| Acknowledgments |
|
v | |
| About the Authors |
|
vii | |
| About the Technical Editor |
|
ix | |
| Foreword to the Third Edition |
|
xxi | |
| Introduction |
|
xxiii | |
| Domain 1 Cloud Concepts, Architecture, And Design |
|
1 | (42) |
|
Understand Cloud Computing Concepts |
|
|
1 | (11) |
|
Cloud Computing Definitions |
|
|
1 | (3) |
|
|
|
4 | (1) |
|
Key Cloud Computing Characteristics |
|
|
5 | (4) |
|
Building Block Technologies |
|
|
9 | (3) |
|
Describe Cloud Reference Architecture |
|
|
12 | (15) |
|
Cloud Computing Activities |
|
|
12 | (1) |
|
Cloud Service Capabilities |
|
|
13 | (1) |
|
|
|
14 | (1) |
|
|
|
15 | (2) |
|
Cloud Shared Considerations |
|
|
17 | (6) |
|
Impact of Related Technologies |
|
|
23 | (4) |
|
Understand Security Concepts Relevant to Cloud Computing |
|
|
27 | (6) |
|
Cryptography and Key Management |
|
|
27 | (1) |
|
|
|
28 | (1) |
|
Data and Media Sanitization |
|
|
29 | (1) |
|
|
|
30 | (1) |
|
|
|
31 | (1) |
|
|
|
32 | (1) |
|
Understand Design Principles of Secure Cloud Computing |
|
|
33 | (5) |
|
Cloud Secure Data Lifecycle |
|
|
33 | (1) |
|
Cloud-Based Disaster Recovery and Business Continuity Planning |
|
|
33 | (1) |
|
|
|
34 | (1) |
|
Functional Security Requirements |
|
|
35 | (1) |
|
Security Considerations for Different Cloud Categories |
|
|
36 | (2) |
|
Evaluate Cloud Service Providers |
|
|
38 | (5) |
|
Verification against Criteria |
|
|
39 | (1) |
|
System/Subsystem Product Certifications |
|
|
40 | (1) |
|
|
|
41 | (2) |
| Domain 2 Cloud Data Security |
|
43 | (44) |
|
Describe Cloud Data Concepts |
|
|
43 | (5) |
|
Cloud Data Lifecycle Phases |
|
|
44 | (3) |
|
|
|
47 | (1) |
|
Design and Implement Cloud Data Storage Architectures |
|
|
48 | (4) |
|
|
|
48 | (2) |
|
|
|
50 | (2) |
|
Design and Apply Data Security Technologies and Strategies |
|
|
52 | (10) |
|
Encryption and Key Management |
|
|
52 | (3) |
|
|
|
55 | (1) |
|
|
|
56 | (1) |
|
|
|
56 | (1) |
|
|
|
57 | (3) |
|
|
|
60 | (1) |
|
|
|
61 | (1) |
|
|
|
62 | (4) |
|
|
|
64 | (1) |
|
|
|
65 | (1) |
|
Implement Data Classification |
|
|
66 | (5) |
|
|
|
68 | (1) |
|
|
|
68 | (1) |
|
|
|
69 | (2) |
|
Design and Implement Information Rights Management |
|
|
71 | (3) |
|
|
|
72 | (1) |
|
|
|
73 | (1) |
|
Plan and Implement Data Retention, Deletion, and Archiving Policies |
|
|
74 | (7) |
|
|
|
74 | (3) |
|
Data Deletion Procedures and Mechanisms |
|
|
77 | (2) |
|
Data Archiving Procedures and Mechanisms |
|
|
79 | (1) |
|
|
|
80 | (1) |
|
Design and Implement Auditability, Traceability, and Accountability of Data Events |
|
|
81 | (4) |
|
Definition of Event Sources and Requirement of Identity Attribution |
|
|
81 | (1) |
|
Logging, Storage, and Analysis of Data Events |
|
|
82 | (2) |
|
Chain of Custody and Nonrepudiation |
|
|
84 | (1) |
|
|
|
85 | (2) |
| Domain 3 Cloud Platform And Infrastructure Security |
|
87 | (30) |
|
Comprehend Cloud Infrastructure Components |
|
|
88 | (7) |
|
|
|
88 | (1) |
|
Network and Communications |
|
|
89 | (1) |
|
|
|
90 | (1) |
|
|
|
91 | (2) |
|
|
|
93 | (1) |
|
|
|
93 | (2) |
|
Design a Secure Data Center |
|
|
95 | (4) |
|
|
|
95 | (2) |
|
|
|
97 | (1) |
|
|
|
98 | (1) |
|
Analyze Risks Associated with Cloud Infrastructure |
|
|
99 | (3) |
|
Risk Assessment and Analysis |
|
|
100 | (1) |
|
Cloud Vulnerabilities, Threats, and Attacks |
|
|
101 | (1) |
|
|
|
101 | (1) |
