What is the CCSP certification?
The CCSP (Certified Cloud Security Professional) is a vendor-neutral cloud security certification developed jointly by ISC2 and the Cloud Security Alliance and administered by ISC2. It validates advanced cloud security knowledge across six domains: cloud concepts and architecture, data security, platform and infrastructure security, application security, security operations, and legal, risk and compliance. CCSP requires 5 years of paid IT experience, including 3 years in information security and 1 year in one or more of the six CCSP domains.
The CCSP is aimed at experienced security professionals who design, manage, and secure cloud environments. Because it was developed with the Cloud Security Alliance by ISC2 (the organization behind CISSP), it pairs technical cloud security knowledge with governance, risk, and compliance content in roughly equal measure.
CCSP holders typically work as cloud security architects, cloud security engineers, and cloud-focused CISOs. Salary figures quoted for US holders commonly fall in the $120,000-$170,000 range, though this varies with role and region. The exam costs $599 USD and requires a scaled score of 700 out of 1000 to pass.
Exam Overview
| Detail | Information |
|---|---|
| Certification | CCSP - Certified Cloud Security Professional |
| Provider | ISC2 |
| Number of Questions | 150 |
| Time Limit | 4 hours |
| Passing Score | 700/1000 |
| Cost | $599 USD |
| Prerequisites | 5 years IT experience (3 in security, 1 in a CCSP domain); CISSP satisfies the full requirement |
| Validity | 3 years (90 CPE credits required for renewal) |
The exam covers six domains:
- Cloud concepts, architecture, and design (17%)
- Cloud data security (20%)
- Cloud platform and infrastructure security (17%)
- Cloud application security (17%)
- Cloud security operations (16%)
- Legal, risk, and compliance (13%)
"CCSP is to cloud security what CISSP is to general security -- a broad, deep credential demonstrating that you understand not just the technical implementation but the governance, compliance, and risk management context in which cloud security decisions are made. Candidates who approach it as a technical-only exam miss the substantial governance component." -- CCSP certified professional community
Domain 1: Cloud Concepts, Architecture, and Design (17%)
Cloud Reference Architecture
Cloud computing essential characteristics (NIST SP 800-145):
- On-demand self-service: Provisioning resources without human interaction
- Broad network access: Available through standard network interfaces
- Resource pooling: Multi-tenant model with shared resources
- Rapid elasticity: Resources appear unlimited and can scale rapidly
- Measured service: Resource usage is monitored, controlled, and reported
Cloud Security Design Principles
Cloud Security Alliance (CSA) Security Guidance is the reference framework the exam leans on most heavily:
- The CSA Cloud Controls Matrix (CCM) maps cloud-specific controls to major regulatory and industry frameworks, so one control implementation can be evidenced against several audits
- The Shared Responsibility Model clarifies which security obligations belong to the customer and which to the provider for each service model
- The CSA STAR (Security, Trust, Assurance and Risk) program provides a public registry of cloud provider security assessments, from self-assessment to third-party certification
Virtualization Security
Hypervisor security:
- Type 1 hypervisors (bare-metal) have a smaller attack surface than Type 2
- VM escape attacks: Exploiting vulnerabilities to break out of a VM to the hypervisor
- VM sprawl: Unmanaged proliferation of VMs creating security blind spots
- Snapshot security: VM snapshots may contain sensitive data and must be protected
Domain 2: Cloud Data Security (20%)
Data Security Lifecycle
The CSA data security lifecycle defines six phases:
- Create: Data is generated or modified
- Store: Data persists in storage
- Use: Data is actively processed
- Share: Data is distributed to other users or systems
- Archive: Data is moved to long-term storage
- Destroy: Data is securely deleted
Security controls must be appropriate for each lifecycle phase.
Encryption Strategies
| Scenario | Recommended Approach |
|---|---|
| Data at rest in cloud storage | Client-side encryption before upload, or server-side with CMK |
| Data in transit | TLS 1.2 or higher for all connections |
| Database encryption | Transparent Data Encryption (TDE) or field-level encryption |
| Key management | Customer-managed keys (CMK) in cloud KMS or on-premises HSM |
| Tokenization | Replacing sensitive values with non-sensitive tokens (PCI-DSS use case) |
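The tokenization row above is the one strategy in the table that is easiest to get subtly wrong, so here is an added worked example (written for this page, not taken from ISC2 or CSA material) of a vault-based tokenizer in Python. It assumes a hypothetical in-memory vault and a single `payment-processor` role allowed to detokenize; a production vault would encrypt its store and sit inside the cardholder-data environment. The token keeps the last four digits for receipts, randomizes the rest, and is deliberately made to fail the Luhn check so it can never be confused with a live card number.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check used by card networks; a PAN that fails it never reaches the vault."""
    if not number.isdigit() or len(number) < 13:
        return False
    total = 0
    for position, ch in enumerate(reversed(number)):
        digit = int(ch)
        if position % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory vault. The PAN lives only here; every system
    outside the cardholder-data environment stores and passes the token."""

    def __init__(self, index_key: bytes):
        # Keyed index so the same PAN always maps to the same token without
        # keeping the PAN (or an unkeyed hash of it) as a dictionary key.
        self._index_key = index_key
        self._token_by_index: dict[str, str] = {}
        self._pan_by_token: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        index = self._index(pan)
        if index in self._token_by_index:
            return self._token_by_index[index]
        # Keep the last four digits for receipts and support lookups; the rest
        # is random. The token is forced to fail Luhn so it can never be
        # mistaken for, or replayed as, a real card number.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._token_by_index[index] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Only the payment-processing role may recover the PAN; analytics and
        # support tooling work with the token alone.
        if role != "payment-processor":
            raise PermissionError(f"role {role!r} may not detokenize")
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise ValueError("unknown token") from None


def masked(token: str) -> str:
    """Display form: only the preserved last four digits are shown."""
    return "*" * (len(token) - 4) + token[-4:]


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    token = vault.tokenize("4111111111111111")      # well-known test PAN
    print("token:", token, "display:", masked(token))
    print("same PAN, same token:", vault.tokenize("4111111111111111") == token)
    print("processor sees:", vault.detokenize(token, role="payment-processor"))
```

Two design points matter for PCI scope: the keyed index means a database dump of the vault's lookup table does not reveal PANs to anyone without the index key, and refusing Luhn-valid tokens closes the door on a token being submitted to a payment network as if it were a card.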
Data Loss Prevention in the Cloud
- CASB (Cloud Access Security Broker): Sits between users and cloud applications to enforce DLP policies; deployed in one of two modes
- API-based CASB: Integrates with the cloud application's own APIs to scan content already stored there (good coverage, not real-time)
- Inline CASB: Proxy-based interception of traffic for real-time blocking (real-time, but only sees traffic that passes through the proxy)
- Activity monitoring: Tracks user activity in cloud applications to detect anomalies such as bulk downloads or access from unexpected locations
Domain 3: Cloud Platform and Infrastructure Security (17%)
Cloud Network Security
Virtual network security components:
- VPC/VNet: Isolated network segments in the cloud
- Security groups: Instance-level stateful firewall
- Network ACLs: Subnet-level stateless packet filtering
- Cloud WAF: Application layer protection for cloud-hosted web applications
- Cloud IDS/IPS: Network-based threat detection in cloud environments
Cloud Storage Security
| Storage Type | Security Considerations |
|---|---|
| Object storage (S3, Azure Blob) | Public access must be explicitly disabled; bucket policies |
| Block storage (EBS, Azure Disk) | Encryption at rest; snapshot sharing controls |
| File storage (EFS, Azure Files) | SMB/NFS security; access control and encryption |
| Database (RDS, Azure SQL) | Network isolation; IAM authentication; audit logging |
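The object storage row says public access must be explicitly disabled, and the place that usually goes wrong is the bucket policy. The following is an added example (not from the page or from AWS) of a Python check that walks a bucket policy document and reports every `Allow` statement reachable by an anonymous principal. The list of condition keys it treats as narrowing the grant (`SCOPING_CONDITION_KEYS`) is an assumption for the example, and the policy it scans is constructed.

```python
import json

# Condition keys that scope an otherwise-anonymous grant to an account, org,
# VPC or endpoint. This set is an assumption for the example; the AWS
# documentation on what counts as a "public" bucket is authoritative.
SCOPING_CONDITION_KEYS = {
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
    "aws:sourceaccount", "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce",
    "aws:sourceowner", "aws:userid",
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal) -> bool:
    """True when the statement grants to everyone: Principal "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def condition_scopes_principal(condition) -> bool:
    """True when a Condition limits who the grant applies to."""
    if not isinstance(condition, dict):
        return False
    for operator, keys in condition.items():
        if operator.lower().startswith("null"):
            continue                       # Null checks do not narrow the principal
        for key in keys:
            if key.lower() in SCOPING_CONDITION_KEYS:
                return True
    return False


def find_public_statements(policy: dict) -> list:
    """Return (Sid, actions) for every Allow statement reachable by anyone."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid, actions = stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action"))
        if "NotPrincipal" in stmt:
            # Allow + NotPrincipal grants to everyone except the listed
            # principals, which is effectively public.
            findings.append((sid, actions))
            continue
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        if condition_scopes_principal(stmt.get("Condition")):
            continue                       # anonymous-looking but scoped
        findings.append((sid, actions))
    return findings


# Constructed sample policy for a fictitious bucket: one public read, one
# wildcard principal scoped to a VPC endpoint, one account-scoped write.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "AppRoleWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

if __name__ == "__main__":
    for sid, actions in find_public_statements(SAMPLE_POLICY):
        print(f"PUBLIC: statement {sid} grants {', '.join(actions)} to anyone")
```

A check like this belongs in CI for infrastructure code, but it is a detective control; the preventive one is the account-level and bucket-level Block Public Access setting, which overrides a public policy regardless of what the policy says.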
Shared Responsibility Matrix
The shared responsibility model allocates security responsibilities:
| Responsibility | IaaS | PaaS | SaaS |
|---|---|---|---|
| Physical datacenter | Provider | Provider | Provider |
| Network infrastructure | Provider | Provider | Provider |
| Hypervisor | Provider | Provider | Provider |
| OS and patches | Customer | Provider | Provider |
| Application runtime | Customer | Provider | Provider |
| Application code | Customer | Customer | Provider |
| Data | Customer | Customer | Customer |
| IAM configuration | Customer | Shared | Shared |
Data and access decisions never transfer to the provider: in every model the customer classifies its data, decides who may reach it, and configures the identities and permissions that enforce that decision. What shifts in PaaS and SaaS is that the provider runs the identity service itself.
Domain 4: Cloud Application Security (17%)
Secure Software Development Lifecycle in the Cloud
DevSecOps integrates security into every phase of cloud application development:
- Threat modeling: Identifying security threats during design
- SAST: Analyzing source code for vulnerabilities (Checkmarx, Veracode, SonarQube)
- DAST: Testing running applications for vulnerabilities (OWASP ZAP, Burp Suite)
- Software composition analysis: Scanning dependencies for known vulnerabilities (Snyk, OWASP Dependency-Check)
- Container image scanning: Checking Docker images for vulnerabilities (Trivy, Clair)
- Infrastructure as Code scanning: Scanning Terraform/CloudFormation templates for misconfigurations (Checkov, tfsec)
Cloud API Security
- Authentication: API keys, OAuth 2.0, JWT tokens, mTLS for service-to-service
- Rate limiting: Preventing API abuse and DoS
- Input validation: Rejecting malformed or malicious inputs
- API gateway: Centralized policy enforcement for all API traffic
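The four bullets above are what an API gateway actually does on each request, so here is an added example, written for this page in Python's standard library and not drawn from any named gateway product, of the authentication and rate-limiting steps together. It issues and verifies HS256 JWTs with a pinned algorithm (so an `"alg": "none"` header is rejected rather than trusted), checks issuer, audience and expiry, then applies a per-subject token bucket. The issuer `https://idp.example`, the audience `orders-api` and the demo key are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any token or request the gateway must reject."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT (the identity provider side of the exchange)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Verify a bearer token the way a gateway should: pinned algorithm,
    constant-time signature check, then issuer, audience and time claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:                   # covers bad base64 and bad JSON
        raise TokenError("undecodable header or signature") from None
    # The verifier chooses the algorithm. The header is attacker-controlled
    # input, so "alg": "none" or a swapped algorithm is rejected outright.
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg != "HS256":
        raise TokenError(f"unexpected alg {alg!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("undecodable payload") from None
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("expired or missing exp")
    if now < claims.get("nbf", 0):
        raise TokenError("not yet valid")
    return claims


class TokenBucket:
    """Per-client token bucket: `capacity` burst, `rate` requests per second sustained."""

    def __init__(self, capacity: int, rate: float):
        self.capacity, self.rate = capacity, rate
        self._state = {}                 # client id -> (tokens, last timestamp)

    def allow(self, client: str, now: float) -> bool:
        tokens, last = self._state.get(client, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._state[client] = (tokens - 1.0, now)
            return True
        self._state[client] = (tokens, now)
        return False


def gateway_check(token: str, key: bytes, bucket: TokenBucket, now: float,
                  issuer: str = "https://idp.example", audience: str = "orders-api") -> dict:
    """Authenticate, then rate-limit on the verified subject claim rather than
    on a client-supplied header, so the limit cannot be spoofed away."""
    claims = verify_hs256(token, key, issuer, audience, now=now)
    if not bucket.allow(claims["sub"], now):
        raise TokenError("rate limit exceeded for " + claims["sub"])
    return claims


if __name__ == "__main__":
    KEY = b"constructed-demo-key-do-not-reuse"
    now = 1_700_000_000.0
    good = sign_hs256({"iss": "https://idp.example", "aud": "orders-api",
                       "sub": "svc-42", "exp": now + 300}, KEY)
    print(gateway_check(good, KEY, TokenBucket(capacity=5, rate=1.0), now))
```

Keying the bucket on `sub` from a verified token is the point of ordering the two checks this way; limits keyed on an unauthenticated `X-Client-Id` style header are trivially bypassed. Unauthenticated traffic still needs a separate limit (typically per source IP) in front of this step.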
Domain 5: Cloud Security Operations (16%)
Security Monitoring in the Cloud
Cloud-native monitoring services:
| Cloud Provider | Logging Service | SIEM Integration |
|---|---|---|
| AWS | CloudTrail (API audit log), CloudWatch (metrics and logs), GuardDuty (threat findings) | Forwarded via Kinesis, S3 or EventBridge to Splunk, Microsoft Sentinel or similar |
| Azure | Azure Monitor (Activity Log, Log Analytics), Defender for Cloud | Microsoft Sentinel (formerly Azure Sentinel) native integration |
| GCP | Cloud Logging (Audit Logs), Security Command Center | Export to BigQuery or Pub/Sub for a third-party SIEM |
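Collecting the logs is only useful if something reads them. As an added example (written for this page; the records are constructed in CloudTrail's JSON layout and are not from a real account), here is Python detection logic for three things a cloud SOC watches for in CloudTrail: a root console login without MFA, a burst of failed console logins from one source address, and an API call that stops or alters the trail itself. The thresholds and rule names are assumptions for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
FAILURE_THRESHOLD = 3                  # failed console logins from one IP ...
FAILURE_WINDOW = timedelta(minutes=5)  # ... inside this window raise a finding

# Constructed records in CloudTrail's JSON layout (not from a real account);
# only the fields the rules read are present.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"eventTime":"2025-01-15T10:00:01Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"},"sourceIPAddress":"203.0.113.5","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2025-01-15T10:02:10Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2025-01-15T10:02:20Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2025-01-15T10:02:35Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"carol"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2025-01-15T10:09:00Z","eventName":"StopLogging","eventSource":"cloudtrail.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.7","requestParameters":{"name":"org-trail"}}
{"eventTime":"2025-01-15T10:15:00Z","eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/ops/dan"},"sourceIPAddress":"192.0.2.9"}
""".strip().splitlines()]


def parse_time(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def actor(event: dict) -> str:
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _finding(rule: str, event: dict, detail: str) -> dict:
    return {"rule": rule, "time": event["eventTime"], "actor": actor(event),
            "source_ip": event.get("sourceIPAddress"), "detail": detail}


def detect(events: list) -> list:
    """Run the three rules over the events in time order and return findings."""
    findings = []
    failures_by_ip = defaultdict(list)   # source IP -> timestamps of recent failures
    burst_reported = set()               # report each bursting IP once
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        name = ev.get("eventName")
        ident = ev.get("userIdentity", {})
        if name == "ConsoleLogin":
            success = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            if success and ident.get("type") == "Root" and mfa != "Yes":
                findings.append(_finding("root_console_login_without_mfa", ev, f"MFAUsed={mfa}"))
            elif not success:
                ip = ev.get("sourceIPAddress")
                now = parse_time(ev["eventTime"])
                # sliding window: drop failures older than FAILURE_WINDOW, add this one
                window = [t for t in failures_by_ip[ip] if now - t <= FAILURE_WINDOW] + [now]
                failures_by_ip[ip] = window
                if len(window) >= FAILURE_THRESHOLD and ip not in burst_reported:
                    burst_reported.add(ip)
                    findings.append(_finding("console_login_failure_burst", ev,
                                             f"{len(window)} failures within {FAILURE_WINDOW}"))
        elif ev.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
            trail = ev.get("requestParameters", {}).get("name", "?")
            findings.append(_finding("cloudtrail_logging_tampered", ev, f"{name} on trail {trail}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['time']} {f['rule']:32} actor={f['actor']} ip={f['source_ip']} {f['detail']}")
```

The third rule is the one to treat as highest severity: an attacker who can call `StopLogging` is already inside the account, and the call itself is the last thing the trail will record unless a separate organization trail or a deny-by-SCP guards it.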
Business Continuity in Cloud
Cloud BCP/DR considerations:
- Multi-region deployment: Active-active or active-passive across cloud regions
- Backup and recovery: Cross-region replication with defined RTO/RPO
- Chaos engineering: Deliberately introducing failures to test resilience (Netflix Chaos Monkey)
- Runbooks: Documented procedures for common failure scenarios
Domain 6: Legal, Risk, and Compliance (13%)
Cloud Compliance Frameworks
- ISO 27017: Code of practice for information security controls for cloud services
- ISO 27018: Code of practice for protecting PII in public clouds
- SOC 2 Type II: Service Organization Control report on a provider's controls against the AICPA Trust Services Criteria (security always; availability, processing integrity, confidentiality, and privacy as selected), tested for operating effectiveness over a period rather than at a single point in time
- FedRAMP: U.S. federal government authorization framework for cloud services
- CSA STAR: Cloud-specific security assurance program with self-assessment and third-party audit tiers
eDiscovery and Forensics in the Cloud
Cloud environments present unique challenges for legal investigations:
- Data jurisdiction: Data may be stored in multiple countries with different legal requirements
- Multi-tenancy: Isolating one tenant's data for eDiscovery without exposing other tenants
- Ephemeral resources: Cloud resources that exist briefly may not leave traditional forensic artifacts
- Contractual access: Cloud provider contracts define what data can be provided and when
Frequently Asked Questions
How does CCSP compare to AWS Security Specialty? CCSP is vendor-neutral and governance-focused covering cloud security concepts applicable across all cloud platforms. AWS Security Specialty is AWS-specific and more technically detailed about AWS security services. Both are respected credentials, but for different audiences: CCSP for cloud security architects and managers overseeing multi-cloud environments; AWS Security Specialty for technical specialists working primarily in AWS.
Is CISSP required before CCSP? CISSP is not required before CCSP, but ISC2 accepts a current CISSP in place of the entire CCSP experience requirement (and the CSA CCSK in place of the one year of cloud experience). The credentials are complementary -- many senior security professionals hold both, using CISSP to demonstrate broad security management knowledge and CCSP to demonstrate cloud-specific expertise.
What is the best study approach for CCSP? The most effective combination is the ISC2 CCSP Official Study Guide from Sybex (Ben Malisow's edition is widely used), the CSA Security Guidance (a free download from the Cloud Security Alliance), and hands-on experience in at least one cloud platform. The exam tests governance and compliance knowledge heavily, so allocate study time in proportion to the domain weights -- candidates with technical cloud backgrounds often underestimate the compliance domains.
References
- ISC2. (2025). CCSP Certification. https://www.isc2.org/certifications/ccsp
- Cloud Security Alliance. (2025). CSA Security Guidance v4. https://cloudsecurityalliance.org/research/guidance/
- Cloud Security Alliance. (2025). Cloud Controls Matrix v4. https://cloudsecurityalliance.org/research/cloud-controls-matrix/
- Malisow, B. (2020). (ISC)2 CCSP Certified Cloud Security Professional Official Study Guide, 2nd Edition. Sybex.
- NIST. (2011). SP 800-145: The NIST Definition of Cloud Computing. https://csrc.nist.gov/publications/detail/sp/800-145/final
- ISO/IEC. (2015). ISO/IEC 27017:2015 Information technology -- Security techniques -- Code of practice for information security controls based on ISO/IEC 27002 for cloud services. https://www.iso.org/standard/43757.html
