CCSP Certified Cloud Security Professional

Understand cloud computing concepts

• Cloud computing definitions
• Cloud computing roles (e.g., cloud service customer, cloud service provider, cloud service partner, cloud service broker)
• Key cloud computing characteristics (e.g., on-demand self-service, broad network access, multi-tenancy, rapid elasticity and scalability, resource pooling, measured service)
• Building block technologies (e.g., virtualization, storage, networking, databases, orchestration)

• Cloud computing activities
• Cloud service capabilities (i.e., application capability types, platform capability types, infrastructure capability types)
• Cloud service categories (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
• Cloud deployment models (e.g., public, private, hybrid, community)
• Cloud shared considerations (e.g., interoperability, portability, reversibility, availability, security, privacy, resiliency, performance, governance, maintenance and versioning, service levels and Service Level Agreements (SLA), auditability, regulatory)
• Impact of related technologies (e.g., machine learning, artificial intelligence, blockchain, Internet of Things (IoT), containers, quantum computing)

• Cryptography and key management
• Access control
• Data and media sanitization (e.g., overwriting, cryptographic erase)
• Network security (e.g., network security groups)
• Virtualization security (e.g., hypervisor security, container security)
• Common threats

• Cloud secure data lifecycle
• Cloud based Disaster Recovery (DR) and Business Continuity (BC) planning
• Cost benefit analysis
• Functional security requirements (e.g., portability, interoperability, vendor lock-in)
• Security considerations for different cloud categories (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS)

• Verification against criteria (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27017, Payment Card Industry Data Security Standard (PCI DSS))
• System/subsystem product certifications (e.g., Common Criteria (CC), Federal Information Processing Standard (FIPS) 140-2)

Describe cloud data concepts

• Cloud data life cycle phases
• Data dispersion

• Storage types (e.g., long term, ephemeral, raw-disk)
• Threats to storage types

• Structured data
• Unstructured data

• Mapping
• Labeling
• Sensitive data (e.g., Protected Health Information (PHI), Personally Identifiable Information (PII), card holder data)

• Objectives (e.g., data rights, provisioning, access models)
• Appropriate tools (e.g., issuing and revocation of certificates)

• Data retention policies
• Data deletion procedures and mechanisms
• Data archiving procedures and mechanisms
• Legal hold

• Definition of event sources and requirement of identity attribution
• Logging, storage, and analysis of data events
• Chain of custody and non-repudiation

Comprehend cloud infrastructure components

• Logical design (e.g., tenant partitioning, access control)
• Physical design (e.g., location, buy or build)
• Environmental design (e.g., Heating, Ventilation and Air Conditioning (HVAC), multi-vendor pathway connectivity)

• Physical and environmental protection (e.g., on-premise)
• System and communication protection
• Virtualization systems protection
• Identification, authentication, and authorization in cloud infrastructure
• Audit mechanisms (e.g., log collection, packet capture)

• Risks related to the cloud environment
• Business requirements (e.g., Recovery Time Objective (RTO), Recovery Point Objective (RPO), Recovery Service Level (RSL))
• Business Continuity/Disaster Recovery strategy
• Creation, implementation and testing of plan

Advocate training and awareness for application security

• Cloud development basics
• Common pitfalls
• Common cloud vulnerabilities

• Business requirements
• Phases and methodologies

• Functional testing
• Security testing methodologies

Implement and build physical and logical infrastructure for cloud environment

• Hardware specific security configuration requirements (e.g., Basic Input Output System (BIOS) settings for virtualization and Trusted Platform Module (TPM), storage controllers, network controllers)
• Installation and configuration of virtualization management tools
• Virtual hardware specific security configuration requirements (e.g., network, storage, memory, Central Processing Unit (CPU))
• Installation of guest Operating System (OS) virtualization toolsets

