualization Systems Controls 176
- Managing Identification, Authentication, and Authorization in the Cloud Infrastructure 178
- Managing Identification 178
- Managing Authentication 179
- Managing Authorization 179
- Accounting for Resources 179
- Managing Identity and Access Management 179
- Making Access Decisions 179
- The Entitlement Process 180
- The Access Control Decision-Making Process 180
- Risk Audit Mechanisms 181
- The Cloud Security Alliance Cloud Controls Matrix 182
- Cloud Computing Audit Characteristics 182
- Using a VM 183
- Understanding the Cloud Environment Related to BCDR 183
- On-Premises, Cloud as BCDR 184
- Cloud Service Consumer, Primary Provider BCDR 184
- Cloud Service Consumer, Alternative Provider BCDR 185
- BCDR Planning Factors 185
- Relevant Cloud Infrastructure Characteristics 185
- Understanding the Business Requirements Related to BCDR 186
- Understanding the BCDR Risks 188
- BCDR Risks Requiring Protection 188
- BCDR Strategy Risks 188
- Potential Concerns About the BCDR Scenarios 189
- BCDR Strategies 190
- Location 191
- Data Replication 191
- Functionality Replication 192
- Planning, Preparing, and Provisioning 192
- Failover Capability 192
- Returning to Normal 193
- Creating the BCDR Plan 193
- The Scope of the BCDR Plan 193
- Gathering Requirements and Context 193
- Analysis of the Plan 194
- Risk Assessment 194
- Plan Design 194
- Other Plan Considerations 195
- Planning, Exercising, Assessing, and Maintaining the Plan 195
- Test Plan Review 197
- Testing and Acceptance to Production 201
- Summary 201
- Review Questions 202
- Notes 204
DOMAIN 4: CLOUD APPLICATION SECURITY 205
- Introduction 207
- Determining Data Sensitivity and Importance 208
- Understanding the API Formats 208
- Common Pitfalls of Cloud Security Application Deployment 209
- On-Premises Does Not Always Transfer (and Vice Versa) 210
- Not All Apps Are Cloud Ready 210
- Lack of Training and Awareness 210
- Lack of Documentation and Guidelines 211
- Complexities of Integration 211
- Overarching Challenges 211
- Awareness of Encryption Dependencies 213
- Understanding the Software Development Lifecycle Process for a Cloud Environment 213
- Secure Operations Phase 214
- Disposal Phase 215
- Assessing Common Vulnerabilities 215
- Cloud-Specific Risks 218
- Threat Modeling 220
- STRIDE Threat Model 220
- Approved Application Programming Interfaces 221
- Software Supply Chain (API) Management 221
- Securing Open Source Software 222
- Identity and Access Management 222
- Identity Management 223
- Access Management 223
- Identity Repository and Directory Services 223
- Federated Identity Management 224
- Federation Standards 224
- Federated Identity Providers 225
- Federated SSO 225
- Multifactor Authentication 225
- Supplemental Security Devices 226
- Cryptography 227
- Tokenization 228
- Data Masking 228
- Sandboxing 229
- Application Virtualization 229
- Cloud-Based Functional Data 230
- Cloud-Secure Development Lifecycle 231
- ISO/IEC 27034-1 232
- Organizational Normative Framework 232
- Application Normative Framework 233
- Application Security Management Process 233
- Application Security Testing 234
- Static Application Security Testing 234
- Dynamic Application Security Testing 235
- Runtime Application Self-Protection 235
- Vulnerability Assessments and Penetration Testing 235
- Secure Code Reviews 236
- OWASP Recommendations 236
- Summary 237
- Review Questions 238
- Notes 239
DOMAIN 5: OPERATIONS 241
- Introduction 243
- Modern Data Centers and Cloud Service Offerings 243
- Factors That Affect Data Center Design 243
- Logical Design 244
- Physical Design 246
- Environmental Design Considerations 249
- Multivendor Pathway Connectivity 253
