By: Shelby Welty
September 16, 2021
How To Pass CCSP
By: Shelby Welty
September 16, 2021
Becoming a Certified Cloud Security Professional requires proficiency across six key domains that reflect today's security leaders' biggest challenges.
Summary: Certified Cloud Security Professionals are experts in implementing and managing secure cloud-based apps and data systems. Passing the exam requires proficiency across six domains, which reflect the most pertinent issues today's security leaders face. Here is an overview of what candidates need to know to pass the CCSP exam.
Cloud computing offers a proven way for today's organizations to overcome the challenges of scalability and adaptability. Yet, despite the clear benefits of the cloud, this kind of distributed computing architecture presents fresh concerns around information security. Moreover, these issues are constantly evolving as threat actors exploit new vulnerabilities and attack vectors.
(ISC)2, which maintains the industry-leading Certified Cloud Security Professional (CCSP) accreditation, should ensure its ongoing relevance. To pass the CCSP exam, candidates must familiarize themselves with the latest best practices outlined in the most recent version of the framework.
Passing a CCSP exam requires candidates to become deeply familiar with six core domains of cloud security. These domains were refreshed in the latest exam, and course content updates were announced in August 2019. Here is an overview of what each domain covers and its weight in the exam:
Domain 1: Architectural concepts and design (17%)
The first domain sets the stage for the entire framework by introducing the key concepts and best practices around cloud security. This is based on the ISO/IEC 17788 standard.
Candidates will first need to familiarize themselves with the basics of cloud computing and individuals' roles in implementing, maintaining, and securing cloud-based apps and services.
This domain also introduces the various types of cloud architectures and the unique security challenges they introduce. To that end, it covers all the cloud infrastructure types, deployment models, and service-delivery models.
Domain 2: Cloud data security (19%)
Cloud data security holds the greatest weight in the exam, although not by much. This domain focuses on data security rather than deployment and service models.
Candidates will need to garner an extensive knowledge of the entire cloud data lifecycle, including data in transit, in use, and at rest. In other words, it addresses the security of data at each stage of its lifecycle from the moment it is created to the moment it is finally destroyed.
The second domain also delves into cloud storage architectures before exploring the design and implementation of data security strategies and processes like encryption and obfuscation. Finally, the domain tackles policies around cloud data protection and auditability.
Domain 3: Cloud platform and infrastructure security (17%)
The third domain focuses on the security of cloud infrastructure. This covers the fundamentals of cloud architecture, such as designing a secure data center, planning security controls, and disaster recovery planning. The domain covers both physical and virtual cloud infrastructure, both of which present unique security challenges.
Strategy and planning take a central focus in this domain, which covers disaster recovery and business continuity planning and considers both physical and virtual infrastructures. Candidates will also learn to effectively evaluate and quantify risk, conduct security tests, and design and plan appropriate security and remediation controls.
Domain 4: Cloud application security (17%)
Having addressed security challenges around cloud infrastructure and data, the next domain focuses on the application layer. It addresses the best practices to consider when deploying apps in a cloud environment and how the software development lifecycle (SDLC) relates to each project.
Security training and awareness also play a central role in this domain, given that cloud apps serve end-users, who are themselves common targets for threat actors. However, the domain addresses the entire cloud app development stack, including the development of identity and access management solutions, cloud app architecture, and the correct usage of APIs.
Domain 5: Cloud security operations (17%)
Many cloud security threats are operational in nature, meaning that they relate to issues that arise from using cloud computing services rather than the underlying infrastructure. The questions in this part of the exam relate to areas like planning processes around data center design and cloud infrastructure management.
Although the CCSP credential is geared more towards the technical side of cloud security than the leadership side, this domain covers the various management and regulatory frameworks, such as ITIL and ISO/IEC 20000-1. It also addresses security operations, such as digital forensics, auditability, and managing communications with stakeholders.
Domain 6: Legal, risk, and compliance (13%)
This domain concerns the candidate's knowledge of legal and regulatory compliance-related issues around cloud computing. The latest CCSP domain refresh also focuses on risk management, particularly outsourcing and vendor management. These changes reflect some of the most pervasive concerns in today's enterprise environments, like supply chain risk and contract management. It also ensures that candidates are up to speed with current regulatory frameworks, such as GDPR and CCPA.
Preparing for the exam
Aside from the prerequisite to have at least five years of experience working in IT, including three in information security, preparing for the exam can take several months.
Although study materials are an essential part of the learning process, candidates should not rely entirely on the official study materials. Every bit as important is a hands-on training that puts candidates in simulated real-world use cases of the sort they are likely to encounter as accredited CCSPs.
Finally, candidates should always take several mock exams before the real thing, since doing so will help familiarize them with the exam structure and greatly boost the chances of passing.
Cybrary for Teams is an all-one-one workforce development platform that helps organizations develop stronger cybersecurity skills, prepare for new certifications, and track team progress. Enroll your team in our CCSP course today!