M-209 cipher machine.

CCSP Study Notes

Study Guides for (ISC)2 Certified Cloud Security Professional

I work with server and network security. I already held (ISC)2 CISSP and CompTIA Security+ certificates. I had even written a course on cloud security.

CCSP Exam Outline
2019-08-01
However...

I needed to get the (ISC)2 Certified Cloud Security Professional or CCSP certification. (ISC)2 bought the CCSP certification program from the Cloud Security Alliance. It was pretty new. And, as explained below, it's not really about how you would actually go about securing cloud systems.

(ISC)2 issues counts of certificate holders every 6 months. On May 31 2018, the last count before I did the exam, just 3,549 people world-wide had the CCSP certification. Meanwhile there were 82,577 people with CISSP just in the U.S.A. (Within 6 months those numbers had grown to 4,518 and 84,557, respectively) The top 10 countries for CCSP were:

2,050U.S.A.
383U.K.
223Canada
160Netherlands
91Australia
90Germany
79Singapore
57Hong Kong
45Switzerland
45India

Countries with just one CCSP holder each included Bahrain, Curaçao, Georgia, Ghana, Guernsey, Isle of Man, Jamaica, Jordan, Korea, Montenegro, Oman, Philippines, Qatar, Romania, Russia, Senegal, Slovakia, Trinidad and Tobago, Tunisia, and U.S. Virgin Islands.

World-wide numbers:

Date CCSP CISSP
May 31 2019 136,480 5,490

The exam is very much aimed at a U.S. audience, especially employees of the U.S. Government and its contractors.

How to Understand and Pass the Exam

Specific academic terms aren't necessarily needed. For example, CISSP has the Bell-LaPadula model for confidentiality, the Brewer and Nash model (a.k.a. the "Chinese wall" model) for compartmentalization, and the Clark-Wilson model for integrity. CISSP might ask you to recognize the names. CCSP probably won't, but you do need to understand the concepts.

CCSP is not an introductory certification. (ISC)2 does not require you to already hold CISSP. However, they assume you know the technology and its associated terminology at the level covered in CISSP. So, CISSP minus the purely management and planning content.

You must be comfortable with cloud concepts. The cloud service models of SaaS, PaaS, and IaaS, and the deployment models of Public, Private, Hybrid, and Community.

Have some familiarity, or at least awareness, of common examples of the various service models. For example:

SaaS Gmail, Google Docs, Dropbox, and Salesforce, plus some form of database access through a browser
PaaS Google Apps and the original Microsoft Azure when it was just software development and operation, not full VMs like now, plus some form of database programming
IaaS Google Compute Platform, Amazon EC2, Amazon S3, Microsoft Azure, Rackspace, etc

However, the exam is not about whether you know how to use any of that technology. It's not as bad as the CompTIA Security+ certification, where the bizarrely misworded questions makes the exam harder if you know the technology. But, knowledge and skill in the technology don't help, either. For example, know that cloud services can be controlled by APIs in various languages. However, do not worry about knowing how to write one line of code in any of them.

The (ISC)2 CCSP exam is entirely about whether you are qualified to advise managers about security issues, especially regulatory compliance issues, associated with moving a project to the cloud.

(ISC)2 assumes that you probably already have the CISSP certification, or at least that you have roughly equivalent background knowledge in cybersecurity. Plus the cloud concept background I mentioned above.

There are very few questions CCSP question pool focusing on cryptography, networking protocols, or operating systems. Out of the 125 questions randomly selected for my exam, I had two about DNS, a rather basic one about cryptography, and two about operating systems in the virtualization environment found in cloud settings. The other 120 questions were about risk management, disaster recovery and business continuity operations, planning, software development project management, business reports, ISO and US Government standards, and regulatory compliance, compliance, compliance.

Practical Matters

An entry-level exam like CompTIA Security+ is available most every day at all Pearson-Vue testing centers. That's not the case for CISSP or CCSP.

Instead of the community college, about 5 miles across town, the nearest locations for me were Indianapolis and Chicago, a little over an hour and about two hours driving time away, respectively. And, the CCSP exam was only available in those locations for two days out of every two weeks. Indianapolis offered it only at 8 AM on those days. I traveled to Chicago and stayed overnight in a hostel, then took it at noon.

