ISC2 Certified Cloud Security Professional (CCSP) Exam Guide  
Essential strategies for compliance, governance, and risk management (English Edition)
Author(s): Kim van Lavieren
Published by BPB Publications
ISBN: 9789355517654
Pages: 514

EBOOK (EPUB)

ISBN: 9789355517654 Price: INR 899.00
Description
Cloud security is a rapidly evolving field, demanding professionals with specialized knowledge and expertise. This book equips you with the foundational understanding and practical skills necessary to excel in this critical domain, preparing you to confidently pass the CCSP exam. Discover cloud computing basics, security, and risk management in this book. Learn about data security intricacies, infrastructure protection, and secure configuration. Proactively manage risks with vulnerability assessments, threat mitigation, and incident response. Understand legal and privacy considerations, including international regulations. Dive into identity and access management using tools like SSO and CASBs. Explore cloud application architecture, incorporating security tools like WAFs and API gateways. Get ready for certifications like CCSP with dedicated exam preparation sections. Arm yourself with the knowledge and practical skills cultivated throughout this guide. Confidently navigate the ever-evolving landscape, tackle real-world challenges, and stand out as a CCSP certified professional.
Table of contents
  • Cover
  • Title Page
  • Copyright Page
  • Dedication Page
  • About the Author
  • About the Reviewers
  • Acknowledgement
  • Preface
  • Table of Contents
  • 1. Understanding Cloud Computing Concepts
    • Introduction
    • Structure
    • Objectives
    • Essence of cloud computing
    • Cloud comes in many shapes
    • Operating (in) the cloud
    • Shared responsibility
    • Cloud reference architecture
    • Building block technologies
      • Networking
      • Storage
      • Virtualization
      • Databases
      • Orchestration
    • Impact of cloud computing on other technologies
    • Cloud shared considerations
    • Conclusion
    • Learning goals
  • 2. Concepts and Design Principles of Cloud Security
    • Introduction
    • Structure
    • Objectives
    • Common threats
    • Cloud design patterns
    • Business impact analysis
    • Cloud secure data lifecycle
    • Identity management, access control, and authorization
    • Cryptography and key management
    • Data and media sanitization
    • Network security
      • Regions
      • Availability zones: AZs
      • Access control lists: ACLs
      • Security groups: SGs
      • Private connections
      • Web application firewalls: WAFs
    • Virtualization security
    • Security hygiene
    • DevOps security
    • Conclusion
    • Learning goals
  • 3. Evaluating Cloud Service Providers
    • Introduction
    • Structure
    • Objectives
    • Portability
    • Interoperability
    • Availability
    • Security
    • Privacy
    • Auditability
    • Costs
    • Service level agreements
    • Legal and regulatory compliance
    • Product certifications
      • Common Criteria
      • Federal Information Processing Standards (FIPS 140-2 and 140-3)
    • Conclusion
    • Learning goals
  • 4. Discover, Classify, and Manage Cloud Data
    • Introduction
    • Structure
    • Objectives
    • Data types
    • Data classification
    • Data flows
    • Data mapping
    • Data labeling
    • Policies
    • Data dispersion
    • Data retention and storage
    • Deletion and archival
    • Legal holds
    • Information Rights Management
    • Conclusion
    • Learning goals
  • 5. Cloud Storage Architectures and their Security Technologies
    • Introduction
    • Structure
    • Objectives
    • Storage types
    • Threats to storage types
    • Encryption and key management
      • Symmetric encryption
      • Asymmetric encryption or public key encryption
      • Block and Stream Ciphers
      • Common algorithms
      • Common attacks
      • Key size
    • Hashing
    • Applications of encryption
    • Key, secrets, and certificate management
      • Secure key generation
      • Key, secret, and certificate storage
      • Bring Your Own Key
      • Key Management System
      • Secrets management
      • Certificate Management System
    • Data obfuscation, tokenization, masking, and anonymization
    • Data loss prevention
    • Tiering, CDNs, replication, and backups
    • Sample architecture
    • Conclusion
    • Learning goals
  • 6. Cloud Infrastructure and Components
    • Introduction
    • Structure
    • Objectives
    • Physical environment
    • Network and communications
      • Virtual networks/virtual private clouds
      • Elastic IPs/static public IPs
      • Load balancing
      • Stepping stones
      • Security groups/Access control lists
      • Encryption in transit
      • Zero Trust
      • VNet/VPC peering
      • VPNs
      • Direct connections
      • Web Application Firewall
      • Denial of Service protection
      • API Management
    • Compute and virtualization
      • Serverless
      • Containers
      • Virtual machines
      • Underlying infrastructure
      • Scaling
      • Hypervisor attacks
      • Other compute technologies
