###### tags: `CCSE` `certification` `cloud security`

# EC-Council CCSE (Certified Cloud Security Engineer)

* Exam Code: 312-40
* Duration: 4 hrs
* Questions: 125

**Author: 陳詰昌 Email: power.shell@gmail.com**

![image](https://hackmd.io/_uploads/r15oAGY2A.png)

# Module 1: Introduction

## Cloud Computing Fundamentals

### Cloud characteristics

* On-demand self-service
* Broad network access (access from anywhere, using any networked device)
* Resource pooling (resources shared among many tenants)
* Rapid elasticity (capacity can be re-provisioned quickly)
* Measured service (usage can be monitored and metered)

### Cloud service models

* IaaS: virtual machines and abstracted hardware and operating systems delivered through a service API, e.g. Amazon EC2
* PaaS: development tools, configuration management and a development platform for building custom applications, e.g. Google App Engine
* SaaS: software delivered over the network, e.g. Google Docs, Calendar

### Shared responsibility

![](https://hackmd.io/_uploads/r1gMFY2uJn.png)

### Deployment models: chosen according to business needs

* Public cloud: services are offered over the public network
* Private cloud: the cloud infrastructure is dedicated to a single organization
* Community cloud: dedicated to, and shared by, several organizations in a specific community
* Hybrid cloud: a combination of two or more cloud deployments

### Cloud roles

* cloud consumer: uses cloud services
* cloud provider: offers cloud services to interested parties
* cloud carrier: intermediary that provides connectivity and transport between consumers and providers, e.g. a telecom operator
* cloud auditor: independently assesses the controls of a cloud service and gives an opinion (security, privacy, performance)
* cloud broker: manages use, performance and delivery, maintaining the relationship between cloud provider and consumer

## Cloud Computing Goals and Issues

### Security goals

* Data security
* Regulatory compliance
* Cost of operation
* Scalability

### Cloud security issues

* Security classification
  * Security issues the provider must face (is responsible for)
  * Security issues the consumer must face (is responsible for)
* Security models
  * SaaS security issues
  * PaaS security issues
  * IaaS security issues
* Security dimensions
  * Vulnerabilities
  * Risks
  * Threats

### Cloud security risks, threats and vulnerabilities

* Unknown risk profile
* Insecure APIs
* Data loss and leakage
* Inadequate access control
* Lack of multi-factor authentication
* Account or service hijacking

## Insight into Cloud Security

Moving to the cloud does not change the traditional on-premises security measures themselves; it changes where the focus lies. Adopting cloud services does not change on-premises security protocols, but it does change what the cloud consumer has to pay attention to.

### Cloud security vs. traditional (on-premises) security

| Cloud security | Traditional security |
| -------- | -------- |
| Rapid elasticity | Poor elasticity |
| Better resource utilisation | Lower efficiency |
| Low upfront infrastructure investment | High upfront cost |
| Pay only for what is used | High cost |
| Third-party data centre | Self-built data centre |

### Shared responsibility

* Under the shared responsibility model, the cloud service provider and the consumer each carry the security responsibilities assigned to them

![image](https://hackmd.io/_uploads/Sye0YQYhA.png)

### Consumer vs. cloud provider

* Consumer:
  * User security and monitoring (IAM)
    * Users' digital credentials and permissions to access cloud resources
    * Management of digital identities (create, modify, remove) and authorization
  * Data security (encryption and key management)
    * Data encryption
    * Key management
    * Password policy management
    * Periodic assessment of security controls
    * Cloud data backup
  * Application-level security
  * Data storage security
  * Monitoring, logging and compliance
    * Scope: cloud services, applications and infrastructure services
    * Monitor whether the following activities are unauthorised
      * Data copying
      * Data file changes
      * Data file classification changes
      * Data file ownership changes
    * Logging
      * Consolidate all logs
      * Capture enough data (sufficient to reconstruct an event)
      * Control the frequency of log collection and distribution
      * Verify system resilience
* Provider:
  * Shared infrastructure security
    * Firewalls
    * Routers
    * hypervisor
    * Storage
    * Network
    * DNS
    * Directory services
    * API

### Compliance

* An organization that clearly understands its regulatory requirements benefits when the business expands quickly

### CSP evaluation

* Evaluation items
  * Disclosure of security policy, compliance and practices
  * Required disclosures
  * Security architecture
  * Security automation
  * Governance and security accountability

# Module 2: Cloud Platform and Infrastructure Security

* Understand Cloud Platform and Infrastructure
* Understand the Risks and Threats Associated with Cloud Platform and Infrastructure
* Learn how to Secure the Key Components of Cloud Platform and Infrastructure
* Learn how to Design a Secure Data Center in Cloud
* Understand Cloud Platform and Infrastructure Security in AWS
* Learn how to Implement Cloud Platform and Infrastructure Security in AWS
* Understand Cloud Platform and Infrastructure Security in GCP
* Learn how to Implement Cloud Platform and Infrastructure Security in Google
* Understand Cloud Platform and Infrastructure Security in Microsoft Azure
* Learn to Implement Cloud Platform and Infrastructure Security in Microsoft Azure

## Cloud Architecture

### What is cloud infrastructure?

* All the hardware and software needed to deliver cloud services
* Compute, storage and network hardware, virtualisation software and the management layer

### Cloud platform and infrastructure components

* Physical and environmental components: the data centre
* Compute components: provision and manage cloud resources
* Virtualisation components: virtualise compute, storage, memory and network
* Network components: provide controlled communication between computers
  * Service network: communication between the internet and virtual machines; pools network resources
  * Storage network: connects virtual storage to virtual machines
  * Management network: management and API traffic
* Storage components: store and manage data
* Management components: tools and interfaces used to configure and maintain the platform, infrastructure and applications

### Micro-segmentation and Software-Defined Perimeter (SDP)

## Cloud platform and infrastructure risks and threats

* Policy and organizational risks
* General risks
* Virtualisation risks
  * Risks not specific to the cloud
  * Cloud-specific risks
    * Management plane breach
    * Resource exhaustion
    * Isolation failure
    * Insecure data deletion
    * Conflicting-controls risk
* Legal and regulatory risks

### Virtual appliances

# Module 3: Cloud Application Security

* Understand Cloud Application Security
* Discuss cloud application security risks
* Understand Secure Software Development Lifecycle (SSDLC) of Cloud Applications
* Understand DevOps and Continuous Integration/Continuous Deployment (CI/CD)
* Discuss cloud application security controls
* Understand Application Security Features in AWS
* Learn How to Implement Application Security in AWS
* Understand Application Security Features in Azure
* Learn How to Implement Application Security in Azure
* Understand Application Security Features in GCP
* Learn How to Implement Application Security in GCP

# Module 4: Cloud Data Security

* Understand Data Security in Cloud
* Discuss cloud data storage fundamentals
* Understand the cloud storage architecture and life cycle phases
* Evaluate the risks, attacks, and issues in cloud data storage
* Understand data security strategies and technologies in the cloud
* Discuss Information Rights Management Systems
* Discuss Data retention and archiving strategies
* Discuss Storage and Analysis of Data events
* Understand storage services in Amazon Web Services (AWS)
* Learn how to implement data security in Amazon Web Services (AWS)
* Understand storage services in Google Cloud Platform (GCP)
* Learn how to implement data security in Google Cloud Platform (GCP)
* Understand storage services in Microsoft Azure
* Learn how to implement data security in Microsoft Azure

# Module 5: Cloud Security Operations

* Discuss cloud security operations
* Understand elements (standards and methods) in cloud data center physical/logical Operations
* Learn Security Operations to Build Cloud Infrastructure
* Learn How to Perform Security Operations for Cloud Infrastructures
* Learn Security Operations to Manage Cloud Infrastructure
* Discuss Security Configurations Management for Cloud Infrastructure
* Learn to Monitor Security Operations for Cloud Infrastructure
* Understand security operations in Microsoft Azure
* Learn to implement security operations in Microsoft Azure
* Understand security operations in Amazon Web Services (AWS)
* Learn to implement security operations in Amazon Web Services (AWS)
* Understand security operations in Google Cloud Platform (GCP)
* Learn to implement security operations in Google Cloud Platform (GCP)

# Module 6: Cloud Penetration Testing

* Understand the scope of cloud penetration testing
* Learn generic penetration testing steps in the cloud
* Learn AWS-specific penetration testing steps
* Learn Azure-specific penetration testing steps
* Learn GCP-specific penetration testing steps

# Module 7: Cloud Incident Response

* Understand Cloud Incident Response
* Understand Cloud Incident Response Lifecycle
* Understand How SOAR Accelerates Incident Response
* Discuss Security Incident Response in AWS
* Discuss AWS Investigation and Detection Tools
* Discuss Security Incident Response in Microsoft Azure Cloud
* Discuss Security Incident Response in Google Cloud Platform (GCP)

# Module 8: Cloud Forensic Investigation

* Discuss cloud forensics
* Learn how to investigate security incidents in Amazon Web Services (AWS)
* Learn how to investigate security incidents in Microsoft Azure
* Learn how to investigate security incidents in Google Cloud Platform (GCP)

# Module 9: Cloud Business Continuity and Disaster Recovery

* Discuss Cloud Disaster Recovery and Business Continuity
* Learn to Design Disaster Recovery and Business Continuity in Cloud
* Learn to Architect Recovery and Resilience in AWS
* Learn to Implement Recovery and Resilience in AWS
* Understand Business Continuity and Disaster Recovery in Microsoft Azure
* Learn Disaster Recovery Configurations in Azure
* Learn to Implement BC/DR with Azure SQL Database
* Learn to Configure BCDR for Azure Stack Edge VPN
* Understand Various Disaster Recovery Scenarios in Azure
* Learn to Implement BCDR in Azure
* Discuss Azure Partner Solutions for BCDR
* Discuss BC/DR in Google Cloud Platform (GCP)
* Discuss GCP Resources for Disaster Recovery (DR) and Business Continuity Plan (BCP)
* Understand Disaster Recovery for Data in GCP
* Understand Disaster Recovery for Applications in GCP
* Learn to Architect DR for Cloud Infrastructure Outages
* Learn to Implement BCDR in Google Cloud Platform (GCP)
* Discuss Partner Solutions for Implementing BCDR in GCP

# Module 10: Cloud Governance, Risk Management and Compliance

* Understand GRC in the Cloud
* Discuss Cloud Governance
* Learn to Implement and Maintain Governance for Cloud Computing
* Discuss Risk management in the Cloud
* Discuss Risk Management Framework and Process in the Cloud
* Understand Cloud Compliance
* Learn to Implement GRC in the cloud
* Understand GRC in Amazon Web Services (AWS)
* Understand GRC in Azure
* Understand GRC in Google Cloud Platform (GCP)

# Module 11: Cloud Standards, Policies and Legal Issues

* Understand Laws Impacting Cloud Computing
* Learn the Cloud Computing Standards
* Describe the Legal Frameworks for Data Protection and Privacy
* Learn Audit Planning and Reporting in the Cloud
* Describe Outsourcing and Vendor Management
* Understand Standards, Policies, and Auditing in AWS
* Understand Standards, Policies, and Auditing in Azure
* Understand Standards, Policies, and Auditing in GCP
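Returning to the consumer-side monitoring and logging duties listed under Module 1 (watch for unauthorised data copying, file changes, classification changes and ownership changes; consolidate logs; capture enough fields to reconstruct an event), the following is an added example of what that detection logic can look like in practice. It is not code from the course or from any cloud provider: the event format, the `POLICY` allow-list and the `SAMPLE_EVENTS` stream are all constructed for the demo and do not follow any real provider's audit-log schema.

```python
"""Consumer-side review of a consolidated audit-event stream (added example).

The event format and policy here are constructed for illustration; they are
not the audit-log schema of AWS, Azure or GCP.
"""
from collections import Counter

# Fields a record must carry so that the event can be reconstructed later.
REQUIRED_FIELDS = {"ts", "principal", "action", "object"}

# The four activities Module 1 tells the consumer to watch.
WATCHED_ACTIONS = {"copy", "modify", "reclassify", "chown"}

# Constructed authorisation policy: object prefix -> action -> allowed principals.
POLICY = {
    "finance/": {
        "copy": {"backup-svc"},
        "modify": {"alice"},
        "reclassify": {"data-steward"},
        "chown": {"data-steward"},
    },
    "public/": {
        "copy": {"*"},            # anyone may copy public objects
        "modify": {"alice", "bob"},
        "reclassify": {"data-steward"},
        "chown": {"data-steward"},
    },
}


def is_authorized(event, policy=POLICY):
    """True only when the policy explicitly allows this principal to perform
    this action on this object; unknown prefixes or actions are denied."""
    for prefix, rules in policy.items():
        if event["object"].startswith(prefix):
            allowed = rules.get(event["action"], set())
            return "*" in allowed or event["principal"] in allowed
    return False


def review_events(events, policy=POLICY):
    """Walk a consolidated event stream and return a list of findings.

    Two kinds of finding are produced:
      * incomplete   - the record lacks fields needed to reconstruct the event
      * unauthorized - a watched action performed by a principal the policy
                       does not allow
    """
    findings = []
    for ev in events:
        missing = REQUIRED_FIELDS - set(ev)
        if missing:
            findings.append({"kind": "incomplete", "event": ev,
                             "missing": sorted(missing)})
            continue
        if ev["action"] in WATCHED_ACTIONS and not is_authorized(ev, policy):
            findings.append({"kind": "unauthorized", "event": ev})
    return findings


def summarize(findings):
    """Aggregate findings per (principal, kind) so a reviewer sees who did what."""
    return Counter((f["event"].get("principal", "<unknown>"), f["kind"])
                   for f in findings)


# Constructed sample events (not real logs), as they might look once the
# consumer has consolidated logs from several services into one stream.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00Z", "principal": "backup-svc", "action": "copy",
     "object": "finance/q1-ledger.xlsx", "dest": "backup/q1-ledger.xlsx"},
    {"ts": "2024-05-01T08:05:12Z", "principal": "bob", "action": "copy",
     "object": "finance/q1-ledger.xlsx", "dest": "tmp/ledger.xlsx"},
    {"ts": "2024-05-01T08:07:30Z", "principal": "bob", "action": "reclassify",
     "object": "finance/q1-ledger.xlsx", "old": "confidential", "new": "public"},
    {"ts": "2024-05-01T08:09:01Z", "principal": "data-steward", "action": "chown",
     "object": "finance/q1-ledger.xlsx", "old": "alice", "new": "bob"},
    {"ts": "2024-05-01T08:10:44Z", "principal": "alice", "action": "modify",
     "object": "public/readme.txt"},
    # Missing timestamp: cannot be placed on a timeline, so it is flagged.
    {"principal": "eve", "action": "modify", "object": "finance/q1-ledger.xlsx"},
]

if __name__ == "__main__":
    results = review_events(SAMPLE_EVENTS)
    for f in results:
        print(f["kind"], f["event"])
    print(summarize(results))
```

Run as a script it flags bob's copy and reclassification of the finance ledger as unauthorized and eve's record as incomplete, while the backup service's copy and the data steward's ownership change pass. The deny-by-default in `is_authorized` is the design point: an object under a prefix the policy does not mention, or an action the policy does not list, is reported rather than silently allowed.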