Module 01: Cloud Concepts, Architecture & Design
Understanding cloud computing concepts
- Cloud computing definitions
- Cloud computing roles and responsibilities
- Key cloud computing characteristics
- Building block technologies
Describe cloud computing architecture
- Cloud computing activities
- Cloud service capabilities
- Cloud service categories
- Cloud deployment models
- Cloud shared considerations
- Impact of related technologies
Understanding security concepts relevant to cloud computing
- Cryptography and key management
- Identity and access control
- Data and media sanitization
- Network security
- Virtualization security
- Common threats
- Security hygiene
Understanding design principles of secure cloud computing
- Cloud secure data lifecycle
- Cloud-based business continuity (BC) and disaster recovery (DR) plan
- Business impact analysis (BIA)
- Functional security requirements
- Security considerations and responsibilities for different cloud categories
- Cloud design patterns
- DevOps security
Evaluate cloud services providers
- Verification against criteria
- System/subsystem product certifications
Module 02: Cloud Data Security
Describe cloud data concepts
- Cloud data life cycle phases
- Data dispersion
- Data flows
Design & implement cloud data storage architectures
- Storage types
- Threats to storage types
Design & apply data security technologies & strategies
- Encryption and key management
- Hashing
- Data obfuscation
- Tokenization
- Data loss prevention (DLP)
- Keys, secrets and certificates management
Implement data discovery
- Structured data
- Unstructured data
- Semi-structured data
- Data location
Plan & implement data classification
- Data classification policies
- Data mapping
- Data labeling
Design & implement information rights management (IRM)
- Objectives
- Appropriate tools
Plan & implement data retention, deletion & archiving policies
- Data retention policies
- Data deletion procedures and mechanisms
- Data archiving procedures and mechanisms
- Legal hold
Design & implement auditability, traceability & accountability of data events
- Definition of event sources and requirement of event attributes
- Logging, storage and analysis of data events
- Chain of custody and non-repudiation
Module 03: Cloud Platform & Infrastructure Security
Comprehend cloud infrastructure & platform components
- Physical environment
- Network and communications
- Compute
- Virtualization
- Storage
- Management plane
Design a secure data center
- Logical design
- Physical design
- Environmental design
- Design resilient
Analyze risks associated with cloud infrastructure & platform
- Risk assessment
- Cloud vulnerabilities, threats and attacks
- Risk mitigation strategies
Plan & implement security controls
- Physical and environmental protection
- System, storage and communication protection
- Identification, authentication and authorization in cloud environments
- Audit mechanisms
Plan business continuity (BC) & disaster recovery (DR)
- Business continuity (BC) / disaster recovery (DR) strategy
- Business requirements
- Creation, implementation and testing of plan
Module 04: Cloud Application Security
Advocate training & awareness for application security
- Cloud development basics
- Common pitfalls
- Common cloud vulnerabilities
Describe the security software development life cycle (SDLC) process
- Business requirements
- Phases and methodologies
Apply the secure software development life cycle (SDLC) process
- Cloud-specific risks
- Threat modeling
- Avoid common vulnerabilities during development
- Secure coding
- Software configuration management and versioning
Apply cloud software assurance & validation
- Functional and non-functional testing
- Security testing methodologies
- Quality assurance
- Abuse case testing
Use verified secure software
- Securing application programming interfaces (API)
- Supply-chain management
- Third-party software management
- Validated open-source software
Comprehend the specifics of cloud application architecture
- Supplemental security components
- Cryptography
- Sandboxing
- Application virtualization and orchestration
Design appropriate identity & access management (IAM) solutions
- Federated identity
- Identity providers (IdP)
- Single sign-on (SSO)
- Multi-factor authentication (MFA)
- Cloud access security broker (CASB)
- Secrets management
Module 05: Cloud Security Operations
Build & implement physical & logical infrastructure for cloud environment
- Hardware specific security configuration requirements
- Installation and configuration of management tools
- Virtual hardware specific security configuration requirements
- Installation of guest operating system (OS) virtualization toolsets
Operate & maintain physical & logical infrastructure for cloud environment
- Access controls for local and remote access
- Secure network configuration
- Network security controls
- Operating system (OS) hardening through the application of baselines, monitoring and remediation
- Patch management
- Infrastructure as Code (IaC) strategy
- Availability of clustered hosts
- Availability of guest operating system (OS)
- Performance and capacity monitoring
- Hardware monitoring
- Configuration of host and guest operating system (OS) backup and restore functions
- Management plane
Implement operational controls & standards
- Change management
- Continuity management
- Information security management
- Continual service improvement management
- Incident management
- Problem management
- Release management
- Deployment management
- Configuration management
- Service level management
- Availability management
- Capacity management
Support digital forensics
- Forensic data collection methodologies
- Evidence management
- Collect, acquire, and preserve digital evidence
Manage communication with relevant parties
- Vendors
- Customers
- Partners
- Regulators
- Other stakeholders
Manage security operations
- Security operations center (SOC)
- Intelligent monitoring of security controls
- Log capture and analysis
- Incident management
- Vulnerability assessments
Module 06: Legal, Risk & Compliance
Articulate legal requirements & unique risks within the cloud environment
- Conflicting international legislation
- Evaluation of legal risks specific to cloud computing
- Legal framework and guidelines
- eDiscovery
- Forensics requirements
Understand privacy issues
- Difference between contractual and regulated private data
- Country-specific legislation related to private data
- Jurisdictional differences in data privacy
- Standard privacy requirements
- Privacy Impact Assessments (PIA)
Understand audit process, methodologies & required adaptations for a cloud environment
- Internal and external audit controls
- Impact of audit requirements
- Identify assurance challenges of virtualization and cloud
- Types of audit reports
- Restrictions of audit scope statements
- Gap analysis
- Audit planning
- Internal information security management system
- Internal information security controls system
- Policies
- Identification and involvement of relevant stakeholders
- Specialized compliance requirements for highly regulated industries
- Impact of distributed information technology (IT) model
Understand implications of cloud to enterprise risk management
- Assess providers' risk management programs
- Difference between data owner/controller vs. data custodian/processor
- Regulatory transparency requirements
- Risk treatment
- Different risk frameworks
- Metrics for risk management
- Assessment of risk environment
Understand outsourcing & cloud contract design
- Business requirements
- Vendor management
- Contract management
- Supply-chain management