M-209 cipher machine.

CCSP Study Notes

Study Guides for (ISC)2 Certified Cloud Security Professional

I work with server and network security. I already held (ISC)2 CISSP and CompTIA Security+ certificates. I had even written a course on cloud security.

However...

I needed to get the (ISC)2 Certified Cloud Security Professional or CCSP certification. (ISC)2 bought the CCSP certification program from the Cloud Security Alliance. It was pretty new. And, as explained below, it's not about actually securing cloud systems.

(ISC)2 issues counts of certificate holders every 6 months. In June 2018, the last count before I did this, just 3,549 people world-wide had the CCSP certification. Meanwhile there were 82,577 people with CISSP just in the U.S.A. The top 10 countries for CCSP were:

2,050  U.S.A.
  383  U.K.
  223  Canada
  160  Netherlands
   91  Australia
   90  Germany
   79  Singapore
   57  Hong Kong
   45  Switzerland
   45  India

Countries with just one CCSP holder each included Bahrain, Curaçao, Georgia, Ghana, Guernsey, Isle of Man, Jamaica, Jordan, Korea, Montenegro, Oman, Philippines, Qatar, Romania, Russia, Senegal, Slovakia, Trinidad and Tobago, Tunisia, and U.S. Virgin Islands.

The exam is very much aimed at a U.S. audience, especially employees of the U.S. Government and its contractors.

How to Understand and Pass the Exam

You need to be comfortable with cloud concepts: the cloud service models of SaaS, PaaS, and IaaS, and the deployment models of Public, Private, Hybrid, and Community.

Have some familiarity, or at least awareness, of common examples of the various service models. For example:

SaaS: Gmail, Google Docs, Dropbox, and Salesforce, plus some form of database access through a browser
PaaS: Google Apps and the original Microsoft Azure when it was just software development and operation, not full VMs like now, plus some form of database programming
IaaS: Google Compute Platform, Amazon EC2, Amazon S3, Microsoft Azure, Rackspace, etc.

However, the exam is not about whether you know how to use any of that technology. It's not as bad as the CompTIA Security+ certification, where the bizarrely misworded questions make the exam harder if you know the technology. But knowledge and skill in the technology don't help, either.

The (ISC)2 CCSP exam is entirely about whether you are qualified to advise managers about security issues, especially regulatory compliance issues, associated with moving a project to the cloud.

(ISC)2 assumes that you probably already have the CISSP certification, or at least that you have roughly equivalent background knowledge in cybersecurity. Plus the cloud concept background I mentioned above.

There is almost nothing in the CCSP question pool about cryptography, networking protocols, or operating systems. Out of the 125 questions randomly selected for my exam, I had one about DNS, a rather basic one about cryptography, and two about operating systems in the virtualization environment found in cloud settings. The other 121 questions were about risk management, disaster recovery and business continuity operations, planning, software development project management, and regulatory compliance, compliance, compliance.

Study Material

Here are some study guides.

Also Get These, Maybe

(ISC)2 CCSP Exam Outline

Download the current version of the CCSP Exam Outline from the (ISC)2 website. It lays out the domain areas and exam policies and procedures.

CSA CCM

It's very important to know about the CSA Cloud Controls Matrix, but I don't think it's terribly helpful to spend much time looking through the spreadsheet. Know that it exists, know what types of things appear in it, know what you can answer or figure out with it, and that's about it.

Office 365 SOC 1, 2, & 3 reports

Microsoft lets you download a SOC 2 Type 2 report for Office 365 (you have to be signed into a Microsoft cloud account, but then it's free). It's very unusual for a company to let outsiders see these! If you look at it, will that help you prepare for the exam? Maybe. The important thing? Know the intended uses and audiences of SOC 1 Type 1 & 2, SOC 2 Type 1 & 2, and SOC 3 reports.

Be careful. Too much material is available for download from CSA, the Cloud Security Alliance. I looked at some of it after I had prepared and taken the exam. It talked about the same general topics, but about different details using different terminology.

Material I Used

I sat in on a course that used the official (ISC)2 course material. Some companies used to run their own test-prep courses, but (ISC)2 forced them to stop. (And soon after, so did CompTIA.) Other companies can teach (ISC)2 courses, but they have to use material they buy from (ISC)2. The (ISC)2 course included a text that's about 750 pages long.

I also had three (ISC)2 books I had purchased from Amazon.

As usual with these types of books, they're not great. More like the least bad. They're from (ISC)2, so they don't lie. However, any certification organization wants to keep their tests difficult. There will be things in the question pool that are unmentioned in the books, and the books will contain things that aren't in the question pool in order to further overload your memory. (ISC)2 are much better than CompTIA as far as irrelevant clutter goes.

I first read The Official (ISC)2 Guide to the CCSP CBK. It's very dry, with somewhat stilted wording. That's exactly what I would expect of their presentation of their so-called "Common Body of Knowledge". Some Amazon reviews complain about it being awkwardly written and hard to read, but I guess they don't realize that's exactly its point.

The CBK book contains some practice questions. Not a lot, just 7 to 15 per domain. They are extremely wordy, and selecting the "correct" answer requires making the same assumptions as the author. Again, that's just what I would expect.

The passing cutoff is 70% as best as we can tell. ((ISC)2 says "700 points out of 1000", but then they do some statistics and throw out some questions that seem to be too hard or too easy. We don't know exactly what they do, in general or on your specific exam event, but 70% is our best information.)

The questions are very similar to those in the course material. The questions on the actual exam aren't as long-winded as these. However, be ready to deal with long, hard-to-read questions and choices. To some extent, the exam tests your ability to carefully read complex, verbose text. Many questions have one subtly placed word that makes all the difference.

I got 79% on its practice questions the first time through, 57 out of 72.

The pass/fail threshold is 70%. On any certification exam I want to be getting at least halfway from the minimum passing score to 100%. So, for this exam, my goal would be 85% or better.

I next read the CCSP (ISC)2 CCSP Official Study Guide. Compared to the CBK book, it's far more readable, almost chatty. It contains some stories of real-world examples of some of the threat concepts. While those make for far less boring reading, I didn't find them necessary or even helpful for understanding the content. Again, they expect you to already have the technical cybersecurity background.

Inigo Montoyo thinks you don't understand.

One of its authors is awfully fond of the word "motif", frequently working it in where it isn't at all appropriate. Don't worry, the real test doesn't misuse "motif" on every tenth question.

It has an introductory chapter and then a 30-question assessment exam. I got 83.3% on it.

Then there are 11 chapters, two on each domain except #4, "Application Security". That keeps all the chapters fairly short, which is nice. Each chapter ends with a domain-specific exam of 20 questions, except for 25 on the first "Legal and Compliance" chapter. Overall on those, I got 198 out of 225, or 88%. That's significantly higher, but...

The questions in this book are significantly easier than those in the other books and, as I discovered, than those on the actual exam. Just like the real test, it includes several "Which of these is not true?" questions. The wrong one, which is the correct choice for the answer, tends to be obviously wrong in this book.

Let's pretend they ask you about cryptography on the CCSP exam. This book might have:

Which of these is not a cryptographic tool for protecting data confidentiality?

  1. AES
  2. ECC
  3. RSA
  4. Crouching Tiger

OK, that's a little exaggerated, but not much. Meanwhile the real exam might have:

Which of these is not a cryptographic tool for protecting integrity of medical data stored in an IaaS environment?

  1. SHA-256
  2. SHA-512
  3. AES
  4. Whirlpool

That's more challenging. They're all cryptographic tools, and the one that doesn't belong is often the best solution to some other cryptographic problem. You have to notice the word integrity in the question, and realize that Whirlpool is a less commonly used hash function, so the odd one out is AES, a confidentiality tool rather than an integrity tool. Plus, this question has a more realistic amount of distracting clutter.
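As an added illustration of why the word integrity decides that question (this is example code written for these notes, not from any (ISC)2 book): a keystream cipher stands in for AES in counter mode, since both are XOR against a keystream and share its malleability, and the record, key and nonce are constructed values.

```python
import hashlib
import hmac

# Constructed sample record and key, standing in for a medical record in IaaS storage.
RECORD = b"patient=EXAMPLE-001;dosage_mg=50;allergies=penicillin"
KEY = b"constructed-demo-key-not-for-production"


def keystream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only: XOR data with a SHA-256-derived keystream.
    A constructed stand-in for counter-mode AES (not AES itself); decryption
    is the same call, and nothing here detects a modified ciphertext."""
    stream = bytearray()
    for block_no in range((len(data) + 31) // 32):
        stream.extend(hashlib.sha256(key + nonce + block_no.to_bytes(4, "big")).digest())
    return bytes(d ^ k for d, k in zip(data, stream))


def seal(record: bytes, key: bytes) -> bytes:
    """Integrity: an HMAC-SHA-256 tag over the record (a hash function is the tool here)."""
    return hmac.new(key, record, hashlib.sha256).digest()


def verify(record: bytes, key: bytes, tag: bytes) -> bool:
    """Constant-time comparison of a freshly computed tag with the stored one."""
    return hmac.compare_digest(seal(record, key), tag)


def tamper(ciphertext: bytes, offset: int, mask: int) -> bytes:
    """Flip bits at one offset: models storage corruption or an edited stored object."""
    edited = bytearray(ciphertext)
    edited[offset] ^= mask
    return bytes(edited)


def demo() -> dict:
    nonce = b"\x00" * 8  # fixed for reproducibility; use a fresh random nonce per message
    ct = keystream_encrypt(KEY, nonce, RECORD)
    tag = seal(RECORD, KEY)
    # Flipping one bit of the '0' in "dosage_mg=50" turns it into '8' after decryption.
    offset = RECORD.index(b"dosage_mg=50") + len(b"dosage_mg=5")
    decrypted = keystream_encrypt(KEY, nonce, tamper(ct, offset, 0x08))
    return {
        "decrypted_after_tamper": decrypted,          # contains "dosage_mg=58", no error raised
        "integrity_ok_original": verify(RECORD, KEY, tag),   # True
        "integrity_ok_tampered": verify(decrypted, KEY, tag),  # False: the hash-based tag catches it
    }
```

The encryption alone hides the dosage but lets a silent change through; only the SHA-256-based tag reports that the record is no longer what was stored.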

So, while I was glad that I had higher scores, I didn't count on that meaning much. OK, on to the last book!

Finally, I worked through the book of CCSP Official (ISC)2 Practice Tests. It had a test of 90 to 150 questions for each of the six domains, plus two 125-question mixed "final exams".

This book kept the constant abuse of "motif" dialed back to maybe 25% that of the study guide.

On its exams I got the following:

Domain 1: 88.8%
Domain 2: 88.7%
Domain 3: 86.0%
Domain 4: 85.2%
Domain 5: 74.5%
Domain 6: 83.3%
Final 1: 83.2%
Final 2: 88.0%

The Books Have Problems

These are technical books, so the copy editing is weak. The practice exam book especially needs some work. About every 100 to 150 questions, the answer key in the back would be mixed up as to which answer is correct. If you get a question "wrong" in those cases, it would be because the key listed the wrong letter. Read the explanation; you might find that it describes the one you selected.

The funniest part I found was in the Operations Domain section of the CBK book. It's in a section about designing and operating a data center, so the premise here is that you're running your private cloud infrastructure.

What seems to have happened is that someone wrote a short section, a little over a page long, about keyboard-video-mouse switches you would use with rack-mounted servers. They must have used the acronym "KVM" throughout.

Then, apparently, a second person came along and replaced "KVM" with "Kernel-based Virtual Machine" in the section heading and the first time in the text.

Well, KVM in that sense is very important in a private cloud! It's the mechanism by which the Linux kernel functions as a hypervisor for full system virtualization. I started reading the section thinking it explained their views on how to securely configure and use kernel-based full virtualization.

Imagine my confusion when I got to the list of important features, including warning stickers, flashing LEDs, and circuit boards soldered into place. I eventually figured out what was going on. The mention of "unsecure emanations" was a red flag.

ISC2 book confusing keyboard-video-mouse switches with kernel-based full virtualization.