Preface

Cloud computing has transformed how organizations build, deploy, and secure their digital ecosystems. As enterprises shift from traditional data centers to API-driven, distributed cloud environments, the need for strong architectural principles and security frameworks becomes paramount. CCSP Domain 1 lays the foundation for understanding this transformation by defining the essential concepts, roles, technologies, and design considerations that govern secure cloud adoption.

This domain introduces the core elements of cloud computing—from NIST characteristics and service models to emerging technologies like containers, serverless, and edge computing. It emphasizes the importance of shared responsibility, secure design patterns, and well-engineered architectures that align with business objectives. It also guides professionals in evaluating cloud service providers, assessing risks, and ensuring compliance through internationally recognized certifications such as Common Criteria (CC) and FIPS 140-2/3.

Ultimately, Domain 1 prepares security practitioners to navigate the complexities of cloud environments with clarity and confidence. It equips them with the foundational knowledge needed to build resilient, scalable, and compliant cloud architectures that can withstand modern threats and support future technological evolution.

1.1 – Understand Cloud Computing Concepts

Cloud Computing Definitions

• Cloud computing delivers computing resources (compute, storage, network, applications) over the Internet on a pay-as-you-go model.
• It relies on shared, scalable, virtualized resources with minimal management effort from the customer.
• NIST defines it by characteristics such as broad access, rapid elasticity, on-demand service, and resource pooling.
• Cloud centralizes management, improves agility, and reduces upfront capital expenses.

Cloud Computing Roles & Responsibilities

Cloud Service Customer (CSC)

• Uses cloud services and manages data, user access, and certain security controls.
• Responsible for configuration, identity, and workload security depending on the model.

Cloud Service Provider (CSP)

• Delivers cloud infrastructure, platforms, or applications.
• Responsible for physical security, underlying hardware, and shared infrastructure.

Cloud Service Partner

• Offers integration, consulting, managed security, or migration services.
• Acts as an intermediary improving adoption and governance.

Cloud Service Broker

• Aggregates, manages, and negotiates cloud services from multiple providers for customers.
• Adds value through standardization, cost optimization, and centralized control.

Regulator

• Ensures compliance with legal, industry, and jurisdictional requirements.
• Imposes standards like GDPR, HIPAA, RBI, PCI DSS, etc.

Key Cloud Characteristics

On-Demand Self-Service

• Customers provision compute/storage resources automatically without human intervention.
• Increases agility and speeds up delivery.

Broad Network Access

• Services are accessible via standard mechanisms (web, API) across devices and networks.
• Enables mobile, distributed, and global access.

Resource Pooling / Multi-Tenancy

• CSP infrastructure is shared across multiple customers with logical isolation.
• Increases efficiency but introduces isolation and side-channel risks.

Rapid Elasticity & Scalability

• Resources automatically scale up/down to meet workload demands.
• Supports business continuity and cost control.

Measured Service

• Cloud usage is monitored, metered, and billed transparently.
• Enables cost optimization and usage accountability.

Building Block Technologies

Virtualization

• Abstracts physical hardware into virtual machines, enabling multi-tenancy and isolation.
• Foundation for cloud scalability and dynamic provisioning.

Storage Technologies

• Includes object storage, block storage, and file storage.
• Supports distributed, durable, and cost-efficient data management.

Networking

• Uses SDN, virtual routing, peering, and load balancing.
• Ensures secure, resilient communication between cloud components.

Databases

• Cloud-native databases (NoSQL, managed SQL, serverless DBs) provide elasticity and high availability.
• Offloads patching, optimization, and scaling to CSP.

Orchestration

• Automates provisioning, scaling, patching, and workload management.
• Tools like Kubernetes, Terraform, and cloud orchestrators maintain consistency and security.

1.2 – Cloud Reference Architecture

Cloud Computing Activities

• Activities include provisioning, deployment, monitoring, scaling, and security enforcement.
• CSPs manage physical infrastructure, while customers focus on applications and data.
• Workflows are automated using APIs, orchestration engines, and self-service portals.
• Activities ensure service delivery meets SLAs, compliance, and operational goals.

