CCSP
Certified Cloud Security Professional
The Certified Cloud Security Professional (CCSP) is an advanced-level certification that validates deep technical skills and knowledge to design, manage, and secure data, applications, and infrastructure in the cloud. The CCSP demonstrates a practitioner's competence in cloud security architecture, governance, risk management, and compliance, using best practices, procedures, and policies established by industry experts.
This certification covers five consolidated domains: Cloud Architecture and Design, Cloud Data Security, Cloud Platform and Infrastructure Security, Cloud Application Security, and Cloud Operations Legal and Compliance. Candidates must demonstrate expertise in cloud computing architecture, cloud data lifecycle, cloud infrastructure components, secure cloud application development, cloud operations, business continuity, disaster recovery, cloud legal and compliance issues, and risk management in multi-cloud and hybrid environments.
The CCSP uses Computerized Adaptive Testing (CAT) delivering 100-150 questions with a 4-hour time limit. Five years of cumulative paid work experience in IT (with three years in information security and one year in one or more of the six CCSP domains) is required. The CCSP is co-developed with the Cloud Security Alliance and is ideal for cloud architects, cloud security engineers, and enterprise architects.
CCSP Practice Exam 1
Comprehensive 50-question practice exam covering all five CCSP domains: Cloud Architecture and Design, Cloud Data Security, Cloud Platform and Infrastructure Security, Cloud Application Security, and Cloud Operations Legal and Compliance.
CCSP Practice Exam 2
Comprehensive 50-question practice exam covering all five CCSP domains: Cloud Architecture and Design, Cloud Data Security, Cloud Platform and Infrastructure Security, Cloud Application Security, and Cloud Operations Legal and Compliance.
CCSP Practice Exam 3
Comprehensive 50-question practice exam covering all five CCSP domains: Cloud Architecture and Design, Cloud Data Security, Cloud Platform and Infrastructure Security, Cloud Application Security, and Cloud Operations Legal and Compliance.
CCSP Practice Exam 4
Comprehensive 50-question practice exam covering all five CCSP domains: Cloud Architecture and Design, Cloud Data Security, Cloud Platform and Infrastructure Security, Cloud Application Security, and Cloud Operations Legal and Compliance.
CCSP Practice Exam 5
Comprehensive 50-question practice exam covering all five CCSP domains: Cloud Architecture and Design, Cloud Data Security, Cloud Platform and Infrastructure Security, Cloud Application Security, and Cloud Operations Legal and Compliance.
CCSP Practice Exam 6
Comprehensive 50-question practice exam covering all five CCSP domains: Cloud Architecture and Design, Cloud Data Security, Cloud Platform and Infrastructure Security, Cloud Application Security, and Cloud Operations Legal and Compliance.
Отключете цялото съдържание за CCSP
6 Пробен/и тест/ове + Флаш карти — 3 месеца достъп
или включено в месечен абонамент / пакет съдържание
Преглед (10 / 120)
Флаш карти
карти, обхващащи ключови концепции за 120 CCSP
или включено в месечен абонамент / пакет съдържание
110 още карти налични след отключване
Налични езици
Теми на изпита
CCSP Cheat Sheet
Кратък справочник - 6 раздели
CCSP - Certified Cloud Security Professional
The CCSP is an (ISC)² certification that validates advanced competence in cloud security architecture, design, operations, and service orchestration. It demonstrates that the holder has the deep knowledge and hands-on experience required to secure data, applications, and infrastructure in cloud environments. The CCSP is considered the gold standard for cloud security professionals and is recognized globally across industries. It complements the CISSP by focusing specifically on cloud computing security and is ideal for enterprise architects, security administrators, systems engineers, and security consultants who work with cloud-based platforms. The credential requires five years of cumulative paid work experience in IT, of which three years must be in information security and one year in one or more of the six CCSP domains.
