The Official (ISC)2 CCSP CBK Reference PDF

310 Pages·2020·1.675 MB·English

The Official (ISC)2® CCSP® CBK® Reference, Third Edition
CCSP®: Certified Cloud Security Professional

LESLIE FIFE, AARON KRAUS, BRYAN LEWIS

Copyright © 2021 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.

ISBN: 978-1-119-60343-6
ISBN: 978-1-119-60345-0 (ebk.)
ISBN: 978-1-119-60346-7 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2021934228

TRADEMARKS: WILEY and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2, CCSP, and CBK are service marks or registered trademarks of Information Systems Security Certification Consortium, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Cover Design: Wiley and (ISC)2

Acknowledgments

First and foremost, we offer our deepest appreciation to our spouses, children, and families. Their support and understanding during the long hours of writing and review gave us the time necessary to create this book. This book would not have been possible without our wonderful families.

We would also like to express our appreciation to (ISC)2 for providing the CCSP certification and these certification preparation materials. We are excited to be part of this transformative growth and development of secure cloud computing in the world today.

We would also like to thank John Wiley & Sons, and associate publisher Jim Minatel for entrusting us with the role of creating this study guide.

We wish to thank Aaron Kraus for his review and input on the work of other sections, and our technical editor Raven Sims, whose attention to detail made this book so much better. Thanks also goes to project editor Kelly Talbot, content refinement specialist Saravanan Dakshinamurthy, copy editor Kim Wimpsett, and the entire team at Wiley for their guidance and assistance in making this book.

We’d also like to thank all of our colleagues and experts who consulted with us while writing this book. You are too many to name here, but we are grateful for your suggestions and contributions.

More than anyone else, we would like to thank our readers. We are grateful for the trust you have placed in us to help you study for the exam.

— The Authors

About the Authors

Leslie D. Fife, CISSP-ISSMP, CCSP, C|CISO, CISA, CISM, CRISC, GDAT, GCED, CBCP, CIPM (and more than 20 other certifications), has more than 40 years of experience in information technology, cybersecurity, and risk management. He is currently an information security risk manager for the Church of Jesus Christ of Latter-day Saints, an assistant professor of practice at Southern Illinois University Carbondale, and an adjunct at the University of Utah. He is also a commissioner for the Computing Accreditation Commission of ABET. His career includes the U.S. Navy submarine service, software development in the defense industry and the oil and gas field service industry, incident response and business continuity in the financial services sector, as well as 22 years as a professor of computer science. He has a PhD in computer science from the University of Oklahoma.

Aaron Kraus, CCSP, CISSP, is an information security professional with more than 15 years of experience in security risk management, auditing, and teaching information security topics. He has worked in security and compliance roles across industries including U.S. federal government civilian agencies, financial services, and technology startups, and he is currently the security engagement manager at Coalition, Inc., a cyber risk insurtech company. His experience includes creating alignment between security teams and the organizations they support, by evaluating the unique threat landscape facing each organization and the unique objectives each organization is pursuing to deliver a balanced, risk-based security control program. As a consultant to a financial services firm he designed, executed, and matured the third-party vendor audit programs to provide oversight of key compliance initiatives, and he led the global audit teams to perform reviews covering physical security, logical security, and regulatory compliance. Aaron is a course author, instructor, and cybersecurity curriculum dean with more than 13 years of experience at Learning Tree International, and he most recently taught the Official (ISC)2 CISSP CBK Review Seminar. He has served as a technical editor for numerous Wiley publications including (ISC)2 CCSP Certified Cloud Security Professional Official Study Guide, 2nd Edition; CCSP Official (ISC)2 Practice Tests, 1st Edition; The Official (ISC)2 Guide to the CISSP CBK Reference, 5th Edition; and (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests, 2nd Edition.

Bryan Lewis, EdD, currently serves as an assistant dean and IT area lecturer for the McIntire School of Commerce at the University of Virginia. Certified as both a CISSP and CCSP, he has extensive experience with cybersecurity operations, research, and instruction in both the public and private sectors. Prior to joining the McIntire School, Dr. Lewis served as a company officer and principal for an audio visual and telecommunications design, engineering, and manufacturing company. His past experience includes large-scale network infrastructure and secure system design, deployments, and migrations, including secure distance-based learning and collaborative space design. He currently serves as a lecturer on network, data, and cloud security with a focus on defensive technologies, secure communications, and the business impacts of information security in the graduate and undergraduate curricula. His primary consulting interests focus on distance learning design, large-scale visualization, information security in the public sector, and collaborative space design projects.

