CCSP

17%  ·  Cloud vocabulary, the service and deployment models, and the reference architecture.

Cloud computing definitions

• Five essential characteristics — NIST SP 800-145 — on-demand self-service · broad network access · resource pooling · rapid elasticity · measured service.
• Roles — cloud consumer · provider · broker (adds value on top of a provider) · carrier · auditor.
• Key building blocks — virtualisation · storage · networking · databases · orchestration.

Service models

• IaaS — the consumer manages everything from the operating system up; the provider owns the virtualisation layer down.
• PaaS — the consumer manages applications and data only; runtime and middleware are the provider’s.
• SaaS — the consumer manages data and access configuration; everything else is the provider’s.

Deployment models

• Public — provider-owned and multi-tenant; private — single-tenant, on- or off-premises; community — shared by organisations with common concerns; hybrid — two or more bound for data and application portability.
• The trade-off is control versus responsibility — moving up the stack shifts work to the provider but reduces the consumer’s visibility.

Design principles and assurance

• Functional requirements — portability · interoperability · availability — guard against vendor lock-in.
• Relevant certifications — ISO/IEC 27017 (cloud controls) · ISO/IEC 27018 (PII in public cloud) · CSA STAR.

20%  ·  The data lifecycle and the controls that protect data at rest, in transit, and in use. The heaviest domain.

Cloud data lifecycle

• Create → store → use → share → archive → destroy — controls and risks differ at every phase.
• Destroy, in the cloud, almost always means crypto-shredding — destroying the keys, because tenants cannot guarantee physical media destruction.

Storage architectures

• IaaS — volume (block) and object storage; PaaS — structured (databases) and unstructured stores; SaaS — content and file storage.
• Threats map to the architecture — for example object-storage misconfiguration leading to public exposure.

Data protection technologies

• Encrypt at rest and in transit (TLS); separate key custody from data custody — KMS · BYOK · HYOK — so the provider cannot read the data alone.
• Tokenisation substitutes a non-sensitive token · masking is static (a copy) or dynamic (on the fly) · pseudonymised data is still personal data under GDPR.

Discovery, classification and rights

• Discovery is label-based, metadata-based, or content-based; classification drives labelling, which drives policy and retention.
• Information rights management (IRM) keeps the access controls attached to the file wherever it travels.

17%  ·  The physical, logical, and virtual infrastructure, multi-tenancy risk, and BCDR planning.

Infrastructure components

• Physical environment · network and communications · compute · virtualisation · storage · the management plane.
• The management plane is the highest-value target — compromising it means control over every tenant’s resources.

Risks specific to shared infrastructure

• Isolation failure and hypervisor escape · noisy-neighbour resource exhaustion · side-channel attacks · loss of governance.
• Mitigations are tenant isolation, hardened hypervisors, and isolated management traffic.

Network and compute controls

• Segmentation and micro-segmentation · security groups and NACLs · TLS everywhere · zero-trust over implicit network trust.
• Harden the host, minimise the attack surface, and keep the management network off the data path.

Business continuity and disaster recovery

• RTO is the maximum tolerable downtime · RPO is the maximum tolerable data loss in time · RSL is the recovery service level as a percentage of capacity.
• An untested BCDR plan is an assumption, not a control — test failover across regions or providers.

17%  ·  Secure SDLC in the cloud, application threats, and the identity and assurance tooling around cloud apps.

Secure software development lifecycle

• Requirements → design → development → testing → deployment → operations — security belongs in every phase, not a final gate.
• Threat-model with STRIDE — spoofing · tampering · repudiation · information disclosure · denial of service · elevation of privilege.

Application security testing

• SAST is white-box on source, early; DAST is black-box on the running app; IAST and RASP are instrumented or self-protecting at runtime.
• Software composition analysis (SCA) covers third-party and open-source dependencies — the supply-chain blind spot.

Supplemental controls and architecture

• WAF for layer-7 filtering · API gateway for throttling, authn/authz, and schema validation · sandboxing for untrusted code.
• Watch the OWASP Top 10 — injection, broken access control, and misconfiguration dominate cloud apps.

Identity and access management

• Federation with SAML or OIDC · single sign-on · multi-factor authentication · short-lived credentials over long-lived secrets.
• Centralise secrets management rather than embedding credentials in code or images.

16%  ·  Building, running, and managing cloud infrastructure operationally, plus digital forensics and stakeholder communication.

Building and running the infrastructure

• Harden hardware (BIOS/firmware, TPM, secure boot) and the operating system against baselines such as the CIS Benchmarks.
• Secure the network — VLANs · TLS · DNSSEC · hardened DHCP — and keep patch and vulnerability management continuous.

Managing operations

• Use ITIL / ISO/IEC 20000-1 for service management — change · configuration · release · problem management.
• Centralise logging into a SIEM and run continuous monitoring against performance and availability baselines.

Digital forensics in the cloud

• Chain of custody is harder — data is volatile, multi-tenant, and multi-jurisdiction — so define forensic support in the contract.
• Follow ISO/IEC 27037 (evidence handling) and the 27041 / 27042 / 27043 series, plus 27050 for e-discovery.

Communication and the SOC

• Communicate with vendors · customers · partners · regulators — each has different timing and content needs.
• SOC functions — detection · triage · incident response · threat hunting.

13%  ·  The legal landscape, privacy, audit, and enterprise risk management for cloud. The smallest domain but definition-heavy.

Legal requirements and risk

• Conflicting international legislation drives data sovereignty and localisation concerns; e-discovery follows ISO/IEC 27050.
• Know the doctrines — due care versus due diligence · criminal versus civil versus administrative law.

Privacy

• Core regulations — GDPR (EU) · CCPA / CPRA (California) · HIPAA (US health) · GLBA · SOX.
• GDPR roles — data subject · controller · processor · sub-processor · DPO · supervisory authority — and Privacy by Design as a baseline.

Audit process and methodologies

• SOC 1 / SOC 2 / SOC 3 reports, each Type I (design) or Type II (operating effectiveness over time).
• Negotiate a right-to-audit clause; reuse shared assessments such as the CSA CAIQ and STAR registry to reduce duplication.

Vendor and supply-chain risk

• Treat risk explicitly — accept · avoid · transfer · mitigate — then monitor the residual.
• Contract and SLA terms that matter — uptime and penalties · data ownership · breach notification · exit and portability.