• Configure access control for local and remote access (e.g., Secure Keyboard Video Mouse (KVM), Console-based access mechanisms, Remote Desktop Protocol (RDP))
• Secure network configuration (e.g., Virtual Local Area Networks (VLAN), Transport Layer Security (TLS), Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), Virtual Private Network (VPN))
• Operating System (OS) hardening through the application of baselines (e.g., Windows, Linux, VMware)
• Availability of stand-alone hosts
• Availability of clustered hosts (e.g., Distributed Resource Scheduling (DRS), Dynamic Optimization (DO), storage clusters, maintenance mode, high availability)
• Availability of guest Operating System (OS)

• Access controls for remote access (e.g., Remote Desktop Protocol (RDP), Secure Terminal Access, Secure Shell (SSH))
• Operating System (OS) baseline compliance monitoring and remediation
• Patch management
• Performance and capacity monitoring (e.g., network, compute, storage, response time)
• Hardware monitoring (e.g., disk, Central Processing Unit (CPU), fan speed, temperature)
• Configuration of host and guest Operating System (OS) backup and restore functions
• Network security controls (e.g., firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), honeypots, vulnerability assessments, network security groups)
• Management plane (e.g., scheduling, orchestration, maintenance)

• Forensic data collection methodologies
• Evidence management
• Collect, acquire and preserve digital evidence

• Security Operations Center (SOC)
• Monitoring of security controls (e.g., firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), honeypots, vulnerability assessments, network security groups)
• Log capture and analysis (e.g., Security Information and Event Management (SIEM), log management)
• Incident management

Articulate legal requirements and unique risks within the cloud environment

• Conflicting international legislation
• Evaluation of legal risks specific to cloud computing
• Legal frameworks and guidelines
• eDiscovery (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27050, Cloud Security Alliance (CSA) Guidance)
• Forensics requirements

• Difference between contractual and regulated private data (e.g., Protected Health Information (PHI), Personally Identifiable Information (PII))
• Country-specific legislation related to private data (e.g., Protected Health Information (PHI), Personally Identifiable Information (PII))
• Jurisdictional differences in data privacy
• Standard privacy requirements (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27018, Generally Accepted Privacy Principles (GAPP), General Data Protection Regulation (GDPR)

• Internal and external audit controls
• Impact of audit requirements
• Identify assurance challenges of virtualization and cloud
• Types of audit reports (e.g., Statement on Standards for Attestation Engagements (SSAE), Security Operations Center (SOC), International Standard on Assurance Engagements (ISAE))
• Restrictions of audit scope statements (e.g., Statement on Standards for Attestation Engagements (SSAE), International Standard on Assurance Engagements (ISAE))
• Gap analysis
• Audit planning
• Internal Information Security Management System (ISMS)
• Internal information security controls system
• Policies (e.g., organizational, functional, cloud computing)
• Identification and involvement of relevant stakeholders
• Specialized compliance requirements for highly regulated industries (e.g., North American Electric Reliability Corporation/Critical Infrastructure Protection (NERC/CIP), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI))
• Impact of distributed Information Technology (IT) model (e.g., diverse geographical locations and crossing over legal jurisdictions)

• Assess providers risk management programs (e.g., controls, methodologies, policies)
• Difference between data owner/controller vs. data custodian/processor (e.g., risk profile, risk appetite, responsibility)
• Regulatory transparency requirements (e.g., breach notification, Sarbanes-Oxley (SOX), General Data Protection Regulation (GDPR))
• Risk treatment (i.e., avoid, modify, share, retain)
• Different risk frameworks
• Metrics for risk management
• Assessment of risk environment (e.g., service, vendor, infrastructure)

• Business requirements (e.g., Service Level Agreement (SLA), Master Service Agreement (MSA), Statement of Work (SOW))
• Vendor management
• Contract management (e.g., right to audit, metrics, definitions, termination, litigation, assurance, compliance, access to cloud/data, cyber risk insurance)
• Supply-chain management (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27036)