2023-01-16
The (ISC)2 CCSP is hot. That's the Certified Cloud Security Professional. It's from the same group that offers the famous CISSP.
At the end of 2018, there were 131,180 people with CISSP worldwide and 84,557 in the U.S.A. But only 4,518 people worldwide held CCSP. Do you want to be one of the new ones this year?
Not What You Expect
I've worked with cloud technology, largely IaaS, on both Google's and Amazon's large cloud systems. I even wrote a course on safely deploying and configuring IaaS cloud servers. Also, how to provision and program PaaS systems.
However... A certification exam is a peculiar challenge. More so for this one, as it isn't what many of us assume. My practical background of working on cloud servers provided no real advantage.
I was able to take Learning Tree's course 1213, the CCSP test-prep course, and it helped me pass the exam on the first attempt.
The Big Picture
They usually discuss a CBK (or Common Body of Knowledge) divided into domains. For CCSP, those are:
- Architectural Concepts & Design Requirements
- Data Security
- Platform & Infrastructure Security
- Application Security
- Operations
- Legal & Compliance
However, that's just the official story...
What's Its Name?
Let's say you removed the title and then showed me the material. Then you told me that the cert was "CCSP." So, what is it?
I would have guessed that it stood for Certified Compliance Security Professional; however, the Cloud is the operative term in this abbreviation.
Yes, some questions use cloud terminology. And some (but not all) of those explicitly ask you to answer in a cloud context. But how many enterprise operations don't include some cloud technology today?
The dominant theme is compliance. Compliance with international law (e.g., GDPR), with national laws and regulations (HIPAA, Sarbanes-Oxley, PIPEDA), and with industry regulations (PCI DSS). Also, government (NIST) and international (ISO) standards and best practices.
So, What Background Do You Need?
CCSP is not an introductory certification. Instead, it assumes that you're familiar with security and IT concepts. You don't have to have CISSP, but you must know the technology covered in that exam.
You must also be comfortable with cloud concepts and terms. Know the cloud service models and deployment models. Understand the architecture. Also, know some common commercial examples of the service models.
When the exam uses cloud terms, it adheres to NIST definitions. See NIST SP-800-145, "The NIST Definition of Cloud Computing." Learning Tree's Introduction to Cloud Computing course also provides a solid background.
Almost nothing in the CCSP question pool about cryptography, networking protocols, or operating systems exists. The test has 125 questions randomly selected from pools for each domain. I got one rather fundamental question about cryptography. Then, two about DNS. Finally, two are about operating systems running on the virtualization environment found in cloud computing.
The other 120 questions, 96% of the exam, were about risk management, disaster recovery and business continuity, software development project management, and ISO and US Government standards. And, of course, compliance, compliance, compliance!
In addition, a significant block of content looks at data center design. Again, this isn't limited to "cloud" in the strict sense of the term. You will know the needed concepts if you have helped design a data center.
What is the Test Like?
There are 125 questions, and you have 4 hours to answer them. This is good news. You aren't as pressed for time as you are with the CompTIA Security+ exam.
Additionally, 25 of those questions don't count. ISC2 inserts 25 "beta questions" they might use someday, but only if they seem helpful. Questions on Linux containers and SDN (or Software-Defined Networking) are already in the question pools using this process.
And then, for the 100 questions that might count, ISC2 looks at the statistics. They drop questions that are too hard or too easy. If the pass rate for a question is too high or too low, then they don't count it.
Here's how to handle that: Don't panic!
When you get a weird question (and you will), give it your best guess and move on.
Do an excellent job of preparing, and don't worry. If you are well prepared, then the strange or surprising questions are those that don't count for or against you. So pick the best answer and move on.
Scenarios
Several questions will be a great paragraph setting up a scenario and then posing a question. The exam tests your ability to read the complex, lengthy text carefully. Many questions have one subtly placed word that makes all the difference. So, read carefully!
You will probably have 4 or 5 questions based on the same scenario. The text may be similar, but read it all. Make sure you spot the vital part in each question.
The pass/fail threshold is 70%. I want to get at least halfway from the minimum passing score to 100% on any certification exam before I risk taking the actual test. So, my preparation goal was 85% or better.
Test Logistics
An entry-level exam like CompTIA Security+ is available almost daily at all Pearson-Vue testing centers. But unfortunately, that's not the case for CCSP.
I traveled to Chicago, about 2 hours away, where it was available two days every two weeks.
Then, be patient. I had to wait almost ten weeks for the official verification after being told, "You have provisionally passed."
You can do it! Take Learning Tree's Certified Cloud Security Professional (CCSP) Training and Certification, then follow the suggestions for further self-study and practice exams.
Good Luck!
This piece was originally posted on May 21, 2019, and has been refreshed with updated styling.