CCSP Domain #2: Cloud data security [updated 2022]
Earning the CCSP credential means you have the knowledge and skills to secure a cloud environment. Successful candidates must understand the activities, risks and storage architectures required to ensure data security in the cloud.
The CCSP is comprised of six domains. This article explores the information you need to know and understand for the Domain 2 portion of the test, which contains eight subsections representing 20% of the exam. It assesses your level of mastery of the most critical aspects of cloud data security, as outlined in the CCSP Certification Exam Outline (effective date: August 1, 2022).
Domain 2: Cloud data security
2.1 Describe cloud data concepts
Candidates need to understand the following:
- Cloud data lifecycle phases from creation to storage, usage, sharing, archiving and destruction
- Data flows
- Data dispersion and its importance for data resiliency and availability
2.2 Design and implement cloud data storage architectures
Candidates need to understand the storage types and options and the threats and countermeasures applicable to the various cloud service models.
- Infrastructure as a service (IaaS): ephemeral, raw, long-term, volume and object
- Platform as a service (PaaS): disk, databases, binary large object (blob)
- Software as a service (SaaS): information storage and management, content and file storage and content delivery network (CDN)
Threats to storage types
Candidates need to understand threats to cloud storage, such as unauthorized access, regulatory noncompliance, jurisdictional issues, malware and ransomware, along with the appropriate countermeasures.
2.3 Design and apply data security technologies and strategies
Candidates need to understand various security technologies and strategies that consumers can use to protect data stored in a cloud environment.
- Encryption and key management
- Data loss prevention
- Data obfuscation
- Keys, secrets and certificates management
2.4 Implement data discovery
Candidates need to know how to find data in the cloud environment before it can be classified and protected. Having data distributed at more locations increases the attack surface area.
- Structured data
- Unstructured data
- Semi-structured data
- Data location
2.5 Plan and implement data classification
Candidates need to understand how to map, label and classify data to indicate the value or sensitivity of the content. This process helps determine appropriate policies and controls to ensure compliance and determine encryption needs, approved use of data, authorized access and proper retention and disposal.
- Data classification policies
- Data mapping
- Data labeling
2.6 Design and implement information rights management (IRM)
Candidates need to understand how IRM works, its importance and its pitfalls in cloud environments, especially involving the security and privacy of an organization’s sensitive data. The two categories of IRM are consumer-grade IRM, also known as digital rights management (DRM), and enterprise-grade IRM.
Objectives (e.g., data rights, provisioning, access models)
Candidates need to understand the various attributes of an IRM system, such as persistence, dynamic policy control, expiration and continuous audit trail.
Appropriate tools (e.g., issuing and revocation of certificates)
Candidates need to understand the critical capabilities of IRM tools and solutions and features to look out for when incorporating IRM into a cloud security architecture.
2.7 Plan and implement data retention, deletion and archiving policies
Candidates need to understand data protection strategies (retention, deletion and archiving) and compliance obligations (i.e., legal, regulatory and contractual).
Data retention policies
Candidates need to understand data retention policies and the features required to ensure that cloud consumers meet internal and compliance requirements (e.g., storage costs and access requirements, specified legal and regulatory retention periods and data retention practices).
Data deletion procedures and mechanisms
Candidates need to understand the data deletion procedures required to securely remove data from information systems when they are no longer required. There are three categories of deletion actions for various media types to achieve defensible destruction — clear, purge and destroy.
Data archiving procedures and mechanisms
Candidates must understand the data archiving procedures required to meet an organization’s retention requirements and optimize storage resources in a live production cloud environment.
Candidates need to understand legal holds, electronic discovery and their importance during a legal investigation, along with legal hold roles and responsibilities when negotiating cloud contracts and SLAs.
2.8 Design and implement auditability, traceability and accountability of data events
Candidates must understand the various stages of data moving in cloud environments and the critical methods used to protect data throughout the entire lifecycle. In addition, you should know how to identify, track and analyze data events to ensure security in the cloud environment.
Defining event sources and requirements of identity attribution (identity, Internet Protocol address, geolocation)
Candidates must understand the various key event sources, event data and event attributes available for the cloud service models — IaaS, PaaS and SaaS.
Logging, storing and analyzing data events
Candidates need to understand how to collect, verify, store and analyze data collected in a cloud environment.
Chain of custody and nonrepudiation
Candidates need to understand the process of maintaining the chain of custody to ensure data integrity while conducting forensic analysis and incident response.
How to prepare for the CCSP exam
The CCSP includes six domains. Studying suitable material is essential for passing the CCSP exam. The official preparation material includes:
- Official (ISC)² CCSP Study Guide, 2nd Edition
- Official (ISC)² CCSP CBK Reference, 3rd Edition
- Official (ISC)² CCSP Practice Tests, 2nd Edition
- Official (ISC)² CCSP Flash Cards
- Official (ISC)² CCSP Study App
Need training? Design an individual CCSP learning path that fits your needs and requirements to prepare for the CCSP certification. Start validating your cloud security knowledge by reviewing all the key elements in the second domain of the CCSP common body of knowledge (CBK) — Cloud Data Security.
- CCSP, (ISC)²
- CCSP: Certification Exam Outline, (ISC)²
- CCSP Domain Refresh FAQ, (ISC)²