- Implementing Physical Infrastructure for Cloud Environments 253
- Enterprise Operations 254
- Secure Configuration of Hardware: Specific Requirements 255
- Best Practices for Servers 255
- Best Practices for Storage Controllers 256
- Network Controllers Best Practices 258
- Virtual Switches Best Practices 259
- Installation and Configuration of Virtualization Management Tools for the Host 260
- Leading Practices 261
- Running a Physical Infrastructure for Cloud Environments 261
- Configuring Access Control and Secure Kernel-Based Virtual Machine 265
- Securing the Network Configuration 266
- Network Isolation 266
- Protecting VLANs 267
- Using TLS 268
- Using DNS 268
- Using IPSec 269
- Identifying and Understanding Server Threats 270
- Using Standalone Hosts 271
- Using Clustered Hosts 273
- Resource Sharing 273
- Distributed Resource Scheduling/Compute Resource Scheduling 274
- Accounting for Dynamic Operation 274
- Using Storage Clusters 275
- Clustered Storage Architectures 275
- Storage Cluster Goals 276
- Using Maintenance Mode 276
- Providing HA on the Cloud 276
- Measuring System Availability 276
- Achieving HA 277
- The Physical Infrastructure for Cloud Environments 278
- Configuring Access Control for Remote Access 279
- Performing Patch Management 281
- The Patch Management Process 282
- Examples of Automation 282
- Challenges of Patch Management 283
- Performance Monitoring 285
- Outsourcing Monitoring 285
- Hardware Monitoring 285
- Redundant System Architecture 286
- Monitoring Functions 286
- Backing Up and Restoring the Host Configuration 287
- Implementing Network Security Controls: Defense in Depth 288
- Firewalls 288
- Layered Security 289
- Utilizing Honeypots 292
- Conducting Vulnerability Assessments 293
- Log Capture and Log Management 293
- Using Security Information and Event Management 295
- Developing a Management Plan 296
- Maintenance 297
- Orchestration 297
- Building a Logical Infrastructure for Cloud Environments 298
- Logical Design 298
- Physical Design 298
- Secure Configuration of Hardware-Specific Requirements 299
- Running a Logical Infrastructure for Cloud Environments 300
- Building a Secure Network Configuration 300
- OS Hardening via Application Baseline 301
- Availability of a Guest OS 303
- Managing the Logical Infrastructure for Cloud Environments 304
- Access Control for Remote Access 304
- OS Baseline Compliance Monitoring and Remediation 305
- Backing Up and Restoring the Guest OS Configuration 305
- Implementation of Network Security Controls 306
- Log Capture and Analysis 306
- Management Plan Implementation Through the Management Plane 307
- Ensuring Compliance with Regulations and Controls 307
- Using an ITSM Solution 308
- Considerations for Shadow IT 308
- Operations Management 309
- Information Security Management 310
- Configuration Management 310
- Change Management 311
- Incident Management 315
- Problem Management 317
- Release and Deployment Management 318
- Service-Level Management 319
- Availability Management 319
- Capacity Management 319
- Business Continuity Management 320
- Continual Service Improvement Management 321
- How Management Processes Relate to Each Other 321
- Incorporating Management Processes 323
- Managing Risk in Logical and Physical Infrastructures 323
- The Risk-Management Process Overview 323
- Framing Risk 324
- Risk Assessment 324
- Risk Response 334
- Risk Monitoring 339
- Understanding the Collection and Preservation of Digital Evidence 340
- Cloud Forensics Challenges 341
- Data Access Within Service Models 342
- Forensics Readiness 343
- Proper Methodologies for Forensic Collection of Data 343
- The Chain of Custody 349
- Evidence Management 350
