1. Cloud Architectural Concepts
1.1 CCSP Certification Introduction
1.2 Cloud Characteristics
1.2.1 Business Requirements
1.2.2 Existing State
1.2.3 Quantifying Benefits and Opportunity Cost
1.2.4 Intended Impact
1.3 Cloud Evolution, Vernacular, and Models
1.3.1 New Technology, New Options
1.3.2 Cloud Computing Service Models
1.3.3 Cloud Deployment Models
1.4 Cloud Computing Roles and Responsibilities
1.5 Cloud Computing Definitions
1.6 Foundational Concepts of Cloud Computing
1.6.1 Auditing and Compliance
1.6.2 Cloud Service Provider Contracts
1.7 Related and Emerging Technologies
1.8 CCSP CBK Domain converage
2. Design Requirements
2.1 Business Requirements Analysis
2.1.1 Inventory of Assets
2.1.2 Valuation of Assets
2.1.3 Determination of Criticality
2.1.4 Quantitative and Qualitative Risk Assessments
2.1.5 Risk Appetite
2.2 Security Considerations for Different Cloud Categories
2.2.1 IaaS Considerations
2.2.2 PaaS Considerations
2.2.3 SaaS Considerations
2.2.4 General Considerations
2.3 Design Principles for Protecting Sensitive Data
2.3.1 Hardening Devices
2.3.2 Encryption
2.4 Layered Defense and Defense In Depth
2.4.1 A Changing Work Environment and Threat Landscape
2.4.2 Defense in Depth is Similar To Physical Security
2.4.3 Common Cybersecurity Issues
2.4.4 The Different Elements of a Defense-in-Depth System
2.4.5 How Does Defense in Depth Help?
2.4.6 What is Layered Security and How Does it Relate To Defense in Depth?
2.4.7 What Are the Essentials Layers in a Defense-in-Depth Mechanism?
2.5 CCSP CBK Domain converage
3. Data Classification
3.1 Data Inventory and Discovery
3.1.1 Data Ownership
3.1.2 The Data Lifecycle
3.1.3 Data Categorization
3.1.4 Data Classification
3.1.5 Data Mapping
3.1.6 Data Labeling
3.2 Data Discovery Methods
3.2.1 Label-Based Discovery
3.2.2 Metadata-Based Discovery
3.2.3 Content-Based Discovery
3.2.4 Data Analytics
3.2.5 Structured vs. Unstructured Data
3.3 Jurisdictional Requirements
3.4 Information Rights Management (IRM)
3.4.1 Intellectual Property Protections
3.4.2 Copyright
3.4.3 Trademarks
3.4.4 Patents
3.4.5 Trade Secrets
3.4.6 IRM Tool Traits
3.5 Data Control
3.5.1 Data Retention
3.5.2 Legal Hold
3.5.3 Data Audit
3.5.4 Data Destruction/Disposal
3.6 CCSP CBK Domain converage
4. Cloud Data Security
4.1 Cloud Data Lifecycle
4.1.1 Create
4.1.2 Store
4.1.3 Use
4.1.4 Share
4.1.5 Archive
4.1.6 Destroy
4.2 Cloud Storage Architectures
4.2.1 Volume Storage: File-Based Storage and Block Storage
4.2.2 Object-Based Storage
4.2.3 Databases
4.2.4 Content Delivery Network (CDN)
4.3 Cloud Data Security Foundational Strategies
4.3.1 Encryption
4.3.2 Key Management
4.4 Masking, Obfuscation, Anonymization, and Tokenization
4.5 Security Information and Event Management (SIEM)
4.6 Egress Monitoring (DLP)
4.7 Summary of Cloud Data Security
4.8 CCSP CBK Domain converage
5. Security in the Cloud
5.1 Shared Cloud Platform Risks and Responsibilities
5.2 Cloud Computing Risks by Deployment Model
5.2.1 Private Cloud Computing Risks
5.2.2 Community Cloud Computing Risks
5.2.3 Public Cloud Computing Risks
