CCSP For Dummies - Arthur J. Deane - E-Book

Arthur J. Deane

Description

Get CCSP certified and elevate your career into the world of cloud security

CCSP For Dummies is a valuable resource for anyone seeking to gain their Certified Cloud Security Professional (CCSP) certification and advance their cloud security career. This book offers a thorough review of subject knowledge in all six domains, with real-world examples and scenarios, so you can be sure that you're heading into test day with the most current understanding of cloud security. You'll also get tips on setting up a study plan and getting ready for exam day, along with digital flashcards and access to two updated online practice tests.

* Review all content covered on the CCSP exam with clear explanations
* Prepare for test day with expert test-taking strategies, practice tests, and digital flashcards
* Get the certification you need to launch a lucrative career in cloud security
* Set up a study plan so you can comfortably work your way through all subject matter before test day

This Dummies study guide is excellent for anyone taking the CCSP exam for the first time, as well as those who need to brush up on their skills to renew their credentials.


Page count: 641

Publication year: 2023




CCSP® for Dummies®

To view this book's Cheat Sheet, simply go to www.dummies.com and search for “CCSP for Dummies Cheat Sheet” in the Search box.

Table of Contents

Cover

Title Page

Copyright

Introduction

About this Book

Foolish Assumptions

Icons Used in This Book

Beyond the Book

Where to Go from Here

Part 1: Starting Your CCSP Journey

Chapter 1: Familiarizing Yourself with (ISC)2 and the CCSP Certification

Appreciating (ISC)2 and the CCSP Certification

Knowing Why You Need to Get Certified

Studying the Prerequisites for the CCSP

Understanding the CCSP Domains

Preparing for the Exam

Registering for the Exam

Taking the Exam

Identifying What to Do After the Exam

Chapter 2: Identifying Information Security Fundamentals

Exploring the Pillars of Information Security

Threats, Vulnerabilities, and Risks … Oh My!

Understanding Identity and Access Management (IAM)

Deciphering Cryptography

Grasping Physical Security

Realizing the Importance of Business Continuity and Disaster Recovery

Understanding Logging and Monitoring

Implementing Incident Handling

Utilizing Defense-in-Depth

Part 2: Exploring the CCSP Certification Domains

Chapter 3: Domain 1: Cloud Concepts, Architecture, and Design, Part 1

Understanding Cloud Computing Concepts

Describing Cloud Reference Architecture

Chapter 4: Domain 1: Cloud Concepts, Architecture, and Design, Part 2

Identifying Security Concepts Relevant to Cloud Computing

Comprehending Design Principles of Secure Cloud Computing

Evaluating Cloud Service Providers

Chapter 5: Domain 2: Cloud Data Security, Part 1

Describing Cloud Data Concepts

Designing and Implementing Cloud Data Storage Architectures

Designing and Applying Data Security Technologies and Strategies

Implementing Data Discovery

Chapter 6: Domain 2: Cloud Data Security, Part 2

Planning and Implementing Data Classification

Designing and Implementing Information Rights Management (IRM)

Planning and Implementing Data Retention, Deletion, and Archiving Policies

Designing and Implementing Auditability, Traceability, and Accountability of Data Events

Chapter 7: Domain 3: Cloud Platform and Infrastructure Security, Part 1

Comprehending Cloud Infrastructure and Platform Components

Designing a Secure Data Center

Analyzing Risks Associated with Cloud Infrastructure and Platforms

Chapter 8: Domain 3: Cloud Platform and Infrastructure Security, Part 2

Planning and Implementing Security Controls

Planning Business Continuity (BC) and Disaster Recovery (DR)

Chapter 9: Domain 4: Cloud Application Security, Part 1

Advocating Training and Awareness for Application Security

Describing the Secure Software Development Lifecycle (SDLC) Process

Applying the SDLC Process

Chapter 10: Domain 4: Cloud Application Security, Part 2

Applying Cloud Software Assurance and Validation

Using Verified Secure Software

Comprehending the Specifics of Cloud Application Architecture

Designing Appropriate Identity and Access Management (IAM) Solutions

Chapter 11: Domain 5: Cloud Security Operations, Part 1

Building and Implementing a Physical and Logical Infrastructure for a Cloud Environment

Operating and Maintaining Physical and Logical Infrastructure for a Cloud Environment

Chapter 12: Domain 5: Cloud Security Operations, Part 2

Implementing Operational Controls and Standards

Supporting Digital Forensics

Managing Communication with Relevant Parties

Managing Security Operations

Chapter 13: Domain 6: Legal, Risk, and Compliance, Part 1

Articulating Legal Requirements and Unique Risks within the Cloud Environment

Understanding Privacy Issues

Chapter 14: Domain 6: Legal, Risk and Compliance, Part 2

Understanding the Audit Process, Methodologies, and Required Adaptations for a Cloud Environment

Understanding the Implications of Cloud to Enterprise Risk Management

Understanding Outsourcing and Cloud Contract Design

Part 3: The Part of Tens

Chapter 15: Ten (or So) Tips to Help You Prepare for the CCSP Exam

Brush Up on the Prerequisites

Register for the Exam

Create a Study Plan

Find a Study Buddy

Take Practice Exams

Get Hands-On

Attend a CCSP Training Seminar

Plan Your Exam Strategy

Get Some Rest and Relaxation

Chapter 16: Ten Keys to Success on Exam Day

Make Sure You Wake Up

Dress for the Occasion

Eat a Great Meal

Warm Up Your Brain

Bring Snacks and Drinks

Plan Your Route

Arrive Early

Take Breaks

Stay Calm

Remember Your Strategy

Part 4: Appendixes

Appendix A: Glossary

Appendix B: Helpful Resources

(ISC)2 and CCSP Exam Resources

Standards and Guidelines

Technical References

Index

About the Author

Connect with Dummies

End User License Agreement

List of Tables

Chapter 3

TABLE 3-1 Primary Cloud Service Categories

TABLE 3-2 Overview of the Cloud Deployment Models

List of Illustrations

Chapter 2

FIGURE 2-1: The CIA triad is the foundation of information security.