Cloud Service Capabilities

Application Capabilities (SaaS)

• Deliver full applications accessible via browser or API.
• CSP handles updates, security, infrastructure, and scaling.

Platform Capabilities (PaaS)

• Provide runtimes, databases, developer tools, and managed services.
• Users focus on code; CSP manages infrastructure and OS.

Infrastructure Capabilities (IaaS)

• Provide VMs, virtual networks, storage, and cloud hardware.
• Gives maximum flexibility but increases customer responsibility.

Cloud Service Categories (SaaS, PaaS, IaaS)

• SaaS: CSP manages everything; user controls only data and access.
• PaaS: CSP manages platform; customer manages applications and identities.
• IaaS: CSP provides hardware; customer manages OS, apps, and all configurations.
• Clear understanding prevents misconfigurations—the top cause of cloud breaches.

Cloud Deployment Models

Public Cloud

• Shared infrastructure, most scalable, cost-efficient, and highly flexible.
• Ideal for variable workloads and modern applications.

Private Cloud

• Dedicated infrastructure with stronger control and compliance.
• Higher cost but reduced risk and increased customization.

Hybrid Cloud

• Combines public and private environments for flexibility and data sovereignty.
• Enables workload mobility and DR options.

Community Cloud

• Shared by organizations with similar security or regulatory needs.
• Useful for government, banking, or healthcare groups.

Multi-Cloud

• Using multiple public cloud providers for resilience or vendor independence.
• Reduces lock-in but increases complexity and governance needs.

Cloud Shared Considerations

• Interoperability: Ability for systems across clouds to work together.
• Portability: Ability to move workloads with minimal redesign.
• Reversibility: Ability to exit or migrate from a CSP safely.
• Availability & Resiliency: Ensures uptime through redundancy and failover.
• Security & Privacy: Must align with shared responsibility and data laws.
• Performance: Latency, bandwidth, and workload optimization must be planned.
• Governance & Compliance: Ensures policy enforcement across distributed environments.
• Maintenance & Versioning: CSP handles updates; customers must adapt dependencies.
• SLA & Auditability: Defines service guarantees and enables transparency.
• Regulatory & Outsourcing: Requires diligence around data residency and vendor risk.

Impact of Related Technologies

Data Science, ML, AI

• Enhance analytics, automation, anomaly detection, and decision-making.
• Introduce privacy, model integrity, and data poisoning risks.

Blockchain

• Provides immutable, distributed ledgers for high-integrity workloads.
• Increases transparency but brings scalability challenges.

IoT

• Generates massive data streams requiring scalable cloud processing.
• Introduces endpoint security and network exposure risks.

Containers & Kubernetes

• Provide lightweight, portable, scalable deployment environments.
• Require strong image security and runtime controls.

Quantum Computing

• Can break existing cryptographic schemes in future.
• Drives need for quantum-safe encryption.

Edge Computing

• Moves compute closer to devices for low-latency processing.
• Requires distributed security and monitoring.

Confidential Computing

• Encrypts data while in use using hardware-backed secure enclaves.
• Mitigates insider and hypervisor compromise risks.

DevSecOps

• Integrates security early in development pipelines.
• Automates code scanning, secrets management, and policy-as-code.

1.3 – Security Concepts Relevant to Cloud Computing

Cryptography & Key Management

• Protects cloud data in transit, at rest, and in use through strong encryption.
• Customer and provider roles vary based on service model.
• Key management includes key creation, rotation, escrow, destruction, and auditing.
• Technologies: KMS, HSM, BYOK, HYOK, and cloud-native key vaults.

Identity & Access Control

User Access

• Includes authentication, MFA, federation, SSO, and least privilege.
• Strong identity hygiene prevents credential misuse.

Privileged Access Management (PAM)

• Protects admin accounts with JIT access, session recording, and strict approval.
• Reduces insider and compromise risks.

Service Access (Machine/Workload Identities)

• APIs, functions, microservices authenticate using tokens and certificates.
• Compromised machine identities can lead to full environment takeover.

