Preparation Guide for ISC2 Certified Cloud Security Professional (CCSP) Certification
I just get my Certified Cloud Security Professional (CCSP) Certification and it is time now to share my preparation notes for those who are interested to pass this exam and get certified too. This article is just one another preparation guide to CCSP but I hope it will be useful 🙂
Before starting studying, you must know very well what this certification is about and what are the prerequisite
The topics included in the CCSP Common Body of Knowledge (CBK) ensure its relevancy across all disciplines
in the field of cloud security. Successful candidates are competent in the following 6 domains:
– Architectural Concepts & Design Requirements (19%)
– Cloud Data Security (20%)
– Cloud Platform & Infrastructure Security (19%)
– Cloud Application Security (15%)
– Operations (15%)
– Legal & Compliance (12%)
It is a 4 hours exam in front of a computer (and under video camera :))
There are 125 questions
The passing score is 700/1000
Depending on where you live, there are not so much people that have this certification. (ISC)2 issues counts of certificate holders every 6 months.
Mandatory to read before preparing and passing CCSP Exam : CCSP Exam Outline
Source : https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/CCSP-Exam-Outline.ashx
You will need between 40 to 60 hours to prepare correctly this exam (depending on your experience, knowledge…). Don’t underestimate the time necessary to study books, read white papers, search information and practice blank tests.
So if you spend 2 hours a day preparing, you can pass exam in one month.
I also strongly encourage to schedule your exam day before starting to study (because it will be easier to make a reverse planning)
There are 2 Official books that I think are mandatory to read :
- CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide : https://amzn.to/2uqQrQ5
- CCSP Official (ISC) 2 Practice Tests : https://amzn.to/2Jg7t8E
The second book must be used only after reading the first one (that contains also some practice questions but more easier than the practice tests book)
Next you will find all my preparation notes, there are a lot of URL with a lot of additional content to read because everything is not in the official books ! I put also a package of documents in my Onedrive (https://1drv.ms/f/s!ApyDK_-MHwLvisVDZH1fx4OSWNItFw) if you want to download quicker a “package of good papers to read”
======—– Domain 1 – Architectural Concepts & Design Requirements (19%)——-======
Cloud Computing Definitions (ISO/IEC 17788)
ISO/IEC 17788 Overview and vocabulary on Cloud computing
NIST 800-145 Cloud computing definition : https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
NIST 500-292 : Cloud Computing Reference Architecture
Reduction in Capital Expenditure (Capex)
Cloud = metered service model
Cloud = Elasticity, Simplicity, Scalability
Cloud Service models : IaaS, Paas, SaaS
Cloud deployment models : Public, Private, Community, Hybrid
CSP : Cloud Service Provider
Ex: Azure, AWS
CSB : Cloud Service Broker
CASB : Cloud Access Service Broker. 3d party offering IAM (Identity & Access Management) to CSP and Cloud customer
Offers services like : SSO, certificate management, cryptographic key escrow (=key recovery) cf. https://www.schneier.com/academic/archives/1997/04/the_risks_of_key_rec.html
Regulators : entities that ensure organization are in compliance with the regulatory framework for which they are responsible
ex: HIPAA, GLBA, PCI-DSS, ISO, SOX
Example of regulators : FTC (Federal Trade Commission), SEC (Security and Exchange Commission)
NaaS : Network as a Service https://en.wikipedia.org/wiki/Network_as_a_service
CompaaS : Compliance as a Service
DSaaS : Data Science as a service
Cloud portability : ability to move applications & associated data between 2 clouds or between cloud and on-premises
Pat-down : A pat-down is not standard procedure
FIPS 140-2 : NIST document that lists accredited and outmoded cryptosystems
— FIPS 140-2 Levels
FIPS-140-2 : The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB 140-2) is a U.S. government computer security standard used to approve cryptographic modules.
The title is Security Requirements for Cryptographic Modules.
FIPS 140-2 defines four levels of security, simply named “Level 1” to “Level 4”
– Security Level 1 provides the lowest level of security : No specific physical security mechanisms are required in a Security Level 1 cryptographic module beyond the basic requirement for production-grade components
– Security Level 2 improves upon the physical security mechanisms of a Security Level 1 cryptographic module by requiring features that show evidence of tampering
– Security Level 3 attempts to prevent the intruder from gaining access to CSPs (Critical Security Parameter) held within the cryptographic module.
– Security Level 4 provides the highest level of security. At this security level, the physical security mechanisms provide a complete envelope of protection around the cryptographic module with the intent of detecting and responding to all unauthorized attempts at physical access. Penetration of the cryptographic module enclosure from any direction has a very high probability of being detected, resulting in the immediate deletion of all plaintext CSPs
Source : https://en.wikipedia.org/wiki/FIPS_140-2
Due care versus Due diligence :
– Due diligence is the act of gathering the necessary information so the best decision-making activities can take place.
due diligence requires that an organization continually scrutinize their own practices to ensure that they are always meeting or exceeding the requirements for protection of assets and stakeholders
This is something a company does prior to buying a service i.e. check the service provider is compliant in the areas they claim to be i.e. Are ISO27001 Certified – not compliant.
Due Diligence is the assessment of the risks (identification, likelihood, consequences if realized)
– Due care pertains to acting responsibly and “doing the right thing.”
It is a legal term that defines the standards of performance that can be expected
due care intends to set a minimum necessary standard of care to be employed by an organization
The lack of due care is often considered negligence, and in most countries is actionable under law. If an organization is legally mandated to comply with regulations or information security requirements knowingly or unknowingly neglecting those requirements could lead to legal exposure from a due care perspective.
