
The Official (ISC)2 Guide to the CCSP CBK

Hardback, English language – 24 Jun 2016
  • Produced by (ISC)2, the trusted source of industry expertise for cyber, information, software and infrastructure security
  • The definitive "common" body of knowledge used by candidates for the Certified Cloud Security Professional (CCSP) credential

"Securing and optimizing cloud computing environments requires a unique set of skills. Use the Official (ISC)2 Guide to the CCSP CBK as your go-to resource for acquiring the knowledge you'll need to implement strong information security programs in cloud computing."
David Shearer, Chief Executive Officer, (ISC)2
As powerful as cloud computing is for the organization, understanding its information security risks and mitigation strategies is critical. Securing 'the cloud' requires modified approaches and tools; legacy practices are inadequate. Clearly, it is essential for organizations to utilize information technology professionals who understand how cloud services can be securely implemented and managed within their organization's IT strategy and governance requirements.
The new Official (ISC)2 Guide to the CCSP CBK, Second Edition is a comprehensive resource providing an in-depth look at the six domains of the CCSP Common Body of Knowledge (CBK). This edition provides a current, detailed guide that is considered one of the best tools for candidates striving to become a CCSP. This second edition features clearer diagrams as well as refined explanations based on extensive expert feedback.
Numerous illustrated examples and tables are included to demonstrate concepts, frameworks and real-life scenarios. The book offers step-by-step guidance through each of CCSP's domains, including best practices and techniques used by the world's most experienced practitioners. Developed by (ISC)2, endorsed by the Cloud Security Alliance (CSA), and compiled and reviewed by cloud security experts across the world, this book brings together a global, thorough perspective. The Official (ISC)2 Guide to the CCSP CBK, Second Edition should be utilized as your fundamental study tool in preparation for the CCSP exam and provides a comprehensive reference that will serve you for years to come.


Price: 32330 lei

Old price: 40412 lei
-20%

Express Points: 485

Estimated price in other currencies:
6508 7313$ 5840£

In stock

Economy delivery 01-05 August
Express delivery 25-27 July for 6164 lei

Order line: 021 569.72.76

Specifications

ISBN-13: 9781119276722
ISBN-10: 1119276721
Pages: 544
Dimensions: 192 x 241 x 31 mm
Weight: 1.04 kg
Edition: 2nd Edition
Publisher: Sybex
Place of publication: Hoboken, United States

Target audience

CCSP is a certification for those whose day-to-day responsibilities involve procuring, securing and managing cloud environments or purchased cloud services. It is ideal for those working in or towards positions such as Enterprise Architect, Security Administrator, Systems Engineer, Security Architect, Security Consultant, Security Engineer, Security Manager and Systems Architect.