Data & Media Sanitization

Overwriting

• Rewrites data on customer-managed storage to prevent recovery.
• Less common in cloud but used in IaaS-controlled environments.

Cryptographic Erase

1. Deletes encryption keys to render data inaccessible instantly.
2. Preferred in cloud due to lack of physical media access.

Network Security

Network Security Groups (NSG/Firewall)

• Control traffic using allow/deny rules at VM or subnet level.
• Implement micro-segmentation for isolation.

Traffic Inspection

• Uses IDS/IPS, WAF, DDoS filtering, and packet logging.
• Detects anomalies and malicious traffic patterns.

Geofencing

• Restricts access to specific geographic regions.
• Helps enforce compliance and reduce threat exposure.

Zero Trust Network

• Removes implicit trust; verifies each request continuously.
• Uses identity-aware routing, segmentation, and behavioral monitoring.

Virtualization Security

Hypervisor Security

• Protects against VM escape, side-channel attacks, and hypervisor compromise.
• Requires strict patching and isolation.

Container Security

• Ensures image integrity, secure registries, and runtime control via Kubernetes policies.
• Reduces drift with immutable images.

Ephemeral Computing

• Short-lived instances reduce persistence of malware and misconfigurations.
• Ideal for autoscaling clouds.

Serverless Security

• No servers to manage; security focuses on event triggers, IAM roles, and code dependencies.
• Requires tight control over APIs and data flows.

Common Threats

• Misconfigurations, insecure APIs, cross-tenant data exposure, stolen credentials, DDoS, and SSRF.
• Weak IAM and neglected monitoring are leading causes of cloud breaches.
• Multi-tenancy and API-driven environments expand the attack surface.

Security Hygiene

Patching

• Regular updates prevent exploitation of known vulnerabilities.
• CSP patches infrastructure; customers patch workloads and containers.

Baselining

• Sets a secure configuration standard for cloud resources.
• Prevents drift and enforces compliance across environments.

1.4 – Design Principles of Secure Cloud Computing

Cloud Secure Data Lifecycle

• Six stages: Create → Store → Use → Share → Archive → Destroy.
  
• Each stage requires encryption, tagging, access control, logging, and monitoring.
  
• Cloud adds responsibilities like classification, backup integrity, and multi-region governance.
  
• Proper lifecycle control ensures compliance and reduces exposure.

Cloud-Based BC/DR Plan

• BC focuses on uninterrupted operations; DR focuses on recovery after failures.
• Cloud enables multi-AZ/region architectures, automated failover, and replication.
• Key parameters: RPO, RTO, failback strategy, and backup validation.
• Regular DR testing ensures resilience against CSP outages or regional disasters.

Business Impact Analysis (BIA)

• Identifies critical processes, dependencies, downtime tolerance, and financial impact.
• Cloud BIAs include CSP reliability, network dependencies, and data sovereignty.
• Results inform RTO/RPO decisions and guide resilience investment planning.
• ROI and cost-benefit analysis justify the level of redundancy required.

Functional Security Requirements

• Portability: Ability to move workloads across providers with minimal effort.
• Interoperability: Ability for different cloud APIs, tools, and platforms to communicate.
• Vendor Lock-In: Dependency on proprietary tools increases long-term cost and risk.
• Using open standards, containers, and IaC frameworks reduces future migration challenges.

Security Responsibilities Across Cloud Service Models

SaaS

• Provider manages application and platform; customer manages access and data governance.

PaaS

• Provider manages runtime, OS, and platform; customer manages code and identity.

IaaS

• Provider manages physical layer; customer manages OS, network, and applications.
• Clear division of responsibilities prevents misconfigurations and compliance gaps.

Cloud Design Patterns

SANS Security Principles

• Defense-in-depth, least privilege, separation of duties, and secure defaults.
• Provides fundamental security building blocks.

Well-Architected Framework (AWS/Azure/GCP)

• Covers identity, detection, data protection, resilience, and infrastructure security.
• Ensures cloud architectures are secure, reliable, efficient, and cost-optimized.