Then, be patient. I was told "You have provisionally passed" right after finishing the CCSP exam. But (ISC)2 took almost 10 weeks to send me an email telling me that I had officially passed. And then it took even longer before a certificate arrived in the mail. My certificate, updated membership card, and lapel pin arrived 20.5 weeks after my exam.

Study Material

Here are some study guides. No, these aren't divided into the official domains. These are organized in a way that makes much more sense to me. Many topics appear in multiple places in the official outline. Besides, there's no benefit to being able to say "This question is on a topic from the 'Architectural Concepts and Design Requirements' domain."

Buy The Practice Exam Book

Buy the CCSP Official (ISC)2 Practice Tests book. I have further suggestions of other books and study guides below. I sat in on a course that used a (ISC)2 textbook, I would still want the practice exam book. If I hadn't been able to take the course and get its textbook, I would want at least one of the (ISC)2 books listed further below.

Also Get These, Maybe

(ISC)2 CCSP
Exam Outline
2019-08-01

Download the current version of the CCSP Exam Outline from the (ISC)2 website. It lays out the domain areas and exam policies and procedures.

CSA CCM

It's very important to know about the CSA Cloud Controls Matrix, but I don't think it's terribly helpful to spend much time looking through the spreadsheet. Know that it exists, know what types of things appear in it, know what you can answer or figure out with it, and that's about it.

Office 365
SOC 1, 2, & 3
reports

Microsoft lets you download a SOC 2 Type 2 report for Office 365 (you have to be signed into a Microsoft cloud account, but then it's free). It's very unusual for a company to let outsiders see these! If you look at it, will that help you prepare for the exam? Probably not. The important thing? Know the intended uses and audiences of SOC 1 Type 1 & 2, SOC 2 Type 1 & 2, and SOC 3 reports.

Be careful. Too much material is available for download from CSA, the Cloud Security Alliance. I looked at some of it after I had prepared and taken the exam. It talked about the same general topics, but about different details using different terminology.

Material I Used

I sat in on courses for both CISSP and CCSP that used the official (ISC)2 course material. Some companies used to run their own test-prep courses, but (ISC)2 forced them to stop (and, soon after, so did CompTIA). Other companies can teach (ISC)2 courses, but they have to use material they buy from (ISC)2. Each (ISC)2 course included a text that's about 750 pages long.

For CCSP I also purchased three (ISC)2 books from Amazon. As for CISSP, I passed that exam several years before, but I have looked at the corresponding (ISC)2 books.

As usual with these types of books, they're not great. More like the least bad. Technical books don't get the quality editing associated with major fiction and history publishers.

They're from (ISC)2 so they don't contradict what the test has as the correct answer. However, any certification organization wants to keep their tests difficult. There will be topics in the question pool that are unmentioned and unexplained in the books. And, the books will contain topics that aren't in the question pool, because that further overloads your memory. (ISC)2 are better than CompTIA as far as irrelevant clutter, but their books still contain irrelevancies.

The course textbooks were OK. They cover all the exam topics, the "Common Body of Knowledge" for each exam. Their irrelevant material is largely in the form of suggestions and encouragement to management. Both the CISSP and CCSP courses include a lot of material that can distract managers into going off on tangents about how to organize manage projects. On both exams it's important to select answers about the importance of management:

  1. Senior management make the strategic decisions.
  2. Those management decisions are based on business concerns, such as comparing the expected benefit to the cost of a new security measure.
  3. Management must set and enforce policies for security preparations and operations — change management, configuration management, vulnerability scanning, threat analysis, plans for business continuity and disaster recovery, and so on.
  4. As the security professional, you must communicate security information to management in terms they will understand and appreciate.

However, there is nothing in the exams about management theory or practice. (ISC)2 hopes that people with interest or background in management will become distracted. From what I've seen, those discussions of management can be very distracting to many attendees, who can quickly be focused on material not relevant to the exams.

All the (ISC)2 material contains some very clumsy writing. One howler from the CCSP material is:

ISO 27034-1 defines an ONF management process to manage the ONF.

