Domain 1: Cloud Concepts, Architecture and Design
1.1 Understand Cloud Computing Concepts
» Cloud Computing Definitions
» Cloud Computing Roles (e.g., cloud service customer, cloud service provider, cloud service partner, cloud service broker)
» Key Cloud Computing Characteristics (e.g., on-demand self-service, broad network access, multi-tenancy, rapid elasticity and scalability, resource pooling, measured service)
» Building Block Technologies (e.g., virtualization, storage, networking, databases, orchestration)
1.2 Describe Cloud Reference Architecture
» Cloud Computing Activities
» Cloud Service Capabilities (e.g., application capability types, platform capability types, infrastructure capability types)
» Cloud Service Categories (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
» Cloud Deployment Models (e.g., public, private, hybrid, community)
» Cloud Shared Considerations (e.g., interoperability, portability, reversibility, availability, security, privacy, resiliency, performance, governance, maintenance and versioning, service levels and Service Level Agreements (SLA), auditability, regulatory)
» Impact of Related Technologies (e.g., machine learning, artificial intelligence, blockchain, Internet of Things (IoT), containers, quantum computing)
1.3 Understand Security Concepts Relevant to Cloud Computing
» Cryptography and Key Management
» Access Control
» Data and Media Sanitization (e.g., overwriting, cryptographic erase)
» Network Security (e.g., network security groups)
» Virtualization Security (e.g., hypervisor security, container security)
» Common Threats
1.4 Understand Design Principles of Secure Cloud Computing
» Cloud Secure Data Lifecycle
» Cloud based Disaster Recovery (DR) and Business Continuity (BC) planning
» Cost Benefit Analysis
» Functional Security Requirements (e.g., portability, interoperability, vendor lock-in)
» Security Considerations for Different Cloud Categories (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
1.5 Evaluate Cloud Service Providers
» Verification Against Criteria (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27017, Payment Card Industry Data Security Standard (PCI DSS))
» System/subsystem Product Certifications (e.g., Common Criteria (CC), Federal Information Processing Standard (FIPS) 140-2)
Domain 2: Cloud Data Security
2.1 Describe Cloud Data Concepts
» Cloud Data Life Cycle Phases
» Data Dispersion
2.2 Design and Implement Cloud Data Storage Architectures
» Storage Types (e.g., long-term, ephemeral, raw-disk)
» Threats to Storage Types
2.3 Design and Apply Data Security Technologies and Strategies
» Encryption and Key Management
» Hashing
» Masking
» Tokenization
» Data Loss Prevention (DLP)
» Data Obfuscation
» Data De-identification (e.g., anonymization)
2.4 Implement Data Discovery
» Structured Data
» Unstructured Data
2.5 Implement Data Classification
» Mapping
» Labeling
» Sensitive data (e.g., Protected Health Information (PHI), Personally Identifiable Information (PII), cardholder data)
2.6 Design and Implement Information Rights Management (IRM)
» Objectives (e.g., data rights, provisioning, access models)
» Appropriate Tools (e.g., issuing and revocation of certificates)
2.7 Plan and Implement Data Retention, Deletion and Archiving Policies
» Data Retention Policies
» Data Deletion Procedures and Mechanisms
» Data Archiving Procedures and Mechanisms
» Legal Hold
2.8 Design and Implement Auditability, Traceability and Accountability of Data Events
» Definition of Event Sources and Requirement of Identity Attribution
» Logging, Storage and Analysis of Data Events
» Chain of Custody and Non-repudiation
Domain 3: Cloud Platform and Infrastructure Security
3.1 Comprehend Cloud Infrastructure Components
» Physical Environment
» Network and Communications
» Compute
» Virtualization
» Storage
» Management Plane
3.2 Design a Secure Data Center
» Logical Design (e.g., tenant partitioning, access control)
» Physical Design (e.g., location, buy or build)
» Environmental Design (e.g., Heating, Ventilation and Air Conditioning (HVAC), multi-vendor pathway connectivity)
3.3 Analyze Risks Associated with Cloud Infrastructure
» Risk Assessment and Analysis
