CCSP Domains 5 & 6:
Cloud Security Operations + Legal, Risk & Compliance

• HSM (Hardware Security Module): Dedicated tamper-resistant cryptographic hardware. Generates, stores, and manages encryption keys in hardware — cannot be exported. Used for PKI root CAs, payment processing, cloud KMS backing.
• TPM (Trusted Platform Module): Chip embedded in hardware for secure boot verification, attestation, and key storage. Ensures the boot process hasn't been tampered with.
• Secure by default: Disable unnecessary services, change all default credentials, apply hardening baselines (CIS Benchmarks) before any deployment to production.
• Hypervisor Type 1 (bare metal): Runs directly on hardware — VMware ESXi, Microsoft Hyper-V, Xen. Higher performance, preferred in enterprise cloud.
• Hypervisor Type 2 (hosted): Runs on top of an OS — VirtualBox, VMware Workstation. Lower performance, used for dev/test.
• Virtual hardware security: SDN (software-defined networking) for network virtualization, storage virtualization, memory isolation between VMs, CPU pinning to prevent side-channel attacks.
• Guest OS toolsets: VMware Tools / Hyper-V Integration Services improve performance, enable snapshot coordination, and support secure guest-host communication.
• Management plane: Orchestration tools (Terraform, Ansible, cloud-native APIs) — must be secured; compromise of management plane = full cloud takeover.

• Access controls: RDP (Windows remote management), SSH (Unix/Linux), bastion hosts/jumpboxes (single hardened entry point), SSO (single sign-on for admin access), console access (out-of-band management).
• Secure network configuration: VLANs for traffic segmentation, TLS 1.2+ for encrypted transport, DHCP snooping to prevent rogue DHCP, DNSSEC for DNS integrity, VPN tunnels for secure remote access.
• Network security controls:

  Control	Function
  Stateful Firewall	Tracks connection state; blocks unsolicited traffic
  Next-Gen Firewall (NGFW)	Deep packet inspection, app awareness, IPS integration
  IDS	Detects and alerts on threats — passive monitoring
  IPS	Detects and blocks threats inline — active prevention
  Honeypot	Decoy system to lure and study attackers
  Network Security Groups	Cloud-native L3/L4 traffic filtering (AWS SG, Azure NSG)

• OS hardening: CIS Benchmark baselines for Windows/Linux/VMware; remove unnecessary packages, disable unused ports, configure audit logging, monitor for configuration drift.
• Patch management cycle: Vulnerability identified → assess severity (CVSS) → test patch in non-prod → deploy → verify remediation. Emergency patching bypasses test for critical CVEs.
• High availability: Clustered hosts with DRS (Dynamic Resource Scheduling), VMware HA, storage clusters (shared SAN/NAS). Maintenance mode migrates VMs before host downtime.
• Performance monitoring: Network throughput, CPU utilization, storage IOPS, response time, disk health (SMART data), CPU temperature, fan speed — holistic infrastructure health view.
• Backup and restore: Host-level and guest-OS-level backups, snapshot management (not a substitute for backups), regular restore testing to validate RTO/RPO.

Order of Volatility — collect most volatile evidence first:

1. CPU registers & cache (most volatile — lost instantly on shutdown)
2. RAM / main memory (process data, active connections, encryption keys)
3. Swap space / virtual memory
4. Local disk storage
5. Remote logs / network storage
6. Archives / backup media (least volatile)

• Write blockers: Hardware or software tools that prevent any writes to the evidence drive during forensic imaging — maintains integrity.
• Forensic imaging: Bit-for-bit copy of storage media (dd command, FTK Imager). Hash (MD5/SHA-256) taken before and after — must match to prove integrity.
• Chain of custody: Document every person who handles evidence — who, what, when, where, why. Break in chain = evidence potentially inadmissible.
• Cloud forensics challenges:
  • Multi-tenancy: Evidence co-mingled with other tenants' data — isolation and separation required
  • Jurisdiction: Data stored across multiple countries — legal authority to access varies
  • Ephemeral instances: Auto-scaling and serverless resources may terminate before forensics can be conducted
  • CSP cooperation: Cloud provider must be engaged; legal process (subpoena/warrant) may be required
• Cloud-specific tools: Cloud provider APIs for audit log/trail extraction, snapshot acquisition for VM forensics, VPC flow logs for network forensics.
• ISO standards: ISO/IEC 27037 (identification/collection), 27041 (assurance), 27042 (analysis), 27043 (investigation principles).