This is something I would do for my company ensuring we follow the rules/regulations and best practices.
Due Care is doing what a reasonable person would do about those risks
TOGAF (The Open Group Architecture Framework)
TOGAF is a framework for enterprise architecture that provides an approach for designing, planning, implementing, and governing an enterprise information technology architecture.
TOGAF is a high level approach to design
It is typically modeled at four levels: Business, Application, Data, and Technology. It relies heavily on modularization, standardization, and already existing, proven technologies and products.
Virtualization sprawl (VM sprawl) :
Virtualization sprawl is a phenomenon that occurs when the number of virtual machines (VMs) on a network reaches a point where the administrator can no longer manage them effectively
To prevent virtualization sprawl, the administrator should define and enforce a process for the deployment of VMs and create a library of standardized VM image files
Erasure coding :
RAID with parity (like RAID 5) and erasure coding improve data availability and safety. They enrich the original with redundancy data and spread it across disks. A subset of this data is enough to regenerate the original data. RAID is used for redundant storage of entire disks within a server. Erasure coding is usually used in distributed storage systems. So you can think of erasure coding as generalized and distributed RAID
Erasure coding is a method of data protection in which data is broken into fragments that are expanded and encoded with a configurable number of redundant pieces of data and stored across different locations, such as disks, storage nodes or geographical locations.
Erasure coding allows for the failure of two or more elements of a storage array and so offers more protection than Raid as commonly deployed.
Erasure coding is also found in the context of object storage, with very large-volume cloud operators
Erasure coding is a good option for latency tolerant, large capacity stores
AONT-RS: Blending Security and Performance in Dispersed Storage Systems
In cryptography, an all-or-nothing transform (AONT), also known as an all-or-nothing protocol, is an encryption mode which allows the data to be understood only if all of it is known
======—– Domain 2 – Cloud Data Security (20%)——-======
Cloud Data Lifecycle (CSA Guidance) – 15 pages that is mandatory to read
Source : https://cloudsecurityalliance.org/wp-content/uploads/2011/09/Domain-5.docx
Data Controller, Data Owner, Cloud Customer : any entity collecting or creating data
Data Processor, Data Custodian, Cloud Provider : any entity acting on behalf or at the behest of the Data Controller
IaaS, for public or private cloud, generally includes the following storage options:
– Raw storage
– Volume storage : includes volumes attached to IaaS instances, typically as a virtual hard drive.
Volumes often use data dispersion to support resiliency and security.
– Object Storage (aka File Storage)
– CDN : Content Delivery Network
PaaS both provides and relies on a very wide range of storage options, including:
PaaS may provide :
– Database as a Service
– Hadoop/MapReduce/Big Data as a Service
– Application Storage
PaaS may consume :
– Object/File Storage
– Volume Storage
SaaS uses a very wide range of storage and consumption models.
SaaS storage is always accessed via a web-based user interface or client/server application
SaaS may provide :
– Information Storage and Management
– Content/File Storage
SaaS may consume :
– Object/File Storage
– Volume Storage
Data (Information) Dispersion : A technique that is commonly used to improve data security, but without the use of encryption mechanisms
Homomorphic encryption : able to process data while it’s encrypted
/!\ The Data Security Livecycle – 6 phases :
– destroy (ex: using crypto shredding)
DAM : Database Activity Monitoring
Database Activity Monitors capture and record, at a minimum, all Structured Query Language (SQL) activity in real time or near real time, including database administrator activity, across multiple database platforms; and can generate alerts on policy violations.
FAM : File Activity Monitoring
Products that monitor and record all activity within designated file repositories at the user level, and generate alerts on policy violations
Movement to the Cloud :
A combination of URL filtering (web content security gateways) and Data Loss Prevention (DLP) can detect data moving from the enterprise into the cloud.
Protecting Data Moving To (And Within) The Cloud, 3 options :
– Link/Network Encryption : SSL, VPN, SSH
– Client/Application Encryption
– Proxy-Based Encryption: Data is transmitted to a proxy appliance or server which encrypts before sending further on the network
Content discovery includes the tools and processes to identify sensitive information in storage.
Content discovery is normally a feature of Data Loss Prevention tools, and for databases is sometimes available in Database Activity Monitoring products.
Protecting Data in cloud
– Volume Storage Encryption
3 methods :
– Instance-managed encryption
– Externally managed encryption
– Proxy encryption
– Object Storage Encryption
– File/Folder encryption and Enterprise Digital Rights Management
– Client/Application encryption
– Proxy encryption
– PaaS Encryption
– Database encryption
– Client/Application encryption
– Proxy encryption
– SaaS encryption
– Provider-managed encryption: Data is encrypted in the SaaS application and generally managed by the provider.
– Proxy encryption
– Data Loss Prevention (DLP)
– Dedicated appliance/server
– Virtual appliance
– Endpoint agent
– Hypervisor agent
– Database and File Activity Monitoring
ISO/IEC 27040 is Information technology — Security techniques — Storage security. Was published 5th january 2015
ISO/IEC 27040 provides specific, detailed implementation guidance relevant to storage security for the general security controls described in ISO/IEC 27002.
