Roadmap to Earning Your Certificate of Cloud Security Knowledge (CCSK)

By Ryan Bergsma, Training Program Director, Cloud Security Alliance

In this blog we’ll be taking a look at how to earn your Certificate of Cloud Security Knowledge (CCSK): the study materials, how to prepare, and the details of the exam, including a module breakdown, passing rates and format. If you’re considering earning your CCSK, or just exploring the possibility, this will give you a good idea of what to expect and the resources to draw from as you prepare. At the end I’ve also added some recommendations for how to continue learning cloud security after you’ve earned your CCSK. First things first, let’s cover what you’ll need to know in order to pass the exam.

Step 1. What You’ll Need to Know

Recommended Experience

While there is no official work experience required, it can be helpful for attendees to have at least a basic understanding of security fundamentals, such as firewalls, secure development, encryption, and identity and access management.

Topics Covered

Cloud Computing Fundamentals

To start, you’ll need to know the fundamentals of cloud computing, including definitions, architectures, and the role of virtualization. Key topics you’ll need to be familiar with are cloud computing service models, delivery models, and the fundamental characteristics of cloud. You’ll also need to be familiar with the Shared Responsibilities Model.

———

Infrastructure Security for Cloud Computing

As far as infrastructure security goes, you’ll need to understand the details of securing the core infrastructure for cloud computing, including cloud components, networks, management interfaces, and administrator credentials. You’ll also need to understand virtual networking and workload security, including the basics of containers and serverless.

———

Managing Cloud Security and Risk

For this section you need to know the important considerations of managing security for cloud computing. That includes risk assessment and governance, as well as legal and compliance issues, such as electronic discovery requirements in the cloud. You’ll also need to know how to use the important CSA risk tools, including the CAIQ, the CCM, and the STAR registry, and how cloud impacts IT audits.

———

Data Security for Cloud Computing

One of the biggest issues in cloud security is protecting data, so you will need to understand how data is stored and secured in the cloud. You will also need to know how the data security lifecycle is impacted by cloud and how to apply security controls in a cloud environment. Other important topics include cloud storage models, data security issues with different delivery models, and managing encryption in and for the cloud, including customer-managed keys (bring your own key, BYOK).

———

Application Security and Identity Management for Cloud Computing

Another important area you’ll be tested on is identity and access management and application security for cloud deployments. Topics you’ll need to learn include federated identity, different IAM applications, secure development, and managing application security in and for the cloud.

———

Cloud Security Operations

Lastly, you’ll be tested on key considerations when evaluating, selecting, and managing cloud computing providers. Make sure you also understand the role of Security as a Service providers and the impact of cloud on incident response.

———


Step 2. How to Study

Get advice from peers…

I’d recommend checking out our Q&A blog series, CCSK Success Stories, where we asked individuals about their experience preparing for and taking the exam. Having prepared for and gone through the exam themselves, they are able to offer insight into what topics they found most challenging, and what you should focus on.

Choose How to Study

Self-study. I’d recommend taking this route if you don’t have the time or budget to complete a training course, or if you already have experience in cloud security. You can study for the exam on your own by downloading our free CCSK prep-kit here.

Self-paced training online. If you want training but have a hard time fitting in a regular course and need something flexible enough for your schedule and budget then our self-paced training may be a good fit. You can complete CCSK training modules on-the-go, without any deadlines, at a pace that’s right for you. Preview the course for free here.

Online training with an instructor. For individuals who work best when they can ask questions, the online instructor-led training is a good fit. It may also be an option for companies with a tight travel budget, since it still offers you the ability to attend regularly scheduled class sessions.

In-person training. Of course, in-person training is always nice to have. You get the opportunity to interact with an instructor face to face, ask questions and learn in the same room with other students.

CCSK Plus Course with hands-on labs. This extended version of the CCSK course offers a more practical implementation of the material. It combines the knowledge covered in the regular CCSK Fundamentals Course with hands-on labs where you can practice applying what you learn in real-life scenarios.

Download Study Materials

CSA Security Guidance v4. This document explains how to keep your organization secure in the cloud. It is built on previous iterations of the security guidance, dedicated research, public participation from CSA members, working groups, and the industry experts within our community. The latest version incorporates advances in cloud, security, and supporting technologies, reflects real-world cloud security practices, integrates the latest CSA research projects, and offers guidance for related technologies. Most notably, this version now incorporates IoT, blockchain and DevSecOps into its guidelines.

The Cloud Controls Matrix. The CSA Cloud Controls Matrix (CCM) provides fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. It builds on the Security Guidance v4 by giving a detailed understanding of security concepts and principles aligned to the guidance’s 14 domains.

ENISA’s Cloud Computing Risk Assessment. This document was created by the European Union Agency for Network and Information Security (ENISA). It provides an in-depth and independent analysis outlining the information security benefits and key security risks of cloud computing.

The above study materials are included in the CCSK Prep-Kit. Along with the above documents, the prep-kit includes practice questions and other study resources to help you prepare for the exam. You can download it for free here.

Step 3. Review Exam Details

The Exam Format

The exam is open-book and held online. You can start an exam at any time that works for you. The timeline to complete it is 90 minutes, and you’ll be answering 60 questions selected randomly from the CCSK question pool. The minimum passing score is 80%.

Question Format

All the questions are multiple choice or true/false. If you’d like to preview a sample question from each module you can download the free CCSK Prep-Kit. For a more comprehensive practice test that covers multiple questions and material from all the modules you can try our online self-paced course.

Exam Difficulty

With an average passing rate of only 62%, the CCSK is a challenging exam to pass. For this reason, make sure you have read through all of the study materials and thoroughly understand the topics before attempting the test. Below is an approximate breakdown of the percentage of questions you could be asked from each domain.

Domain                                              % of Questions   Approx. questions (of 60)
 1. Cloud Computing Concepts                        10.00%           6
 2. Governance & Enterprise Risk Management          3.33%           2
 3. Legal Issues: Contracts and Electronic Discovery 5.00%           3
 4. Compliance & Audit Management                    5.00%           3
 5. Information Governance                           3.33%           2
 6. Management Plane & Business Continuity           6.67%           4
 7. Infrastructure Security                         10.00%           6
 8. Virtualization & Containers                      8.33%           5
 9. Incident Response                                6.67%           4
10. Application Security                            10.00%           6
11. Data Security & Encryption                      10.00%           6
12. Identity, Entitlement and Access Management      5.00%           3
13. Security as a Service                            3.33%           2
14. Related Technologies                             1.67%           1
15. CCM                                              6.67%           4
16. ENISA                                            5.00%           3

*The above percentages are estimates. Questions are selected at random from the CCSK question pool, so having a solid understanding of each domain and the CCM and ENISA documents is essential if you want to pass.

Step 4. Take the Exam

Register at the CCSK exam website

Whether you plan to purchase an exam token directly or will receive one as part of a training package, you will first need to create an account on the exam platform before attempting the exam. If you plan to self-study and buy a token, you can go directly to the link above. If you received an exam token with a training package, you will get an email with instructions on how to register and claim your token.

Take the exam

Since the exam is taken online, once you have a test token you can take the test when and where you want. Make sure you have thoroughly studied the exam materials and reviewed your notes if you took a training course. And be sure you have a reliable internet connection and a full 90 minutes in which you will not be interrupted or distracted.

Step 5. Build on the knowledge from the CCSK…

After you’ve earned your CCSK a good way to continue learning about cloud security is following our CloudBytes webinar series or volunteering for a working group. Other ways you can build on your knowledge…

Read the latest CSA research

In general, I recommend being familiar with the Top Threats document series. This helps folks understand the threat landscape for cloud. I’d also take a look at the 12 Most Critical Risks for Serverless Applications.

Use the CCSK to satisfy CPE credits

The CCSK can be used to satisfy continuing professional education credits for several other IT credentials including the CCSP and CISSP.

Gain hands-on experience

Practice building in a cloud environment using management plane best practices and appropriate reference architectures for practice projects. Look at some of the cloud offerings in the market and consider the security implications for the consumer based on the shared responsibilities model.

Consider enrolling in more advanced training

Two courses to consider taking after the CCSK are the Cloud Governance & Compliance (CGC) course and the CCSP course. Which one you take will depend on your current job role and where you are heading career-wise. For those interested in cloud governance or auditing, the CGC course is a good path. For those interested in cloud security implementation, the CCSP course is a good path. There may also be vendor-specific trainings you are interested in, based on the environment you work in.

Start learning more about cloud security today. Enroll in a free trial of the online, self-paced CCSK training here.


