In just a few short months, the Certified Cloud Security Professional (CCSP) certification offered by IT security professional association (ISC)² will undergo its first refresh since hitting the market in 2015. The CCSP has quickly gained in popularity over its brief four-year existence — it is already (ISC)²'s second-most widely held certification, trailing only the long-established and globally popular CISSP credential.
It may not seem like 2015 was that long ago, but change is constant in the information technology (IT) realm. Let's take a look at the changes that have occurred in the cloud security landscape over the past four years and how those changes are reflected in the content of the revised CCSP exam.
We've witnessed remarkable changes in the cloud computing industry since the first security professionals earned their CCSP certifications. To put things in perspective, Amazon Web Services reported $1.6 billion in revenue during the first quarter of 2015.
That's certainly an enormous amount of money, but it pales in comparison to the $7.4 billion they reported in the final quarter of 2018. That's more than a quadrupling of the size of AWS cloud revenue in just three years. And that doesn't even take into account the growth of the cloud platforms operated by Google, Microsoft, IBM, and others.
Such dramatic growth means that the cloud is playing a far more significant role in enterprise IT than it was just four years ago. As organizations increase their dependence upon cloud computing, this also increases the importance of applying security controls to protect the confidentiality, integrity, and availability of the data and services that we create in those cloud environments.
What's New For the CCSP?
The changes in the 2019 CCSP Body of Knowledge won't surprise anyone who has followed the cloud computing industry over the past four years. The changes in the certification's content track developments in cloud computing security. The revised body of knowledge addresses emerging technologies, reflects a renewed emphasis on coordinated security operations, and acknowledges changes in the legal and regulatory landscape.
Let's take a look at a few of the major new topics covered on the exam:
Relationship between cloud computing and other emerging technologies. Expect to see questions on the CCSP exam covering how the cloud supports other hot topics in computing. The new exam covers machine learning, artificial intelligence, blockchain, Internet of Things (IoT), quantum computing, and containers.
Cloud service provider evaluation. The exam always included questions on how organizations should evaluate the security of cloud providers, but the revised exam includes knowledge of specific standards including ISO 27017, PCI DSS, FIPS 140-2, and the Common Criteria.
Modern data security strategies. You'll be asked to update your knowledge on data security practices to include Data Loss Prevention (DLP), data obfuscation, and data de-identification.
Legal hold processes. It's hard to find an organization that hasn't revisited its litigation hold practices over the past few years and the new CCSP exam recognizes the importance of sorting out discovery procedures with cloud service providers.
Cloud Access Security Brokers (CASB). The exam recognizes the rise of CASB solutions in recent years and incorporates questions about how organizations can use a CASB to supplement their identity and access management practices.
Security operations management. In one of the more substantial additions to the exam, the revised CCSP now includes an entire objective on managing security operations. CCSP candidates should be familiar with the role of the Security Operations Center (SOC) and how it monitors security controls, performs log capture and analysis, and facilitates incident response efforts.
In addition, this objective includes questions about monitoring specific security technologies, including firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), honeypots, vulnerability assessments, and network security groups.
Privacy regulations compliance. The world of privacy changed significantly in 2018 with the rollout of the European Union's General Data Protection Regulation (GDPR) and the revised CCSP exam incorporates knowledge of GDPR as well as the Generally Accepted Privacy Principles (GAPP) and the ISO 27018 standard.
Risk treatment options. In line with an increased emphasis on risk management, the new CCSP exam acknowledges that there is more than one way to address risks in an organization. The old exam only covered risk mitigation techniques, while the new exam expands that coverage to include avoiding, modifying, sharing, and retaining risks.
Those are the major new topics covered on the CCSP exam. While these changes do significantly modernize the exam, they don't reflect a large amount of new material that you'll need to learn. If you've already prepared for the exam using the old objectives, you'll just want to refresh your knowledge of these new issues before exam day.
CCSP Exam Structure Remains Largely Intact
While the exam does cover these new topics, there is much that hasn't changed as well. Most of the core content remains the same from the 2015 exam to the 2019 version. The six CCSP domains remain largely intact, with some minor changes in naming. The old Architectural Concepts & Design Requirements domain is now titled Cloud Concepts, Architecture and Design, while the Operations domain has the more descriptive title of Cloud Security Operations. The Legal & Compliance domain also picked up a new word and is now called Legal, Risk & Compliance.
The exam writers also made some slight adjustments to the domain weightings. Here's a summary of the changes (using the new domain names):
There is one major structural change to the exam. While CCSP candidates will still need to answer 125 questions during the exam period, they'll need to answer them more quickly. Starting in August, candidates will only have three hours to complete the exam, while they had four hours to finish the original test. That decreases the time per question from 115 seconds to 86 seconds.
Overall, this revision of the CCSP exam is more of a minor update than a major refresh. You'll certainly find coverage of topics that have increased in importance over the last four years and repeat test takers will note the 25 percent reduction in time, but the core structure of the CCSP exam remains intact with this revision.