Source : https://en.wikipedia.org/wiki/ISO/IEC_27040
SIEM : Security Information and Event Management
SEM : Security Event Management
SIM : System Information Management
The term security information event management (SIEM), coined by Mark Nicolett and Amrit Williams of Gartner in 2005 :
– the product capabilities of gathering, analyzing and presenting information from network and security devices
– identity and access-management applications
– vulnerability management and policy-compliance tools
– operating-system, database and application logs
– external threat data
Source : https://en.wikipedia.org/wiki/Security_information_and_event_management
Tokenization (data security) is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value.
The token is a reference (i.e. identifier) that maps back to the sensitive data through a tokenization system.
The tokenization system must be secured and validated using security best practices
Only the tokenization system can tokenize data to create tokens, or detokenize back to redeem sensitive data under strict security controls
Tokenization systems may be operated in-house within a secure isolated segment of the data center, or as a service from a secure service provider.
The choice of tokenization as an alternative to other techniques such as encryption will depend on varying regulatory requirements, interpretation, and acceptance by respective auditing or assessment entities
Example of use : The PCI Council defines tokenization as “a process by which the primary account number (PAN) is replaced with a surrogate value called a token
Source : https://en.wikipedia.org/wiki/Tokenization_(data_security)
Data Masking = Data obfuscation = Data anonymisation
Static Data Masking (SDM): permanently replaces sensitive data by altering data at rest.
SDM is primarily used to provide high quality (i.e., realistic) data for development and testing of applications without disclosing sensitive information.
Additional uses include protecting data for use in analytics and training as well as facilitating compliance with standards and regulations (such as GDPR, PCI, HIPAA) that require limits on the use of data that identifies individuals.
SDM also facilitates cloud adoption because DevOps workloads are among the first that organizations migrate to the cloud. Masking data on premises prior to uploading it to the cloud reduces risk for organizations concerned with cloud-based data disclosure.
Dynamic Data Masking (DDM) : aims to replace sensitive data in transit leaving the original at-rest data intact and unaltered
DDM is primarily used to apply role-based (object-level) security for databases/applications.
In practice, the complexities involved in preventing masked data from being written back to the database essentially mean DDM should only be applied in read-only contexts such as reporting or customer service inquiry functions.
Not well suited for use in a dynamic (read/write) environment such as an enterprise application because masked data could be written back to the database, corrupting the data.
Source : https://www.imperva.com/blog/2017/07/static-versus-dynamic-data-masking/
Technics for Datamasking :
– Substitution is one of the most effective methods of applying data masking and being able to preserve the authentic look and feel of the data records.
– Shuffling method is a very common form of data obfuscation. the data is randomly shuffled
– Numeric variance method is very useful for applying to financial and date driven information fields
– Encryption is often the most complex approach to solving the data masking problem
– Nulling out or deletion
– Masking out : Character scrambling or masking out of certain fields is also another simplistic yet very effective method. This system is not very effective for test systems but is very useful for the billing scenario detailed above. It is also commonly known as a dynamic data masking method
Data masking invariably becomes the part of these processes in SDLC as the development environments’ SLAs are usually not as stringent as the production environments’ SLAs regardless of whether application is hosted in the cloud or on-premises.
Source : https://en.wikipedia.org/wiki/Data_masking
Direct Identifiers / indirect Identifiers
Information that is sufficient on its own to identify an individual includes a person’s full name, social security number, email address containing the personal name, and biometric identifiers such as fingerprints, facial image, voice patterns, hand geometry, iris scan, or manual signature.
This type of data are often called direct identifiers.
Other information that may be used to fairly easily identify an individual include a person’s postal address, phone number, vehicle registration number, bibliographic citation to publications, email address not in the form of the personal name, web address to a web page containing personal data, unusual job title, rare disease, position held by only one person at a time (e.g. chairperson in an voluntary organization).
The Finnish Social Science Data Archive calls this type of data strong indirect identifiers.
The data archive also counts as strong indirect identifiers the types of codes that can be used to unequivocally identify an individual from among a group of individuals. These include, for instance, student ID number, insurance or bank account number, or IP address of a computer etc.
Source : http://www.fsd.uta.fi/aineistonhallinta/en/anonymisation-and-identifiers.html
Cryptographic Bit splitting (aka cryptographic data splitting)
The technique involves encrypting data, splitting the encrypted data into smaller data units, distributing those smaller units to different storage locations, and then further encrypting the data at its new location
One application of cryptographic splitting is to provide security for cloud computing. The encrypted data subsets can be stored on different clouds, with the information required to restore the data being held on a private cloud for additional security
Source : https://en.wikipedia.org/wiki/Cryptographic_splitting
Homomorphic encryption : you can perform useful operations on encrypted values without decrypting them first
Source : https://blog.cryptographyengineering.com/2012/01/02/very-casual-introduction-to-fully/
Key Management :
– Level of protection : encryption key must be secure at the same level of control or higher as the data they protect
– Key recovery
– Key Distribution : keys should never be passed in clear
– Key revocation
– Key escrow
– Outsourcing Key Management : example using a CASB (Cloud Access Security Broker)
Source : https://en.wikipedia.org/wiki/Key_management
Data Discovery techniques
Data discovery is not a tool. It is a business user oriented process for detecting patterns and outliers by visually navigating data or applying guided advanced analytics.
Automated data discovery methods like data loss prevention (DLP) tools can help, as can open source tools designed to find certain kinds of regulated data (for example, the open source ccsrch tool that finds and flags credit card information)
Application inventories are a required part of HIPAA and PCI DSS compliance activities and can be directly leveraged to find areas of regulated information at a service provider.
