Going for CCSP: Certified Cloud Security Professional

(ISC)² is a nonprofit association for information security professionals. It is international and based on membership; (ISC)2 states that there are roughly 200,000 members at the time of this writing. (ISC)2 stands for International Information System Security Certification Consortium: i*i*s*s*c*c = (ISC)2, pretty clever. (ISC)2 maintains a CBK, or common body of knowledge, that all of its certifications are based on. (ISC)2 certs are accredited and most are qualifiers for security clearance jobs under DoD 8570. (ISC)2 has a code of ethics that I personally like:

  1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  2. Act honorably, honestly, justly, responsibly, and legally.
  3. Provide diligent and competent service to principals.
  4. Advance and protect the profession.

The CSA, Cloud Security Alliance, also worked with ISC2 to create the CCSP exam. CSA is an internationally recognized organization as well. CSA specializes in cloud security matters, including helping to certify and validate compliance by companies that offer cloud services.

So, I’m enrolled at a university where some of the courses require one to pass a certification to pass. One of my courses required studying for the cert and passing an exam, which was honestly just as difficult. However, although getting the certification was not part of my degree program, I was offered a chance to get the exam scheduled. The only stipulation is sharing my results with my college. CCSP is not a cheap exam, so I took the offer up with no reticence. Enough about me, let’s get into the CCSP. I’m excited about this one.

CCSP Requirements

For more information, you can find detailed info and the domains on the (ISC)2 CCSP page. Note: if you possess a firm grasp of the domains listed below, your probability of success is good. This is an extremely long, 4-hour examination. (ISC)2 professional level certifications require 3 years of experience in one of the domains, and that experience is verified; I am waiting on my verification now. When the years of experience requirement isn’t met, Associate of ISC2 status can be obtained for a year until the years of experience requirement is met.

1. Cloud Concepts, Architecture, and Design (17%)
2. Cloud Data Security (20%)
3. Cloud Platform & Infrastructure Security (17%)
4. Cloud Application Security (17%)
5. Cloud Security Operations (16%)
6. Legal, Risk, and Compliance (13%)

There is a crazy amount of intersection between this exam, ITIL Foundation, and Cloud+, specifically Cloud+ objectives 1, 2, and 4. That makes sense, since Cloud+ covers tons of the basics. Deployment and troubleshooting of cloud services are less relevant here, though. This exam is specific to cloud security, and the CCSP goes deep on it.

The layout of the domains is pretty straightforward. Here’s a high-level breakdown of my thoughts on each domain.

Cloud Concepts, Architecture, and Design

Honestly, the topics here are basically most of the Cloud+ exam. If you have attempted Cloud+ and struggled, I suggest refreshing that. If you haven’t done Cloud+, I recommend that or at least 2 vendor-specific certs (Azure, AWS, and GCP). This test dives deep into the standards and practices. I like how this exam touches on a ton of emerging technologies in this domain. This domain goes much deeper on understanding common cloud architecture and design patterns.

Cloud Data Security

This domain is all about the data. Data must be protected, and this domain covers it all: data at rest, data in transit, and data in use. The data lifecycle, from Creation, Storage, Use, Sharing, Archiving, and Destruction, is important. DRM (data rights management) and IRM (Information Rights Management) are huge here: knowing the differences and how to secure data with them. Knowing the differences between where to use hashing, masking, obfuscation, DLP, PKI (Public Key Encryption), and symmetric/secret-based encryption keys is probably paramount to success on topics in this domain. Understanding types of data (structured, unstructured, etc.) and ways to classify and discover data is huge. A final takeaway from this domain is understanding that numerous laws may govern data in the cloud. A legal hold or subpoena may mean halting data destruction processes. Customers in Europe may require specific conditions due to the GDPR. In America, there are numerous laws and regulations depending on the situation, including GLBA, HIPAA, COPPA, SOX, and more.

Cloud Platform & Infrastructure Security

Cloud+ was more focused on cloud from the perspective of the customer/user. This exam focuses on cloud security from all perspectives. So this exam touched on physical security way more, and I loved it. Data center design topics were some of my favorites and had numerous things I previously did not know about. For example: the tiers of data centers and the level of availability and redundancy at each tier, physical design in relation to security from natural disasters and human threats, and environmental design from hot/cold aisles and HVAC to classes of fire extinguishers. These are all testable topics and great information to learn as well. I could go on about this domain, but for brevity’s sake let’s move on.

Cloud Application Security

Knowing the OWASP Top 10 is key here; understanding vulnerability testing and penetration testing will serve anyone taking this test very well. The software development lifecycle is extremely important to know, not just on this test: agile, waterfall, and DevOps are recurring themes on numerous certification exams and in real-life experience. Threat modeling, secure coding, and application testing methodologies are all topics that one should know. APIs, supply chain, and licensing are topics to learn also. Application security hardware and services are covered: WAFs, XML firewalls, API gateways, etc. Finally, IAM (Identity and Access Management) is woven in here too. SSO, SAML, identity providers, federations, MFA (types of factors), Cloud Access Security Brokers (CASB), and using certificates for authentication are all parts of this domain. I honestly feel authentication could be its own domain; it fits into most of the domains.

