(ISC)² CCSP

CCSP Domain #3: Cloud Platform and Infrastructure Security [updated 2021]

December 8, 2021 by Mosimilolu Odusanya

Earning the CCSP means the candidate has the right knowledge and skills to secure a cloud environment. Successful candidates must understand the types of activities, risks, appropriate security controls and storage architectures required to ensure data security in a cloud environment. The following topics are included in this domain, as per the “Official (ISC)2 Guide to the CCSP CBK.” This domain represents 17% of the CCSP certification exam.

Domain 3: Cloud platform and infrastructure security

Comprehend cloud infrastructure components

Candidates will need to understand the various unique components of the cloud infrastructure and their roles. In addition, it is important to understand the roles of the cloud customer and the cloud service provider per the shared responsibility model. A typical cloud infrastructure consists of the following components:

  • Physical Environment: this typically consists of the server rooms, data centers and other physical locations of the cloud service provider. This is the sole responsibility of the cloud service provider.
  • Network and communications: the physical network is the cloud service provider’s responsibility, while components housed at the cloud customer’s facility are their responsibility.
  • Compute: this typically consists of the infrastructure components which deliver resources such as the virtual machines, disk, processor, memory and network resources. The maintenance and security of the physical components are the cloud service provider’s responsibility.
  • Virtualization: the security of the hypervisor (Type-1 or Type 2) is the sole responsibility of the cloud service provider.
  • Storage: the cloud service provider is responsible for the physical protection of the data center. In contrast, the cloud customer is responsible for the security and privacy (and customer data, as applicable).
  • Management plane: This provides the tools (web interface and APIs) necessary to configure, monitor and control a cloud environment.

Design a secure datacenter

Candidates will need to understand the principles behind a secure data center design and the logical, physical and environmental security controls to be implemented. These are the responsibility of the cloud service provider as they have physical control and ownership of the data center and the physical infrastructure. The following factors must be considered:

  • Logical design (i.e., tenant partitioning, access control)
  • Physical design (i.e., location, buy and hold)
  • Environmental design (i.e., heating, ventilation and air conditioning (HVAC), multivendor pathway connectivity)

Analyze risks associated with cloud infrastructure

Candidates will need to understand the various categories of risks that may exist and impact an organization when evaluating cloud infrastructures.

Risk assessment and analysis

Candidates will need to understand some risks for the cloud service provider and the cloud customer. These may include organizational, compliance, legal, cloud infrastructure and virtualization risks.

Cloud vulnerabilities, threats and attacks

Candidates must understand the threats and vulnerabilities that may affect a cloud infrastructure, including attacks that malicious individuals may leverage.

Virtualization risks

Candidates will need to understand the risks that exist related to virtualized environments. Such risks may include architectural risks, configuration risks and hypervisor software risks.

Countermeasure strategies

Candidates will need to understand the countermeasures and controls that can be implemented to mitigate the risks in a cloud infrastructure.

Design and plan security controls

Candidates will need to understand the controls that can be implemented to mitigate risks when designing and planning their security controls.

  • Physical and environmental protection: this covers the security of the data center, the physical infrastructure (e.g., servers, networking equipment, HVAC systems etc.) within them and its buildings.
  • System and communication protection: this covers the security of the system and communications. Controls may include:
    • Policy and procedures
    • Separation of system and user functionality
    • Security function isolation
    • Denial of service protection
    • Boundary protection
  • Virtualization systems protection: this covers the security of the virtualization systems (including the hypervisor).
  • Identification, authentication and authorization in cloud infrastructure cover identity and access management in the cloud.
  • Audit mechanisms: this helps ensure that IT systems in the cloud meet legal, regulatory and security requirements. Some audit mechanisms include: log collection and packet capture.

Plan disaster recovery and business continuity

Candidates will need to understand business continuity and disaster recovery in the cloud to ensure data availability.

  • Risks related to the cloud environment: risks include cost and effort to maintain redundancy, geographic dispersion of the data centers, compliance risks, performance hit due to location change, decreased operations during/after failover etc.
  • Business requirements: the importance of these requirements during business continuity and disaster recovery planning:
    • Recovery time objective: the amount of time a business process must be restored to a specific service level.
    • Recovery point objective: the measure of the amount of data that an organization is willing to lose if a disaster or other system stoppage occurs.
    • Recovery service level: the measure of computing resources needed to keep production environments running during a disaster.
  • Business continuity/disaster recovery strategy 
  • Creation, implementation and testing of plan: this covers creating, implementing and testing a business continuity/disaster recovery plan.

How to prepare for the CCSP exam

Studying the suitable material is very he official books and material recommended by the (ISC)2 to take the CCSP exam, include:

  • Official (ISC)² CCSP CBK Reference, Third Edition
  • Official (ISC)² CCSP Study Guide
  • Official (ISC)² CCSP practice tests
  • Official CCSP study and practice tests apps
  • Official (ISC)² CCSP flashcards 

 

Sources:

Posted: December 8, 2021
Author
Mosimilolu Odusanya
View Profile

Mosimilolu (or 'Simi') works as a full-time cybersecurity consultant, specializing in privacy and infrastructure security. Outside of work, her passions includes watching anime and TV shows and travelling.

Leave a Reply

Your email address will not be published.