Leslie Fife - The Official (ISC)2 CCSP CBK Reference

The Official (ISC)2 CCSP CBK Reference: summary, description and annotation

The only official body of knowledge for CCSP, the most popular cloud security credential, fully revised and updated. Certified Cloud Security Professional (CCSP) certification validates the advanced technical skills needed to design, manage, and secure data, applications, and infrastructure in the cloud. This highly sought-after global credential has been updated with revised objectives. The new third edition of The Official (ISC)2 CCSP CBK Reference is the authoritative, vendor-neutral common body of knowledge for cloud security professionals.

This comprehensive resource provides cloud security professionals with an indispensable working reference to each of the six CCSP domains: Cloud Concepts, Architecture, and Design; Cloud Data Security; Cloud Platform and Infrastructure Security; Cloud Application Security; Cloud Security Operations; and Legal, Risk, and Compliance. Detailed, in-depth chapters contain the accurate information required to prepare for and achieve CCSP certification. Every essential area of cloud security is covered, including implementation, architecture, operations, controls, and immediate and long-term responses.

Developed by (ISC)2, the world leader in professional cybersecurity certification and training, this indispensable guide:

- Covers the six CCSP domains and over 150 detailed objectives
- Provides guidance on real-world best practices and techniques
- Includes illustrated examples, tables, diagrams and sample questions

The Official (ISC)2 CCSP CBK Reference is a vital ongoing resource for IT and information security leaders responsible for applying best practices to cloud security architecture, design, operations and service orchestration.

The Official (ISC)2 CCSP CBK Reference: read the preview excerpt online

Administrative access control refers to the policies and procedures a company uses to regulate and monitor access. These policies include who can authorize access to a system, how system access is logged and monitored, and how frequently access is reviewed. The customer is responsible for determining policies and enforcing those policies as related to procedures for provisioning/deprovisioning user access and reviewing access approvals.

Technical access control is the primary area of shared responsibility. While the CSP is responsible for protecting the physical environment and the company is responsible for the creation and enforcement of policies, both the customer and the CSP share responsibilities for technical access controls.

For example, a CSP may be willing to federate with an organization's identity and access management (IAM) system. The CSP is then responsible for the integration of the IAM system, while the customer is responsible for the maintenance of the system. If a cloud IAM system is used (provided by the CSP or a third party), the customer is responsible for the provisioning and deprovisioning of users in the system and for determining access levels and system authorizations, while the CSP or third party maintains the IAM system.

Logging system access and reviewing the logs for unusual activity can also be a shared responsibility, with the CSP or third-party IAM provider logging access and the customer reviewing the logs or with the CSP providing both services. Either choice requires coordination between the customer and the CSP. Access attempts can come from a variety of devices and locations throughout the world, making IAM an essential function.

Data and Media Sanitization

Internally, it is possible to sanitize storage media as you have physical access to the media. You determine the manner of sanitization to include physical destruction of the storage media. You also determine the schedule for data deletion and media sanitization.

In the cloud this becomes more challenging. The data storage is shared and distributed, and access to the physical media is not provided. The CSP will not allow you access to the physical disks and will certainly not allow their destruction. In addition, data in the cloud is regularly moved and backed up. It may be impossible to determine if all copies of a data item have been deleted. This is a security and privacy concern. The customer will never have the level of control for data and media sanitization that they had when they had physical access and ownership of the storage hardware.

While some CSPs provide access to wipeable volumes, there is no guarantee that the wipe will be done to the level possible with physical access. Encrypted storage of data and crypto-shredding are discussed in the following sections. While not the same as physical access and secure wipe, they provide a reasonable level of security. If, after review, this level of security is not adequate for an organization's most sensitive data, this data should be retained on-premises in customer data centers or on storage media under the direct physical control of the customer.

Overwriting

Overwriting of deleted data occurs in cloud storage over time. Deleted data areas are marked for reuse, and eventually this area will be allocated to and used by the same or another customer, overwriting the data that is there. There is no specific timetable for overwriting, and the data or fragments may continue to exist for some time. Encryption is key in keeping your data secure and the information private. Encrypting all data stored in the cloud works only if the cryptographic keys are inaccessible or securely deleted.

Cryptographic Erase

Cryptographic erasure is an additional way to prevent the disclosure of data. In this process, the cryptographic keys are destroyed (crypto-shredding), eliminating the key necessary for decryption of the data. Like data and media sanitization and overwriting, encryption is an essential step in keeping your data private and secure. Secure deletion of cryptographic keys makes data retrieval nearly impossible.
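The crypto-shredding step described above, as an added example that is not code from the book: data on shared storage is encrypted under a key that lives only in a key store, and destroying that key renders every remaining copy of the ciphertext unreadable. The in-memory KeyStore type, the key identifier and the sample record are constructed stand-ins for a CSP-managed KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore stands in for the KMS/HSM that holds the data-encryption key.
// Hypothetical: a real deployment would use the CSP's KMS, not an in-memory map.
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// CreateKey generates a random 256-bit AES key and stores it under id.
func (ks *KeyStore) CreateKey(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keys[id] = k
	return nil
}

// Shred is the crypto-shredding step: overwrite the key bytes, then drop them.
// Every copy of the ciphertext still sitting on shared storage is now unreadable.
func (ks *KeyStore) Shred(id string) {
	if k, ok := ks.keys[id]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, id)
	}
}

func (ks *KeyStore) aead(id string) (cipher.AEAD, error) {
	k, ok := ks.keys[id]
	if !ok {
		return nil, errors.New("key unavailable (destroyed or unknown): " + id)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce||ciphertext||tag using AES-256-GCM.
func (ks *KeyStore) Encrypt(id string, plaintext []byte) ([]byte, error) {
	g, err := ks.aead(id)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; it fails once the key has been shredded.
func (ks *KeyStore) Decrypt(id string, blob []byte) ([]byte, error) {
	g, err := ks.aead(id)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:n], blob[n:], nil)
}

// ShredDemo encrypts a record, confirms it is readable, shreds the key and
// confirms the very same ciphertext is no longer readable.
func ShredDemo() (readableBefore, readableAfter bool, err error) {
	const keyID = "tenant-a-volume-1" // constructed identifier
	ks := NewKeyStore()
	if err = ks.CreateKey(keyID); err != nil {
		return
	}
	blob, err := ks.Encrypt(keyID, []byte("customer record"))
	if err != nil {
		return
	}
	pt, err := ks.Decrypt(keyID, blob)
	readableBefore = err == nil && string(pt) == "customer record"

	ks.Shred(keyID) // the only copy of the key is gone; backups of blob stay encrypted

	_, err2 := ks.Decrypt(keyID, blob)
	readableAfter = err2 == nil
	return readableBefore, readableAfter, nil
}

func main() {
	before, after, err := ShredDemo()
	fmt.Printf("readable before shred: %v, after shred: %v, err: %v\n", before, after, err)
}
```

The point a practitioner should check in a real system is the last line of the demo: the key must exist nowhere else (no exported copies, no escrow the customer does not control), otherwise shredding one key store entry deletes nothing.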

Network Security

Broad network access is a key component of cloud computing. However, if you have access to cloud resources over the network, bad actors can also have access. Bad actors threaten the security of the cloud service you are using and can threaten the privacy and security of your data.

There are a number of ways to provide network security. This list is not exhaustive, and the concepts are not mutually exclusive. Network security starts with controlling access to cloud resources through IAM, discussed previously. By controlling access to the cloud resources, we limit their exposure. We may also limit their exposure to the public Internet through VPNs and cloud gateways. The use of VPNs for Internet security is common. Cloud gateways, ingress and egress monitoring, network security groups, and contextual-based security are discussed next. These are major topics within cloud network security, but are not exhaustive in their coverage. New methods are regularly developed to improve network security as vulnerabilities and threats are constantly changing.

Network Security Groups

Security remains an important concern in cloud computing. A network security group (NSG) is one way of protecting a group of cloud resources. The NSG provides a set of security rules or virtual firewall for those resources. The NSG can apply to an individual VM, a network interface card (NIC) for that VM, or even a subnet. The NSG is essentially a layer around the VM, subnet, or other cloud resource, as part of a layered defense strategy. This gives the customer some additional control over security.
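An added example, not code from the book or from any CSP, of how NSG-style rules are evaluated: rules are ordered by priority, the first match decides, and a flow matching no rule is denied. The weak configuration beside the hardened one shows the difference a single rule makes; the VPN range 10.8.0.0/16 and the rule names are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

type Action string

const (
	Allow Action = "Allow"
	Deny  Action = "Deny"
)

// Rule is a simplified inbound NSG rule. Lower Priority wins; the first rule
// that matches decides, and traffic matching no rule is denied.
type Rule struct {
	Name     string
	Priority int
	Source   netip.Prefix // source address range
	DestPort int          // destination port; 0 means any port
	Action   Action
}

type NSG struct{ rules []Rule }

func (n *NSG) Add(r Rule) {
	n.rules = append(n.rules, r)
	sort.SliceStable(n.rules, func(i, j int) bool {
		return n.rules[i].Priority < n.rules[j].Priority
	})
}

// Evaluate decides an inbound flow from src to dstPort. Default deny.
func (n *NSG) Evaluate(src string, dstPort int) (Action, string, error) {
	addr, err := netip.ParseAddr(src)
	if err != nil {
		return Deny, "", err
	}
	for _, r := range n.rules {
		if r.Source.Contains(addr) && (r.DestPort == 0 || r.DestPort == dstPort) {
			return r.Action, r.Name, nil
		}
	}
	return Deny, "DefaultDenyInbound", nil
}

func rule(name string, prio int, cidr string, port int, a Action) Rule {
	return Rule{Name: name, Priority: prio, Source: netip.MustParsePrefix(cidr), DestPort: port, Action: a}
}

// PermissiveNSG shows the weak setting: a management port open to the Internet.
func PermissiveNSG() *NSG {
	n := &NSG{}
	n.Add(rule("AllowSSHFromAnywhere", 100, "0.0.0.0/0", 22, Allow))
	n.Add(rule("AllowHTTPS", 110, "0.0.0.0/0", 443, Allow))
	return n
}

// HardenedNSG limits SSH to the (constructed) corporate VPN range and leaves
// only 443 reachable from the Internet.
func HardenedNSG() *NSG {
	n := &NSG{}
	n.Add(rule("AllowSSHFromVPN", 100, "10.8.0.0/16", 22, Allow))
	n.Add(rule("DenySSHFromAnywhere", 200, "0.0.0.0/0", 22, Deny))
	n.Add(rule("AllowHTTPS", 300, "0.0.0.0/0", 443, Allow))
	return n
}

func main() {
	flows := []struct {
		src  string
		port int
	}{{"203.0.113.7", 22}, {"10.8.0.5", 22}, {"203.0.113.7", 443}, {"203.0.113.7", 3389}}
	for name, nsg := range map[string]*NSG{"permissive": PermissiveNSG(), "hardened": HardenedNSG()} {
		for _, f := range flows {
			a, matched, _ := nsg.Evaluate(f.src, f.port)
			fmt.Printf("%-10s %s:%d -> %s (%s)\n", name, f.src, f.port, a, matched)
		}
	}
}
```

Reviewing an NSG therefore means reading the rules in priority order and asking, for each sensitive port, which rule is the first to match an Internet source.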

Cloud Gateways

A cloud gateway provides a level of security by keeping communication between the customer and the CSP off the public Internet. For example, AWS regions can be connected so that traffic is routed to any region while staying within the CSP environment.

Contextual-Based Security

Contextual-based security uses context to help secure the enterprise and, in the case of cloud computing, the cloud resources. Context includes things such as identity, determined through the IAM system, location, time of day, or endpoint type. This is more than the heuristics used to determine if unusual behavior is occurring. The context can determine the level of access and what resources may be accessed. For example, connecting from the corporate network, through a VPN, or from public WiFi may provide different levels of access. If a user attempts to access with an endpoint device that is not registered to that user, access may be blocked entirely.
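An added example (not code from the book) of a contextual access decision combining the factors just listed: group membership from the IAM system, whether the endpoint is registered to the requesting user, the network the request arrives from, and the time of day. The RequestContext and Policy types, the "finance" group, the device identifiers and the business-hours window are all constructed.

```go
package main

import "fmt"

type AccessLevel string

const (
	NoAccess AccessLevel = "none"
	ReadOnly AccessLevel = "read-only"
	Full     AccessLevel = "full"
)

// RequestContext is the context gathered at connection time (hypothetical field set).
type RequestContext struct {
	UserID     string
	Groups     []string // group memberships from the IAM system
	Network    string   // "corporate", "vpn" or "public"
	Hour       int      // local hour, 0-23
	EndpointID string   // device identifier presented by the endpoint agent
}

// Policy holds what the decision needs: which endpoint is registered to whom,
// the group required for the resource, and the business-hours window.
type Policy struct {
	RegisteredEndpoints        map[string]string // endpoint ID -> user it is registered to
	RequiredGroup              string
	BusinessStart, BusinessEnd int
}

func hasGroup(groups []string, g string) bool {
	for _, x := range groups {
		if x == g {
			return true
		}
	}
	return false
}

// Decide returns the access level and the reason. Identity and endpoint
// registration are hard gates; network and time of day then set the level.
func (p Policy) Decide(c RequestContext) (AccessLevel, string) {
	if !hasGroup(c.Groups, p.RequiredGroup) {
		return NoAccess, "user is not in group " + p.RequiredGroup
	}
	owner, ok := p.RegisteredEndpoints[c.EndpointID]
	if !ok || owner != c.UserID {
		return NoAccess, "endpoint not registered to this user"
	}
	inHours := c.Hour >= p.BusinessStart && c.Hour < p.BusinessEnd
	switch c.Network {
	case "corporate":
		return Full, "corporate network"
	case "vpn":
		if inHours {
			return Full, "VPN during business hours"
		}
		return ReadOnly, "VPN outside business hours"
	default:
		return ReadOnly, "untrusted network: " + c.Network
	}
}

// SamplePolicy is constructed sample data for the finance resource.
func SamplePolicy() Policy {
	return Policy{
		RegisteredEndpoints: map[string]string{"laptop-0042": "alice", "laptop-0077": "bob"},
		RequiredGroup:       "finance",
		BusinessStart:       8,
		BusinessEnd:         18,
	}
}

func main() {
	p := SamplePolicy()
	alice := []string{"finance"}
	for _, c := range []RequestContext{
		{"alice", alice, "corporate", 10, "laptop-0042"},
		{"alice", alice, "public", 10, "laptop-0042"},
		{"alice", alice, "vpn", 22, "laptop-0042"},
		{"alice", alice, "vpn", 10, "laptop-0077"}, // bob's registered device
		{"bob", nil, "corporate", 10, "laptop-0077"},
	} {
		level, why := p.Decide(c)
		fmt.Printf("%-6s %-9s %02d:00 %-11s -> %-9s (%s)\n", c.UserID, c.Network, c.Hour, c.EndpointID, level, why)
	}
}
```

The ordering matters for the failure mode the passage calls out: an unregistered or mis-registered endpoint is refused before the network or time is even considered, so a "trusted" network cannot compensate for an unknown device.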

Ingress and Egress Monitoring

Cloud ingress and egress must be carefully monitored. Security is provided by limiting the number of ingress/egress points available to access resources and then monitoring them. This is similar to a castle with a single entrance. It is easier to control access and prevent access by bad actors when the way in and out is carefully defined and controlled.

Ingress controls can block all or some external access attempts from the public Internet. Inbound connections can be limited to those that are in response to a request initiated from within the cloud resource. This limits connections to the Internet to only those requests initiated in the cloud environment or wanted by the cloud environment.

Egress controls are a way to prevent internal resources from connecting to unapproved and potentially dangerous locations on the Internet. If a resource is infected, egress monitoring may prevent malware from contacting its command and control locations. Monitoring what data leaves the environment can also assist in data loss prevention.
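An added example, not code from the book, of the egress review described above run over a few constructed flow-log lines: outbound flows to destinations outside an approved list are flagged (the command-and-control case), and so is any single outbound flow moving more than a threshold volume (the data-loss case). The log format, the approved range 198.51.100.0/24 and the 50 MB threshold are constructed assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Constructed flow-log lines: timestamp direction src dst dport bytes.
const sampleFlowLog = `2024-05-01T10:02:11Z egress 10.0.1.5 198.51.100.23 443 1200
2024-05-01T10:02:15Z egress 10.0.1.5 203.0.113.77 4444 900
2024-05-01T10:03:02Z egress 10.0.2.9 198.51.100.24 443 52000000
2024-05-01T10:03:40Z ingress 192.0.2.10 10.0.1.5 22 300`

type Finding struct {
	Kind   string // "unapproved-destination" or "large-transfer"
	Line   string
	Detail string
}

// EgressPolicy: approved external destinations and a per-flow volume threshold.
type EgressPolicy struct {
	Approved     []netip.Prefix
	MaxFlowBytes int64
}

func (p EgressPolicy) approved(a netip.Addr) bool {
	for _, pre := range p.Approved {
		if pre.Contains(a) {
			return true
		}
	}
	return false
}

// ReviewEgress parses the log and flags egress flows that go to an unapproved
// destination or move more than MaxFlowBytes in a single flow.
func ReviewEgress(log string, p EgressPolicy) ([]Finding, error) {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 6 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		if f[1] != "egress" {
			continue // ingress flows are reviewed by the ingress controls, not here
		}
		dst, err := netip.ParseAddr(f[3])
		if err != nil {
			return nil, err
		}
		nbytes, err := strconv.ParseInt(f[5], 10, 64)
		if err != nil {
			return nil, err
		}
		if !p.approved(dst) {
			findings = append(findings, Finding{"unapproved-destination", line, f[2] + " -> " + f[3] + ":" + f[4]})
		}
		if nbytes > p.MaxFlowBytes {
			findings = append(findings, Finding{"large-transfer", line, fmt.Sprintf("%d bytes to %s", nbytes, f[3])})
		}
	}
	return findings, sc.Err()
}

// SampleEgressPolicy is constructed: one approved SaaS range, 50 MB per-flow limit.
func SampleEgressPolicy() EgressPolicy {
	return EgressPolicy{
		Approved:     []netip.Prefix{netip.MustParsePrefix("198.51.100.0/24")},
		MaxFlowBytes: 50_000_000,
	}
}

func main() {
	fs, err := ReviewEgress(sampleFlowLog, SampleEgressPolicy())
	if err != nil {
		panic(err)
	}
	for _, f := range fs {
		fmt.Printf("%-22s %s\n", f.Kind, f.Detail)
	}
}
```

In a real environment the approved list comes from the egress control itself (the same allowlist the gateway enforces), so the review confirms that what left the environment matches what the control was supposed to permit.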