|
Countermeasure Strategies |
|
|
102 | (1) |
|
Design and Plan Security Controls |
|
|
102 | (5) |
|
Physical and Environmental Protection |
|
|
103 | (1) |
|
System and Communication Protection |
|
|
103 | (1) |
|
Virtualization Systems Protection |
|
|
104 | (1) |
|
Identification, Authentication, and Authorization in Cloud Infrastructure |
|
|
105 | (1) |
|
|
|
106 | (1) |
|
Plan Disaster Recovery and Business Continuity |
|
|
107 | (9) |
|
Risks Related to the Cloud Environment |
|
|
108 | (1) |
|
|
|
109 | (2) |
|
Business Continuity/Disaster Recovery Strategy |
|
|
111 | (1) |
|
Creation, Implementation, and Testing of Plan |
|
|
112 | (4) |
|
|
|
116 | (1) |
| Domain 4 Cloud Application Security |
|
117 | (28) |
|
Advocate Training and Awareness for Application Security |
|
|
117 | (3) |
|
|
|
118 | (1) |
|
|
|
118 | (1) |
|
Common Cloud Vulnerabilities |
|
|
119 | (1) |
|
Describe the Secure Software Development Lifecycle Process |
|
|
120 | (3) |
|
NIST Secure Software Development Framework |
|
|
120 | (1) |
|
OWASP Software Assurance Security Model |
|
|
121 | (1) |
|
|
|
121 | (1) |
|
|
|
122 | (1) |
|
Apply the Secure Software Development Lifecycle |
|
|
123 | (6) |
|
Avoid Common Vulnerabilities During Development |
|
|
123 | (1) |
|
|
|
124 | (3) |
|
|
|
127 | (1) |
|
|
|
127 | (1) |
|
Software Configuration Management and Versioning |
|
|
128 | (1) |
|
Apply Cloud Software Assurance and Validation |
|
|
129 | (3) |
|
|
|
130 | (1) |
|
Security Testing Methodologies |
|
|
131 | (1) |
|
Use Verified Secure Software |
|
|
132 | (3) |
|
Approved Application Programming Interfaces |
|
|
132 | (1) |
|
|
|
133 | (1) |
|
Third-Party Software Management |
|
|
134 | (1) |
|
Validated Open Source Software |
|
|
134 | (1) |
|
Comprehend the Specifics of Cloud Application Architecture |
|
|
135 | (5) |
|
Supplemental Security Components |
|
|
136 | (2) |
|
|
|
138 | (1) |
|
|
|
139 | (1) |
|
Application Virtualization and Orchestration |
|
|
139 | (1) |
|
Design Appropriate Identity and Access Management Solutions |
|
|
140 | (3) |
|
|
|
140 | (1) |
|
|
|
141 | (1) |
|
|
|
141 | (1) |
|
Multifactor Authentication |
|
|
142 | (1) |
|
Cloud Access Security Broker |
|
|
142 | (1) |
|
|
|
143 | (2) |
| Domain 5 Cloud Security Operations |
|
145 | (82) |
|
Implement and Build Physical and Logical Infrastructure for Cloud Environment |
|
|
145 | (7) |
|
Hardware-Specific Security Configuration Requirements |
|
|
146 | (3) |
|
Installation and Configuration of Virtualization Management Tools |
|
|
149 | (1) |
|
Virtual Hardware-Specific Security Configuration Requirements |
|
|
150 | (2) |
|
Installation of Guest Operating System Virtualization Toolsets |
|
|
152 | (1) |
|
Operate Physical and Logical Infrastructure for Cloud Environment |
|
|
152 | (14) |
|
Configure Access Control for Local and Remote Access |
|
|
153 | (2) |
|
Secure Network Configuration |
|
|
155 | (5) |
|
Operating System Hardening through the Application of Baselines |
|
|
160 | (2) |
|
Availability of Stand-Alone Hosts |
|
|
162 | (1) |
|
Availability of Clustered Hosts |
|
|
162 | (3) |
|
Availability of Guest Operating Systems |
|
|
165 | (1) |
|
Manage Physical and Logical Infrastructure for Cloud Environment |
|
|
166 | (14) |
|
Access Controls for Remote Access |
|
|
166 | (2) |
|
Operating System Baseline Compliance Monitoring and Remediation |