CSA Enterprise Architecture

• Provides a cloud-specific model aligning business, governance, and technology domains.
• Helps design secure, compliant cloud solutions.

DevOps Security / DevSecOps

• Integrates security early in CI/CD pipelines: code scanning, testing, secrets management.
• Automates compliance using policy-as-code and infrastructure-as-code validation.
• Reduces vulnerabilities and improves speed of secure releases.
• Ensures continuous security alongside continuous delivery.

1.5 – Evaluate Cloud Service Providers

1. Common Criteria (CC)

Common Criteria (ISO/IEC 15408) is an international framework for evaluating the security functionality and assurance of IT products (hardware, software, systems).
It provides a standardized, repeatable method to determine how secure a product truly is.

1.1 Goals of Common Criteria

• Provide internationally recognized assurance that a product meets specific security requirements.
• Allow vendors to define what security features their product offers and how they are evaluated.
• Support global procurement by harmonizing security certification.
• Help customers compare products based on verified assurance levels.

1.2 Core Components of CC

Let’s break them down:

1. Protection Profile (PP)

• A generic, reusable set of security requirements for a product category.
• Example: “PP for Firewalls”, “PP for Smartcards”, etc.
• Not vendor-specific; defines what security capabilities are expected from that type of product.

2. Security Target (ST)

• A vendor-specific document defining the product’s security claims.
• Includes:
  • Product description
  • Threats addressed
  • Security requirements
  • Assurance measures
• Evaluation is done against the ST.

3. Evaluation Assurance Levels (EAL 1–7)

These levels measure depth and rigor of testing.

✔ EAL 1 – Functionally Tested

• Minimal assurance; basic testing.
• For low-risk environments.

✔ EAL 2 – Structurally Tested

• Requires documentation and configuration management.

✔ EAL 3 – Methodically Tested & Checked

• Requires development environment maturity and systematic testing.

✔ EAL 4 – Methodically Designed, Tested, Reviewed

• Most common in commercial products.
• Balanced cost vs. assurance.

✔ EAL 5 – Semi-formally Designed & Tested

• Stronger engineering oversight and rigorous testing.

✔ EAL 6 – Semi-formally Verified, Designed & Tested

• Used for high-risk systems (intelligence or military components).

✔ EAL 7 – Formally Verified, Designed & Tested

• Highest assurance, mathematically proven.
• Extremely expensive and rare.

1.3 CC Evaluation Process (All Stages)

Stage 1 — Preparation

• Vendor prepares the Security Target (ST).
• Selects applicable Protection Profiles (PP).

Stage 2 — Evaluation Planning

• Evaluation lab reviews ST and evaluation scope.
• Defines testing approach based on EAL level.

Stage 3 — Documentation Review

• Review of ST, design documentation, architecture, and security functions.
• Ensures all claims are consistent and testable.

Stage 4 — Testing & Analysis

• Evaluators perform:
  • Vulnerability analysis
  • Penetration testing
  • Functional testing
  • Architecture review
  • Configuration review

Stage 5 — Assurance Evaluation

• Assessment of:
  • Development environment
  • Supply chain security
  • Change control
  • Testing procedures
  • Life-cycle support

Stage 6 — Certification

• Certification body reviews evaluation report.
• Product is granted a recognized CC certification.
• Certificate listed in global CCS/CEM databases.

Why Common Criteria Matters in Cloud

• Customers rely on CC-certified components like hypervisors, firewalls, HSMs, and network devices.
• Helps ensure cloud infrastructure meets recognized security standards.
• Useful for regulated sectors: defense, banking, government.

FIPS 140-2 / 140-3 Certification (Cryptographic Modules)

FIPS 140 is a U.S. and Canadian government standard for certifying cryptographic modules.
Used for cloud services, hardware security modules (HSMs), libraries, and encryption appliances.

2.1 What FIPS Certifies

FIPS 140 certifies:

• Encryption algorithms
• Cryptographic libraries (OpenSSL, KMS modules)
• Hardware Security Modules (HSMs)
• Key generation mechanisms
• Random number generators
• Key storage and tamper protection

2.2 FIPS 140 Security Levels (1–4)

✔ FIPS Level 1 — Basic Security

• Software-only encryption allowed.
• Minimal physical security.
• Entry-level compliance (e.g., software crypto libraries).

