CCSP: Overview of Domains
What Is the CCSP Exam?
The Certified Cloud Security Professional (CCSP) exam is a certification exam designed to test an applicant’s knowledge of the principles of securing cloud-based environments. It was developed by the International Information Systems Security Certification Consortium, Inc. or (ISC)2 and the Cloud Security Alliance (CSA).
In order to earn a CCSP certification, an applicant must pass the exam and meet certain eligibility requirements (five years in information technology, three years in information security and one year in cloud security).
CCSP Exam Details
The CCSP exam is a 125-question, multiple-choice exam with a four-hour time limit (consider bringing a snack). The exam has a total of 1000 possible points and passing requires a score of at least 700.
Questions are not equally distributed among the six domains of the exam. The breakdown of the exam is as follows:
- Domain 1: 19%
- Domain 2: 20%
- Domain 3: 19%
- Domain 4: 15%
- Domain 5: 15%
- Domain 6: 12%
What Is Covered By the CCSP Exam?
The CCSP exam is broken into six domains and numerous subdomains. This section provides a brief introduction to each of the subdomains included in the CCSP exam.
Domain 1: Architectural Concepts and Design Requirements
The first domain of the CCSP covers a lot of ground. Each of its five subdomains covers a very different aspect of cloud computing.
Understand Cloud Computing Concepts
This section of the exam is designed to evaluate the test-taker’s knowledge of fundamental cloud computing concepts. To prepare for this section, brush up on the cloud computing definitions in ISO/IEC 17788, role descriptions within cloud computing (Customer, Provider, Partner), cloud computing characteristics (multi-tenancy, resource pooling and so forth), and the technology used in cloud computing (virtualization, databases and more).
Describe Cloud Reference Architecture
The cloud reference architecture section of the CCSP exam focuses on the differentiating features of different cloud-based offerings. You should know the difference between Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS), what the difference is between public and community cloud models, and cloud service capabilities and aspects that transcend these classifications.
Understand Security Concepts Relevant to Cloud Computing
The security concepts section of the CCSP exam is a review of common cybersecurity concepts. Included are the basics of cryptography, access control, media sanitization, network security and virtualization security. You should also know about common security threats and how to apply these concepts to different cloud types.
Understand Design Principles of Secure Cloud Computing
The Design Principles section introduces the business aspects of cloud computing including cloud-based Business Continuity/Disaster Recovery (BC/DR) planning, cost-benefit analysis, and functional security considerations like portability and vendor lock-in. This section also covers the Cloud Secure Data Lifecycle.
Identify Trusted Cloud Services
The final section of Domain 1 discusses how to identify trusted cloud services. This includes certification against criteria and being familiar with product certifications for systems and subsystems.
Domain 2: Cloud Data Security
Understand Cloud Data Lifecycle
The Cloud Data Lifecycle is guidance provided by the Cloud Security Alliance (CSA), one of the two creators of the CCSP. CCSP takers should be familiar with the phases of the Cloud Data Lifecycle and the data security technologies used to implement it.
Design and Implement Cloud Data Storage Architectures
This section of the CCSP deals with everything storage in a cloud environment. To ready, you need to know the different types of storage (long-term, ephemeral and raw-disk), potential threats to the different types of storage (reference ISO/IEC 27040) and how to manage these threats using encryption and other technology.
Design and Apply Data Security Strategies
In this section, the CCSP tests knowledge of the different tools available for protecting data and how to use them. Most of these are cryptography-related, including encryption, masking, key management, tokenization and new and emerging technologies.
Understand and Implement Data Discovery and Classification Techniques
This section of the exam describes the ways to find data within a cloud environment and how to appropriately classify data.
Design and Implement Relevant Jurisdictional Data Protections for Personally Identifiable Information (PII)
Personally Identifiable Information (PII) is a commonly-regulated type of data. This section of the exam tests knowledge of major data privacy acts, how to perform data discovery and classify the data found, and the mapping, definition and application of security controls for protected data.
Design and Implement Data Rights Management
This section of the CCSP exam covers the theory, practice and technology for managing user access to various data.