5.2.4 Vendor Lock-In
5.2.5 Vendor Lock-Out
5.2.6 Risks related to Multitenant Environments
5.2.7 The Brewer-Nash Model
5.2.8 Hybrid Cloud
5.3 Cloud Computing Risks by Service Model
5.3.1 Infrastructure as a Service (IaaS) Risks
5.3.2 Platform as a Service (PaaS) Risks
5.3.3 Software as a Service (SaaS) Risks
5.4 Virtualization
5.4.1 Virtualization Threats
5.4.2 Countermeasure Methodology
5.5 Disaster Recovery (DR) and Business Continuity (BC)
5.5.1 Cloud-Specific BIA Concerns
5.5.2 Customer/Provider Shared BC/DR Responsibilities
5.5.3 Logical Location of Backup Data/Systems
5.5.4 Declaration
5.5.5 Testing
5.6 Summary of Security in the Cloud
5.7 CCSP CBK Domain converage
6. Responsibilities in the Cloud
6.1 Foundations of Managed Services
6.2 Business Requirements
6.2.1 Business Requirements: The Cloud Provider Perspective
6.2.2 Cloud Provider Responsibilities: The Physical Plant
6.2.3 Cloud Provider Responsibilities: Secure Logical Framework
6.2.4 Cloud Provider Responsibilities: Secure Networking
6.2.5 Cloud Provider Responsibilities: Mapping and Selection of Controls
6.2.6 Shared Responsibilities by Service Type
6.3 Shared Administration of OS, Middleware, or Applications
6.4 Operating System Baseline Configuration and Management
6.5 Shared Responsibilities: Data Access
6.5.1 Customer Directly Administers Access
6.5.2 Provider Administers Access on Behalf of the Customer
6.5.3 Third-Party (CASB) Administers Access on Behalf of the Customer
6.6 Lack of Physical Access
6.6.1 Audits
6.6.2 SOC 1
6.6.3 SOC 2
6.6.4 Shared Policy
6.6.5 Shared Monitoring and Testing
6.7 Summary of Responsibilities in the Cloud
6.8 CCSP CBK Domain converage
7. Cloud Application Security
7.1 Training and Awareness
7.1.1 The CSA's Treacherous 12
7.1.2 Common Cloud Application Deployment Pitfalls
7.2 Cloud-Secure Software Development Lifecycle (SDLC)
7.2.1 Configuration Management for the SDLC
7.3 ISO/IEC 27034-1 Standards for Secure Application Development
7.3.1 ONF /ANF Example
7.4 Identity and Access Management (IAM)
7.4.1 Identity Repositories and Directory Services
7.4.2 Single Sign-On (SSO)
7.4.3 Federated Identity Management
7.4.4 Federation Standards
7.4.5 Multifactor Authentication
7.4.6 Supplemental Security Components
7.5 Cloud Application Architecture
7.5.1 Application Programming Interfaces
7.5.2 Tenancy Separation
7.5.3 Cryptography
7.5.4 Sandboxing
7.5.5 Application Virtualization
7.6 Cloud Application Assurance and Validation
7.6.1 Threat Modeling
7.6.2 STRIDE Mitigations to Web Application Security
7.6.3 Quality of Service
7.6.4 Software Security Testing
7.6.5 Approved APIs
7.6.6 Software Supply Chain (API) Management
7.6.7 Securing Open-Source Software
7.6.8 Application Orchestration
7.6.9 The Secure Network Environment
7.7 Summary of Cloud Application Security
7.8 CCSP CBK Domain converage
8. Operations Elements
8.1 Physical/Logical Operations
8.1.1 Facilities and Redundancy
8.1.2 American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE)
8.1.3 Power Redundancy
8.1.4 Power Provider Redundancy
8.1.5 Power Line Redundancy
