Study Guides for (ISC)2 Certified Cloud Security Professional
I work with server and network security.
I already held (ISC)2 CISSP and CompTIA Security+
I had even written a course on cloud security.
I needed to get the (ISC)2 Certified Cloud Security Professional or CCSP certification. (ISC)2 bought the CCSP certification program from the Cloud Security Alliance. It was pretty new. And, as explained below, it's not about actually securing cloud systems.
(ISC)2 issues counts of certificate holders every 6 months. In June 2018, the last count before I did the exam, just 3,549 people world-wide had the CCSP certification. Meanwhile there were 82,577 people with CISSP just in the U.S.A. (Within 6 months those numbers had grown to 4,518 and 84,557, respectively) The top 10 countries for CCSP were:
Countries with just one CCSP holder each included Bahrain, Curaçao, Georgia, Ghana, Guernsey, Isle of Man, Jamaica, Jordan, Korea, Montenegro, Oman, Philippines, Qatar, Romania, Russia, Senegal, Slovakia, Trinidad and Tobago, Tunisia, and U.S. Virgin Islands.
The exam is very much aimed at a U.S. audience, especially employees of the U.S. Government and its contractors.
How to Understand and Pass the Exam
CCSP is not an introductory certification. ISC2 does not require you to already hold CISSP. However, they assume you know the technology and its associated terminology at the level covered in CISSP. So, CISSP minus the purely management and planning content.
You must be comfortable with cloud concepts. The cloud service models of SaaS, PaaS, and IaaS, and the deployment models of Public, Private, Hybrid, and Community.
Have some familiarity, or at least awareness, of common examples of the various service models. For example:
|SaaS||Gmail, Google Docs, Dropbox, and Salesforce, plus some form of database access through a browser|
|PaaS||Google Apps and the original Microsoft Azure when it was just software development and operation, not full VMs like now, plus some form of database programming|
|IaaS||Google Compute Platform, Amazon EC2, Amazon S3, Microsoft Azure, Rackspace, etc|
However, the exam is not about whether you know how to use any of that technology. It's not as bad as the CompTIA Security+ certification, where the bizarrely misworded questions makes the exam harder if you know the technology. But, knowledge and skill in the technology don't help, either.
The (ISC)2 CCSP exam is entirely about whether you are qualified to advise managers about security issues, especially regulatory compliance issues, associated with moving a project to the cloud.
(ISC)2 assumes that you probably already have the CISSP certification, or at least that you have roughly equivalent background knowledge in cybersecurity. Plus the cloud concept background I mentioned above.
There is almost nothing in the CCSP question pool about cryptography, networking protocols, or operating systems. Out of the 125 questions randomly selected for my exam, I had two about DNS, a rather basic one about cryptography, and two about operating systems in the virtualization environment found in cloud settings. The other 120 questions were about risk management, disaster recovery and business continuity operations, planning, software development project management, business reports, ISO and US Government standards, and regulatory compliance, compliance, compliance.
An entry-level exam like CompTIA Security+ is available most every day at all Pearson-Vue testing centers. That's not the case for CCSP.
Instead of the community college, about 5 miles across town, the nearest locations for me were Indianapolis and Chicago, a little over an hour and about two hours driving time away, respectively. And, it was only available in those locations for two days out of every two weeks. Indianapolis offered it only at 8 AM on those days. I traveled to Chicago and stayed overnight in a hostel, then took it at noon.
Then, be patient. I was told "You have provisionally passed" right after the exam. But ISC2 took almost 10 weeks to send me an email telling me that I had officially passed. And then it was several more weeks before a certificate arrived in the mail.
Here are some study guides. No, these aren't divided into the official domains. These are organized in a way that makes much more sense to me. Many topics appear in multiple places in the official outline. Besides, there's no benefit to being able to say "This question is on a topic from the 'Architectural Concepts and Design Requirements' domain."