Exam Details
| Exam Code | CCSP |
| Duration | 4 hours (240 minutes) |
| Number of Questions | 150 multiple-choice questions |
| Passing Score | 700 / 1000 |
| Cost | $599 USD |
| Validity | 3 years (requires CPE credits for renewal) |
| Question Types | Multiple choice (single and multiple select) |
| Testing Options | Pearson VUE testing center or online proctored |
| Recommended Experience | 5+ years IT experience, 3+ years in information security, 1+ year in cloud security |
| Certification Body | (ISC)² |
| Domains | 6 domains |
Domain Weights
| Domain | Weight |
|---|---|
| Domain 1: Cloud Concepts, Architecture and Design | 17% |
| Domain 2: Cloud Data Security | 20% |
| Domain 3: Cloud Platform and Infrastructure Security | 17% |
| Domain 4: Cloud Application Security | 17% |
| Domain 5: Cloud Security Operations | 16% |
| Domain 6: Legal, Risk and Compliance | 13% |
Study Tips
- Domains 1, 2, and 3 carry the most weight at 17%, 20%, and 17% respectively; prioritize cloud data security, cloud architecture, and platform security in your study plan
- The shared responsibility model is foundational to every domain; understand how responsibility shifts across IaaS, PaaS, and SaaS for each security control category
- Data lifecycle management (create, store, use, share, archive, destroy) appears throughout multiple domains; know how encryption, DLP, and DRM apply at each phase
- Legal and compliance topics including GDPR, HIPAA, PCI DSS, SOC reports, and cross-border data transfer regulations are tested in Domain 6 and appear in scenario questions across the exam
- Understand the differences between Type 1 and Type 2 hypervisors, multi-tenancy isolation techniques, and virtual network security controls for Domain 3
- Business continuity and disaster recovery in cloud environments require understanding of RPO, RTO, cloud-based failover strategies, and data replication patterns
- The CCSP exam tests conceptual understanding rather than vendor-specific implementations; focus on general cloud security principles applicable across AWS, Azure, and GCP
- Practice scenario-based questions that require you to choose the most appropriate security control for a given cloud deployment model and service model combination
Question Strategy Tips
- Read every question carefully and identify which cloud service model (IaaS, PaaS, SaaS) and deployment model (public, private, hybrid, community) the scenario describes before selecting an answer
- When two answers seem correct, choose the one that aligns most closely with the shared responsibility model for the specified service model
- Look for keywords like "data residency", "data sovereignty", "cross-border", or "jurisdictional" which point toward legal and compliance considerations in Domain 6
- The CCSP exam favors risk-based approaches over absolute security; if an answer eliminates all risk, it is likely too extreme and not the best choice
- Time management is critical with 150 questions in 240 minutes; that gives you approximately 1 minute and 36 seconds per question, so flag difficult questions and return to them
- (ISC)² exams test the "think like a manager" mindset; prioritize governance, risk management, and business alignment over purely technical solutions
- Eliminate obviously wrong answers first to improve your chances on questions where you are uncertain; there is no penalty for guessing
Recommended Resources
- CCSP Official Study Guide (Sybex): The primary study resource covering all six domains in depth with practice questions and review sections aligned to the (ISC)² CBK
- CSA Security Guidance v4: Cloud Security Alliance's comprehensive guidance for critical areas of cloud computing; directly referenced in the CCSP exam objectives
- NIST SP 800-145: The NIST Definition of Cloud Computing; establishes the standard definitions for service models and deployment models used throughout the CCSP exam
- NIST SP 800-146: Cloud Computing Synopsis and Recommendations; extends the definitions with practical guidance on cloud adoption and security considerations
- ISO/IEC 27017 & 27018: Cloud-specific security controls and protection of personally identifiable information in public clouds; frequently referenced in Domain 6
- ENISA Cloud Computing Risk Assessment: European agency's analysis of cloud computing risks; useful for understanding risk frameworks tested in the exam
Domain 1: Cloud Concepts, Architecture and Design (17%)
This domain covers the fundamental cloud computing concepts, reference architectures, and security design principles that form the foundation for all other CCSP domains. You must understand cloud service models, deployment models, the shared responsibility model, and how to design secure cloud architectures using established frameworks and best practices from NIST, CSA, and ISO standards.
