Sercan Azizoğlu's Personal Website

CCSP (ISC)2 Certified Cloud Security Professional Exam Guide - A Book Review

Posted on October 27, 2025  •  18 minutes  • 3831 words
The Book and Authors

The book is written by Omar A. Turner and Navya Lakshmana and was published on June 21, 2024. It’s available on Amazon. Mr Turner holds positions in the industry, including General Manager of Security at Microsoft, and has more than 25 years of experience. Ms Lakshmana is a professional with certifications including CISSP and CCSP, among other relevant credentials. She currently works at Siemens Healthineers.

Their book serves as a guide for the ISC2 Certified Cloud Security Professional Exam. It covers a wide range of concepts and definitions: cloud service models, security considerations and threats, design principles, evaluation of cloud service providers, cloud data security concepts and architectures, data governance, risk analysis, security controls, business continuity and disaster recovery, application security, the secure software development life cycle, IAM design, forensics, Security Operations Center management, legal aspects, privacy, and cloud audit processes and methodologies.

It covers various subjects to train professionals for the exam. Although it focuses on the CCSP exam, it has high potential to become a reputable reference for all cloud security professionals and architects. Although it is not an official ISC2 exam guide, it remains an excellent resource for exam preparation.

I want to thank Mr Turner and Ms Lakshmana for their significant contributions to the field. Specific notes or tips are handy. At the same time, providing references and links to related sources allows readers to explore further aspects.

I want to cite specific points that caught my attention:

The Citations

When choosing cloud providers, portability is an important factor to consider as it can help decrease the chance of vendor lock-in and provide various business benefits by enabling identical cloud deployments to be provisioned by different cloud providers, either for resiliency or to distribute service components to geographically dispersed deployments. (p.25)

JupyterHub and Databricks, for instance, provide cloud-based collaborative environments where data scientists can work together on projects, share code, and streamline workflows. (p.29)

Businesses now have the capacity to take advantage of powerful analytics, automate tedious tasks, and create intelligent applications thanks to cloud computing’s integration of AI and ML. AI as a Service (AIaaS), for example, is an emerging trend in cloud computing that offers AI and ML capabilities through cloud-based services. (p.30)

Filecoin, Storj, and Sia are examples of projects offering decentralized storage services that can be integrated into existing cloud computing infrastructure.

Enterprises can choose to implement hundreds of controls for a given information system or asset based on their risk appetite and risk thresholds. (p.46)

This is done by reviewing security logs obtained from IDS. Another example is mandatory vacations of at least 10 consecutive working days for employees of many financial institutions. The absence of an employee for two weeks requires another employee to conduct their tasks and potentially uncover illicit activities conducted in the past. (p.48)

Create a comprehensive incident response plan that addresses potential PaaS security risks. (p.61)

Create incident response and disaster recovery plans tailored specifically for SaaS operations. (p.63)

It has often been said that “the first and foremost thing that needs to be clear in a CSA is how the customer will egress their data out of the system.” For example, it is always recommended to save a backup copy at an on-premise location to ensure data portability. It doesn’t matter if they violate your contract or go bankrupt; there’s not much you can do, so replicating your data nightly should be a core part of your disaster recovery and business continuity plan. (p.75)

You can most likely find an example of your favorite cloud provider’s CSA online for you to review. (p.76)

Google Cloud Platform’s Acceptable Use Policy (AUP) can be found here.

For example, the SLA for Microsoft Online Services Worldwide, which is over 100 pages in length, has been updated at least eight times this year. (p.79)

…to maximize the return on their cloud investments in a secure way, businesses must first understand how their data will be stored, managed, and protected in the cloud. (p.87)

…it’s crucial for businesses utilizing cloud infrastructure to regularly update their risk management strategies based on emerging threat intelligence. (p.99)

Use feedback from audits, incident response activities, and new threat intelligence to continuously improve the cloud security policy. (p.103)

For cloud security practitioners, mastering DLM is essential to effectively secure data throughout its lifecycle and navigate the complexities of modern data governance and protection. (p.107)

Understanding IRM equips professionals with the skills to protect sensitive information and implement robust data governance frameworks. (p.122)

Employees must be educated about data classification, usage policies, and security practices. Regular training sessions ensure that staff are aware of the importance of IRM and understand how to comply with data protection policies. (p.124)

Implementing IRM should strike a balance between security and usability to ensure that authorized users can access information efficiently. (p.127)

Deployment of specialized tools, such as Azure security audits and AWS Audit Manager, to continuously monitor and log data-related activities (p.129)

Specialized tools such as Azure security audits and AWS Audit Manager with real-time monitoring capabilities. (p.130)

Use automation to streamline data management tasks and reduce the potential for human error. (p.134)

Data governance strategies are used to restrict access, define roles, and maintain an audit trail. (p.135)

The storage units have no filesystem of their own. Instead, a filesystem is created inside the guest OS whenever a tenant deploys a VM. This is also known as volume storage. (p.150)

To expand on the customer’s role in ensuring storage security, it’s essential to recognize that most cloud service providers offer a variety of security controls and tools designed to protect data. However, the effectiveness of these controls largely depends on how they are configured by the customer. (p.151)

While CSPs can provide the means for security, they do not dictate the level of security that a customer chooses to enforce on their data and applications. Lack of implementation is sometimes caused by a lack of awareness that these controls exist in the first place. (p.151)

Type I hypervisors are typically used in enterprise data centers and cloud environments due to their high efficiency and direct access to hardware resources. Examples of Type I hypervisors include VMware ESXi, Microsoft Hyper-V, and Xen. By running directly on the hardware, Type I hypervisors can offer better performance, scalability, and security compared to Type II hypervisors, which run on top of a host OS. (p.152)

…a Type II hypervisor can be easier to set up and manage, making it suitable for development, testing, and desktop virtualization scenarios. However, this reliance on the host OS can introduce additional overhead, potentially reducing performance and security compared to Type I hypervisors. Examples of Type II hypervisors include VMware Workstation, Oracle VirtualBox, and Microsoft Virtual PC. (p.152)

Apart from the cloud portal (the main web interface of the cloud platform), here are the other key interfaces of the management plane:

For CCSP candidates, mastering the art of identifying and mitigating risks across physical, logical, and virtual environments is not just a skill, it’s a necessity. (p.163)

Questions based on risk assessment calculations such as “Determine the ALE” or “Calculate the risk exposure” could appear, so familiarize yourself with these equations and definitions. (p.165)

…customer-created virtual networks must be protected by access controls such as AWS security groups, Azure network security groups, Google Cloud Platform (GCP) firewall rules, and virtual load balancers. (p.166)

Integration challenges can arise when connecting PaaS solutions with existing on-premise systems or other cloud services, potentially leading to interoperability issues. (p.166)

Vendor lock-in is another significant risk, where migrating data and applications from one SaaS provider to another can be complex and costly, leading to dependence on a single provider. (p.166)

Hybrid cloud may also refer to when public or private cloud services are mixed with on-site hardware and software (virtualized or not). Hybrid cloud can be tricky to configure, especially when services are from different companies, which can increase risk. (p.167)

The security of identity management, data, and on-premises and owned devices is always the responsibility of the customer in the relationship. (p.169)

Some cloud services offer a greater degree of managed security (performed automatically by the CSP) on certain services than others. (p.169)

For strict data residency obligations, cloud services and products must either comply by design or be configured to comply with these data residency requirements. (p.170)

The Cloud Security Alliance’s Security, Trust, and Assurance Registry (STAR) program maintains a registry of STAR Level 2 (third-party audited) CSPs, which are the most trusted in the world, to help guide cloud vendor selection. Level 1, self-assessed, isn’t recommended for secure operations. (p.171)

Maturity models, such as the Cloud Security Maturity Model, can help gauge how well your organization is doing among the wider community. (p.180)

A cloud security professional must help increase security awareness around the organization and ensure that people know security is everyone’s responsibility. (p.181)

Employing Trusted Execution Environments (TEEs) provides a secure area within processors where sensitive data can be processed away from the main operating system, reducing the risk of unauthorized access. (p.192)

…small businesses and nonprofits tend to use open source identity systems such as FreeIPA or OpenLDAP. (p.196)

… the dependence on cloud-based services also introduces unique vulnerabilities, such as data loss due to cyberattacks, service interruptions from technical failures, or downtime resulting from natural disasters affecting data center regions. (p.208)

The management team decides on the acceptable amount of data loss for these scenarios. (p.208)

DR comes into play when catastrophic events such as natural disasters, terrorist attacks, or major fires cause widespread damage. (p.208)

…there needs to be a way for the business to shift to an alternate hosting arrangement where data and services can be restored and made operational within an acceptable timeframe. Planning for such a move should be considered a last resort, reserved for severe outages because of the significant time, cost, and resources involved in making the transition and eventually returning to normal operations. (p.208)

…a slight chance you will encounter a BC plan called a Continuity of Operations Plan (COOP) on the exam. For the CCSP, these two terms are one and the same. (p.209)

BC focuses on maintaining business functions or quickly resuming them in the event of a major disruption. (p.209)

…DR is more technically focused and deals specifically with the recovery and restoration of IT infrastructure and data after a disaster. (p.209)

A great way to make all policies and procedures easier to follow is to include a responsible, accountable, consulted, and informed (RACI) matrix. A RACI matrix identifies the roles and responsibilities of all relevant teams and personnel involved in the BCDR process. (p.216)

Since business requirements and circumstances are constantly changing, it is essential to regularly test and maintain the BCDR plan to ensure its effectiveness and relevance. (p.217)

Tabletop exercises help clarify roles and responsibilities during DR and identify gaps in the plan without impacting actual operations. (p.217)

…application security is especially vital for enterprises that utilize the cloud infrastructure and depend on its agility, flexibility, and scalability. The following are some of its goals:

Insecure APIs: Feature and data-rich APIs that enable data sharing in the cloud are particularly vulnerable; attackers can exploit vulnerabilities in APIs to inject malicious code or commands, leading to unauthorized data access or manipulation. (p.232)

They also need help to monitor user privileges and ensure that only authorized users can access the data in cloud applications. (p.232)

It’s also important to shift left in the cloud because almost all the infrastructure, environments, and resources are determined at the development stage, often using declarative configurations, also known as infrastructure as code (IaC). (p.232)

A CCSP candidate is expected to not only know the differences between each of the vulnerabilities of the OWASP Top 10 but also know the potential examples and mitigation strategies. (p.234)

By prioritizing the most significant risks, those who perform threat modeling may address the web application vulnerabilities that represent the greatest harm. (p.234)

Horizontal and vertical privilege escalation: An attacker can gain access to data or functionality outside of their authorized scope by escalating their privileges either within the same user role (horizontal) or across different roles (vertically). (p.235)

Continuously updating obsolete libraries is one of the most effective methods for mitigating risks. Using a package manager to automate the process of upgrading software packages is suggested. (p.240)

Cloud Web Application and API Protection (WAAP): A cloud WAAP is a holistic multi-cloud platform designed to protect vulnerable web applications and APIs. It combines the functionalities of a WAF, runtime application self-protection (RASP), and other point solutions. (p.246)

Define business objectives: Identify and outline the key business goals that the software supports, establishing a foundational understanding crucial for effective threat modeling. (p.265)

…if an analysis with STRIDE reveals a potential for an elevation of privilege attack on a system component, DREAD can be used to assess the potential damage, how easy the attack would be to reproduce and exploit, how many users would be affected, and how easily the vulnerability could be discovered. (p.267)

DREAD, on the other hand, assesses the risk of prospective security risks. (p.267)

Assurance: This is a measure of confidence in the cloud environment or the application itself that measures how well it can keep itself, its users, and the systems it connects to and that are dependent on it safe from any threats it might encounter over the course of its use. (p.276)

Validation: This is the process of confirming that an application meets both the expectations and the needs of its users. Its purpose is to test the reliability, functionality, and usability of the product, and it does this by executing the application’s code. Its functions include but are not limited to usability testing, functionality testing, security testing, system testing, and performance testing. (p.276)

Verification: This is the process of making sure an application is developed as per the specifications it was designed for. It tests the code, design, and architecture of the application but does not need to execute code to do so. This process commonly includes code verification, design verification, and requirement verification. (p.276)

Such insights are crucial for ensuring that the application not only functions correctly but also delivers a quality experience to users consistently. The four main types of non-functional tests include the following:

REST is a type of software architecture that describes how components, connectors, and data points are used for various web applications. They use the HTTP protocol and support numerous data formats, including XML and JSON. (p.286)

SOAP is both a protocol and a standard for exchanging data between two or more web services. The most common is HTTP, but File Transfer Protocol (FTP) is also popular. SOAP only allows data that is XML-formatted, and there is no data caching involved. It typically has worse performance and not as much scalability as REST. (p.286)

…government agencies and large corporations are more likely to see open source as a problem waiting to happen, given that they are constantly preaching to their customers about their security, professionalism, and threat-level analysis. (p.287)

Use API gateways:

Authorization creep refers to the gradual accumulation of excessive access rights or privileges beyond what is necessary for an individual’s role or responsibilities. (p.312)

In the event of a compromise or unused secrets, a well-defined revocation process is essential, and automation should be leveraged to minimize response time. (p.321)

…a well-defined incident response plan is crucial for addressing secrets exposure promptly, with procedures for containment, investigation, and remediation. (p.321)

The concept of “noisy neighbors” refers to situations where the performance of one VM on shared hardware impacts the performance of neighboring VMs. (p.322)

IaC is a key methodology in cloud computing that enables the automated and consistent deployment of infrastructure resources. IaC involves describing and managing infrastructure components, including VMs, networks, and storage, using code or configuration files rather than manual processes. (p.333)

Integrate policy-as-code solutions such as AWS Service Control Policies (SCPs), Azure policies, or GCP organization policies to establish guardrails, such as prohibiting resource deployments with public IPs, enforcing encryption at rest, and ensuring auditing and key rotation. (p.345)

Problem management focuses on proactively identifying and eliminating the root causes of recurring incidents to prevent future disruptions. (p.362)

The CLOUD Act aims to address legal challenges related to cross-border data access and enhances cooperation between nations in criminal investigations. (p.375)

NIST Special Publication 800-37, the Risk Management Framework (RMF) emphasizes the importance of continuous monitoring as a key component of the risk management process. (p.397)

Azure Network Security Groups (NSGs), AWS Security Groups, or GCP Firewall Rules define security rules that control inbound and outbound traffic to Network Interfaces (NICs), VMs, and subnets. (p.398)
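The quotes from p.151, p.166 and p.398 make the same point: the provider supplies the security-group mechanism, but the customer's configuration decides what it actually blocks. The audit below is an added example for this review, not code from the book or any provider; it uses a constructed, provider-neutral rule shape that an export from AWS security groups, Azure NSGs or GCP firewall rules would first have to be mapped into.

```python
"""Flag inbound cloud firewall rules that expose management ports to the internet.

Added example (not from the book). The Rule shape and SAMPLE_RULES are constructed
for illustration; they are not a real provider's export format.
"""
import ipaddress
from dataclasses import dataclass

# Ports that are almost never meant to be reachable from the whole internet.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp" or "-1" (any protocol, as in AWS)
    from_port: int   # -1 means every port
    to_port: int
    source: str      # CIDR the rule admits traffic from


@dataclass(frozen=True)
class Finding:
    rule: Rule
    severity: str
    reason: str


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (a prefix length of zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def covers_port(rule: Rule, port: int) -> bool:
    if rule.protocol == "-1" or rule.from_port == -1:
        return True
    return rule.from_port <= port <= rule.to_port


def audit(rules: list[Rule]) -> list[Finding]:
    """Return one Finding per inbound rule that is open to the internet and risky."""
    findings: list[Finding] = []
    for r in rules:
        if r.direction != "inbound" or not is_world_open(r.source):
            continue  # outbound rules and scoped sources are out of scope here
        if r.protocol == "-1" or r.from_port == -1:
            findings.append(Finding(r, "critical", "all protocols and ports open to the internet"))
            continue
        exposed = [name for port, name in MANAGEMENT_PORTS.items() if covers_port(r, port)]
        if exposed:
            findings.append(Finding(r, "high", "management port(s) open to the internet: " + ", ".join(exposed)))
        elif r.to_port - r.from_port >= 1000:
            findings.append(Finding(r, "medium", "wide port range open to the internet"))
    return findings


# Constructed sample: a web listener (expected), SSH from the internet, SSH from
# the corporate range, an any/any IPv6 rule, a wide range, and an outbound rule.
SAMPLE_RULES = [
    Rule("inbound", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("inbound", "tcp", 22, 22, "0.0.0.0/0"),
    Rule("inbound", "tcp", 22, 22, "10.0.0.0/8"),
    Rule("inbound", "-1", -1, -1, "::/0"),
    Rule("inbound", "tcp", 8000, 9999, "0.0.0.0/0"),
    Rule("outbound", "-1", -1, -1, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"{f.severity:8s} {f.rule.protocol}/{f.rule.from_port}-{f.rule.to_port} "
              f"from {f.rule.source}: {f.reason}")
```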

EU GDPR: Organizations in the EU must report data breaches to authorities within 72 hours and, if it poses a high risk, notify affected individuals promptly. (p.417)

Evaluate the CSP’s policies on data portability and consider exit strategies. Ensure that data can be easily migrated or retrieved in a usable format if the relationship with the provider ends, minimizing risks associated with vendor lock-in. (p.418)

A distinctive risk in cloud eDiscovery is the difficulty associated with physically searching and seizing cloud resources, such as storage or hard drives. (p.419)

…risk can never be entirely eliminated. Instead, organizations aim to reduce risk to an acceptable level based on their risk tolerance, business objectives, and available resources. Residual risk refers to the level of risk that remains after implementing risk mitigation measures. (p.428)

Organizations often use risk transfer/share alongside mitigation strategies. While mitigation reduces the overall risk, transferring the residual financial risk through mechanisms such as insurance provides an additional layer of protection. (p.428)

Risk transfer, or risk sharing, is a risk management strategy where an organization shifts the financial burden or responsibility of potential losses to another party. This is often achieved through mechanisms such as insurance policies, contractual agreements, or partnerships. (p.428)

Risk acceptance is a risk management strategy wherein an organization consciously acknowledges and tolerates a certain level of risk without implementing specific measures to mitigate or transfer it. (p.428)

Organizations opt for risk acceptance when the cost of mitigating a particular risk exceeds the potential impact, and the risk is deemed manageable within acceptable limits. (p.429)
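The p.165 quote warns that "Determine the ALE" style questions appear on the exam, and the p.428 and p.429 quotes describe residual risk and when acceptance is justified. The following is an added example for this review (not from the book) that carries the standard (ISC)2 formulas through one constructed scenario: SLE = AV × EF, ALE = SLE × ARO, residual ALE after a control, and the control's annual value as the ALE reduction minus its cost. All figures are constructed.

```python
"""Quantitative risk figures the CCSP syllabus expects candidates to compute.

Added example (not from the book). Formulas are the standard (ISC)2 definitions;
every monetary value and rate below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost per incident (0..1)
    aro: float              # ARO: expected incidents per year

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year, untreated."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    ef_after: float   # exposure factor once the control is in place
    aro_after: float  # occurrence rate once the control is in place


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is applied (residual risk, p.428)."""
    return risk.asset_value * control.ef_after * control.aro_after


def control_value(risk: Risk, control: Control) -> float:
    """Annual benefit of the safeguard minus what it costs to run."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def decide(risk: Risk, control: Control, risk_tolerance: float) -> str:
    """Accept when the untreated ALE is within tolerance; mitigate when the
    control pays for itself; otherwise escalate, because accepting a risk that
    is both above tolerance and too costly to mitigate is a management decision
    (and, per p.429, may not be available at all under regulatory mandates)."""
    if risk.ale() <= risk_tolerance:
        return "accept"
    if control_value(risk, control) >= 0:
        return "mitigate"
    return "escalate"


# Constructed scenario: a misconfigured object-storage bucket exposing customer data.
BUCKET_RISK = Risk("public bucket exposure", asset_value=2_000_000, exposure_factor=0.25, aro=0.2)
BUCKET_CONTROL = Control("bucket policy + CSPM alerting", annual_cost=30_000, ef_after=0.25, aro_after=0.02)

# Constructed scenario: noisy-neighbour slowdowns on a shared batch host.
NEIGHBOUR_RISK = Risk("noisy neighbour", asset_value=50_000, exposure_factor=0.1, aro=1.0)
NEIGHBOUR_CONTROL = Control("dedicated host", annual_cost=20_000, ef_after=0.0, aro_after=0.0)

if __name__ == "__main__":
    for risk, control in ((BUCKET_RISK, BUCKET_CONTROL), (NEIGHBOUR_RISK, NEIGHBOUR_CONTROL)):
        print(f"{risk.name}: SLE={risk.sle():,.0f} ALE={risk.ale():,.0f} "
              f"residual={residual_ale(risk, control):,.0f} "
              f"value={control_value(risk, control):,.0f} -> {decide(risk, control, 10_000)}")
```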

…risk acceptance might not be a viable option when there are regulatory mandates or obligations associated with specific activities. (p.429)

ISO 31000:2018 is a globally recognized standard that provides comprehensive guidance on risk management. (p.429)

NIST SP 800-146, titled Cloud Computing Synopsis and Recommendations, serves the purpose of demystifying the field of cloud computing in straightforward language and offering guidance for information technology decision-makers. The document includes clear definitions of cloud computing terminology, as well as an exploration of the advantages and risks associated with all service models. (p.432)

You should specify policy limits, indicating the maximum amount the insurance provider pays for a covered incident, and detail any deductibles payable by the insured party. You should also clearly identify exclusions or limitations, delineating circumstances not covered. (p.442)

ISO/IEC 27036 outlines assurance mechanisms to ensure that suppliers meet the required security standards. This may include assessments, audits, and ongoing monitoring of supplier performance. (p.443)

…OECD has established guidelines known as the “OECD Privacy Guidelines” or “OECD Privacy Principles.” These principles were initially developed in 1980 and have served as a foundational framework for privacy protection. (p.450)

The Federal Trade Commission (FTC) has regulatory oversight of GLBA and is responsible for enforcing its provisions. (p.458)

ISO/IEC 27018 is an international standard that provides guidelines for protecting PII in the context of cloud computing. …The standard is applicable to organizations acting as PII processors in a cloud computing environment. (p.464)

Compliance with standards often demonstrates adherence to best practices and industry benchmarks. Standard-setting organizations can be independent bodies, government agencies, industry groups, or international entities that include experts, industry professionals, government representatives, and other stakeholders to develop and maintain standards. (p.467)

Frameworks are structured sets of guidelines, best practices, and processes designed to help organizations achieve specific objectives or develop and implement policies. An example is the National Institute of Standards and Technology (NIST) Cybersecurity Framework for managing and improving cybersecurity risk. (p.467)

Tort laws deal with civil wrongs that cause harm or loss to individuals. They provide remedies for those who have been wronged by the actions of others. Duty of care is a legal obligation requiring individuals or entities to act reasonably and responsibly to prevent foreseeable harm to others.

Auditing is a systematic examination or inspection of financial, operational, or information system processes to ensure compliance with established standards, policies, regulations, or best practices. (p.476)

Cloud computing, with its dynamic and scalable nature, introduces unique challenges to traditional sampling practices. Unlike traditional on-premises environments, cloud infrastructures are characterized by rapid changes, elastic resource scaling, and a diverse array of services. (p.479)

Due to the sensitive nature of the information disclosed in SOC 2 reports, organizations may require parties requesting access to such reports to sign a Non-Disclosure Agreement (NDA). (p.481)

The CSA STAR audit reports provide stakeholders with valuable insights into the security controls implemented by the CSP. (p.482)

It refers to the Cloud Controls Matrix (CCM), which serves as the basis for evaluating security controls. The criteria align with industry-recognized standards and best practices. The CSA STAR certification program includes various levels, each offering a different degree of assurance:

Policies provide a standardized approach to recurring situations, ensuring that actions and decisions are not arbitrary but based on predefined standards. (p.489)

CSPs are responsible for ensuring that their policies incorporate regulatory requirements and industry best practices to provide customers with a secure and compliant cloud environment. (p.491)
