The second CCSP domain is ‘Cloud Data security’. This vast domain evaluates the candidate’s technical understanding of:
- Various phases of cloud data life cycle
- Cloud data storage architecture including the storage types,security threats and controls
- Data security strategies along with other objectives
This domain of the CCSP certification carries 20% weightage in the exam. The sub-objectives of the CCSP Domain 2 – Cloud Data security include:
- Understanding of Cloud Data life cycle(Cloud Security Alliance guidance)
The exam expects the candidate to possess thorough understanding of various stages of the cloud data life cycle such as creating, storing, using, sharing, archiving, and destroying. In addition, the candidate also needs to have an understanding of risks and security controls associated with each stage of the cloud data life cycle for instance, how to upload data while executing the “create” phase of the cloud data life cycle securely.
- Designing and Implementing Cloud Data Storage Architectures
The next sub-objective tests the candidate’s knowledge on the cloud data storage architectures including IaaS(Infrastructure as a service), SaaS(Software as a service) and PaaS(Platform as a service).‘IaaS’ is a cloud based infrastructure offered as a service. Organizations can subscribe to use and access the cloud infrastructure including servers, hard drives, shared resources and storage on a need basis and pay for the services subscribed for.‘SaaS’ is a cloud based service that allows organizations and individuals to access and use a range of software. Offered as subscription model based services, cloud software or SaaS facilitate anywhere anytime access to various features of the software with just the internet connectivity. The SaaS model involves working with applications on the cloud by using an API. Email, CRM, and many other applications are these days offered as SaaS that enable you to only access the much needed components of the software without investing any cost to purchase and install the entire software on local machine.Another sub-objective of this domain is to assess the knowledge of candidates on different threats to cloud data storage such as unauthorized usage of cloud data among various others.The certification seekers must have the holistic understanding of the ISO/IEC 27040 document that explains trusted ways to mitigate storage security risks.Additionally, the candidate should also know the different technologies such as encryption to address the cloud threats. (Certfied Cloud Security Professional)
- Designing and Applying Effective Data Security Strategies
The next sub-objective focuses to test the certification seeker’s understanding about planning and designing data security strategies like encryption, key management, masking and tokenization. This domain also ensures that the candidate must know the application of technologies such as time and duration of cloud storage and encryption needs of the organization.
The candidate is tested for the understanding of emerging cloud technologies like bit splitting, data obfuscation and homomorphic encryption that process encrypted data without decrypting.
- Understanding and Implementing Data Discovery and Classification Technologies
In context to the next sub-objective, candidates are expected to understand and implement different data discovery and classification technologies.The different data discovery approaches revolve around big data, real time analytics and agile analytics and business intelligence (BI). Widely used data discovery methods include metadata based discovery, label based discovery and content based discovery.Once data is discovered, it needs to be classified. Candidates are expected to understand classification technologies such as encryption and DLP (data leak prevention or data loss protection) expertly.
- Designing and Implementing Relevant Jurisdictional Data Protections for Personally Identifiable Information (PII)
Witha voluminous personal data such as name, address and contact details being stored on the cloud, appropriate cloud data protections are vital and may vary across different locations worldwide. To ensure that each organization achieve compliance to the globally accepted laws and regulations, this sub-objective makes sure to test candidate’s know-how about:
- Data privacy acts
- Implementation of data discovery
- Classification of discovered sensitive data
- Mapping and definition of controls
- Application of defined controls for PII
- Designing and Implementation of Data Rights Management
Data stored on the cloud must be restricted to prevent from unauthorized view, access, and copy for utmost security. This sub-objective ensures that the crucial measure to enable data rights management are implemented effectively.Candidates are also explained the data rights objectives and efficient tools to uphold authorized use of the data.
- Planning and Implementation of Data Retention, Deletion, and Archiving Policies
The certification exam validates candidate’s skills to devise and implement various data retention policies such as retention periods, applicable regulation, retention formats and, any others. It also tests candidate’s understanding about data deletion and archiving policies on the cloud with this sub-objective.
- Designing and Implementing Auditability, Traceability and Accountability of Data Events
In the last sub-objective of ‘Cloud data security’, the certification seeker is assessed to know the auditability, traceability, and accountability of data events on the cloud. In this context, the candidate is expected to know:
- Defining event sources and identity attribution requirement
- Data event logging
- Storage and analysis of data events (for instance, SIEM or Security Information and Event Management)
- Continuous optimizations
- Chain of custody and non-repudiation
The above mentioned sub-objectives form an integral part of the CCSP Domain 2. To gain more insights about CCSP Domains and get trained from industry experts with hands-on exposure, register with InfoSec Train.Find the CCSP class schedules and related details at https://www.infosectrain.com/courses/ccsp/.