CCSK Success Stories: From a Data Privacy Consultant


By the CSA Education Team

This is the fourth part in a blog series on cloud security training, in which we will be interviewing Satishkumar Tadapalli a certified and seasoned information security and data privacy consultant. Tadapalli has 12+ years of multi-functional IT experience in pre-sales, consulting, risk advisory and business analysis. He has rich experience in information protection and data privacy, risk management, information security with various ISO 27001 implementation, audits and is currently working for a London-based bank as a risk advisor, looking after 3rd-party assurance and cloud risk assessments.

Satish holds several certifications including: CISM, CIPM, CIPT, CCSK, ISO27001 LA, CISRA, CPISI, and ITIL V3.

Can you describe your role?

In this diverse, cloud-connected, dynamic world, it’s not easy for me to describe a specific role as I’m required to wear multiple hats depending on the table at which I’m seated. Having said that, currently I’m performing a risk advisory role at one of the largest banks in the UK. This position keeps me challenged in performing contractual risk assurance, data privacy consultations and cloud risk assessment of 3rd-, 4th-, and 5th-party vendors, and governing the supplier risk-assurance activities to ensure that the consumer and providers are adhering to the privacy and security principles and keeping customer data safe and secure.

What got you into cloud security in the first place? What made you decide to earn your CCSK?

Cloud security is an interesting and evolving topic for me. I believe cloud adoption isn’t a choice for organizations in this era, now. For this reason, keeping myself updated on the must-have knowledge in cloud made me pay attention to cloud security. Once I’d decided to get my hands into cloud security, I felt CCSK was my go-to in order to get started with concepts as it covers the foundations of real-world, complex scenarios in cloud implementation, migration, issues in adoption, evaluation of cloud and many others.

… makes you not only think from the cloud deployment view, but also provides guidance for both cloud service provider and consumer views which is very uniquely appreciated and helps in real-world solutioning—especially when you wear multiple hats—of risks from vendor to consumers.”

Could you elaborate on how the materials covered in the exam specifically helped in that way?

Sure, as we all know CCSK isn’t a specific, cloud product-related exam. Rather, I think the intention of this exam is to evaluate how well the key elements or domains of cloud models/service(s) are understood by candidates. Hence, this exam expects you to be aware of key areas such as governance, legal challenges, incident response, compliance, and risk management, which are very essential and challenging in cloud adoption for both consumers and service providers of cloud.

How did you prepare for the CCSK exam?

I mainly followed the CCSK exam preparation kit available on the CSA site, plus my limited experience in security and 3rd-party risk assessment helped me to crack the CCSK exam.

If you could go back and take it again, how would you prepare differently?

As I mentioned earlier, cloud is a constantly changing world with new threats and challenges evolving almost every day. Hence, I would elevate my knowledge by looking at current study materials from CSA and explore the real challenges and solutions in industries for cloud implementation and adoption.

Were there any specific topics on the exam that you found trickier than others?

I felt that the legal and compliance management along with security incidents handling domains were quite interesting. Primarily, because these areas bring different challenges to cloud services, mainly in detailing the roles and responsibilities and limitations for both cloud consumers and cloud providers.

What is your advice to people considering earning their CCSK?

I strongly advise CCSK aspirants look at this exam as a foundational course and use it as a stepping stone in the vast cloud security journey. CCSK won’t just differentiate you from others by giving you a credential, it will also help you in a longer journey irrespective of your role (cloud consumer, provider or independent cloud risk advisor, etc.) due to its essential concepts, which aren’t specific to any cloud vendor/solution.

Lastly, what material from the CCSK has been the most relevant in your work and why?

It is a bit hard for me to point out one or any specific domain(s) as most of the domains and materials were and are relevant to my work as I’m required to play multiple roles given the nature of business we are in today. Specifically, I use the Security Guidance and the Cloud Controls Matrix the most as I deal with vendor risk management. These help to clarify key roles and responsibilities between the cloud provider and consumer. In addition, these documents act as a guide for me to reassure myself of cloud concepts.

Interested in learning more about cloud security training? Discover our free prep-kit, training courses, and resources to prepare to earn your Certificate of Cloud Security Knowledge here.

Invest in your future with CCSK training

CCSK Success Stories: From an Information Systems Security Manager

By the CSA Education Team

This is the third part in a blog series on Cloud Security Training. Today, we will be interviewing Paul McAleer. Paul is a Marine Corps veteran and currently works as an Information Systems Security Manager (ISSM) at Novetta Solutions, an advanced data analytics company headquartered in McLean, VA. He holds the CCSK, CISSP, CISM, and CAP certifications among others and lives in the Washington, D.C. area.

Can you describe your role?

I am an ISSM at Novetta Solutions and am primarily responsible for certification and accreditation, continuous monitoring, and the overall security posture of the information systems under my purview. Novetta is also partnered with AWS and that partnership continues to grow, so it is a very exciting company to work for.

What got you into cloud security in the first place? What made you decide to earn your Certificate of Cloud Security Knowledge (CCSK)?

My first InfoSec position was with First Information Technology Services, a Third Party Assessment Organization (3PAO) supporting Microsoft. I was part of the Continuous Monitoring Team, and part of my job was providing adequate justification of open vulnerabilities and depicting mitigation for cloud environments. Understanding cloud security was imperative in performing my job. I was seeking more of a foundational understanding focused primarily on cloud security. I heard about CCSK through CSA and (ISC)2 after doing some research on the best and most valuable cloud certifications. After reviewing the certification outline and expectations, I decided to review the material and prep for the exam.

“Open book means nothing when it comes to this exam. There are too many questions that require a deep understanding of the material…”

Can you elaborate on what the exam experience was like? How did you prepare for the CCSK exam?

The CCSK was not an easy exam by any means. Not only was it a requirement to get 80 percent to pass, but there were only 90 minutes to answer 60 questions. The exam required a deep understanding of the CSA Cloud Security Guidance, as well as the ENISA Cloud Computing Risk Assessment Report. At least for me, it was imperative to read through all of the course material and ensure I understood everything listed in the exam objectives to pass the exam.

If you could go back and take it again, how would you prepare differently?

If I could prepare differently, I would have devoted more time to studying and reading the CSA Guidance and ENISA Report a second time through. To me, one read-through isn’t enough for the depth of this exam and the style of questions the exam presents. It is a hard exam to prepare for. To gain a full understanding of what is expected, it’s important to go through the material more than once, to take notes on your weak areas, and subsequently to come back to the sections that you feel weakest on and focus on those areas.

Were there any specific topics on the exam that you found trickier than others?

Topics on the exam that I found trickier than others included questions that pertained to governance within the cloud and understanding the various security as a service (SecaaS) requirements and the different services regarding SecaaS implementation.

What is your advice to people considering earning their CCSK?

I highly recommend the CCSK for anyone seeking a deeper understanding of cloud security. My advice to people considering the CCSK is to study for the exam like you would any other certification that wasn’t open book. In other words, don’t rely on the fact that it is open book. 

Lastly, what part of the material from the CCSK have been the most relevant in your work and why?

The most relevant material from the CCSK for my career has been Compliance and Audit Management, which was Domain 4 of the CSA Guide v3 when I took the exam. I believe that domain related more to my work experience than any other domain due to my cloud compliance role at the time of my certification. I definitely took the most away from the topics discussed in that domain, such as issues pertaining to Enterprise Risk Management, Compliance and Audit Assurance, and Corporate Governance. The Information Management and Data Security domain was also a very relevant domain for my work.

Interested in learning more about cloud security? Discover our free prep-kit, training courses, and resources to prepare to earn your Certificate of Cloud Security Knowledge here.


CCSK Success Stories: From the Financial Sector

By the CSA Education Team

This is the second part in a blog series on Cloud Security Training. Today we will be interviewing an infosecurity professional working in the financial sector. John C Checco is President Emeritus for the New York Metro InfraGard Members Alliance, as well as an Information Security professional providing subject matter expertise across various industries. John is also a part-time NYS Fire Instructor, a volunteer firefighter with special teams training in vehicular extrication and dive/ice rescue, an amateur novelist, and routinely donates blood in several adult hockey leagues.

Can you describe your role?

Currently I lead the “Security Innovation Evaluation Team” at a large financial firm where we forage and test emerging technology solutions that will build upon our security posture and fortify our resilience far into the future.

What got you into cloud security in the first place? What made you decide to earn your CCSK?

Whether you are in the automotive, engineering, medical, retail or the information security field, one needs to constantly stay abreast of emerging trends and hype – indeed, “cloud” was one of those emerging trends and hype combined which represented a logical transition from existing legacy infrastructures.

I am a lifelong learner; seeing the early explosion of “cloud providers” who really just wrapped an orchestration layer around virtualization rather than true holistic solutions, was the jumpstart I needed to understand how important the CCM (and CCSK) was.

The CCSK reflects both the operational knowledge of the CCM, as well as the strategic goals for the CSA. The CCM itself is a superset of many existing security control standards, which makes the CCSK all the more relevant to today’s security environment.

