Roadmap to Earning Your Certificate in Cloud Security Knowledge (CCSK)

By Ryan Bergsma, Training Program Director, Cloud Security Alliance

In this blog we’ll be taking a look at how to earn your Certificate of Cloud Security Knowledge (CCSK), from study materials, to how to prepare, to the details of the exam, including a module breakdown, passing rates, format etc. If you’re considering earning your CCSK, or just exploring the possibility, this will give you a good idea of what to expect and resources to draw from as you prepare. At the end I’ve also added some recommendations for how to continue learning cloud security after you’ve earned your CCSK. First things first, let’s cover what you’ll need to know in order to pass the exam successfully.

Step 1. What You’ll Need to Know

Recommended Experience

While there is no official work experience required, it can be helpful for attendees to have at least a basic understanding of security fundamentals, such as firewalls, secure development, encryption, and identity and access management.

Topics Covered

Cloud Computing Fundamentals

To start, you’ll need to know the fundamentals of cloud computing, including definitions, architectures, and the role of virtualization. Key topics you’ll need to be familiar with are cloud computing service models, delivery models, and the fundamental characteristics of cloud. You’ll also need to be familiar with the Shared Responsibilities Model.

———

Infrastructure Security for Cloud Computing

As far as infrastructure security goes, you’ll need to understand the details of securing the core infrastructure for cloud computing, including cloud components, networks, management interfaces, and administrator credentials. You’ll also need to understand virtual networking and workload security, including the basics of containers and serverless.

———

Managing Cloud Security and Risk

For this section you need to know the important considerations of managing security for cloud computing. That includes risk assessment and governance, as well as legal and compliance issues, such as discovery requirements in the cloud. You’ll also need to know how to use important CSA risk tools including the CAIQ, CCM, and STAR registry and how cloud impacts IT audits.

———

Data Security for Cloud Computing

One of the biggest issues in cloud security is protecting data, so you will need to understand how data is stored and secured in the cloud. You will also need to know how the data security lifecycle is impacted by cloud and how to apply security controls in a cloud environment. Other important topics include cloud storage models, data security issues with different delivery models, and managing encryption in and for the cloud, including customer managed keys (BYOK).

———

Application Security and Identity Management for Cloud Computing

Another important area you’ll be tested on is identity and access management and application security for cloud deployments. Topics you’ll need to learn include federated identity, different IAM applications, secure development, and managing application security in and for the cloud.

———

Cloud Security Operations

Lastly, you’ll be tested on key considerations when evaluating, selecting, and managing cloud computing providers. Make sure you also understand the role of Security as a Service providers and the impact of cloud on incident response.

———


Step 2. How to Study

Get advice from peers…

I’d recommend checking out our Q&A blog series, CCSK Success Stories, where we asked individuals about their experience preparing for and taking the exam. Having prepared for and gone through the exam themselves, they are able to offer insight into what topics they found most challenging, and what you should focus on.

Choose How to Study

Self-study. I’d recommend taking this route if you don’t have the time or budget to complete a training course, or already have experience in cloud security. You can study for the exam on your own by downloading our free CCSK prep-kit here.

Self-paced training online. If you want training but have a hard time fitting in a regular course and need something flexible enough for your schedule and budget then our self-paced training may be a good fit. You can complete CCSK training modules on-the-go, without any deadlines, at a pace that’s right for you. Preview the course for free here.

Online training with an instructor. For individuals who work best when they can ask questions, the online instructor-led training is a good fit. It may also be an option for companies with a tight travel budget, since it still offers you the ability to attend regularly scheduled class sessions.

In-person training. Of course, in-person training is always nice to have. You get the opportunity to interact with an instructor face to face, ask questions and learn in the same room with other students.

CCSK Plus Course with hands-on labs. This extended version of the CCSK course offers a more practical implementation of the material. It combines the knowledge covered in the regular CCSK Fundamentals Course with hands-on labs where you can practice applying what you learn in real-life scenarios.

