Cloud computing has proved itself a powerful means for organizations to grow their business in terms of cost and time efficiency, profitability and overall business growth. However, as more organizations adopt cloud computing, they have to understand and study its security implications in order to implement it successfully for the long-term profitability of the business. For this, organizations need experienced and competent professionals who are equipped with adequate knowledge of and skills in cloud security. Organizations need Certified Cloud Security Professionals (CCSPs).
Cloud security certification equips professionals with in-depth knowledge and competency resulting from hands-on experience in software, information, cloud computing and cyber security. It is supported by the Cloud Security Alliance (CSA) and the International Information System Security Certification Consortium (ISC)².
(ISC)² and CSA are renowned organizations in the information security and cloud industries respectively, and their combined effort offers a vendor-neutral professional certification in cloud security. The certification answers a demand of the global information security industry, as cloud computing has evolved into an area of concern requiring security considerations. (ISC)² strives to address security within the cloud environment so that the information security and IT industries can continue to flourish. The Cloud Security Alliance (CSA) gives subject matter experts, governments, associations, etc. a platform to provide education, research, certification and products that benefit all stakeholders.
CCSP has been designed for information security professionals who are already experienced in the field and have at least five years of combined full-time experience in information security and cloud security. In this article we provide a brief overview of the six domains of knowledge of the CCSP, which focus specifically on cloud computing and assume that the candidate already has the information security experience mentioned above.
CCSP exam domains and weights are given in the table below:
| Domain | Weight |
|---|---|
| 1. Architectural Concepts & Design Requirements | 19% |
| 2. Cloud Data Security | 20% |
| 3. Cloud Platform & Infrastructure Security | 19% |
| 4. Cloud Application Security | 15% |
| 5. Legal and Compliance | 12% |
Domain 1 – Architectural Concepts and Design Requirements
This domain relates to fundamental cloud computing concepts. Candidates need to be familiar with cloud security issues such as encryption, network security, access control and hypervisor security. The domain focuses on securing cloud computing environments such as software, infrastructure and platform services. Candidates need to be able to demonstrate their understanding of cloud security design principles and cloud service certification programs.
Exam content includes concepts and definitions of cloud computing based upon ISO/IEC 17788 and secure cloud computing concepts and principles.
Main content includes:
- Cloud computing concepts – includes definitions, roles (customer, provider, etc.), characteristics (self-service on demand, multi-tenancy, etc.) and building block technologies (storage, networking)
- Cloud reference architecture – includes activities, deployment models, cloud service categories (SaaS, IaaS, etc.), cloud cross-cutting aspects (portability, interoperability, reversibility, security, resiliency, privacy, availability, etc.)
- Security concepts related to cloud computing – cryptography, access control, data and media sanitization, network security, virtualization security, common threats and security considerations for various cloud categories
- Secure design principles of cloud computing – cloud secure data lifecycle, business continuity and disaster recovery planning in cloud, cost benefit analysis and functional security requirements.
- Identification of trusted cloud services – certification against criteria, system/subsystem product certification such as FIPS 140-2
Domain 2 – Cloud Data Security
This domain tests a candidate’s knowledge of technical security issues specific to the cloud. It includes cloud data storage architectures and the controls used for securing them, e.g. encryption, data masking, tokenization and data life cycle management. This domain also covers Data Rights Management (DRM) technology and data deletion, retention and archiving policies. It encompasses all principles, concepts, standards and structures used for designing, implementing, monitoring and securing the networks, operating systems, equipment, applications, and controls that enforce confidentiality, integrity and availability in the cloud.
Exam content from this domain is based upon:
- Cloud Data Lifecycle – phases, data security technologies
- Design and Implementation of Cloud Data Storage Architectures – storage types, threats to storage types and available technologies for addressing the threats, such as encryption
- Design and Application of Data Security Strategies – encryption, key management, masking, tokenization, application of technologies and emerging technologies
- Knowledge and Implementation of Data Discovery and Classification Technologies – data discovery, data classification
- Design and Implementation of related Jurisdictional Data Security for Personally Identifiable Information (PII) – Data privacy acts, data discovery implementation, sensitive data classification, definition and mapping of controls, application of PII defined controls.
- Design and Implementation of Data Rights Management – data rights objectives (users and roles, provisioning), appropriate tools (e.g. issuing and replicating certificates)
- Planning and Implementation of Data Retention, Removal, and Archiving Policies – data retention policies, data deletion and data archiving mechanisms and procedures
- Design and Implementation of Auditability, Detection and Accountability of Data Events – data event logging, storage and analysis of data events, continuous optimization, and chain of custody.