Contents

Foreword xvii

Introduction xix
DOMAIN 1: ARCHITECTURAL CONCEPTS AND DESIGN REQUIREMENTS 1
Introduction 3
Drivers for Cloud Computing 4
Security, Risks, and Benefits 5
Cloud Computing Definitions 7
Cloud Computing Roles 12
Key Cloud Computing Characteristics 12
Cloud Transition Scenario 14
Building Blocks 16
Cloud Computing Functions 16
Cloud Service Categories 18
IaaS 18
PaaS 19
SaaS 21
Cloud Deployment Models 23
The Public Cloud Model 23
The Private Cloud Model 23
The Hybrid Cloud Model 24
The Community Cloud Model 25
Cloud Cross-Cutting Aspects 25
Architecture Overview 25
Key Principles of an Enterprise Architecture 27
The NIST Cloud Technology Roadmap 28
Network Security and Perimeter 32
Cryptography 33
Encryption 33
Key Management 35
IAM and Access Control 37
Provisioning and Deprovisioning 37
Centralized Directory Services 38
Privileged User Management 38
Authorization and Access Management 39
Data and Media Sanitization 40
Vendor Lock-In 40
Cryptographic Erasure 41
Data Overwriting 41
Virtualization Security 42
The Hypervisor 42
Security Types 43
Common Threats 43
Data Breaches 43
Data Loss 44
Account or Service Traffic Hijacking 45
Insecure Interfaces and APIs 45
Denial of Service 46
Malicious Insiders 46
Abuse of Cloud Services 46
Insufficient Due Diligence 47
Shared Technology Vulnerabilities 47
Security Considerations for Different Cloud Categories 48
IaaS Security 48
PaaS Security 50
SaaS Security 52
Open Web Application Security Project Top Ten Security Threats 54
Cloud Secure Data Lifecycle 55
Information and Data Governance Types 56
Business Continuity and Disaster Recovery Planning 57
Business Continuity Elements 57
Critical Success Factors 58
Important SLA Components 59
Cost-Benefit Analysis 60
Certification Against Criteria 62
System and Subsystem Product Certification 69
Summary 72
Review Questions 73
Notes 77
DOMAIN 2: CLOUD DATA SECURITY 79
Introduction 81
The Cloud Data Lifecycle Phases 82
Location and Access of Data 83
Location 83
Access 84
Functions, Actors, and Controls of the Data 84
Key Data Functions 85
Controls 85
Process Overview 86
Tying It Together 86
Cloud Services, Products, and Solutions 87
Data Storage 87
IaaS 87
PaaS 88
SaaS 89
Threats to Storage Types 90
Technologies Available to Address Threats 91
Relevant Data Security Technologies 91
Data Dispersion in Cloud Storage 92
DLP 92
Encryption 95
Masking, Obfuscation, Anonymization, and Tokenization 102
Application of Security Strategy Technologies 105
Emerging Technologies 106
Bit Splitting 106
Homomorphic Encryption 107
Data Discovery 108
Data Discovery Approaches 108
Different Data Discovery Techniques 109
Data Discovery Issues 110
Challenges with Data Discovery in the Cloud 111
Data Classification 112
Data Classification Categories 112
Challenges with Cloud Data 113
Data Privacy Acts 113
Global P&DP Laws in the United States 114
Global P&DP Laws in the European Union 115
Global P&DP Laws in APEC 115
Differences Between Jurisdiction and Applicable Law 115
Essential Requirements in P&DP Laws 116
Typical Meanings for Common Privacy Terms 116
Privacy Roles for Customers and Service Providers 117
Responsibility Depending on the Type of Cloud Services 118
Implementation of Data Discovery 119
Classification of Discovered Sensitive Data 120
Mapping and Definition of Controls 123
Privacy Level Agreement 124
PLA Versus Essential P&DP Requirements Activity 124
Application of Defined Controls for PII 128
Cloud Security Alliance Cloud Controls Matrix 129
Management Control for Privacy and Data-Protection Measures 133
Data Rights Management Objectives 134
IRM Cloud Challenges 134
IRM Solutions 135
Data-Protection Policies 136
Data-Retention Policies 137
Data-Deletion Procedures and Mechanisms 138
Data-Archiving Procedures and Mechanisms 139
Events 140
Event Sources 140
Identifying Event Attribute Requirements 142
Storage and Analysis of Data Events 144
SIEM 145
Supporting Continuous Operations 146
Chain of Custody and Nonrepudiation 147
Summary 148
Review Questions 149
Notes 152
DOMAIN 3: CLOUD PLATFORM AND INFRASTRUCTURE SECURITY 155
Introduction 157
The Physical Environment of the Cloud Infrastructure 157
Data Center Design 158
Network and Communications in the Cloud 159
Network Functionality 159
Software-Defined Networking 160
The Compute Parameters of a Cloud Server 161
Virtualization 161
Scalability 162
The Hypervisor 162
Storage Issues in the Cloud 163
Object Storage 164
Management Plane 164
Management of Cloud Computing Risks 166
Risk Assessment and Analysis 166
Cloud Attack Vectors 170
Countermeasure Strategies Across the Cloud 170
Continuous Uptime 171
Automation of Controls 171
Access Controls 171
Physical and Environmental Protections 172
Key Regulations 173
Examples of Controls 173
Protecting Data Center Facilities 173
System and Communication Protections 173
Automation of Configuration 174
Responsibilities of Protecting the Cloud System 174
Following the Data Lifecycle 175
Virtualization Systems Controls 176
Managing Identification, Authentication, and Authorization in the Cloud Infrastructure 178
Managing Identification 178
Managing Authentication 179
Managing Authorization 179