Source : https://bi-survey.com/data-discovery
– Data States : Data exists in one of three states : at rest, in process, or in transit
– Data Format : Data can be either structured or unstructured
– Data Discovery : Data discovery is a process for identifying and providing visibility into the location, volume, and context of structured and unstructured data stored in a variety of data repositories.
– Data Sensitivity. Data is classified according to its sensitivity level—high, medium, or low
– Compliance Requirements
Data Classification Process :
– Execute data discovery
– Define data classification policies
– Execute data classification process
– Implement enforcement technologies to protect classified data
Source : https://www.imperva.com/data-security/data-security-101/data-classification/
PII : Personally Identifiable Information
The Organization for Economic Co-operation and Development (OECD) Privacy Guidelines are the most widely-accepted privacy principles. The OECD identified the following Fair Information Practices :
– Collection Limitation
– Data quality
– Purpose Specification
– Use Limitation
– Security Safeguard
– Individual participation
– Minimize Collection, Use and Retention of PII
– Conducting Privacy Impact Assessments
– De-Identifying Information : records that have had enough PII removed or obscured, also referred to as masked or obfuscated
– Anonymizing Information :
– Generalizing the Data : Making information less precise
– Suppressing the Data : Deleting an entire record or certain parts of records
– Introducing Noise into the Data : Adding small amounts of variation into selected data
– Swapping the Data : Exchanging certain data fields of one record with the same data fields of
another similar record
– Replacing Data with the Average Value : Replacing a selected value of data with the average value
for the entire group of data
Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
DRM : Digital Right Management
Digital Rights Management (DRM) : 2 kinds
– Customer DRM (ex: to protect usage of music, video, eBook)
– Enterprise DRM (ex: Microsoft Information Right Protection): DRM is used to protect the content of an organization internally and with business partners
– Rudimentary reference checks
– Online reference checks
– Local Agent checks
– Presence of licensed media (ex: a CD/DVD)
– Support-based licensing
– Replication restrictions
– Jurisdictional Conflicts (ex: Netflix movies access depends on countries)
– Agent/Enterprise Conflicts
– Mapping Identity & Access Management (IAM) & DRM
– API Conflicts
– Persistent Protection
– Dynamic Control Access
– Automatic Expiration
– Continuous auditing
– Replication restrictions
– Remote Rights revocation
Data Retention policy (take place in the Archive phase of data life cycle) includes :
– Retention Period
– Applicable Regulation
– Retention Formats
– Data Classification
– Archiving and retrieval procedures
– Monitoring, Maintenance and enforcement
Data Audit policy includes :
– Audit periods
– Audit scope
– Audit responsibilities (internal and/or external)
– Audit processes & procedures
– Applicable regulations
– Monitoring, Maintenance and enforcement
Having the logs is one thing, reviewing the logs you have is something else
Log review : challenges :
– Log review and analysis is not often a priority
– Log review is mundane and repetitive
– Log review requires someone both new to the field and experienced
– The reviewer needs to have an understanding of the operation
Data destruction / Disposal (in the Destroy Phase of Data life cycle)
– Physical destruction of media or hardware
– cryptoshredding (aka Cryptographic Erasure)
Cryptoshredding is the only pragmatic option for data disposal in the cloud
NIST Released Special Publication 800-88 Revision 1, Guidelines for Media Sanitization
======—– Domain 3 – Cloud Platform and Infrastructure Security (19%)——-======
BIA : Business Impact Analysis
Assessment of the priorities given to each asset and process withing the organization
A proper analysis should consider the effect (=impact) any harm or loss of each asset might mean to the organization overall
Assets can be tangible or intangible
Criticality : denotes those aspects of the organization without which the organization could not operate or exist
— RISK Management
Risk appetite : level or amount or type of risk that the organization finds acceptable
Risk to health or human safety –> must be addressed
4 ways to address risk :
Remaining leftover risk is called Residual Risk
NIST 800-37 : “Guide for Applying the Risk Management Framework to Federal Information Systems”
The purpose of SP 800-37 Rev 1 is to provide guidelines for applying the Risk Management Framework to federal information systems to include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring
Source : https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final
Risk Management Framework (cf. NIST 800-37)
– Step 1 : CATEGORIZE Information System
– Step 2 : SELECT security controls
– Step 3 : IMPLEMENT security controls
– Step 4 : ASSESS security controls
– Step 5 : AUTHORIZE Information System
– Step 6 : MONITOR security controls
Enterprise Risk Management (ERM) is the overall management of risk for an organization
Risk management in cloud is based on the shared responsibilities model
The cloud user is ultimately responsible for ownership of the risks; they only pass on some of the risk management to the cloud provider.
One of the core tenants of risk management is that you can manage, transfer, accept,
or avoid risks
SABSA is a proven framework and methodology used successfully around the globe to meet a wide variety of Enterprise needs including Risk Management, Information Assurance, Governance, and Continuity Management
Although copyright protected, SABSA is an open-use methodology, not a commercial product.
Managed by an Institute in UK
Under the current and legal regulatory regime, the cloud customer is ALWAYS ultimately legally liable for any loss of data
Risk with cloud providers :
– Vendor Lock-in
– Vendor Lock-out
======—– Domain 4 – Cloud Application Security (15%) ——-======
OWASP Top 10
Cloud Security Alliance – Notorious Nine
Software Development Life-Cycle (SDLC) Process
– Design (Risk analysis including threat modeling using methodology like Microsoft STRIDE)
ISC2 Book – SDLC, core stages
SAST : Static Application Security Testing (White Box testing)
ex: Source Code Analysis (SCA)
God for devops or CI/CD environment
SAST is becoming the go-to option due to the growing needs of the new development era.
