CCSP Domain 5: Cloud security operations [updated 2022]
This section covers the requirements for developing, planning, implementing, running and managing the physical and logical cloud infrastructure, as per the “Official (ISC)2 Guide to the CCSP CBK.” The CCSP covers six domains, and Domain 5 represents 16% of the CCSP certification exam.
Mastering this domain means you have the knowledge and skills to conduct and manage security operations in the cloud, collect digital evidence after an incident and communicate with partners.
Domain 5 — Cloud security operations
Each of the six subdomains covers a specific aspect of managing security operations in a cloud environment with proper controls and standards.
5.1 Build and implement physical and logical infrastructure for the cloud environment
Candidates must understand the requirements for implementing and building a physical and logical infrastructure with security in mind.
Hardware-specific security configuration requirements
Candidates need to know the various hardware components (and corresponding configuration requirements and settings) needed in a cloud data center infrastructure, such as basic input-output systems (BIOS), virtualization, hardware security module (HSM) and trusted platform module (TPM).
Installation and configuration of management tools
Candidates must know how to install and configure management tools required to secure a virtual and cloud-based installation.
Virtual hardware-specific security configuration requirements
Candidates need to understand the various configuration settings and requirements for maintaining virtual hardware security (e.g., network, storage, memory, central processing unit (CPU) and type 1 and type 2 hypervisors).
Installation of guest operating system virtualization toolsets
Candidates need to understand the toolsets that enable installing operating systems in the virtualization environment.
5.2 Operate and maintain physical and logical infrastructure for cloud environment
Candidates need to understand access control mechanisms, physical and virtual network configurations and OS hardening baselines and how to ensure the availability of physical and virtual hosts and resources in a cloud environment.
Access control for local and remote access
Candidates need to understand protocols for supporting remote administration, such as secure shell (SSH), remote desktop protocol (RDP), virtual network computing (VNC), console-based access mechanisms, jump boxes, etc.
Secure network configuration
Candidates need to understand protocols, technologies, services and concepts for securing networks and the data transmitted, such as virtual local area network (VLAN), transport layer security (TLS), dynamic host configuration protocol (DHCP), domain name system security extensions (DNSSEC), a virtual private network (VPN), and so forth.
Network security controls
Candidates need to understand network security controls and technologies, such as firewalls, intrusion detection/prevention systems (IDS/IPS), honeypots, etc.
Operating system hardening through the application of baselines
Candidates need to understand baselines in hardening operating systems (e.g., Windows, Linux, VMware). The baseline and corresponding documentation may be achieved via customer-defined VM images, NIST checklists, CIS benchmarks, etc.
Candidates need to understand the patch management process for finding, testing and applying patches to a cloud environment.
Availability of clustered hosts
Candidates need to understand clustered hosts (e.g., distributed resource scheduling, dynamic optimization, storage clusters, maintenance mode, high availability) and their use.
Performance and capacity monitoring
Candidates must understand the tools and infrastructure elements (e.g., network, compute, response time, storage) that can be monitored.
Candidates need to understand the tools and hardware elements (e.g., CPU temperature and fan speed) that require monitoring because they can fluctuate.
Configuration of host and guest operating system backup and restore functions
Candidates need to understand the three main types of backup technologies (i.e., snapshots, agent-based and agentless).
Candidates need to understand the uses of a management plane in a cloud environment by the CSP. This includes knowing the activities related to scheduling and orchestration, as well as managing and maintaining the control plane.
5.3 Implement operational controls and standards (e.g., Information Technology Infrastructure Library (ITIL), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000-1)
Candidates need to understand the regulations and controls used to govern IT operations and processes in cloud environments. Such processes include:
- Change management
- Continuity management
- Information security management
- Continual service improvement management
- Incident management
- Problem management
- Release management
- Deployment management
- Configuration management
- Service level management
- Availability management
- Capacity management
5.4 Support digital forensics
Candidates need to understand how to conduct digital forensics in a cloud environment.
Forensics data collection methodologies
Candidates need to understand two standards related to e-discovery: ISO 27050 and Cloud Security Alliance (CSA) Security Guidance Domain 3, Legal Issues: Contracts and Electronic Discovery.
Candidates need to understand how to manage the chain of custody from evidence collection to trial during any digital forensics investigation.
Collect, acquire and preserve digital evidence
Candidates need to understand the phases of digital evidence handling and the challenges associated with evidence collection in a cloud environment.
5.5 Manage communication with relevant parties
Candidates need to understand how to communicate accurately, concisely and in a timely manner with vendors, customers (including the cloud shared responsibility model), partners, regulators and other stakeholders.
5.6 Manage security operations
Candidates need to understand how to manage security operations and provide continuous security support in a cloud environment.
Security operations center (SOC)
Candidates need to understand how a SOC works in a cloud environment and its responsibilities, such as threat prevention and detection, incident management, etc.
Intelligent monitoring of security controls
Candidates need to understand how to manage and monitor the security controls (e.g., firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), honeypots, network security groups, artificial intelligence (AI), etc.) deployed to manage a cloud environment’s physical and logical components.
Log capture and analysis
Candidates need to understand the tools and processes required for log capture and analysis, such as security information and event management (SIEM) tools and log management.
Candidates need to understand the incident management and response procedures in a cloud environment and the three key elements: incident response plan, incident response team and root cause analysis.
Candidates need to understand the importance of cloud vulnerability assessments of the network and IT infrastructure to give visibility into the environment’s attack surface.
How to prepare for the CCSP exam
(ISC)2 recommends studying suitable material before taking the CCSP exam. The official preparation material includes:
- Official (ISC)² CCSP Study Guide, 2nd Edition
- Official (ISC)² CCSP CBK Reference, 3rd Edition
- Official (ISC)² CCSP Practice Tests, 2nd Edition
- Official (ISC)² CCSP Flash Cards
- Official (ISC)² CCSP Study App
Need training? Design a learning path that best fits your needs and requirements to prepare for the CCSP certification. Start validating your cloud security knowledge by reviewing all the essential elements found in the fifth domain of the CCSP common body of knowledge (CBK) — Cloud Security Operations.
For more on the CCSP certification, check out our CCSP certification hub.