Can you elaborate on how the CCSK reflects the operational knowledge of the CCM? Why do you think this is important knowledge for infosec professionals to know?

The CCM builds upon existing NIST/ISO standards and produces new controls where existing controls cannot adequately cover the cloud paradigm. If one knows how to properly interpret and use the CCM standard, they most likely understand the non-cloud security standards as well. The CCSK represents knowledge assurance of the CCM at an operational level; and having a shared origin with the CCM, the CCSK can truly test proficiency in the spirit of the CCM as it was designed, not just its definitions.

How did you prepare for the CCSK exam?

I was an initial member of the NY Metro Chapter of the CSA and aware of the Cloud Controls Matrix. Although my employer was not explicitly referencing the CCM as a security standard, I was pulling from it as a security controls guidance for my employer’s projects.

If you could go back and take it again, how would you prepare differently?

As information security has become more complex and more splintered, simply studying definitions is no longer an effective method to have lasting knowledge. I would suggest two additional study techniques:

  • Understand the “WHY” of each control in the CCM: what was the originating problem statement, what is the scope of that problem statement, and was the control defined to resolve the problem or simply reduce the problem’s impact to a tolerable level? Once you have a good comprehension of the background, then there is no memorization needed … it becomes common sense to the learner.
  • Get DIRTY with some hands-on experience – whether it be an existing work project or reworking an old personal project. Taking an old project and redeploying it using newer technologies and security controls gives the learner unimaginable insight into why a control is written in a certain way. The advantage of using an existing project is that you can focus on the coding, deployment and security control aspects rather than features and requirements. I have revamped my personal “Resume Histogram” project originally written in 1990 as a dial-up BBS site → to a CGI website → to a RoR web application (hey, not every decision was a good one) → to a social media plugin → to a containerized web API.

Were there any specific topics on the exam that you found trickier than others?

I suspect that everyone will have a different topic of weakness. Legal aspects were my weakness, and from the plethora of recent changes in standards and regulations – PCI DSS3, NIST revisions, NYS DFS 500, GDPR and the myriad of local regulations – I suspect it is not going to get any easier.

What is your advice to people considering earning their CCSK?

I have four points of advice:

  1. Get real-life quality experience before you attempt a certification … doctors, nurses, architects and engineers are required to, so why not InfoSec professionals?
  2. Make a habit of learning something every day …  knowledge gets stale, intelligence doesn’t.
  3. Avoid the shortcuts, like boot camps, it’s a crash diet of ignorance;
  4. Be humble, keep an open mind, and listen before you speak … things change, so what you knew was right today may be turned on its head tomorrow. Nobody should want to gain a reputation of being “CIA” (certified, ignorant and arrogant).

Lastly, what part of the material from the CCSK have been the most relevant in your work and why?

Ironically, my work over the years has made my weakest area – legal – also the most important and relevant one; especially when it comes to contracts with cloud providers for enterprise projects as well as vendors and managed service providers who run in the cloud.

Interested in completing cloud security training at RSA? CSA is offering a CCSK Plus Course at the RSA Conference 2019 that offers students an extra day of hands-on labs to practice applying what they learn. Learn more or register here.


Addressing the Skills Gap in Cloud Security Professionals

By Ryan Bergsma, Training Program Director, CSA

One of the math lessons that has always stuck with me from childhood is that if you took a penny and doubled it every day for a month, it would make you a millionaire. In fact, it wouldn’t even take the whole month; you would be a millionaire on the 28th day. Of course, most of us realize this would be nearly impossible to accomplish in reality (unless you invested in the right crypto at the right time in the fall and early winter of 2017). The reason that this old math lesson comes to mind when I think about the skills gap in IT security, and in particular cloud security, is because of Moore’s Law.

The rise of cybercrime & IT security

Granted, doubling every two years is a lot different than doubling every day, but if you take 1970 as the starting point and count two-year doublings, the million-fold mark (20 doublings) was passed around 2010, and by 2018 computational power is on the order of 16 million times what it was (24 doublings). I bring this up because it speaks to the rapid increase in the power of the tools at the disposal of criminal hackers today. Couple that with the fact that:

  1. Modern society relies so heavily on IT and…
  2. So many of our assets (from personal information, to intellectual property, to bank ledgers) can now be found online

And you have a scenario that is ripe for exploitation. With so much opportunity, albeit illegal, it is no wonder that bad actors have become prolific. And with this group of bad actors growing so rapidly, we see the boom of the IT security industry. Especially given the fact that though it may only take one persistent bad actor to breach a system or network, it generally requires an entire team to protect it.

So… the demand for cybersecurity professionals continues to balloon.

In fact, the Cybersecurity Ventures 2017 Cybersecurity Jobs Report says “Cybercrime will more than triple the number of job openings over the next 5 years” and predicts that there will be 3.5 million unfilled cybersecurity positions by 2021.

Increased threats to cloud computing

One particular realm of IT that has exploded into the mainstream consciousness in the past decade is cloud computing. Some of the benefits of cloud computing have driven large-scale adoption of its use by both individuals and businesses. In many cases, it may even be in use without awareness of its use (or the potential impacts). Whether the awareness of the use of cloud offerings is there or not, the need for security in cloud computing most certainly is. Though it may be possible for cloud solutions to provide heightened levels of security when compared with traditional on-premises IT infrastructures and services, cloud infrastructures, platforms and services do come with their own unique set of risks. CSA even maintains a list of Top Threats for cloud environments. These factors have left many businesses, even those with already existing IT security departments, scrambling to understand and mitigate the risks associated with the myriad of cloud solutions.

Meanwhile the shift to cloud continues to accelerate. The same Cybersecurity Ventures report also mentions that “Microsoft estimated that 75 percent of infrastructure will be under third-party control (i.e., cloud providers or Internet Services Providers) by 2020.”

Why the skills gap exists

With cybercrime driving the growing demand for cybersecurity professionals, the explosion of cloud usage, and its subsequent need for cloud security professionals, why is it that so many of these jobs remain unfilled?

The harsh reality is that employers are not able to find the employees to fill these positions because the demand is so great. There are not enough individuals with the skill set and years of experience that employers are looking for to fill these critical positions. A survey of industry influencers conducted by LogicMonitor found that “58% agreed lack of cloud experience in their employees was one of the biggest challenges.” Employers are then left with the choice of leaving the positions unfilled or filling them with under-qualified applicants. The 2017 Global Information Security Workforce Study says that “It is not uncommon for cybersecurity workers to arrive at their jobs via unconventional paths. The vast majority, 87% globally, did not start in cybersecurity, but rather in another career. While many moved to cybersecurity from a related field such as IT, many professionals worldwide arrived from a non-IT background.”

What can be done to address this skills-gap?

Given the growing business demand for skilled cloud security professionals, what can be done to stem the tide of this increasing skills gap?

As an organization

To begin to combat the skills gap in cybersecurity professionals, and cloud security professionals in particular, businesses need to start taking proactive steps. Get your business behind initiatives to document current best practices in security and turn that documentation into training materials for the workforce. In cloud this is especially critical given its rapid development and expansion. This could be in the form of encouraging your senior employees to use some portion of on-the-clock time to volunteer for these types of initiatives, or it could be directly funding projects to create the new training materials. Organizations need to encourage and incentivize current employees who are less knowledgeable in security to take advantage of current training offerings. It could also be worth considering setting up scholarship programs to make cybersecurity training more accessible for the next generation of cybersecurity professionals.

Of course, given the gap, businesses also need to be more open to hiring these newly trained security professionals into entry-level and junior positions so that they can begin to build the experience required to fill more senior positions.

As an individual

And, for individuals who are interested in a cybersecurity career, get yourself into training and pursue certificates and certifications that demonstrate your interests and abilities to businesses that are desperately in need of qualified cybersecurity professionals. There are a wide range of options when it comes to cybersecurity, so make an effort to figure out where your interests lie. Some of the many options include things like computer forensics, pen testing, network security, security policy, end user education, security audit or secure software development. Whether you are interested in writing code or working with people, there are likely security opportunities that will be a good fit for you personally.

If you already have some level of security knowledge and are interested in cloud, our Certificate of Cloud Security Knowledge (CCSK) offering is a great place to start. Holders of the Certified Information Systems Security Professional (CISSP) from (ISC)2 benefit from the alignment between the bodies of knowledge of the two credentials. All of the CISSP’s 10 domains have an analog in the CCSK’s 14 domains; where the domains overlap, the CCSK builds on the CISSP domain and provides cloud-specific context.

For those holding ISACA’s Certified Information Systems Auditor (CISA) designation, better understanding of how clouds work and how they can be secured makes it easier to identify the appropriate measures to test control objectives and make appropriate recommendations.