Accounting for Resources 179
Managing Identity and Access Management 179
Making Access Decisions 179
The Entitlement Process 180
The Access Control Decision-Making Process 180
Risk Audit Mechanisms 181
The Cloud Security Alliance Cloud Controls Matrix 182
Cloud Computing Audit Characteristics 182
Using a VM 183
Understanding the Cloud Environment Related to BCDR 183
On-Premises, Cloud as BCDR 184
Cloud Service Consumer, Primary Provider BCDR 184
Cloud Service Consumer, Alternative Provider BCDR 185
BCDR Planning Factors 185
Relevant Cloud Infrastructure Characteristics 185
Understanding the Business Requirements Related to BCDR 186
Understanding the BCDR Risks 188
BCDR Risks Requiring Protection 188
BCDR Strategy Risks 188
Potential Concerns About the BCDR Scenarios 189
BCDR Strategies 190
Location 191
Data Replication 191
Functionality Replication 192
Planning, Preparing, and Provisioning 192
Failover Capability 192
Returning to Normal 193
Creating the BCDR Plan 193
The Scope of the BCDR Plan 193
Gathering Requirements and Context 193
Analysis of the Plan 194
Risk Assessment 194
Plan Design 194
Other Plan Considerations 195
Planning, Exercising, Assessing, and Maintaining the Plan 195
Test Plan Review 197
Testing and Acceptance to Production 201
Summary 201
Review Questions 202
Notes 204
DOMAIN 4: CLOUD APPLICATION SECURITY 205
Introduction 207
Determining Data Sensitivity and Importance 208
Understanding the API Formats 208
Common Pitfalls of Cloud Security Application Deployment 209
On-Premises Does Not Always Transfer (and Vice Versa) 210
Not All Apps Are Cloud Ready 210
Lack of Training and Awareness 210
Lack of Documentation and Guidelines 211
Complexities of Integration 211
Overarching Challenges 211
Awareness of Encryption Dependencies 213
Understanding the Software Development Lifecycle Process for a Cloud Environment 213
Secure Operations Phase 214
Disposal Phase 215
Assessing Common Vulnerabilities 215
Cloud-Specific Risks 218
Threat Modeling 220
STRIDE Threat Model 220
Approved Application Programming Interfaces 221
Software Supply Chain (API) Management 221
Securing Open Source Software 222
Identity and Access Management 222
Identity Management 223
Access Management 223
Identity Repository and Directory Services 223
Federated Identity Management 224
Federation Standards 224
Federated Identity Providers 225
Federated SSO 225
Multifactor Authentication 225
Supplemental Security Devices 226
Cryptography 227
Tokenization 228
Data Masking 228
Sandboxing 229
Application Virtualization 229
Cloud-Based Functional Data 230
Cloud-Secure Development Lifecycle 231
ISO/IEC 27034-1 232
Organizational Normative Framework 232
Application Normative Framework 233
Application Security Management Process 233
Application Security Testing 234
Static Application Security Testing 234
Dynamic Application Security Testing 235
Runtime Application Self-Protection 235
Vulnerability Assessments and Penetration Testing 235
Secure Code Reviews 236
OWASP Recommendations 236
Summary 237
Review Questions 238
Notes 239
DOMAIN 5: OPERATIONS 241
Introduction 243
Modern Data Centers and Cloud Service Offerings 243
Factors That Affect Data Center Design 243
Logical Design 244
Physical Design 246
Environmental Design Considerations 249
Multivendor Pathway Connectivity 253
Implementing Physical Infrastructure for Cloud Environments 253
Enterprise Operations 254
Secure Configuration of Hardware: Specific Requirements 255
Best Practices for Servers 255
Best Practices for Storage Controllers 256
Network Controllers Best Practices 258
Virtual Switches Best Practices 259
Installation and Configuration of Virtualization Management Tools for the Host 260
Leading Practices 261
Running a Physical Infrastructure for Cloud Environments 261
Configuring Access Control and Secure Kernel-Based Virtual Machine 265
Securing the Network Configuration 266
Network Isolation 266
Protecting VLANs 267
Using TLS 268
Using DNS 268
Using IPSec 269
Identifying and Understanding Server Threats 270
Using Standalone Hosts 271
Using Clustered Hosts 273
Resource Sharing 273
Distributed Resource Scheduling/Compute Resource Scheduling 274
Accounting for Dynamic Operation 274
Using Storage Clusters 275
Clustered Storage Architectures 275
Storage Cluster Goals 276
Using Maintenance Mode 276
Providing HA on the Cloud 276
Measuring System Availability 276
Achieving HA 277
The Physical Infrastructure for Cloud Environments 278
Configuring Access Control for Remote Access 279
Performing Patch Management 281
The Patch Management Process 282
Examples of Automation 282
Challenges of Patch Management 283
Performance Monitoring 285
Outsourcing Monitoring 285
Hardware Monitoring 285
Redundant System Architecture 286
Monitoring Functions 286
Backing Up and Restoring the Host Configuration 287
Implementing Network Security Controls: Defense in Depth 288
Firewalls 288
Layered Security 289
Utilizing Honeypots 292
Conducting Vulnerability Assessments 293
Log Capture and Log Management 293
Using Security Information and Event Management 295
Developing a Management Plan 296
Maintenance 297
Orchestration 297
Building a Logical Infrastructure for Cloud Environments 298
