The 6 CCSP Domains Explained

The CCSP (Certified Cloud Security Professional) certification was launched in April 2015 and last updated in August 2022.

(ISC)² developed CCSP to address the growing need for Cloud security professionals and the rapidly escalating use of Cloud services.

What are the 6 CCSP domains?

CCSP domain                                   Weighting
1. Cloud Concepts, Architecture and Design    17%
2. Cloud Data Security                        20%
3. Cloud Platform & Infrastructure Security   17%
4. Cloud Application Security                 17%
5. Cloud Security Operations                  16%
6. Legal, Risk and Compliance                 13%

While the first domain doesn’t hold the highest weighting, it’s critical to understanding all other domains.

Although you could study domains 3–6 out of sequence, our expert instructors recommend studying each domain in sequence. This type of linear approach makes the content easier to absorb.

This blog summarises the contents of each domain, following the curriculum’s subsection structure.

You’ll notice how key concepts crop up throughout and how the domains overlap. The lists below may seem long, but you’ll quickly ‘synthesise’ the information once you grasp the core concepts and terminology for Cloud security.

CCSP Domain 1: Cloud Concepts, Architecture and Design

Cloud Concepts, Architecture and Design covers 17% of the exam.

The aim of this module is to understand the definitions and concepts used throughout Cloud computing to prepare you for all other domains.

The subsections are:

Cloud concepts, e.g. definitions, roles and responsibilities across the Cloud supply chain, characteristics like multi-tenancy, rapid elasticity, resource pooling, etc.

Reference architecture, including capabilities, service models (IaaS, PaaS, SaaS), deployment models (public, private, hybrid), shared considerations and related technologies including AI, blockchain, quantum computing and DevSecOps.

Security concepts ranging from cryptography to virtualisation security, data and media sanitisation, and network security.

Design principles, including the full Cloud secure life cycle and the role of business continuity and disaster recovery, design patterns and frameworks, and how these design principles relate to different Cloud categories such as IaaS and PaaS.

Supplier evaluation, with reference to the verification criteria set out in frameworks such as the PCI DSS (Payment Card Industry Data Security Standard), ISO 27017, etc., and evaluation of systems and subsystems exploring product certifications and standards like FIPS 140-2.

CCSP Domain 2: Cloud Data Security

Cloud Data Security covers 20% of the exam.

This domain examines how the concepts covered in Domain 1 are applied. It addresses the challenges of data privacy and compliance with regulations such as the GDPR (General Data Protection Regulation).

The subsections are:

Concepts such as life cycle phases, data dispersion and data flows.

Cloud storage architectures including storage types and the threats that apply to them.

Data security technologies and strategies, including hashing, tokenisation, data loss prevention and data obfuscation.

Data discovery, looking at different types of data (structured, unstructured, semi-structured) and the location of that data.

Planning and data classification, including policies, data mapping and data labelling, and the value of these principles.

Information rights management, covering the key requirements and appropriate tools to deploy.

Planning and implementing data retention, deletion and archiving policies, focusing on the core task of putting in place policies and procedures, using common mechanisms and taking into account legal considerations.

Planning and implementing the auditing, traceability and accountability of data events. This reiterates the importance of logging, storage and analysis with respect to the chain of custody and non-repudiation considerations, using event attributes such as IP addresses and geolocation.
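As an added illustration of three of the data security technologies named in this domain (hashing, tokenisation and data obfuscation), the following is example code written for this summary; it is not (ISC)² material or code from the CCSP curriculum. The HMAC key and the card number are constructed sample values, and the vault is an in-memory stand-in for a real tokenisation service.

```python
import hashlib
import hmac
import secrets
import string

# Constructed sample key for the keyed hash. In a real deployment the key
# would come from a key management service, never from source code.
SAMPLE_HMAC_KEY = b"example-key-not-for-production"


def pseudonymise(value: str, key: bytes = SAMPLE_HMAC_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of a data element.

    Deterministic, so the same input always maps to the same output and records
    can still be joined or deduplicated across systems, but the original value
    cannot be recovered without the key.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def mask_pan(pan: str) -> str:
    """Static data masking: keep the last four digits, hide the rest."""
    if not pan.isdigit() or len(pan) < 8:
        raise ValueError("expected a numeric PAN of at least 8 digits")
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Minimal vault-based tokenisation.

    The sensitive value lives only inside the vault. Callers hold a random,
    digit-only surrogate of the same length, which reveals nothing on its own
    and can be exchanged back only through the vault.
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Re-use the existing token so the same value always tokenises the same way.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = "".join(secrets.choice(string.digits) for _ in value)
            # Reject collisions with existing tokens and the identity mapping.
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        if token not in self._token_to_value:
            raise KeyError("unknown token")
        return self._token_to_value[token]


def demo() -> dict:
    """Apply all three techniques to a constructed sample card number."""
    pan = "4111111111111111"  # constructed sample value
    vault = TokenVault()
    token = vault.tokenize(pan)
    return {
        "masked": mask_pan(pan),
        "pseudonym": pseudonymise(pan),
        "token": token,
        "round_trip_ok": vault.detokenize(token) == pan,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The three techniques trade off differently: masking is one-way and meant for display, the keyed hash is one-way but still allows matching, and tokenisation is reversible, which is why the vault itself becomes the component that needs the strongest access control and logging.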

CCSP Domain 3: Cloud Platform & Infrastructure Security

Cloud Platform & Infrastructure Security covers 17% of the exam.

This domain takes a macro view of securing Cloud infrastructure, from the physical to the virtual components, to manage the vulnerabilities associated with Cloud environments.

The subsections are:

Cloud infrastructure platform components explores six key aspects: physical environment, network and communications, compute, virtualisation, storage and management plane.

Design a secure data centre – how the logical, physical and environmental design principles apply to data centre partition areas for matters like access control and creating the appropriate cooling and ventilation conditions for equipment.

Analyse risks associated with Cloud infrastructure and platforms. This provides insights into risk assessment and mitigation strategies specifically for Cloud infrastructures.

Planning and implementing security controls is one of the key responsibilities of a Cloud security specialist. This involves physical and environmental protection, audit mechanisms, storage, and identification, authentication, authorisation and accountability management.

Plan business continuity and disaster recovery. This looks at the requirements and key metrics involved in business continuity and disaster recovery planning, such as RTOs (recovery time objectives), RPOs (recovery point objectives), SLAs (service level agreements) and OLAs (operational level agreements).


Domain 4: Cloud Application Security

Cloud Application Security covers 17% of the exam.

This domain drills down to the application level, whether that of a third-party vendor or the organisation’s own intellectual property. It covers the design, development and assurance of software applications, and the specifics of Cloud application architecture and access control.

The subsections are:

Advocating for training and awareness, not just for application users but for those involved in software development.

Describing the secure SDLC (software development life cycle) process. This takes a high-level view of the steps involved in defining business requirements, and various phases of development and project management methodologies such as Waterfall and Agile.

Applying the SDLC. This large subsection references design frameworks such as STRIDE, DREAD, PASTA and ATASM, and the principles involved in secure coding.

Applying software assurance and validation, including testing and QA (quality assurance) methodologies.

Using verified secure software, which covers vendor assessment, licensing, and other considerations involved in third-party software management and the use of APIs and open-source software.

The specifics of Cloud application architecture looks at using supplemental security components such as firewalls and API gateways.

IAM (identity and access management) solutions, which looks at the full spectrum of IAM options currently available for Cloud infrastructures.

Domain 5: Cloud Security Operations

Cloud Security Operations covers 16% of the exam.

This domain looks at the hardware, software and controls commonly used in Cloud security and how they interrelate with incident response, disaster recovery and business continuity planning.

The subsections are:

Building the physical and logical infrastructure looks at what it takes to install hardware (such as HSMs (hardware security modules)) and supporting management tools on physical and virtual machines.

Operating and maintaining logical and physical infrastructure, which goes through everything from access controls, configuration, network security controls, and the hardening of operating systems, and all aspects of configuration and monitoring.

Implementing controls and standards. This draws heavily on management systems and standards such as ITIL and the ISO 20000 series.

Digital forensics, which drills into forensic data collection and evidence management techniques.

Managing communication explores the nature of communication between various stakeholders, including vendors, customers and regulators.

Managing security operations looks at how SOCs (security operations centres) are managed, and how incidents and vulnerabilities are assessed and handled.

Domain 6: Legal, Risk and Compliance

Legal, Risk and Compliance covers 13% of the exam.

This domain covers the legal and regulatory aspects of Cloud security. It includes understanding the legal implications of Cloud computing, managing risks, and ensuring compliance with various standards and regulations.

The subsections are:

Articulating legal requirements and risks delves into the day-to-day challenges of managing compliance with conflicting regulations, and guidance on eDiscovery from sources such as the CSA (Cloud Security Alliance) and ISO 27050.

Understanding privacy issues distinguishes between contractually regulated private data and personal data (or ‘PII’ – personally identifiable information), and the standard privacy requirements referenced in frameworks like ISO 27018, GAPP (Generally Accepted Privacy Principles) and the GDPR.

Auditing and adaptations for Cloud environments explores a range of audit processes, methods and requirements for those under audit, and the specific adaptations needed for Cloud environments, with reference to standards applied in highly regulated sectors like finance and healthcare.

The implications of Cloud enterprise risk management covers the crossover between data protection and risk management in the context of ERM (enterprise risk management). This includes the transparency requirements and breach notification duties imposed by the likes of SOX (Sarbanes–Oxley Act) and the GDPR.

Outsourcing and contract design provides an understanding of how contracts are designed and managed by suppliers and customers, including the essential components and tasks involved in contract management.

CCSP training and revision materials

There are 150 multiple-choice questions in the 4-hour CCSP exam.

Our training courses come with a range of practice exams and insights into exam policies, strategies and techniques, including timekeeping.

Our trainers will point you to useful resources on each topic to help you think around the subject areas, and consolidate your understanding by considering how it applies in context.

Earn your credentials

You can earn your CCSP certification in various ways, but most involve a large component of self-directed study and some element of classroom or video-based training.

The curriculum is broad, and while it may seem exhaustive, you’ll be looking at it from a management standpoint without drilling into minor details in any single area.

You must be able to categorise, name and evaluate all areas of Cloud security appropriately, while appreciating how the various terms and concepts weave together, overlapping in many ways.

As a senior manager or a Cloud security professional, you’ll be solving the problems of reconciling seemingly conflicting requirements.

CCSP training with IT Governance

Like many others, we offer self-paced training and instructor-led ‘bootcamp’-style five-day exam preparation courses. However, our courses have more flexibility built in for learners, and come with access to additional one-to-one mentoring with a qualified instructor.

IT Governance is the first to launch a CCSP training course using blended learning. That means we combine regular group sessions live online with the instructor and a carefully crafted programme of study consisting of 1 hour per day for 13 weeks, building towards the CCSP exam.

The blended approach is proving hugely successful for the CISSP course, another senior-level certification from (ISC)².

The post The 6 CCSP Domains Explained appeared first on IT Governance UK Blog.