If you’re interested in learning more about cloud security training for you or your team please visit our CCSK Training page or download our Free Prep-Kit.

Invest in your future with CCSK training

Correction: An earlier version of this post incorrectly attributed the Cybersecurity Jobs Report to Herjavec, when in fact this report was produced by Cybersecurity Ventures.

Ryan Bergsma is the Training Program Director at CSA, where he manages CSA’s training programs including the Certificate of Cloud Security Knowledge (CCSK) and Cloud Controls Matrix (CCM) Training.

Typical Challenges in Understanding CCSK and CCSP: Technology Architecture

By Peter HJ van Eijk, Head Coach and Cloud Architect, ClubCloudComputing.com

As cloud computing is becoming increasingly mainstream, more people are seeking cloud computing security certification. Because I teach prep courses for the two most popular certifications—the Certificate of Cloud Security Knowledge (CCSK), organized by the Cloud Security Alliance (CSA), and the Certified Cloud Security Professional (CCSP), as organized by (ISC)2—I naturally see a wide variety of people as they work to pass these exams.

My students come from many different backgrounds, each bringing with them a unique set of experiences that color their understanding of the way the cloud is managed and controlled. To some these varying backgrounds might seem a hindrance, but quite the opposite is true because secure cloud adoption is a team sport where diverse backgrounds count in order to reduce the risk to organizations.

Despite their varying backgrounds, they all face similar challenges. A common challenge I see in my courses, especially for less technical people, is understanding information technology architecture in general. It’s something they struggle with, and also something that can be a hurdle in passing the exam. So, what is technology architecture and why is it important?

A technology architecture primer

Cloud computing, in my opinion, does not have that much new technology. Most of the technology we have today was already in existence before the advent of cloud computing.

Today, a common characteristic of the technologies that are relevant for cloud computing is the fact that they facilitate resource pooling and interconnection of systems. Resource pooling is an essential characteristic of cloud computing, and a technology such as server virtualization helps implement that sharing. But that technology should also guarantee proper separation between otherwise independent cloud tenants.

Technologies such as APIs and federated identity management allow the cloud to be made up of a lot of collaborating independent companies. This helps create an IT supply chain. Your average company has hundreds of SaaS suppliers who in turn use hundreds of other cloud companies to help them deliver their services.

APIs also enable the essential cloud characteristic of automatic self-service provisioning. For example, through APIs we can set up auto-scaling services. Again, this is a tool in building the IT supply chain.

Sharing requires caring

The new thing in cloud is sharing between independent companies, interconnecting different, independent providers and automating that. The whole technology architecture now spans the IT supply chain.

This has big governance and security implications. For example, when that collaboration or isolation fails, we cannot escalate these problems to our own CTO or CIO to resolve them. These problems are not confined to a single company anymore. They have to be resolved between companies.

The technical collaboration between companies will only work with proper contracts and management processes. This has to be set up in advance, instead of figuring out how it works later, as is so common inside an enterprise. And the people whose competence is to review these contracts and set up the service management processes therefore must understand how the technology enables that collaboration.

That is why technology architecture is so important for less technical people. And that is also why it can be hard. The CCSK body of knowledge focuses specifically on how cloud technology architecture has an impact on cloud management, in particular on cloud risk management, and that makes it a great tool for building effective cloud adoption teams.

Peter van Eijk is one of the world’s most experienced cloud trainers. He has worked for 30+ years in research, with IT service providers and in IT consulting (University of Twente, AT&T Bell Labs, EDS, EUNet, Deloitte). In more than 100 training sessions, he has helped organizations align on security and speed up their cloud adoption. He is an authorized CSA CCSK and (ISC)2 CCSP trainer, and has written or contributed to several cloud training courses.


CCSK Success Stories: Cloud Security Training from a CTO’s Perspective

By the CSA Education Team

We’re kicking off a series on cloud security training today with a Q&A with the Vice President and CTO of Fusion Risk Management, Cory Cowgill. With a background in enterprise software development spanning multiple industries, Cowgill has multiple certifications including Salesforce System Architect and Application Architect, Amazon Web Services Solution Architect, and Cloud Security Alliance Certificate of Cloud Security Knowledge (CCSK). He has presented eight times at Dreamforce, the world’s largest enterprise software conference, and is a member of the Salesforce MVP Hall of Fame.

What led you to the Certificate of Cloud Security Knowledge?

The research and work with the CCM (Cloud Controls Matrix) led me to the CSA Certificate of Cloud Security Knowledge. I am a lifelong learner so I decided to take the exam. I recently passed the CSA Certificate of Cloud Security Knowledge, and I found so much of the content directly valuable. I would recommend it to all IT security professionals. It provides a set of comprehensive and vendor-neutral cloud computing principles that are invaluable across security roles and responsibilities. The CSA Security Guidance v4 document will be required reading for all my engineering talent in our organization going forward.

You said you found so much of the CCSK content “directly valuable.” Could you talk more about the specific content you were able to use in your job?

Sure. As a CTO of a SaaS company, I am often engaged in prospect and customer discussion around our product’s security posture. I have found all of the domains to be helpful, but I find two domains especially helpful based on where a customer is on their cloud journey. Domain 1, “Cloud Computing Concepts and Architectures,” is especially helpful when establishing a conversation with a customer who is very early on their journey, helping establish what the shared responsibility model will look like. For customers who are well on their cloud journey, I find Domain 6, “Management Plane and Business Continuity,” to be extremely helpful, as the management plane is where the customer will be implementing the majority of their security controls under the shared responsibility model.

What’s the value in a vendor-neutral certificate like the CCSK or CCSP versus getting certified by AWS? In what scenario are the different certificates important?

The CCSK or CCSP provide the most value to individuals who may need to work with an array of cloud vendors. Many organizations have a mix of CSPs who provide a range of SaaS and IaaS solutions. Individuals responsible for the overall security posture of the organization cannot be expected to hold a certification for each CSP’s technology stack. This is where the CCSK or CCSP become valuable as you have a credential that is relevant to assessing the overall security posture regardless of vendor specific technical details. Vendor certifications are valuable to those individuals in the organization who are configuring and administering those specific CSP solutions.

What’s a common problem you see organizations struggling with when migrating to the cloud?

As the CTO I am frequently engaged in discussions with customers and prospects around the security posture of our SaaS product. It is no small understatement to say that there is a lot of education that needs to be done within enterprise IT security teams. Companies struggle to ask the right questions around cloud security as many still do not fundamentally understand the benefits of the cloud. Each organization has a separate set of questions or controls they want to discuss which takes considerable effort from both internal IT security resources and SaaS provider security teams.

This led me to the Cloud Security Alliance (CSA) and the Cloud Controls Matrix (CCM). The CCM addresses these pain points by providing a standardized controls matrix that can be used to drive the discussion between cloud vendors and cloud customers.

How did CCM help communicate with customers?

By providing our standard CCM to prospects and customers along with our other compliance certifications and security assets we can rapidly assure customers and prospects that we are “Protecting the covenant of trust.”

When you said, “companies struggle to ask the right questions around cloud,” what types of questions are companies asking that they shouldn’t be asking? What types of questions do they need to be asking?

Many of the questions I respond to are very granular, infrastructure-related questions phrased or worded in terminology that is very specific to on-premise services. I seldom get asked about the management plane and the security controls and capabilities that fall under the responsibility of a customer in the shared responsibility model. The major CSPs have extremely mature security controls with compliance, certifications, and other attestations around their infrastructure components. While important to review that material and understand the infrastructure controls, the greatest risk is misconfiguration of the cloud services by the customer. Therefore, customers and prospects would be better served by understanding the management plane and security controls that are their responsibility to configure. This applies to all service models whether SaaS, PaaS, or IaaS.


Some people are unfamiliar with the CSA Security Guidance. What would you compare it to?

All of the major cloud vendors across the service models have detailed documentation and guidance on their security postures and available controls. However, most enterprises have multiple cloud service providers with different delivery models and what is missing is a way to establish a common dialog across these CSPs’ security capabilities. In this regard I would compare the CSA security guidance to a critical guidebook that helps you establish a common dialog across CSPs as you evaluate their security postures.

What’s the biggest hurdle for security professionals who aren’t familiar with the cloud yet?

I think the biggest challenge is that there are so many different cloud technologies which can cause analysis paralysis. Do I get started with IaaS? If so do I pursue AWS, Azure, or Google? Do I start with a huge SaaS / PaaS vendor like Salesforce or ServiceNow? What will be most relevant? And when you couple this large array of CSPs with continually evolving technologies like serverless, it can be overwhelming to many. My advice is you can’t go wrong with any one vendor. You kind of need to just dive in the pool so to speak. Keep up the great work CSA!

If you’re interested in learning more about cloud security training for you or your team, please visit our CCSK Training page.



