The Official (ISC)2® CCSP® CBK® Reference, Third Edition by Leslie Fife, Aaron Kraus, Bryan Lewis

CCSP®: Certified Cloud Security Professional



First and foremost, we offer our deepest appreciation to our spouses, children, and families. Their support and understanding during the long hours of writing and review gave us the time necessary to create this book. This book would not have been possible without our wonderful families.

We would also like to express our appreciation to (ISC)2 for providing the CCSP certification and these certification preparation materials. We are excited to be part of this transformative growth and development of secure cloud computing in the world today.

We would also like to thank John Wiley & Sons, and associate publisher Jim Minatel for entrusting us with the role of creating this study guide. We wish to thank Aaron Kraus for his review and input on the work of other sections, and our technical editor Raven Sims, whose attention to detail made this book so much better. Thanks also go to project editor Kelly Talbot, content refinement specialist Saravanan Dakshinamurthy, copy editor Kim Wimpsett, and the entire team at Wiley for their guidance and assistance in making this book. We'd also like to thank all of our colleagues and experts who consulted with us while writing this book. You are too many to name here, but we are grateful for your suggestions and contributions.

More than anyone else, we would like to thank our readers. We are grateful for the trust you have placed in us to help you study for the exam.

—The Authors

About the Authors

Leslie D. Fife, CISSP-ISSMP, CCSP, C|CISO, CISA, CISM, CRISC, GDAT, GCED, CBCP, CIPM (and more than 20 other certifications), has more than 40 years of experience in information technology, cybersecurity, and risk management. He is currently an information security risk manager for the Church of Jesus Christ of Latter-day Saints, an assistant professor of practice at Southern Illinois University Carbondale, and an adjunct at the University of Utah. He is also a commissioner for the Computing Accreditation Commission of ABET. His career includes the U.S. Navy submarine service, software development in the defense industry and the oil and gas field service industry, incident response and business continuity in the financial services sector, as well as 22 years as a professor of computer science. He has a PhD in computer science from the University of Oklahoma.

Aaron Kraus, CCSP, CISSP, is an information security professional with more than 15 years of experience in security risk management, auditing, and teaching information security topics. He has worked in security and compliance roles across industries including U.S. federal government civilian agencies, financial services, and technology startups, and he is currently the security engagement manager at Coalition, Inc., a cyber risk insurtech company. His experience includes creating alignment between security teams and the organizations they support, by evaluating the unique threat landscape facing each organization and the unique objectives each organization is pursuing to deliver a balanced, risk-based security control program. As a consultant to a financial services firm he designed, executed, and matured the third-party vendor audit programs to provide oversight of key compliance initiatives, and he led the global audit teams to perform reviews covering physical security, logical security, and regulatory compliance. Aaron is a course author, instructor, and cybersecurity curriculum dean with more than 13 years of experience at Learning Tree International, and he most recently taught the Official (ISC)2 CISSP CBK Review Seminar. He has served as a technical editor for numerous Wiley publications including (ISC)2 CCSP Certified Cloud Security Professional Official Study Guide, 2nd Edition; CCSP Official (ISC)2 Practice Tests, 1st Edition; The Official (ISC)2 Guide to the CISSP CBK Reference, 5th Edition; and (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests, 2nd Edition.

Bryan Lewis, EdD, currently serves as an assistant dean and IT area lecturer for the McIntire School of Commerce at the University of Virginia. Certified as both a CISSP and CCSP, he has extensive experience with cybersecurity operations, research, and instruction in both the public and private sectors. Prior to joining the McIntire School, Dr. Lewis served as a company officer and principal for an audio visual and telecommunications design, engineering, and manufacturing company. His past experience includes large-scale network infrastructure and secure system design, deployments, and migrations, including secure distance-based learning and collaborative space design. He currently serves as a lecturer on network, data, and cloud security with a focus on defensive technologies, secure communications, and the business impacts of information security in the graduate and undergraduate curricula. His primary consulting interests focus on distance learning design, large-scale visualization, information security in the public sector, and collaborative space design projects.

