
Explore cloud computing and architectural concepts as you move through chapter one, aligning understanding among all learners and establishing a common foundation.
Establish a common viewpoint as we begin chapter one, and prepare to dive into cloud risks, clarifying architectural concepts and introducing reference models toward the chapter's end.
Break down the chapter introduction by defining terminology, presenting the cloud computing definition, examining benefits and security risks, and finishing with reference models and what cloud security is.
Map roles and activities from provider and customer to brokers, auditors, a backup service provider, and storage administrators, and emphasize separating provider and customer access across IaaS, SaaS, and PaaS.
Explore Apache CloudStack and cloud app concepts, plus CAMP and the standard cloud PaaS management API by OASIS; understand Eucalyptus for private and hybrid cloud portability.
Examine the cloud computing definition used by governments, and describe a model with on-demand access to a pool of resources, five essential characteristics, three service models, and four deployment models.
SaaS typically lowers costs while transferring governance, licensing, updates, security, and scalability to the provider, including encryption options. It may limit customization and control amid multi-tenancy.
Explore platform as a service pros like provider-managed updates and API-driven integration that streamline deployment and reduce upfront costs, with cons such as stack updates, version discontinuations, and vendor lock-in.
Explore the pros and cons of IaaS, from physical infrastructure to cloud, including virtual machines, pay-as-you-go costs, and governance. Understand how multi-tenancy, security, and licensing shape responsibility and cost.
Explain cloud computing characteristics such as multitenancy, segmentation, and policy-driven enforcement, and discuss governance, data isolation, traffic segmentation, and availability for scalable, secure cloud services.
Perform a cost benefit analysis for cloud migration by weighing business needs, technical and compliance impacts, and governance, and assess short-term and long-term costs to avoid vendor lock-in.
Identify business requirements and regulatory needs to guide cloud service decisions, then compare current costs with anticipated costs, including direct and indirect expenses, training, hardware, and future updates.
Assess the cost benefit of cloud adoption by weighing resource pooling, IaaS and PaaS considerations, the OpEx shift, licensing costs, SLA negotiations, private cloud efficiencies, and time to market.
Calculate the total cost of ownership (TCO) by factoring everything related to the business decision, across departments and processes, whether owning a data center or transitioning to the cloud.
Explain how ease of deployment serves as a cloud benefit, while costs often exceed expectations and security and compliance risks must be managed.
Assess privacy risks and insider threats in cloud adoption, and ensure regulatory compliance, governance, and audits with cloud providers. Explore benefits like improved security visibility and data-based security models.
Analyze how layers and dependencies in cloud architectures transfer security risks across SaaS, platform, and IaaS offerings, and compare CSPs using standard reference models.
Identify common cloud security pitfalls and confusions, citing guidance from the Certified Cloud Security Professional and the Cloud Security Alliance on deployment, consumption, and erosion of trust.
Compare cloud deployment models by evaluating public, private community, and hybrid setups. Public clouds are off premise and untrusted, private communities are trusted, and hybrids blend trusted and untrusted locations.
Explore the Jericho Cloud Cube Model, a simple tool that maps cloud assets from internal proprietary to external outsourced, highlighting how governance and security requirements change with ownership.
Identify where security is added in cloud architectures by contracting in controls higher in the stack and building in those lower in the stack.
Explore the cloud technology road map, examining inherent risks, potential benefits, and the need to balance them with well-considered acceptable risks that vary by company.
Explore how an architect aligns business needs with security and risk management, guided by the Cloud Security Alliance enterprise architecture across on premise and off premise perimeters.
Map ITIL and IT service management to cloud using customizable TOGAF (The Open Group Architecture Framework) to align security with business needs, avoid vendor lock-in, and measure return on investment.
Explore ENISA's cloud computing guidance, including benefits, risks, and information security recommendations, plus vulnerabilities and the information assurance framework.
Explore the end-to-end overview of cloud computing and architecture presented in chapter one. Access study guides and practice questions that prepare you for Mile2 CXO and (ISC)² CCSP exams.