Cory Cowgill is the Vice President & Chief Technology Officer of Fusion Risk Management, Inc., where he is responsible for research and development, customer engagement, operations and security, and go-to-market initiatives. With a background in enterprise software development spanning multiple industries, Cowgill leads with a dedication to technology and risk management.

How Can the Financial Industry Innovate Faster?

By Peter HJ van Eijk, Head Coach and Cloud Architect, ClubCloudComputing.com


How can the financial industry innovate faster? Why do non-technical people need to have a basic understanding of cloud technology?

Imagine this scenario. Davinci is a company providing a SaaS solution to banks to process loans and mortgage applications. Davinci runs its own software on an AWS platform, and a significant number of large mortgage providers depend on the service. As you can imagine, the loan approval process involves a lot of personal and financial data, which naturally presents a tremendous privacy risk. This raises the question of who is going to take care of these and other risks.

Cloud security: Who does what?

Cloud distributes responsibility for IT services across an IT supply chain. This supply chain is composed of independent providers, which implies that companies have technical boundaries that are matched by organizational and contractual boundaries. The concept of having technical boundaries is new—this issue didn’t exist before the digital revolution.

In our example, there is both an organizational and a technical boundary between the mortgage providers and the SaaS provider. So the question is, what happens on either side?

Amazon Web Services calls this the shared responsibility model for cloud security. I would simplify that as: What do I do, and what do you do? For example, who is responsible for patching the Operating System in an IaaS service model? Who is responsible for protecting customer data in a SaaS model? The answer will vary from company to company, technology to technology, and even from threat to threat.

Allocation of shared responsibility

Legal contracts must address the allocation of responsibilities, otherwise they are not enforceable. But who is going to check those contracts? Who needs to make sure the contracts actually specify those tasks, lay out who is responsible for doing them, and say how to monitor and enforce them? Typically, this is a job for procurement and legal.

Because of this, people (in this case: procurement and legal) need to have a solid understanding not only of the given service, but also of which (technical) tasks are not part of that service.

A baseline understanding of cloud responsibilities is critical. Insufficient understanding delays the entire assessment process and reduces its quality. As one of my legal course students once said:

When I go into a conversation with a cloud provider I have time for, let’s say, 10 questions. If all these questions go to understanding basic cloud terminology and technology, I have missed the opportunity to talk about the real risk and opportunity for our company.

My takeaway from this is the following: Educate your lawyers, procurement and so on. Help them understand the cloud well enough to ask educated questions. Help them know where technical boundaries need to be translated into legal controls. Help them understand the technical and organizational shared responsibility model.

When adopting cloud (and thereby sharing responsibility with providers) make sure that everyone involved in the decision-making, implementation and enforcement has a basic understanding of:

  • cloud services and service models;
  • how these services map to technical infrastructure and software; and
  • how each of these can be located in different places and be under the control of different organizations.

Adopt faster

Better understanding of the shared responsibility model leads to faster cloud adoption because it reduces fruitless back and forth on ‘who does what.’

There are several ways to better understand the shared responsibility model. But in my opinion, the best way to gain deeper understanding, speed up dialogue, and accelerate profitable and secure cloud adoption is to study a vendor-neutral body of knowledge such as that demonstrated by CSA’s Certificate of Cloud Security Knowledge (CCSK). The CCSK tests for a broad foundation of knowledge about cloud security, with topics ranging from architecture, governance, compliance, operations, encryption, virtualization and much more, and elaborates on understanding cloud models, risks and appropriate controls, as well as the Cloud Controls Matrix, which is a very effective tool in cloud provider evaluation.

Interested in learning more about drivers and barriers to cloud adoption in the financial industry? Here are a few posts and articles to get you started.

Peter van Eijk is one of the world’s most experienced cloud trainers. He has worked for 30+ years in research, with IT service providers and in IT consulting (University of Twente, AT&T Bell Labs, EDS, EUNet, Deloitte). In more than 100 training sessions, he has helped organizations align on security and speed up their cloud adoption. He is an authorized CSA CCSK and (ISC)2 CCSP trainer, and has written or contributed to several cloud training courses.

CCSK in the Wild: Survey of 2018 Certificate Holders

Even as more organizations migrate to the cloud, there’s still a concern as to how well those cloud services are being secured. According to an article by Forbes, “66% of IT professionals say security is their greatest concern in adopting a cloud computing strategy.”

As you embark on your quest to fill this skills gap, you may benefit from learning how other professionals have used certificates to expand and validate their cloud knowledge. In this blog we are going to explore how Certificate of Cloud Security Knowledge (CCSK) is being used in the wild. As the first step into this exploration we surveyed current holders to ask them how their certificate impacted their job, career and overall professional development. A summary of findings from the survey, job board postings and testimonials is shared below.

Topics we’ll discuss in this blog:

  • Survey Findings
  • CCSK in Job Postings
  • Overview of Testimonials

Survey Findings

Of the individuals who had successfully passed the exam, over 40 percent reported that the CCSK helped directly progress their career, either via a salary increase, promotion, or new job/role.

[Graph: “How has your career progressed since earning your CCSK?”]

In some cases CCSK holders were given new responsibilities and moved from a more generic security role into a cloud-focused position. Specialization is key, whether it be through a certification or another learning program. Mike Rosa, Sr. Director Public Sector Security at Salesforce, affirmed this, saying, “The CCSK sets me apart as an expert in Cloud Security, not a security generalist. The world is moving to cloud, and my resume should reflect this change.”

Another common way the certificate helped was building credibility with clients, and helping individuals work within more specialized roles. Since it offered proof of knowledge and established trust, respondents reported being able to better serve their clients’ needs.

One of the more tangible benefits of a certificate is the possibility of a salary increase. Looking at those who reported a salary increase, we saw that 15.61 percent saw an increase of between 8 percent and 10 percent. Below you can see the distribution of individuals who received an increase in salary of some kind.

[Graph: salary increase since earning the CCSK]

Types of Jobs

What types of jobs do CCSK holders have? We found that 22 percent of the people who received a promotion were promoted into a managerial, VP/Director, or Executive role. Titles varied, but the graphic below lists the top keywords found in respondents’ job titles.

[Graphic: job titles held by CCSK holders]

Complementary Certifications

What types of complementary certificates did they hold or pursue? Of the people who took our survey, 52.46 percent also have their CISSP. Certificates and certifications focus on a select area of knowledge, and earning complementary certificates can be valuable. Below are some of the other certifications commonly held.

[Graph: which certifications respondents hold]

The flipside of this question also yielded interesting results. When asked which other certifications people intend to pursue we received mixed results. The percent interested in earning their CCSP was over 30 percent compared to the 15 percent who already held their CCSP when they took the exam.

[Graph: which certifications respondents intend to pursue]

As you may already be aware, one year of experience for the CCSP is covered by earning your CCSK, since the two certificates complement each other. Whereas the CCSK is more tactical, the CCSP has more of a strategic focus. You’re free to draw your own conclusions, but if you’re interested in learning more about the differences between the two, you can read CCSK vs CCSP: An Unbiased Comparison.

Job Board Searches

A question we often get is whether or not employers are looking for the CCSK and how frequently it shows up on job boards. For job postings, HPE recently conducted a search of posts listing cloud certifications as a credential. They conducted the search for the CCSS, CCSP, PCSM and several other cloud certifications on the market. Below is a summary of the results they gleaned for the CCSK.

February 2018 Job Search

Certificate   SimplyHired   Indeed   LinkedIn   LinkUp   Total
CCSK                  180      224        145      132     681

These results vary depending on location and time of year; however, they give a good estimate of what to expect. In an informal search during October, we found the following results for the United States.

October 2018 Job Search

Certificate   SimplyHired   Indeed   LinkedIn   LinkUp   Total
CCSK                   89      321        231      258     899

The number of postings went up, but the actual number of listings varies throughout the year. As with all things, it is best to do your own research before determining if the CCSK is right for you. Job titles listed included: Network Security Engineer, Security Consultant, Information Security Cloud Governance Engineer, Cloud Security Architect and Sr. Security Engineer, to name a few.

Overview of Testimonials

Last but not least, we collected written feedback on how earning the cloud certificate specifically helped in people’s jobs or careers. To make it easier to digest, we grouped the responses into the following categories.

Survey Testimonials Revealed

  • How their career progressed
  • How CCSK helped build credibility with clients
  • What makes the CCSK unique from other certificates
  • How it helped them on the job
  • Benefits of a vendor-neutral certificate

In the following blog posts we will be exploring some of these topics more in depth. For now we’ve listed snippets from the testimonials we received that give you an idea of what people said.

How has the CCSK helped progress your career?

[Graphic: answers to “How has the CCSK helped progress your career?”]

