Domain 1: Cloud Concepts, Architecture & Design Module 7 of 70

Module 7: Related Technologies (AI, IoT, Containers, Quantum)

CCSP Domain 1 — Cloud Concepts, Architecture & Design Section B 7 min read
The CCSP exam's August 2026 outline explicitly includes AI security, IoT, containers, and quantum considerations. These are not footnotes — expect direct questions about the security implications of deploying these technologies in cloud environments.

Artificial Intelligence and Machine Learning in the Cloud

The 2026 CCSP outline reflects ISC2's recognition that AI and ML are now mainstream cloud workloads with unique security considerations. The exam tests several AI-specific concerns:

Data Poisoning and Model Security

AI models are only as reliable as their training data. Data poisoning — the intentional introduction of malicious data into training sets — can cause models to produce incorrect or harmful outputs. The exam treats training data as a critical asset that requires integrity controls, access management, and provenance tracking.

AI Supply Chain Risks

Many organizations use pre-trained models or third-party AI services. The exam tests whether you understand the supply chain risks: a compromised pre-trained model can introduce vulnerabilities that persist through fine-tuning and deployment. Model provenance and validation are essential controls.

Exam insight: When a question describes an organization using a cloud-based AI service to process sensitive data, consider data exposure risks. The data sent to the AI service may be retained for training, shared with third parties, or processed in jurisdictions that violate data residency requirements. The SLA must address these concerns.

AI Governance

The exam expects you to understand that AI governance includes accountability for AI-driven decisions, transparency in how models process data, and compliance with emerging AI regulations. In cloud deployments, the shared responsibility model applies: the CSP manages the AI infrastructure, but the customer is accountable for the ethical and legal implications of AI outputs.

Internet of Things (IoT)

IoT devices generate massive data volumes that often flow to cloud platforms for processing and storage. The exam tests IoT security through the lens of cloud integration:

  • Authentication and identity: IoT devices often have limited processing power, making traditional authentication mechanisms impractical. The exam may ask about certificate-based authentication, device identity management, and secure bootstrapping.
  • Data in transit: IoT data flowing to cloud endpoints must be encrypted, but constrained devices may not support standard TLS. Lightweight cryptographic protocols are a valid exam topic.
  • Attack surface expansion: Each IoT device is an entry point. Compromised devices can be used to attack cloud infrastructure through authorized connection channels.

Containers and Orchestration

Containers (Docker) and orchestration platforms (Kubernetes) are standard in cloud-native architectures. The exam has expanded its container coverage significantly:

Container Security Concerns

Image vulnerabilities (base images with known CVEs), runtime security (container escapes), secrets management (credentials in container images or environment variables), and network segmentation between containers. The exam expects you to know that container images should be scanned before deployment, pulled from trusted registries, and minimized to reduce attack surface.

Orchestration Security

Kubernetes introduces its own security considerations: RBAC for cluster access, network policies for pod-to-pod communication, secrets management, and API server security. The exam may present a scenario where a misconfigured Kubernetes cluster exposes sensitive workloads.

Quantum Computing

Quantum computing threatens current cryptographic algorithms. The exam tests your understanding of this threat and appropriate preparations:

Harvest now, decrypt later: Adversaries may collect encrypted data today with the intention of decrypting it when quantum computers become capable. For data with long confidentiality requirements (decades), this threat is current, not future.

Post-quantum cryptography (PQC): NIST has published post-quantum cryptographic standards. The exam expects you to know that organizations should begin transitioning to quantum-resistant algorithms, starting with a cryptographic inventory of current systems.

Exam trap: Quantum computing does not break all cryptography. Symmetric algorithms like AES-256 remain relatively safe (quantum computing halves the effective key length, making AES-256 equivalent to AES-128, which is still considered secure). The primary threat is to asymmetric algorithms (RSA, ECC) used for key exchange and digital signatures.

Serverless and Functions as a Service (FaaS)

Serverless computing executes code in response to events without requiring the customer to manage any infrastructure. Security concerns include function-level access control, execution environment isolation, dependency vulnerabilities, and the challenge of applying traditional security monitoring to ephemeral workloads.

Key Takeaways

Emerging technologies extend cloud security challenges. AI introduces data poisoning and governance concerns. IoT expands the attack surface. Containers require image security and orchestration hardening. Quantum computing threatens asymmetric cryptography. For each technology, apply the shared responsibility model and ask: who manages what, and what are the unique risks?

Next Module Module 8: Cryptography and Key Management in the Cloud