Discover the cloud risk domain as the foundation for cloud computing concepts, architectural basics, and governance, with emphasis on enterprise risk management and potential legal implications for in-house implementations.
Explore cloud migration security, evaluate products for security, and review risk evaluations by ENISA, plus the Cloud Controls Matrix from the Cloud Security Alliance.
Identify the internal use data asset and separate data storage from processing to evaluate a cloud move, considering data classification, scope creep, and cost implications.
Map the asset to the cloud by choosing among public, private, community, and hybrid deployments for internal-use data, weighing costs and compliance to decide where data should reside.
Finalize your cloud strategy by evaluating each service model and provider, weighing control versus implementation, and considering vendor lock-in, risk assessment, encryption, and data flow.
Assess the ENISA cloud computing security risk assessment to understand the 35 risks across policy, technical, legal, and cloud-specific categories, including SaaS, PaaS, IaaS, and public, private, partner models.
Identify ENISA's top security risks and analyze Common Vulnerabilities and Exposures (CVEs), including management interface compromise and web interface exposure, across platforms like vSphere, Azure, and AWS.
Identify loss of governance as a top cloud risk, where hundreds of policies are no longer fully enforceable and governance relies on SLAs and vendor agreements, which may conflict.
Navigate cloud compliance challenges by managing governance loss, validating compliance policies, and auditing environments across multi-jurisdiction data storage, with ISO 27001 alignment and clear roles.
Assess isolation failures in cloud environments, focusing on data co-mingling risks between public and private clouds and the processor as a high-impact access risk.
Assess the risk of a malicious insider abusing high-privilege cloud roles; segregation of duties and encryption at rest limit exposure, while hypervisor-level admins pose the highest-impact threat.
Learn how to respond to subpoenas and e-discovery requests for data, including protecting employee PII across your organization and cloud vendors, with practical collaboration to navigate jurisdiction challenges.
Assess top jurisdiction risks for cloud security by examining how data residency affects compliance, including New York financial regulations and GDPR and PII considerations across regions.
Protecting your data remains critical as top risks show high impact and high probability; lack of information on jurisdictions and multi-jurisdiction data storage create ongoing concerns, despite vendors' improvements.
Explore how network management, congestion, and port throttling affect cloud workloads and performance SLAs across vendors, when selecting virtual machines and bandwidth expectations.
Identify major assets in cloud environments, including source code, credentials, management interface APIs, and customer trust, as highlighted by the NSA risk assessment.
Explore the 16 control domains for cloud security, covering application and interface security, interoperability and portability, supply chain, vulnerability management, encryption and key management, and governance and risk management.
Examine a change control and configuration management example, and show how policies and procedures ensure preauthorization of new data, applications, infrastructure, network and systems components.
Feeling the need to bolster your skills in Cloud Security? Then you are at the right place, because our CCSO course offers you such revitalized and refreshed topics as Cloud Risks, Legal Implications, Data Center Operations, Incident Response, Application Security and more.
Baseline requirements to fully participate in the CCSO course?
Good knowledge and experience in the Cloud, IP and IT infrastructure are required to progress in this program.
CCSO's courses are aptly developed for candidates who have knowledge in the IT field, especially in the cloud, and a desire to improve their learning experience and practical skills in applying cloud security. It is mainly for candidates who wish to:
· Ready themselves for the CCSO certification exams
· Learn and apply cloud security at a global standard level
This course prepares you for the CCSO exams. Candidates who excel will have acquired the knowledge to:
· Evaluate Cloud Migration Security and Assess Risks
· Understand Legal Requirements and Unique Risks within the Cloud Environment
· Audit logging/Detect Intrusion
· Perform DR and BCM
· Understand SAML Assertions, Protocols and Bindings
For the duration of this course, you will be exposed to impactful virtual-based classes, coupled with sufficient practical examples on everything cloud security, to give you a deeper understanding of it all. You’re taught according to the leading global standards. The right path to a successful career as a cloud security officer starts with a smart decision you make with us today. REGISTER NOW!