Also Get These, Maybe(ISC)2 CCSP
Download the current version of the CCSP Exam Outline from the (ISC)2 website. It lays out the domain areas and exam policies and procedures.CSA CCM
It's very important to know about the CSA Cloud Controls Matrix, but I don't think it's terribly helpful to spend much time looking through the spreadsheet. Know that it exists, know what types of things appear in it, know what you can answer or figure out with it, and that's about it.Office 365
SOC 1, 2, & 3
Microsoft lets you download a SOC 2 Type 2 report for Office 365 (you have to be signed into a Microsoft cloud account, but then it's free). It's very unusual for a company to let outsiders see these! If you look at it, will that help you prepare for the exam? Maybe. The important thing? Know the intended uses and audiences of SOC 1 Type 1 & 2, SOC 2 Type 1 & 2, and SOC 3 reports.
Be careful. Too much material is available for download from CSA, the Cloud Security Alliance. I looked at some of it after I had prepared and taken the exam. It talked about the same general topics, but about different details using different terminology.
Material I Used
I sat in on a course that used the official (ISC)2 course material. Some companies used to run their own test-prep courses, but (ISC)2 forced them to stop (and, soon after, so did CompTIA). Other companies can teach (ISC)2 courses, but they have to use material they buy from (ISC)2. The (ISC)2 course included a text that's about 750 pages long.
I also had three (ISC)2 books I had purchased from Amazon.
As usual with these types of books, they're not great. More like the least bad. Technical books don't get the quality editing associated with major fiction and history publishers.
They're from (ISC)2 so they don't contradict what the test has as the correct answer. However, any certification organization wants to keep their tests difficult. There will be things in the question pool but unmentioned in the books, and the books will contain things that aren't in the question pool in order to further overload your memory. (ISC)2 are better than CompTIA as far as irrelevant clutter, but their books still contain irrelevancies.
The course textbook was OK. It covers all the exam topics, the "Common Body of Knowledge." Its irrelevant material is largely in the form of suggestions and encouragement to management. It has some very clumsy writing. One howler is:
ISO 27034-1 defines an ONF management process to manage the ONF.
ISC2 books use the words "apply" and "application" in confusing ways while discussing software packages, which are called "applications". And they use the adjective "key" to mean "important" or "crucial" in discussions of cryptography, which uses keys. And, "precompiled" when talking about software development, confusing us about compilers. These aren't exact quotes, but ISC2 books on CISSP and CCSP contain phrases along these lines:
... apply these measures to application development.
... applications of cryptography in application development projects ...
A key concern with key management is ...
A key issue when establishing a public-key infrastructure is ...
[while discussing software review] This analysis is guided by a set of precompiled security threats.
And then there all the simply bad writing in ISC2 material:
Ron Rivest, Adi Shamir, and Leonard Adleman developed RSA in 1977, and as you might have surmised, RSA stands for the first letter of its inventors' surnames.
A textbook from a testing organization will add lots of clutter to distract you and waste your time, like the date of invention and the inventors' names. The textbook is full of fluff like "as you might have surmised", and maybe the authors think it's good writing. Or maybe they want us to think that they have swallowed a thesaurus.
As a means to attenuate possibilities for corruption and theft, the organization can craft an environment where no individual person can complete an entire trusted action.
They use far too many words, saying "certainly can be considered to be" when they should say "is". Or, "can be compiled into the following list" instead of "are".
Plus lots of redundancy: "using and capitalizing on" when "using" makes the point.
Or, "much more rapidly and faster" instead of simply "faster".
On to the books you can buy from Amazon:
I first read The Official (ISC)2 Guide to the CCSP CBK. It's very dry, with somewhat stilted wording. That's exactly what I would expect of their presentation of their so-called "Common Body of Knowledge". Some Amazon reviews complain about it being awkwardly written and hard to read, but I guess they don't realize that's exactly its point.
The CBK book contains some practice questions. Not a lot, just 7 to 15 per domain. They are extremely wordy, and selecting the "correct" answer requires making the same assumptions as the author. Again, that's exactly what I would expect in this book.
The questions are very similar to those in the course material. The questions on the actual exam aren't as long-winded as these. However, be ready to deal with long, hard to read, questions and choices. To some extent, the exam tests your ability to carefully read complex, verbose text. Many questions have one subtly placed word that makes all the difference.
I got 79% on its practice questions the first time through, 57 out of 72.
