Introduction xv
Assessment Test xxiii
Chapter 1 Architectural Concepts 1
Business Requirements 4
Existing State 4
Quantifying Benefits and Opportunity Cost 5
Intended Impact 8
Cloud Evolution, Vernacular, and Definitions 8
New Technology, New Options 8
Cloud Computing Service Models 10
Cloud Deployment Models 11
Cloud Computing Roles and Responsibilities 13
Cloud Computing Definitions 13
Foundational Concepts of Cloud Computing 16
Sensitive Data 17
Virtualization 17
Encryption 17
Auditing and Compliance 18
Cloud Service Provider Contracts 18
Summary 19
Exam Essentials 19
Written Labs 19
Review Questions 20
Chapter 2 Design Requirements 25
Business Requirements Analysis 26
Inventory of Assets 26
Valuation of Assets 27
Determination of Criticality 27
Risk Appetite 29
Boundaries of Cloud Models 31
IaaS Boundaries 31
PaaS Boundaries 32
SaaS Boundaries 32
Design Principles for Protecting Sensitive Data 34
Hardening Devices 34
Encryption 35
Layered Defenses 36
Summary 37
Exam Essentials 37
Written Labs 37
Review Questions 38
Chapter 3 Data Classification 43
Data Inventory and Discovery 45
Data Ownership 45
The Data Life Cycle 46
Data Discovery Methods 49
Jurisdictional Requirements 50
Data Rights Management 51
Intellectual Property Protections 51
DRM Tool Traits 55
Data Control 57
Data Retention 58
Data Audit 59
Data Destruction/Disposal 61
Summary 62
Exam Essentials 63
Written Labs 63
Review Questions 64
Chapter 4 Cloud Data Security 67
Cloud Data Life Cycle 69
Create 70
Store 70
Use 71
Share 71
Archive 72
Destroy 74
Cloud Storage Architectures 74
Volume Storage: File-Based Storage and Block Storage 74
Object-Based Storage 74
Databases 75
Content Delivery Network (CDN) 75
Cloud Data Security Foundational Strategies 75
Encryption 75
Masking, Obfuscation, Anonymization, and Tokenization 77
Security Information and Event Management 80
Egress Monitoring (DLP) 81
Summary 82
Exam Essentials 82
Written Labs 83
Review Questions 84
Chapter 5 Security in the Cloud 87
Shared Cloud Platform Risks and Responsibilities 88
Cloud Computing Risks by Deployment and Service Model 90
Private Cloud 91
Community Cloud 91
Public Cloud 92
Hybrid Cloud 97
IaaS (Infrastructure as a Service) 97
PaaS (Platform as a Service) 97
SaaS (Software as a Service) 98
Virtualization 98
Cloud Attack Surface 99
Threats by Deployment Model 100
Countermeasure Methodology 102
Disaster Recovery (DR) and Business Continuity Management (BCM) 105
Cloud-Specific BIA Concerns 105
Customer/Provider Shared BC/DR Responsibilities 106
Summary 108
Exam Essentials 109
Written Labs 109
Review Questions 110
Chapter 6 Responsibilities in the Cloud 115
Foundations of Managed Services 118
Business Requirements 119
Business Requirements: The Cloud Provider Perspective 119
Shared Responsibilities by Service Type 125
IaaS 125
PaaS 125
SaaS 125
Shared Administration of OS, Middleware, or Applications 126
Operating System Baseline Configuration and Management 126
Shared Responsibilities: Data Access 128
Customer Directly Administers Access 128
Provider Administers Access on Behalf of the Customer 129
Third-Party (CASB) Administers Access on Behalf of the Customer 129
Lack of Physical Access 131
Audits 131
Shared Policy 134
Shared Monitoring and Testing 134
Summary 135
Exam Essentials 135
Written Labs 136
Review Questions 137
Chapter 7 Cloud Application Security 141
Training and Awareness 143
Common Cloud Application Deployment Pitfalls 146
Cloud-Secure Software Development Life Cycle (SDLC) 148
ISO/IEC 27034-1 Standards for Secure Application Development 150
Identity and Access Management (IAM) 151
Identity Repositories and Directory Services 153
Single Sign-On (SSO) 153
Federated Identity Management 153
Federation Standards 154
Multifactor Authentication 155
Supplemental Security Devices 155
