Certified Cloud Security Professional (CCSP) (CS8527)

Module 1: Cloud Concepts, Architecture, and Design

• Understand Cloud Computing Concepts
• Cloud Computing Definitions
• Cloud Computing Roles and Responsibilities
• Key Cloud Computing Characteristics
• Building Block Technologies
• Describe Cloud Reference Architecture
• Cloud Computing Activities
• Cloud Service Capabilities
• Cloud Service Categories
• Cloud Deployment Models
• Cloud Shared Considerations
• Impact of Related Technologies
• Understand Security Concepts Relevant to Cloud Computing
• Cryptography and Key Management
• Identity and Access Control
• Data and Media Sanitization
• Network Security
• Virtualization Security
• Common Threats
• Security Hygiene
• Understand Design Principles of Secure Cloud Computing
• Cloud Secure Data Lifecycle
• Cloud-Based
• Business Continuity and Disaster Recovery Plan
• Business Impact Analysis
• Functional Security Requirements
• Security Considerations for Different Cloud Categories
• Cloud Design Patterns
• DevOps Security
• Evaluate Cloud Service Providers
• Verification against Criteria
• System/Subsystem Product Certifications

Module 2: Cloud Data Security

• Describe Cloud Data Concepts
• Cloud Data Lifecycle Phases
• Data Dispersion
• Data Flows
• Design and Implement Cloud Data Storage Architectures
• Storage Types
• Threats to Storage Types
• Design and Apply Data Security Technologies and Strategies
• Encryption and Key Management
• Hashing
• Data Obfuscation
• Tokenization
• Data Loss Prevention
• Keys, Secrets, and Certificates Management
• Implement Data Discovery
• Structured Data
• Unstructured Data
• Semi-structured
• Data
• Data Location
• Implement Data Classification
• Data Classification Policies
• Mapping
• Labeling
• Design and Implement Information Rights Management
• Objectives
• Appropriate Tools
• Plan and Implement Data Retention, Deletion, and Archiving Policies
• Data Retention Policies
• Data Deletion Procedures and Mechanisms
• Data Archiving Procedures and Mechanisms
• Legal Hold
• Design and Implement Auditability, Traceability, and Accountability of Data Events
• Definition of Event Sources and Requirement of Event Attribution
• Logging, Storage, and Analysis of Data Events
• Chain of Custody and Nonrepudiation

Module 3: Cloud Platform and Infrastructure Security

• Comprehend Cloud Infrastructure and Platform Components
• Physical Environment
• Network and Communications
• Compute
• Virtualization
• Storage
• Management Plane
• Design a Secure Data Center
• Logical Design
• Physical Design
• Environmental Design
• Analyze Risks Associated with Cloud Infrastructure and Platforms
• Risk Assessment
• Cloud Vulnerabilities, Threats, and Attacks
• Risk Mitigation Strategies
• Plan and Implementation of Security Controls
• Physical and Environmental Protection
• System, Storage, and Communication Protection
• Identification, Authentication, and Authorization in Cloud Environments
• Audit Mechanisms
• Plan Disaster Recovery and Business Continuity
• Business Continuity/Disaster Recovery Strategy
• Business Requirements
• Creation, Implementation, and Testing of Plan

Module 4: Cloud Application Security

• Advocate Training and Awareness for Application Security
• Cloud Development Basics
• Common Pitfalls
• Common Cloud Vulnerabilities
• Describe the Secure Software Development Life Cycle Process
• NIST Secure Software Development Framework
• OWASP Software Assurance Maturity Model
• Business Requirements
• Phases and Methodologies
• Apply the Secure Software Development Life Cycle
• Cloud-Specific Risks
• Threat Modeling
• Avoid Common Vulnerabilities during Development
• Secure Coding
• Software Configuration Management and Versioning
• Apply Cloud Software Assurance and Validation
• Functional and Non-functional Testing
• Security Testing Methodologies
• Quality Assurance
• Abuse Case Testing
• Use Verified Secure Software
• Securing Application Programming Interfaces
• Supply-Chain Management
• Third-Party Software Management
• Validated Open-Source Software
• Comprehend the Specifics of Cloud Application Architecture
• Supplemental Security Components
• Cryptography
• Sandboxing
• Application Virtualization and Orchestration
• Design Appropriate Identity and Access Management Solutions
• Federated Identity
• Identity Providers
• Single Sign-on
• Multifactor Authentication
• Cloud Access Security Broker

Module 5: Cloud Security Operations

• Build and Implement Physical and Logical Infrastructure for Cloud Environment
• Hardware-Specific Security Configuration Requirements
• Installation and Configuration of Virtualization Management Tools
• Virtual Hardware–Specific Security Configuration Requirements
• Installation of Guest Operating System Virtualization Toolsets
• Operate Physical and Logical Infrastructure for Cloud Environment
• Configure Access Control for Local and Remote Access
• Secure Network Configuration
• Operating System Hardening through the Application of Baselines
• Availability of Stand-Alone Hosts
• Availability of Clustered Hosts
• Availability of Guest Operating Systems
• Manage Physical and Logical Infrastructure for Cloud Environment
• Access Controls for Remote Access
• Operating System Baseline Compliance Monitoring and Remediation
• Patch Management
• Performance and Capacity Monitoring
• Hardware Monitoring
• Configuration of Host and Guest Operating System Backup and Restore Functions
• Network Security Controls
• Management Plane
• Implement Operational Controls and Standards
• Change Management
• Continuity Management
• Information Security Management
• Continual Service Improvement Management
• Incident Management
• Problem Management
• Release Management
• Deployment Management
• Configuration Management
• Service Level Management
• Availability Management
• Capacity Management
• Support Digital Forensics
• Forensic Data Collection Methodologies
• Evidence Management
• Collect, Acquire, and Preserve Digital Evidence
• Manage Communication with Relevant Parties
• Vendors
• Customers
• Partners
• Regulators
• Other Stakeholders
• Manage Security Operations
• Security Operations Center
• Monitoring of Security Controls
• Log Capture and Analysis
• Incident Management

Module 6: Legal, Risk, and Compliance

• Articulating Legal Requirements and Unique Risks within the Cloud Environment
• Conflicting International Legislation
• Evaluation of Legal Risks Specific to Cloud Computing
• Legal Frameworks and Guidelines
• eDiscovery
• Forensics Requirements
• Understand Privacy Issues
• Difference between Contractual and Regulated Private Data
• Country-Specific Legislation Related to Private Data
• Jurisdictional Differences in Data Privacy
• Standard Privacy Requirements
• Privacy Impact Assessments
• Understanding Audit Process, Methodologies, and Required Adaptations for a Cloud Environment
• Internal and External Audit Controls
• Impact of Audit Requirements
• Identify Assurance Challenges of Virtualization and Cloud
• Types of Audit Reports
• Restrictions of Audit Scope Statements
• Gap Analysis
• Audit Planning
• Internal Information Security Management System
• Internal Information Security Controls System
• Policies
• Identification and Involvement of Relevant Stakeholders
• Specialized Compliance Requirements for Highly Regulated Industries
• Impact of Distributed Information Technology Model
• Understand Implications of Cloud to Enterprise Risk Management
• Assess Providers Risk Management Programs
• Differences between Data Owner/Controller vs. Data Custodian/Processor
• Regulatory Transparency Requirements
• Risk Treatment
• Risk Frameworks
• Metrics for Risk Management
• Assessment of Risk Environment
• Understand Outsourcing and Cloud Contract Design
• Business Requirements
• Vendor Management
• Contract Management
• Supply Chain Management