(ISC)2 CCSP Certified Cloud Security Professional Official Study Guide

Contents

Introduction  xxi
Assessment Test  xxviii

Chapter 1  Architectural Concepts  1
  Cloud Characteristics  2
  Business Requirements  4
  Existing State  5
  Quantifying Benefits and Opportunity Cost  6
  Intended Impact  8
  Cloud Evolution, Vernacular, and Models  9
  New Technology, New Options  9
  Cloud Computing Service Models  10
  Cloud Deployment Models  12
  Cloud Computing Roles and Responsibilities  13
  Cloud Computing Definitions  14
  Foundational Concepts of Cloud Computing  16
  Sensitive Data  16
  Virtualization  16
  Encryption  16
  Auditing and Compliance  17
  Cloud Service Provider Contracts  17
  Related and Emerging Technologies  18
  Summary  19
  Exam Essentials  19
  Written Labs  20
  Review Questions  21

Chapter 2  Design Requirements  25
  Business Requirements Analysis  26
  Inventory of Assets  26
  Valuation of Assets  27
  Determination of Criticality  27
  Risk Appetite  29
  Security Considerations for Different Cloud Categories  31
  IaaS Considerations  32
  PaaS Considerations  32
  SaaS Considerations  32
  General Considerations  33
  Design Principles for Protecting Sensitive Data  33
  Hardening Devices  33
  Encryption  35
  Layered Defenses  35
  Summary  36
  Exam Essentials  37
  Written Labs  37
  Review Questions  38

Chapter 3  Data Classification  43
  Data Inventory and Discovery  45
  Data Ownership  45
  The Data Lifecycle  46
  Data Discovery Methods  50
  Jurisdictional Requirements  51
  Information Rights Management (IRM)  53
  Intellectual Property Protections  53
  IRM Tool Traits  57
  Data Control  59
  Data Retention  60
  Data Audit  61
  Data Destruction/Disposal  63
  Summary  65
  Exam Essentials  65
  Written Labs  66
  Review Questions  67

Chapter 4  Cloud Data Security  71
  Cloud Data Lifecycle  73
  Create  74
  Store  75
  Use  75
  Share  75
  Archive  76
  Destroy  77
  Cloud Storage Architectures  78
  Volume Storage: File-Based Storage and Block Storage  78
  Object-Based Storage  78
  Databases  79
  Content Delivery Network (CDN)  79
  Cloud Data Security Foundational Strategies  79
  Encryption  79
  Masking, Obfuscation, Anonymization, and Tokenization  81
  Security Information and Event Management  84
  Egress Monitoring (DLP)  85
  Summary  86
  Exam Essentials  86
  Written Labs  87
  Review Questions  88

Chapter 5  Security in the Cloud  93
  Shared Cloud Platform Risks and Responsibilities  95
  Cloud Computing Risks by Deployment Model  97
  Private Cloud  98
  Community Cloud  98
  Public Cloud  100
  Hybrid Cloud  104
  Cloud Computing Risks by Service Model  104
  Infrastructure as a Service (IaaS)  104
  Platform as a Service (PaaS)  105
  Software as a Service (SaaS)  106
  Virtualization  106
  Threats  107
  Countermeasure Methodology  109
  Disaster Recovery (DR) and Business Continuity (BC)  112
  Cloud-Specific BIA Concerns  112
  Customer/Provider Shared BC/DR Responsibilities  113
  Summary  116
  Exam Essentials  116
  Written Labs  117
  Review Questions  118

Chapter 6  Responsibilities in the Cloud  123
  Foundations of Managed Services  126
  Business Requirements  127
  Business Requirements: The Cloud Provider Perspective  127
  Shared Responsibilities by Service Type  133
  IaaS  133
  PaaS  133
  SaaS  133
  Shared Administration of OS, Middleware, or Applications  134
  Operating System Baseline Configuration and Management  134
  Shared Responsibilities: Data Access  136
  Customer Directly Administers Access  137
  Provider Administers Access on Behalf of the Customer  137
  Third-Party (CASB) Administers Access on Behalf of the Customer  137
  Lack of Physical Access  137
  Audits  138
  Shared Policy  142
  Shared Monitoring and Testing  142
  Summary  143
  Exam Essentials  143
  Written Labs  144
  Review Questions  145