Cloud Service Models
| Model | Customer Manages | Provider Manages | Examples |
|---|---|---|---|
| IaaS | OS, middleware, runtime, applications, data | Virtualization, servers, storage, networking | AWS EC2, Azure VMs, GCP Compute Engine |
| PaaS | Applications, data | OS, middleware, runtime, virtualization, servers, storage, networking | AWS Elastic Beanstalk, Azure App Service, Google App Engine |
| SaaS | Data (limited), user access configuration | Everything (application, middleware, OS, infrastructure) | Microsoft 365, Salesforce, Google Workspace, Dropbox |
Exam Tip: The shared responsibility model is the single most important concept on the CCSP exam. As you move from IaaS to PaaS to SaaS, the customer's responsibility decreases and the provider's responsibility increases. Always identify the service model before answering any security question.
Cloud Deployment Models
| Model | Description | Use Case |
|---|---|---|
| Public | Infrastructure owned and operated by a cloud provider; shared across multiple tenants; accessed over the internet | General-purpose workloads, development environments, web applications |
| Private | Infrastructure provisioned exclusively for a single organization; can be on-premises or hosted by a third party | Regulated industries, sensitive data, compliance requirements |
| Hybrid | Combination of public and private clouds bound together by technology that enables data and application portability | Cloud bursting, disaster recovery, phased migration |
| Community | Infrastructure shared by several organizations with shared concerns (mission, security, compliance, policy) | Government agencies, healthcare consortiums, research institutions |
Shared Responsibility Model by Service Model
| Security Layer | IaaS | PaaS | SaaS |
|---|---|---|---|
| Physical Security | Provider | Provider | Provider |
| Network Infrastructure | Provider | Provider | Provider |
| Hypervisor / Virtualization | Provider | Provider | Provider |
| Operating System | Customer | Provider | Provider |
| Middleware / Runtime | Customer | Provider | Provider |
| Application | Customer | Customer | Provider |
| Data | Customer | Customer | Customer |
| Identity & Access Management | Customer | Customer | Customer |
Key Insight: Data classification and identity management are ALWAYS the customer's responsibility regardless of the service model. The customer can never fully outsource accountability for their data.
Cloud Reference Architectures
| Framework | Source | Key Focus |
|---|---|---|
| NIST SP 500-292 | NIST | Cloud computing reference architecture defining five major actors: consumer, provider, carrier, broker, auditor |
| NIST SP 800-145 | NIST | Definition of cloud computing: 5 essential characteristics, 3 service models, 4 deployment models |
| CSA Security Guidance | Cloud Security Alliance | 14 domains of cloud security covering governance, operations, and technical security controls |
| TOGAF | The Open Group | Enterprise architecture framework applicable to cloud architecture design and migration planning |
| ISO/IEC 17789 | ISO | Cloud computing reference architecture defining functional components and cross-cutting aspects |
Five Essential Characteristics of Cloud (NIST)
- On-Demand Self-Service: Consumers can provision computing capabilities automatically without requiring human interaction with the service provider
- Broad Network Access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous client platforms
- Resource Pooling: Provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with resources dynamically assigned and reassigned
- Rapid Elasticity: Capabilities can be elastically provisioned and released to scale rapidly outward and inward commensurate with demand
- Measured Service: Cloud systems automatically control and optimize resource use by leveraging a metering capability appropriate to the type of service
Cloud Security Design Principles
- Defense in Depth: Layer multiple security controls so that if one fails, others continue to provide protection; applies to network, host, application, and data layers
- Least Privilege: Grant only the minimum permissions necessary for a user, process, or service to perform its intended function
- Zero Trust: Never trust, always verify; authenticate and authorize every access request regardless of source network or location
- Separation of Duties: Divide critical functions among multiple individuals to prevent fraud and error; no single person should control all phases of a transaction
- Fail Secure: Systems should default to a secure state when they fail; deny access rather than grant it when a security control malfunctions
- Security by Design: Integrate security into every phase of system design and development rather than adding it as an afterthought
Domain 2: Cloud Data Security (20%)
This is the highest-weighted domain on the CCSP exam. It covers the complete data lifecycle, data classification, encryption technologies, data loss prevention, digital rights management, and data de-identification techniques. You must understand how to protect data at rest, in transit, and in use across all cloud service models, and how to ensure data is properly destroyed when no longer needed.
