Cloud Architecture and Reference Models
CCSP uses the CSA (Cloud Security Alliance) reference architecture alongside NIST definitions. Service models: IaaS (you manage OS, middleware, applications, data — provider manages hardware and hypervisor), PaaS (you manage applications and data — provider manages everything else), SaaS (you manage identity, access, and data classification — provider manages the application). Deployment models: public cloud (shared infrastructure, multi-tenant), private cloud (dedicated infrastructure, single-tenant — higher cost, higher control), community cloud (shared by organisations with common requirements — government, healthcare), hybrid cloud (interconnected public and private, data portability and workload flexibility). CCSP exam emphasis: multi-tenancy risks (logical isolation failures, noisy neighbour effects), hypervisor security (Type 1 hypervisor = bare metal, smaller attack surface; Type 2 = hosted on OS, larger attack surface), and the trade-off between elasticity and security control.
Data Security and Classification in the Cloud
Data security is the heart of CCSP. Data classification: categorise data by sensitivity (public, internal, confidential, restricted) and regulatory classification (PII, PHI, PCI data, ITAR-controlled). Data states: data at rest (storage — encrypt with AES-256, manage keys with HSM or cloud KMS), data in transit (network — TLS 1.2+ minimum, TLS 1.3 preferred), data in use (processing — confidential computing using Intel SGX or AMD SEV creates encrypted enclaves). Data lifecycle management: Create, Store, Use, Share, Archive, Destroy — security controls apply differently at each stage. Data residency and sovereignty: GDPR requires EU citizen data to remain in the EU unless adequacy agreements exist; other jurisdictions have similar requirements. Data tokenisation replaces sensitive data with non-sensitive tokens in applications, reducing PCI DSS scope. Data masking shows partial or fictitious data in non-production environments.
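The tokenisation and masking points above, as an added worked example (not CCSP material or any vendor's code): a small in-memory token vault that keeps the PAN out of the application, plus a static masking function for non-production data. The sample card number, the "payment-processor" role name and the vault itself are constructed for the illustration; a real deployment would back the vault with an HSM or cloud KMS and an audited access path.

```python
import secrets
import string

# Constructed sample: a widely used test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(number: str) -> bool:
    """Luhn checksum, so the vault only accepts values shaped like a card number."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory tokenisation vault (illustrative only).

    Applications keep the token; the PAN lives only here, so only the vault
    and the systems entitled to detokenise remain in PCI DSS scope.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("input is not a well-formed PAN")
        if pan in self._token_by_pan:        # deterministic: same PAN -> same token
            return self._token_by_pan[pan]
        while True:
            # Random digits, last four preserved so support staff can confirm a card.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only an entitled role may recover the PAN; everything else is refused."""
        if caller_role != "payment-processor":   # hypothetical role name
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._pan_by_token[token]


def mask_pan(pan: str) -> str:
    """Static masking for non-production: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


def demo() -> dict:
    """Tokenise, attempt an unauthorised detokenise, recover as the entitled role, mask."""
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN)
    try:
        vault.detokenize(token, "analyst")
        analyst_blocked = False
    except PermissionError:
        analyst_blocked = True
    return {
        "token_differs": token != SAMPLE_PAN,
        "token_keeps_last4": token[-4:] == SAMPLE_PAN[-4:],
        "token_is_stable": vault.tokenize(SAMPLE_PAN) == token,
        "analyst_blocked": analyst_blocked,
        "processor_recovers_pan": vault.detokenize(token, "payment-processor") == SAMPLE_PAN,
        "masked": mask_pan(SAMPLE_PAN),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting: the token is stable for a given PAN (so repeat-customer analytics still work on tokens) but carries no information beyond the last four digits, while the mapping and the role check live only in the vault.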
Cloud Identity and Access Management
IAM in the cloud is more complex than on-premises because identities span multiple systems: human users, service accounts, API keys, and machine identities (EC2 instance roles, managed identities). Federated identity: SAML 2.0 (XML-based, used for enterprise SSO to cloud applications), OAuth 2.0 (delegated authorisation — grants access tokens, not identity tokens), OIDC (adds identity layer on top of OAuth 2.0 — returns ID token with user claims), SCIM (System for Cross-domain Identity Management — automates user provisioning and deprovisioning). Cloud IAM principles: least privilege (use fine-grained policies, not broad admin roles), just-in-time access (elevate permissions only when needed, revoke after use — AWS IAM Identity Center, Azure PIM), service account hygiene (rotate keys, disable unused accounts, avoid sharing credentials). CCSP specifically tests entitlement management: provisioning, deprovisioning, and attestation workflows.
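The OIDC point above (an ID token carries user claims that the relying party must verify, unlike an OAuth 2.0 access token), as an added worked example rather than code from the CCSP material or any identity provider: the checks a relying party performs on an ID token, run against a token minted locally. To stay offline the example signs with HS256 and a shared secret; real providers sign with asymmetric keys published through a JWKS endpoint. The issuer URL, client id, nonce, secret and fixed clock are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the walk-through (assumptions, not from any real provider).
SECRET = b"shared-secret-for-demo-only"
ISSUER = "https://idp.example"
CLIENT_ID = "my-web-app"
NONCE = "n-8f3c2a"
NOW = 1_700_000_000          # fixed clock so results are reproducible


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the identity provider: emit an HS256-signed JWT carrying the claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                      nonce: str, now: int) -> dict:
    """Relying-party checks an OIDC client must perform before trusting the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_unb64url(h_b64))
    if header.get("alg") != "HS256":          # never accept "none" or an alg you did not configure
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_unb64url(p_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: possible replay")
    if "sub" not in claims:
        raise ValueError("no subject: this is not an identity token")
    return claims


def _rejected(fn) -> bool:
    try:
        fn()
    except ValueError:
        return True
    return False


def demo() -> dict:
    claims = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "exp": NOW + 300,
              "iat": NOW, "nonce": NONCE, "email": "alice@example.com"}
    token = mint_id_token(claims, SECRET)
    # Tampered token: a re-encoded payload attached to the original signature.
    forged_payload = mint_id_token({**claims, "sub": "mallory"}, SECRET).split(".")[1]
    forged = ".".join([token.split(".")[0], forged_payload, token.split(".")[2]])
    other_client = mint_id_token({**claims, "aud": "someone-else"}, SECRET)
    return {
        "subject": validate_id_token(token, SECRET, ISSUER, CLIENT_ID, NONCE, NOW)["sub"],
        "tampered_rejected": _rejected(lambda: validate_id_token(forged, SECRET, ISSUER, CLIENT_ID, NONCE, NOW)),
        "wrong_audience_rejected": _rejected(lambda: validate_id_token(other_client, SECRET, ISSUER, CLIENT_ID, NONCE, NOW)),
        "expired_rejected": _rejected(lambda: validate_id_token(token, SECRET, ISSUER, CLIENT_ID, NONCE, NOW + 600)),
    }


if __name__ == "__main__":
    print(demo())
```

The audience check is the one most often skipped: a token that is validly signed by the right issuer but issued for a different client must still be refused, otherwise one application's tokens log users into another.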
Cloud Infrastructure and Network Security
Cloud network security uses virtual constructs that mirror physical ones. VPC / VNet: isolated virtual network with subnets, route tables, and internet gateways. Security groups: stateful firewall at the instance level (allow rules only, return traffic automatically permitted). Network ACLs: stateless firewall at the subnet level (explicit allow AND deny rules, both directions required). Transit Gateway and VPC peering: connect multiple VPCs — peering is non-transitive (A-B and B-C does not give A-C connectivity). Cloud WAF: layer 7 filtering for web applications — rules for OWASP Top 10, rate limiting, bot management, geo-blocking. DDoS protection: cloud-native services (AWS Shield Standard/Advanced, Azure DDoS Protection) absorb volumetric attacks at the network edge. Microsegmentation: apply security group rules between workloads within the same VPC to limit east-west lateral movement.
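The security-group versus network-ACL distinction above, as an added worked example (not from the CCSP material or any cloud provider's code): a small Python model of stateful filtering with connection tracking beside stateless numbered allow/deny rules. The packet fields, rule shapes and the addresses 203.0.113.10 and 198.51.100.0/24 are constructed for the illustration; the behaviour modelled is the generic one the notes describe, not any provider's exact implementation.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str     # "in" = towards the instance, "out" = leaving it
    proto: str         # "tcp" or "udp"
    remote_ip: str     # the other endpoint
    remote_port: int
    local_port: int    # port on the instance


@dataclass
class Rule:
    direction: str
    proto: str
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"    # network ACLs also carry "deny"; security groups only allow
    number: int = 0          # network ACL evaluation order, lowest first

    def matches(self, p: Packet) -> bool:
        # Rule ports describe the destination port: the instance's port for inbound
        # traffic, the remote service port for outbound traffic.
        port = p.local_port if p.direction == "in" else p.remote_port
        return (self.direction == p.direction and self.proto == p.proto
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(p.remote_ip) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Stateful: allow rules only; a permitted flow is remembered so its return traffic passes."""

    def __init__(self, rules: list[Rule]) -> None:
        self.rules = [r for r in rules if r.action == "allow"]
        self._tracked: set[tuple] = set()

    def evaluate(self, p: Packet) -> bool:
        flow = (p.proto, p.remote_ip, p.remote_port, p.local_port)   # same key in both directions
        if flow in self._tracked:
            return True
        if any(r.matches(p) for r in self.rules):
            self._tracked.add(flow)
            return True
        return False


class NetworkAcl:
    """Stateless: numbered allow/deny rules, first match wins, implicit deny, no flow memory."""

    def __init__(self, rules: list[Rule]) -> None:
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, p: Packet) -> bool:
        for r in self.rules:
            if r.matches(p):
                return r.action == "allow"
        return False


def demo() -> dict:
    web = "203.0.113.10"                              # constructed address (TEST-NET-3)
    request = Packet("out", "tcp", web, 443, 50000)   # instance opens HTTPS to the web server
    reply = Packet("in", "tcp", web, 443, 50000)      # server answers to the ephemeral port

    sg = SecurityGroup([Rule("out", "tcp", 443, 443, "0.0.0.0/0")])
    fresh_sg = SecurityGroup([Rule("out", "tcp", 443, 443, "0.0.0.0/0")])

    # Only the outbound rule: the reply falls through to the implicit deny.
    nacl_missing_return = NetworkAcl([Rule("out", "tcp", 443, 443, "0.0.0.0/0", number=100)])
    # Corrected version: explicit inbound allow for the ephemeral range, plus a deny
    # with a lower number that wins over the broader allow for one source range.
    nacl_fixed = NetworkAcl([
        Rule("in", "tcp", 0, 65535, "198.51.100.0/24", action="deny", number=50),
        Rule("in", "tcp", 1024, 65535, "0.0.0.0/0", number=100),
        Rule("out", "tcp", 443, 443, "0.0.0.0/0", number=100),
    ])
    blocked_source = Packet("in", "tcp", "198.51.100.7", 443, 50000)

    return {
        "sg_request": sg.evaluate(request),
        "sg_reply": sg.evaluate(reply),
        "sg_unsolicited_inbound": fresh_sg.evaluate(reply),
        "nacl_request": nacl_missing_return.evaluate(request),
        "nacl_reply_without_ephemeral_rule": nacl_missing_return.evaluate(reply),
        "nacl_reply_with_ephemeral_rule": nacl_fixed.evaluate(reply),
        "nacl_deny_wins_by_number": nacl_fixed.evaluate(blocked_source),
    }


if __name__ == "__main__":
    print(demo())
```

The exam point the model makes concrete: the same outbound HTTPS request succeeds under both constructs, but only the security group lets the reply back in without a rule of its own, while the network ACL needs an explicit inbound allow for the ephemeral port range and orders its deny rules by number.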
Cloud Security Operations, Compliance, and Legal
Cloud compliance requires understanding the shared responsibility model for each framework. ISO 27017 extends ISO 27001 for cloud-specific controls. CSA STAR certification: Cloud Security Alliance's cloud-specific assurance programme — Level 1 (self-assessment), Level 2 (third-party audit), Level 3 (continuous monitoring). Forensics in the cloud: legal challenges arise because you do not own the hardware — you cannot image a hypervisor or a shared storage array. Cloud forensics relies on logs (CloudTrail, Azure Monitor, GCP Audit Logs), snapshots, and API call records. Evidence preservation: place a legal hold on snapshots and logs immediately; coordinate with provider through legal channels. eDiscovery in cloud: understand contract terms for data access and export; multi-tenant environments complicate data separation. CCSP legal topics: data breach notification laws (GDPR 72-hour notification, US state laws vary), jurisdiction and choice of law in cloud contracts, right to audit provisions.