Copyright © 2023 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada and the United Kingdom.
ISBN: 978-1-119-90937-8
ISBN: 978-1-119-90938-5 (ebk.)
ISBN: 978-1-119-90939-2 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.

Trademarks: WILEY, the Wiley logo, Sybex and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2 and CCSP are registered trademarks or certification marks of International Information Systems Security Certification Consortium, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose.
No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our website at www.wiley.com.

Library of Congress Control Number: 2022942264
Cover image: © Jeremy Woodhouse/Getty Images
Cover design: Wiley

Acknowledgments

The authors would like to thank the many people who made this book possible. Thanks to Jim Minatel at Wiley Publishing, who helped us extend the Sybex certification preparation franchise to include this title and has continued to champion our work with the International Information Systems Security Certification Consortium (ISC)2. Thanks also to Carole Jelen, our agent, who tackles all the back-end magic for our writing efforts and worked on both the logistical details and the business side of the book with her usual grace and commitment to excellence. Sharif Nijim and Charles Gaughf, our technical editors, pointed out many opportunities to improve our work and deliver a high-quality final product. John Whiteman, our technical proofreader, and Judy Flynn, our copy editor, ensured a polished product.
John Sleeva served as our project manager and made sure everything fit together. Many other people we'll never meet worked behind the scenes to make this book a success, and we really appreciate their time and talents to make this next edition come together. The publisher and (ISC)2 would like to acknowledge and thank the previous edition author Ben Malisow for his dedicated effort to advance the cause of CCSP and cloud security education.

About the Authors

Mike Chapple, Ph.D., CCSP, CISSP, is an author of the best-selling CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide (Sybex, 2021), now in its ninth edition. He is an information security professional with two decades of experience in higher education, the private sector, and government. Mike currently serves as teaching professor of IT, Analytics, and Operations at the University of Notre Dame's Mendoza College of Business. He previously served as senior director for IT Service Delivery at Notre Dame, where he oversaw the information security, data governance, IT architecture, project management, strategic planning, and product management functions for the University. Before returning to Notre Dame, Mike served as executive vice president and chief information officer of the Brand Institute, a Miami-based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active duty intelligence officer in the U.S. Air Force. Mike has written more than 30 books, including Cyberwarfare: Information Operations in a Connected World (Jones & Bartlett, 2021), CompTIA Security+ SY0-601 Study Guide (Wiley, 2021), and the CompTIA Cybersecurity Analyst+ (CySA+) Study Guide (Wiley, 2020) and Practice Tests (Wiley, 2020). Mike earned both his BS and PhD degrees from Notre Dame in computer science and engineering.
He also holds an MS in computer science from the University of Idaho and an MBA from Auburn University. His IT certifications include the CISSP, Security+, CySA+, CISA, PenTest+, CIPP/US, CISM, CCSP, and PMP credentials. Mike provides books, video-based training, and free study groups for a wide variety of IT certifications at his website, CertMike.com.

David Seidl, CISSP, is vice president for information technology and CIO at Miami University. During his IT career, he has served in a variety of technical and information security roles, including senior director for Campus Technology Services at the University of Notre Dame, where he co-led Notre Dame's move to the cloud and oversaw cloud operations, ERP, databases, identity management, and a broad range of other technologies and services. He also served as Notre Dame's director of information security and led Notre Dame's information security program. He has taught information security and networking undergraduate courses as an instructor for Notre Dame's Mendoza College of Business and has written books on security certification and cyberwarfare, including coauthoring the previous editions of CISSP (ISC)2 Official Practice Tests (Sybex, 2021) and CompTIA CySA+ Study Guide: Exam CS0-002, CompTIA CySA+ Practice Tests: Exam CS0-002, CompTIA Security+ Study Guide: Exam SY0-601, and CompTIA Security+ Practice Tests: Exam SY0-601, as well as other certification guides and books on information security. David holds a bachelor's degree in communication technology and a master's degree in information security from Eastern Michigan University, as well as CISSP, CySA+, Pentest+, GPEN, and GCIH certifications.

About the Technical Editor

Sharif Nijim is an associate teaching professor of IT, Analytics, and Operations in the Mendoza College of Business at the University of Notre Dame, where he teaches undergraduate and graduate business analytics and information technology courses.
Before becoming part of the Mendoza faculty, Sharif served as the senior director for IT service delivery in the University of Notre Dame's Office of Information Technologies. In this role, he was part of the senior leadership team for the Office of Information Technologies, overseeing data stewardship, information security and compliance, learning platforms, product services, project management, and enterprise architecture. Prior to Notre Dame, Sharif co-founded and was a board member of a customer data integration company catering to the airline industry. He also spent more than a decade building and performance-optimizing enterprise-class transactional and analytical systems for clients in the logistics, telecommunications, energy, manufacturing, insurance, real estate, healthcare, travel and transportation, and hospitality sectors.