FIGURE 2-2: Using a symmetric-key for both encryption and decryption.

FIGURE 2-3: Utilizing asymmetric-key (or public key) encryption and decryption.

FIGURE 2-4: The Incident Response (IR) lifecycle.

Chapter 4

FIGURE 4-1: Cloud secure data lifecycle.

Chapter 5

FIGURE 5-1: Structured versus unstructured data.

FIGURE 5-2: Hashing.

FIGURE 5-3: Data loss prevention (DLP).

FIGURE 5-4: Data de-identification.

FIGURE 5-5: Data masking.

Chapter 7

FIGURE 7-1: Overview of cloud infrastructure components.

FIGURE 7-2: Software-Defined Networking (SDN) architecture.

FIGURE 7-3: Hypervisor overview.

FIGURE 7-4: Type 1 versus Type 2 hypervisors.

FIGURE 7-5: Zero trust architecture overview.

Chapter 8

FIGURE 8-1: Example trust zone architecture.

FIGURE 8-2: Federated identity overview.

Chapter 9

FIGURE 9-1: Software development lifecycle overview.

Chapter 10

FIGURE 10-1: Cloud access security broker (CASB).

Chapter 14

FIGURE 14-1: Relationship between risk, likelihood, and impact.


CCSP® For Dummies®, 2nd Edition, with Online Practice

Published by: John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, www.wiley.com

Copyright © 2024 by John Wiley & Sons, Inc., Hoboken, New Jersey

Media and software compilation copyright © 2021 by John Wiley & Sons, Inc. All rights reserved.

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and may not be used without written permission. CCSP is a registered trademark of (ISC)2, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHORS HAVE USED THEIR BEST EFFORTS IN PREPARING THIS WORK, THEY MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES, WRITTEN SALES MATERIALS OR PROMOTIONAL STATEMENTS FOR THIS WORK. THE FACT THAT AN ORGANIZATION, WEBSITE, OR PRODUCT IS REFERRED TO IN THIS WORK AS A CITATION AND/OR POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE PUBLISHER AND AUTHORS ENDORSE THE INFORMATION OR SERVICES THE ORGANIZATION, WEBSITE, OR PRODUCT MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING PROFESSIONAL SERVICES. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR YOUR SITUATION. YOU SHOULD CONSULT WITH A SPECIALIST WHERE APPROPRIATE. FURTHER, READERS SHOULD BE AWARE THAT WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ. NEITHER THE PUBLISHER NOR AUTHORS SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES.

For general information on our other products and services, please contact our Customer Care Department within the US at 877-762-2974, outside the US at 317-572-3993, or fax 317-572-4002. For technical support, please visit https://hub.wiley.com/community/support/dummies.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2023949196

ISBN 978-1-394-21281-1 (pbk); ISBN 978-1-394-21280-4 (ePDF); ISBN 978-1-394-21284-2 (epub)

Introduction

As cloud computing has exploded over the last two decades, so has the need for security professionals who understand how the cloud works. Enter the Certified Cloud Security Professional (CCSP) certification. The CCSP was introduced in 2015 and has quickly become the de facto standard for cloud security certifications around the globe. Today, more than 10,000 security professionals have earned the coveted CCSP designation worldwide, and that number is quickly growing!

Cloud computing, as we know it, first became widely available circa 2006 when Amazon created the first enterprise cloud service offering, Amazon Web Services (AWS). Since then, Google, Microsoft, and a host of other companies have burst on the scene with their very own cloud services. Today, cloud computing is more mainstream than ever, with most research firms estimating the public cloud market to top $1 trillion worldwide by 2028. With most estimates putting cloud spend above 60 percent of all tech spend, the need for informed cloud professionals has never been greater.

While we continue to experience this massive cloud boom, cloud security has not so quietly become front-and-center for most organizations. Companies want to ensure that their most important business and customer data remain safe when moved to the cloud, and they need skilled and qualified practitioners to make that happen. That’s where you (and the CCSP) come in!

You may be familiar with the CCSP’s bigger sibling: the Certified Information Systems Security Professional (CISSP). The CISSP certification has been around since 1994 and has amassed quite a following in information security circles. (As of this writing, there are more than 160,000 CISSPs worldwide.) The CCSP serves the same purpose for one of the fastest growing information security subareas — cloud security. It’s all but inevitable that the CCSP will continue its ascent among the most essential industry certifications around the world.

About this Book

Information security is one of the broadest domains of Information Technology. Add to that the complexities of cloud computing, and it’s easy to see why many people are scared off by the field of cloud security. A true cloud security professional is a Jack (or Jill) of all trades — they know the ins and outs of data security and protection and also understand how cloud architectures are designed, managed, and operated. The CCSP credential seeks to validate that the holder has mastered the sweet spot between the two worlds. This task may sound daunting, but don’t fret! CCSP For Dummies breaks these topics down into bite-sized chunks to help you digest the material, pass the exam, and apply your knowledge in the real world.

While you can find tons of books and resources available to study information security, cloud security resources are a bit harder to come by. Perhaps the field is still too young, or maybe it really is too daunting for some authors and publishers to assemble. Many of the books that do exist either don’t cover all of the necessary facets of cloud security or are overly complex encyclopedic volumes.

