CCSP Domain 2: Cloud Data Security

Introduction

The Certified Cloud Security Professional certification, or CCSP, is a certification hosted by the joint effort of (ISC)2 and the Cloud Security Alliance (CSA). This exciting credential is designed for cloud-based information security professionals and ensures that the certification holder has acquired the requisite skills, knowledge and abilities in cloud implementation, security design, controls, operations and compliance with applicable regulations.

The CCSP certification exam comprises six domains: Architectural Concepts and Design Requirements, Cloud Data Security, Cloud Platform and Infrastructure Security, Operations, Cloud Application Security and Legal and Compliance. This article will detail the Cloud Data Security domain of the CCSP exam and what candidates preparing for the CCSP certification can expect on the exam.

The Cloud Data Security domain of CCSP currently accounts for 20% of the material covered by the CCSP certification exam.

Below you will find an exploration of the different subsections of this domain and what information you can expect to be covered on the CCSP certification exam.

2.1 Understand Cloud Data Lifecycle (CSA Guidance)

The first subsection of Domain 2 of the CCSP certification exam is all about understanding the cloud data life cycle as introduced in the Securosis Blog and later assimilated into the CSA guidance. What this accomplishes is it enables the organization to map all the different phases of the cloud data life cycle as against required controls for each phase of the life cycle.

It is important to note that the data life cycle serves as a framework to map use cases, with regard to data access and assisting in the development of relevant controls for each state of the life cycle. It is also important to note that the life cycle referenced is intended to serve as a standardized approach to data life cycle and security.

Phases

The phases of the cloud data life cycle, as laid out in CSA Guidance, are the following:

1. Create
2. Store
3. Use
4. Share
5. Archive
6. Destroy

Aside from the life cycle phases, successful exam candidates will also need to be able to describe the steps of the life cycle. These steps are:

1. Map the different cloud data life cycle phases
2. Integrating the different access types and data locations
3. Map into the different functions, controls and actors

Relevant Data Security Technologies

This subsection of Domain 2 also covers relevant data security technologies that you may need to use in order to safeguard the confidentiality, integrity and availability of cloud-based data. The controls and technologies covered include:

• Data leakage prevention
• Encryption
• Obfuscation, anonymization, masking, and tokenization

2.2 Design and Implement Cloud Data Storage Architectures

Cloud data security often depends upon cloud data storage architectures, making their design and implementation critical.

Storage Types

There are three main types of storage you will be responsible to describe thoroughly: IaaS, PaaS and SaaS.

IaaS

Infrastructure-as-a-service, or IaaS, cloud services can be best described as self-service models of accessing, managing and monitoring remote infrastructures (often data centers). The storage types associated with IaaS are:

• Volume storage: Most often a virtual hard drive that is attached to a virtual machine or host
• Object storage: File share accessed via web interface or API. Real-world examples include Rackspace and Amazon S3

PaaS

PaaS or platform-as-a-service, sometimes referred to as cloud platform services, is used in development environments and particularly with application development. This storage type is used as a framework to build upon, allowing for customized applications. The storage types used by PaaS can be found below:

• Structured: Defined as information displaying a high degree of organization, where relational database inclusion is seamless and readily searchable using simple search engine algorithms or search operations
• Unstructured: Information that is not presented in the traditional row-column database orientation

SaaS

Cloud application software-as-a-service, or SaaS, is a very popular choice for some organizations. This storage type offers web-based application delivery while being managed by the vendor with interfaces that are accessed via one or multiple APIs on the client side. SaaS uses the following:

• Information storage and management: This storage type stores data within the SaaS application. Physically speaking, the data storage uses databases with either volume or object storage
• Content and file storage
• Ephemeral storage: Often used to swap files and other temporary storage needs, this storage type is used with IaaS instances and is terminated when the instance is closed
• Content delivery network (CDN)
• Raw storage
• Long-term storage

Threats to Storage Types

This subsection will also cover threats to storage types. Some of these threats include:

• ISO\IEC 27040
• Unauthorized access
• Unauthorized usage
• Regulatory noncompliance-based liability
• DoS and DDoS
• Modification, corruption and destruction of data
• Data breaches/leakages
• Theft or accidental loss
• Malware attack
• Improper sanitization or treatment of data after end of use

Technologies Available to Address Threats

Covered technologies include:

• Encryption
• DLP

2.3 Design and Apply Data Security Strategies

• Encryption: In real-world practice, it would be practically impossible to secure cloud storage without the use of encryption
• Key management: “Key” (pun intended) considerations include level of protection, key recovery, key distribution, key revocation, key escrow, key management (and the outsourcing thereof)
• Masking
• Tokenization
• Application of technologies: Includes considerations such as the time/length of storage versus the organization’s encryption needs, compliance and so on.
• Emerging technologies: Including data obfuscation, bit splitting, homomorphic encryption

2.4 Understand and Implement Data Discovery and Classification Technologies

Successful CCSP certification candidates will be responsible for explaining and implementing data discovery and classification technologies regarding cloud data security.

Data Discovery

There are several areas of data discovery covered in this subsection of Domain 2. Below, you will find the different areas of data discovery covered and what considerations you will be required to describe:

Data Discovery Approaches

• Big data
• Real-time analytics
• Agile analytics and business intelligence

Different Data Discovery Techniques

• Metadata
• Labels
• Content analysis

Data Discovery Issues

• Poor data quality
• Dashboards
• Hidden costs

Challenges With Data Discovery in the Cloud

• Identifying where the data is
• Accessing the data
• Performing preservation and maintenance

Classification

It is recommended to use data classification when implementing data controls, including encryption and DLP. Certain regulations also require data classification. These data classification categories need to match the control used by the organization. Below are some of the different data classification categories that will be covered:

• Data type (structure, format)
• Context
• Jurisdictional and other legal constraints
• Ownership
• Trust levels
• Source of origin
• Contractual constraints
• Business constraints
• Data retention and preservation obligations
• Data value, sensitivity and criticality

2.5 Design and Implement Relevant Jurisdictional Data Protections for Personally Identifiable Information (PII)

CCSP exam candidates are expected to explain the following with regard to this subsection:

• Data privacy acts
• Classification of discovered data (sensitive)
• Data discovery implementation
• Definition and mapping of controls
• Application of defined PII controls

2.6 Design and Implement Data Rights Management

• Data rights objectives: Including provisioning, role-based access, users and roles
• Appropriate tools: Including issuing certificates and certificate replication

2.7 Plan and Implement Data Retention, Deletion and Archiving Policies

• Data retention policies
• Data deletion procedures and mechanisms
• Data archiving procedures and mechanisms

2.8 Design and Implement Auditability, Traceability and Accountability of Data Events

• Definition of event identity and sources attribution requirement
• Data event storage and analysis: Including event management and security information
• Data event logging
• Continuous optimizations: Including add new rules, new events detected, reduction of false positives
• Non-repudiation and chain of custody

Conclusion

Without a doubt, CCSP Domain 2 is one of the more rigorous and content-rich domains of the CCSP certification exam. If you are a CCSP exam candidate, use the above article as guidance for your study and you will be on track to a passing score on the CCSP certification exam.

Sources

CCSP, (ISC)2

CCSP Certification Exam Outline, (ISC)2

Brian T. O’Hara and Ben Malisow, “CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide,” John Wiley & Sons, 2017

Adam Gordon, “The Official (ISC)2 Guide to the CCSP CBK,” John Wiley & Sons, 2016

Be Safe

Section Guide

Greg
Belding

View more articles from Greg

Earn your CCSP the first time with Infosec and pass your exam, GUARANTEED!

Learn more