DAST : Dynamic Application Security Testing (Black Box testing)
ideally suited for Waterfall environments
not ideal for Continuous Integration scenarios
Fuzzing or fuzz testing : automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks.
Treat Modeling : Microsoft STRIDE
S : Spoofing
T : tampering
R : Repudiation
I : Information disclosure
D : Denial of Service
E : Elevation of privilege
The Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim’s spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim’s computer will be flooded with traffic.
source : https://en.wikipedia.org/wiki/Smurf_attack
A variation to the Smurf attack is the Fraggle attack. The attack is essentially the same as the Smurf attack but instead of sending an ICMP echo request to the direct broadcast address, it sends UDP packets.
“Snarfing” is the action of grabbing data and using it without the owner’s consent
OWASP Top 10 2017
Cross-Site Request Forgery (CSRF) Attack
3 types of XSS Attacks :
– Reflected XSS
– Stored XSS
– DOM XSS
WAF : Web Application firewall
DAM : Database Activity Monitoring
RASP (Runtime Application Self-Protection)
ISO/IEC 27034-5:2017 : Information technology — Security techniques — Application security
ISO/IEC 27034-5 outlines and explains the minimal set of essential attributes of ASCs and details the activities and roles of the Application Security Life Cycle Reference Model (ASLCRM).
======—— Domain 5 – Operations (15%) ———==========
ASHRAE (American Society of Heating, Refrigerating and Air-Conditioning Engineers)
is a global professional association seeking to advance heating, ventilation, air conditioning and refrigeration systems design and construction
HVAC : Heating, Ventilation, Air Conditioning
FM200 Fire Suppression (aka HFC227ea)
is a water-less fire protection system, it is discharged into the risk within 10 seconds and suppresses the fire immediately.
FM200 gas is extremely safe for occupied spaces with the correct fire suppression design.
FM200 is classed as a clean agent which means that it is safe to use within occupied spaces
FM200 fire suppressant does not deplete stratospheric ozone, and has minimal impact on the environment relative to the impact a catastrophic fire would have
leaves no residue on valuable equipment after discharge
It is considered good practice to avoid all unnecessary exposure to Halon 1301
Is an effective gaseous fire suppression fixed systems agent
Is an ozone depleter
Spot-type Smoke detector
– ionization-based : using a small amount of radioactive material
– photoelectric : using a light source and a photosensitive sensor
Air aspiring / Air Sampling Smoke Detector (ASSD)
Codes require detectors under the floor or above the ceiling where HVAC piping, electrical feeders, or IT cables are placed within these plenum spaces
sources : https://www.facilitiesnet.com/datacenters/article/Evaluating-Fire-Detection-Options-For-Data-Centers-Facilities-Management-Data-Centers-Feature–14594
Plenum : in building construction, a plenum (pronounced PLEH-nuhm, from Latin meaning full) is a separate space provided for air circulation for heating, ventilation, and air-conditioning (sometimes referred to as HVAC) and typically provided in the space between the structural ceiling and a drop-down ceiling
Temperature and humidity levels in accordance with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) guidelines
Temperature range is typically between 18 degrees Celsius to 27 degrees
(64.4 degrees to 80.6 degrees Fahrenheit); (ASHRAE 67 -> 82)
Humidity is measured by Relative Humidity Percentage Non-Condensing
with the current range between 40% and 55% (60% in ISC2 book) (ASHRAE 65%)
Source : https://www.ashrae.org/File%20Library/Technical%20Resources/Technical%20FAQs/TC-02.01-FAQ-92.pdf
Raised floors :
The height of the legs/pedestals is dictated by the volume of cables and other services provided beneath, but typically arranged for a clearance of at least six inches or 15 cm with typical heights between 24 inches to 48 inches
Deterrent : a thing that discourages or is intended to discourage someone from doing something.
“cameras are a major deterrent to crime”
TPM : Trusted Platform Module
Secure KVM :
– Isolated Data Channels
– Housing Intrusion Detection
– Tamper-Proof Labels
– “No-Buffer” Design
– Restricted USB function
– Push-Button Control
DRS : Distributed Resource Scheduling
DO : Dynamic Optimization
ITIL, ISO/IEC 20000-1
ISMS : Information Security Management System
ex: ISO/IEC 27001 specifies a management system that is intended to bring information security under management control and gives specific requirements
CMDB : Configuration Management Database
COBIT stands for Control Objectives for Information and Related Technology.
It is a framework created by the ISACA (Information Systems Audit and Control Association) for IT governance and management. It was designed to be a supportive tool for managers—and allows bridging the crucial gap between technical issues, business risks, and control requirements
Compartmentalization (information security)
is the limiting of access to information to persons or other entities who need to know it in order to perform certain tasks.
Understand the Collection, Acquisition and Preservation of Digital Evidence Forensic
Uptime Institute’s Tier Classification System for data centers
Tier I : Basic capacity -> UPS, generator, dedicated cooling equipment
Tier II : Redundant capacity components -> includes redundant critical power and cooling components. The redundant components include power and cooling equipment such as UPS modules, chillers or pumps, and engine generators.
