Module 1: Cloud Computing Definitions and Roles
When the CCSP exam tests cloud computing definitions and roles, it is not asking you to recite NIST SP 800-145. It is asking you to identify which party carries responsibility in a specific scenario and why. The exam expects you to think in terms of accountability, not vocabulary.
Why Definitions Matter on the Exam
Many candidates walk into the CCSP assuming definition questions will be easy recall. They are not. The exam uses cloud computing definitions as the foundation for scenario questions about responsibility, risk ownership, and contractual obligations. If you cannot precisely distinguish between a cloud provider, a cloud customer, a cloud broker, and a cloud carrier, you will misassign responsibility in more complex questions later.
The CCSP follows the NIST definitions closely, but the exam tests your ability to apply them. You need to know not just what each role is, but what each role is accountable for when something goes wrong.
The NIST Cloud Definition — Exam Lens
NIST SP 800-145 defines cloud computing through five essential characteristics, three service models, and four deployment models. You will see these in later modules. For now, understand the core definition: cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
The exam loves to test the boundaries of this definition. If a question describes a scenario where resources are not shared, provisioning takes weeks, or significant manual intervention is required, the correct answer may be "this is not cloud computing." Do not force every IT scenario into a cloud box.
Cloud Roles — Who Is Accountable?
Cloud Service Provider (CSP)
The entity that makes cloud services available. On the exam, the CSP is responsible for the infrastructure it manages, but its responsibility boundary shifts depending on the service model. In IaaS, the CSP manages physical infrastructure and hypervisors. In SaaS, the CSP manages nearly everything. The exam will test whether you can correctly place the responsibility boundary.
Cloud Service Customer (CSC)
The organization consuming cloud services. The critical exam concept here is that the cloud customer always retains accountability for their data, even when they delegate operational responsibility to a CSP. This is the single most important principle in CCSP Domain 1. Delegation of processing does not mean delegation of accountability.
Exam trap: When a question asks who is "responsible" for data protection in the cloud, the answer is almost always the cloud customer. The CSP may be responsible for implementing specific controls, but the customer is accountable for ensuring those controls exist.
Cloud Service Broker
An intermediary that manages the use, performance, and delivery of cloud services. Brokers negotiate relationships between customers and providers. On the exam, brokers appear in scenarios involving multi-cloud management, service aggregation, or integration. The key distinction: a broker does not own the infrastructure — they facilitate access to it.
Cloud Service Carrier
The intermediary that provides connectivity and transport of cloud services between CSPs and CSCs. Think network providers and telecommunications companies. The exam may test whether you recognize that a carrier's failure (network outage) is different from a provider's failure (service outage) — and the contractual implications differ.
Cloud Auditor
An independent party that can conduct an assessment of cloud services, information system operations, performance, and security. The exam tests whether the auditor is truly independent. If a CSP's internal team conducts the audit, it is not a cloud auditor in the NIST sense.
Scenario Thinking: Applying Roles
Consider this scenario: A healthcare organization stores patient records in a SaaS application. The SaaS provider experiences a breach, and patient data is exposed. A regulatory body investigates. Who is accountable?
The instinct is to blame the SaaS provider — they got breached. But the CCSP exam expects you to recognize that the healthcare organization (the cloud customer) is accountable to regulators for protecting that data. They chose the provider, they should have verified controls, and they are the data controller. The SaaS provider may bear contractual liability, but regulatory accountability stays with the customer.
This pattern repeats across the entire exam. Whenever you see a breach, compliance failure, or data loss scenario, ask: "Who is the data owner?" That entity is accountable.
Common Exam Traps
- Confusing responsibility with accountability: A CSP can be responsible for implementing encryption. The customer is accountable for ensuring encryption is in place.
- Assuming the broker is the provider: A cloud broker that aggregates services from multiple CSPs is not a CSP. It does not own infrastructure.
- Forgetting the carrier: Network connectivity issues are carrier problems, not provider problems. SLA language matters here.
- Treating cloud as always better: The exam does not assume cloud is the correct answer. Some scenarios describe situations better served by on-premises solutions.
Key Takeaways for the Exam
Cloud computing has a precise definition. Not everything hosted remotely qualifies. The five roles (provider, customer, broker, carrier, auditor) each carry distinct responsibilities and accountability boundaries. The customer never delegates accountability for data, regardless of the service model. When you see a CCSP question involving roles, your first move should be to identify the data owner — accountability follows ownership.