The pass/fail threshold is 70%. On any certification exam I want to be getting at least halfway from the minimum passing score to 100%. So, for this exam, my goal would be 85% or better.
I next read the CCSP (ISC)2 CCSP Official Study Guide. Compared to the CBK book, it's far more readable, almost chatty. It contains some stories of real-world examples of some of the threat concepts. While those make for far less boring reading, I didn't find them necessary or even helpful for understanding the content. Again, they expect you to already have the technical cybersecurity background.
One of its authors is awfully fond of the word "motif", frequently working it in where it isn't at all appropriate. Don't worry, the real test doesn't misuse "motif" on every tenth question.
It has an introductory chapter and then a 30-question assessment exam. I got 83.3% on it.
Then there are 11 chapters, two on each domain except just one on #4, "Application Security". That keeps all the chapters fairly short, which is nice. Each chapter ends with a 20-question domain-specific exam, 20 questions on each except 25 on the first "Legal and Compliance" chapter. Overall on those, I got 198 out of 225, or 88%. That's significantly higher, but...
These questions in this book are significantly easier than those in the other books and, as I discovered, the actual exam. Just like the real test they include several "Which of these is not true?" questions. The wrong one, the correct choice for the answer, tends to be obviously wrong in this book. That makes these questions too easy.
Let's pretend they ask you about cryptography on the CCSP exam. This book might have:
Which of these is not a cryptographic tool for protecting data confidentiality?
- Crouching Tiger
OK, that's a little exaggerated, but not much. Meanwhile the real exam might have:
Which of these is not a cryptographic tool for protecting medical data integrity in an IaaS environment?
That's more challenging. They're all cryptographic tools, and the one that doesn't belong is often the best solution to a cryptographic problem. You have to notice the word integrity in the question, and realize that Whirlpool is a less commonly used hash function. Plus, this question has a more realistic amount of distracting clutter. And look, the one cloud term here, "IaaS", is just an unimportant distractor.
So, while I was glad that I scored higher on the tests in this second book, I didn't count on that meaning much. OK, on to the last book!
Finally, I worked through the book of CCSP Official (ISC)2 Practice Tests. It had a test of 90 to 150 questions for each of the six domains, plus two 125-question mixed "final exams".
This book kept the constant abuse of "motif" dialed back to maybe 25% that of the study guide. It contained, as I had hoped, the most useful and most realistic practice questions.
On its exams I got the following:
So Many Incomplete Scenarios and Questions
Many of the practice questions in the course material, and in these books, and also on the real exam, are incomplete. The only appropriate response in the real world would be, "Finish the explanation of what's happening or what you need. I need more information before I can give you a good answer." The frustrating practice questions help to prepare you for frustrating exam questions.
The Books Have Problems
These are technical books, so the copy editing is weak. The practice exam book especially needs some work. About every 100 to 150 questions, the answer key in the back would be mixed up as to which answer is correct. If you get a question "wrong", in those cases it would be because it listed the wrong letter. Read the explanations in the answer key, you might find that it describes the one you selected.
The funniest error I found was in the Operations Domain section of the CBK book. It's in a section about designing and operating a data center, so the premise here is that you're running your own private cloud infrastructure.
What seems to have happened is that someone wrote a short section, a little over a page long, about keyboard-video-mouse switches you would use with rack-mounted servers. They must have used the acronym "KVM" throughout.
Then, apparently, a second person came along and replaced "KVM" with "Kernel-based Virtual Machine" in the section heading and the first time in the text.
Well, KVM in that sense is very important in a private cloud! It's the mechanism by which the Linux kernel functions as a hypervisor for full system virtualization. It seems to me that it's much more important to get the virtualization right. Interface switch design isn't as critical. I started reading the section thinking that it explained their views on how to securely configure and use kernel-based full virtualization.
Imagine my confusion when I got to the list of important features including warning stickers, flashing LEDs, and circuit boards soldered into place. I eventually figured out what was going on. The mention of "unsecure emanations" was a red flag.
OK, that's more than enough snark. On to some study guides for the domains. Again, this is my organization of topics, not the official domain definitions.