CCSP SAH v2

1. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2016 Cloud Security Alliance
Introduction to the CCSP
Shawn Harris, CISSP-ISSAP, CCSP

2. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2016 Cloud Security Alliance
Developed by Cloud Security Alliance
(CSA) and (ISC)² to help information
security professionals achieve the highest
standard for cloud security expertise and
enable organizations to benefit from the
power of cloud computing while keeping
sensitive data secure.

3. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2016 Cloud Security Alliance
Why CCSP?
The industry needs:
• Professionals who understand and can apply effective
security measures to cloud environments
• A reliable indicator of overall competency in cloud
security
• Roadmap and career path into cloud security
• Common global understanding of professional knowledge
and best practices in the design, implementation and
management of cloud computing systems

4. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2016 Cloud Security Alliance
Who are CCSPs?
CCSPs are information security professionals with deep-
seated knowledge and competency in applying best
practices to cloud security architecture, design, operations,
and service orchestration. These professionals have the
cloud security knowledge, skills and experience to be
successful in securing their cloud environments.

5. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2016 Cloud Security Alliance
CCSP Candidates
• CCSP is most appropriate for those whose day-to-day
responsibilities involve procuring, securing and managing
cloud environments or purchased cloud services. In other
words, CCSPs are heavily involved with the cloud. Many
CCSPs will be responsible for cloud security architecture,
design, operations, and/or service orchestration.
Example job functions include, but are not limited to:
 Enterprise Architect  Security Architect
 Security Manager  Security Administrator
 Security Consultant  Systems Architect
 Systems Engineer  Security Engineer

6. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2016 Cloud Security Alliance
The 6 CCSP Domains
• Architectural Concepts & Design Requirements
• Cloud Data Security
• Cloud Platform & Infrastructure Security
• Cloud Application Security
• Operations
• Legal & Compliance

7. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2016 Cloud Security Alliance
Architectural Concepts & Design
Requirements
• Understand Cloud Computing Concepts
• Cloud Reference Architecture
• Security Concepts Relevant to Cloud
• Design Principles of Secure Cloud Computing
• Identify Trusted Cloud Services

8. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2016 Cloud Security Alliance
Cloud Data Security
• Understand Cloud Data Lifecycle
• Design and Implement Cloud Data Storage Architectures
• Design and Apply Data Security Strategies
• Understand and Implement Data Discovery and Classification
Technologies
• Design and Implement data protections for PII
• Data Rights Management
• Data Retention, Destruction and Archiving policies
• Design and Implement Auditability, Traceability and
Accountability of Data Events

9. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2016 Cloud Security Alliance
Cloud Platform & Infrastructure
Security
• Cloud Infrastructure Components
• Analyze Risks Associated to Cloud Infrastructure
• Design and Plan Security Controls
• Plan Disaster Recovery and Business Continuity Management

10. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2016 Cloud Security Alliance
Cloud Application Security
• Training and Awareness in Application Security
• Understand Cloud Software Assurance and Validation
• Use Verified Secure Software
• Comprehend the Software Development Life-cycle (SDLC) Process
• Apply the Secure Software Development Life-Cycle
• Comprehend the specifics of Cloud Application Architecture
• Design Appropriate Identity and Access Management (IAM) Solutions

11. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2016 Cloud Security Alliance
Operations
• Support the Planning Process for the Data Center Design
• Implement, Build, Run, and Manage Physical Infrastructure for Cloud Environment
• Implement, Build, Run, and Manage Logical Infrastructure For Cloud Environment
• Ensure Compliance with Regulations and Controls
• Conduct Risk Assessment to Logical and Physical Infrastructure
• Understand the Collection, Acquisition and Preservation of Digital Evidence
• Manage Communication with Relevant Partners

12. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2016 Cloud Security Alliance
Legal & Compliance
• Understand Legal Requirements and Unique Risks within the Cloud Environment
• Understand Privacy Issues, Including Jurisdictional Variation
• Understand Audit Process, Methodologies, and Required Adaptations for a Cloud
Environment
• Understand Implications of Cloud to Enterprise Risk Management
• Understand Outsourcing and Cloud Contract Design
• Execute Vendor Management

13. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2016 Cloud Security Alliance
Additional Resources
• ISC2 CCSP Common Body of Knowledge guide book
• CSA Cloud Controls Matrix
• CSA Cloudbytes Webinars
• CCSP Linkedin groups with Q&A opportunities