CCSP Certified Cloud Security Professional All-in-One - A Book Review
Posted on December 3, 2025 • 5 minutes • 1032 words
The Book and Authors
Certified Cloud Security Professional (CCSP) is a vendor-neutral certification from ISC2 that launched in 2015. Candidates must demonstrate five years of work experience related to cloud technologies and information systems.
Daniel Carter is a cybersecurity professional based in DC, US. He holds the CISSP and CCSP certifications. His book is available on Amazon.
Even though it is not an official CCSP study guide, the book still helps candidates cover the exam domains and prepare for the CCSP exam.
I’d like to thank Daniel Carter for his contribution to the defense in cyberspace.
I want to cite some points from his book.
The Citations
While the CCSP will in many cases complement other security certifications such as the CISSP, it can also serve as a first or stand-alone certification. (p.21)
It outlines the key characteristics of cloud computing, including on-demand self-service, broad network access, multitenancy, rapid elasticity and scalability, resource pooling, and measured service. (p.23)
Domain 2 also touches on some new and emerging technologies, such as homomorphic encryption, and the likely and important role they will play in the future of data security in general, and specifically within a cloud environment. (p.25)
With cloud computing used extensively to bridge organizations and provide services to large numbers and groups of users, identity and access management (IAM) is a crucial concept for the Cloud Security Professional to be well versed in. (p.27)
Software composition analysis (SCA) enables organizations to correctly identify any use of open source software within their code and ensure they are staying within the licensing requirements of it. (p.28)
Some of the most common legal impacts on any IT system or application are eDiscovery orders and requirements to produce records or data in response to a formal court order or request. (p.30)
Overall, risk can be accepted, avoided, transferred, or mitigated, or a combination of these approaches can be used. (p.30)
If the applications and systems are built in a way where they can be supported, elasticity can be automatically implemented such that the cloud provider, through programmatic means and based on predetermined metrics, can automatically scale the system by adding additional resources and can bill the customer accordingly. (p.42)
With many government contracts, there may be requirements that development teams or the hosting of systems and data be constrained within certain geographic or political borders. (p.48)
Humanized AI incorporates cognitive learning and responses as well as emotional intelligence, but then expands to also add social intelligence. With the addition of social intelligence, the artificial system becomes both aware of itself and self‑conscious as it processes interactions. (p.59)
The Cloud Security Professional must ensure that encryption methods provide high levels of security and protection and do so in a manner that facilitates high performance and system speed. (p.64)
Passwords should never be placed within the code or scripts of an application, as this code is often shared and accessible or can be read from other systems. (p.68)
Many organizations that move computing resources to the cloud lack the staffing and expertise to properly track and verify that cloud resources are being used in an appropriate manner. (p.77)
However, when properly configured and monitored, auto‑scaling is very possible, and the full benefits of PaaS can be realized in an efficient manner. (p.85)
The SABSA official website can be found at www.sabsa.org. SABSA provides a group of components, listed next, that can be used in part or in whole as an approach to security architecture for any system: Business Requirements Engineering Framework (Attributes Profiling), Risk and Opportunity Management Framework, Policy Architecture Framework, Security Services‑Oriented Architecture Framework, Governance Framework, Security Domain Framework, and Through‑Life Security Service Management and Performance Management Framework. (p.90)
Apart from ITIL’s use within the cloud security realm, learning ITIL or even getting ITIL certification would be a smart consideration for any security professional. Many organizations in all sectors rely heavily on ITIL principles, and therefore ITIL certification would add a lot to the overall résumé of a security professional. (p.90)
The ITIL is a collection of papers and concepts that lay out a vision for IT Service Management (ITSM). It is essentially a collection of best practices to give companies of all sizes, but more targeted toward large companies, a framework for providing IT services and user support. ITIL can be found at https://www.axelos.com/best-practice-solutions/itil. Five main publications form the core of ITIL. (p.90)
TOGAF is meant to be an open enterprise architecture model that offers a high‑level design approach. It is intended to provide a common framework for architecture design that teams can leverage for a standardized approach. It helps teams avoid common pitfalls, proprietary lock‑in, and communication problems during design and implementation phases as well as throughout the lifecycle of a system. TOGAF, which can be found at www.opengroup.org/subjectareas/enterprise/togaf, addresses the following four critical areas: common language and communications; standardizing on open methods and technologies to avoid proprietary lock‑in; utilizing resources more effectively and efficiently to save money; and demonstrating return on investment. (p.91)
eDiscovery is the process of searching, identifying, collecting, and securing electronic data and records, to ultimately be used in either criminal or civil legal proceedings. (p.291)
Special care should be taken to not schedule audits or testing for busy times of the year for the organization or during peak usage times. (p.314)
The willingness of management to take and accept strategic risks forms the organization’s risk appetite, which is the overall culture of security and how much allowance there is for using specific systems and services when coupled with the classification of data that is being used. (p.323)
In 2012, the European Network and Information Security Agency (ENISA) published a general framework for risk management in regard to cloud computing titled “Cloud Computing: Benefits, Risks, and Recommendations for Information Security.” (p.327)
To be effective, risk management must be fully integrated and efficient in providing information and analysis; it cannot slow down the processes or business of an organization. (p.328)
It is essential to consider the impact and risk of human elements as well. To instill confidence in staff, users, and customers, an organization’s risk management processes and policies should be transparent and visible. (p.328)
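The p.68 citation above (passwords must never be placed in application code or scripts) is the one point in this list that maps directly onto code. The following is an added example, not code from the book, its author, or this review: a snippet with an embedded database password beside a hardened variant that reads the credential from the environment at run time, plus a small scanner that tells the two apart and a loader that fails closed when the secret is absent. The snippets, the variable name DB_PASSWORD, the placeholder list and the regular expression are all assumptions constructed for illustration.

```python
"""Hard-coded credential check: an added example, not code from the book.

It pairs a snippet with an embedded password, a hardened variant that reads
the secret at run time, and a small scanner that tells the two apart.
All names, snippets and patterns here are constructed for illustration.
"""
import os
import re
from typing import List, Mapping, Optional, Tuple

# Constructed "before" snippet: the password is a literal in the source,
# so anyone who can read the repository or the deployed artifact has it.
VULNERABLE_SNIPPET = '''\
import psycopg2
DB_PASSWORD = "Sup3rS3cret!"          # hard-coded secret
conn = psycopg2.connect(host="db.internal", user="app", password=DB_PASSWORD)
'''

# Constructed "after" snippet: the same connection, with the credential
# supplied by the runtime environment (or a secret manager that fills it).
HARDENED_SNIPPET = '''\
import os, psycopg2
conn = psycopg2.connect(host="db.internal", user="app",
                        password=os.environ["DB_PASSWORD"])
'''

# Identifier fragments that usually name a credential (assumed list).
_SECRET_NAME = r"pass(?:word|wd)?|secret|token|api[_-]?key|private[_-]?key"

# An assignment or key/value pair whose name contains one of those fragments
# and whose right-hand side is a quoted literal of at least four characters.
# Group 1 is the identifier, group 2 the literal. Unquoted values (e.g. a
# reference to os.environ) deliberately do not match.
_LITERAL_SECRET = re.compile(
    rf"(?i)\b(\w*(?:{_SECRET_NAME})\w*)\s*[:=]\s*['\"]([^'\"]{{4,}})['\"]"
)

# Literals that are obviously placeholders rather than real credentials.
_PLACEHOLDERS = {"changeme", "password", "example", "<redacted>", "xxxx"}


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, identifier, literal) for each suspicious line."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = _LITERAL_SECRET.search(line)
        if match is None:
            continue
        name, literal = match.group(1), match.group(2)
        if literal.lower() in _PLACEHOLDERS:
            continue
        findings.append((lineno, name, literal))
    return findings


def load_db_password(env: Optional[Mapping[str, str]] = None) -> str:
    """Read the credential at run time and fail closed if it is missing.

    `env` defaults to the process environment; a mapping can be passed in
    for tests. The variable name DB_PASSWORD is an assumption of this example.
    """
    if env is None:
        env = os.environ
    value = env.get("DB_PASSWORD", "")
    if not value:
        raise RuntimeError("DB_PASSWORD is not set; refusing to start")
    return value


if __name__ == "__main__":
    samples = (("vulnerable", VULNERABLE_SNIPPET), ("hardened", HARDENED_SNIPPET))
    for label, snippet in samples:
        hits = find_hardcoded_secrets(snippet)
        print(f"{label}: {len(hits)} finding(s)")
        for lineno, name, literal in hits:
            # Never echo the literal itself into logs; report its length only.
            print(f"  line {lineno}: {name} assigned a {len(literal)}-char literal")
```

Run as a script, the scanner reports one finding for the vulnerable snippet (line 2, `DB_PASSWORD`) and none for the hardened one. A check like this belongs in pre-commit or CI; it only catches quoted literals next to credential-looking names, so it complements rather than replaces a dedicated secret scanner and a secret manager.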