Download Study Materials

CSA Security Guidance v.4. This document provides guidance on how to keep your organization secure on the cloud. It is built on previous iterations of the security guidance, dedicated research, public participation from CSA members, working groups, and the industry experts within our community. The latest version incorporates advances in cloud, security, and supporting technologies, reflects on real-world cloud security practices, integrates the latest CSA research projects, and offers guidance for related technologies. Most notably, this version now incorporates IoT, blockchain and DevSecOps into its guidelines.

The Cloud Controls Matrix. The CSA Cloud Controls Matrix (CCM) provides fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. It builds off of the Security Guidance v4 by giving a detailed understanding of security concepts and principles aligned to its 14 domains.

ENISA’s Cloud Computing Risk Assessment. This document was created by the European Union Agency for Network and Information Security (ENISA). It provides an in-depth and independent analysis outlining the information security benefits and key security risks of cloud computing.

The above study materials are included in the CCSK Prep-Kit. Along with the above documents, the prep-kit includes practice questions and other study resources to help you prepare for the exam. You can download it for free here.

Step 3. Review Exam Details

The Exam Format

The exam is open-book and held online. You can start an exam at any time that works for you. The timeline to complete it is 90 minutes, and you’ll be answering 60 questions selected randomly from the CCSK question pool. The minimum passing score is 80%.

Question Format

All the questions are multiple choice or true/false. If you’d like to preview a sample question from each module you can download the free CCSK Prep-Kit. For a more comprehensive practice test that covers multiple questions and material from all the modules you can try our online self-paced course.

Exam Difficulty

With an average passing rate of only 62%, the CCSK is a challenging exam to pass. For this reason, make sure you have read through all of the study materials and thoroughly understand the topics before attempting the test. Below is an approximate breakdown of the percentage of questions you could be asked from each domain.

Domain                                              % of Questions
1. Cloud Computing Concepts                         10.00%
2. Governance & Enterprise Risk Management           3.33%
3. Legal Issues: Contracts and Electronic Discovery  5.00%
4. Compliance & Audit Management                     5.00%
5. Information Governance                            3.33%
6. Management Plane & Business Continuity            6.67%
7. Infrastructure Security                          10.00%
8. Virtualization & Containers                       8.33%
9. Incident Response                                 6.67%
10. Application Security                            10.00%
11. Data Security & Encryption                      10.00%
12. Identity, Entitlement and Access Management      5.00%
13. Security as a Service                            3.33%
14. Related Technologies                             1.67%
15. CCM                                              6.67%
16. ENISA                                            5.00%

*The above percentages are estimates. Questions are selected at random from the CCSK question pool, so having a solid understanding of each domain and the CCM and ENISA documents is essential if you want to pass.

Step 4. Take the Exam

Register at the CCSK exam website

Whether you plan to purchase an exam token directly or will receive one as part of a training package, to attempt the exam you will first need to create an account on the exam platform. If you plan to self-study and buy a token, you can go directly to the link above. If you received an exam token with a training package, you will get an email with instructions on how to register and claim your token.

Take the exam

Since the exam is taken online, once you have a test token you can take the test when and where you want. Make sure you have thoroughly studied the exam materials and reviewed your notes if you took a training course. And be sure you have a reliable internet connection and a full 90 minutes in which you will not be interrupted or distracted.

Step 5. Build on the knowledge from the CCSK…

After you’ve earned your CCSK a good way to continue learning about cloud security is following our CloudBytes webinar series or volunteering for a working group. Other ways you can build on your knowledge…

Read the latest CSA research

In general, I recommend being familiar with the Top Threats document series. This helps folks understand the threat landscape for cloud. I’d also take a look at the 12 Most Critical Risks for Serverless Applications.

Use the CCSK to satisfy CPE credits

The CCSK can be used to satisfy continuing professional education credits for several other IT credentials including the CCSP and CISSP.