Key: GDPR requires breach notification to supervisory authority within 72 hours of becoming aware. Notification to affected individuals required if likely to result in high risk.

• SOC structure: Tier-based analyst model — L1 (triage/alert screening) → L2 (investigation/correlation) → L3 (threat hunting/forensics). 24/7 monitoring with documented playbooks.
• AI/ML in SOC (2026 explicit): Artificial intelligence for anomaly detection, UEBA (User and Entity Behavior Analytics) to baseline normal behavior and flag deviations, ML-powered threat detection in SIEM/SOAR.
• SIEM: Centralized log aggregation, correlation across systems, real-time alerting, threat intelligence integration (IOCs, TTPs). Examples: Splunk, Microsoft Sentinel, IBM QRadar.
• SOAR: Security Orchestration, Automation and Response — automates repetitive SOC tasks, orchestrates response playbooks, integrates with SIEM and other tools. Reduces MTTR (mean time to respond).
• Incident Response (PICERL):
  1. Preparation — policies, playbooks, tools, training
  2. Identification — detect and confirm incident exists
  3. Containment — limit spread (short-term: isolate; long-term: rebuild)
  4. Eradication — remove root cause (malware, backdoors, vulnerabilities)
  5. Recovery — restore and verify systems back to normal
  6. Lessons Learned — post-incident review, update procedures
• Vulnerability assessments: Scheduled scanning, authenticated (inside view) vs. unauthenticated (attacker view), cloud-native tools (AWS Inspector, Azure Defender for Cloud, GCP Security Command Center).
• Penetration testing: Black box (no knowledge), gray box (partial), white box (full knowledge). Cloud-specific: must notify CSP before testing — cloud providers have rules of engagement; unauthorized pentesting violates ToS.
• ITSM processes tested in this domain: Change management, Incident management, Problem management (root cause analysis), Configuration management (CMDB), Release management, Service-level management, Availability management, Capacity management, Continual Service Improvement (CSI).

• Conflicting international legislation: Data stored in Country A is subject to Country A's laws — even if the data belongs to a citizen of Country B. US CLOUD Act allows US authorities to demand data from US companies regardless of where stored, potentially conflicting with GDPR.
• Jurisdiction analysis: Where is the data physically stored? Which country's law applies to disputes? What are the legal remedies available? Critical in multi-cloud, multi-region deployments.
• Legal holds: When litigation is anticipated, automatic deletion and retention policies must be suspended to preserve potentially relevant data (litigation hold). Cloud automation can inadvertently destroy evidence.
• Privacy laws by geography:

  Law	Jurisdiction	Key Feature
  GDPR	EU/EEA	72-hr notification, right to erasure, data portability
  CCPA/CPRA	California, USA	Right to know, opt-out of sale, non-discrimination
  LGPD	Brazil	Similar to GDPR; ANPD enforcement authority
  PIPL	China	Data localization requirements; consent-heavy
  PDPA	Singapore	Consent model, breach notification within 3 days

• eDiscovery in cloud: ISO/IEC 27050 governs eDiscovery guidance. Challenges: distributed storage across regions, encrypted data (must preserve keys), third-party holds, API-based data retrieval.
• Forensics ISO standards: 27037 (identification/collection), 27041 (assurance/investigation), 27042 (analysis/interpretation), 27043 (incident investigation principles).