About the Technical Editor

Raven Sims, CISSP, CCSP, SSCP, is a space systems senior principal cyber architect in the Strategic Deterrent division of a notable defense contractor. In this role, Sims has responsibility for the division's cyber architecture within the weapon system command-and-control business portfolio, including full-spectrum cyber, cloud computing, as well as mission-enabling cyber solutions supporting domestic and international customers. Most recently, Sims was a cyber architect of the Department of Justice (DoJ) Cybersecurity Services (CSS) team in providing cloud security guidance to all 14+ DoJ components. She was responsible for designing, deploying, and maintaining enterprise-class security, network, and systems management applications within an Amazon Web Services (AWS) and Azure environment. Within this role, she led incident response guidance for the DoJ as it pertained to securing the cloud and how to proactively respond to events within their cloud infrastructure. Sims has held business development, functional, and program positions of increasing responsibility in multiple sectors of the company. Her program experience includes government and international partnerships. Sims earned a bachelor's degree in computer science from Old Dominion University in Norfolk, Virginia, and a master's degree in technology management from Georgetown University in Washington, D.C. She is now pursuing a doctoral degree from Dakota State University in cyber operations. She serves on the board of directors of FeedTheStreetsRVA (FTSRVA); is a member of Society of Women Engineers (SWE) and Zeta Phi Beta Sorority, Inc.; and is the owner of Sims Designs. Sims is nationally recognized for her advancements in cyber and mission solutions as an awardee of the 2019 Black Engineer of the Year (BEYA): Modern Day Technology Award, and UK Cybercenturion awards.

Foreword to the Third Edition


Earning the globally recognized CCSP® cloud security certification is a proven way to build your career and better secure critical assets in the cloud. Whether you are picking up this book to supplement your preparation to sit for the exam or you are an existing CCSP using this as a desk reference, you'll find the Official (ISC)2 Guide to the CCSP CBK to be the perfect primer on the cloud security topics covered in the CCSP CBK.

Cloud computing security is one of the most in-demand skillsets in IT today. The designation of CCSP instantly communicates to everyone within our industry that you have the advanced technical skills and knowledge to design, manage, and secure data, applications, and infrastructure in the cloud using best practices, policies, and procedures established by the cybersecurity experts at (ISC)2.

The recognized leader in the field of information security education and certification, (ISC)2 promotes the development of information security professionals throughout the world. As a CCSP with all the benefits of (ISC)2 membership, you are part of a global network of more than 157,000 certified professionals who are working to inspire a safe and secure cyber world.

Drawing from a comprehensive, up-to-date global body of knowledge, the CCSP CBK provides you with valuable insights on how to implement cloud security across different digital platforms that your organization may be using.

If you are an experienced CCSP, you will find this edition of the CCSP CBK to be an indispensable reference on best practices. If you are still gaining the experience and knowledge you need to join the ranks of CCSPs, the CCSP CBK is a deep dive that can be used to supplement your studies.

As the largest nonprofit membership body of certified information security professionals worldwide, (ISC)2 recognizes the need to identify and validate not only information security competency, but also the ability to connect knowledge of several cloud security domains when managing or migrating data to and from the cloud. The CCSP represents advanced knowledge and competency in cloud security architecture, design, operations, and service orchestration.

The opportunity has never been greater for dedicated professionals to carve out a meaningful career and make a difference in their organizations. The CCSP CBK will be your constant companion in protecting and securing the critical data assets of your organization that will serve you for years to come.



Clar Rosso



The Certified Cloud Security Professional (CCSP) denotes a professional with demonstrated ability across important aspects of architecture, data security, and risk management in cloud computing. The exam covers knowledge and skills across six domains of practice related to cloud security, codified in the (ISC)2 CCSP Common Body of Knowledge (CBK):

  • Domain 1: Cloud Concepts, Architecture, and Design
  • Domain 2: Cloud Data Security
  • Domain 3: Cloud Platform and Infrastructure Security
  • Domain 4: Cloud Application Security
  • Domain 5: Cloud Security Operations
  • Domain 6: Legal, Risk, and Compliance

Passing the exam is one condition of certification, and to qualify for the certification, a professional must have five years of experience in information technology, of which three years must be in a security-specific capacity and at least one year dedicated to one or more of the six CCSP domains.