Design and Implement Data Retention, Deletion and Archiving Policies
Most corporate and legally-protected data have strict policies on data retention, deletion, and archiving. Cloud environments can make these policies more difficult to enforce due to the lack of physical control of the hardware where the data is stored. This section covers policies, procedures and mechanisms for data retention, deletion and archiving.
Design and Implement Auditability, Traceability and Accountability of Data Events
This section discusses everything to do with event management including identification of event sources, logging events, event storage and continuous improvement to the process. The section also discusses chain of custody and ensuring non-repudiation of collected data.
Domain 3: Cloud Platform and Infrastructure Security
The third domain of the CCSP exam focuses on the infrastructure side of cloud computing. This includes the basics of infrastructure, analyzing and controlling risk and integrating cloud computing into the organizational business continuity/disaster recovery (BC/DR) strategy.
Comprehend Cloud Infrastructure Components
The first section of the third domain is focused on confirming that the test-taker has a clear understanding of the basic components of cloud infrastructure. This includes knowledge of the physical environment, network and communications, computational resources, virtualization technology, storage and the management plane.
Analyze Risks Associated to Cloud Infrastructure
The risk assessment section of the infrastructure domain focuses on identifying common cloud attack vectors and risks of virtualization. It also covers common countermeasures like access controls and proper design.
Design and Plan Security Controls
This section complements the previous one by exploring different security controls designed to manage cloud-related risk. This includes protection of physical assets, systems and communication and virtualization systems. Also covered are management of access control (identification, authentication and authorization) in the cloud and audit mechanisms.
Plan Disaster Recovery and Business Continuity Management
Cloud computing can be a valuable part of an organization’s business continuity/disaster recovery (BC/DR) strategy. This section involves developing and implementing a cloud BC/DR plan based on business requirements, risks and the organization’s overall BC/DR strategy.
Domain 4: Cloud Application Security
Data storage is not the only use of cloud computing. This domain of the exam evaluates the test-taker’s knowledge of application development for the cloud.
Recognize the Need for Training and Awareness in Application Security
Development for the cloud can be very different from development for on-premises systems. This section tests knowledge of some of the basics of cloud development and common pitfalls and vulnerabilities when developing cloud applications.
Understand Cloud Software Assurance and Validation
Once an application is on the cloud, it may be subject to reduced oversight since it is not running on systems controlled by the organization. In this section of the exam, the test-taker is expected to demonstrate knowledge of techniques for ensuring that applications are secure before they are uploaded to the cloud like functional testing, security testing and the Cloud Secure Development Life Cycle.
Use Verified Secure Software
Depending on the cloud computing environment used, a developer may not have control over the software packages and utilities available to their programs. This section discusses the principles of ensuring that developers only use approved APIs, appropriately manage the supply chain and take advantage of community knowledge.
Comprehend the Software Development Life-Cycle (SDLC) Process
The Software Development Life-Cycle is a formalized plan for the process of creating new software. A CCSP applicant should be familiar with its phases, how they relate to business requirements and relevant technology, including software configuration management and versioning tools.
Apply the Secure Software Development Life-Cycle
The Secure Software Development Life-Cycle focuses on identifying and mitigating potential security vulnerabilities in software. This section covers both common and cloud-specific software vulnerabilities, ensuring quality of service and how to perform threat modeling.
Comprehend the Specifics of Cloud Application Architecture
The architecture of the cloud environment can have a significant impact on cloud security. A CCSP is expected to have knowledge of security-related technology, cryptography, sandboxing and application virtualization.
Design Appropriate Identity and Access Management (IAM) Solutions
Managing access to data and resources is an important security measure in and out of the cloud. This section covers common IAM solutions including Federated Identity, Identity Providers, Single Sign-On and Multi-Factor Authentication.
Domain 5: Operations
The fifth domain of the CCSP exam is probably the most detail-oriented. It covers every aspect of the cloud’s physical and digital infrastructure as well as collecting digital evidence after an incident and communicating with partners.
Support the Planning Process for the Data Center Design
The first step of setting up a cloud data center is the design phase. This includes logical, physical, and environmental design considerations.
Implement and Build Physical Infrastructure for Cloud Environment
Implementation and construction of the physical infrastructure is the second phase of operations. The CCSP tests knowledge of the secure configuration of hardware-specific requirements (BIOS settings for virtualization and TPMs, storage controllers and network controllers) and installing and configuring virtualization management tools on the hosts.