In CCSP For Dummies, Wiley and I have put together a book that covers all of the topics within the CCSP Common Body of Knowledge (CBK) in a straightforward, easy-to-read manner. And this second edition has been updated to address the latest and greatest topics from the CCSP Exam Outline and beyond. You’ll find this book to be overflowing with useful information, but written with the battle-tested For Dummies approach and styling that helps countless readers learn new topics. In addition, I try to inject many of my own experiences working in cloud security to give you practical views on some otherwise abstract topics.

As wonderful as I think this book is — and I hope you feel the same way after reading it — you shouldn’t consider any single resource to be the Holy Grail of cloud security. CCSP For Dummies creates a framework for your CCSP studies and includes the information you need to pass the CCSP exam, but will not single-handedly make you a cloud security know-it-all. Reaching the top of the cloud security mountain requires knowledge, skills, and practical experience. This book is a great start, but not the end of your cloud security journey.

Foolish Assumptions

I’ve been told that assumptions are dangerous to make, but here I am making them anyway! At a minimum, I assume the following:

You have at least five years of general IT experience, preferably more. In order to follow the topics in this book and pass the CCSP exam, you need a solid grounding in the technologies that form the foundation of cloud computing. This assumption means that you're comfortable with basic computing terms like CPU and RAM and also have hands-on experience with databases, networks, and operating systems.

You have at least a high-level understanding of information security concepts and technologies. You should be familiar with things like access control and encryption, and you should understand the concepts of confidentiality, integrity, and availability. I expect that many readers have already achieved the prestigious CISSP certification. If you’re among this group, then you’re not only ready for this book, but you also satisfy all of the CCSP’s experience requirements (which I discuss in Chapter 1). If you don’t have sufficient information security knowledge or if you need to brush up on some basic security concepts, then you’re in luck — I’ve written Chapter 2 just for you!

You have a minimum of one year paid work experience in one or more of the six domains of the CCSP CBK (that make up Chapters 3 through 14 of this book). This expectation is not just an assumption, but an explicit requirement of the CCSP exam. Certain educational and certification achievements (such as earning CSA’s CCSK) can be substituted for this experience requirement.

You will use what you know and what you learn in this book for good, not evil. You’ll be a responsible security professional and abide by the (ISC)2 Code of Ethics (which is a requirement for CCSP certification).

Icons Used in This Book

This book is full of useful information, but every once in a while, something extra useful or important pops up and deserves some extra attention. Keep an eye out for the following icons throughout this book. Each has its own specific meaning, and identifies something you should take note of.

The Tip icon marks tips (duh!) and extra tidbits of information that can help you grasp some of the more challenging concepts in the text. When I use this icon, I’m trying to point out some extra information that can help you on your exam.

These icons may not help you remember your spouse’s birthday, but they’ll surely come in handy for the CCSP exam. I use the Remember icon to point out stuff that’s especially important to know for the exam. These are the things that might trip you up on the exam if you don’t commit them to your long-term memory. Consider these your CCSP lifesavers.

The Technical Stuff icon marks information of a highly technical nature that may not necessarily be needed for the CCSP exam, but gives you deeper insight, if you want it. If you’re a fan of tech jargon, then keep an eye out for this icon.

The Warning icon is the closest I can get to flashing red lights and sirens. I use this icon to tell you to watch out! It marks important information that may save you headaches — or missed points on the exam. Keep an eye out for Warning icons, as they point out those silly mistakes that are otherwise easy to avoid.

Beyond the Book

CCSP For Dummies comes with a few extra goodies to help you prepare for the CCSP exam. My hope is that the book gives you the foundation you need to pass the test, but these extra resources can help put you over the top.

In addition to the book you’re reading right now, you have access to some helpful Cheat Sheets that you can use to quickly reference things like common cloud security risks and the shared responsibility model. Keep these Cheat Sheets handy to reference whenever you may not have this book at your fingertips. To access your Cheat Sheets, head over to www.dummies.com and type CCSP For Dummies Cheat Sheet in the Search bar.

To help you assess your knowledge, you also have access to 100 flashcards and 200 online practice questions (two sets of 100 questions). You can use the flashcards to reinforce some key CCSP terms, topics, and concepts. I reference the relevant chapter that each flashcard comes from so that you can revisit specific subjects, if necessary. I’ve written the practice questions to mimic the multiple-choice style of questions you’ll see on the CCSP exam. Use these practice sets to verify your mastery of important topics, and identify topics or domains that you may need to brush up on.

To access your flashcards and online practice questions, simply follow these steps to register your book and activate your account:

Register your book or ebook at Dummies.com to get your PIN. Go to www.dummies.com/go/getaccess.

Select your product (in this case, it’s CCSP For Dummies) from the dropdown list on that page.

Follow the prompts to validate your product, and then check your email for a confirmation message that includes your PIN and instructions for logging in.

If you do not receive this email within two hours, please check your spam folder before contacting us through our Technical Support website at http://support.wiley.com or by phone at 877-762-2974.

Now you’re ready to go! You can come back to the practice material as often as you want — simply log on with the username and password you created during your initial login. No need to enter the access code a second time.

Your registration is good for one year from the day you activate your PIN.

Where to Go from Here

So, what’s next? While you can certainly read this book from cover to cover, you don’t have to! CCSP For Dummies is broken into several parts, each with chapters that stand on their own. If a particular topic interests you, visit Part 2 and explore any (or all) of the CCSP domains.

If you need a primer on information security, then you may want to head over to Chapter 2 before diving into the CCSP domains.

If you still have no idea where to go from here, you can’t go wrong with Chapter 1!