(ISC)2 books use the words "apply" and "application" in confusing ways while discussing software packages, which are called applications. And they use the adjective "key" to mean "important" or "crucial" within discussions of cryptography, which uses keys. And, "precompiled" to mean "organized into a list" when talking about software development, confusing us about compilers. These aren't exact quotes, but (ISC)2 books on CISSP and CCSP contain phrases along these lines:

... apply these measures to application development.

... applications of cryptography in application development projects ...

A key concern with key management is ...

A key issue when establishing a public-key infrastructure is ...

[while discussing software review] This analysis is guided by a set of precompiled security threats.

And then there all the simply bad writing in (ISC)2 material:

Ron Rivest, Adi Shamir, and Leonard Adleman developed RSA in 1977, and as you might have surmised, RSA stands for the first letter of its inventors' surnames.

A textbook from a testing organization will add lots of clutter to distract you and waste your time, like the date of invention and the inventors' names. The textbooks are full of fluff like "as you might have surmised", and maybe the authors think it's good writing. Or maybe they want us to think that they have swallowed a thesaurus.

As a means to attenuate possibilities for corruption and theft, the organization can craft an environment where no individual person can complete an entire trusted action.

They use far too many words, saying "certainly can be considered to be" when they should say "is". Or, "can be compiled into the following list" instead of "are".

Plus lots of redundancy: "using and capitalizing on" when "using" makes the point.

Or, "much more rapidly and faster" instead of simply "faster".

On to the books you can buy from Amazon. I'm listing them in the order I read and used them.

Official Guide to the CBK

I first read The Official (ISC)2 Guide to the CCSP CBK. It's very dry, with somewhat stilted wording. That's exactly what I would expect of their presentation of their so-called "Common Body of Knowledge". Some Amazon reviews complain about it being awkwardly written and hard to read, but I guess they don't realize that's exactly its point.

The CBK book contains some practice questions. Not a lot, just 7 to 15 per domain. They are extremely wordy, and selecting the "correct" answer requires making the same assumptions as the author. Again, that's exactly what I would expect in this book.

Looking back over the three extra books that I purchased, they were all helpful. But for me, this one was the least helpful.

The passing cutoff is 70% as best as we can tell. (ISC)2 says "700 points out of 1000" but then they do some statistics and throw out some questions that seem to be too hard or easy. We don't know exactly what they do, in general or on your specific exam event, but 70% is our best information.

The questions are very similar to those in the course material. The questions on the actual exam aren't as long-winded as these. However, be ready to deal with long, hard to read, questions and choices. To some extent, the exam tests your ability to carefully read complex, verbose text. Many questions have one subtly placed word that makes all the difference.

I got 79% on its practice questions the first time through, 57 out of 72.

The pass/fail threshold is 70%. On any certification exam I want to be getting at least halfway from the minimum passing score to 100%. So, for this exam, my goal would be 85% or better.

Study Guide

I next read the CCSP (ISC)2 CCSP Official Study Guide. Compared to the CBK book, it's far more readable, almost chatty. It contains some stories of real-world examples of some of the threat concepts. While those make for far less boring reading, I didn't find them necessary or even helpful for understanding the content. Again, they expect you to already have the technical cybersecurity background.

If I hadn't taken the course and gotten its textbook, I would have wanted both the CBK book above and this one. If I had to choose between the CBK book and the study guide, I would choose this one.

Inigo Montoyo thinks you don't understand.

One of its authors is awfully fond of the word "motif", frequently working it in where it isn't at all appropriate. Don't worry, the real test doesn't misuse "motif" on every tenth question.

It has an introductory chapter and then a 30-question assessment exam. I got 83.3% on it.

Then there are 11 chapters, two on each domain except just one on #4, "Application Security". That keeps all the chapters fairly short, which is nice. Each chapter ends with a 20-question domain-specific exam, 20 questions on each except 25 on the first "Legal and Compliance" chapter. Overall on those, I got 198 out of 225, or 88%. That's significantly higher, but...

These questions in this book are significantly easier than those in the other books and, as I discovered, the actual exam. Just like the real test they include several "Which of these is not true?" questions. The wrong one, the correct choice for the answer, tends to be obviously wrong in this book. That makes these questions too easy.