About the Technical Proofreader

John L. Whiteman is a security researcher for Intel Corporation with over 20 years' experience. He is a part-time adjunct cybersecurity instructor for the University of Portland and also teaches the UC Berkeley Extension's Cybersecurity Boot Camp. He holds multiple security certifications including CISSP and CCSP. John holds an MSCS from Georgia Institute of Technology and a BSCS from Portland State University.
Contents at a Glance

Introduction xxiii
Assessment Test xxxii
Chapter 1 Architectural Concepts 1
Chapter 2 Data Classification 35
Chapter 3 Cloud Data Security 63
Chapter 4 Security in the Cloud 91
Chapter 5 Cloud Platform, Infrastructure, and Operational Security 121
Chapter 6 Cloud Application Security 151
Chapter 7 Operations Elements 191
Chapter 8 Operations Management 215
Chapter 9 Legal and Compliance Issues 245
Chapter 10 Cloud Vendor Management 295
Appendix Answers to the Review Questions 335
Index 355

Contents

Introduction xxiii
Assessment Test xxxii

Chapter 1 Architectural Concepts 1
  Cloud Characteristics 3
  Business Requirements 5
    Understanding the Existing State 6
    Cost/Benefit Analysis 7
    Intended Impact 10
  Cloud Computing Service Categories 11
    Software as a Service 11
    Infrastructure as a Service 12
    Platform as a Service 12
  Cloud Deployment Models 13
    Private Cloud 13
    Public Cloud 13
    Hybrid Cloud 13
    Multi-Cloud 13
    Community Cloud 13
  Multitenancy 14
  Cloud Computing Roles and Responsibilities 15
  Cloud Computing Reference Architecture 16
  Virtualization 18
    Hypervisors 18
    Virtualization Security 19
  Cloud Shared Considerations 20
    Security and Privacy Considerations 20
    Operational Considerations 21
  Emerging Technologies 22
    Machine Learning and Artificial Intelligence 22
    Blockchain 23
    Internet of Things 24
    Containers 24
    Quantum Computing 25
    Edge and Fog Computing 26
    Confidential Computing 26
    DevOps and DevSecOps 27
  Summary 28
  Exam Essentials 28
  Review Questions 30

Chapter 2 Data Classification 35
  Data Inventory and Discovery 37
    Data Ownership 37
    Data Flows 42
    Data Discovery Methods 43
  Information Rights Management 46
    Certificates and IRM 47
    IRM in the Cloud 47
    IRM Tool Traits 47
  Data Control 49
    Data Retention 50
    Data Audit and Audit Mechanisms 53
    Data Destruction/Disposal 55
  Summary 57
  Exam Essentials 57
  Review Questions 59

Chapter 3 Cloud Data Security 63
  Cloud Data Lifecycle 65
    Create 66
    Store 66
    Use 67
    Share 67
    Archive 69
    Destroy 70
  Cloud Storage Architectures 71
    Storage Types 71
    Volume Storage: File-Based Storage and Block Storage 72
    Object-Based Storage 72
    Databases 73
    Threats to Cloud Storage 73
  Designing and Applying Security Strategies for Storage 74
    Encryption 74
    Certificate Management 77
    Hashing 77
    Masking, Obfuscation, Anonymization, and Tokenization 78
    Data Loss Prevention 81
    Log Capture and Analysis 82
  Summary 85
  Exam Essentials 85
  Review Questions 86

Chapter 4 Security in the Cloud 91
  Shared Cloud Platform Risks and Responsibilities 92
  Cloud Computing Risks by Deployment Model 94
    Private Cloud 95
    Community Cloud 95
    Public Cloud 97
    Hybrid Cloud 101
  Cloud Computing Risks by Service Model 102
    Infrastructure as a Service (IaaS) 102
    Platform as a Service (PaaS) 102
    Software as a Service (SaaS) 103
  Virtualization 103
    Threats 105
  Risk Mitigation Strategies 107
  Disaster Recovery (DR) and Business Continuity (BC) 110
    Cloud-Specific BIA Concerns 110
    Customer/Provider Shared BC/DR Responsibilities 111
  Cloud Design Patterns 114
  Summary 115
  Exam Essentials 115
  Review Questions 116

Chapter 5 Cloud Platform, Infrastructure, and Operational Security 121
  Foundations of Managed Services 123