Leslie Fife

The Official (ISC)2 CCSP CBK Reference



data, applications, and infrastructure in the cloud using best practices, policies, and procedures established by the cybersecurity experts at (ISC)2.

      The recognized leader in the field of information security education and certification, (ISC)2 promotes the development of information security professionals throughout the world. As a CCSP with all the benefits of (ISC)2 membership, you are part of a global network of more than 157,000 certified professionals who are working to inspire a safe and secure cyber world.

      Drawing from a comprehensive, up-to-date global body of knowledge, the CCSP CBK provides you with valuable insights on how to implement cloud security across different digital platforms that your organization may be using.

      If you are an experienced CCSP, you will find this edition of the CCSP CBK to be an indispensable reference on best practices. If you are still gaining the experience and knowledge you need to join the ranks of CCSPs, the CCSP CBK is a deep dive that can be used to supplement your studies.

      As the largest nonprofit membership body of certified information security professionals worldwide, (ISC)2 recognizes the need to identify and validate not only information security competency, but also the ability to connect knowledge of several cloud security domains when managing or migrating data to and from the cloud. The CCSP represents advanced knowledge and competency in cloud security architecture, design, operations, and service orchestration.

      Sincerely,

      Clar Rosso

      CEO, (ISC)2

       Domain 1: Cloud Concepts, Architecture, and Design

       Domain 2: Cloud Data Security

       Domain 3: Cloud Platform and Infrastructure Security

       Domain 4: Cloud Application Security

       Domain 5: Cloud Security Operations

       Domain 6: Legal, Risk, and Compliance

      Passing the exam is one condition of certification, and to qualify for the certification, a professional must have five years of experience in information technology, of which three years must be in a security-specific capacity and at least one year dedicated to one or more of the six CCSP domains.

      Professionals take many paths into information security, and there are variations in acceptable practices across different industries and regions. The CCSP CBK represents a baseline standard of security knowledge relevant to cloud security and management, though the rapid pace of change in cloud computing means a professional must continuously maintain their knowledge to stay current. As you read this guide, consider not only the scenarios or circumstances presented to highlight the CBK topics, but also connect them to common practices and norms in your organization, region, and culture. Once you achieve CCSP certification, you will be asked to maintain your knowledge with continuing education, so keep topics of interest in mind for further study once you have passed the exam.

      Domain 1: Cloud Concepts, Architecture, and Design

      Understanding cloud computing begins with the building blocks of cloud services, and the Cloud Concepts, Architecture, and Design domain introduces these foundational concepts. This includes two vital participants: cloud service providers and cloud consumers, as well as reference architectures used to deliver cloud services like infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). These relatively new methods of accessing IT resources offer interesting business benefits like shifting spending from capital expenditure (CapEx) to operating expenditure (OpEx). This changes the way organizations budget and pay for the IT resources needed to run their business, so it is not uncommon to see financial leaders driving adoption of cloud services. New IT service models bring with them new forms of information security risks, however, which must be assessed and weighed so the organization achieves an optimal balance of cost (in the form of risk) with benefits (in the form of reduced IT spending). This will drive decisions on which cloud deployment model to adopt, like public or private cloud, as well as key internal governance initiatives when migrating to and managing cloud computing.

      Domain 2: Cloud Data Security

      Information security is fundamentally concerned with preserving the confidentiality, integrity, and availability of data. Although cloud computing upends many legacy IT models and practices, security risks to information systems remain. The Cloud Data Security domain does introduce new concepts like the cloud data lifecycle, as well as cloud-specific considerations like data dispersion and loss of physical control over storage media, which require unique approaches to data disposal. Cloud security practitioners must understand how to implement controls for audit and accountability of data stored or processed in the cloud, as well as crucial oversight tasks like data discovery to create an inventory. This domain introduces proactive safeguards intended to manage sensitive data stored in the cloud, like masking, tokenization, data loss prevention (DLP), and classification of data. Cloud-specific considerations and adaptations of traditional controls are a primary concern, since cloud services remove traditional capabilities like physical destruction of disk drives, while adding new capabilities like instantaneous global data replication.

      Domain 3: Cloud Platform and Infrastructure Security

      Domain 4: Cloud Application Security

      Security practitioners working in cloud computing environments face the challenge of more rapid deployment, coupled with the relative ease with which more users can develop sophisticated cloud applications. Again, these are advantages to the business at the possible expense of security, so the Cloud Application Security domain presents key requirements for recognizing the benefits offered by cloud applications without introducing unacceptable risks. These begin with a focus on the importance of fostering awareness throughout the organization