    • Storage
      • File storage, object storage, and block storage
      • Data lakes
    • Management Plane
      • Cloud console
      • Command Line Interface
      • APIs
      • Infrastructure as Code
      • Security
    • Conclusion
    • Learning goals
  • 7. Datacenter Security
    • Introduction
    • Structure
    • Objectives
    • Physical design
      • Buy, lease, or build
      • Location
      • Security and safety
      • Intrusion detection
      • Construction materials
      • Regulatory requirements
    • Environmental design
      • Electric
      • Heating, cooling, and ventilation
      • Fire detection and suppression
      • Cabling
      • Multi-vendor pathway connectivity
    • Resilient design
    • Logical design
      • Tenant partitioning
      • Access control and identities
    • Conclusion
    • Learning goals
  • 8. Risk Management in the Cloud
    • Introduction
    • Structure
    • Objectives
    • Risks
    • Risk assessments
    • Risk treatment and mitigation strategies
    • Risk frameworks
    • Metrics for risk management
    • Vendor risk management
    • Cloud vulnerabilities, threats, and attacks
    • Roles in data handling
    • Common laws and regulations
      • Breach notification laws
    • GDPR
    • California Consumer Privacy Act
    • Sarbanes-Oxley
      • Other laws and the exam
    • Conclusion
    • Learning goals
  • 9. Cloud Security Controls
    • Introduction
    • Structure
    • Objectives
    • Physical and environmental protection
    • System, storage, and communication protection
      • Host-based intrusion detection and prevention
      • Data loss prevention and proxying
      • Host-based firewall
      • Anti-virus
      • Vulnerability scanning and secure configuration
      • Baselining and secure configuration
      • Principle of least privilege
      • Infrastructure as code and immutable systems
      • Mobile device management
    • Identity and access management
      • Role-based access control
      • Attribute-based access control
      • Discretionary access control
      • Mandatory access control
      • Access controls
        • Two-factor authentication/multi-factor authentication
      • Separation of duties
      • Two-person control
      • Passphrases and passwords
      • Lockouts
      • Rotation and invalidation
      • Session lifespan
      • Out-of-band management and emergency credentials
      • Mutual certificate authentication
    • Audit mechanisms
      • Logging
      • Monitoring
      • Security incident and event monitoring
      • Security operations center
      • Security orchestration, automation, and response
      • Job rotation and mandatory vacations
    • Conclusion
    • Learning goals
  • 10. Business Continuity and Disaster Recovery
    • Introduction
    • Structure
    • Objectives
    • Business continuity and disaster recovery strategy
      • NIST 800-34: Information system contingency planning process
    • Business requirements
      • RTO, RPO, and recovery service levels
      • Controls
      • Backups
      • Redundancy/fail-over
        • Hot site
        • Warm site
        • Cold site
        • Mutual agreements
        • On-premises and cloud
        • Succession planning
    • Testing of BC/DR plans
      • Actors
      • Testing
      • Walkthrough
      • Table-top
      • Failover/parallel tests
      • Simulation tests
    • Conclusion
    • Learning goals
  • 11. Secure Deployment, Awareness, and Training
    • Introduction
    • Structure
    • Objectives
    • Development methodologies
      • Waterfall
      • Agile
      • Rapid application development
      • DevOps
      • DevSecOps
    • Secure software development life cycle
      • Planning
      • Feasibility or requirements analysis
      • Designing
      • Development
      • Testing
      • Secure operations and maintenance
      • Disposal
      • Secure software development framework
    • Secure coding and development
      • Shift-left
      • Requirements gathering
      • Design
      • Threat modeling
      • STRIDE
      • DREAD
      • ATASM
      • PASTA
      • Threat intelligence
      • Code review
      • Linting
      • Code testing
      • Version control
      • Commit signing
      • Open-Source software and dependencies
      • Software Bill of Materials
      • Configuration and secrets
      • Deployment, building, and CI/CD
      • Separating environments
      • Monitoring and logging
      • OWASP
      • SANS Top 25
      • ASVS
      • Penetration testing
      • SAST and DAST
    • Security awareness and training
      • Awareness versus training
    • Recurrence
      • Positivity
    • Conclusion
    • Learning goals
  • 12. Security Testing and Software Verification
    • Introduction
    • Structure
    • Objectives
    • Functional and non-functional testing
    • Security testing methodologies
      • Abuse case testing
    • Black, gray, and white box penetration testing
      • Static application security testing and dynamic application security testing
      • Software composition analysis
      • Interactive application security testing
    • Quality assurance