Part 1

Starting Your CCSP Journey

IN THIS PART …

Meet (ISC)2 and the CCSP exam.

Learn or refresh your information security knowledge.

Chapter 1

Familiarizing Yourself with (ISC)2 and the CCSP Certification

IN THIS CHAPTER

Learning about the (ISC)2 and the CCSP certification

Understanding the benefits of getting certified

Exploring the CCSP certification domains

Creating a study plan

Registering for the CCSP exam

Taking the CCSP exam

In this chapter, you develop an understanding of the (ISC)2 organization and CCSP certification, including what you need to know before the exam, what to expect during the exam, and what to do after you pass the exam!

Appreciating (ISC)2 and the CCSP Certification

The International Information System Security Certification Consortium — more easily referred to as (ISC)2 — is a nonprofit organization that has been training and certifying cybersecurity professionals since 1989. With more than 190,000 certified members and associates worldwide, (ISC)2 is widely regarded as the world’s leading cybersecurity professional organization. Its flagship certification, launched in 1994, is the Certified Information Systems Security Professional (CISSP). Since then, the organization has launched other certifications, including three CISSP concentrations. As of today, (ISC)2 offers the following ten professional certifications and concentrations:

Certified in Cybersecurity (CC)

Certified Information Systems Security Professional (CISSP)

Information Systems Security Architecture Professional (CISSP-ISSAP)

Information Systems Security Engineering Professional (CISSP-ISSEP)

Information Systems Security Management Professional (CISSP-ISSMP)

Systems Security Certified Practitioner (SSCP)

Certified Cloud Security Professional (CCSP)

Certified Authorization Professional (CAP)

Certified Secure Software Lifecycle Professional (CSSLP)

HealthCare Information Security and Privacy Practitioner (HCISPP)

In addition to managing a broad assortment of cybersecurity certifications, (ISC)2 also organizes the annual (ISC)2 Security Congress conference, which provides continuing education, networking, and career advancement opportunities for thousands of security professionals every year.

In 2015, (ISC)2 and the Cloud Security Alliance (CSA) introduced the Certified Cloud Security Professional (CCSP) certification to the world. The CCSP is a standalone credential, but builds on certifications like the CISSP and CSA’s Certificate of Cloud Security Knowledge (CCSK). The main objective of the CCSP is to certify that the credential holder has the knowledge, skills, and experience required to design, manage, and secure data in cloud-based applications and infrastructures.

Knowing Why You Need to Get Certified

According to (ISC)2, a CCSP applies information security expertise to a cloud computing environment and demonstrates competence in cloud security architecture, design, operations, and service orchestration. In preparing for the CCSP exam, you expand your knowledge of information security and cloud computing concepts, making you a more well-rounded professional, while also improving your job security. Achieving the CCSP credential is a great way to strut your stuff in front of employers who seek verified cloud security expertise — say hello to increased visibility and new career opportunities!

While the CCSP isn’t generally a strict requirement for most cloud security positions, it does differentiate you to potential employers. It shows that you have the technical skills and experience they need as they seek to securely build and manage their cloud environments. The CCSP is a vendor-neutral certification, meaning the knowledge and skills it certifies can be applied to various technologies and methodologies. By not being limited to a single vendor, the CCSP designation is as versatile as it is valuable and can help you start or build a long-lasting career in cloud security.

Studying the Prerequisites for the CCSP

Along with passing the CCSP exam, you must satisfy a few other requirements to achieve the CCSP designation. As a CCSP candidate, you must have at least five years of paid work experience in Information Technology, and at least three of those years must include Information Security experience. Further, you must have at least one year of experience working in one or more of the six domains of the CCSP Common Body of Knowledge (CBK).

(ISC)2 emphasizes practical, real-world experience to fulfill the work experience requirements. In other words, it’s not enough to have IT or Information Security listed as a line-item on your resume — you must have regularly applied relevant knowledge and skills to perform your job duties. Some examples of full-time jobs that may satisfy these requirements include, but aren’t limited to

Cloud architect

Enterprise architect

Information systems security officer

Security administrator

Security analyst

Security engineer

Systems architect

Systems engineer

If you don’t have acceptable full-time work experience, (ISC)2 also accepts part-time work and internships under the following guidelines:

Part-time:

2,080 hours of part-time work equals one year of full-time experience.

Internships:

For paid or unpaid internships, you must provide documentation on company letterhead that confirms your experience.

If you already hold CSA’s CCSK certificate, (ISC)2 waives the requirement for one year of experience in one or more of the six CCSP domains. Even better, if you hold the CISSP credential, then you’re all set for 100 percent of the CCSP experience requirements!

If you don’t already have the required work experience, you can still take the CCSP exam. When you pass, you’ll earn the Associate of (ISC)2 designation and be given six years to earn the required experience and become a fully certified member. You can learn more about CCSP experience requirements at www.isc2.org/Certifications/CCSP/experience-requirements.

Understanding the CCSP Domains

Six security domains are within the CCSP Common Body of Knowledge (CBK), and I cover them fully in Chapters 3 through 14. Think of these domains as the six subject areas that you must master in order to pass the exam. The CCSP domains (and their respective weightings on the exam) are

Domain 1: Cloud Concepts, Architecture, and Design (17 percent)

Domain 2: Cloud Data Security (20 percent)

Domain 3: Cloud Platform and Infrastructure Security (17 percent)

Domain 4: Cloud Application Security (17 percent)

Domain 5: Cloud Security Operations (16 percent)

Domain 6: Legal, Risk and Compliance (13 percent)

Domain 1: Cloud Concepts, Architecture, and Design

Domain 1: Cloud Concepts, Architecture, and Design counts for 17 percent of the CCSP exam and is the foundational domain that lays the groundwork for your understanding of cloud computing. You should think of this domain as your gateway to cloud mastery — everything else simply builds on the elements and concepts outlined here.