|
|
168 | (1) |
|
|
|
169 | (3) |
|
Performance and Capacity Monitoring |
|
|
172 | (1) |
|
|
|
173 | (1) |
|
Configuration of Host and Guest Operating System Backup and Restore Functions |
|
|
174 | (1) |
|
Network Security Controls |
|
|
175 | (4) |
|
|
|
179 | (1) |
|
Implement Operational Controls and Standards |
|
|
180 | (17) |
|
|
|
180 | (2) |
|
|
|
182 | (2) |
|
Information Security Management |
|
|
184 | (1) |
|
Continual Service Improvement Management |
|
|
185 | (1) |
|
|
|
186 | (3) |
|
|
|
189 | (1) |
|
|
|
190 | (1) |
|
|
|
191 | (1) |
|
|
|
192 | (2) |
|
|
|
194 | (1) |
|
|
|
195 | (1) |
|
|
|
196 | (1) |
|
Support Digital Forensics |
|
|
197 | (7) |
|
Forensic Data Collection Methodologies |
|
|
197 | (3) |
|
|
|
200 | (1) |
|
Collect, Acquire, and Preserve Digital Evidence |
|
|
201 | (3) |
|
Manage Communication with Relevant Parties |
|
|
204 | (6) |
|
|
|
205 | (1) |
|
|
|
206 | (1) |
|
Shared Responsibility Model |
|
|
206 | (2) |
|
|
|
208 | (1) |
|
|
|
208 | (1) |
|
|
|
209 | (1) |
|
Manage Security Operations |
|
|
210 | (16) |
|
Security Operations Center |
|
|
210 | (5) |
|
Monitoring of Security Controls |
|
|
215 | (2) |
|
|
|
217 | (3) |
|
|
|
220 | (6) |
|
|
|
226 | (1) |
| Domain 6 Legal, Risk, And Compliance |
|
227 | (56) |
|
Articulating Legal Requirements and Unique Risks Within the Cloud Environment |
|
|
227 | (11) |
|
Conflicting International Legislation |
|
|
228 | (1) |
|
Evaluation of Legal Risks Specific to Cloud Computing |
|
|
229 | (1) |
|
Legal Frameworks and Guidelines That Affect Cloud Computing |
|
|
229 | (7) |
|
Forensics and eDiscovery in the Cloud |
|
|
236 | (2) |
|
Understanding Privacy Issues |
|
|
238 | (12) |
|
Difference between Contractual and Regulated Private Data |
|
|
239 | (3) |
|
Country-Specific Legislation Related to Private Data |
|
|
242 | (5) |
|
Jurisdictional Differences in Data Privacy |
|
|
247 | (1) |
|
Standard Privacy Requirements |
|
|
248 | (2) |
|
Understanding Audit Process, Methodologies, and Required Adaptations for a Cloud Environment |
|
|
250 | (16) |
|
Internal and External Audit Controls |
|
|
251 | (1) |
|
Impact of Audit Requirements |
|
|
251 | (1) |
|
Identity Assurance Challenges of Virtualization and Cloud |
|
|
252 | (1) |
|
|
|
252 | (3) |
|
Restrictions of Audit Scope Statements |
|
|
255 | (1) |
|
|
|
256 | (1) |
|
|
|
257 | (1) |
|
Internal Information Security Management Systems |
|
|
258 | (1) |
|
Internal Information Security Controls System |
|
|
259 | (1) |
|
|
|
260 | (2) |
|
Identification and Involvement of Relevant Stakeholders |
|
|
262 | (2) |
|
Specialized Compliance Requirements for Highly Regulated Industries |
|
|
264 | (1) |
|
Impact of Distributed Information Technology Models |
|
|
264 | (2) |
|
Understand Implications of Cloud to Enterprise Risk Management |
|
|
266 | (10) |
|
Assess Providers Risk Management Programs |
|
|
266 | (2) |
|
Differences Between Data Owner/Controller vs. Data Custodian/Processor |
|
|
268 | (1) |
|
Regulatory Transparency Requirements |
|
|
269 | (1) |
|
|
|
270 | (1) |
|
|
|
270 | (2) |
|
Metrics for Risk Management |
|
|
272 | (1) |
|
Assessment of Risk Environment |
|
|
273 | (3) |
|
Understanding Outsourcing and Cloud Contract Design |
|
|
276 | (6) |
|
|
|
277 | (1) |
|
|
|
278 | (1) |
|
|
|
279 | (2) |
|
|
|
281 | (1) |
|
|
|
282 | (1) |
| Index |
|
283 | |