Domain 3 – Cloud Platform and Infrastructure Security
This domain covers virtual and physical security risks related to cloud infrastructure. This comprises communication between cloud services, safeguarding of virtualization platforms and execution of audit mechanisms. A candidate should be able to carry out a cloud risk assessment and develop the security controls required to address the identified security risks. The domain also covers how business continuity and disaster recovery plans for cloud services can be developed and implemented.
Exam content from this domain is based upon:
- Cloud Infrastructure components – physical environment, network and communications, compute, virtualization, storage, management plane
- Cloud infrastructure risk assessment – risk assessment analysis, cloud attack vectors, virtualization risks, countermeasure strategies
- Designing and planning of security controls – physical and environmental protection, system and communication protection, protection of virtualization systems, audit mechanisms, identification management
- Disaster Recovery and Business Continuity Management Plans – understanding cloud environment, business requirements, risks, business continuity, plan creation, plan implementation
Domain 4 – Cloud Application Security
This domain explores the application security issues that exist in cloud computing. A candidate will be tested on their ability to comprehend the software development life cycle (SDLC), cloud software assurance, and the optimum combination of cloud computing services with identity and access management solutions.
Exam content includes:
- Application security training and awareness – cloud development basics, pitfalls, vulnerabilities
- Cloud software validation and assurance – functional testing, cloud-based security testing (e.g. DAST, SAST, pentesting)
- Usage of verified software – approved API, supply chain management, community knowledge
- Understanding of Software Development Life Cycle (SDLC) – phases and methodologies, business requirements, software configuration management
- Application of Secure Software Development Life Cycle – common vulnerabilities, cloud-specific risks, service quality, threat modeling
- Cloud application architecture – cryptography, additional security services, sandboxing, application virtualization
- Designing of IAM (Identity and Access Management) solutions – federated identity, single sign-on, identity providers, multi-factor authentication
Domain 5 – Operations
The operations domain covers operational issues arising out of using cloud computing services. It focuses on cloud infrastructure management and security professionals who work for cloud service providers. It mostly concerns technical issues such as the design, execution and management of logical and physical cloud infrastructure. It also defines media, hardware and operator controls and the tools and facilities for audit and monitoring.
Exam questions from this domain will include questions related to:
- Planning process of the Data Center Design – logical design, physical design, environmental design
- Development and implementation of Physical infrastructure of Cloud – secure configuration of hardware, configuration and installation of Virtualization Management Tools
- Running and management of physical infrastructure for Cloud – access control configuration for local access, secure network configuration, OS hardening, stand-alone host availability, clustered hosts availability, patch management, performance monitoring, hardware monitoring, log capture and analysis, etc.
- Building, running and managing logical infrastructure for cloud – secure configuration of virtual hardware-specific requirements, secure network configuration, OS hardening via baseline application, Guest OS availability, remote access control, network security implementation, log capture and analysis, management plane, performance monitoring, OS baseline remediation and compliance monitoring
- Complying with frameworks and regulations such as ISO/IEC 20000-1 and ITIL – change management, information security management, continuity management, continual service improvement, problem management, incident management, release management, configuration management, deployment management, service level management, capacity management, availability management.
- Carrying out physical and logical infrastructure risk assessment
- Understanding of collection and preservation of digital evidence – forensic data collection methodologies, evidence management
- Managing communication with concerned parties – vendors, customers, regulators, partners, other stakeholders
Domain 6 – Legal and Compliance
This domain tests a candidate’s knowledge of legal and regulatory issues arising as a result of adopting cloud computing services. It covers how enterprise risk management can be impacted by cloud computing and how cloud security controls are audited. It also includes security issues of outsourcing, cloud contract design, cloud computing vendor management, investigative techniques, evidence collection such as forensics, legal controls, etc., and privacy issues.
Exam content includes questions related to a candidate’s knowledge of:
- Unique risks and legal requirements of cloud environment – international legislation conflicts, legal controls, appraisal of legal risks, eDiscovery, forensics requirements
- Privacy issues, including jurisdictional variation – contractual and regulated PII differences, country-specific PII-related legislation, difference amongst confidentiality, integrity and availability
- Audit process and methodologies of cloud computing environment – external and internal audit controls, audit report types, gap analysis, audit plan, internal information security management system, policies, internal information security controls system, impact of distributed IT model
- Enterprise Risk Management of cloud – risk mitigation, access providers risk management, difference between data controller, custodian, etc., regulatory transparency requirements, risk frameworks, risk management metrics
- Cloud Contract Design and Outsourcing – business requirement (e.g. SLA), vendor management, contract management
- Vendor management – supply-chain management
The exam is not meant for novice learners and can only be attempted by experienced security professionals familiar with cloud computing.