Cloud Application Architecture 157
Application Programming Interfaces 157
Tenancy Separation 159
Cryptography 159
Sandboxing 162
Application Virtualization 162
Cloud Application Assurance and Validation 162
Threat Modeling 163
Quality of Service 166
Software Security Testing 166
Approved APIs 171
Software Supply Chain (API) Management 171
Securing Open Source Software 172
Runtime Application Self-Protection (RASP) 173
Secure Code Reviews 173
OWASP Top 9 Coding Flaws 173
Summary 174
Exam Essentials 174
Written Labs 175
Review Questions 176
Chapter 8 Operations Elements 181
Physical/Logical Operations 183
Facilities and Redundancy 184
Virtualization Operations 194
Storage Operations 195
Physical and Logical Isolation 197
Security Training and Awareness 198
Training Program Categories 199
Additional Training Insights 203
Basic Operational Application Security 203
Threat Modeling 204
Application Testing Methods 205
Summary 206
Exam Essentials 206
Written Labs 207
Review Questions 208
Chapter 9 Operations Management 213
Monitoring, Capacity, and Maintenance 215
Monitoring 215
Maintenance 217
Change and Configuration Management (CM) 221
Baselines 221
Deviations and Exceptions 222
Roles and Process 223
Business Continuity and Disaster Recovery (BC/DR) 225
Primary Focus 226
Continuity of Operations 227
The BC/DR Plan 227
The BC/DR Kit 229
Relocation 230
Power 231
Testing 232
Summary 233
Exam Essentials 233
Written Labs 234
Review Questions 235
Chapter 10 Legal and Compliance Part 1 239
Legal Requirements and Unique Risks in the Cloud Environment 241
Legal Concepts 241
U.S. Laws 247
International Laws 252
Laws, Frameworks, and Standards Around the World 252
The Difference Between Laws, Regulations and Standards 261
Potential Personal and Data Privacy Issues in the Cloud Environment 261
eDiscovery 262
Forensic Requirements 263
International Conflict Resolution 263
Cloud Forensic Challenges 263
Contractual and Regulated PII 264
Direct and Indirect Identifiers 264
Audit Processes, Methodologies, and Cloud Adaptations 265
Virtualization 265
Scope 266
Gap Analysis 266
Information Security Management Systems (ISMSs) 266
The Right to Audit in Managed Services 267
Audit Scope Statements 267
Policies 268
Different Types of Audit Reports 268
Auditor Independence 269
AICPA Reports and Standards 270
Summary 271
Exam Essentials 272
Written Labs 273
Review Questions 274
Chapter 11 Legal and Compliance Part 2 279
The Impact of Diverse Geographical Locations and Legal Jurisdictions 281
Policies 282
Implications of the Cloud for Enterprise Risk Management 287
Choices Involved in Managing Risk 288
Risk Management Frameworks 291
Risk Management Metrics 293
Contracts and Service-Level Agreements (SLAs) 294
Business Requirements 297
Cloud Contract Design and Management for Outsourcing 297
Identifying Appropriate Supply Chain and Vendor Management Processes 298
Common Criteria Assurance Framework (ISO/IEC 15408-1:2009) 299
Cloud Computing Certification 299
CSA Security, Trust, and Assurance Registry (STAR) 300
Supply Chain Risk 302
Summary 303
Exam Essentials 303
Written Labs 304
Review Questions 305
Appendix A Answers to the Review Questions 309
Chapter 1: Architectural Concepts 310
Chapter 2: Design Requirements 311
Chapter 3: Data Classification 312
Chapter 4: Cloud Data Security 314
Chapter 5: Security in the Cloud 316
Chapter 6: Responsibilities in the Cloud 317
Chapter 7: Cloud Application Security 319
Chapter 8: Operations Elements 320
Chapter 9: Operations Management 321
Chapter 10: Legal and Compliance Part 1 323
Chapter 11: Legal and Compliance Part 2 325
Appendix B Answers to the Written Labs 327
Chapter 1 328
Chapter 2 328
Chapter 3 329
Chapter 4 330
Chapter 5 331
Chapter 6 331
Chapter 7 332
Chapter 8 332
Chapter 9 333
Chapter 10 333
Chapter 11 334
Index 335