Cloud Data Lifecycle
| Phase | Description | Security Controls |
|---|---|---|
| 1. Create | Data is generated, acquired, or modified; classification and labeling should occur immediately | Data classification policy, automatic labeling, metadata tagging, DLP at creation point |
| 2. Store | Data is committed to a storage repository (database, file system, object store) | Encryption at rest, access controls, storage redundancy, integrity verification |
| 3. Use | Data is actively processed, viewed, or used by applications and users | Access controls, DRM, DLP monitoring, activity logging, secure processing environments |
| 4. Share | Data is exchanged between users, systems, or organizations | Encryption in transit (TLS), secure APIs, DLP egress controls, watermarking, DRM |
| 5. Archive | Data is moved to long-term storage and is no longer actively used | Encryption at rest, retention policies, integrity checks, access restrictions, compliance holds |
| 6. Destroy | Data is permanently removed and rendered unrecoverable | Crypto-shredding, secure overwriting, media sanitization, destruction certificates |
Exam Tip: Crypto-shredding (destroying the encryption keys rather than the data itself) is the preferred method for data destruction in cloud environments because the customer rarely has physical access to the storage media.
Encryption Types and Use Cases
| Type | Algorithms | Key Characteristic | Cloud Use Cases |
|---|---|---|---|
| Symmetric | AES-128, AES-256, 3DES | Same key for encrypt and decrypt; fast; bulk data | Data at rest encryption, volume encryption, database encryption, object storage encryption |
| Asymmetric | RSA, ECC, Diffie-Hellman | Public/private key pair; slower; key exchange | TLS handshake, digital signatures, key exchange, certificate-based authentication |
| Hashing | SHA-256, SHA-384, SHA-512 | One-way function; integrity verification | Data integrity checks, password storage, digital signatures, blockchain |
| Homomorphic | Lattice-based schemes | Computation on encrypted data without decryption | Privacy-preserving analytics, secure multi-party computation, confidential computing |
Key Management in Cloud
| Approach | Description | Control Level |
|---|---|---|
| Provider-Managed Keys | Cloud provider generates, stores, and manages all encryption keys | Lowest customer control; simplest to implement |
| Customer-Managed Keys | Customer generates keys using provider's KMS; customer controls key policies and rotation | Medium control; keys stored in provider's HSMs |
| Customer-Supplied Keys (BYOK) | Customer generates keys externally and imports them into the provider's KMS | High control; customer manages key generation and backup |
| External KMS (HYOK) | Keys never leave customer's on-premises HSM; provider calls external KMS for each operation | Highest control; highest latency; most complex |
Exam Tip: BYOK (Bring Your Own Key) and HYOK (Hold Your Own Key) are frequently tested. BYOK imports keys into the provider's KMS while HYOK keeps keys entirely outside the provider's infrastructure.
Data Protection Techniques
| Technique | Description | Reversible | Use Case |
|---|---|---|---|
| Tokenization | Replace sensitive data with a non-sensitive surrogate token; mapping stored in a token vault | Yes (with vault) | Credit card numbers (PCI DSS), SSNs, account numbers |
| Data Masking | Obscure parts of the data while maintaining format (e.g., ****-****-****-1234) | Depends on type | Display in applications, non-production environments, reports |
| Anonymization | Irreversibly remove all identifying information from data sets | No | Research data sharing, analytics, GDPR compliance |
| Pseudonymization | Replace identifiers with pseudonyms; re-identification possible with additional data | Yes (with key) | GDPR-compliant data processing, clinical trials |
DLP, DRM, and Data Discovery
- Data Loss Prevention (DLP): Monitors, detects, and prevents unauthorized data transfers; operates at network (in transit), endpoint (in use), and storage (at rest) levels; critical for preventing data exfiltration from cloud environments
- Digital Rights Management (DRM): Controls what users can do with data after accessing it (copy, print, forward, edit); enforces persistent protection that travels with the data; critical for intellectual property and classified information
- Data Discovery and Classification: Automated scanning of cloud storage to identify sensitive data types (PII, PHI, PCI); essential for knowing what data you have, where it is, and how it is classified
- Information Rights Management (IRM): Subset of DRM focused on documents and emails; enforces view-only, no-print, no-forward, expiration, and watermarking policies
- CASB Integration: Cloud Access Security Brokers provide DLP, encryption, access control, and threat protection as a service between users and cloud applications
Data Classification Levels
| Government | Commercial | Handling Requirements |
|---|---|---|
| Top Secret | Restricted / Confidential | Strongest encryption, strict access controls, full audit trail, need-to-know basis |
| Secret | Confidential / Private | Encryption required, role-based access, monitoring, limited distribution |
| Confidential | Sensitive / Internal | Encryption recommended, standard access controls, internal use only |
| Unclassified | Public | Minimal controls, publicly available, integrity protection may still be needed |
Exam Tip: The data owner is responsible for classifying data. The data custodian is responsible for implementing the security controls that the classification requires. In cloud, the CSP is often the custodian while the customer remains the owner.
