CCSP Domain 1:
Cloud Concepts, Architecture & Design

NIST Cloud Reference Architecture

Defines five major actors: Cloud Consumer, Cloud Provider, Cloud Auditor, Cloud Broker, Cloud Carrier. Each has distinct activities and responsibilities in the cloud ecosystem.

• Cloud Consumer — uses services; manages user access, data, applications (in IaaS/PaaS)
• Cloud Provider — provides service, manages infrastructure, handles physical security and hypervisor
• Cloud Auditor — conducts independent assessments of security controls and performance
• Cloud Broker — manages use, performance, and delivery from multiple CSPs
• Cloud Carrier — provides connectivity (network transport) between consumer and provider

CSA Enterprise Architecture

The Cloud Security Alliance EA provides a framework for secure cloud adoption across business, information, application, technology, and security layers. Aligns to the Open Group TOGAF and SABSA frameworks.

Logical vs. Physical Architecture

• Logical — abstract view: tenants, applications, APIs, services, virtual networks
• Physical — actual hardware: data centers, servers, network gear, storage arrays, power/cooling

Cryptography & Key Management

• Encryption at rest, in transit, and in use (confidential computing)
• Key management: HSM (Hardware Security Module), BYOK (Bring Your Own Key), HYOK (Hold Your Own Key)
• Cryptographic standards: FIPS 140-2 for module validation; AES-256, RSA-2048+, ECC

Identity and Access Control

• User access — MFA, SSO, least privilege, role-based access control (RBAC)
• Privileged access — PAM (Privileged Access Management), just-in-time access
• Service access — service accounts, API keys, OAuth, OIDC, federated identity

Data & Media Sanitization

• Overwriting — may not be feasible for cloud storage (shared, distributed media)
• Cryptographic Erase — destroy encryption keys rendering data permanently unreadable; preferred cloud method
• Physical destruction — not applicable to CSP-managed hardware

Network Security

• Security groups (virtual firewall), network ACLs, VPC segmentation
• Traffic inspection: IDS/IPS, WAF, Cloud-native security services
• Geofencing, geo-restriction of access and data residency
• Microsegmentation for zero trust architectures

Virtualization Security

• Hypervisor security — Type 1 (bare-metal) more secure than Type 2; patch aggressively
• Container security — image scanning, namespace isolation, no privileged containers
• Ephemeral computing — short-lived instances reduce attack surface; immutable infrastructure
• Serverless security — function-level permissions, event injection risks
• Isolation — logical separation between tenants is critical (multi-tenancy risk)

Common Cloud Threats

Security Hygiene

• Patching and vulnerability management at cloud scale
• Baselining and configuration management (CIS Benchmarks)
• Immutable architecture — replace don't patch in production
• Image hardening and golden AMIs / container images

Cloud Secure Data Lifecycle (6 Phases)

"Can Students Usually Score Above D?" → Create · Store · Use · Share · Archive · Destroy

• Create — data is generated; classify at creation
• Store — persist to storage; apply encryption and access controls
• Use — data in use (memory); confidential computing protects here
• Share — transmitted to users/systems; encrypt in transit (TLS)
• Archive — long-term storage; retention policies, regulatory holds
• Destroy — secure deletion / cryptographic erase; certificate of destruction

BC/DR in Cloud

• RTO (Recovery Time Objective) — how fast must you recover?
• RPO (Recovery Point Objective) — how much data loss is tolerable?
• Multi-region replication, failover, active-active vs. active-passive strategies
• Testing: tabletop, functional, full interruption exercises

BIA — Business Impact Analysis

• CBA (Cost-Benefit Analysis) — justify security investment vs. risk reduction value
• ROI — quantify security controls in financial terms
• Identify critical systems, data, dependencies, and impact of outages

Shared Responsibility Model

Cloud Design Patterns

• SANS Security Principles — least privilege, defense in depth, fail safe, complete mediation
• Well-Architected Framework — AWS/Azure/GCP pillars: security, reliability, performance, cost optimization, operational excellence
• CSA Enterprise Architecture — holistic cloud security reference for enterprise design
• Secure by Design — security integrated from the start, not bolted on

DevSecOps

• Integrate security into every phase of the CI/CD pipeline (shift left)
• Automated security testing: SAST, DAST, SCA in pipelines
• Infrastructure as Code (IaC) security scanning
• Security gates before deployment; immutable artifacts

Key Evaluation Criteria

• Compliance certifications and third-party audit reports
• Transparency: published security whitepapers, SLAs, data processing agreements
• Supply chain security: vendor due diligence, sub-processors

Key Certifications & Reports

Cloud Threat Detection & Analysis with AI/ML

• Behavioral analytics — baseline normal behavior; flag deviations as threats
• Anomaly detection — ML models identify outlier events in logs, network traffic, API calls
• UEBA (User and Entity Behavior Analytics) — monitor users AND systems for insider threats and compromised accounts
• AI-powered SIEM integration: real-time pattern matching at scale across cloud telemetry

Data Source Validation & Verification

• Training data integrity — validate that datasets used to train security AI models are uncontaminated
• Data poisoning prevention — adversarial manipulation of training data to bias model outputs
• Provenance tracking — know where training data came from; chain of custody for AI datasets
• Input validation for AI systems: sanitize inputs to prevent prompt injection and model manipulation

SOAR — Security Orchestration, Automation & Response

• Automated playbooks — predefined response workflows triggered automatically on security alerts
• AI-driven triage — prioritize incidents by severity, context, and business impact using ML
• Integrates SIEM, ticketing, threat intel, and remediation tools
• Reduces MTTR (Mean Time to Respond) by automating repetitive analyst tasks

Ethical Concerns

• Bias in AI security tools — models trained on biased data produce discriminatory or inaccurate threat scores
• Explainability (XAI) — security teams must understand why an AI flagged an event (black-box problem)
• Accountability — who is responsible when an AI security tool makes a wrong decision?
• Fairness — equitable application of AI-driven security controls across user populations

Regulatory Requirements

• EU AI Act — risk-based framework classifying AI systems (Unacceptable / High / Limited / Minimal risk); security-related AI may be classified high-risk
• NIST AI RMF (AI Risk Management Framework) — four functions: Govern, Map, Measure, Manage; voluntary U.S. framework for responsible AI
• Emerging AI governance — ISO/IEC 42001 (AI Management System), OECD AI Principles, national AI strategies