About the Technical Editor

Raven Sims, CISSP, CCSP, SSCP, is a space systems senior principal cyber architect in the Strategic Deterrent division of a notable defense contractor. In this role, Sims has responsibility for the division’s cyber architecture within the weapon system command-and-control business portfolio, including full-spectrum cyber, cloud computing, as well as mission-enabling cyber solutions supporting domestic and international customers. Most recently, Sims was a cyber architect of the Department of Justice (DoJ) Cybersecurity Services (CSS) team in providing cloud security guidance to all 14+ DoJ components. She was responsible for designing, deploying, and maintaining enterprise-class security, network, and systems management applications within an Amazon Web Services (AWS) and Azure environment. Within this role, she led incident response guidance for the DoJ as it pertained to securing the cloud and how to proactively respond to events within their cloud infrastructure. Sims has held business development, functional, and program positions of increasing responsibility in multiple sectors of the company. Her program experience includes government and international partnerships.

Sims earned a bachelor’s degree in computer science from Old Dominion University in Norfolk, Virginia, and a master’s degree in technology management from Georgetown University in Washington, D.C. She is now pursuing a doctoral degree from Dakota State University in cyber operations. She serves on the board of directors of FeedTheStreetsRVA (FTSRVA); is a member of Society of Women Engineers (SWE) and Zeta Phi Beta Sorority, Inc.; and is the owner of Sims Designs. Sims is nationally recognized for her advancements in cyber and mission solutions as an awardee of the 2019 Black Engineer of the Year (BEYA): Modern Day Technology Award, and UK Cybercenturion awards.

Contents at a Glance

  Acknowledgments v
  About the Authors vii
  About the Technical Editor ix
  Foreword to the Third Edition xxi
  Introduction xxiii
  DOMAIN 1: CLOUD CONCEPTS, ARCHITECTURE, AND DESIGN 1
  DOMAIN 2: CLOUD DATA SECURITY 43
  DOMAIN 3: CLOUD PLATFORM AND INFRASTRUCTURE SECURITY 87
  DOMAIN 4: CLOUD APPLICATION SECURITY 117
  DOMAIN 5: CLOUD SECURITY OPERATIONS 145
  DOMAIN 6: LEGAL, RISK, AND COMPLIANCE 227
  Index 283

Contents

  Acknowledgments v
  About the Authors vii
  About the Technical Editor ix
  Foreword to the Third Edition xxi
  Introduction xxiii

  DOMAIN 1: CLOUD CONCEPTS, ARCHITECTURE, AND DESIGN 1
    Understand Cloud Computing Concepts 1
      Cloud Computing Definitions 1
      Cloud Computing Roles 4
      Key Cloud Computing Characteristics 5
      Building Block Technologies 9
    Describe Cloud Reference Architecture 12
      Cloud Computing Activities 12
      Cloud Service Capabilities 13
      Cloud Service Categories 14
      Cloud Deployment Models 15
      Cloud Shared Considerations 17
      Impact of Related Technologies 23
    Understand Security Concepts Relevant to Cloud Computing 27
      Cryptography and Key Management 27
      Access Control 28
      Data and Media Sanitization 29
      Network Security 30
      Virtualization Security 31
      Common Threats 32
    Understand Design Principles of Secure Cloud Computing 33
      Cloud Secure Data Lifecycle 33
      Cloud-Based Disaster Recovery and Business Continuity Planning 33
      Cost-Benefit Analysis 34
      Functional Security Requirements 35
      Security Considerations for Different Cloud Categories 36
    Evaluate Cloud Service Providers 38
      Verification against Criteria 39
      System/Subsystem Product Certifications 40
    Summary 41

  DOMAIN 2: CLOUD DATA SECURITY 43
    Describe Cloud Data Concepts 43
      Cloud Data Lifecycle Phases 44
      Data Dispersion 47
    Design and Implement Cloud Data Storage Architectures 48
      Storage Types 48
      Threats to Storage Types 50
    Design and Apply Data Security Technologies and Strategies 52
      Encryption and Key Management 52
      Hashing 55
      Masking 56
      Tokenization 56
      Data Loss Prevention 57
      Data Obfuscation 60
      Data De-identification 61
    Implement Data Discovery 62
      Structured Data 64
      Unstructured Data 65
    Implement Data Classification 66
      Mapping 68
      Labeling 68
      Sensitive Data 69
    Design and Implement Information Rights Management 71
      Objectives 72
      Appropriate Tools 73
    Plan and Implement Data Retention, Deletion, and Archiving Policies 74
      Data Retention Policies 74
      Data Deletion Procedures and Mechanisms 77
      Data Archiving Procedures and Mechanisms 79
      Legal Hold 80
