CCSP Domain #2: Cloud data security [updated 2021]

December 7, 2021 by Mosimilolu Odusanya

Earning the CCSP means the candidate has the right knowledge and skills to secure a cloud environment. Successful candidates must understand the types of activities, risks, appropriate security controls and storage architectures required to ensure data security in a cloud environment. The following topics are included in this domain, as per the “Official (ISC)² Guide to the CCSP CBK.” This domain represents 19% of the CCSP certification exam.

This article will explore the various subsections in Domain 2 of the CCSP exam and what information a candidate is expected to know and understand before sitting for the CCSP exam.

Domain 2: Cloud data security

Describe cloud data concepts

Candidates will need to understand the following:

  • The data lifecycle (i.e., from creation to storage to usage to sharing to archival to destruction) in a cloud environment.
  • How data privacy laws (e.g., the European Union (EU) General Data Protection Regulation (GDPR)) and data residency requirements affect the storage and location of data in the cloud.
  • The dispersion of data to ensure availability.

Design and implement cloud data storage architectures

Candidates will need to understand the storage types and options, as well as the threats and countermeasures applicable to the different cloud service models.

Storage types

  • Infrastructure as a Service (IaaS): ephemeral, raw, long-term, volume and object
  • Platform as a Service (PaaS): disk, databases, binary large object (blob)
  • Software as a Service (SaaS): information storage and management, content and file storage and content delivery network (CDN)

Threats to storage types

Candidates will need to understand threats to cloud storage, such as unauthorized access, regulatory noncompliance, jurisdictional issues, malware and ransomware, and the appropriate countermeasures.

Design and apply data security technologies and strategies

Candidates will need to understand various data security technologies and strategies that a cloud consumer can apply in protecting the data stored in a cloud environment.

  • Encryption (e.g., storage-level encryption, file-level encryption, etc.) and key management
  • Hashing
  • Masking
  • Tokenization
  • Data loss prevention (DLP) for data in use, in transit and data at rest
  • Data obfuscation
  • Data de-identification

Implement data discovery

Candidates will need to understand how to locate data (both structured and unstructured data) residing in the cloud environment before the data can be classified and protected. In addition, candidates will need to understand key terms such as data lake and warehouse, data mart, data mining, online analytical processing (OLAP) and machine learning/artificial intelligence (ML/AI).

Implement data classification

Candidates will need to understand how to identify, map, label and classify data to determine the policies and controls required based on their sensitivity. Other factors include:

  • Data types: protected health information (PHI), personally identifiable information (PII) and cardholder data
  • Legal constraints
  • Ownership
  • Value/criticality

Keys to be considered in data classification

  • Compliance requirements
  • Data retention and disposal requirements
  • Sensitive vs. regulated data
  • Appropriate/approved uses of data
  • Access control and authorization
  • Encryption needs

Designing and implementing information rights management (IRM)

Candidates will need to understand how IRM works, its importance and its pitfalls in cloud environments, especially on the security and privacy of an organization’s sensitive data. There are two categories of IRM: consumer-grade IRM, also known as digital rights management (DRM), and enterprise-grade IRM.

Candidates will need to understand the various attributes of an IRM system such as persistence, dynamic policy control, expiration and continuous audit trail.

Appropriate tools

Candidates will need to understand the critical capabilities of IRM tools and solutions and features to look out for when incorporating IRM into a cloud security architecture.

Planning and implementing data retention, deletion and archiving policies

Candidates will need to understand data protection strategies (retention, deletion and archiving) and compliance obligations (i.e., legal, regulatory and contractual).

Data retention policies

Candidates will need to understand data retention policies and features required to ensure the cloud consumers meet internal and compliance requirements (e.g., storage costs and access requirements, specified legal and regulatory retention periods and data retention practices).

Data deletion procedures and mechanisms

Candidates will need to understand data deletion procedures required to securely remove data from information systems when they are no longer required. There are three (3) categories of deletion actions for various media types to achieve defensible destruction — clear, purge and destroy.

Data archiving procedures and mechanisms

Candidates will need to understand data archiving procedures required to meet an organization’s retention requirements and optimize storage resources in a live production cloud environment.

Legal hold

Candidates will need to understand legal holds, electronic discovery and their importance during a legal investigation. In addition, candidates will need to understand legal hold roles and responsibilities when negotiating cloud contracts and SLAs.

Designing and implementing auditability, traceability and accountability of data events

Candidates will need to understand the various stages of data moving in cloud environments and the key methods used to protect data throughout the entire data lifecycle. In addition, candidates will need to identify, track and analyze data events to ensure security in the cloud environment.

Defining event sources and requirements of identity attribution

Candidates must understand the various key event sources, event data and event attributes available for the cloud service models — IaaS, PaaS and SaaS.

Logging, storing and analyzing data events

Candidates will need to understand the collection, verification, storage and analysis of data collected in a cloud environment.

Chain of custody and nonrepudiation

Candidates will need to understand the process of maintaining chain of custody to ensure data integrity while conducting forensic analysis and incident response.

How to prepare for the CCSP exam

Studying the right material is very … The official books and material recommended by (ISC)² to take the CCSP exam include:

  • Official (ISC)² CCSP CBK Reference, Third Edition
  • Official (ISC)² CCSP Study Guide
  • Official (ISC)² CCSP practice tests
  • Official CCSP study and practice tests apps
  • Official (ISC)² CCSP flashcards 




Mosimilolu (or 'Simi') works as a full-time cybersecurity consultant, specializing in privacy and infrastructure security. Outside of work, her passions include watching anime and TV shows and travelling.
