The Certified Cloud Security Professional (CCSP) is one of the most complex certifications in the cybersecurity scene, due to the high level of professionalization required as well as the huge amount of content to be examined in a short time. However, Security Report columnist and BISO Rangel Rodrigues shows that it is not an impossible task. As long as the candidate follows some tips, the chances of success are higher.
Back in about 2005, together with some of my well-known friends from the infosec area (Ricardo Giorgi, Alexandre Salgado, Lucimara Desidera, Anchises Moraes, Victor Bonomi, Fernando Fonseca, Cleverson Viel, Wagner Elias, Eduardo Cabral, Fernando Schiavon, Sergio Dias Pereira, Eva Pereira, among others), I joined forces in a CISSP study group, where we spent many hours preparing for the exam and built a strong friendship. What a good time that was... After that long journey, I spent a long time exploring other ways to keep up to date with the cybersecurity business.
It was in 2018, after working as a proctor and supervisor on the CISSP exam, that I was invited by ISC2 to take part in some CISSP clinics as a volunteer in Tampa, FL. That awakened my interest in ISC2's Certified Cloud Security Professional (CCSP). I bought the first edition of the book but could never effectively focus on studying; despite working for some years with cloud, my issue was literally "time".
Of course, some close friends pushed me to get the certification, but it was not before 2023, having lived in the USA for more than 3 years, that I really saw the need for this certification in my career. I see this process as one of the ways to keep up to date, although I know excellent professionals without that certification. Beyond the choices I made, I'd like to share a few notes about this journey towards the CCSP, and I hope they support those who take on the adventure in the future.
Shortly before, in 2019, I attended a Cloud Security course by the SANS Technology Institute, and in 2022 I got my Certificate of Cloud Security Knowledge (CCSK) from the Cloud Security Alliance (CSA). From that, I got extra material for the CCSP, which came together with practical knowledge: daily work on cloud projects at my current job was essential to succeeding on the exam.
CCSP is a vendor-neutral certification in cloud security that evaluates the understanding and application of cloud concepts in real scenarios, for example migrating a mainframe solution from on-premises to a private cloud environment, or an internet banking system.
The candidate is tested with questions that demand a deep understanding of many aspects of technology, cloud, regulations, frameworks, infosec, privacy, among others. In my opinion, the CCSP content is made up partly of the CCSK and CSA material, along with CISSP and other cloud technical knowledge from a practical point of view. Therefore, if you are already part of the cloud security business, you already have an advantage.
The exam consists of 150 multiple-choice questions, and the candidate has only 4 hours to complete it. In short, with the purpose of collaborating with the cybersecurity and cloud security community, I intend to point out some important points for success in such a complex exam. It's a fact: besides the ISC2 material, it's necessary to look for other resources and explore in depth the way cloud services are used.
1. Study plan
The first step is to set an action plan. In my case, it was a huge challenge, for I bought a voucher for the exam with two possible attempts. That made scheduling the study time and the test more difficult. It took me almost 3 months of intense training, with more than 4 hours a day during the week and even 8 hours on weekends.
I opted for self-study and bought some available resources about the subject. Among them, the books below:
– CCSP Official Study Guide
– CCSP Official Practice Tests
– CCSP CBK Reference
– CCSP All-In-One
– CCSP For Dummies
– CCSP Cloud Guardians
– CCSK All-In-One
– Practical Cloud Security: A Guide for Secure Design and Deployment
– Threat Modeling: A Practical Guide for Development Teams
– Cloud Auditing Best Practices
– Ahead in the Cloud
– Cyber Security Risk Management NIST CSF
Other complementary materials were:
– CCSP Cloud Guru Training
– CCSP Training on Udemy by Gwen Bettwy -> she in particular gives precious tips
– Important tips from Prabh Nair: https://prabhnair.in/2020/12/27/ccspstudyguideprabh/
– Blog CCSP Alukos: https://ccsp.alukos.com
– Cloud Adoption Framework for Azure: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/
– Microsoft Reference Security Architecture: https://learn.microsoft.com/en-us/security/cybersecurity-reference-architecture/mcra
– CISSP Made Easy: https://cisspmadeeasy.com/2022/02/16/ccsp-final-notes-before-passing-the-exam/
– CloudSecList: https://cloudseclist.com
– AWS Security Maturity Model: https://maturitymodel.security.aws.dev/en/model/
As you may see, I used many sources, including research papers and infographics about cloud security from specialized companies such as AquaSec, Wiz, Orca, CSA, GCP, AWS, Microsoft, Puppet, Snyk, Terraform, Prisma Cloud, Lacework, etc. All of these companies keep blogs and materials that add to the preparation for the exam by bringing new concepts (CSPM, CNAPP, CIEM, etc.) that, up to now, are not covered by the material quoted.
That's the fear of most candidates who take the exam: you must not only consider the ISC2 material, but also use complementary sources, with a wide view of new technologies.