Chiller : machine that removes heat from a liquid via a vapor-compression or absorption refrigeration cycle. This liquid can then be circulated through a heat exchanger to cool equipment, or another process stream
Tier III : Concurrently Maintainable -> requires no shutdowns for equipment replacement and maintenance. A redundant delivery path for power and cooling is added to the redundant critical components of Tier II
Tier IV: Fault Tolerance -> adding the concept of Fault Tolerance to the site infrastructure topology
The Tier Classification System does not prescribe specific technology or design criteria beyond those stated above
Tier Certification is a performance based evaluation of a data center’s specific infrastructure, and not a checklist or cookbook
CM (Configuration Management)
BCDR (Business Continuity / Disaster Recovery)
Event : any unscheduled adverse impact to the operating environment
An event is distinguished from a disaster by the duration of impact
we consider an event’s impact to last 3 days or less. A disaster’s impact lasts longer
The paramount importance in BC/DR planning and efforts should be health and human safety, as in all security matters
MAD : Maximum Allowable Downtime
RTO : Recovery Time Objective
RPO : Recovery Point Objective
For all datacenters, a minimum of at least 12 hours of fuel for all generators
For BCDR purposes, the plan should anticipate at least 72 hours of generator operation before other alternative are available
BCDR testing methodology
– Tabletop testing : essential participants, a sort of role-playing game
No impact on production
– Dry Run : whole organization take part in a scenario at a scheduled time but without performing the tasks in real
More impact on productivity than Tabletop
– Full Test : Entire organization takes part in an unscheduled, unannounced practice scenario
======—– Domain 6 – Legal & Compliance (12%) ——-======
ISO/IEC 27050-1:2016 : Information technology — Security techniques — Electronic discovery
HIPAA : Health Information Portability and Accountability Accountability
GLBA : Graham-Leach-Bliley Accountability
PCI-DSS : Payment Card Industry Data Security Standard
PCI PA-DSS : PCI Payment Application DSS
SOX : Sarbanes Oxley Act
PII : Personally Identifiable Information
PLA : Privacy Level Agreement
ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud
the data controller (typically the entity that has the primary relationship with an
individual) is prohibited from collecting and processing personal data unless certain criteria are met.
These laws define numerous obligations, such as confidentiality and security obligations, for theentities that access personal data.
Many countries prohibit or restrict the transfer of information out of their borders. In most cases, the transfer is permitted only if the country to which the data is transferred offers an “adequate level of protection” (as defined in the relevant national law) of personal information and privacy rights of affected individuals.
PII : Personally Identifiable Information
Data Subject : individual who the PII refers to
Data Controller, Cloud Customer, Data Owner : any entity collecting or creating PII
Data Processor, Cloud Provider, Data Custodian: any entity acting on behalf or at the behest of the Data Controller
Data Controller is ultimately responsible for any unauthorized disclosure of PII
EU Network Information Security Directive (NIS Directive) :
The NIS Directive entered into force in August 2016, requiring each EU/EEA member state to implement the Directive into its national legislation by May 2018.
Difference between a Regulation, Directive and Decision in Europe:
– Regulations have binding legal force throughout every Member State and enter into force on a set date in all the Member States
– Directives lay down certain results that must be achieved but each Member State is free to decide how to transpose directives into national laws
– Decisions are EU laws relating to specific cases and directed to individual or several Member States, companies or private individuals. They are binding upon those to whom they are directed.
— GDPR (General Data Protection Regulation)
The European Union (EU) adopted the General Data Protection Regulation (GDPR) in 2016, which is binding on all EU member states, as well as members of the European Economic Area (EEA).
The GDPR will become enforceable as of May 25, 2018. On that date, Directive 95/46/EC on the Protection of Personal Data, which had been the legal basis of the provisions of the national data protection laws of all EU and EEA member states, will be repealed.
From a security standpoint, the Network Information Security Directive (NIS Directive) is paving the way to more stringent security requirements. Adopted in 2016, the NIS Directive requires EU/EEA member states to implement new information security laws for the protection of critical infrastructure and essential services by May 2018
General Data Protection Regulation (GDPR)
The new GDPR is directly binding on any corporation that processes the data of EU citizens
Breaches of Security: The GDPR requires companies to report that they have suffered a breach of security. The reporting requirements are risk-based, and there are different requirements for reporting the breach to the Supervisory Authority and to the affected data subjects. Breaches must be reported within 72 hours of the company becoming aware of the incident.
Sanctions: Violations of the GDPR expose a company to significant sanctions. These sanctions may reach up to the greater of 4% of their global turnover or gross income, or up to EUR 20 million.
To be able to demonstrate compliance with the GDPR, the data controller should implement measures, which meet the principles of data protection by design and data protection by default. Privacy by design and by default (Article 25) require data protection measures to be designed into the development of business processes for products and services. Such measures include pseudonymising personal data, by the controller, as soon as possible (Recital 78).
Each member state will establish an independent supervisory authority (SA) to hear and investigate complaints, sanction administrative offenses, etc
GDPR : severe penalties of up to 4% of worldwide turnover or €20 million
Pseudonymisation : The GDPR refers to pseudonymisation as a process that is required when data are stored (as an alternative to the other option of complete data anonymization) to transform personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information
A right to be forgotten was replaced by a more limited right of erasure in the version of the GDPR that was adopted by the European Parliament in March 2014.
More info on GDPR : https://www.imperva.com/data-security/regulation-glossary/gdpr/
EFTA (European Free Trade Association) is a regional trade organization and free trade area consisting of four European states: Iceland, Liechtenstein, Norway, and Switzerland
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
The EU–US Privacy Shield is a replacement for the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015
— PIPEDA (Personal Information Protection and Electronic Documents Act)
Is a Canadian law relating to data privacy.
It governs how private sector organizations collect, use and disclose personal information in the course of commercial business.
