By Ryan Bergsma, Training Program Director, Cloud Security Alliance
In this blog we’ll take a look at how to earn your Certificate of Cloud Security Knowledge (CCSK): the study materials, how to prepare, and the details of the exam, including a module breakdown, passing rates, and format. If you’re considering earning your CCSK, or just exploring the possibility, this will give you a good idea of what to expect and which resources to draw from as you prepare. At the end I’ve also added some recommendations for how to continue learning cloud security after you’ve earned your CCSK. First things first, let’s cover what you’ll need to know in order to pass the exam.
Step 1. What You’ll Need to Know
While there is no official work experience required, it can be helpful for attendees to have at least a basic understanding of security fundamentals, such as firewalls, secure development, encryption, and identity and access management.
Cloud Computing Fundamentals
To start, you’ll need to know the fundamentals of cloud computing, including definitions, architectures, and the role of virtualization. Key topics you’ll need to be familiar with are cloud computing service models, delivery models, and the fundamental characteristics of cloud. You’ll also need to be familiar with the Shared Responsibilities Model.
Infrastructure Security for Cloud Computing
As far as infrastructure security goes, you’ll need to understand the details of securing the core infrastructure for cloud computing, including cloud components, networks, management interfaces, and administrator credentials. You’ll also need to understand virtual networking and workload security, including the basics of containers and serverless.
Managing Cloud Security and Risk
For this section you need to know the important considerations of managing security for cloud computing. That includes risk assessment and governance, as well as legal and compliance issues, such as discovery requirements in the cloud. You’ll also need to know how to use important CSA risk tools including the CAIQ, CCM, and STAR registry and how cloud impacts IT audits.
Data Security for Cloud Computing
One of the biggest issues in cloud security is protecting data, so you will need to understand how data is stored and secured in the cloud. You will also need to know how the data security lifecycle is affected by cloud and how to apply security controls in a cloud environment. Other important topics include cloud storage models, data security issues with different delivery models, and managing encryption in and for the cloud, including customer-managed keys (BYOK).
Application Security and Identity Management for Cloud Computing
Another important area you’ll be tested on is identity and access management and application security for cloud deployments. Topics you’ll need to learn include federated identity, different IAM applications, secure development, and managing application security in and for the cloud.
Cloud Security Operations
Lastly you’ll be tested on key considerations when evaluating, selecting, and managing cloud computing providers. Make sure you also understand the role of Security as a Service providers and the impact of cloud on incident response.
Step 2. How to Study
Get advice from peers…
I’d recommend checking out our Q&A blog series, CCSK Success Stories, where we asked individuals about their experience preparing for and taking the exam. Having prepared for and gone through the exam themselves, they are able to offer insight into what topics they found most challenging, and what you should focus on.
Choose How to Study
Self-study. I’d recommend taking this route if you don’t have the time or budget to complete a training course, or if you already have experience in cloud security. You can study for the exam on your own by downloading our free CCSK prep-kit here.
Self-paced training online. If you want training but have a hard time fitting in a regular course and need something flexible enough for your schedule and budget then our self-paced training may be a good fit. You can complete CCSK training modules on-the-go, without any deadlines, at a pace that’s right for you. Preview the course for free here.
Online training with an instructor. For individuals who work best when they can ask questions, the online instructor-led training is a good fit. It may also be an option for companies with a tight travel budget, since it still offers you the ability to attend regularly scheduled class sessions.
In-person training. Of course, in-person training is always nice to have. You get the opportunity to interact with an instructor face to face, ask questions and learn in the same room with other students.
CCSK Plus Course with hands-on labs. This extended version of the CCSK course offers a more practical implementation of the material. It combines the knowledge covered in the regular CCSK Fundamentals Course with hands-on labs where you can practice applying what you learn in real-life scenarios.
Download Study Materials
CSA Security Guidance v.4. This document explains how to keep your organization secure in the cloud. It is built on previous iterations of the security guidance, dedicated research, public participation from CSA members, working groups, and the industry experts within our community. The latest version incorporates advances in cloud, security, and supporting technologies, reflects real-world cloud security practices, integrates the latest CSA research projects, and offers guidance for related technologies. Most notably, this version now incorporates IoT, blockchain and DevSecOps into its guidelines.