Domain 3: Cloud Platform and Infrastructure Security (17%) & Domain 5: Cloud Security Operations (16%)
These domains cover the physical and logical components of cloud infrastructure, the security of compute, network, and storage resources, disaster recovery and business continuity planning in cloud environments, communication security, and the management plane that controls all cloud resources. You must understand how to design, plan, and manage the physical and logical security of cloud infrastructure and day-to-day operations.
Physical and Logical Infrastructure Security
| Component | Physical Security | Logical Security |
|---|---|---|
| Compute | Physical server access, hardware tamper protection, BIOS/firmware integrity | Hypervisor hardening, VM isolation, secure boot, memory encryption, container sandboxing |
| Network | Physical cable security, switch port protection, facility perimeter controls | Virtual networks (VPC/VNet), firewalls, security groups, NACLs, micro-segmentation, SDN |
| Storage | Media handling, secure disposal, physical access to storage arrays | Encryption at rest, access policies, object versioning, immutable storage, data segregation |
| Data Center | Fencing, mantrap, biometrics, CCTV, guards, environmental controls (HVAC, fire suppression) | Management plane access controls, API gateway security, audit logging, SIEM integration |
Virtualization Security
| Concept | Description | Security Concern |
|---|---|---|
| Type 1 Hypervisor | Bare-metal; runs directly on hardware (VMware ESXi, Microsoft Hyper-V, Xen, KVM) | Smaller attack surface; preferred for cloud; hypervisor escape is primary threat |
| Type 2 Hypervisor | Hosted; runs on top of a host OS (VirtualBox, VMware Workstation) | Larger attack surface; host OS vulnerabilities affect all guests; not used in production cloud |
| VM Sprawl | Uncontrolled proliferation of VMs without proper tracking or decommissioning | Increases attack surface; unpatched VMs; wasted resources; compliance gaps |
| VM Escape | Attacker breaks out of a guest VM and gains access to the hypervisor or other VMs | Most critical virtualization threat; mitigated by patching, hardening, and isolation controls |
| Container Security | Containers share the host OS kernel; lighter than VMs but weaker isolation boundary | Image scanning, runtime protection, least-privilege, read-only filesystems, namespace isolation |
Disaster Recovery and Business Continuity in Cloud
| Strategy | RPO | RTO | Cost | Description |
|---|---|---|---|---|
| Backup & Restore | Hours | Hours-Days | Lowest | Regular backups to cloud storage; restore from backup when disaster occurs |
| Pilot Light | Minutes-Hours | Hours | Low | Minimal core infrastructure always running in DR region; scale up when needed |
| Warm Standby | Minutes | Minutes-Hours | Medium | Scaled-down but fully functional copy running in DR region; scale up on failover |
| Multi-Site Active/Active | Near zero | Near zero | Highest | Full production capacity in multiple regions simultaneously; automatic failover |
Key Terms: RPO (Recovery Point Objective) = maximum acceptable data loss measured in time. RTO (Recovery Time Objective) = maximum acceptable downtime. MTBF = mean time between failures. MTTR = mean time to repair.
