CCSP Domain 1: Architectural Concepts & Design Requirements
The Certified Cloud Security Professional certification, or CCSP, is a certification hosted by the joint effort of (ISC)2 and the Cloud Security Alliance (CSA). This exciting credential is designed for cloud-based information security professionals and ensures that the certification holder has acquired the requisite skills, knowledge and abilities in cloud implementation, security design, controls, operations and compliance with applicable regulations.
The CCSP certification exam comprises six domains: Architectural Concepts and Design Requirements, Cloud Data Security, Cloud Platform and Infrastructure Security, Operations, Cloud Application Security and Legal and Compliance. This article will detail the Architectural Concepts and Design Requirements of the CCSP exam and what candidates preparing for the CCSP certification can expect on the exam with regard to this domain.
The Architectural Concepts and Design Requirements domain of CCSP currently accounts for 19% of the material covered by the CCSP certification exam.
Below, you will find an exploration of the different subsections of this domain and what information you can expect to be covered on the CCSP certification exam.
1.1 Understand Cloud Computing Concepts
For this subsection, you will be responsible for basic cloud computing concepts and definitions that can be found in the international standards laid out in ISO/IEC 17788:2014 cloud computing standards.
In ISO/IEC 17788:2014 you will find explanations of basic concepts and definitions of terms related to cloud computing. Below are some examples of what you can expect to find in the international standards:
“3.2.5 cloud computing: Paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand.”
“3.2.8 cloud service: One or more capabilities offered via cloud computing (3.2.5) invoked using a defined interface.”
“3.2.7 cloud deployment model: Way in which cloud computing (3.2.5) can be organized based on the control and sharing of physical or virtual resources.”
As you can see from above, the concepts and definitions that you are required to know are really the foundation for an understanding of cloud computing security.
There are three other types of information you will be expected to explain in this subsection. This information includes:
- Cloud Computing Roles: Cloud computing roles include cloud service partner, cloud service customer and cloud service provider
- Key Characteristics of Cloud Computing: Key characteristics include broad network access, on-demand self-service, multi-tenancy, resource pooling, rapid elasticity and scalability and measured service
- Building Block Technologies: Includes databases, storage, networking and virtualization
1.2 Describe Cloud Reference Architecture
For this subsection, you will be required to describe cloud reference architecture. This information can be divided thusly:
- Cloud Computing Activities: These activities can be found in ISO/IEC 17789, clause 9. Examination candidates will be expected to describe the activities found within the international standards referenced
- Cloud Service Capabilities: These cloud service capabilities include platform capability type, application capability type and infrastructure capability types
- Cloud Deployment Models: These deployment models include community, public, private and hybrid models
- Cloud Service Categories: Categories include SaaS, PaaS, IaaS, DSaaS, and CompaaS
- Cloud Cross-Cutting Aspects: These cross-cutting aspects include security, interoperability, portability, reversibility, privacy, availability, governance, performance, service levels, service level agreements, auditability and regulatory aspects
1.3 Understand Security Concepts Relevant to Cloud Computing
There are several security concepts relevant to cloud computing that CCSP exam candidates will be expected to explain for the CCSP certification exam. The following security concepts can be expected to be on the CCSP certification exam:
- Cryptography: Concepts related to cryptography include encryption, key management, in motion and at rest
- Access Control: For example, how access control protects cloud login credentials. In real-world practice, organizations tend to manage access control locally due to its importance to organizational information security
- Data and Media Sanitization: The ability to effectively and safely remove all data from data media or systems, and making the data inaccessible, is a crucial aspect to ensuring data confidentiality and effectively managing a secure data life cycle in the cloud. Examples include cryptographic erase and data overwriting
- Network Security
- Virtualization Security: Such as hypervisor-based security
- Common Threats: “Common Threats” is based off of CSA’s Notorious Nine designation of cloud common threats. These threats include data breach, data loss, insecure interfaces, account and service hijacking, DoS and DDoS attacks, malicious insiders, abuse of cloud-based services, shared technology vulnerabilities, insufficient due diligence and due care
- Security Considerations for Different Cloud Categories: These considerations include SaaS data segregation, protection against malware for PaaS, and other cloud categories with the suffix *aaS such as IaaS VM attacks
1.4 Understand Design Principles of Secure Cloud Computing
It is interesting to note that CCSP domain 1 includes design principles of secure cloud computing. Among the secure design principles that you will be responsible to describe on the exam include:
- Secure Cloud Data Lifecycle: You will be expected to know the six key stages in the data life cycle, which are Create, Store, Use, Share, Archive and Destroy
- Cloud-Based Disaster Recovery Planning/Continuity of Business: Certification candidates should be able to differentiate between Disaster Recovery Planning (DR) and Business Continuity (BC). Candidates will also need to be able to describe the two critical success factors for BC plans. These success factors are:
- Understanding what responsibilities are your and which are your cloud service provider’s responsibilities
- Clearly state and prove what the cloud service level agreement components are covered and the depth of their coverage
- Functional Security Requirements including interoperability, portability and vendor lock-in
- Cost-Benefit Analysis: Cost-benefit analysis is an important part of cloud design because designs which are too expensive to implement form the bounds of the possible tenable cloud implementations. As a matter of fact, cost has often been called the “key driver” for whether an organization will adopt cloud computing in some capacity. Along with cost, other related concepts you will responsible for are resource pooling, shifting from capital expenditure to operational expenditure, time and efficiency considerations and depreciation
1.5 Identify Trusted Cloud Services
The last subsection within Domain 1 of the CCSP certification exam is to identify trusted cloud services. This subsection is comprised of two parts as shown below:
- Certification Against Criteria: Exam candidates will need to know what role “certification against criteria” plays in identifying trusted cloud services
- System and Subsystem Product Certifications: Using standards, including common criteria and FIPS 140-2
CCSP is a great certification to earn for information security professionals that want to focus their career on cloud computing security. To pass this certification exam, you will have to master the six domains of CCSP. Domain 1 can be mastered relatively easily, and if you solidify your understanding of the subsections set out above you should have no problem mastering this domain of the CCSP certification exam.
CCSP Certification Exam Outline, (ISC)2
ISO/IEC 17788:2014, ISO
CCSP Module 4, Cybrary
Adam Gordon, “The Official (ISC)2 Guide to the CCSP CBK,” John Wiley & Sons, 2016