Gain hands-on experience

Practice building in a cloud environment using management plane best practices and appropriate reference architectures for practice projects. Look at some of the cloud offerings in the market and consider the security implications for the consumer based on the shared responsibilities model.

Consider enrolling in more advanced training

Two courses to consider taking after the CCSK are the Cloud Governance and Compliance (CGC) course and the CCSP. Which one you take will depend on your current job role, and where you are heading career-wise. For those interested in cloud governance or auditing, the CGC course is a good path. For those interested in cloud security implementation, the CCSP course is a good path. There may also be vendor-specific trainings you may be interested in based on the environment you work in.

Start learning more about cloud security today. Enroll in a free trial of the online, self-paced CCSK training here.


CCSK Success Stories: From a Data Privacy Consultant

By the CSA Education Team

This is the fourth part in a blog series on cloud security training, in which we will be interviewing Satishkumar Tadapalli, a certified and seasoned information security and data privacy consultant. Tadapalli has 12+ years of multi-functional IT experience in pre-sales, consulting, risk advisory and business analysis. He has rich experience in information protection and data privacy, risk management, and information security, with various ISO 27001 implementations and audits, and is currently working for a London-based bank as a risk advisor, looking after 3rd-party assurance and cloud risk assessments.

Satish holds several certifications including: CISM, CIPM, CIPT, CCSK, ISO27001 LA, CISRA, CPISI, and ITIL V3.

Can you describe your role?

In this diverse, cloud-connected, dynamic world, it’s not easy for me to describe a specific role as I’m required to wear multiple hats depending on the table at which I’m seated. Having said that, currently I’m performing a risk advisory role at one of the largest banks in the UK. This position keeps me challenged in performing contractual risk assurance, data privacy consultations and cloud risk assessment of 3rd-, 4th-, and 5th-party vendors, and governing the supplier risk-assurance activities to ensure that the consumer and providers are adhering to the privacy and security principles and keeping customer data safe and secure.

What got you into cloud security in the first place? What made you decide to earn your CCSK?

Cloud security is an interesting and evolving topic for me. I believe cloud adoption isn’t a choice for organizations in this era, now. For this reason, keeping myself updated on the must-have knowledge in cloud made me pay attention to cloud security. Once I’d decided to get my hands into cloud security, I felt CCSK was my go-to in order to get started with concepts as it covers the foundations of real-world, complex scenarios in cloud implementation, migration, issues in adoption, evaluation of cloud and many others.

“… makes you not only think from the cloud deployment view, but also provides guidance for both cloud service provider and consumer views, which is very uniquely appreciated and helps in real-world solutioning—especially when you wear multiple hats—of risks from vendor to consumers.”

Could you elaborate on how the materials covered in the exam specifically helped in that way?

Sure, as we all know CCSK isn’t a specific, cloud product-related exam. Rather, I think the intention of this exam is to evaluate how well the key elements or domains of cloud models/service(s) are understood by candidates. Hence, this exam expects you to be aware of key areas such as governance, legal challenges, incident response, compliance, and risk management, which are very essential and challenging in cloud adoption for both consumers and service providers of cloud.

How did you prepare for the CCSK exam?

I mainly followed the CCSK exam preparation kit available on the CSA site, plus my limited experience in security and 3rd-party risk assessment helped to crack the CCSK exam.

If you could go back and take it again, how would you prepare differently?

As I mentioned earlier, cloud is a constantly changing world with new threats and challenges evolving almost every day. Hence, I would elevate my knowledge by looking at current study materials from CSA and explore the real challenges and solutions in industries for cloud implementation and adoption.

Were there any specific topics on the exam that you found trickier than others?

I felt that the legal and compliance management along with security incidents handling domains were quite interesting. Primarily, because these areas bring different challenges to cloud services, mainly in detailing the roles and responsibilities and limitations for both cloud consumers and cloud providers.