Communication Security in Cloud
- TLS 1.2/1.3: Standard for encrypting data in transit between clients and cloud services; TLS 1.3 reduces handshake latency and removes weak cipher suites
- IPSec VPN: Site-to-site and client-to-site encrypted tunnels connecting on-premises networks to cloud VPCs; uses ESP (encryption) and AH (authentication) protocols
- Private Connectivity: Dedicated network connections (AWS Direct Connect, Azure ExpressRoute, GCP Cloud Interconnect) that bypass the public internet for lower latency and higher security
- API Security: Secure all management plane API calls with authentication (API keys, OAuth, SAML), authorization (RBAC), rate limiting, input validation, and TLS encryption
- DNS Security: DNSSEC for integrity verification, DNS-over-HTTPS/TLS for privacy, private DNS zones within cloud VPCs to prevent DNS leakage
Management Plane Security
- Management Plane: The set of APIs, consoles, and tools used to configure, monitor, and manage cloud resources; compromise of the management plane means total loss of control
- Authentication Controls: Enforce multi-factor authentication (MFA) for all management plane access; use federation with enterprise IdP; prohibit shared credentials
- Authorization Controls: Apply least privilege through RBAC; use just-in-time (JIT) access for elevated privileges; separate duties between security, operations, and development roles
- Audit Logging: Log all management plane actions including who did what, when, and from where; protect logs from tampering with immutable storage; forward to centralized SIEM
- Network Restrictions: Restrict management plane access to specific IP ranges or VPN connections; use private endpoints where available to prevent exposure to the public internet
Exam Tip: The management plane is the most critical attack surface in cloud computing. If an attacker gains administrative access to the management plane, they can control all resources, access all data, and disable all security controls.
Cloud Security Operations Concepts
- Change Management: Formal process for requesting, reviewing, approving, and implementing changes to cloud infrastructure; prevents unauthorized modifications and reduces outage risk
- Patch Management: Regular cycle of identifying, testing, and applying security patches; responsibility varies by service model (customer patches OS in IaaS, provider patches in PaaS/SaaS)
- Vulnerability Management: Continuous scanning, assessment, and remediation of vulnerabilities in cloud workloads; includes image scanning for containers and serverless functions
- Incident Management: Detection, analysis, containment, eradication, recovery, and post-incident review; cloud-specific challenges include shared infrastructure and forensic data collection
- Configuration Management: Maintain a known-good baseline configuration for all cloud resources; use infrastructure as code (IaC) and continuous compliance monitoring to detect drift
Domain 4: Cloud Application Security (17%) & Domain 6: Legal, Risk and Compliance (13%)
These domains cover the legal and regulatory landscape of cloud computing, compliance frameworks, audit processes, e-discovery challenges, secure software development lifecycle in cloud environments, API security, DevSecOps practices, and Cloud Access Security Brokers (CASBs). You must understand how to build secure applications for cloud deployment and how to navigate the complex legal and regulatory requirements of operating in the cloud.
Key Regulations and Compliance Frameworks
| Regulation / Standard | Scope | Key Requirements |
|---|---|---|
| GDPR | EU personal data of EU residents | Lawful basis for processing, right to erasure, data portability, 72-hour breach notification, DPO appointment, data protection impact assessments, cross-border transfer restrictions |
| HIPAA | US protected health information (PHI) | Privacy Rule, Security Rule, Breach Notification Rule, Business Associate Agreements (BAAs), administrative/physical/technical safeguards |
| PCI DSS | Payment card data globally | 12 requirements covering network security, encryption, access control, monitoring, vulnerability management, and security policies |
| SOX | US publicly traded companies | Internal controls over financial reporting, audit trails, data integrity, access controls for financial systems |
| ISO/IEC 27001 | Global information security | Information Security Management System (ISMS), risk assessment, Annex A controls, continuous improvement, certification audits |
| ISO/IEC 27017 | Cloud-specific security controls | Extension of 27002 controls with cloud-specific guidance for both providers and customers |
| ISO/IEC 27018 | PII protection in public cloud | Consent, transparency, data minimization, restrictions on sub-processing, breach notification |
Audit and Assurance in Cloud
| Report Type | Description | Use Case |
|---|---|---|
| SOC 1 Type I | Design of controls at a point in time related to financial reporting | Financial audits; limited assurance |
| SOC 1 Type II | Design and operating effectiveness of controls over a period (typically 6-12 months) | Financial audits; stronger assurance |
| SOC 2 Type I | Design of controls at a point in time for trust service criteria (security, availability, processing integrity, confidentiality, privacy) | Cloud provider security assessment; initial evaluation |
| SOC 2 Type II | Design and operating effectiveness over a period for trust service criteria | Cloud provider security assessment; preferred for due diligence |
| SOC 3 | General-use report based on SOC 2 criteria; publicly available summary | Marketing; public trust seal; less detailed than SOC 2 |
| CSA STAR | Cloud Security Alliance Security Trust Assurance and Risk registry; three levels of assurance | Cloud-specific security certification; complements SOC 2 |
Exam Tip: SOC 2 Type II is the most commonly requested report for cloud provider due diligence because it evaluates both the design and operating effectiveness of controls over an extended period. SOC 1 is for financial reporting controls, not security.
