CCSP Domain 3: Cloud Platform and Infrastructure Security [updated 2022]
Candidates who study for the CCSP exam must know both the cloud infrastructure’s physical and virtual components, the associated risks, and how to implement security controls. The third domain of the CCSP common body of knowledge (CBK) — Cloud platform and infrastructure security — tests their understanding of cloud security strategies, risks and responsibilities, storage and business continuity programs.
The following topics are included in this domain, according to the “Official (ISC)2 Guide to the CCSP CBK.” This domain represents 17% of the CCSP certification exam.
Domain 3: Cloud platform and infrastructure security
Each of the five CCSP subdomains covers a different aspect of cloud infrastructure security.
3.1 Comprehend cloud infrastructure and platform components
Candidates need to recognize the various unique components of the cloud infrastructure (both physical and virtual) and their roles. In addition, it is essential to understand the roles of the cloud customer and the cloud service provider based on the shared responsibility model. A typical cloud infrastructure consists of the following components:
- Physical environment: This typically includes the server rooms, data centers and other physical locations of the cloud service provider. This is the sole responsibility of the cloud service provider.
- Network and communications: The physical network is the cloud service provider’s responsibility, while components housed at the cloud customer’s facility are their responsibility.
- Compute: This typically consists of the infrastructure components that deliver resources, such as the virtual machines, disk, processor, memory and network resources. The maintenance and security of the physical components are the cloud service provider’s responsibility.
- Virtualization: The security of the hypervisor (Type 1 or Type 2) is the sole responsibility of the cloud service provider.
- Storage: The cloud service provider is responsible for the physical protection of the data center. In contrast, the cloud customer is responsible for the security, privacy and customer data, as applicable.
- Management plane: This provides the tools (web interface and APIs) necessary to configure, monitor and control a cloud environment.
3.2 Design a secure data center
To scrutinize the physical and environmental controls for protecting assets (critical information and equipment), candidates need to understand the principles behind secure data center design and the logical, physical and environmental security controls to be implemented, as well as how to build resilience by design. These are the responsibility of the cloud service provider because they have physical control and ownership of the data center and the physical infrastructure. The following factors must be considered:
- Logical design (i.e., tenant partitioning and access control)
- Physical design (i.e., location, buy and hold)
- Environmental design (i.e., heating, ventilation and air conditioning (HVAC), multivendor pathway connectivity)
- Design resilience
3.3 Analyze risks associated with cloud infrastructure and platforms
Candidates must understand the various risks that may impact an organization when evaluating cloud infrastructures.
- Risk assessment (e.g., identification, analysis): Candidates need to understand risks for the cloud service provider and the cloud customer. These may include organizational, compliance, legal, cloud infrastructure and virtualization risks.
- Cloud vulnerabilities, threats and attacks: Candidates must understand the threats and vulnerabilities that may affect a cloud infrastructure, including attacks that malicious individuals may leverage.
- Risk mitigation strategies: Candidates need to understand the countermeasures and controls that can be implemented to mitigate the risks in a cloud infrastructure.
3.4 Plan and implement security controls
Candidates need to understand the security controls that can mitigate risks when designing and planning their cloud infrastructure and applications at scale.
- Physical and environmental protection: This covers the security of the data center, including the physical infrastructure (e.g., servers, networking equipment, HVAC systems etc.) and the buildings that host it.
- System, storage and communication protection: This involves the security of the system and communications. Controls may include:
- Policy and procedures
- Separation of system and user functionality
- Security function isolation
- Denial of service protection
- Boundary protection
- Identification, authentication and authorization in cloud environments: This focuses on identity and access management to meet policy or regulatory requirements.
- Audit mechanisms: This helps to ensure that IT systems in the cloud meet legal, regulatory and security requirements. Some audit mechanisms include log collection, correlation and packet capture.
3.5 Plan business continuity (BC) and disaster recovery (DR)
To ensure data availability, candidates must understand business continuity and disaster recovery in the cloud.
- BC/DR strategies: The importance of suitable cloud-based disaster recovery and business continuity solutions for any organization.
- Business requirements: The importance of these requirements during business continuity and disaster recovery planning:
- Recovery time objective (RTO): The maximum amount of time in which a business process must be restored to a specific service level.
- Recovery point objective (RPO): The amount of data that an organization is willing to lose if a disaster or other system stoppage occurs.
- Recovery service level: The measure of computing resources needed to keep production environments running during a disaster.
- Creation, implementation and testing: This deals with creating, implementing and testing a BC/DR plan to meet an organization’s predetermined RPO/RTO requirements.
How to prepare for the CCSP exam
Studying the right material is recommended by (ISC)2 to prepare for the CCSP exam. The official preparation materials include:
- Official (ISC)² CCSP Study Guide, 2nd Edition
- Official (ISC)² CCSP CBK Reference, 3rd Edition
- Official (ISC)² CCSP Practice Tests, 2nd Edition
- Official (ISC)² CCSP Flash Cards
- Official (ISC)² CCSP Study App
Need training? Design an individual learning path that fits your needs and requirements to prepare for the CCSP certification. Start validating your cloud security knowledge by reviewing all the key elements found in the third domain of the CCSP common body of knowledge (CBK) — Cloud Platform and Infrastructure Security.
For more on the CCSP certification, check out our CCSP certification hub.