Who Should Read This Book
This book is intended for CCSP candidates. To earn the CCSP, you are expected to have professional experience in the field of information security/IT security, particularly experience related to cloud computing. Candidates will also need to provide evidence of their professional experience to (ISC)2 in the event of passing the exam.
The author has drawn on his own experience studying for and passing the exam as well as years of teaching the Certified Information Systems Security Professional (CISSP) and CCSP preparation courses for (ISC)2. He also solicited feedback from colleagues and former students who have taken the prep course and the exam. The book should reflect the breadth and depth of question content you are likely to see on the exam. Some of the questions in this book are easier than what you will see on the exam; some of them may be harder. Hopefully, the book will prepare you for what you might encounter when you take the test.
The one thing I chose not to simulate in the book is the “interactive” questions; (ISC)2 has stated that the current tests may go beyond the regular multiple-choice format and could include “matching” questions (a list of multiple answers and multiple terms, where the candidate has to arrange them all in order), drag-and-drop questions (where the candidate uses the mouse to arrange items on the screen), and “hot spot” questions (where the candidate uses the mouse to point at specific areas of the screen to indicate an answer). There will probably not be many of these on the exam you take, but they are weighted more in your score than the multiple-choice questions, so pay attention and be extra careful answering those.
Tools You Will Need
In addition to this book, I recommend the CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide, Second Edition, also from Wiley (2019). There is, as stated in this introduction, no magic formula for passing the exam. No single particular book or source with all the answers to the exam exists. If someone claims to be able to provide you with such a product, realize that they are mistaken or, worse, misleading you.
However, you can augment your studying by reviewing a significant portion of the likely sources used by the professionals who created the test. The following is a just a sampling of the possible professional resources the cloud practitioner should be familiar with:
The Cloud Security Alliance’s Notorious Ninehttps://downloads.cloudsecurityalliance.org/initiatives/top_threats/ The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
The OWASP’s Top 10www.owasp.org/index.php/Top_10_2013-Top_10
The OWASP’s XSS (Cross-Site Scripting) Prevention Cheat Sheetwww.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
The OWASP’s Testing Guide (v4)www.owasp.org/images/1/19/OTGv4.pdf
NIST SP 500-292, NIST Cloud Computing Reference Architecturehttp://ws680.nist.gov/publication/get_pdf.cfm?pub_id=909505
The CSA’s Security Guidance v4.0:https://cloudsecurityalliance.org/research/guidance
ENISA’s Cloud Computing Risk Assessment:www.enisa.europa.eu/publications/cloud-computing-risk-assessment
The Uptime Institute’s Tier Standard: Topology and Tier Standard: Operational Sustainability (the linked page includes download options for the documents)https://uptimeinstitute.com/publications
CCSP Certified Cloud Security Professional Objective Map
Domain 1 Cloud Concepts, Architecture, and Design
1.1. Understand cloud computing concepts1.1.1 Cloud computing definitions1.1.2 Cloud computing roles (e.g., cloud service customer, cloud service provider, cloud service partner, cloud service broker)1.1.3 Key cloud computing characteristics (e.g., on-demand self-service, broad network access, multitenancy, rapid elasticity and scalability, resource pooling, measured service)1.1.4 Building block technologies (e.g., virtualization, storage, networking, databases, orchestration)
1.2 Describe cloud reference architecture1.2.1 Cloud computing activities1.2.2 Cloud service capabilities (e.g., application capability types, platform capability types, infrastructure capability types)1.2.3 Cloud service categories (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))1.2.4 Cloud deployment models (e.g., public, private, hybrid, community)1.2.5 Cloud shared considerations (e.g., interoperability, portability, reversibility, availability, security, privacy, resiliency, performance, governance, maintenance and versioning, service levels and Service Level Agreements (SLA), auditability, regulatory)1.2.6 Impact of related technologies (e.g., machine learning, artificial intelligence, blockchain, Internet of Things (IoT), containers, quantum computing)
1.3 Understand security concepts relevant to cloud computing1.3.1 Cryptography and key management1.3.2 Access control1.3.3 Data and media sanitization (e.g., overwriting, cryptographic erase)1.3.4 Network security (e.g., network security groups)1.3.5 Virtualization security (e.g., hypervisor security, container security)1.3.6 Common threats
1.4 Understand design principles of secure cloud computing1.4.1 Cloud secure data lifecycle1.4.2 Cloud-based Disaster Recovery (DR) and Business Continuity (BC) planning1.4.3 Cost benefit analysis1.4.4 Functional security requirements (e.g., portability, interoperability, vendor lock-in)1.4.5 Security considerations for different cloud categories (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
1.5 Evaluate cloud service providers1.5.1 Verification against criteria (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27017, Payment Card Industry Data Security Standard (PCI DSS))1.5.2 System/subsystem product certifications (e.g., Common Criteria (CC), Federal Information Processing Standard (FIPS) 140-2)Domain 2 Cloud Data Security2.1 Describe cloud data concepts2.1.1 Cloud data lifecycle phases2.1.2 Data dispersion2.2 Design and implement cloud data storage architectures2.2.1 Storage types (e.g. long term, ephemeral, raw-disk)2.2.2 Threats to storage types2.3 Design and apply data security technologies and strategies2.3.1 Encryption and key management2.3.2 Hashing2.3.3 Masking2.3.4 Tokenization2.3.5 Data Loss Prevention (DLP)2.3.6 Data obfuscation2.3.7 Data de-identification (e.g., anonymization)2.4 Implement data discovery2.4.1 Structured data2.4.2 Unstructured data2.5 Implement data classification2.5.1 Mapping2.5.2 Labeling2.5.3 Sensitive data (e.g., Protected Health Information (PHI), Personally Identifiable Information (PII), card holder data)2.6 Design and implement Information Rights Management (IRM)2.6.1 Objectives (e.g., data rights, provisioning, access models)2.6.2 Appropriate tools (e.g., issuing and revocation of certificates)2.7 Plan and implement data retention, deletion, and archiving policies2.7.1 Data retention policies2.7.2 Data deletion procedures and mechanisms2.7.3 Data archiving procedures and mechanisms2.7.4 Legal hold2.8 Design and implement auditability, traceability, and accountability of data events2.8.1 Definition of event sources and requirement of identity