Cloud Security Operations

This one is probably the toughest for me to write a synopsis for. The range is wide here. It starts at hardware and lower-level applications: TPM, HSM, hypervisors, and firmware. Domain 5.2 is super wide, from patching and numerous monitoring concepts (IDS, IPS) to ACLs and the Virtual Private Cloud (VPC) concept. Securing services is huge here: DNS, DHCP, NTP, SNMP, etc. It ranges from forensics, incident management, and security assessments to security monitoring (think SIEMs and SOC here). Best practices for each of the above are mentioned. There are mentions of ITIL embedded in the domains and in all the training material I consumed. ITIL is a set of ITSM (IT service management) processes and considerations, and I highly recommend looking at ITIL Foundation materials in conjunction with this exam.

Legal, Risk, and Compliance

I mentioned some legal and compliance considerations in my synopsis of the cloud data security domain. The legalities in the cloud are huge and vast. Regulations can vary based on where the end user is, where the cloud business collecting data operates, or where the data is stored. There are also SLAs; SLAs are typically agreements between a company and its customer (individual or organization). Understanding eDiscovery is mentioned in this domain: how do you make sure data and the chain of custody are preserved so they are admissible for subpoenas and court proceedings? The differences in roles for people responsible for data is an important concept: data owner, data steward, data custodian, etc. Outsourcing to vendors and related contracts are a part of this domain. Auditing is a big section as well.

PREPARATION

To prepare for these exams I mainly used an ebook copy of the official guide (which I did finish reading in its entirety, roughly 500 pages), plus LinkedIn, Pluralsight, and Udemy resources I have access to through my school. WGU also provides vouchers for certification exams in your degree program; they provide up to 2. After that, exams become an out-of-pocket experience. Out of pocket, this is a $600 test, yikes! However, this wasn’t in my degree program. I was given the option to take this exam with a shot attempt. Because, readers, I doubt anyone else will volunteer me a shot at this anytime soon, and $600 is a lot of money to me.

LinkedIn, Pluralsight, and Udemy all offered video training. Over the last few years I have used Azure, GCP, and AWS on different levels. This blog is run on equipment powered by cloud services. I have secured network access to cloud services in my career and administered identity and access controls for SaaS (software as a service) products.

I studied for this exam for maybe 10 days. This exam is deep, and for an exam specifically on cloud security, it is maybe the 2nd widest in terms of technical content, outside the Cisco Enterprise Core exam. I was already familiar with 90-95% of it, at least at a surface level. There were still several dozen topics that I had to learn, relearn, or dive a little deeper into understanding. Between Udemy, Pluralsight, and LinkedIn’s material, I’d say all of those plus reading the book should get a person with at least 5 years of cloud and security experience ready to pass this monster.

EXAM EXPERIENCE

The process for taking ISC² tests involves going through PearsonVue. PearsonVUE is a company that proctors computer-based examinations. ISC² only allows in-person testing. Scheduling exams through PearsonVue has historically (I’ve done it over a dozen times now) been extremely intuitive, and I’ve never had issues. Before the pandemic there were almost always on-site times; now they are sparse to the point of extinction in my area. Therefore, I had no choice but to schedule this test 2-3+ weeks in advance. The check-in process is a beast, including a palm vein scan, the first time I’ve done that for an exam. They required two forms of ID, neither expired; one must be a photo ID (license, state-issued ID, passport, etc.), and both must have your signature. Your signature is also required, mostly as part of acknowledging the Terms and Conditions and the NDA. Also note: I will NEVER tell you questions on the exam. I may divulge topics, objectives, and domains, so please take no offense to me possibly ignoring requests for particulars around exam questions.

The test experience was pretty smooth. The test is LONG. It’s labeled as a 4-hour, 150-question exam. I was able to knock it out in 2.5 hrs. I took the Cloud+ exam online about 8 hours prior, so I was already drained and tired. I was able to power through about 60% in an hour, then fatigue set in. I’m sure I got some questions wrong on the back half. However, my preparation for this exam was deep. I was well prepared, and I ended up with a pass.

TAKEAWAYS AND POINTS

This is the 2nd hardest cert I’ve obtained, next to the Cisco CCNP Enterprise. I liked it. This is truly a professional level exam. To prepare I had to really dedicate myself to the content. A lot of the advanced cloud and network content was new to me, but I feel I’m better off for learning it.

I have started the endorsement process for this and have been approved for associate status so far. Being part of ISC2 comes with some perks, so I’m excited for some of those benefits. Not so much the annual maintenance fees and the mandatory continuing professional education (CPE) credits required to keep the credentials active. However, those requirements don’t vary much once you get more certifications (the $50 fee for associates and $75 for full members never changes). Therefore, I plan to take the CISSP (Certified Information Systems Security Professional) at some point in the future. Being a member comes with great discounts on books and training material, so that’s a huge win.

This cert requires a few years of experience. You can get a year waived if you have CSA’s CCSK cert. If you pass, you can get associate status for a year. So honestly, I don’t think this cert is for anyone new in their career, but it is a great goal to work towards. If you currently have some years of experience in a cloud role or are responsible for any tasks in the domains above, this is probably going to be good for you. Sidenote: don’t discount your experience. If you think you’ve done administration or security in the cloud, I’d be more than happy to look over your resume, because it’s possible you fit the requirements.

Cloud is accelerating as a paramount tech domain, and security will always be quintessential. I feel this exam is the blueprint for validating cloud security professionals. I look forward to seeing the evolution in the field and to seeing more individuals obtain designations like this.

I hope this was informative. Feel free to reach out to me on social media if you have questions. Thank you for reading.