In this domain, you learn how to identify and define everyone’s role in a cloud implementation, including both the cloud provider and cloud customer. Domain 1 gives you an understanding of the key technical characteristics of cloud computing and also introduces you to the various capabilities, categories, and deployment models of cloud architectures.

You must consider specific design requirements in order to develop a functional and secure cloud environment. Some of these requirements coincide with your traditional data center, so you should see some familiar content. However, certain features of cloud computing require additional consideration and new approaches. Domain 1 introduces the cloud security data lifecycle and discusses how things like cryptography, network security, and access control should be used to protect against the many unique threats that cloud environments and cloud data face.

Domain 1 also introduces various methods for cloud customers to evaluate and verify cloud providers against established security standards and certifications. Cloud customers cannot manage and control cloud environments the way they control their data centers, so there needs to be a way for them to validate the security and operations of the cloud services they use. Cloud providers can earn certifications across their entire environments and applications, or they can opt for various certifications aimed at specific components and products, such as FIPS 140-3 certification. You learn about all of these topics in Domain 1.

Domain 2: Cloud Data Security

Domain 2: Cloud Data Security is the most heavily weighted domain on the CCSP exam, at 20 percent, and covers identifying, classifying, and securing cloud data. The domain begins with coverage of the cloud data lifecycle and identifies the most important security considerations, from data creation through data destruction.

Each of the cloud service categories (IaaS, PaaS, and SaaS) leverages its own data storage types. Domain 2 defines these types, identifies the threats they face, and explores various unique considerations around securing each of them. While many of the data security technologies used in the cloud are similar to those used in traditional data centers, how they are used varies based on the specific cloud architecture and any regulatory or contractual obligations the cloud provider may have. This domain covers designing and implementing a data security strategy that fits your particular cloud architecture.

The topics of data discovery and data classification are core to any data security strategy. Domain 2 explores these concepts as they pertain to cloud computing and focuses on the cloud-specific challenges associated with each. Here, you learn how multitenancy and the large geographic footprint of most cloud providers make discovering and classifying sensitive data a big challenge and what to do about that. Among the many solutions, this domain covers Information Rights Management (IRM) technologies and how they can be used to enforce specific security and privacy requirements for data in (or outside of) the cloud. In addition to protecting data, this domain covers the concepts of data retention, deletion, and archiving.

Ensuring effective data security also requires that you ensure the auditability, traceability, and accountability of data events. Domain 2 covers the identification of data sources by cloud service category, and the logging, storing, and analyzing of relevant data events. Among the many requirements you explore, this domain emphasizes ensuring chain of custody and nonrepudiation for data events. Don’t worry, Chapters 5 and 6 cover all this jargon, and more!

Domain 3: Cloud Platform and Infrastructure Security

Cloud Platform and Infrastructure Security (Domain 3) counts for 17 percent of the CCSP exam and focuses on the practical matters of securing a cloud platform and its infrastructure. You explore what makes up a cloud’s virtualized (logical) environment and how that relates to the physical environment underneath it — you also dive into what it takes to secure both the logical and physical components of a cloud environment.

In Domain 1, you focus a lot of your attention on the architecture of cloud environments. It’s there that you learn about the virtual infrastructure that enables the power of cloud computing, and appreciate how the underlying physical infrastructure supports all that cloudy goodness. In Domain 3, you explore the unique security concerns and requirements associated with a cloud’s logical and physical environment. Mastery of these concepts requires that you understand a host of cloud-specific risks, including virtualization risks, and learn what security controls and strategies to implement as a result. In Domain 3, you learn all about what it takes to design a secure data center at the logical and physical layers.

A major component of any secure system is ensuring appropriate identity and access management. This domain hits on identification, authentication, and authorization for cloud infrastructures and covers how these topics should be managed by cloud customers who rely on shared, third-party resources, like the cloud.

Last, but not least, Domain 3 covers the essential topics of business continuity and disaster recovery (BCDR). These concepts are hugely important for any company on any kind of architecture — cloud or legacy. While cloud environments inherently provide a great deal of redundancy over traditional data centers, organizations must understand how cloud usage fits into their overall BCDR strategy. This domain dives into what it takes to develop a comprehensive strategy, including defining your scope, generating your requirements, and appropriately assessing BCDR risks to your organization. While an effective strategy requires lots of planning, it’s also important that your plan is regularly tested to ensure its feasibility and effectiveness.

Domain 4: Cloud Application Security

Domain 4: Cloud Application Security is weighted at 17 percent of the CCSP exam and covers the most critical application security concerns that are relevant to cloud environments. This domain starts with coverage of common cloud-related application security pitfalls and then introduces some of the most significant categories of cloud application vulnerabilities.

One of the primary focal points of Domain 4 is the secure software development lifecycle (SDLC) process. In this domain, you learn all about the phases of that process and how to apply it to secure application development in cloud environments. You not only explore the most common SDLC methodologies (waterfall and agile), but you also take a look at threat modeling and explore how it pertains to secure cloud development and configuration management.

A major part of software development, whether in cloud environments or not, is application testing. In Domain 4, you learn about static and dynamic application security testing (SAST and DAST) — you gain an understanding of the pros and cons of each and how they can be used together to form a comprehensive cloud application testing strategy. You learn about the differences between black box and white box testing and identify when to use each method. To wrap up your study of security testing methodologies, Domain 4 introduces the practices of vulnerability scanning and penetration testing. You learn that these are not the same things and gain an appreciation for how they complement each other as part of your comprehensive application testing strategy.