The Cloud Controls Matrix. The CSA Cloud Controls Matrix (CCM) provides fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. It builds on the Security Guidance v4 by giving a detailed understanding of the security concepts and principles aligned to its 14 domains.
ENISA’s Cloud Computing Risk Assessment. This document was created by the European Union Agency for Network and Information Security (ENISA). It provides an in-depth and independent analysis outlining the information security benefits and key security risks of cloud computing.
The above study materials are included in the CCSK Prep-Kit. Along with the above documents, the prep-kit includes practice questions and other study resources to help you prepare for the exam. You can download it for free here.
Step 3. Review Exam Details
The Exam Format
The exam is open-book and held online. You can start an exam at any time that works for you. The timeline to complete it is 90 minutes, and you’ll be answering 60 questions selected randomly from the CCSK question pool. The minimum passing score is 80%.
All the questions are multiple choice or true/false. If you’d like to preview a sample question from each module you can download the free CCSK Prep-Kit. For a more comprehensive practice test that covers multiple questions and material from all the modules you can try our online self-paced course.
With an average passing rate of only 62%, the CCSK is a challenging exam to pass. For this reason, make sure you have read through all of the study materials and thoroughly understand the topics before attempting the test. Below is an approximate breakdown of the percentage of questions you could be asked from each domain.
| Domain | % of Questions |
|---|---|
| 1. Cloud Computing Concepts | 10.00% |
| 2. Governance & Enterprise Risk Management | 3.33% |
| 3. Legal Issues: Contracts and Electronic Discovery | 5.00% |
| 4. Compliance & Audit Management | 5.00% |
| 5. Information Governance | 3.33% |
| 6. Management Plane & Business Continuity | 6.67% |
| 7. Infrastructure Security | 10.00% |
| 8. Virtualization & Containers | 8.33% |
| 9. Incident Response | 6.67% |
| 10. Application Security | 10.00% |
| 11. Data Security & Encryption | 10.00% |
| 12. Identity, Entitlement and Access Management | 5.00% |
| 13. Security as a Service | 3.33% |
| 14. Related Technologies | 1.67% |
*The above percentages are estimates. Questions are selected at random from the CCSK question pool, so having a solid understanding of each domain and the CCM and ENISA documents is essential if you want to pass.
Step 4. Take the Exam
Whether you purchase an exam token directly or receive one as part of a training package, you will first need to create an account on the exam platform before you can attempt the exam. If you plan to self-study and buy a token, you can go directly to the link above. If you received an exam token with a training package, you will get an email with instructions on how to register and claim your token.
Since the exam is taken online, once you have a test token you can take the test when and where you want. Make sure you have thoroughly studied the exam materials and reviewed your notes if you took a training course. And be sure you have a reliable internet connection and a full 90 minutes in which you will not be interrupted or distracted.
Step 5. Build on the knowledge from the CCSK…
After you’ve earned your CCSK a good way to continue learning about cloud security is following our CloudBytes webinar series or volunteering for a working group. Other ways you can build on your knowledge…
Read the latest CSA research
In general, I recommend being familiar with the Top Threats document series. This helps folks understand the threat landscape for cloud. I’d also take a look at the 12 Most Critical Risks for Serverless Applications.
Use the CCSK to satisfy CPE credits
The CCSK can be used to satisfy continuing professional education credits for several other IT credentials including the CCSP and CISSP.
Gain hands-on experience
Practice building in a cloud environment using management plane best practices and appropriate reference architectures for practice projects. Look at some of the cloud offerings in the market and consider the security implications for the consumer based on the shared responsibilities model.
Consider enrolling in more advanced training
Two courses to consider taking after the CCSK are the Cloud Governance & Compliance (CGC) course and the CCSP course. Which one you take will depend on your current job role and where you are heading career-wise. For those interested in cloud governance or auditing, the CGC course is a good path. For those interested in cloud security implementation, the CCSP course is a good path. There may also be vendor-specific training you are interested in, depending on the environment you work in.
Start learning more about cloud security today. Enroll in a free trial of the online, self-paced CCSK training here.