Professionals take many paths into information security, and there are variations in acceptable practices across different industries and regions. The CCSP CBK represents a baseline standard of security knowledge relevant to cloud security and management, though the rapid pace of change in cloud computing means a professional must continuously maintain their knowledge to stay current. As you read this guide, consider the scenarios or circumstances presented to highlight the CBK topics, and also connect them to common practices and norms in your organization, region, and culture. Once you achieve CCSP certification, you will be asked to maintain your knowledge with continuing education, so keep topics of interest in mind for further study once you have passed the exam.

Domain 1: Cloud Concepts, Architecture, and Design

Understanding cloud computing begins with the building blocks of cloud services, and the Cloud Concepts, Architecture, and Design domain introduces these foundational concepts. This includes two vital participants: cloud service providers and cloud consumers, as well as reference architectures used to deliver cloud services like infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). These relatively new methods of accessing IT resources offer interesting business benefits like shifting spending from capital expenditure (CapEx) to operating expenditure (OpEx). This changes the way organizations budget and pay for the IT resources needed to run their business, so it is not uncommon to see financial leaders driving adoption of cloud services. New IT service models bring with them new forms of information security risks, however, which must be assessed and weighed so the organization achieves an optimal balance of cost (in the form of risk) with benefits (in the form of reduced IT spending). This will drive decisions on which cloud deployment model to adopt, like public or private cloud, as well as key internal governance initiatives when migrating to and managing cloud computing.

Domain 2: Cloud Data Security

Information security is fundamentally concerned with preserving the confidentiality, integrity, and availability of data. Although cloud computing upends many legacy IT models and practices, security risks to information systems remain. The Cloud Data Security domain does introduce new concepts like the cloud data lifecycle, as well as cloud-specific considerations like data dispersion and loss of physical control over storage media that requires unique approaches to data disposal. Cloud security practitioners must understand how to implement controls for audit and accountability of data stored or processed in the cloud, as well as crucial oversight tasks like data discovery to create an inventory. This domain introduces proactive safeguards intended to manage sensitive data stored in the cloud, like masking, tokenization, data loss prevention (DLP), and classification of data. Cloud-specific considerations and adaptations of traditional controls are a primary concern, since cloud services remove traditional capabilities like physical destruction of disk drives, while adding new capabilities like instantaneous global data replication.

Domain 3: Cloud Platform and Infrastructure Security

There are two perspectives treated in the Cloud Platform and Infrastructure Security domain. Cloud providers require skilled security practitioners to design, deploy, and maintain both physically and logically secure environments. This includes buildings, facilities, and utilities needed to provide the cloud service offering, as well as configuration and management of software systems like hypervisors, storage area networks (SANs), and software-defined networking (SDN) infrastructure. A key concern is the security of data stored by the cloud consumers, particularly properly isolating tenant data to avoid leakage between cloud tenants. From the perspective of the cloud consumer, traditional security controls will require adaptation for cloud environments, such as the use of virtualized hardware security modules (HSM) to generate and manage cryptographic keys, and additional layers of encryption required to reduce the risk associated with giving up physical control of storage media. Audit mechanisms like log collection are traditionally present in cloud environments, but abilities like packet capture and analysis may not be available due to multitenant data concerns. Disaster recovery and business continuity are also presented in this domain; while the inherent high availability nature of many cloud services is beneficial for organizations, proper configuration to take advantage of these features is required.