Let's pretend they ask you about cryptography on the CCSP exam. This book might have:

Which of these is not a cryptographic tool for protecting data confidentiality?

  1. AES
  2. ECC
  3. RSA
  4. Crouching Tiger

OK, that's a little exaggerated, but not much. Meanwhile the real exam might have:

Which of these is not a cryptographic tool for protecting medical data integrity in an IaaS environment hosted at a public cloud provider?

  1. SHA-256
  2. SHA-512
  3. AES
  4. Whirlpool

That's more challenging. They're all cryptographic tools, and the one that doesn't belong is often the best solution to a cryptographic problem. You have to notice the word integrity in the question, and realize that Whirlpool is a less commonly used hash function. Plus, this question has a more realistic amount of distracting clutter. And look, the cloud terms here, "IaaS" and "public", are just unimportant distractors. That is, there's irrelevant in this question, but in other questions they will be the crucial words for selecting the correct answer.

So, while I was glad that I scored higher on the tests in this second book, I didn't count on that meaning much. OK, on to the last book, the one I would definitely want to have!

Practice Tests

Finally, I worked through the book of CCSP Official (ISC)2 Practice Tests. It had a test of 90 to 150 questions for each of the six domains, plus two 125-question mixed "final exams".

This book kept the constant abuse of "motif" dialed back to maybe 25% that of the study guide. It contained, as I had hoped, the most useful and most realistic practice questions.

On its exams I got the following:

Domain 188.8%
Domain 288.7%
Domain 386.0%
Domain 485.2%
Domain 574.5%
Domain 683.3%
Final 183.2%
Final 288.0%

Why Are These Books So Different?

(ISC)2 is very strict about maintaining a "Chinese wall" just like the CISSP CBK describes (where it's also called the Brewer and Nash Model). People involved in any way in creating exam content are not allowed to have anything to do with writing course material or (ISC)2 books, and they are not allowed to teach the course.

So, the authors of these study books and the official (ISC)2 course look at the published Common Body of Knowledge outline, and give it their best guess as to what they think is important.

Through a "train-the-trainer" series I had to go through before teaching the CISSP course, I came to realize that the CISSP course has far more authors than the course textbook tells you. It lists four authors, but I think it was at least twice that.

The result is that the different domains in the course textbook can be presented in noticably different writing styles. This was noticeable in both course textbooks, a little more so in the CISSP course.

So Many Incomplete Scenarios and Questions

Many of the practice questions in the course material, and in these books, and also on the real exam, are incomplete. The only appropriate response in the real world would be, "Finish the explanation of what's happening or the desired result. I need more information before I can give you a good answer." The frustrating practice questions help to prepare you for frustrating exam questions.

The Books Have Problems

These are technical books, so the copy editing is weak. The practice exam book especially needs some work. About every 100 to 150 questions, the answer key in the back would be mixed up as to which answer is correct. If you get that question "wrong", it might be because it listed the wrong letter. Read the explanations in the answer key, you might find that it describes the one you selected.

The funniest error I found was in the Operations Domain section of the CBK book for CCSP. It's in a section about designing and operating a data center, so the premise here is that you're running your own private cloud infrastructure.

What seems to have happened is that someone wrote a short section, a little over a page long, about keyboard-video-mouse switches you would use with rack-mounted servers. They must have used the acronym "KVM" throughout.

Then, apparently, a second person came along and replaced "KVM" with "Kernel-based Virtual Machine" in the section heading and the first time in the text.

Well, KVM in that sense is very important in a private cloud! It's the mechanism by which the Linux kernel functions as a hypervisor for full system virtualization. It seems to me that it's much more important to get the virtualization right. Interface switch design isn't as critical. I started reading the section thinking that it explained their views on how to securely configure and use kernel-based full virtualization.

Imagine my confusion when I got to the list of important features including warning stickers, flashing LEDs, and circuit boards soldered into place. I eventually figured out what was going on. The mention of "unsecure emanations" was a red flag.

ISC2 book confusing keyboard-video-mouse switches with kernel-based full virtualization.

OK, that's more than enough snark. On to some study guides for the domains. Again, this is my organization of topics, not the official domain definitions.