Between Domain 1 and Domain 4, you learn that cloud environments and applications can be made up of multiple components, services, and integrations from various sources. In this domain, you explore the importance of using verified secure software components. You dive into topics like supply-chain management and third-party software management and gain an understanding of using secure and approved Application Programming Interfaces (APIs) and Open Source Software (OSS). After laying this groundwork, Domain 4 covers the architecture of cloud applications and highlights specific security components that you should understand. In this domain, you revisit topics like cryptography and Identity and Access Management (IAM) and learn how they apply specifically to cloud-based application development.

Domain 5: Cloud Security Operations

Domain 5 covers the broad topic of security operations in the cloud, which includes everything from managing your data center’s security to collecting and preserving digital evidence using cloud forensics techniques. This domain is worth 16 percent of the total CCSP exam.

Domain 5 begins with coverage of topics related to implementing and building a cloud infrastructure, both at the physical and logical layers. You learn about secure hardware configuration requirements (such as BIOS security) and also explore how to securely install and configure virtualization management tools. Next, the domain takes you from building your cloud infrastructure to securely operating it. This domain covers the nitty-gritty details associated with access controls for local and remote access, securing your network configurations, and using baselines as a guide to harden the operating systems throughout your cloud environment. You learn how to securely manage stand-alone hosts and clustered hosts, as well as guest operating systems on the virtualized infrastructure.

Aside from building and operating a secure cloud infrastructure, Domain 5 has a strong focus on securely managing your physical and logical cloud infrastructure, which includes all of the technical, management, and operational activities and controls necessary to keep your cloud environment securely running. This domain covers things like patch management, performance and capacity monitoring, hardware monitoring, and backup and restore functions. You spend some time learning about additional network security controls, like honeypots and network security groups, and also learn about securing and securely using the management plane. Much of this information feeds into the domain’s coverage of the Security Operations Center (SOC) and how a SOC can be used to monitor security controls across a cloud’s physical and logical environment.

One of the most important aspects of Domain 5 involves coverage of operational controls and standards, like ITIL, and how to apply and implement those standards in your cloud environment. You explore common IT topics like change management, incident management, and configuration management, as they specifically pertain to cloud computing. Domain 5 wraps up with an important discussion about managing communication with customers, vendors, and other relevant parties.

Domain 6: Legal, Risk, and Compliance

Domain 6 counts for roughly 13 percent of the CCSP exam and focuses on the many legal and regulatory requirements that pertain to cloud environments. Cloud computing environments often extend across national borders and are subject to multiple different jurisdictions and regulations. You can picture one big cloud that’s hovering over three different countries. Each country has its own regulations and policies, and within that country are several different states or jurisdictions that have their own laws. If that’s not enough, there are also regulations specific to banking, healthcare, education, and the list goes on — but there’s just that one large cloud hovering above, trying to cover everyone down below. Yikes! Maintaining compliance in each territory and industry can be overwhelming. This domain focuses on how cloud providers and customers can handle all their legal, risk, and compliance obligations.

In Domain 6, you learn that a pretty common legal challenge in cloud computing comes in the form of an e-Discovery order to produce data for a court or other government entity. In this domain, you examine the notion of e-Discovery and digital forensics in the cloud, as well as the challenges that come with it.

It’s not good enough for cloud providers to do a bunch of security things and tell their customers to trust them — auditing is a huge part of maintaining and demonstrating compliance to regulators and customers. This domain explores the different types of audits and how they impact cloud environments and their design. You explore the auditing process, the standards that govern the process, reporting, and the stakeholders involved.

In addition to legal and regulatory requirements, Domain 6 covers the subject of risk management as it pertains to cloud computing. Cloud computing creates a paradigm shift from owning and controlling everything to the Shared Responsibility Model (don’t worry, I discuss this in Chapter 3). With this change, customers need to think about how they assess, manage, and monitor risk differently than they ever have. Domain 6 includes various risk frameworks and focuses on applying them in the cloud.

Preparing for the Exam

You can prepare for the CCSP exam in many ways. Self-study (like reading this book) is a very popular way to prepare, but you can include lots of other components in your study plan. Whether it’s practical hands-on experience at work (which is not only helpful, but a requirement for certification) or formal classroom training, you should put together a mix of study elements that works best for your personal learning style.

When preparing for the CCSP exam, I recommend that you establish and commit to a study plan. Your study plan should include a firm timeline, study materials of choice, studying methodology, and your selected method(s) of practicing. I recommend either a 90-day or 120-day timeline, depending on your level of experience. If you’ve already passed the CISSP or have many years of Information Security experience, then a 90-day plan should suffice. If you’re starting from a more junior level, consider giving yourself a full four months. The key is to set an aggressive timeline that is realistic based on your current knowledge and time commitments. Make sure that you consider your planned work and family commitments. I will not be held accountable for angry husbands, wives, children, or pets!

To successfully prepare for the CCSP exam, you really have to know your learning style and cater to it. Personally, I learn best by locking myself in a room and reading books in silence. Other people prefer small study groups, and some opt for classroom learning. I present some options in the following sections, but it’s up to you to find the ones that work best for you.

Studying on your own

Self-study is probably the most common way for people to prepare for the CCSP and other exams like it. Many self-study resources are available for you, including books, practice exams, and a host of Internet resources. (See Appendix B for some resources that complement this book.)

Your first step should be to download the official CCSP Certification Exam Outline (www.isc2.org/CCSP-Exam-Outline). I’ve aligned this book with the topics in that document, and it’s a good idea to review it to get an idea of the subjects that you’re about to learn.