Whether or not you opt for a cloud certification there are plenty of ways to learn more about cloud security. A couple of free resources that CSA has available for you to use include: CloudBytes webinars, research artifacts and the CCSK Prep-Kit.

Interested in going deeper? Learn how to earn your Certificate in Cloud Security Knowledge by visiting our website.

Cybersecurity Certifications That Make a Difference

By Jon-Michael C. Brook, Principal, Guide Holdings, LLC

The security industry is understaffed. By a lot. Previous estimates by the Ponemon Institute suggest as much as 50 percent underemployment for cybersecurity positions. Seventy percent of existing IT security organizations are understaffed and 58 percent say it’s difficult to retain qualified candidates. ESG’s 2017 annual global survey of IT and cybersecurity professionals suggests the biggest shortage of skills has been in cybersecurity for at least six years running. It’s a fast-moving field with hackers’ crosshairs constantly targeting companies; mess up and you’re on the front page of the Wall Street Journal. With all of the pressure and demand, security is also one of the best-paying segments of IT.

Cybersecurity is a different vernacular, with a set of acronyms and ideas far outside even those of its information technology brethren. For the gold standard as a security professional, the title to have is the Certified Information Systems Security Professional (CISSP) from the ISC2 (isc2.org). The requirements have grown increasingly strict since my testing in 2001. Not lax, mind you, but five-year industry minimums and certified professional attestation give the credential even more heft. There is an associate version available, the Associate Systems Security Certified Practitioner (SSCP), that eliminates the time and sponsorship minimums and would be appropriate for someone new to the field.

Adding to the professional shortages are new IT delivery methods, a la cloud computing. Amazon Web Services is the giant in the space, offering several certifications for cloud architecture and implementation. Microsoft and Google round out the top three. These, too, are hot commodities, as cloud is a relatively nascent industry and not very well understood. Layer security onto the cloud platform, and you find certifications such as the Cloud Security Alliance’s Certificate of Cloud Security Knowledge (CCSK) and, again, the ISC2’s Certified Cloud Security Professional (CCSP). In 2017, Certification Magazine listed cloud security certifications as offering some of the highest salary increases available to an IT professional.

One caveat to all of the excitement of underemployment: recruiters, headhunters and hiring managers. Position requirements are sometimes outlandish or poorly vetted, such as the requisition asking for 10 years of cloud and 20 years of security experience. Amazon Web Services started in 2006. Microsoft Azure and Google Compute Platform were seen as cannibalistic to existing revenue streams. Even five years of cloud industry experience is a lifetime, and the industry moves so fast that AWS’s Certified Solutions Architect (AWS-ASA) requires re-certification every two years vs. the standard three for the rest of IT. They, too, have a security exam recently out of beta, the AWS Certified Security Specialty, though it requires one of their associate certifications first.

If you have the appetite for learning, add privacy to the mix. The number of industry vertical regulations (healthcare’s HIPAA, Payment Card Industry’s PCI-DSS, finance’s FINRA/SOX, etc…) and regionally specific requirements (EU’s GDPR) have the International Association of Privacy Professionals (IAPP) offering eight Certified Information Privacy Professional (CIPP) certifications. As an IT professional in the US, the Certified Information Privacy Technologist (CIPT) and CIPP/US are probably the most attainable and attractive.

Jon-Michael C. Brook, Principal at Guide Holdings, LLC, has 20 years of experience in information security with such organizations as Raytheon, Northrop Grumman, Booz Allen Hamilton, Optiv Security and Symantec. He is co-chair of CSA’s Top Threats Working Group and the Cloud Broker Working Group, and contributor to several additional working groups. Brook is a Certified Certificate of Cloud Security Knowledge+ (CCSK+) trainer and Cloud Controls Matrix (CCM) reviewer and trainer.

Prepare to Take (and Ace) the CCSK Exam at Infosecurity Europe

By Ryan Bergsma, Training Program Director, Cloud Security Alliance

Here’s a riddle for you. It’s been called the “mother of all cloud computing security certifications” by CIO Magazine. Search Cloud Security said it’s “a good alternative cloud security certification for an entry-level to midrange security professional with an interest in cloud security.” And, Certification Magazine listed it at #1 on the Average Salary Survey 2016. What is it?

If you answered CSA’s Certificate of Cloud Security Knowledge, more commonly known as CCSK, give yourself a pat on the back. If you’re attending Infosecurity Europe 2018 then give yourself the gift that keeps on giving and register for our CCSK v4 certification training course on June 7. Taught by renowned cloud security expert Peter HJ van Eijk, this one-day workshop will prepare you to take (and ace) the exam.

This exam prep course reflects the fact that the body of knowledge and the CCSK were recently updated to version 4, and includes such relevant topics as DevOps, big data and IoT. Not only will you get up to speed on the latest in cloud security, but by earning your CCSK you’ll be demonstrating that you have the requisite skills and knowledge to ensure that cloud services are implemented and utilized within your organization with the appropriate security controls in place, spanning technical as well as management and governance domains.

Still on the fence? The course price includes the cost of the exam, a $395 value. That’s what we call a sound investment.


CCSK Certification vs AWS Certification – A Definitive Guide

By Graham Thompson, CCSK, CCSP, CISSP, Authorized Trainer, Intrinsec Security

I was recently asked about CCSK certification vs AWS certification and which one should be pursued by someone looking to get into cloud security. This post tries to address the question “which cloud certification is right for you?” I’ll give you a lay of the land for both certifications, available training, and the exams, and then conclude with thoughts on which certification is right for you.

Certificate of Cloud Security Knowledge (CCSK)

The Certificate of Cloud Security Knowledge (CCSK) is from a research organization called the Cloud Security Alliance (CSA). The CSA has created guidance for securing cloud services and released a recently updated version of this guidance (CSA Guidance v4). The guidance is about 150 pages and covers most of the knowledge required to successfully pass the CCSK exam (more about the exam down below).

In a nutshell, the goal of the CCSK is a vendor-neutral look at all cloud security issues that covers the three following areas of knowledge:

Cloud computing concepts and architectures

It begins with answering the question “what is cloud computing,” moves on to the differences between, and other fundamental cloud knowledge.

  • Definitions
  • Service Models (SaaS, PaaS, IaaS)
  • Deployment Models (e.g. Public Cloud, Private Cloud)
  • Reference Architectures
  • Cloud Security Models

Governing in the cloud

Like everything else, cloud security doesn’t (shouldn’t?) operate in a silo. The CCSK addresses how cloud changes governance, risk management and compliance. Other aspects of governing in the cloud include:

  • Contracts
  • Audit management
  • Information governance
  • Business continuity
  • Jurisdictional issues
  • Legal concerns

This information should be known by all individuals who are responsible for governing (and operating) cloud services, regardless of the service models being consumed in your organization.

Operating in the cloud

Moving forward, the CCSK covers the technical components of cloud systems such as:

  • Virtualization (e.g. hypervisors, Software Defined Networks (SDN), VLANs)
  • Containers
  • Incident Response
  • Application Security
  • Data Security and Encryption
  • Identity, Entitlement and Access Management
  • Security as a Service
  • Related Technologies (e.g. DevOps, Immutable Infrastructure, IoT, etc.)

CCSK training

Should you take the training or self-study for the CCSK certification exam? That’s your call. Personally, I’m always a fan of doing training because it allows me to get away from the office and completely immerse myself in the subject at hand. I also get the opportunity to learn how things work in the “real world.”

If you prefer the self-study route, you have all the documentation you need listed below to take the exam.

If you are looking at the training route for yourself or your company, you can check out our offerings here. We offer the official and authorized CCSK in on-demand, on-line and in-person settings. We can also offer on-site training that is modified to your corporate requirements. (If you are looking for more info, a lot of these details about the CCSK can be found on Cloud Security Alliance’s website.)

All course registrants also get access to our exclusive CCSK exam prep kit that includes:

  • Immediate access to on-demand CCSK v4 course
  • CCSK exam v4 prep videos
  • Hundreds of CCSK v4 pre-test questions
  • Pre-paid token for the actual CCSK v4 exam

Note: Unfortunately, we are prohibited from offering the exam prep package as a stand-alone product.

CCSK certification exam

In addition to the CSA Guidance, you’ll need to read and understand CSA’s Cloud Controls Matrix (CCM), the Consensus Assessment Initiative Questionnaire (CAIQ), and finally the ENISA Cloud Computing Risk Assessment document. All documents are available from the following download links.

CCSK exam details

The exam itself is taken online any time you wish. There are 60 questions, and you are given 90 minutes to finish. It is an open-book exam, but don’t let that fool you – it’s a pretty tough exam, and I have seen people from various backgrounds fail.

