Leslie Fife

The Official (ISC)2 CCSP CBK Reference


Скачать книгу

trails that are unique to each environment, consistent with requirement 10.

       Provide processes to support forensic investigations.

      In addition to these requirements, the general auditability of the cloud environment would be beneficial in assuring compliance with PCI DSS 3.2.1.

      System/Subsystem Product Certifications

      The following are system/subsystem product certifications.

      Common Criteria

      Common Criteria (CC) is an international set of guidelines and specifications to evaluate information security products. There are two parts to CC:

       Protection profile: Defines a standard set of security requirements for a specific product type, such as a network firewall. This creates a consistent set of standards for comparing like products.

       Evaluation assurance level: Scored from level 1 to 7, with 7 being the highest. This measures the amount of testing conducted on a product. It should be noted that a level 7 product is not automatically more secure than a level 5 product. It has simply undergone more testing. The customer must still decide what level of testing is sufficient. One reason to not subject every product to level 7 is the cost involved.

      FIPS 140-2

      CC does not include a cryptographic implementation standard or test. CC is an international standard, and cryptographic standards are country specific. CC leaves cryptography to each country and organization.

      For the U.S. federal government, the cryptographic standard is FIPS 140-2. Organizations wanting to do business with the U.S. government must meet the FIPS criteria. Organizations in regulated industries and nonfederal government organizations are increasingly looking to FIPS certification as their standard. As FIPS use increases, additional industries are expected to use FIPS as their cryptographic standard.

      Cybersecurity companies are increasingly seeking FIPS certification to increase their market potential and maximize the value of their services.

      FIPS requires that encryption (both symmetric and asymmetric), hashing, and message authentication use algorithms from an approved list. This list is in FIPS 140-2. For example, message authentication can use Triple-DES, AES, or HMAC. There are more algorithms out there than are allowed in FIPS.

      Being considered FIPS-validated requires testing by one of a few specified labs through four levels of testing. Sometimes a product is referred to as FIPS-compliant, which is a much lower bar, indicating some components of the product have been tested, but perhaps not the entire product. It is important to read the fine print. Validated and compliant are not the same thing. A CCSP should also become familiar with the new FIPS 140-3, which will be replacing FIPS 140-2 over the next several years.

      Summary

      In order to discuss the cloud, each individual must be familiar with the terminology surrounding this technology. This understanding includes characteristics of cloud computing, as well as the service models and deployment models of cloud computing. It also includes the role of the CSP in cloud computing and the shared security model that exists between the CSP and the customer. Finally, the technologies that make cloud computing possible are discussed in this chapter alongside the emerging technologies that will support and transform cloud computing in the future. Understanding this chapter will make it easier to access the discussion in each of the following domains.

      Конец ознакомительного фрагмента.

      Текст предоставлен ООО «ЛитРес».

      Прочитайте эту книгу целиком, купив полную легальную версию на ЛитРес.

      Безопасно оплатить книгу можно банковской картой Visa, MasterCard, Maestro, со счета мобильного телефона, с платежного терминала, в салоне МТС или Связной, через PayPal, WebMoney, Яндекс.Деньги, QIWI Кошелек, бонусными картами или другим удобным Вам способом.

/9j/4AAQSkZJRgABAQEBLAEsAAD/7RmUUGhvdG9zaG9wIDMuMAA4QklNBAQAAAAAAAccAgAAAgAA ADhCSU0EJQAAAAAAEOjxXPMvwRihontnrcVk1bo4QklNBDoAAAAAAOUAAAAQAAAAAQAAAAAAC3By aW50T3V0cHV0AAAABQAAAABQc3RTYm9vbAEAAAAASW50ZWVudW0AAAAASW50ZQAAAABDbHJtAAAA D3ByaW50U2l4dGVlbkJpdGJvb2wAAAAAC3ByaW50ZXJOYW1lVEVYVAAAAAEAAAAAAA9wcmludFBy b29mU2V0dXBPYmpjAAAADABQAHIAbwBvAGYAIABTAGUAdAB1AHAAAAAAAApwcm9vZlNldHVwAAAA AQAAAABCbHRuZW51bQAAAAxidWlsdGluUHJvb2YAAAAJcHJvb2ZDTVlLADhCSU0EOwAAAAACLQAA ABAAAAABAAAAAAAScHJpbnRPdXRwdXRPcHRpb25zAAAAFwAAAABDcHRuYm9vbAAAAAAAQ2xicmJv b2wAAAAAAFJnc01ib29sAAAAAABDcm5DYm9vbAAAAAAAQ250Q2Jvb2wAAAAAAExibHNib29sAAAA AABOZ3R2Ym9vbAAAAAAARW1sRGJvb2wAAAAAAEludHJ