Your next step is my personal favorite: Read this book. CCSP For Dummies is (ISC)2-approved and covers all of the content in the CCSP CBK. By starting with this book, you get a thorough review of all the topics that you can expect when you sit for the CCSP exam. It doesn’t matter if you read CCSP For Dummies cover to cover or hop around the chapters out of order — the book is modular and meant to be read in any way you want, although upside-down might be a bit tough!

The purchase of this book grants you access to online practice questions and flashcards (see the Introduction for more information). Use these resources to assess your learning after you complete the book.

After reading this book, you should then read any other study resources you can get your hands on to strengthen your understanding and retention of the exam topics. Additional resources can include other books (just make sure they’re (ISC)2-approved!), web resources (see Appendix B), or the wealth of resources that ISC2 recommends on its website (www.isc2.org/certifications/References).

Don’t rely on any single book (including this awesome one!) as your only resource to prepare for the CCSP. The exam covers a wide range of information, and you should get multiple views to ensure you fully understand each topic.

Another key to self-study is validating that you’ve learned and retained critical information. You should answer a whole lot of practice questions. In addition to the ones that come with this book, lots of resources are available for CCSP practice exams and questions. (Check out Appendix B to get you started.) You should know that no practice exams perfectly mirror the CCSP exam — some may be unbearably difficult, while others fail to cover half the exam topics. That’s why I recommend answering as many practice questions from as many sources possible — just make sure that you get your practice questions and exams only from trusted sources.

Once you’ve read through all your study materials and you’ve tested your knowledge with practice questions, you should revisit this book one last time before taking the exam. Maybe you just focus on any notes you’ve taken in the margins or perhaps you do a quick reread of the entire book. Either way, I recommend revisiting this book closer to test day to remind yourself of any details you may have forgotten and clarify any topics that are still fuzzy.

Learning by doing

As Julius Caesar once said, “Experience is the best teacher.” You could read all the cloud security books in the world, but nothing compares to practical hands-on learning.

You might work in a role in which you can use all of the things you learn in this book. If so, you’re really lucky! Use every opportunity you get to apply the wealth of information from this book to what you do at work. If you don’t have a related role, that’s fine, too. Perhaps your company is migrating to the cloud? Or maybe your business already uses cloud services? Find teams and people involved in your organization’s cloud endeavors and seek ways to get involved.

Getting official (ISC)2 CCSP training

While many people are successful using self-study resources to prepare for the CCSP, some opt to attend a seminar or boot camp to brush up on the topics covered in the CCSP CBK. If you’re in the latter group, (ISC)2 offers multiple training options to fit your learning style and schedule. For the most flexibility, you can choose (ISC)2’s self-paced training option. Self-paced training includes online access to recorded instruction and course content, chapter quizzes, learning activities, and more. The course costs $920 for 180 days of access. The course also qualifies you to receive 40 Continuing Professional Education (CPE) credits. This is a great access-anywhere option that puts you in complete control of your learning journey.

Some people learn best in a traditional classroom setting, and (ISC)2 has an answer for that, too. You can sign up for classroom-based training led by (ISC)2 or an official (ISC)2 training provider. These are offered on-site — at an (ISC)2 classroom or partner facility — as five- or six-day training seminars that cover the entire CCSP CBK in less than a week.

(ISC)2 also offers private on-site training for groups of ten or more. This is ideal if your organization wants to train an entire team at once, as (ISC)2 sends an authorized instructor to the location of your choosing. If you’re looking for the best of both worlds, (ISC)2 offers an option that is led by an authorized instructor but accessed from the comfort of your own home (or wherever you might be). You can choose a university-style course that meets online with a variety of scheduling options, including weekdays, weekends, and evenings.

You can find course schedules, costs, and additional information regarding official (ISC)2 training at www.isc2.org/training.

Attending other training courses

While (ISC)2 and their official partners provide excellent training courses, other legitimate organizations also offer quality training options. As any IT certification grows in popularity, so do the number of companies offering training services — it never fails.

Make sure that you do your research before handing over your hard-earned money to one of these companies. Search online to learn more about the company and course instructor. Ask your friends and colleagues whether they’ve taken the course or had any experiences with the training organization. Get as much information as possible to make sure the company is reputable and the training is useful.

Practice, practice, practice

Practice questions are the best way to confirm that you understand the topics that you’ll be tested on when you take the CCSP exam. You should definitely start with the practice questions included with this book (see the Introduction for more information). After that, you can search for additional sample questions and practice exams — just make sure you’re using reputable sources. When answering practice questions, make note of the types of questions you get wrong and revisit those topics in this book and your other study materials.

It’s a good idea to time yourself when taking practice exams. You have four hours to answer 150 questions on the real exam, so make sure you’re averaging under roughly 90 seconds per question.

Ensuring you’re ready for the exam

Okay, so you read this book and answered the included practice questions. Then you read some more books and took additional practice exams. Maybe you found a CCSP study group or perhaps you decided to take a five-day bootcamp — when are you ready for the exam? You could easily study for months on end and spend lots of money on study material, but at some point, you just have to challenge the exam.

I recommend laying out a 90- or 120-day study plan and sticking to it. CCSP For Dummies has all the information you need to pass the CCSP exam. Read this book, take plenty of notes, and answer the practice questions until you grasp the content. Follow up by reading other books and study materials, and answering as many other practice questions as possible.

The key to any effective plan is having a clear end-goal. Once you can consistently score 85 percent in each domain, I’d say you’re ready for the exam!

Registering for the Exam

I recommend picking an exam date and registering for the exam at the beginning of your CCSP journey. The sooner you decide to register, the sooner you can have a firm goal to work toward!

Exam prices, taxes, and currency depend on your location. The current exam fee is $599 in the United States.

