Alongside the CISSP, the Certified Cloud Security Professional (CCSP) is one of the current and most important (ISC)² certifications. It is aimed mainly at decision-makers and managers responsible for cloud infrastructures.
The job positions range from cloud engineer to cloud architect to manager. Like all (ISC)² certifications, the CCSP is vendor-neutral and therefore independent of the major cloud providers such as AWS, GCP or Azure. To underline this, the content and the exam were created in collaboration with the Cloud Security Alliance (CSA). The goal is to provide overarching knowledge for securing and optimizing cloud computing environments without focusing on specific technologies or management plans. The focus is global (e.g. USA and EU) and also includes legal, governance and compliance aspects. In summary, the CCSP should demonstrate knowledge and expertise in the following area:
- Best practices for secure cloud architecture
It covers the following domains (the Common Body of Knowledge):
- Domain 1. Cloud Concepts, Architecture and Design,
- Domain 2. Cloud Data Security,
- Domain 3. Cloud Platform & Infrastructure Security,
- Domain 4. Cloud Application Security,
- Domain 5. Cloud Security Operations,
- Domain 6. Legal, Risk and Compliance
As usual with (ISC)², there are still a few requirements to be met before you may use the title after passing the exam (and yes, this is audited and must be proven):
- at least five years of cumulative, paid professional experience in information technology,
- including three years in information security,
- and one year in one or more of the six domains.
If you don’t have that, you don’t become an official (ISC)² member; you only get Associate status and have 5 years to acquire the professional experience. Once you have it, you can use the title CCSP as well. Also remember: membership costs money, and you have to pay annual membership fees (less for an Associate than for a Member).
So now for the golden nuggets: How do I pass the exam?
The exam consists of 150 multiple-choice questions, and 70% is required to pass. The questions are always different, and no: the questions are nowhere to be found on the Internet. (ISC)² exams never ask for bare definitions of technical terms; they always describe a situation to which you have to apply your acquired knowledge:
Company A, headquartered in Chicago, runs an online store with credit cards as payment and is thinking about migrating to the cloud. Its customers extend beyond the U.S. to Europe. Which of the following regulations has the greatest influence on the company’s decision? (A made-up question; the real ones are not phrased quite like this ;)
So it is not enough to learn terms by heart 😉 All case studies are different and also contain answer options that have to be weighed against each other (e.g. least important or most important, etc.). I also recommend taking the exam in English and studying in English as well; I have heard that the questions in other languages cause difficulties because individual points were not presented explicitly in the translation.
Since some domains overlap with the CISSP, the question naturally arises whether it is easier to pass with it. The answer is yes and no: you will of course know many of the points, but that is far from enough to pass the CCSP. Therefore, here is my recommendation:
Get the official books by Ben Malisow:
- CCSP Official Study Guide, 2nd edition (Wiley)
- CCSP Official Practice Tests, 2nd edition (Wiley)
- With the purchase, Wiley gives you access to the test bank, which includes 500 questions and runs in an app on both notebook and tablet. There are also a few flashcards that I personally found worthless, or I didn’t understand what they were supposed to do.
Here’s what I recommend:
- First read through the Study Guide and do the review questions at the end of each chapter.
- Then go through the Practice Tests: all domains and the two practice exams.
- I marked all wrongly answered questions in the Practice Tests next to the answers in the back and went through them again, I think all of them twice.
- Finally, the test bank again and again (I think I went through it 5 times).
- For career changers and people with little previous experience, I recommend the training offered by (ISC)² or courses at providers like Firebrand instead.
As a hint:
The CCSP is much more technical than the CISSP, and the technical questions can go into detail. Importantly: the details are not in the books! This probably has to do with the fact that professional experience is expected, and here I would also like to emphasize: if you don’t have any experience with the cloud or basic IT infrastructure knowledge, you should not take the exam (or attend the courses); otherwise you will only pass by memorizing a lot.
Finally, here’s my technical hit list, which you should take a look at separately:
- Virtualization and Hypervisor — understanding principles and variants
- OWASP Top 10 — essential component for development that runs in the cloud
- CSA — With the STAR program, the industry-accepted standard for cloud audits
- Federation Concept, Architecture and Identity (especially important) — essential component for hybrid infrastructures
- SAML and OAuth — mandatory for federation and identity providers
- API and API Security — Interfaces govern almost everything for data exchange between services in today’s world
- REST/SOAP — API standard
- Encryption — Isolation and encryption are important for cloud deployment
- IAM — There should be a basic understanding of this in general
- SDLC — Software development works differently in the cloud than in the on-premises data center
- Data center design — Surprisingly, the other side is also covered here: the point of view of a cloud provider and how its data center has to be built
I hope this gives a good overview, and if you have any questions, I’m happy to answer them on LinkedIn.
Much success, and keep on rocking!