Skip to main content
  1. Posts/

I Just Wanted the Duo Power Badge and Stickers, But Cloud Security Hit Me Hard | My CCSP Exam Notes

·902 words·5 mins

Motivation|Why I Wanted CCSP After CISSP
#

Honestly, my reason for taking CCSP was very simple. I just wanted the Duo Power badge and stickers from the ISC2 Taipei Chapter.

I like collecting things. When I saw the CISSP + CCSP Duo Power badge, I felt a strong urge to collect it. Also, before I started studying, I kept hearing that CCSP overlaps about 70% with CISSP, and only adds 30% new cloud content. Because of these two reasons, right after Lunar New Year this year, I made a quick decision to prepare for the CCSP exam (in Simplified Chinese) at the end of April.

But once I actually started reading, I realized CCSP is not just traditional security moved to the cloud. It is more about thinking: “When a system is no longer fully yours, how should data be protected?”

Introduction|What Kind of Certification Is CCSP
#

CCSP is very different from technical certifications like AWS, Azure, or Google Cloud. It does not ask you how to configure a specific service, how to use a specific feature, or how to deploy a specific product. CCSP is not tied to any specific cloud product. Compared to a Cloud Engineer certification, CCSP focuses more on cloud governance and data protection.

Pre-exam Questions|Preparing for CCSP Without Cloud Experience
#

I am a penetration tester. I had no cloud technical experience, no cloud migration experience, no experience designing a multi-cloud architecture, and no real experience managing a cloud environment.

But having no cloud experience does not mean I had zero basic cloud knowledge. I had already passed CISSP and AWS CCP, so I was at least familiar with IaaS / PaaS / SaaS, the shared responsibility model, and some basic cloud concepts. Still, while preparing for CCSP, I clearly felt that my security mindset kept getting reshaped.

In the on-premises world, many things feel natural, because the server, the network, and the hypervisor all belong to you. So your security mindset naturally focuses on “how do I protect the system.”

But once you move into the cloud world, many things change. The infrastructure may not be yours, the hard drive is not yours, and sometimes you cannot even see the logs.

Many security practices that make sense on-premises do not work in the cloud. So your security mindset is forced to change. During this shift in thinking, I realized that the cloud content I once thought was “extra” is actually the key to building a real cloud security mindset, and to passing the CCSP exam.

For example, take data deletion:

  • In a traditional on-premises environment, if you need high-security data destruction, you can degauss the hard drive.

  • In the cloud, the hard drive belongs to the cloud provider. You can never actually get that hard drive, and you can never degauss it yourself. So in the cloud world, data deletion relies on crypto-shredding instead.

So cloud security is not about copying traditional security controls directly into the cloud. It is about redefining who is responsible for what, after responsibilities are split between you and the provider.

Preparation|Asking Myself Open-Ended Questions with AI
#

While preparing for CCSP, I did not do a huge number of practice questions. One reason is that the official OPT question bank did not feel updated. Another reason is that while doing practice questions, I noticed some questions seemed to focus on different points than what the Exam Outline actually wants to test.

So I changed my study method. Instead of just doing practice questions and checking answers, I read a chapter, then used AI to keep throwing open-ended scenarios at me. This forced me to think through the logic behind each topic. This approach was hard, but I think it was a very effective way to learn.

Example scenario 1 from AI:

Suppose your cloud server automatically restarts every day at 2 PM. The operations team responds very quickly, restoring service within 5 minutes after every restart. So their MTTR (Mean Time To Repair) metric looks great, and it seems like “incident management” is working well. However, from a Problem Management point of view, this is clearly a big failure. Why?

What should “Problem Management” aim for in this scenario? How is its goal fundamentally different from the goal of “Incident Management”?

Example scenario 2 from AI:

During an audit, you find that a company’s IRM (Information Rights Management) system is set to “no printing” and “expires after two weeks.” But employees complain that when they are offline on a flight, they cannot open confidential documents that are already downloaded onto their laptops.

Why does an IRM system usually require an active connection to enforce these permission controls? If the system did not require a connection, what kind of “control failure” could happen?

Conclusion|Final Thoughts After the Exam
#

I originally started preparing for CCSP just for the Duo Power badge and stickers. But the process of preparing changed how I think about security. The most valuable part of CCSP is that it forces you to shift your security mindset from “system-centered” to “data-centered,” and from “protecting the system” to “managing the relationship between data and the boundaries of responsibility.”