In addition, the Act contains various provisions to facilitate the use of electronic documents.
The act was also intended to reassure the European Union that the Canadian privacy law was adequate to protect the personal information of European citizens
— FERPA (Family Educational Rights and Privacy Act)
Is a Federal law that protects the privacy of student education records.
FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are “eligible students.”
— ISO 27018
ISO/IEC 27018:2014 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services
Numerous federal laws and their related regulations—such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Children’s OnlinePrivacy Protection Act of 1998 (COPPA)—contain provisions that pertain to the privacy and the security of personal information
Companies are the custodians of data entrusted to them
——– PCI DSS
PCI : Payment Card Industry
PCI DSS : applies if you store, process or transmit Cardholder information
PCI DSS is a contractual requirement
QSA : Qualified Security Assessor
RoC : Report of compliance
SAQ : Self Assessment Questionnaire
PCI DSS –> Report of Compliance (RoC) if merchant is doing more than 6 millions of transactions a year
PCI DSS –> Self Assessment Question (SAQ) if merchant is doing less than 6 millions of transactions a year
SAD : Sensitive Authentication Data
If merchant suffer a data breach –> Report of Compliance
12 requirements, >280 sub-requirements
1- Install and maintain firewalls + personal firewall on device + written policies
2- Do not use vendors default password or security settings
3- Protect Stored Cardholder Data : retain minimum cardholder data, encrypt properly, never store track data CVV2 or PIN
4- Encrypt transmission of cardholder data across Open network : TLS (instead of SSL) + documented policies + no cardholder data send with email or Impact
5- Use anti-malware up to date + AV logs
6- Develop and maintain system : patch regularly, have secure SDLC, use WAF
7- Restrict access to cardholder data : use access control system
8- Identify and Authenticate access to system component :s strong password, MFA, documented policies
9- Restrict physical access to cardholder data
10- Track and monitor all access. retain logs at least one year : review logs every days
11- Regularly test security systems and process : have IDS, IPS, pen test..
12- maintain a policy that addresses Information Security for All personnel : risk assessment, people screening…
PAN :Primary Account Number
SAD : Sensitive Authentication Data (ex: CVV2 on the card, PIN, )
Assessment every year
ASV : Approved Scanning Vendor (they are approved by PCI SCC)
a quarterly ASV Scan is a PCI DSS requirement
PFI : PCI Forensic Investigator
—— SOC, SSAE16
AICPA : American Institute of Certified Public Accountants
Cloud provider generally don’t want to share a detailed audit of security controls for the same reason they don’t want to allow physical access.
Instead the provider is likely to publish an audit assurance statement. A kind of seal of approval
Currently this usually takes the form of an SOC 3 Audit report.
SOC : Service Organization Control
Example : Microsoft has achieved SOC 1 Type 2, SOC 2 Type 2, and SOC 3 reports. In
general, the availability of SOC 1 and SOC 2 reports is restricted to customers
who have signed nondisclosure agreements with Microsoft; the SOC 3 report is
publicly available (http://aka.ms/soc3)
SOC reports are a part of the SSAE reporting format created by the AICPA
SSAE 16 : Statement on Standards for Attestation Engagements
SOC 1 report are strictly for auditing the financial reporting instruments of a corporation
SOC 2 report are intended to report audit of any controls on an organization security
SOC 2 Type 1 : review the design of controls not how they are implemented and maintained or their function
SOC 2 Type 2 : is extremely detailed and provides information about configuration and implementation
Cloud provider are trying to restrict this document from wide dissemination
SOC 3 is the seal of approval : it contains no actual data about the security controls of the audit target and is just an assertion that the audit was conduct and that the target company passed
—- Cloud Security Alliance (CSA) Certifications
CSA STAR Program
CSA STAR is the industry’s most powerful program for security assurance in the cloud. STAR encompasses key principles of transparency, rigorous auditing, and harmonization of standards.
STAR consists of three levels of assurance, which currently cover four unique offerings all based upon a succinct yet comprehensive list of cloud-centric control objectives in the CSA’s Cloud Controls Matrix (CCM)
LEVEL 3 (Continuous Monitoring based certification)
CSA STAR Continuous Monitoring
LEVEL 2 (3rd party assessment based Certification) :
CSA STAR Certification : rigorous third-party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2005 management system standard together with the CSA Cloud Controls Matrix.
CSA STAR Attestation : is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. STAR Attestation provides for rigorous third party independent assessments of cloud providers.
CSA C-START Assessment : robust third party independent assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards.
LEVEL 1 : CSA STAR Self-Assessment
Example : Microsoft Azure
— Common Criteria Evaluation
EAL : Evaluation Assurance Level
The Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. The increasing assurance levels reflect added assurance requirements that must be met to achieve Common Criteria certification
The EAL level does not measure the security of the system itself, it simply states at what level the system was tested.
To achieve a particular EAL, the computer system must meet specific assurance requirements. Most of these requirements involve design documentation, design analysis, functional testing, or penetration testing.
TOE : Target of Evaluation
Assurance levels :
– EAL1: Functionally Tested
– EAL2: Structurally Tested
– EAL3: Methodically Tested and Checked
– EAL4: Methodically Designed, Tested and Reviewed –> EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line
– EAL5: Semi formally Designed and Tested
– EAL6: Semi formally Verified Design and Tested
– EAL7: Formally Verified Design and Tested –> applicable to the development of security TOEs for application in extremely high risk situations and/or where the high value of the assets justifies the higher costs.