• PHI (Protected Health Information): Regulated by HIPAA — 18 identifiers, de-identification standards, BAA (Business Associate Agreement) required for cloud processors.
• PII (Personally Identifiable Information): Regulated by GDPR, CCPA, and others — any information that identifies or can identify an individual.
• FERPA: Family Educational Rights and Privacy Act — US student education records; schools must have written consent before disclosing records.
• PIPEDA: Canada's Personal Information Protection and Electronic Documents Act — consent-based, breach notification requirements.
• GDPR key obligations: Lawful basis for processing, data minimization, purpose limitation, storage limitation, 72-hour breach notification to supervisory authority, data subject rights (access, erasure, portability, rectification).
• DPDPA (Digital Personal Data Protection Act) New 2026: India's comprehensive privacy law — data fiduciaries (controllers), data principals (individuals), consent framework, data localization considerations, significant data fiduciary designation.
• Cross-border transfer mechanisms: GDPR Standard Contractual Clauses (SCCs), adequacy decisions, Binding Corporate Rules (BCRs) for intra-group transfers.
• Privacy Impact Assessment (PIA) / DPIA: GDPR mandates Data Protection Impact Assessments for high-risk processing activities (large-scale, sensitive data, systematic monitoring). Must be completed before processing begins.
• ISO/IEC 27018: Code of practice for PII protection in public cloud — controls for cloud processors acting as PII processors.
• GAPP: Generally Accepted Privacy Principles — 10 principles from AICPA/CPA Canada used as privacy framework baseline.

Trust Service Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, Privacy — all or subset can be in scope for SOC 2.

• Cloud audit challenges: Multi-tenancy prevents physical inspection of infrastructure; CSPs restrict scope of penetration testing; shared responsibility means audit scope is split.
• Right-to-audit clause: Contract provision giving the customer the right to audit the CSP's security controls — critical in cloud contracts. Without it, customers must rely solely on third-party audit reports.
• Gap analysis: Compare current control posture against target framework — identifies missing or deficient controls. Risk and Control Self-Assessment (RCSA) is the internal version.
• ISO 27001 ISMS: Plan (scope, risk assessment) → Do (implement controls) → Check (monitor, audit) → Act (correct, improve) — continuous PDCA cycle.

Data Roles:

Risk Treatment Options (AMSTA):

• Avoid: Don't perform the risky activity at all
• Mitigate: Implement controls to reduce likelihood or impact
• Share: Distribute risk across parties (shared responsibility model)
• Transfer: Shift financial risk to a third party — cyber insurance, contractual liability
• Accept: Tolerate the residual risk; document the decision

• Risk frameworks: ISO 31000 (risk management principles), NIST RMF (federal), FAIR (quantitative risk analysis), OCTAVE (asset-centric, operationally focused).
• KRIs (Key Risk Indicators): Metrics that signal increasing risk — patch lag time, open critical vulnerabilities, failed access attempts. Different from KPIs (performance) and KCIs (control effectiveness).
• Risk appetite vs. tolerance: Appetite = how much risk the organization is willing to accept strategically. Tolerance = the acceptable deviation from risk appetite before action is required.
• Regulatory transparency: GDPR 72-hour breach notification; HIPAA 60-day notification to HHS; SOX financial controls disclosure; state breach notification laws vary widely.

Critical contract clauses for cloud security:

• Right-to-audit: Customer may audit or commission audit of CSP controls
• Data ownership & portability: Who owns the data; export formats; data return on termination
• Termination clauses: Notice periods, data deletion timelines, transition assistance
• Breach notification: CSP obligations to notify customer within defined timeframes
• Escrow agreements: Source code or data in escrow in case CSP goes bankrupt
• Cyber risk insurance: Coverage requirements, incident response coverage
• Litigation support: CSP obligations to preserve evidence for legal holds
• Vendor lock-in risk: Proprietary APIs, data formats — mitigate with portability requirements and open standards
• ISO/IEC 27036: Standard for information security in supplier relationships — governs the risk management approach for outsourcing and cloud procurement.