Domain 4: Cloud Application Security

Security practitioners working in cloud computing environments face the challenge of more rapid deployment, coupled with the relative ease with which more users can develop sophisticated cloud applications. Again, these are advantages to the business at the possible expense of security, so the Cloud Application Security domain presents key requirements for recognizing the benefits offered by cloud applications without introducing unacceptable risks. These begin with a focus on the importance of fostering awareness throughout the organization of common cloud security basics, as well as specific training for cloud app developers on vulnerabilities, pitfalls, and strategies to avoid them. Modifications to the software development lifecycle (SDLC) are presented to help accommodate changes introduced by cloud-specific risks, such as architectures designed to avoid vendor lock-in and threat modeling specific to the broadly accessible nature of cloud platforms. Since many cloud computing services are delivered by third parties, this domain introduces assurance, validation, and testing methods tailored to address the lack of direct control over acquired IT services and applications. It also introduces common application security controls and specifics of their implementation for cloud environments, like web application firewalls (WAF), sandboxing, and Extensible Markup Language (XML) gateways. Many cloud services rely heavily on functionality offered via application programming interfaces (APIs), so it is crucial that security practitioners understand how data is exchanged, processed, and protected by APIs.

Domain 5: Cloud Security Operations

The Cloud Security Operations domain is a companion to many of the concepts introduced in the Cloud Platform and Infrastructure Security domain. It deals with issues of implementing, building, operating, and managing the physical and logical infrastructure needed for a cloud environment. There is a heavy focus on the cloud service provider's perspective, so concepts in this domain may be unfamiliar to some security practitioners who have only worked to secure cloud services as a consumer. The concepts are largely similar to legacy or on-premises security, such as the secure configuration of BIOS and use of Trusted Platform Module (TPM) for hardware security, deployment of virtualization management tools, and configuring remote maintenance capabilities to allow remote administrative tasks. Considerations unique to cloud environments include the additional rigor required in the configuration of isolation features, which prevent data access across tenants, as well as the much larger demands of managing capacity, availability, and monitoring of vast, multicountry data centers. Traditional security operations (SecOps) are also of critical concern for security practitioners in a cloud environment, such as the management of vulnerability and patch management programs, network access and security controls, as well as configuration and change management programs. Additional SecOps activities covered in this domain include supporting incident response and digital forensics when security incidents occur, as well as traditional security operations center (SOC) oversight and monitoring functions for network security, log capture and analysis, and service incident management. These tasks are also covered from the cloud consumer’s perspective, as many cloud services and security tools provide log data that must be analyzed to support policy enforcement and incident detection.

Domain 6: Legal, Risk, and Compliance

Legal and regulatory requirements are a significant driver of the work many information security professionals perform, and cloud computing makes this increasingly complex due to its inherently global nature. The Legal, Risk, and Compliance domain details the conflicting international laws and regulations that organizations will encounter when using cloud services. These present financial risks, additional compliance obligations and risk, as well as technical challenges like verifying that cloud applications and services are configured in accordance with compliance requirements. One particularly important area of focus is privacy legislation; with many countries and localities introducing strict requirements to safeguard privacy data, organizations using the cloud must weigh any financial benefits of a cloud migration against potential fines if they violate these laws. New challenges are also emerging around jurisdiction over multinational cloud services: how do you determine jurisdiction for a U.S.-based company operating a cloud data center in Singapore processing data belonging to a Swiss citizen? Three different laws potentially overlap in this scenario. Processes for audits, assurance, and reporting are also covered, as security practitioners must understand and be able to implement both internal oversight mechanisms like gap analysis and audit planning, while also selecting and supporting external auditors for standards like Service Organization Control (SOC) audit reports. Some organizations may even find themselves in such heavily regulated industries, like healthcare or national defense, that the potential risks of cloud computing outweigh any cost savings. These types of decisions must be driven by solid risk management principles, which require adequate assessment and mitigation techniques. Since cloud service providers are third parties not directly under the control of the organization, vendor risk management practices like contract design and service level agreements (SLAs) must be utilized to execute the chosen risk management strategy.


If you believe you've found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts, an error may occur.

To submit your possible errata, please email it to our Customer Service Team at with the subject line “Possible Book Errata Submission.”