My belief on the reason people fail the exam is because of the diverse nature of the CCSK exam itself. You’re looking at an exam that addresses both cloud operations and cloud governance. Most people will be strong in one or the other, but rarely is someone well-versed in both areas. If you’re in a technical position at work, you’ll need to focus on governance and vice versa, of course.

We have published some pre-test practice questions for exam candidates who are looking to see what they might be up against before taking the actual test. All the questions are based on the new v4 version of the CCSK exam.

Ready to get started? Download the CSA CCSK prep kit or look for upcoming training sessions near you.

Amazon Web Services (AWS Certification)


Amazon has multiple AWS and specialty certifications available.

For convenience, I’m including the roadmap graphic that was on the AWS certification site below:

As you can see, there’s more to the question “CCSK or AWS Certification.” AWS has multiple streams available, but I’m going under the assumption that most people mean the AWS Certified Solutions Architect designation.

Regardless of the track or specialty, let’s make one thing extremely clear: AWS is a vendor and the complete focus will be on HOW things are done in AWS, specifically. Amazon says so themselves in their certification descriptions: “technical role-based certification.”

AWS Certified Solutions Architect – Associate

Below is the list of recommended knowledge you should have before even considering the AWS Architect – Associate exam. I have done this exam (yes, I passed) and I wrote about my thoughts on that exam here.

  • One year of hands-on experience designing available, cost-efficient, fault-tolerant, and scalable distributed systems on AWS
  • Hands-on experience using compute, networking, storage, and database AWS services
  • Hands-on experience with AWS deployment and management services
  • Ability to identify and define technical requirements for an AWS-based application
  • Ability to identify which AWS services meet a given technical requirement
  • Knowledge of recommended best practices for building secure and reliable applications on the AWS platform
  • An understanding of the basic architectural principles of building on the AWS Cloud
  • An understanding of the AWS global infrastructure
  • An understanding of network technologies as they relate to AWS
  • An understanding of security features and tools that AWS provides and how they relate to traditional services

More information about the associate level certification from Amazon can be found here.

AWS Certified Solutions Architect – Professional

I have not taken this exam. That said, I have worked with many people who have taken and passed the professional exam. These people really know their AWS stuff. I think it is fair to say there aren’t many people who have the professional designation who just know the theory of things, but rather have years of practical hands-on experience in AWS.

In order to take the professional-level exam you must have the associate-level certification already.

Here is the list of knowledge AWS expects their professional architect holders to have:

  • Designing and deploying dynamically scalable, highly available, fault-tolerant, and reliable applications on AWS
  • Selecting appropriate AWS services to design and deploy an application based on given requirements
  • Migrating complex, multi-tier applications on AWS
  • Designing and deploying enterprise-wide scalable operations on AWS
  • Implementing cost-control strategies

In my view, you’re expected to be able to take everything you know from the associate level and apply it to enterprise scale.

More information about the professional level certification from Amazon can be found here.

AWS training

For the AWS Architect – Associate certification, you can either take the self-study approach or attend an actual training session. Bottom line here is this is not a theory-based exam. You will need to have actually spun up server instances and have worked with AWS services before taking the actual exam.

Amazon has excellent learning collateral in their whitepapers that you should study if you are going solo. The resources they recommend are:

If you’re looking for an AWS Architect – Associate training session, the applicable course is a 3-day session called Architecting on AWS. Their course schedule page can be found here.

The applicable AWS Architect – Professional course is the 3-day Advanced Architecting on AWS course. The course schedule page can be found here.

AWS certification exam

A word to the wise. Passing the AWS Architect is all about two things:

  1. Hands-on experience, and
  2. Knowing what is covered in the exam.

As I mention in my thoughts on the AWS exam piece, buy the practice exam. Don’t even think about cheaping out on this one. Seriously. Doubly seriously if you’re doing the self-study approach.

AWS exam details

The AWS exam is a scaled score exam. In other words, not all questions have the same value. Easy questions are worth less than harder ones. I’m not alone when I say I hate these types of exams as you have no idea how you’re actually doing as you go through the questions. And an added bonus, Amazon states you need a “720” (out of 1,000) to pass the test, which does not mean 72 percent because the questions all have different values.

Download the AWS Certified Solutions Architect – Associate exam guide (February 2018).

Download the AWS Certified Solutions Architect – Professional exam guide.

Which cloud certification is right for you?

As we covered, the two certifications are not similar at all. The CCSK is relevant to both governance and operational security of cloud services. It is written by an independent body and is completely vendor agnostic. The AWS certifications are 100-percent technical and are specific to AWS implementations.

  • CCSK certification addresses the “what” of cloud security
  • AWS certification addresses the “how” of AWS implementations

If you are looking to understand cloud security challenges, the CCSK is right for you. If you are in management and need to understand the impact cloud services will have on your organization, the CCSK is for you. If you work in operations and need to better understand the security challenges associated with cloud in general, the CCSK is for you.

If you are working in a dedicated AWS technical position, the AWS Certified Architect is the certification you should go with. If you are working with AWS in a security capacity, you should do the CCSK first, then follow up with the vendor-specific AWS training.

From a corporate perspective, everyone involved with information technology, ranging from procurement through risk management and operations should attend the CCSK session, even if it is an accelerated 1-day “awareness” session.

Graham Thompson is a cloud security architect and delivers both CCSK and CCSP official courses as an authorized trainer for Intrinsec Security. You can reach Graham on LinkedIn or by old fashioned e-mail.

CCSK vs CCSP: An Unbiased Comparison

By Graham Thompson, CCSK, CCSP, CISSP, Authorized Trainer, Intrinsec Security

Introduction

CCSK vs CCSP: I’m commonly asked two questions whenever someone discovers I’m an instructor for both the Cloud Security Alliance CCSK and (ISC)² CCSP courses:

1 – “What’s the difference between the two certifications?”
2 – “How hard is the CCSK exam?” … It’s very hard, but more on that later!

In this entry I’ll identify the differences between two of the industry’s highest regarded cloud security certifications, CCSK and CCSP. Hopefully after reading you’ll know which certification will better fit your professional goals. I don’t believe I have a bias here because I’ve been teaching both courses for a while. In fact, I delivered the first public CCSK course outside of the initial Train-the-Trainer in San Jose. As for the CCSP, I actually helped develop that course. I believe what follows is an honest opinion between the two courses.

CCSK | Certificate of Cloud Security Knowledge (Updated for v4 Course)

The Certificate of Cloud Security Knowledge (CCSK) by the Cloud Security Alliance is considered to be the grand-daddy of cloud security certifications. Why? Primarily because the CCSK was quite literally the industry’s first examination of cloud security knowledge when it was released back in 2011. The course breakdown is roughly split 60/40 between tactical (technical) and strategic (business driven) discussion of cloud security. It is agnostic in approach. To be honest, when I’m delivering CCSK training I probably spend a little too much time equating IaaS tactical security discussions to how it’s done in AWS, but I (and students) feel this approach drives home the controls they cover in the course.

Update for CCSK Version 4

The best way to describe the updates for CCSK v4 is that, from a strategic 20,000-foot view, it’s mostly more of the same. Governance, contracts, risk management and legal aspects are covered to mostly the same degree, but the coverage has been expanded to be more global in nature.

However, drop down the viewpoint to that of a more tactical 1,000-foot view and the updated version is very different. Example: leveraging Lambda serverless computing and object storage to remove network attack paths back to the datacenter isn’t exactly a governance item; but from a more tactical approach, it really shows the different architecture patterns you can leverage in cloud that are basically impossible in traditional computing. They also pull in discussions that didn’t exist before such as containers, CI/CD toolchains, DevOps, Chaos engineering and expanded discussions surrounding Software Defined Networking security concepts.

CCSK Course Details

For the CCSK course itself, it’s delivered in two different formats:

  • CCSK Foundation (1 or 2-day course)
  • CCSK PLUS (2 or 3-day course)

What’s the main difference between the two different formats, aside from the course length? It comes down to practical experience and course exercises.

  • The CCSK Foundation format can be delivered over one day, which means you have the time to review theory, but not enough for in-depth class discussion or practical exercises.
  • The CCSK PLUS has everything presented in the CCSK Foundation format, but with more time to really drive home the major topics and learning objectives with course exercises/activities. Quite literally, the following formula applies:

CCSK PLUS = CCSK Foundation + AWS labs

In my personal opinion, a person with limited cloud exposure will find a 1-day crash course to be a complete waste of time. I’ve seen it myself, and that is why as a trainer I don’t usually deliver the course in a single day. However, if you are new to cloud and can only do the 1-day session, do yourself a favor and read/understand the Guidance v4 document before you take the class. Alternatively, if you’ve been working in cloud for a while and are looking to understand what CSA has to say on cloud security, you would likely prefer the 1-day approach. If you are looking for more info, a lot of these details about the CCSK can be found on Cloud Security Alliance’s website.