Source : https://en.wikipedia.org/wiki/Evaluation_Assurance_Level
— EuroCloud Star Audit Certification (ECSA)
The StarAudit scheme evaluates cloud services according to a well-defined and transparent catalogue of criteria. The result of this audit process shows the respective maturity and compliance levels of a service.
The certification procedure is based on best practices and provides answers to the fundamental questions managers are likely to ask when looking for a suitable cloud service provider. Unlike pure security or data protection audits, it covers the entire range of cloud service functions and validates compliance against the requirements in clearly understandable terms.
Sarbanes-Oxley Act (SOX)
Federal Information Security Management Act (FISMA) : is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats
FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information security systems
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
FedRAMP enables Agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost effective cloud-based IT.
FedRAMP created and manages a core set of processes to ensure effective, repeatable cloud security for the government
— HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009
The HITECH is a legislation that was created to stimulate the adoption of electronic health records (EHR) and the supporting technology in the United States.
— Personal Data Privacy and Security Act of 2009
This bill did not come up for debate during the 111th United States Congress and at the end of the 2009-2010 session and never became law
SLA : Service Level agreement
GAAP : Generally Accepted Accounting Principles -> a standard framework of guidelines for financial accounting
ISO/IEC 27036 : The ISO 27036-1 standard provides detailed guidance on implementing the ISO 27002 information security controls that deal with supplier relationships. It addresses the supplier relationship from both the suppliers’ and the acquirers’ points of view.
CSA CCM (Cloud Control Matrix) includes :
– AICPA Trust Service Criteria
_ BITS Shared Assessments
– BSI Germany
– Canada PIPEDA
– COBIT ==> (Control Objectives for Information and Related Technologies) is a good-practice framework created by international professional association ISACA for information technology (IT) management and IT governance.
– COPPA ==> Children’s Online Privacy Protection Act
– CSA Enterprise Architecture (formely Trusted Cloud Initiative)
– ENISA IAF ===> Cloud Computing Information Assurance Framework
– EU Data Protection Directive
– GAPP ==========> Generally Accepted Privacy Principles is a framework (Canada & USA) https://en.wikipedia.org/wiki/Generally_Accepted_Privacy_Principles
– ISO/IEC 27002
– ISO/IEC 27017
– ISO/IEC 27018
– ITAR =====> International Traffic in Arms Regulations (ITAR) is a United States regulatory regime to restrict and control the export of defense and military related technologies to safeguard U.S. national security and further U.S. foreign policy objectives.
– Jericho Forum ==> international group working to define and promote de-perimeterisation
– NIST SP800-53
– NZISM ===> New Zealand Information Security Manual (NZISM) https://www.gcsb.govt.nz/publications/the-nz-information-security-manual/
Intellectual property Protections :
– Copyright : protect expression of an idea.
A copyright protects original works of authorship including literary, dramatic, musical, and artistic works, such as poetry, novels, movies, songs, computer software, and architecture
Lasts 70 years after author’s death
or 120 years after first publication of a work for hire
Fair use for : Academic Fair Use, Critique, News Reporting, Scholarly Research…
U.S Copyright Office
– Trademark : protection of representations of an organization (brand, logo…)
US Patent and Trademark Office (USPTO) (R)
Last into perpetuity until trademark owner use it for commercial purpose
– Patents : protect intellectual property in the form of invention, process, material
Patent and Trademark Office (USPTO) (R)
Last for 20 years from the time of the patent application
– Trade Secret
Last into perpetuity until trademark owner use it for commercial purpose
ISO/IEC 27036 Security techniques — Information security for supplier relationships
TCI Reference Model : Trusted Cloud Initiative
ISO/IEC 27001:2013 (Information technology – Security techniques – Information security management systems – Requirements)
ISO/IEC 27002 (Information technology – Security techniques – Code of practice for information security controls)
ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled Information technology – Security techniques – Code of practice for information security controls.
source : https://en.wikipedia.org/wiki/ISO/IEC_27002
The official name of ISO/IEC 27017 is Code of practice for information security controls based on ISO/IEC 27002 for cloud services, which means this standard is built upon the existing security controls of ISO 27002.
NIST SP 800-37 : Guide for Applying the Risk Management Framework to Federal Information Systems
NIST SP 800-53 : Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-53 is a publication that recommends security requirements & controls for federal information systems and organizations and documents security controls for all US federal information systems, except those designed for national security.
12 thoughts on “Preparation Guide for ISC2 Certified Cloud Security Professional (CCSP) Certification”
Awesome thanks for this!, busy prepping for the exam, giving myself enough time because it is difficult juggling work and family already
Thanks. Be strong 🙂
Can you share your preparation schedule for the exam ( family and work are included for me as well). Assume I have 3 months until the exam. What schedule would be the best?
thanks for this, i will take mine in 2 weeks
Awesome distillation and amazing write-up! Hope you don’t mind, but I linked to this entry on my blog (https://www.securityzed.com/). Thanks for all your effort and insight on this, and congrats on passing the exam!
this is so great! you even got props from the guy who wrote the study guide… thank you!
thank you so much for sharing. amazing study material.
Great effort. Thank you.
Thank you for this content. Can you share your preparation schedule for the exam ( family and work are included for me as well). Assume I have 3 months until the exam. What schedule would be the best?
I have been browsing online more than three hours lately, but I by no means found any
interesting article like yours. It’s beautiful worth enough
for me. In my view, if all website owners and bloggers made excellent content as you probably did, the internet will be a
lot more helpful than ever before