8.1.6 Power Conditioning and Distribution Redundancy
8.1.7 Communications Redundancy
8.1.8 Personnel Redundancy
8.1.9 Security Redundancy
8.1.10 Holistic Redundancy: The Uptime Institute Tiers
8.1.11 Virtualization Operations
8.1.12 Instance Isolation
8.1.13 Storage Operations
8.1.14 Physical and Logical Isolation
8.1.15 Application Testing Methods
8.2 Security Operations Center
8.2.1 Continuous Monitoring
8.2.2 Incident Management
8.3 Summary of Operations Elements
8.4 CCSP CBK Domain converage
9. Operations Management
9.1 Monitoring, Capacity, and Maintenance
9.1.1 Monitoring
9.1.2 Maintenance
9.1.3 Updates
9.2 Change and Configuration Management (CM)
9.2.1 Baselines
9.2.2 Deviations and Exceptions
9.2.3 Roles and Process
9.2.4 Release Management
9.3 IT Service Management and Continual Service Improvement
9.4 Business Continuity and Disaster Recovery (BC/DR)
9.4.1 Primary Focus
9.4.2 Continuity of Operations
9.4.3 The BC/DR Plan
9.4.4 The BC/DR Kit
9.4.5 Relocation
9.4.6 BC /DR Terminology
9.4.7 Power
9.4.8 Testing
9.5 Summary of Operations Management
9.6 CCSP CBK Domain converage
10. Legal and Compliance
10.1 Legal Requirements and Unique Risks in the Cloud Environment
10.1.1 Legal Concepts
10.1.2 US Laws
10.1.3 International Laws
10.1.4 Laws, Frameworks, and Standards Around the World
10.1.5 EU General Data Protection Regulation
10.1.6 Australian Privacy Act of 1988
10.1.7 Canada¡¦s Personal Information Protection and Electronic Documents Act (PIPEDA)
10.1.8 Argentina¡¦s Personal Data Protection Act
10.1.9 The EFTA and Switzerland
10.1.10 Asia-Pacific Economic Cooperation (APEC) Privacy Framework
10.2 Information Security Management Systems (ISMSs)
10.2.1 The Difference between Laws, Regulations, and Standards
10.3 Potential Personal and Data Privacy Issues in the Cloud Environment
10.3.1 eDiscovery
10.3.2 Chain of Custody and Nonrepudiation
10.3.3 Forensic Requirements
10.3.4 Conflicting International Legislation
10.3.5 Cloud Forensic Challenges
10.3.6 Direct and Indirect Identifiers
10.3.7 Forensic Data Collection Methodologies
10.4 Audit Processes, Methodologies, and Cloud Adaptations
10.4.1 Virtualization
10.4.2 Scope
10.4.3 Gap Analysis
10.4.4 Restrictions of Audit Scope Statements
10.4.5 Policies
10.4.6 Different Types of Audit Reports
10.4.7 Auditor Independence
10.4.8 AICPA Reports and Standards
10.5 The Impact of Diverse Geographical Locations and Legal Jurisdictions
10.5.1 Policies
10.5.2 Implications of the Cloud for Enterprise Risk Management
10.5.3 Choices Involved in Managing Risk
10.5.4 Risk Management Frameworks
10.5.5 Risk Management Metrics
10.5.6 Contracts and Service-Level Agreements (SLAs)
10.6 Business Requirements
10.7 Cloud Contract Design and Management for Outsourcing
10.8 Identifying Appropriate Supply Chain and Vendor Management Processes
10.8.1 Common Criteria Assurance Framework (ISO/IEC 15408-1:2022)
10.8.2 CSA Security, Trust, and Assurance Registry (STAR)
10.8.3 Supply Chain Risk
10.8.4 Manage Communication with Relevant Parties
10.9 Summary of Legal and Compliance
ú¥I¾Ç¶O¡A¹Lµ{²«K¡I