Chapter 7  Cloud Application Security  149
  Training and Awareness  151
  Common Cloud Application Deployment Pitfalls  154
  Cloud-Secure Software Development Lifecycle (SDLC)  156
  Configuration Management for the SDLC  157
  ISO/IEC 27034-1 Standards for Secure Application Development  158
  Identity and Access Management (IAM)  159
  Identity Repositories and Directory Services  160
  Single Sign-On (SSO)  161
  Federated Identity Management  161
  Federation Standards  162
  Multifactor Authentication  162
  Supplemental Security Components  163
  Cloud Application Architecture  164
  Application Programming Interfaces  164
  Tenancy Separation  165
  Cryptography  165
  Sandboxing  166
  Application Virtualization  167
  Cloud Application Assurance and Validation  167
  Threat Modeling  167
  Quality of Service  169
  Software Security Testing  170
  Approved APIs  172
  Software Supply Chain (API) Management  172
  Securing Open-Source Software  172
  Application Orchestration  173
  The Secure Network Environment  174
  Summary  175
  Exam Essentials  175
  Written Labs  176
  Review Questions  177

Chapter 8  Operations Elements  181
  Physical/Logical Operations  183
  Facilities and Redundancy  184
  Virtualization Operations  194
  Storage Operations  196
  Physical and Logical Isolation  199
  Application Testing Methods  200
  Security Operations Center  201
  Continuous Monitoring  201
  Incident Management  202
  Summary  203
  Exam Essentials  204
  Written Labs  204
  Review Questions  205

Chapter 9  Operations Management  209
  Monitoring, Capacity, and Maintenance  211
  Monitoring  211
  Maintenance  213
  Change and Configuration Management (CM)  217
  Baselines  218
  Deviations and Exceptions  218
  Roles and Process  219
  Release Management  221
  IT Service Management and Continual Service Improvement  222
  Business Continuity and Disaster Recovery (BC/DR)  223
  Primary Focus  224
  Continuity of Operations  225
  The BC/DR Plan  225
  The BC/DR Kit  227
  Relocation  228
  Power  229
  Testing  230
  Summary  231
  Exam Essentials  231
  Written Labs  232
  Review Questions  233

Chapter 10  Legal and Compliance Part 1  237
  Legal Requirements and Unique Risks in the Cloud Environment  239
  Legal Concepts  239
  US Laws  242
  International Laws  246
  Laws, Frameworks, and Standards Around the World  246
  Information Security Management Systems (ISMSs)  252
  The Difference between Laws, Regulations, and Standards  254
  Potential Personal and Data Privacy Issues in the Cloud Environment  254
  eDiscovery  255
  Forensic Requirements  256
  Conflicting International Legislation  256
  Cloud Forensic Challenges  257
  Direct and Indirect Identifiers  258
  Forensic Data Collection Methodologies  258
  Audit Processes, Methodologies, and Cloud Adaptations  259
  Virtualization  259
  Scope  259
  Gap Analysis  260
  Restrictions of Audit Scope Statements  260
  Policies  261
  Different Types of Audit Reports  261
  Auditor Independence  262
  AICPA Reports and Standards  262
  Summary  263
  Exam Essentials  264
  Written Labs  264
  Review Questions  265

Chapter 11  Legal and Compliance Part 2  269
  The Impact of Diverse Geographical Locations and Legal Jurisdictions  271
  Policies  272
  Implications of the Cloud for Enterprise Risk Management  276
  Choices Involved in Managing Risk  276
  Risk Management Frameworks  279
  Risk Management Metrics  281
  Contracts and Service-Level Agreements (SLAs)  281
  Business Requirements  284
  Cloud Contract Design and Management for Outsourcing  284
  Identifying Appropriate Supply Chain and Vendor Management Processes  285
  Common Criteria Assurance Framework (ISO/IEC 15408-1:2009)  285
  CSA Security, Trust, and Assurance Registry (STAR)  286
  Supply Chain Risk  287
  Manage Communication with Relevant Parties  288
  Summary  289
  Exam Essentials  289
  Written Labs  289
  Review Questions  290

Appendix A  Answers to Written Labs  295
  Chapter 1: Architectural Concepts  296
  Chapter 2: Design Requirements  296
  Chapter 3: Data Classification  297
  Chapter 4: Cloud Data Security  298
  Chapter 5: Security in the Cloud  299
  Chapter 6: Responsibilities in the Cloud  299
  Chapter 7: Cloud Application Security  300
  Chapter 8: Operations Elements  300
  Chapter 9: Operations Management  301
  Chapter 10: Legal and Compliance Part 1  302
  Chapter 11: Legal and Compliance Part 2  302

Appendix B  Answers to Review Questions  303
  Chapter 1: Architectural Concepts  304
  Chapter 2: Design Requirements  305
  Chapter 3: Data Classification  307
  Chapter 4: Cloud Data Security  308
  Chapter 5: Security in the Cloud  310
  Chapter 6: Responsibilities in the Cloud  311
  Chapter 7: Cloud Application Security  313
  Chapter 8: Operations Elements  314
  Chapter 9: Operations Management  316
  Chapter 10: Legal and Compliance Part 1  317
  Chapter 11: Legal and Compliance Part 2  319

Index  321