The CCSP exam is a computer-based test (CBT) and can be taken at a Pearson VUE testing center nearest you; Pearson VUE is the exclusive administrator for all (ISC)2 exams around the world.

Registering for the exam is pretty easy if you follow these steps:

Navigate to the Pearson VUE website by visiting www.pearsonvue.com/isc2.

Create an account for yourself with Pearson VUE.

Select the exam you’re registering for.

Hopefully that’s the CCSP, or else I’m writing the wrong book!

Find the day, time, and Pearson VUE testing center that works best for you.

Pay your exam fee and register for the exam.

(ISC)2 offers reasonable and appropriate accommodations for test takers who have a legitimate need for special accommodations (such as a medical condition, for example). If you require special accommodations, contact (ISC)2 before registering for your exam. Visit www.isc2.org/Register-for-Exam for more information.

If you arrive at your test center more than 15 minutes after your scheduled exam time, you’ll be considered late. If this happens, the testing center may choose to turn you away. If you’re deemed late or if you miss the exam, you can kiss your exam fee goodbye!

You can reschedule or cancel your exam by contacting Pearson VUE, by phone, at least 24 hours before your scheduled exam. If you want to reschedule or cancel online, you have up to 48 hours before your scheduled exam to do so. Pearson VUE charges $50 to reschedule your exam, while it will run you $100 to cancel.

Taking the Exam

The CCSP is a computer-based testing (CBT) exam that consists of 150 multiple-choice questions. You have a maximum of four hours to complete the exam — that’s about 96 seconds per question. (ISC)2 uses a scaled scoring approach and requires you to achieve at least 700 out of a possible 1,000 points to pass the CCSP exam.

On every CCSP exam, 50 of the 150 questions are known as pre-test items that are included for research purposes only. Pre-test items do not count toward your score and are used by (ISC)2 to try new questions. You won’t know which questions are pre-test items, so it’s important that you do your best to answer each of the 150 questions accurately.

If you’ve never taken a CBT exam, you can watch a demo and take a tutorial on the Pearson VUE website by visiting www.pearsonvue.com/athena/athena.asp.

When you get to the Pearson VUE testing center, you must check in before sitting for the exam. The standard check-in process involves the following steps:

Present two forms of ID (refer to the (ISC)2 website or your exam confirmation email for acceptable forms of ID).

Have your photo taken.

Provide your signature.

Submit to a palm scan (unless it’s prohibited by law).

Before your exam begins, you are granted five minutes to read the (ISC)2 Non-Disclosure Agreement (NDA). If you fail to read and accept it within the allotted time, your exam will end, and you lose your exam fees! Instead of dealing with this kind of pressure right before answering 150 tough questions, I recommend you download and read the NDA before test day. You can find a link to download the NDA in Appendix B.

Some questions on your exam may appear to have multiple right answers, but success on the CCSP requires that you select the best answer for each question. Use the process of elimination to get rid of two answers that are clearly wrong. You’ll be left with the correct answer and what psychometricians (people who study the science of testing) call a distractor. If you take a deep breath and dig deep into your memory bank, you’ll have a great shot at eliminating the distractor and choosing the single correct answer.

Identifying What to Do After the Exam

After four grueling hours (or less) and 150 mind-bending questions, you’re all done with your CCSP exam! So, now what? Well, in most cases, you’ll have your unofficial test results as soon as you finish the exam — hopefully you’ve passed, and you can go celebrate!

If, for whatever reason, you don’t pass the exam on your first try, don’t fret! It’s not uncommon for folks to need a couple of tries on such a tough exam — although CCSP For Dummies is here to help you avoid that fate! Candidates who fail their first try must wait 30 days before taking the exam again. If failure happens to you, I strongly recommend you read this book again and take lots of practice exams within those 30 days. If you fail a second time, you must wait 90 days to try again. If you fail again, I need you to eat, drink, and sleep cloud security for those 90 days! Read and reread this book (and review your other resources) until you know all six domains inside and out.

Okay, enough about that — you’re here to pass the CCSP! Once you receive formal notification that you’ve passed the exam, you have nine months to complete the CCSP endorsement process. Endorsement is the act of having an existing (ISC)2 credential holder attest to your work experience and give (ISC)2 the thumbs-up to welcome you into the family. Visit www.isc2.org/endorsement for more information.

Once you pass the exam and complete the endorsement process, you are officially a Certified Cloud Security Professional! But this isn’t the end of your journey — in fact, your CCSP journey is a lifelong one. You must remain a member in good standing by doing two things:

Paying your annual maintenance fee (AMF):

All (ISC)2 certified members must pay an AMF of $125 every year on their certification anniversary (except those who hold only the CC certification — they pay $50 per year). (ISC)2 uses members’ AMFs to maintain their certifications and all the support systems and benefits that come with being a member.

Completing your Continuing Professional Education (CPE):

Once you’re a CCSP credential holder, you must demonstrate ongoing maintenance and enhancement of your cloud security knowledge by earning CPEs. As a CCSP, you must earn at least 90 CPE credits every three years, with a suggested minimum of 30 CPEs annually. You can earn CPE credit by completing activities that are directly related to the CCSP domains, including (but not limited to)

Attending a conference, seminar, or presentation

Finishing a project that’s outside your normal work duties

Writing a whitepaper or book

Volunteering for a charitable organization

Taking a higher education course

Reading a book or magazine

Chapter 2

Identifying Information Security Fundamentals

IN THIS CHAPTER

Recognizing the pillars of information security

Identifying threats, vulnerabilities, and risks

Discovering how to control access to your data

Exploring encryption

Planning for and responding to security incidents