E-Discovery and Cloud Forensics
- E-Discovery: Legal process of identifying, collecting, and producing electronically stored information (ESI) in response to litigation or regulatory investigation; cloud complicates this with data spread across multiple jurisdictions and providers
- Legal Hold: Obligation to preserve all potentially relevant data when litigation is reasonably anticipated; cloud providers may need to cooperate with preservation requests
- Chain of Custody: Documented chronological history of evidence handling; in cloud, collecting forensic evidence requires coordination with the CSP and may be limited by multi-tenancy
- Data Sovereignty: Laws requiring data to be stored and processed within specific geographic boundaries; may conflict with cloud provider's global infrastructure
- Right to Audit: Contractual clause allowing the customer to audit the CSP's controls; may be satisfied by third-party audit reports (SOC 2) rather than direct access
Secure SDLC in Cloud
| SDLC Phase | Security Activities |
|---|---|
| Requirements | Security requirements gathering, abuse case definition, risk analysis, compliance requirements identification, data classification |
| Design | Threat modeling (STRIDE, DREAD), security architecture review, secure design patterns, attack surface analysis |
| Implementation | Secure coding standards (OWASP), code review, SAST (static analysis), SCA (dependency scanning), secrets management |
| Testing | DAST (dynamic analysis), penetration testing, fuzzing, IAST, security regression testing, API security testing |
| Deployment | Security configuration review, hardening, IaC security scanning, container image scanning, runtime protection |
| Operations | Monitoring, logging, incident response, patch management, vulnerability scanning, configuration drift detection |
API Security and DevSecOps
- API Authentication: API keys for simple identification, OAuth 2.0 for delegated authorization, OpenID Connect for authentication, mutual TLS (mTLS) for service-to-service communication
- API Security Controls: Rate limiting to prevent abuse, input validation to prevent injection, output encoding, request/response schema validation, API gateway as a security enforcement point
- OWASP API Top 10: Broken object-level authorization, broken authentication, broken object property-level authorization, unrestricted resource consumption, broken function-level authorization, server-side request forgery, security misconfiguration, lack of protection from automated threats
- DevSecOps Pipeline: Integrate security tools into CI/CD: SAST in build, SCA for dependencies, DAST in staging, container scanning before deployment, IaC scanning for misconfigurations, secrets detection in code
- CASB (Cloud Access Security Broker): Security policy enforcement point between cloud users and cloud services; provides visibility, compliance, threat protection, and data security; deployed as forward proxy, reverse proxy, or API-based
Cloud Contract and Legal Considerations
- Service Level Agreement (SLA): Contractual commitment defining performance metrics (uptime, response time), remedies for non-compliance (credits), exclusions, and measurement methods
- Data Processing Agreement (DPA): Required under GDPR between data controller and data processor; defines processing purposes, security measures, sub-processor management, and data subject rights
- Cloud Service Agreement (CSA): Master agreement covering terms of service, acceptable use, data ownership, liability limitations, termination rights, and data return/destruction obligations
- Business Associate Agreement (BAA): Required under HIPAA when a CSP handles PHI; defines permitted uses, safeguards, breach notification, and termination conditions
- Vendor Lock-In Risk: Dependence on a single CSP's proprietary technologies making migration difficult; mitigate with open standards, containers, multi-cloud architectures, and portability requirements in contracts
Exam Tip: The CCSP exam expects you to understand that legal liability cannot be transferred to the cloud provider. The data owner (customer) remains accountable for data protection even when processing is outsourced. Contracts define responsibilities but not accountability.