» Cloud Vulnerabilities, Threats and Attacks
» Virtualization Risks
» Counter-measure Strategies
3.4 Design and Plan Security Controls
» Physical and Environmental Protection (e.g., on-premise)
» System and Communication Protection
» Virtualization Systems Protection
» Identification, Authentication and Authorization in Cloud Infrastructure
» Audit Mechanisms (e.g., log collection, packet capture)
3.5 Plan Disaster Recovery (DR) and Business Continuity (BC)
» Risks Related to the Cloud Environment
» Business Requirements (e.g., Recovery Time Objective (RTO), Recovery Point Objective (RPO), Recovery Service Level (RSL))
» Business Continuity/Disaster Recovery Strategy
» Creation, Implementation and Testing of Plan
Domain 4: Cloud Application Security
4.1 Advocate Training and Awareness for Application Security
» Cloud Development Basics
» Common Pitfalls
» Common Cloud Vulnerabilities
4.2 Describe the Secure Software Development Life Cycle (SDLC) Process
» Business Requirements
» Phases and Methodologies
4.3 Apply the Secure Software Development Life Cycle (SDLC)
» Avoid Common Vulnerabilities During Development
» Cloud-specific Risks
» Quality Assurance
» Threat Modeling
» Software Configuration Management and Versioning
4.4 Apply Cloud Software Assurance and Validation
» Functional Testing
» Security Testing Methodologies
4.5 Use Verified Secure Software
» Approved Application Programming Interfaces (API)
» Supply-chain Management
» Third Party Software Management
» Validated Open Source Software
4.6 Comprehend the Specifics of Cloud Application Architecture
» Supplemental Security Components (e.g., Web Application Firewall (WAF), Database Activity Monitoring (DAM), Extensible Markup Language (XML) firewalls, Application Programming Interface (API) gateway)
» Cryptography
» Sandboxing
» Application Virtualization and Orchestration
4.7 Design Appropriate Identity and Access Management (IAM) Solutions
» Federated Identity
» Identity Providers
» Single Sign-On (SSO)
» Multi-factor Authentication
» Cloud Access Security Broker (CASB)
Domain 5: Cloud Security Operations
5.1 Implement and Build Physical and Logical Infrastructure for Cloud Environment
» Hardware Specific Security Configuration Requirements (e.g., Basic Input Output System (BIOS), settings for virtualization and Trusted Platform Module (TPM), storage controllers, network controllers)
» Installation and Configuration of Virtualization Management Tools
» Virtual Hardware Specific Security Configuration Requirements (e.g., network, storage, memory, Central Processing Unit (CPU))
» Installation of Guest Operating System (OS) Virtualization Toolsets
5.2 Operate Physical and Logical Infrastructure for Cloud Environment
» Configure Access Control for Local and Remote Access (e.g., Secure Keyboard Video Mouse (KVM), console-based access mechanisms, Remote Desktop Protocol (RDP))
» Secure Network Configuration (e.g., Virtual Local Area Networks (VLAN), Transport Layer Security (TLS), Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), Virtual Private Network (VPN))
» Operating System (OS) Hardening Through the Application of Baselines (e.g., Windows, Linux, VMware)
» Availability of Stand-Alone Hosts
» Availability of Clustered Hosts (e.g., Distributed Resource Scheduling (DRS), Dynamic Optimization (DO), storage clusters, maintenance mode, High Availability)
» Availability of Guest Operating System (OS)
5.3 Manage Physical and Logical Infrastructure for Cloud Environment
» Access Controls for Remote Access (e.g., Remote Desktop Protocol (RDP), Secure Terminal Access, Secure Shell (SSH))
» Operating System (OS) Baseline Compliance Monitoring and Remediation
» Patch Management
» Performance and Capacity Monitoring (e.g., network, compute, storage, response time)
» Hardware Monitoring (e.g., Disk, Central Processing Unit (CPU), fan speed, temperature)
» Configuration of Host and Guest Operating System (OS) Backup and Restore Functions
» Network Security Controls (e.g., firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), honeypots, vulnerability assessments, network security groups)
» Management Plane (e.g., scheduling, orchestration, maintenance)