    • Supply-chain
      • SOC 2 Type II
      • ISO 27001 certification
    • Third-party and open-source software
    • Conclusion
    • Learning goals
  • 13. Specifics of Cloud Security Architecture
    • Introduction
    • Structure
    • Objectives
    • Web application firewall
    • Database activity monitoring
    • API gateways
    • Virtualization and orchestration
      • Sandboxing
      • Honeypotting
    • Conclusion
    • Learning goals
  • 14. Identity and Access Management
    • Introduction
    • Structure
    • Objectives
    • Identity and access management
    • Identity providers
    • Single sign-on
    • Multi-factor authentication
    • Cloud access security brokers
    • Secrets management
    • Conclusion
    • Learning goals
  • 15. Infrastructure Security
    • Introduction
    • Structure
    • Objectives
    • Infrastructure and multi-tenancy
    • Hardware security module
      • FIPS 140-2 and FIPS 140-3
      • PCI-DSS
    • Trusted Platform Module
    • Hypervisor security
    • Guest OS security
    • Conclusion
    • Learning goals
  • 16. Secure Configuration
    • Introduction
    • Structure
    • Objectives
    • Technology and service hardening
      • Access control technologies
    • OS hardening
      • Updates, patches, and immutable infrastructure
      • Monitoring and logging
      • Host-based security controls
    • Infrastructure as Code
    • Information Technology Infrastructure Library and ISO/IEC 20000
    • Change management
    • Continuity management
    • Information security management
    • Continual service improvement management
    • Incident management
    • Problem management
    • Release management
    • Deployment management
    • Configuration management
    • Service level management
    • Availability management
    • Capacity management
    • Conclusion
    • Learning goals
  • 17. Security Operations
    • Introduction
    • Structure
    • Objectives
    • Security policy and operations
    • Security processes
    • Security operations center
    • Security incident and event monitoring
    • Security orchestration, automation, and response
    • Artificial intelligence
    • Incident management and disclosure
    • Forensics
    • Chain of custody
    • Types of evidence
    • E-Discovery
    • Conclusion
    • Learning goals
  • 18. Legal and Regulatory Requirements in the Cloud
    • Introduction
    • Structure
    • Objectives
    • Conflicting international legislation
    • General Data Protection Regulation
    • California Consumer Privacy Act
    • Payment Card Industry: Data Security Standard
    • Evaluating legal risks in cloud environments
    • Legal frameworks and guidelines
    • Intellectual property
    • E-discovery (ISO/IEC 27050)
    • Forensics
    • Conclusion
    • Learning goals
  • 19. Privacy
    • Introduction
    • Structure
    • Objectives
    • Privacy
    • Contractual versus regulated data
    • Data privacy and jurisdictions
    • Standard privacy requirements
    • Data Breach Notification Laws
    • Safe harbor agreements
    • Conclusion
    • Learning goals
  • 20. Cloud Auditing and Enterprise Risk Management
    • Introduction
    • Structure
    • Objectives
    • Risk appetite
    • Risk management frameworks
    • Metrics for risk management
    • Data roles
    • Audit requirements
    • Internal and external audits
    • Logs and auditability
    • Audit challenges in the cloud
    • Audit scope
    • Stakeholder identification
    • Audit planning
    • Audit execution
    • Audit reports
    • Audit follow-up
    • Audit process summary
    • Systems and Organization Controls
    • Sarbanes-Oxley Act
    • CSA STAR
    • Gap analysis
    • Information security management system
    • Information security controls
    • PCI-DSS
    • HIPAA
    • HITECH
    • NERC/CIP
    • GDPR
    • Legal and regulatory landscape
    • Conclusion
    • Learning goals
  • 21. Contracts and the Cloud
    • Introduction
    • Structure
    • Objectives
    • Service-level agreements
    • Master service agreement
    • Statement of work
    • Vendor management
    • Vendor assessments
    • Vendor lock-in risks
    • Vendor viability
    • Escrow
    • Contract management
    • Right to audit
    • Metrics
    • Definitions
    • Termination
    • Litigation
    • Assurance
    • Compliance
    • Access to cloud data
    • Cyber risk insurance
    • Supply-chain management
    • Conclusion
    • Learning goals
  • 22. Duties of a CCSP
    • Introduction
    • Structure
    • Objectives
    • ISC2 code of ethics
    • How to certify
    • Certification requirements
    • Endorsement
    • Evidence
    • Maintaining certification
    • Local chapters
    • Cloud community
    • Conclusion
    • Learning goals
    • Further reading
  • 23. Exam Tips
    • Introduction
    • Structure
    • Objectives
    • Exam scheduling
    • Testing center
    • Exam contents and requirements
    • Question types
    • Keywords
    • Breaks
    • Conclusion
  • 24. Exam Questions
    • Introduction
    • Structure
    • Quick self-assessment
    • Self-assessment answer key
    • Practice exam
    • Practice exam answer key
  • Index