CCSP Domain #2: Cloud data security [updated 2022]

Mosimilolu Odusanya
August 23, 2022 by
Mosimilolu Odusanya

Earning the CCSP credential means you have the knowledge and skills to secure a cloud environment. Successful candidates must understand the activities, risks and storage architectures required to ensure data security in the cloud. 

The CCSP is comprised of six domains. This article explores the information you need to know and understand for the Domain 2 portion of the test, which contains eight subsections representing 20% of the exam. It assesses your level of mastery of the most critical aspects of cloud data security, as outlined in the CCSP Certification Exam Outline (effective date: August 1, 2022). 

Earn your CCSP, guaranteed!

Earn your CCSP, guaranteed!

Save your spot for an upcoming CCSP Boot Camp and earn one of the most in-demand cloud security certifications — guaranteed!

Domain 2: Cloud data security

2.1 Describe cloud data concepts

Candidates need to understand the following:

  • Cloud data lifecycle phases from creation to storage, usage, sharing, archiving and destruction
  • Data flows
  • Data dispersion and its importance for data resiliency and availability

2.2 Design and implement cloud data storage architectures

Candidates need to understand the storage types and options and the threats and countermeasures applicable to the various cloud service models.

Storage types

  • Infrastructure as a service (IaaS): ephemeral, raw, long-term, volume and object
  • Platform as a service (PaaS): disk, databases, binary large object (blob)
  • Software as a service (SaaS): information storage and management, content and file storage and content delivery network (CDN)

Threats to storage types

Candidates need to understand threats to cloud storage and appropriate countermeasures, such as unauthorized access, regulatory noncompliance, jurisdictional issues, malware and ransomware.

2.3 Design and apply data security technologies and strategies

Candidates need to understand various security technologies and strategies that consumers can use to protect data stored in a cloud environment.

  • Encryption and key management
  • Hashing
  • Tokenization
  • Data loss prevention
  • Data obfuscation
  • Keys, secrets and certificates management

2.4 Implement data discovery

Candidates need to know how to find data in the cloud environment before it can be classified and protected. Having data distributed at more locations increases the attack surface area.

  • Structured data
  • Unstructured data
  • Semi-structured data
  • Data location

Earn your CCSP, guaranteed!

Earn your CCSP, guaranteed!

Save your spot for an upcoming CCSP Boot Camp and earn one of the most in-demand cloud security certifications — guaranteed!

2.5 Plan and implement data classification

Candidates need to understand how to map, label and classify data to indicate the value or sensitivity of the content. This process helps determine appropriate policies and controls to ensure compliance and determine encryption needs, approved use of data, authorized access and proper retention and disposal.

  • Data classification policies
  • Data mapping
  • Data labeling

2.6 Design and implement information rights management (IRM)

Candidates need to understand how IRM works, its importance and its pitfalls in cloud environments, especially involving the security and privacy of an organization’s sensitive data. The two categories of IRM are consumer-grade IRM, also known as digital rights management (DRM), and enterprise-grade IRM.

Objectives (e.g., data rights, provisioning, access models)

Candidates need to understand the various attributes of an IRM system, such as persistence, dynamic policy control, expiration and continuous audit trail.

Appropriate tools (e.g., issuing and revocation of certificates)

Candidates need to understand the critical capabilities of IRM tools and solutions and features to look out for when incorporating IRM into a cloud security architecture.

2.7 Plan and implement data retention, deletion and archiving policies

Candidates need to understand data protection strategies (retention, deletion and archiving) and compliance obligations (i.e., legal, regulatory and contractual).

Data retention policies

Candidates need to understand data retention policies and features required to ensure the cloud consumers meet internal and compliance requirements (e.g., storage costs and access requirements, specified legal and regulatory retention periods and data retention practices).

Data deletion procedures and mechanisms

Candidates need to understand the data deletion procedures required to securely remove data from information systems when they are no longer required. There are three categories of deletion actions for various media types to achieve defensible destruction — clear, purge and destroy.

Data archiving procedures and mechanisms

Candidates must understand the data archiving procedures required to meet an organization’s retention requirements and optimize storage resources in a live production cloud environment.

Legal hold

Candidates need to understand legal holds, electronic discovery and their importance during a legal investigation, along with legal hold roles and responsibilities when negotiating cloud contracts and SLAs.

2.8 Design and implement auditability, traceability and accountability of data events

Candidates must understand the various stages of data moving in cloud environments and the critical methods used to protect data throughout the entire lifecycle. In addition, you should know how to identify, track and analyze data events to ensure security in the cloud environment.

Defining event sources and requirements of identity attribution (Identity, Internet Protocol, address, geolocation)

Candidates must understand the various key event sources, event data and event attributes available for the cloud service models — IaaS, PaaS and SaaS.

Logging, storing and analyzing data events

Candidates need to understand how to collect, verify, store and analyze data collected in a cloud environment.

Chain of custody and nonrepudiation

Candidates need to understand the process of maintaining the chain of custody to ensure data integrity while conducting forensic analysis and incident response.

Earn your CCSP, guaranteed!

Earn your CCSP, guaranteed!

Save your spot for an upcoming CCSP Boot Camp and earn one of the most in-demand cloud security certifications — guaranteed!

How to prepare for the CCSP exam

The CCSP includes six domains. Studying suitable material is essential for passing the CCSP exam. The official preparation material includes:

  • Official (ISC)² CCSP Study Guide, 2nd Edition
  • Official (ISC)² CCSP CBK Reference, 3rd Edition
  • Official (ISC)² CCSP Practice Tests, 2nd Edition
  • Official (ISC)² CCSP Flash Cards 
  • Official (ISC)² CCSP Study App

Need training? Design an individual CCSP learning path that fits your needs and requirements to prepare for the CCSP certification. Start validating your cloud security knowledge by reviewing all the key elements in the second domain of the CCSP common body of knowledge (CBK) — Cloud Data Security.

For more on the CCSP certification, check out our CCSP certification hub.



Mosimilolu Odusanya
Mosimilolu Odusanya

Mosimilolu (or 'Simi') works as a full-time cybersecurity consultant, specializing in privacy and infrastructure security. Outside of work, her passions includes watching anime and TV shows and travelling.