Just wanted to drop a blog about how I passed the ISC2 Certified Cloud Security Professional (CCSP) last week. I really wasn’t quite sure what to expect with the different reviews I’ve read over the internet. It seems to be an exam that a lot of folks (even those with a CISSP) seem to struggle with. I actually tried to not read too many reviews as to not psyche myself out. I do have a CISSP and CISSP-ISSAP, so I know how ISC2 constructs their questions (best answer that normally relies on a few key words in the question, but with just enough partly correct answers to throw you off).
I found the exam to be much more similar to what the ISSAP is compared to the CISSP (I did get my CISSP in 2009, so I don’t even count that experience. I mean, it was on paper with a pencil lol). This test was very much scenario based questions vs. memorization of facts. Despite the reviews, I didn’t find the questions to be too poorly worded, just normal ISC2 style. I have never worked in a cloud environment, but am an IT/Cyber architect and a lot of information as far as DevOps, data centers, and virtualization is very similar. I do have a few other cloud certs that provided some basic knowledge which was definetely applicable (AWS CCP, JNCIA-Cloud, and Azure Foundations). So, I feel if you have any background working in deployments in data centers and dealing with virtualization, that experience will come in handy.
Below is a video I did breaking down my study tips, reviewing the learning objectives, and sharing what resources I used. Check out the video if you want a more in-depth breakdown of how I passed the CCSP.
Exam Experience
I took a lot of the time allowed for the exam (3 hours total, I used 2.5) to answer the 125 questions. We all know the ISC2 NDA stuff, so I can’t go into detail about specific questions. But, I will say my previous ISC2 testing experience made the scenario questions much more manageable even though they looked nothing like the study questions I used from Sybex (more on that below). This is very similar to the ISSAP, in that you are answering practical questions for most of the exam. In this scenario, given these threats/risks/requirements which is the most effective solution/protection/answer. By the end of the exam I had 25 of the 100 questions marked as 50/50. I had a lot of others I was only 85% sure. BTW, if you didn’t know, you can’t go back to look at questions after you answered them. It’s important to know that going in. You do get a scratch sheet of paper, and that might be helpful (or it might not lol). And of course you get to deal with all the typical constraints of testing in a Pearson Vue center.
Areas To Study
Make sure you watch the above video, where I go through all the learning objectives in much more detail. Below is a list of topics I would make sure you are familiar with. Not just their definition, but how they work, what risks are associate with them, what benefits/purpose do they serve, and how you would protect them:
Key management, Cloud Deployment and Service models, Interoperability, Portability, Multi tenancy, security in multi-tenant environment, PII, PCI DSS, HIPAA, GDPR, PIPEDA, NIST and ISO policies. Risk management, BC/DR, Encryption and Hashing technologies, Cloud storage types (volume, object, CDNs) and how they map to various cloud deployment and service models, Virtualization, Virtualization risks (operationally/security wise), Understand DevOps, Vulnerability Management, Patch Management, Incident Management, and Problem Management. Difference between an event, incident and problem and how to resolve each. DLP, IPS/IDS (HIDS, NIDS), WAF, DAM, FIPS 140-2, Identity and Access management, Privacy in cloud, Testing and application security in cloud, Contracts and SLAs, regulations. I’m stressing virtualization again, API’s, Encryption, DNSSEC, CASB, SAML, REST, SIEM, Data & Media sanitization, SDN , OWASP threats (what they are and how to protect against them), federation, SOC reports, eDiscovery, software development life cycle (SDLC), and the cloud data life cycle.
If in the CISSP the main takeaway is human safety above everything else…in the CCSP it’s data safety and compliance. This is especially true with meeting foreign regulations when processing the data of EU users. Thanks GDPR!
CCSP Study Resources
The resources I used were Ben Malisow’s Official Study Guide and Practice Tests (Affiliate Link). I heavily relied on the online question bank for those. I tried to focus on the reasons they gave for the answers and understanding why all answers were either right or wrong, not just what the right one was. I think doing that helped a lot. Also used https://ccsp.alukos.com/ for additional study/reference material. For concepts I was stuck on, I made a lot of various infographics (I share them on my Twitter, but have shared them below as well).
CCSP Infographics
Network Knowledge Wrap Up
Ben Malisow’s Sybex CCSP Study Guide and Practice Tests (Affiliate Link)
CCSP All In One (Affiliate Link)
Official CCSP CBK (Affiliate Link)