5.4 Implement Operational Controls and Standards (e.g., Information Technology Infrastructure Library (ITIL), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000-1)
» Change Management
» Continuity Management
» Information Security Management
» Continual Service Improvement Management
» Incident Management
» Problem Management
» Release Management
» Deployment Management
» Configuration Management
» Service Level Management
» Availability Management
» Capacity Management
5.5 Support Digital Forensics
» Forensic Data Collection Methodologies
» Evidence Management
» Collect, Acquire and Preserve Digital Evidence
5.6 Manage Communication with Relevant Parties
» Vendors
» Customers
» Partners
» Regulators
» Other Stakeholders
5.7 Manage Security Operations
» Security Operations Center (SOC)
» Monitoring of Security Controls (e.g., firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), honeypots, vulnerability assessments, network security groups)
» Log Capture and Analysis (e.g., Security Information and Event Management (SIEM), log management)
» Incident Management
Domain 6: Legal, Risk and Compliance
6.1 Articulate Legal Requirements and Unique Risks within the Cloud Environment
» Conflicting International Legislation
» Evaluation of Legal Risks Specific to Cloud Computing
» Legal Framework and Guidelines
» eDiscovery (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27050, Cloud Security Alliance (CSA) Guidance)
» Forensics Requirements
6.2 Understand Privacy Issues
» Difference Between Contractual and Regulated Private Data (e.g., Protected Health Information (PHI), Personally Identifiable Information (PII))
» Country-Specific Legislation Related to Private Data (e.g., Protected Health Information (PHI), Personally Identifiable Information (PII))
» Jurisdictional Differences in Data Privacy
» Standard Privacy Requirements (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27018, Generally Accepted Privacy Principles (GAPP), General Data Protection Regulation (GDPR))
6.3 Understand Audit Process, Methodologies, and Required Adaptations for a Cloud Environment
» Internal and External Audit Controls
» Impact of Audit Requirements
» Identify Assurance Challenges of Virtualization and Cloud
» Types of Audit Reports (e.g., Statement on Standards for Attestation Engagements (SSAE), Service Organization Control (SOC), International Standard on Assurance Engagements (ISAE))
» Restrictions of Audit Scope Statements (e.g., Statement on Standards for Attestation Engagements (SSAE), International Standard on Assurance Engagements (ISAE))
» Gap Analysis
» Audit Planning
» Internal Information Security Management System (ISMS)
» Internal Information Security Controls System
» Policies (e.g., organizational, functional, cloud computing)
» Identification and Involvement of Relevant Stakeholders
» Specialized Compliance Requirements for Highly-Regulated Industries (e.g., North American Electric Reliability Corporation/Critical Infrastructure Protection (NERC/CIP), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI))
» Impact of Distributed Information Technology (IT) Model (e.g., diverse geographical locations and crossing over legal jurisdictions)
6.4 Understand Implications of Cloud to Enterprise Risk Management
» Assess Providers' Risk Management Programs (e.g., controls, methodologies, policies)
» Difference Between Data Owner/Controller vs. Data Custodian/Processor (e.g., risk profile, risk appetite, responsibility)
» Regulatory Transparency Requirements (e.g., breach notification, Sarbanes-Oxley (SOX), General Data Protection Regulation (GDPR))
» Risk Treatment (i.e., avoid, modify, share, retain)
» Different Risk Frameworks
» Metrics for Risk Management
» Assessment of Risk Environment (e.g., service, vendor, infrastructure)
6.5 Understand Outsourcing and Cloud Contract Design
» Business Requirements (e.g., Service Level Agreement (SLA), Master Service Agreement (MSA), Statement of Work (SOW))
» Vendor Management
» Contract Management (e.g., right to audit, metrics, definitions, termination, litigation, assurance, compliance, access to cloud/data, cyber risk insurance)
» Supply-Chain Management (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27036)