2. Read, study and take notes!
Not many secrets here. The evaluation demands dedication and hard studying, without skipping subjects. Read even those subjects you think you have deep knowledge of, taking notes on the most relevant topics and thinking of real scenarios where that concept can be used in cloud protection.
Separate and write all of those relevant topics down in a notebook, because that may help your brain record all the content, and the notes will work as the last review before the official exam.
Some fundamental tips about the content:
- For the CCSP exam, think about how you must protect your organization and the data stored at the cloud provider.
- Keep in mind that cryptography is a key factor from the data protection perspective. It means that in some questions, cryptography will be the most precise answer, so considering how cryptography is used in the given scenario may be really useful.
- Be sure about the cryptographic resources used in the cloud, the methods of protecting data in transit and data at rest, and the best way to protect the cryptographic keys used. Will the client or the CSP be in charge of key management? Who will be responsible, and what is the safest scenario?
- Deeply understand the differences between the cloud service and deployment models: IaaS, PaaS, SaaS, private, public, community, hybrid and multi-cloud. A tip: pay attention to the shared responsibility model between client and provider in IaaS, SaaS and PaaS. The exam is meant to test how deeply you understand a real case.
- Still about shared responsibility, this may also be one of the highlights of the exam. I suggest you keep aware, for example, of the PaaS model, concerning the division of layers and responsibilities between the client and the CSP. Who is responsible for applying a patch to the OS in PaaS or IaaS? Or who is always responsible for the data, regardless of the model? Also, be aware of the cloud layer model (Application, Service, Image, Software-Defined Data Center, Hypervisor, Infrastructure).
- Understand what the points of failure are in a virtual (cloud) environment, how APIs are used and how to protect them, how log management happens and the integration with SIEM; what the important factors are, how to secure a hypervisor, and what the kinds of attacks and preventive measures are. Also, stay tuned about image security (integrity), containers, Kubernetes, security groups, SDN, crypto-shredding and access protection for the management plane.
- Access control, in my point of view, is the most important. Concepts such as IAM, federation, RBAC and ABAC can readily be asked in the test. Remember that MFA is fundamental for remote management and access to the management plane, and don't forget account profiling, limiting the blast radius.
- Other aspects are patch management, hardening, change management, configuration management (ITIL) and automation. Understand how much you can collaborate with security, for example: DevSecOps, IaC, concepts of SASE, DLP, CASB, SOAR, ZTNA, cyber kill chain, etc.
- The Data Security domain is the most evaluated in the CCSP exam, so be prepared for the data lifecycle (create, store, use, share, archive and destroy), as well as where the data comes from, in which phase each control must be applied, and the aspects of jurisdiction and local laws of every country. Pay special attention to privacy and compliance with laws such as GDPR, CCPA, LGPD, GLBA, SOX, PCI-DSS, HIPAA, among others.
- Be fluent in secure software development: SDLC, SAST, DAST, IAST, SCA, OWASP, threat modeling, STRIDE, threat intelligence, tokenization and data masking.
- BC and DR are old subjects, and therefore important in the cloud, so pay attention to authentication, integrity, availability, resilience, portability, interoperability, vendor lock-in, vendor lock-out, backup, BIA, cost reduction (TCO), CAPEX, OPEX, contract models and SLA.
- Read the norms, frameworks and standards: NIST SP 800-145, FIPS 140, ISO 27050, ISO 27017, 27018, 27001, 27002, 27005, NIST CSF, NIST RMF, ISO 31000, ENISA, CSA and others...
- It's important to mention the risk management concepts and the value of the process, as well as understanding the differences between the SOC 1, SOC 2 (Type 1 and Type 2) and SOC 3 reports, besides the CAIQ and CCM models from CSA, and the PCI-DSS requirements.
- Once the data is in a multi-tenant cloud, there is the worry about other clients' data being captured during the e-discovery process (chain of custody), widely explored in the exam. Who is responsible for recovering the data? Is there anything defined in the contract? How is an audit done in the cloud? What are the responsibilities between the parties? What is the best and safest scenario when you have such sensitive data? May a hybrid cloud be an alternative?
At last, it's not possible to cover all the subjects in this article, because that is matter for a whole book, which I'm working on.
Certainly, the CCSP certification exam is neither easy nor impossible. The exam deeply explores the level of knowledge and experience in complex cloud scenarios. If you are an experienced professional in the area, or you already have CISSP, CCSK or similar certifications, I think it's worth considering a 3-month preparation. With a tight and focused schedule, I think you'll achieve your goal.
Don't forget to take practice tests, and in the last week, read the tips from the material quoted in this article. They're precious!
Review the notes you took, for all of them will be stored in your brain. Use the strategies that make sense to you in the exam, and don't study the day before it. Let your mind rest, practicing a sport or another relaxing activity.
Remember: all you got from your studies is already stored in your brain. During the exam, the most important thing is to focus. Read the most complex questions two or three times, be sure to select the most appropriate answer, because it will match your experience, and definitely keep track of the clock.
With these tips, I believe you will be able to pass the challenging CCSP exam. Godspeed!