Certified Cloud Security Professional (CCSP) of ISC2 - A Book Review
Posted on September 3, 2025 • 20 minutes • 4050 words
The Book and Authors
Certified Cloud Security Professional (CCSP) is a certification of ISC2. It covers six domains of cloud platforms and their security aspects. CCSP is a vendor-agnostic certification, which means the knowledge you obtain applies to all cloud service providers. Universal concepts of cloud services and security within the cloud are explained in the Common Body of Knowledge (CBK) reference. The 3rd edition of the book is written by three authors; the recent 4th edition is written by Aaron Kraus alone. It can be purchased on Amazon or Wiley.
Leslie Fife is a professor at the University of Oklahoma, an information security professional and a CISSP. He has more than 30 years of industry and academia experience.
Aaron Kraus is a professional with over 15 years of experience in the information security industry and holds CCSP and CISSP.
Bryan Lewis is an instructor at the University of Virginia and a security professional who holds CCSP and CISSP. Dr. Lewis has extensive experience in cybersecurity operations focused on strategy, governance and cyber defence.
As an official reference for the CCSP certification, the book covers the exam domains and is a fundamental resource for exam preparation. There are also official supplementary references, such as the Practice Tests and the Study Guide.
I want to cite specific points from the book.
The Citations
Measured service provides two key benefits. It is the foundation of shifting IT spending from CapEx to OpEx, and it provides additional visibility and transparency into actual IT needs. (p.37)
The major CSPs provide orchestration tools. These include IBM Cloud Orchestrator, Microsoft Operations Management Suite (OMS), and AWS CloudFormation. These offerings are typically best suited to manage their respective CSP’s services. Organizations utilizing multiple CSPs can utilize multi-cloud orchestration tools to deploy infrastructure across various CSPs, such as Kubernetes. (p.40)
NIST provides a cloud computing reference architecture in SP 500-292, which was based on a Cloud Security Alliance (CSA) working group project for cloud enterprise architecture. (p.40)
The distributed nature of the cloud also means that many services exist in multiple places; updates are typically deployed in stages, so if an issue is encountered, other regions or zones can handle processing without causing downtime. (p.51)
A Confidential Computing Consortium was developed in 2019 to develop models, reference architectures, and best practices for the use of confidential computing. More information can be found at confidentialcomputing.io. (p.58)
The NSG is essentially an access control mechanism protecting the asset and fills the same role as a traditional firewall in a layered defense strategy. (p.64)
The key to securing ephemeral computing lies in properly specifying configuration of the ephemeral asset. When the asset is needed, a definition file is used to create the needed resources. This definition file must specify appropriate configurations like access controls and security settings like encryption to ensure that the resulting asset is properly secured during use. (p.66)
Serverless applications may be more secure since they do not inherit security vulnerabilities of a traditional operating system. (p.67)
The Cloud Security Alliance (CSA) publishes a list of common cloud threats known as the Egregious Eleven. This list highlights threats that target unique elements of cloud computing, such as a lack of cloud security architecture or strategy in immature organizations or those with a significant shadow IT problem. (p.67)
Hygiene refers to basic practices designed to maintain health and is typically associated with practices like handwashing and cleaning surfaces. Cyber hygiene is basically the same practices that maintain the health and security posture of systems. (p.67)
The single most important element of a security hygiene program is applying software patches. (p.68)
The concept of immutable architecture is also important to baselines, as it prohibits changes to environments once they are built. (p.68)
Measuring how much value an organization receives from investing in something is known as return on investment (ROI) and is often part of a security practitioner’s work in justifying spending on security tools and resources. (p.72)
Emerging cloud-agnostic technologies like containers and careful architecting of cloud systems can reduce vendor lock-in. (p.74)
SANS (sans.org) is an organization that provides a variety of services to security practitioners, including training, templates, and the CIS control framework. This control framework is lightweight and is prioritized to address the most-prevalent security threats seen on the Internet. (p.76)
SANS is vendor agnostic, and the security principles are designed to be applied to cloud infrastructure in any CSP. (p.76)
AWS Well-Architected Framework; Azure Well-Architected Framework (p.76)
Full details of the CSA Enterprise Architecture and related supporting documents are available at the EA Working Group site. (p.77)
A NIST working group for integrating security into DevOps is a popular resource for DevOps security and can be found here (p.77)
27017 guides the implementation of these controls in cloud computing environments, while 27018 extends the controls to implement protection of personally identifiable information (PII) processed in the cloud. (p.78)
Because of the commoditized nature of payment processing, many organizations utilize an external payment processor rather than implementing these functions internally. This has the benefit of shifting some risk and elements of PCI DSS compliance away from the organization. However, the outsourcing arrangement brings its own shared responsibility model, meaning the consuming organization must still implement some controls to ensure the security of the payment data. (p.79)
CSPs can enroll in the CSA Security, Trust, Assurance, and Risk (STAR) registry as a way to demonstrate the security and privacy controls they offer. (p.80)
CSA STAR is a voluntary scheme and offers two levels of assurance. CSPs can provide evidence of their security controls, privacy controls, or both, and the registry has two levels of assurance. Level 1 is a self-assessment and allows the CSP to detail their controls in a standardized format so customers can easily compare across CSPs. (p.80)
FIPS 140-2 is scheduled to be retired by 2026… (p.82)
Access controls form the majority of security safeguards during the share phase and should be designed to be both proactive and reactive. (p.86)
Auguste Kerckhoffs, a Dutch cryptographer, defined a simple doctrine that underpins key management: a cryptosystem should be secure even if everything about the system, except the key, is public knowledge. Known as Kerckhoffs’ principle, this simple maxim guides security in cryptographic systems by placing the emphasis on protecting keys. (p.94)
The payment card data is not stored in the app but is instead tokenized. When the user makes a purchase, the app supplies the token along with user identity information to the tokenization server; if the tokenization server accepts the information provided, it accesses the relevant credit card data and supplies it to complete the transaction. (p.100)
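The tokenization flow in the quote above, written out as an added example (my own sketch, not code from the book): the app stores only a random token, and the tokenization server releases the card number only when the token and the supplied user identity match. The vault, the `purchase` helper and the card number are constructed for the example.

```python
"""Tokenization vault sketch (added example, not the book's code).

Models the quoted flow: the app keeps a token instead of the PAN; at
purchase time it sends token + user identity to the tokenization server,
which looks up the card data only if both match. The card number and
user ids below are constructed test values."""
import hmac
import secrets
from typing import Dict, NamedTuple, Optional, Tuple


class VaultEntry(NamedTuple):
    owner_id: str   # user the token was issued to
    pan: str        # card number, held only inside the vault


class TokenizationServer:
    """Hypothetical token vault: tokens are random, with no mathematical link to the PAN."""

    def __init__(self) -> None:
        self._vault: Dict[str, VaultEntry] = {}

    def tokenize(self, owner_id: str, pan: str) -> str:
        # A random token leaks nothing about the PAN even if the app's
        # storage (or the token itself) is compromised.
        token = secrets.token_urlsafe(24)
        self._vault[token] = VaultEntry(owner_id, pan)
        return token

    def detokenize(self, token: str, owner_id: str) -> Optional[str]:
        entry = self._vault.get(token)
        if entry is None:
            return None
        # Bind the token to the identity it was issued to; a stolen token
        # presented with another identity yields nothing.
        if not hmac.compare_digest(entry.owner_id.encode(), owner_id.encode()):
            return None
        return entry.pan


def mask_pan(pan: str) -> str:
    """What the app side is allowed to display: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


def purchase(server: TokenizationServer, token: str, owner_id: str, amount: float) -> dict:
    """Simulated purchase: the PAN never leaves this function unmasked."""
    pan = server.detokenize(token, owner_id)
    if pan is None:
        return {"status": "declined", "reason": "token/identity mismatch"}
    # The call to the payment processor would happen here.
    return {"status": "approved", "card": mask_pan(pan), "amount": amount}


def demo() -> Tuple[dict, dict]:
    server = TokenizationServer()
    token = server.tokenize("user-42", "4111111111111111")  # constructed test PAN
    ok = purchase(server, token, "user-42", 19.99)
    bad = purchase(server, token, "user-99", 19.99)  # stolen token, wrong identity
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

The point the quote makes is visible in `detokenize`: the app and anything that reads its storage only ever hold a token, and the token alone is not enough to obtain the card data.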
AI is a field of computer science with the goal of designing computer systems capable of displaying intelligent thought or problem solving, though the term is often used to describe systems that simply mimic human tasks such as playing strategy-based board games or operating autonomous vehicles. (p.105)
On-premises systems can be scanned relatively easily by placing a DLP agent on servers comprising the system or a network-based DLP that can monitor traffic inside the network. (p.108)
U.S. Gramm-Leach-Bliley Act (GLBA), which covers banking uses of PII. (p.110)
In all cases, security practitioners need to be aware of the features available in their organization’s chosen cloud environment and ensure that their organization properly architects or configures the services to meet internal and compliance obligations. (p.117)
Security practitioners should consider defense-in-depth strategies such as highly secure key storage and tightly limited access control over archival data as a compensating control for weaker legacy encryption standards. (p.119)
For high sensitivity data, particularly in the financial services industry, there may be a requirement for data to be **stored immutably**, that is, in a format where it cannot be changed. (p.121)
…security practitioners should ensure that their organizations are not put in situations where they are unable to investigate and hold bad actors accountable. (p.123)
VM escape is a type of attack in which a malicious user can break the isolation between VMs running on a hypervisor by gaining access outside their assigned VM. (p.135)
You retain responsibility for this data and cannot rely on the CSP to securely wipe the physical storage areas. (p.136)
…the amount of work used to protect the management plane is, in the end, a business decision. (p.139)
All services used should have a standard configuration that is reviewed and approved for use by the organization. (p.140)
…the security provided by encryption is improved if the customer securely maintains their own encryption keys external to the cloud vendor. (p.141)
The Resilient Design Institute publishes strategies and principles for resilient design; more information can be found at resilientdesign.org (p.145)
Assessing and mitigating risks posed by third parties requires modified risk management practices, and the customer must also be proactive in addressing their assignments under the shared responsibility model. (p.146)
Risks are typically measured by these two criteria: likelihood of occurrence and impact to the organization. (p.146)
…the vendor’s third parties can introduce additional risk, so adequate supply chain risk management (SCRM) is required. (p.147)
“Egregious 11: Top Threats to Cloud Computing.” This is a list of common threats and risks to cloud computing, as well as recommended mitigation strategies that cloud customers can implement. The full list is available here. (p.149)
In both cases, the organization is giving up some direct involvement in return for cost savings and other operational efficiency, so the security program must ensure that these business benefits are not outweighed by security risks. (p.150)
The decision to use such an IAM should balance the benefits of efficiency with potential risks like vendor lock-in, single point of failure if all critical services are in the same CSP, and the security capabilities of the CSP’s IAM solution. (p.153)
If a vendor or CSP system is compromised, then other corporate systems will be similarly compromised since attackers have valid access credentials. (p.154)
All systems should be categorized based on their criticality to the business, and this is usually achieved by performing a business impact analysis (BIA). (p.159)
Tests should be both scheduled and unscheduled. Particularly for new plans and organizations immature in the BCP/DRP space, a scheduled test ensures that key personnel are available and will begin the maturation process. Tests that have the potential of being very disruptive should also be scheduled to minimize disruption. (p.163)
The three parts identified by the Software Assurance Forum for Excellence in Code (SAFECode) are executive support and engagement, program design and implementation, and program sustainment and measurement. (p.166)
…a security incident can cause significant or even fatal disruption to an organization’s operations. Security controls help to prevent or avoid these risks, so understanding security risks and ensuring that they are mitigated should be a key business objective, similar to customer satisfaction or revenue. (p.167)
…the CSA Top Threats Working Group has published the top threats to cloud computing. (p.168)
For organizations utilizing other CSA resources, like the cloud controls matrix (CCM), this can be a useful resource for identifying and mitigating cloud security risks. (p.169)
The OWASP Top 10 is a periodically updated list and features the top threats in web application security. (p.169)
SANS CWE Top 25 is a list of the most dangerous software weaknesses. (p.169)
NIST Secure Software Development Framework and the OWASP Software Assurance Maturity Model (SAMM) (p.170)
CSA Egregious 11 is a good summary of cloud-specific risks. (p.176)
The ATASM framework was developed by security professional Brook Schoenfield, who has blogged about the framework, applications to system and cloud application security, and other topics. Additional details about ATASM can be found here (p.182)
The full list of resources can be found at safecode.org (p.183)
In a continuous integration/continuous deployment (CI/CD) environment, automated testing becomes a required feature. (p.186)
Dynamic application security testing is a form of black-box testing. (p.187)
Once an application is deployed, a DAST may not provide sufficient coverage but can be a useful continuous monitoring tool for production applications. (p.188)
Runtime Application Self Protection (RASP). RASP is less a test and more of a security tool but is often integrated with IAST tools. RASP runs on a server and works whenever the application is running. RASP intercepts all calls to and from the application and validates all data requests. The application can be wrapped in RASP, which provides autonomous capabilities to respond to unusual application behavior. If the RASP agent detects suspicious activity, it can take actions like terminating an offending user’s session or shutting down the application. In a layered defense, this is an additional layer and should not replace secure development and testing. (p.188)
An emerging concept in the field of tracking software dependencies is known as the software bill of materials (SBOM). (p.190)
More information on SBOM can be found here. (p.190)
While you may delegate some processes, you cannot delegate responsibility for your data. (p.193)
Secrets can be used to gain access to systems, so protecting them is just as vital as providing robust control over user credentials like passwords. Since many of these secrets grant highly (p.205)
…new hosts will require secrets in order to authenticate, so a secrets management tool, whether provided by the CSP or a third party solution, is critical. (p.205)
…a hash of hardware component versions installed in a system can be relied upon if it is digitally signed by the TPM. (p.209)
RDP was initially a technology specific to Microsoft Windows but is now widely available across Windows, macOS, Linux, and mobile operating systems including iOS and Android. (p.215)
STIGs and additional information can be found here (p.222)
The NIST Checklist repository (which also includes access to DISA STIGs) can be found [here](https://ncp.nist.gov/repository) (p.222)
The Center for Internet Security (CIS) publishes baseline guides for a variety of operating systems, applications, and devices, which incorporate many security best practices. (p.222)
Physical controls that could prevent unwanted access in a data center will be largely missing in a cloud as well; not that the CSP is ignoring physical security controls, but the inherently network-accessible nature of the cloud means most administrative functions must be exposed and are therefore susceptible to network-based threats. (p.227)
Regardless of what is being monitored and who performs it, adequate staffing is critical to make monitoring effective. Just as reviews make log files impactful, appropriate users of performance data are also essential. If a metric is captured but the cloud consumer never reviews it, they run the risk of a service being unavailable with no forewarning or paying for services that were not actually usable. (p.232)
Disaster recovery (DR) and business continuity (BC) exercises may be used as formal testing of backup and recovery capabilities, and many organizations conduct such exercises annually. (p.234)
Security groups (also called network security groups, or NSGs) are an abstraction layer that allows a consumer to define protections required, and the CSP’s infrastructure deploys appropriate virtualized resources as needed. (p.236)
NGFWs combine multiple firewall functions into a single device, such as a stateful firewall and API gateway. Many NGFWs also include other network security protections such as intrusion detection or VPN services. (p.236)
Host-based firewalls, which are software-based, are also often considered a best practice in a layered defense model. (p.236)
Similar to firewalls, however, NIDS/NIPSs may be challenged in a virtualized environment where network traffic between VMs never crosses a switch. A host based intrusion detection system/intrusion prevention system (HIDS/HIPS) is deployed on a specific host to monitor traffic. (p.237)
Vulnerability scanners are an often-used tool in conducting vulnerability assessments and can be configured to scan on a relatively frequent basis as a detective control. Human vulnerability assessments can also be utilized, such as an internal audit function or standard reviews like access and configuration management checks. Even a physical walk-through of a facility to identify users who are not following clean desk or workstation locking policies can uncover vulnerabilities, which should be treated as risks and remediated (p.237)
The use of vulnerability scanners and pentesters may be limited by your CSP’s terms of service, so a key concern for a CCSP is understanding the type and frequency of testing that is allowed. (p.237)
The cloud management console is often confused with the cloud management plane, and in reality, they perform similar functions and may be closely related. The management console is usually a web-based console for use by the cloud consumer to provision and manage their cloud services, though it may also be exposed as an API that customers can utilize from other programs or a command line. It may utilize the management plane’s API for starting/stopping VMs or configuring VM resources such as RAM and network access, but it should not give a cloud consumer total control over the entire CSP infrastructure. The management plane’s access controls must enforce minimum necessary authorization to ensure that each consumer is able to manage their own infrastructure and not that of another customer. (p.238)
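The last sentence of the quote above, "minimum necessary authorization" so that each consumer manages only its own infrastructure, as an added example of my own (not code from the book or from any CSP): a management-plane authorization check that first scopes the request to the caller's tenant and then to the actions its role is granted. The inventory, tenant names and role table are constructed for the example.

```python
"""Management-plane authorization check (added example, not from the book).

Models the quoted rule: a console/API request to start, stop or resize a
VM is allowed only for resources owned by the caller's tenant and only for
actions the caller's role is granted; CSP-internal assets are never
reachable. Tenants, resources and roles below are constructed."""
from typing import Dict, NamedTuple, Set


class Resource(NamedTuple):
    resource_id: str
    tenant_id: str
    kind: str


class Principal(NamedTuple):
    user: str
    tenant_id: str
    role: str


class Decision(NamedTuple):
    allowed: bool
    reason: str


# Constructed inventory as the management plane would hold it, across tenants.
INVENTORY: Dict[str, Resource] = {
    "vm-a1": Resource("vm-a1", "tenant-acme", "vm"),
    "vm-b7": Resource("vm-b7", "tenant-beta", "vm"),
    "host-node-3": Resource("host-node-3", "csp-internal", "hypervisor"),
}

# Minimum-necessary grants per consumer role; no role carries hypervisor actions.
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "viewer": {"vm:describe"},
    "operator": {"vm:describe", "vm:start", "vm:stop"},
    "admin": {"vm:describe", "vm:start", "vm:stop", "vm:resize"},
}


def authorize(principal: Principal, action: str, resource_id: str) -> Decision:
    """Tenant scoping first, then role check, then action/resource-kind match."""
    resource = INVENTORY.get(resource_id)
    # Same answer for "does not exist" and "belongs to another tenant", so a
    # consumer cannot use the error text to enumerate other tenants' ids.
    if resource is None or resource.tenant_id != principal.tenant_id:
        return Decision(False, "resource not found in caller's tenant")
    if action not in ROLE_ACTIONS.get(principal.role, set()):
        return Decision(False, "role %s lacks %s" % (principal.role, action))
    if not action.startswith(resource.kind + ":"):
        return Decision(False, "action does not apply to this resource kind")
    return Decision(True, "ok")


def audit_line(principal: Principal, action: str, resource_id: str) -> str:
    """One log line per decision, whether allowed or denied, for later review."""
    d = authorize(principal, action, resource_id)
    verdict = "ALLOW" if d.allowed else "DENY"
    return "%s user=%s tenant=%s action=%s resource=%s reason=%s" % (
        verdict, principal.user, principal.tenant_id, action, resource_id, d.reason)


if __name__ == "__main__":
    alice = Principal("alice", "tenant-acme", "operator")
    for act, res in [("vm:stop", "vm-a1"), ("vm:stop", "vm-b7"),
                     ("vm:resize", "vm-a1"), ("vm:stop", "host-node-3")]:
        print(audit_line(alice, act, res))
```

The ordering matters: tenant ownership is decided before the role is consulted, so even an "admin" of one tenant gets the same not-found answer for another tenant's resources as for an id that does not exist.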
The two standards that a CCSP should be familiar with are ISO 20000-1 (not to be confused with ISO 27001) and ITIL (formerly an acronym meaning Information Technology Infrastructure Library). Both frameworks focus on the process-driven aspects of delivering IT services to an organization, such as remote collaboration services, rather than focusing on just delivering IT systems like an Exchange server. In ITIL, the set of services available is called a service catalog, which includes all the services available to the organization. (p.239)
Prioritize recovery: Not all systems or assets can be recovered all at once, so it is essential that the organization develop a prioritization of critical processes that are essential to the continued functioning of its operations and identify which assets are essential to those processes. (p.241)
ISO 27017 is a “Code of practice for information security controls based on ISO/IEC 27002 for cloud services,” and ISO 27018 is a “Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.” (p.243)
The goals of this continuous improvement program should be twofold: first to ensure that the IT services (including security services) are meeting the organization’s business objectives and second to ensure that the organization’s security risks remain adequately mitigated. (p.244)
Once a developer has written their code and checked it in, an automated process is triggered to test the code, and if all tests pass, it is integrated and deployed automatically to users. (p.248)
Configuration management (CM, not to be confused with change management, which is also abbreviated CM) comprises practices, activities, and processes designed to maintain a known good configuration of something. (p.250)
Digital forensics is a field that requires very particular skills and is often outsourced to highly trained professionals, but a CCSP must be aware of digital forensic needs when architecting systems to support forensics and how to acquire appropriate skills as needed to respond to a security incident. (p.254)
To block wireless communications during analysis, the use of a Faraday cage, which blocks electromagnetic signals, is a best practice. (p.260)
The CISO Mind Map published by security author Rafeeq Rehman, found at rafeeqrehman.com/?s=mindmap, provides a more information-security-centric view of security operations than ISO 18788. (p.266)
Investigation will begin as the IRT starts to gather information about the incident. This can be as simple as attempting to reproduce a user-reported app issue to determine if it is only affecting that user or is a system-wide issue. (p.276)
Carnegie Mellon University Software Engineering Institute (SEI)—Incident Management Capability Assessment: SEI publishes a variety of capability maturity models, which can be useful for organizations assessing how robust their procedures are currently and identifying opportunities for future improvement. (p.278)
NIST SP 800-61, Computer Security Incident Handling Guide: This NIST standard is also freely available and breaks incident handling down into four high-level phases: Preparation, Detection and Analysis, Containment Eradication and Recovery, and Post Incident Activity. (p.279)
Forensics, especially cloud forensics, is a highly specialized field that relies on expert technicians to perform the detailed investigations required for discovery while not compromising the potential evidence and chain of custody. (p.291)
Cloud Security Alliance (CSA): Although they do not provide a specific cloud forensics and eDiscovery framework, CSA has done a cross-mapping of relevant ISO standards for cloud computing environments. This includes several key practices that extend forensics to cloud computing and can be accessed here (p.292)
ISO-IEC 27042:2015: This standard is a guideline for the analysis and interpretation of digital evidence. Security practitioners can use these methods to demonstrate proficiency and competence with an investigative team. (p.293)
ISO/IEC 27043:2015: The security techniques document covers incident investigation principles and processes. This can help a security practitioner build processes for various types of investigations, including unauthorized access, data corruption, system crashes, information security breaches, and other digital investigations. (p.293)
Privacy is defined as the state of being free from observation by others, and it is often discussed alongside security. The two fields are not the same, however. Privacy is often codified into laws and regulations as an individual’s right, which organizations must uphold when they collect, store, or process the individual’s information. (p.294)
In practice, most CSPs do not allow all customers to perform their own audits, but instead publish security and privacy documentation such as ISO 27001 or SOC 2 Type II reports for all customers. If these audits identify a weakness or deficiency that increases risk, the contract should specify that the customer can terminate the contract with no penalties. (p.298)
Perhaps the defining feature of U.S. data privacy law is its fragmentation. There is no overarching law regulating data protection in the United States. In fact, the word privacy is not included in the U.S. Constitution. However, there are now data privacy laws in each of the 50 states as well as U.S. territories. (p.300)
The Privacy Shield agreement is a framework that regulates the transatlantic movement of PII for commercial purposes between the United States and the European Union. (p.300)
Under the CLOUD Act, U.S. law enforcement agencies and any counterparts in a corresponding country with an agreement in place can issue requests for data. (p.300)
GLBA explicitly identifies security measures such as access controls, encryption, segmentation of duties, monitoring, training, and testing of security controls. (p.302)
It is important to ensure that the monitoring strategy does not create a breach of privacy protections the users are entitled to. (p.304)
A system that is operating under normal conditions in a particular region can be compliant with legal obligations, but a disaster that causes failover to another region could be a violation of the regulatory requirements. (p.310)
…a SOC 2 report can show customers how well a CSP’s controls are designed and whether they are operating as intended to reduce risk. These reports can play an important role in the following: Organizational oversight. Vendor management programs. Internal corporate governance and risk management processes. Regulatory oversight (p.312)
Insurance carriers are in the business of managing risk, and it is unlikely a carrier will offer insurance if the organization cannot show they have adequate risk mitigations in place. Therefore, risk transfer is often used in conjunction with risk mitigation. (p.330)
Mitigated risks should be evaluated to determine if the residual risk, that is, the risk that remains after the control is implemented, falls below the organization’s risk tolerance. If the residual risk remains too high, other mitigations or risk transfer should be implemented. (p.330)
Cloud professionals need strong project and people management skills to be successful when performing activities such as the following: Assess vendors. Assess vendor lock-in risks. Assess vendor viability (p.338)
Explore escrow options: Escrow is a legal term used when a trusted third party holds something on behalf of two or more other parties, such as a bank holding money on behalf of the individuals buying and selling a home. In IT services, escrow is often used as a way to hold sensitive material like source code or encryption keys. Exposure of the information to unauthorized parties could be damaging but may be necessary in extreme circumstances. For example, a CSP that performed custom software development may wish to protect the intellectual property of their source code, but if they go out of business, their customers are left with an unmaintainable system. (p.338)
ISO 27036:2021 provides a set of practices and guidance for managing cybersecurity risks in supplier relationships. (p.341)