Logical Design 298
Physical Design 298
Secure Configuration of Hardware-Specific Requirements 299
Running a Logical Infrastructure for Cloud Environments 300
Building a Secure Network Configuration 300
OS Hardening via Application Baseline 301
Availability of a Guest OS 303
Managing the Logical Infrastructure for Cloud Environments 304
Access Control for Remote Access 304
OS Baseline Compliance Monitoring and Remediation 305
Backing Up and Restoring the Guest OS Configuration 305
Implementation of Network Security Controls 306
Log Capture and Analysis 306
Management Plan Implementation Through the Management Plane 307
Ensuring Compliance with Regulations and Controls 307
Using an ITSM Solution 308
Considerations for Shadow IT 308
Operations Management 309
Information Security Management 310
Configuration Management 310
Change Management 311
Incident Management 315
Problem Management 317
Release and Deployment Management 318
Service-Level Management 319
Availability Management 319
Capacity Management 319
Business Continuity Management 320
Continual Service Improvement Management 321
How Management Processes Relate to Each Other 321
Incorporating Management Processes 323
Managing Risk in Logical and Physical Infrastructures 323
The Risk-Management Process Overview 323
Framing Risk 324
Risk Assessment 324
Risk Response 334
Risk Monitoring 339
Understanding the Collection and Preservation of Digital Evidence 340
Cloud Forensics Challenges 341
Data Access Within Service Models 342
Forensics Readiness 343
Proper Methodologies for Forensic Collection of Data 343
The Chain of Custody 349
Evidence Management 350
Managing Communications with Relevant Parties 350
The Five Ws and One H 351
Communicating with Vendors and Partners 351
Communicating with Customers 353
Communicating with Regulators 353
Communicating with Other Stakeholders 354
Wrap-Up: Data Breach Example 354
Summary 354
Review Questions 356
Notes 361
DOMAIN 6: LEGAL AND COMPLIANCE 363
Introduction 365
International Legislation Conflicts 365
Legislative Concepts 366
Frameworks and Guidelines Relevant to Cloud Computing 368
ISO/IEC 27017:2015 Information Technology Security Techniques Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services 368
Organization for Economic Cooperation and Development Privacy and Security Guidelines 369
Asia-Pacific Economic Cooperation Privacy Framework 369
EU Data Protection Directive 370
General Data Protection Regulation 372
ePrivacy Directive 372
Beyond Frameworks and Guidelines 372
Common Legal Requirements 373
Legal Controls and Cloud Service Providers 374
e-Discovery 375
e-Discovery Challenges 375
Considerations and Responsibilities of e-Discovery 376
Reducing Risk 376
Conducting e-Discovery Investigations 377
Cloud Forensics and ISO/IEC 27050-1 377
Protecting Personal Information in the Cloud 378
Differentiating Between Contractual and Regulated PII 379
Country-Specific Legislation and Regulations Related to PII, Data Privacy, and Data Protection 383
Auditing in the Cloud 392
Internal and External Audits 392
Types of Audit Reports 393
Impact of Requirement Programs by the Use of Cloud Services 396
Assuring Challenges of the Cloud and Virtualization 396
Information Gathering 397
Audit Scope 398
Cloud-Auditing Goals 401
Audit Planning 401
Standard Privacy Requirements (ISO/IEC 27018) 403
GAPP 404
Internal ISMS 405
The Value of an ISMS 405
Internal Information Security Controls System: ISO 27001:2013 Domains 406
Repeatability and Standardization 406
Implementing Policies 407
Organizational Policies 407
Functional Policies 408
Cloud Computing Policies 408
Bridging the Policy Gaps 409
Identifying and Involving the Relevant Stakeholders 410
Stakeholder Identification Challenges 410
Governance Challenges 411
Communication Coordination 411
Impact of Distributed IT Models 412
Clear Communications 412
Coordination and Management of Activities 413
Governance of Processes and Activities 413
Coordination Is Key 414
Security Reporting 414
Understanding the Implications of the Cloud to Enterprise Risk Management 415
Risk Profile 416
Risk Appetite 416
Difference Between the Data Owner and Controller and the Data Custodian and Processor 416
SLA 417
Risk Mitigation 422
Risk-Management Metrics 422
Different Risk Frameworks 423
Understanding Outsourcing and Contract Design 425
Business Requirements 425
Vendor Management 426
Understanding Your Risk Exposure 426
Accountability of Compliance 427
Common Criteria Assurance Framework 427
CSA STAR 428
Cloud Computing Certification 429
Contract Management 431
Importance of Identifying Challenges Early 431
Key Contract Components 432
Supply Chain Management 434
Supply Chain Risk 434
CSA CCM 435
The ISO 28000:2007 Supply Chain Standard 435
Summary 436
Review Questions 438
Notes 439
APPENDIX A: ANSWERS TO REVIEW QUESTIONS 441
Domain 1: Architectural Concepts and Design Requirements 441
Domain 2: Cloud Data Security 451
Domain 3: Cloud Platform and Infrastructure Security 460
Domain 4: Cloud Application Security 466
Domain 5: Operations 470
Domain 6: Legal and Compliance Issues 482
Notes 488
APPENDIX B: GLOSSARY 491
APPENDIX C: HELPFUL RESOURCES AND LINKS 501
Index 505