Shawn Harris - CCSP SAH v2

Upload: trish-mcginity

Post on 23-Jan-2017

Page 1: Shawn Harris - CCSP SAH v2

www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2016 Cloud Security Alliance

Introduction to the CCSP

Shawn Harris, CISSP-ISSAP, CCSP

Page 2: Shawn Harris - CCSP SAH v2

Developed by Cloud Security Alliance (CSA) and (ISC)² to help information security professionals achieve the highest standard for cloud security expertise and enable organizations to benefit from the power of cloud computing while keeping sensitive data secure.

Page 3: Shawn Harris - CCSP SAH v2

Why CCSP?

The industry needs:

• Professionals who understand and can apply effective security measures to cloud environments

• A reliable indicator of overall competency in cloud security

• Roadmap and career path into cloud security

• Common global understanding of professional knowledge and best practices in the design, implementation and management of cloud computing systems

Page 4: Shawn Harris - CCSP SAH v2

Who are CCSPs?

CCSPs are information security professionals with deep-seated knowledge and competency in applying best practices to cloud security architecture, design, operations, and service orchestration. These professionals have the cloud security knowledge, skills and experience to be successful in securing their cloud environments.

Page 5: Shawn Harris - CCSP SAH v2

CCSP Candidates

• CCSP is most appropriate for those whose day-to-day responsibilities involve procuring, securing and managing cloud environments or purchased cloud services. In other words, CCSPs are heavily involved with the cloud. Many CCSPs will be responsible for cloud security architecture, design, operations, and/or service orchestration.

Example job functions include, but are not limited to:

• Enterprise Architect
• Security Architect
• Security Manager
• Security Administrator
• Security Consultant
• Systems Architect
• Systems Engineer
• Security Engineer

Page 6: Shawn Harris - CCSP SAH v2

The 6 CCSP Domains

• Architectural Concepts & Design Requirements
• Cloud Data Security
• Cloud Platform & Infrastructure Security
• Cloud Application Security
• Operations
• Legal & Compliance

Page 7: Shawn Harris - CCSP SAH v2

Architectural Concepts & Design Requirements

• Understand Cloud Computing Concepts
• Cloud Reference Architecture
• Security Concepts Relevant to Cloud
• Design Principles of Secure Cloud Computing
• Identify Trusted Cloud Services

Page 8: Shawn Harris - CCSP SAH v2

Cloud Data Security

• Understand Cloud Data Lifecycle
• Design and Implement Cloud Data Storage Architectures
• Design and Apply Data Security Strategies
• Understand and Implement Data Discovery and Classification Technologies
• Design and Implement data protections for PII
• Data Rights Management
• Data Retention, Destruction and Archiving policies
• Design and Implement Auditability, Traceability and Accountability of Data Events

Page 9: Shawn Harris - CCSP SAH v2

Cloud Platform & Infrastructure Security

• Cloud Infrastructure Components
• Analyze Risks Associated to Cloud Infrastructure
• Design and Plan Security Controls
• Plan Disaster Recovery and Business Continuity Management

Page 10: Shawn Harris - CCSP SAH v2

Cloud Application Security

• Training and Awareness in Application Security
• Understand Cloud Software Assurance and Validation
• Use Verified Secure Software
• Comprehend the Software Development Life-cycle (SDLC) Process
• Apply the Secure Software Development Life-Cycle
• Comprehend the specifics of Cloud Application Architecture
• Design Appropriate Identity and Access Management (IAM) Solutions

Page 11: Shawn Harris - CCSP SAH v2

Operations

• Support the Planning Process for the Data Center Design
• Implement, Build, Run, and Manage Physical Infrastructure for Cloud Environment
• Implement, Build, Run, and Manage Logical Infrastructure For Cloud Environment
• Ensure Compliance with Regulations and Controls
• Conduct Risk Assessment to Logical and Physical Infrastructure
• Understand the Collection, Acquisition and Preservation of Digital Evidence
• Manage Communication with Relevant Partners

Page 12: Shawn Harris - CCSP SAH v2

Legal & Compliance

• Understand Legal Requirements and Unique Risks within the Cloud Environment
• Understand Privacy Issues, Including Jurisdictional Variation
• Understand Audit Process, Methodologies, and Required Adaptations for a Cloud Environment
• Understand Implications of Cloud to Enterprise Risk Management
• Understand Outsourcing and Cloud Contract Design
• Execute Vendor Management

Page 13: Shawn Harris - CCSP SAH v2

Additional Resources

• ISC2 CCSP Common Body of Knowledge guide book
• CSA Cloud Controls Matrix
• CSA Cloudbytes Webinars
• CCSP LinkedIn groups with Q&A opportunities