IaaS vs PaaS vs SaaS Security Responsibilities
| Security Control | IaaS | PaaS | SaaS |
|---|---|---|---|
| OS Patching | Customer | Provider | Provider |
| Network Firewall Rules | Customer | Shared | Provider |
| Application Security | Customer | Customer | Provider |
| Data Encryption at Rest | Customer | Shared | Provider |
| Identity & Access Mgmt | Customer | Customer | Customer |
| Physical Security | Provider | Provider | Provider |
Encryption: Symmetric vs Asymmetric
| Feature | Symmetric | Asymmetric |
|---|---|---|
| Keys | Single shared key | Public/private key pair |
| Speed | Fast (1000x faster) | Slow (computationally expensive) |
| Key Distribution | Challenging (key must be shared securely) | Easy (public key can be shared openly) |
| Common Algorithms | AES-128, AES-256, 3DES | RSA, ECC, Diffie-Hellman |
| Cloud Use Case | Bulk data encryption at rest | Key exchange, digital signatures, TLS handshake |
| Scalability | n(n-1)/2 keys needed for n users | 2n keys needed for n users |
Tokenization vs Encryption vs Masking
| Feature | Tokenization | Encryption | Masking |
|---|---|---|---|
| Reversible | Yes (with token vault) | Yes (with key) | No (static) / Yes (dynamic) |
| Format Preserved | Yes | No (ciphertext different length/format) | Yes |
| Mathematical Basis | No (random mapping) | Yes (cryptographic algorithm) | No (substitution/hiding) |
| PCI DSS Scope | Reduces scope (tokens are not card data) | Does not reduce scope | Reduces scope if irreversible |
| Best For | PCI compliance, structured data (CC#, SSN) | Bulk data, files, databases, backups | Display in UIs, test environments, reports |
SOC 1 vs SOC 2 vs SOC 3
| Feature | SOC 1 | SOC 2 | SOC 3 |
|---|---|---|---|
| Focus | Financial reporting controls | Trust service criteria (security, availability, etc.) | Same as SOC 2 (summary) |
| Audience | User auditors | Specified parties under NDA | General public |
| Detail Level | Detailed | Detailed | Summary only |
| Cloud Relevance | Financial SaaS providers | All CSPs (most requested) | Marketing trust seal |
DR Strategies: Cost vs Recovery Speed
| Feature | Backup/Restore | Pilot Light | Warm Standby | Active/Active |
|---|---|---|---|---|
| Cost | $ | $$ | $$$ | $$$$ |
| RTO | Hours-Days | Hours | Minutes-Hours | Near zero |
| RPO | Hours | Minutes-Hours | Minutes | Near zero |
| Idle Resources | None (only storage) | Minimal core services | Scaled-down full stack | Full production capacity |
| Failover | Manual | Semi-automated | Mostly automated | Automatic |
CASB Deployment Modes
| Mode | How It Works | Pros | Cons |
|---|---|---|---|
| Forward Proxy | Intercepts traffic from user to cloud; requires agent or PAC file on endpoint | Real-time inline control; works for all apps | Requires endpoint configuration; does not cover unmanaged devices |
| Reverse Proxy | Sits in front of the cloud application; no endpoint agent needed | Agentless; covers unmanaged devices | Only works for known cloud apps; URL rewriting needed |
| API-Based | Connects directly to CSP APIs to monitor and control; out-of-band | No latency impact; deep visibility; covers sanctioned apps | Not real-time (near real-time); cannot block inline |
Exam Tip: Many organizations use a combination of all three CASB modes. Forward proxy for managed devices, reverse proxy for unmanaged/BYOD devices, and API-based for deep inspection and compliance scanning of data already in the cloud.