Run Physical Infrastructure for Cloud Environment
The third section of the operations domain focuses on the steps necessary to start running the physical infrastructure of the cloud environment. Tested topics include configuring local access controls, securing communications, applying hardened OS baselines and ensuring standalone and clustered host availability.
Manage Physical Infrastructure for Cloud Environment
Management of the physical infrastructure is one of the most detail-rich subdomains in the CCSP exam. This section could test knowledge on configuring remote access controls, monitoring and remediating deviations from OS baselines, patch management, performance and hardware monitoring, host configuration backup and restoration, network security control implementation, capture and analysis of logs, and anything to do with the management plane.
Build Logical Infrastructure for Cloud Environment
Building the logical infrastructure of the cloud environment focuses on virtualization technology. Test-takers should know how to securely configure virtual hardware and install guest OS virtualization toolsets.
Run Logical Infrastructure for Cloud Environment
The required knowledge for running the cloud infrastructure’s logical environment is less than that of the physical infrastructure. Covered topics include securing network configurations, applying a hardened baseline image to guest OSs and ensuring availability of the guest OS.
Manage Logical Infrastructure for Cloud Environment
Management of the logical infrastructure mirrors the topics covered in the physical infrastructure management subdomain but applies them to the guest OS instead of the host.
Ensure Compliance with Regulations and Controls
The CCSP’s topics regarding regulations and controls draw heavily from ITIL and ISO/IEC 20000-1. The required knowledge includes management of change, continuity, information security, continual service improvement, incidents, problems, releases, deployment, configuration, service levels, availability and capacity.
Conduct Risk Assessment to Logical and Physical Infrastructure
This section of the operations domain is exactly what it sounds like. After the infrastructure is designed and built, it’s necessary to identify and manage potential sources of risk.
Understand the Collection, Acquisition and Preservation of Digital Evidence
In the event of an incident, a cloud security practitioner should know how to properly collect and manage forensic evidence from a cloud environment.
Manage Communication With Relevant Parties
Communication is key when operating in a cloud environment. The CCSP exam focuses on keeping lines of communication open with vendors, customers, partners, regulators and other stakeholders in the system.
Domain 6: Legal and Compliance
The last domain of the CCSP exam tests an applicant’s knowledge of the laws and regulations that may be applicable to the data stored in their cloud environment and how cloud computing may require a distinct set of policies and procedures from on-premises systems.
Understand Legal Requirements and Unique Risks Within the Cloud Environment
An aspect of cloud computing significant to legal and regulatory compliance is the fact that an organization’s data is not under their control and that they may not know its physical location at any time. The CCSP tests knowledge of international legislation conflicts, cloud-specific risks, legal controls, the eDiscovery process and requirements for forensic analysis.
Understand Privacy Issues, Including Jurisdictional Variation
This section of the exam focuses on the details and regulations regarding protection of Personally Identifiable Information (PII). A test-taker should know the difference between contractual and regulated PII, be familiar with major country-specific privacy regulations and be able to define confidentiality, integrity, availability and privacy.
Understand Audit Process, Methodologies and Required Adaptations for a Cloud Environment
This section of the exam tests knowledge of all aspects of the audit process and the differences caused by the use of cloud computing.
Understand Implications of Cloud to Enterprise Risk Management
The use of cloud computing causes some traditional risk management procedures to be inapplicable (like controlling physical access to a device). A CCSP applicant should be familiar with cloud-specific risk terminology, regulatory impacts and risk mitigations, frameworks, metrics and assessments.
Understand Outsourcing and Cloud Contract Design
The use of cloud technology makes outsourcing business functions essential. This section tests knowledge of outsourcing business requirements, vendor management, and contract management.
Execute Vendor Management
The final subdomain of the CCSP exam focuses on managing the cloud supply chain. One useful reference is ISO/IEC 27036.
Preparing for the CCSP Exam
(ISC)2 has endorsed an official study guide for the CCSP exam; however, the number of topics that it covers means that working through it might seem like a daunting task. If you prefer a more hands-on approach to learning, training is available to help you prepare for and pass your CCSP exam.
The Ultimate Guide to the CCSP, (ISC)2
Certification Exam Outline, (ISC)2