✔ FIPS Level 2 — Tamper-Evident

• Tamper-evident seals or coatings required.
• Role-based authentication needed.
• Used in many cloud HSM services.

✔ FIPS Level 3 — Tamper-Resistant

• Strong protection against physical access and extraction.
• Identity-based authentication.
• Keys erased upon tamper detection.
• Used in higher-security HSMs (banking, military).

✔ FIPS Level 4 — Highest Level

• Protects against environmental attacks (voltage, temperature).
• Modules can self-destruct or zeroize keys if attacked.
• Rare; military and government use.

2.3 FIPS Evaluation Modules

Certifications cover 11 areas including:

1. Cryptographic Module Specification
2. Roles, Services & Authentication
3. Finite State Model
4. Physical Security
5. Operational Environment
6. Cryptographic Key Management
7. Self-tests
8. Design Assurance
9. Mitigation of Attacks
10. EMI/EMC
11. Software/Firmware Security

2.4 FIPS 140 Evaluation Stages

Stage 1 — Submission

• Vendor submits module to a NIST-accredited Cryptographic Module Testing Lab.

Stage 2 — Documentation Review

• Lab reviews:
  • Security Policy
  • Architecture
  • Key management approach
  • Module boundaries

Stage 3 — Algorithm Testing

• All encryption algorithms are tested under:
  • AES
  • RSA
  • ECC
  • SHA
  • DRBG (random generation)
• Must use NIST-approved algorithms only.

Stage 4 — Functional Testing

• Tests for roles, key lifecycle, authentication, configuration, and operation modes.
• Validates proper self-tests and error-handling.

Stage 5 — Physical Security Testing (Levels 2–4)

• Inspects tamper-evidence, tamper resistance, environmental protection.
• Includes attempts to breach casing, extract keys, or alter hardware.

Stage 6 — Attacks & Resistance

• Lab tests known attack vectors:
  • Side-channel attacks
  • Fault injection
  • Power analysis
  • Timing attacks

Stage 7 — Certification

• Lab submits detailed report to NIST/CMVP.
• Module listed in the official NIST FIPS 140-2/3 Validated Modules List.

Why FIPS Matters in Cloud

• Ensures cryptography used by CSPs is strong, validated, and tamper-resistant.
• AWS CloudHSM, Azure Key Vault, and Google Cloud KMS rely on FIPS-certified modules.
• Mandatory in regulated industries:
  • Government
  • Defense
  • Financial institutions
  • Healthcare (HIPAA encryption)

Exam Crams

1. Know NIST cloud traits: On-demand, Access, Pooling, Elasticity, Measured service.
2. Multi-tenancy risk → Isolation + hypervisor/container hardening.
3. Shared responsibility: SaaS = provider, IaaS = customer, PaaS = shared.
4. IAM first: MFA, least privilege, RBAC/ABAC, JIT, API key hygiene.
5. Crypto: KMS vs HSM, rotation, separation, cryptographic erase.
6. Secure Data Lifecycle: Create → Store → Use → Share → Archive → Destroy.
7. Network: SG/NSG, WAF, ZTNA, microsegmentation, encrypted transit.
8. Virtualization: Image scanning, hypervisor security, serverless config.
9. BC/DR via multi-region, snapshots, RTO/RPO alignment.
10. Key standards: ISO 27017, CC (EAL1–EAL7), FIPS 140-2/3.

Conclusion

Domain 1 establishes the foundational knowledge required to understand how cloud environments operate and how they should be secured. It connects cloud architecture, service models, emerging technologies, and shared responsibility into a cohesive security framework.

Mastery of this domain ensures professionals can evaluate cloud providers, design resilient architectures, and apply the correct controls at every layer of the cloud stack. With a deep understanding of these principles, practitioners are well prepared to support secure cloud transformation and make informed decisions that align with business, compliance, and risk objectives.