CCSK Exam Breakdown

I mentioned the exam was pretty hard at the start of this blog entry. The reason for this has everything to do with the split between tactical and strategic domains of knowledge.

People are either tactical types or strategic governance types. The tactical types enjoy the bits and bytes of computing, and that’s totally cool. Then you have the governance types. These are the managers, directors and others whose mindset is how the business as a whole may be impacted by cloud adoption. One person having a foot in both areas is pretty rare, and that is what makes the CCSK exam so hard. I’ve seen hardcore techies fail, and I’ve seen MBAs fail.

One thing to note that I’ve heard from heads of training departments has to do with it being an open-book exam that is not proctored; rather, it is taken online from any location (home/office/hotel). It appears these traits lead some to think less of the exam because it doesn’t seem to be as “legitimate” as a closed-book, proctored one. I still contend properly written open-book exams are legitimate and the exam is tough. I believe it would be impossible to answer 60 questions in 90 minutes if you have to research every question. I would have no problem hiring someone who has a CCSK but not the CCSP.

Continuing Professional Education Credits (CPE)

The CCSK course is CPE eligible. Keep in mind the CPE guidelines for courses are that you must take lunch and breaks into account, meaning a 3-day course winds up netting you 21 CPEs (7 per day). Not bad! Side note: the CCSK does not require CPE maintenance; once you have earned it, it’s yours.

Concluding Thoughts on CCSK

With the updated v4 content, the CCSK remains highly relevant to security professionals who are seeking a course that delivers a general tactical and strategic understanding of the challenges and advantages of cloud. Ready to get started? Download our CCSK prep kit or look for upcoming training sessions near you. If, instead, you are looking for coverage of traditional information security concepts in addition to cloud specific issues, you might want to look at the CCSP.

CCSP | Certified Cloud Security Professional (updated for 2017 version)

(ISC)² is the organization that gets the credit for the CCSP. However, (ISC)² and the Cloud Security Alliance (the organization that founded the CCSK) collaborated to create the CCSP course and certification exam. (ISC)² is also the same organization that developed the popular CISSP designation. The CCSP looks and feels like a cloud version of the CISSP.

The CCSP is, in my humble opinion, more suited for CISSP holders. The CCSP goes into many subjects that are assumed knowledge in the CCSK. For example, the OSI reference model is covered in the CCSP, whereas the CCSK assumes you have this knowledge already when talking about encapsulation of packets in an SDN network.

Course Details

The main difference between CCSP and CCSK can be found in three areas: expanded governance discussion, datacenter security and privacy. A CISSP is expected to understand a wide range of security domains, and (ISC)² wants to ensure that CCSP-certified professionals are fully aware of the governance and security issues that come along with cloud, the datacenter and the privacy of consumers using cloud services. So really, when the dust settles, the following formula pretty much sums up the new CCSP:

CCSP = CCSK + Expanded Governance Items + Traditional Security + Privacy

The CCSP course is typically delivered over a 5-day period. There’s some repetition in the material and you can finish it in the allotted 5 days. I wouldn’t say it can be done in 4 days either.

Course Format

The CCSP course is pretty much 100% lecture. There are no labs at all. Zero. None. Zilch. Nada. Instead, you have a series of Q&A and work-group type of scenarios that are peppered throughout the course. This makes the CCSP a course that could be considered more strategic in nature. I would give the CCSP a 70% strategic, 30% tactical approach; almost the inverse of the CCSK.

Update for 2017 version

(ISC)² updated the CCSP Common Body of Knowledge (CBK) and the course in 2017. The CBK itself is about 150 pages bigger than its predecessor (735 vs 584). This update expands on concepts, introduces new subjects (such as economics of cloud, business requirements, etc.) and new technologies (e.g. DevOps, containers, etc.), albeit to a lesser technical degree than the CCSK.

CCSP Exam Breakdown

As for the exam itself, I’m under an NDA, so I naturally can’t get into the types of questions they present. I think it would be a fair statement though to say the average CCSP exam candidate is a CISSP holder and would be tested on knowledge of both cloud and traditional data center security concepts.

Continuing Professional Education Credits (CPE)

CCSP is listed as a 40-hour course, so you should be taking home roughly 35 CPEs. Of note for current CISSPs is that future CPEs earned apply to both the CISSP and CCSP designations. Keep in mind that the CSA’s CCSK can be substituted for one year of experience in pursuit of the (ISC)² CCSP certification.

Concluding Thoughts on CCSP

While the latest version of the CCSP expands discussion on strategic issues it doesn’t get into the same depth of tactical discussion that is found in the CCSK. The course is written along the same lines of the CISSP, so coverage includes everything that an Information Security Professional should know to secure an environment, ranging from the physical design of a datacenter up to cloud application security.

CCSK vs. CCSP | Final Thoughts

As I said earlier, I don’t have a bias here. I’ve laid out what I consider to be the strengths of both offerings. This table basically recaps some highlights:

| CCSK Course Highlights | CCSP Course Highlights |
|---|---|
| 100% focused on cloud security | Covers traditional information security and cloud security |
| 60% tactical, 40% strategic | 70% strategic, 30% tactical |
| Quicker delivery and more comprehensive review of cloud-specific technologies (e.g. SDN, DevOps, Serverless) | More comprehensive review of IT security principles along the lines of the CISSP CBK |
| Less expensive course and exam | More expensive course and exam |
| Open book exam online (exam included with training cost) | Closed book proctored exam at testing center (exam additional charge) |

Which Do I Prefer?

I appreciate the coverage of the CCSP, but if I had to do only one, I would do the CCSK because it is 100% focused on cloud security, and architectural patterns as well as cloud-specific technologies are covered in greater depth (even more so after the v4 update). I also prefer how it’s consumed in a shorter time frame (due to the aforementioned cloud focus).

If you have the time and resources doing both is not a bad idea either. In that case, I would do the CCSK first then the CCSP (and the CCSK counts as 1 year of experience towards the CCSP requirements, as well). Either way, the only way you can go wrong is by not doing either one.

About the author
Graham Thompson is a cloud security architect and delivers both CCSK and CCSP official courses as an authorized trainer for Intrinsec Security. You can reach Graham on LinkedIn or by old fashioned e-mail.

Five Reasons to Reserve Your Seat at the CCSK Plus Hands-on Course at RSAC 2018

By Ryan Bergsma, Training Program Director, Cloud Security Alliance

The IT job market is tough and it’s even tougher to stand out from the pack, whether it’s to your current boss or a prospective one. There is one thing, though, that can put you head and shoulders above the rest: achieving your Certificate of Cloud Security Knowledge (CCSK). CCSK certificate holders have an advantage over their colleagues and get noticed by employers across the IT industry, and no wonder.

It’s been called the “mother of all cloud computing security certifications” by CIO Magazine, and Search Cloud Security notes that it’s “a good alternative cloud security certification for an entry-level to midrange security professional with an interest in cloud security.” So it was no surprise when Certification Magazine listed CCSK at #1 on the Average Salary Survey 2016.

For those interested in taking their careers to the next level, we are offering the CCSK Plus Hands-on Course (San Francisco, April 15-16) at the 2018 RSA Conference.

Our intensive 2-day course gives you hands-on, in-depth cloud security training, where you’ll learn to apply your knowledge as you perform a series of exercises to complete a scenario bringing a fictional organization securely into the cloud.

Divided into six theoretical modules and six lab exercises, the course begins with a detailed description of cloud computing, and goes on to cover material from the official Security Guidance for Critical Areas of Focus in Cloud Computing, Cloud Controls Matrix v3.0.1 (CCM) documents from Cloud Security Alliance, and recommendations from the European Network and Information Security Agency (ENISA).

Still on the fence? Here are five reasons you need to register today.

  1. Get trained by THE best in the business. Rich Mogull, a prominent industry analyst and sought-after speaker at events such as RSAC and BlackHat, will be there to guide you through this 2-day, intensive cloud security course. Not only is he the most experienced CCSK trainer in the industry, but he created the course content. Need we say more?
  2. Gain actionable security knowledge. In addition to learning the foundational differences of cloud, you’ll acquire practical knowledge and the skills to build and maintain a secure cloud business environment right away. It’s good for you and good for your company.
  3. Make the boss sit up and notice. Your newfound knowledge will translate to increased confidence and credibility when working within the cloud, and just maybe a better job or dare we say, a raise?
  4. Move to the head of the class. By the end of the course, you’ll be prepared to take the CCSK exam to earn your Cloud Security Alliance CCSK v4.0 certificate, a highly regarded certification throughout the industry certifying competency in key cloud security areas. ‘Nuff said.
  5. Invest in your future. The course price includes the cost of the exam, a $395 value. That’s what we call a sound investment.

Still not convinced? Watch this and you will be.

Register.