Certified Cloud Security Professional (CCSP) (CS8527)

Module 1: Architectural Concepts and Design Requirements

• Cloud Computing Definitions
• Cloud Computing Roles
• Key Cloud Computing Characteristics
• Cloud Transition Scenario
• Building Blocks
• Cloud Computing Functions
• Cloud Service Categories
• Cloud Deployment Models
• Cloud Cross-Cutting Aspects
• Network Security and Perimeter
• Cryptography
• IAM and Access Control
• Data and Media Sanitization
• Virtualization Security
• Common Threats
• Security Considerations for Different Cloud Categories
• Open Web Application Security Project Top Ten Security Threats
• Cloud Secure Data Lifecycle
• Information and Data Governance Types
• Business Continuity and Disaster Recovery Planning
• Cost-Benefit Analysis
• Certification Against Criteria
• System and Subsystem Product Certification

Module 2: Cloud Data Security

• The Cloud Data Lifecycle Phases
• Location and Access of Data
• Functions, Actors, and Controls of the Data
• Cloud Services, Products, and Solutions
• Data Storage
• Relevant Data Security Technologies
• Application of Security Strategy Technologies
• Emerging Technologies
• Data Discovery
• Data Classification
• Data Privacy Acts
• Typical Meanings for Common Privacy Terms
• Privacy Roles for Customers and Service Providers
• Responsibility Depending on the Type of Cloud Services
• Implementation of Data Discovery
• Classification of Discovered Sensitive Data
• Mapping and Definition of Controls
• Privacy Level Agreement
• PLA Versus Essential P&DP Requirements Activity
• Application of Defined Controls for PII
• Data Rights Management Objectives
• Data-Protection Policies
• Events
• Supporting Continuous Operations
• Chain of Custody and Nonrepudiation

Module 3: Cloud Platform and Infrastructure Security

• Network and Communications in the Cloud
• The Compute Parameters of a Cloud Server
• Storage Issues in the Cloud
• Management of Cloud Computing Risks
• Countermeasure Strategies Across the Cloud
• Physical and Environmental Protections
• System and Communication Protections
• Virtualization Systems Controls
• Managing Identification, Authentication, and Authorization in the Cloud Infrastructure
• Risk Audit Mechanisms
• Understanding the Cloud Environment Related to BCDR
• Understanding the Business Requirements Related to BCDR
• BCDR Strategies
• Creating the BCDR Plan

Module 4: Cloud Application Security

• Determining Data Sensitivity and Importance
• Understanding the API Formats
• Common Pitfalls of Cloud Security Application Deployment
• Awareness of Encryption Dependencies
• Understanding the Software Development Lifecycle Process for a Cloud Environment
• Assessing Common Vulnerabilities
• Cloud-Specific Risks
• Threat Modeling
• Identity and Access Management
• Federated Identity Management
• Multifactor Authentication
• Supplemental Security Devices
• Cryptography
• Tokenization
• Data Masking
• Sandboxing
• Application Virtualization
• Cloud-Based Functional Data
• Cloud-Secure Development Lifecycle
• Application Security Testing

Module 5: Operations

• Modern Data Centers and Cloud Service Offerings
• Factors That Affect Data Center Design
• Enterprise Operations
• Secure Configuration of Hardware: Specific Requirements
• Installation and Configuration of Virtualization Management Tools for the Host
• Securing the Network Configuration
• Identifying and Understanding Server Threats
• Using Standalone Hosts
• Using Clustered Hosts 
• Accounting for Dynamic Operation
• Using Storage Clusters
• Using Maintenance Mode
• Providing HA on the Cloud
• The Physical Infrastructure for Cloud Environments
• Configuring Access Control for Remote Access
• Performing Patch Management
• Performance Monitoring
• Backing Up and Restoring the Host Configuration
• Implementing Network Security Controls: Defense in Depth
• Developing a Management Plan
• Building a Logical Infrastructure for Cloud Environments
• Running a Logical Infrastructure for Cloud Environments
• Managing the Logical Infrastructure for Cloud Environments
• Implementation of Network Security Controls
• Using an ITSM Solution
• Considerations for Shadow IT
• Operations Management
• Managing Risk in Logical and Physical Infrastructures
• The Risk-Management Process Overview
• Understanding the Collection and Preservation of Digital Evidence
• Managing Communications with Relevant Parties
• Wrap-Up: Data Breach Example

Module 6: Legal and Compilance

• International Legislation Conflicts
• Legislative Concepts
• Frameworks and Guidelines Relevant to Cloud Computing
• Common Legal Requirements
• Legal Controls and Cloud Service Providers
• e-Discovery 
• Cloud Forensics and ISO/IEC 27050-1
• Protecting Personal Information in the Cloud
• Auditing in the Cloud
• Standard Privacy Requirements (ISO/IEC 27018)
• GAPP
• Internal ISMS
• Implementing Policies
• Identifying and Involving the Relevant Stakeholders
• Impact of Distributed IT Models
• Understanding the Implications of the Cloud to Enterprise Risk Management
• Risk Mitigation
• Understanding Outsourcing and Contract Design
• Business Requirements
• Vendor Management
• Cloud Computing Certification
• Contract Management
• Supply Chain Management
• Supply Chain Risk

APPENDIX A: Answers to Review Questions

• Module 1: Architectural Concepts and Design Requirements
• Module 2: Cloud Data Security
• Module 3: Cloud Platform and Infrastructure Security
• Module 4: Cloud Application Security
• Module 5: Operations
• Module 6: Legal and Compilance Issues

APPENDIX B: GLOSSARY

APPENDIX C: HELPFUL RESOURCES AND LINKS