- Managing Communications with Relevant Parties 350
- The Five Ws and One H 351
- Communicating with Vendors and Partners 351
- Communicating with Customers 353
- Communicating with Regulators 353
- Communicating with Other Stakeholders 354
- Wrap-Up: Data Breach Example 354
- Summary 354
- Review Questions 356
- Notes 361
DOMAIN 6: LEGAL AND COMPLIANCE 363
- Introduction 365
- International Legislation Conflicts 365
- Legislative Concepts 366
- Frameworks and Guidelines Relevant to Cloud Computing 368
- ISO/IEC 27017:2015 Information Technology--Security Techniques--Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services 368
- Organization for Economic Cooperation and Development--Privacy and Security Guidelines 369
- Asia-Pacific Economic Cooperation Privacy Framework 369
- EU Data Protection Directive 370
- General Data Protection Regulation 372
- ePrivacy Directive 372
- Beyond Frameworks and Guidelines 372
- Common Legal Requirements 373
- Legal Controls and Cloud Service Providers 374
- e-Discovery 375
- e-Discovery Challenges 375
- Considerations and Responsibilities of e-Discovery 376
- Reducing Risk 376
- Conducting e-Discovery Investigations 377
- Cloud Forensics and ISO/IEC 27050-1 377
- Protecting Personal Information in the Cloud 378
- Differentiating Between Contractual and Regulated PII 379
- Country-Specific Legislation and Regulations Related to PII, Data Privacy, and Data Protection 383
- Auditing in the Cloud 392
- Internal and External Audits 392
- Types of Audit Reports 393
- Impact of Requirement Programs by the Use of Cloud Services 396
- Assuring Challenges of the Cloud and Virtualization 396
- Information Gathering 397
- Audit Scope 398
- Cloud-Auditing Goals 401
- Audit Planning 401
- Standard Privacy Requirements (ISO/IEC 27018) 403
- GAPP 404
- Internal ISMS 405
- The Value of an ISMS 405
- Internal Information Security Controls System: ISO 27001:2013 Domains 406
- Repeatability and Standardization 406
- Implementing Policies 407
- Organizational Policies 407
- Functional Policies 408
- Cloud Computing Policies 408
- Bridging the Policy Gaps 409
- Identifying and Involving the Relevant Stakeholders 410
- Stakeholder Identification Challenges 410
- Governance Challenges 411
- Communication Coordination 411
- Impact of Distributed IT Models 412
- Clear Communications 412
- Coordination and Management of Activities 413
- Governance of Processes and Activities 413
- Coordination Is Key 414
- Security Reporting 414
- Understanding the Implications of the Cloud to Enterprise Risk Management 415
- Risk Profile 416
- Risk Appetite 416
- Difference Between the Data Owner and Controller and the Data Custodian and Processor 416
- SLA 417
- Risk Mitigation 422
- Risk-Management Metrics 422
- Different Risk Frameworks 423
- Understanding Outsourcing and Contract Design 425
- Business Requirements 425
- Vendor Management 426
- Understanding Your Risk Exposure 426
- Accountability of Compliance 427
- Common Criteria Assurance Framework 427
- CSA STAR 428
- Cloud Computing Certification 429
- Contract Management 431
- Importance of Identifying Challenges Early 431
- Key Contract Components 432
- Supply Chain Management 434
- Supply Chain Risk 434
- CSA CCM 435
- The ISO 28000:2007 Supply Chain Standard 435
- Summary 436
- Review Questions 438
- Notes 439
APPENDIX A: ANSWERS TO REVIEW QUESTIONS 441
- Domain 1: Architectural Concepts and Design Requirements 441
- Domain 2: Cloud Data Security 451
- Domain 3: Cloud Platform and Infrastructure Security 460
- Domain 4: Cloud Application Security 466
- Domain 5: Operations 470
- Domain 6: Legal and Compliance Issues 482
- Notes 488
APPENDIX B: GLOSSARY 491
APPENDIX C: HELPFUL RESOURCES AND LINKS 501
Index 505