What is your advice to people considering earning their CCSK?

I strongly advise CCSK aspirants to look at this exam as a foundational course and use it as a stepping stone in the vast cloud security journey. CCSK won’t just differentiate you from others by giving you a credential, it will also help you in a longer journey irrespective of your role (cloud consumer, provider or independent cloud risk advisor, etc.) due to its essential concepts, which aren’t specific to any cloud vendor/solution.

Lastly, what material from the CCSK has been the most relevant in your work and why?

It is a bit hard for me to point out one or any specific domain(s) as most of the domains and materials were and are relevant to my work as I’m required to play multiple roles given the nature of business we are in today. Specifically, I use the Security Guidance and the Cloud Controls Matrix the most as I deal with vendor risk management. These help to clarify key roles and responsibilities between the cloud provider and consumer. In addition, these documents act as a guide for me to reassure myself of cloud concepts.

Interested in learning more about cloud security training? Discover our free prep-kit, training courses, and resources to prepare to earn your Certificate of Cloud Security Knowledge here.

Invest in your future with CCSK training

CCSK Success Stories: From an Information Systems Security Manager

By the CSA Education Team

This is the third part in a blog series on Cloud Security Training. Today, we will be interviewing Paul McAleer. Paul is a Marine Corps veteran and currently works as an Information Systems Security Manager (ISSM) at Novetta Solutions, an advanced data analytics company headquartered in McLean, VA. He holds the CCSK, CISSP, CISM, and CAP certifications among others and lives in the Washington, D.C. area.

Can you describe your role?

I am an ISSM at Novetta Solutions and am primarily responsible for certification and accreditation, continuous monitoring, and the overall security posture of the information systems under my purview. Novetta is also partnered with AWS and that partnership continues to grow so it is a very exciting company to work for.  

What got you into cloud security in the first place? What made you decide to earn your Certificate of Cloud Security Knowledge (CCSK)?

My first InfoSec position was with First Information Technology Services, a Third Party Assessment Organization (3PAO) supporting Microsoft. I was part of the Continuous Monitoring Team, and part of my job was providing adequate justification of open vulnerabilities and depicting mitigation for cloud environments. Understanding cloud security was imperative in performing my job.  I was seeking more of a foundational understanding focused primarily on cloud security. I heard about CCSK through CSA and ISC(2) after doing some research on the best and most valuable Cloud certifications. After reviewing the certification outline and expectations, I decided to review the material and prep for the exam. 

“Open book means nothing when it comes to this exam. There are too many questions that require a deep understanding of the material…”

Can you elaborate on what the exam experience was like? How did you prepare for the CCSK exam?

The CCSK was not an easy exam by any means. Not only was it a requirement to get 80 percent to pass, but there were only 90 minutes to answer 60 questions. The exam required a deep understanding of the CSA Cloud Security Guidance, as well as the ENISA Cloud Computing Risk Assessment Report. At least for me, it was imperative to read through all of the course material and ensure I understood everything listed in the exam objectives to pass the exam.

If you could go back and take it again, how would you prepare differently?

If I could prepare differently, I would have devoted more time to studying and reading the CSA Guidance and ENISA Report a second time through. To me, one read-through isn’t enough for the depth of this exam and the style of questions the exam presents. It is a hard exam to prepare for. To gain a full understanding of what is expected, it’s important to go through the material more than once, to take notes on your weak areas, and subsequently to come back to the sections that you feel weakest on and focus on those areas.

Were there any specific topics on the exam that you found trickier than others?

Topics on the exam that I found trickier than others included questions that pertained to governance within the cloud and understanding the various security as a service (SecaaS) requirements and the different services regarding SecaaS implementation.

What is your advice to people considering earning their CCSK?

I highly recommend the CCSK for anyone seeking a deeper understanding of cloud security. My advice to people considering the CCSK is to study for the exam like you would any other certification that wasn’t open book. In other words, don’t rely on the fact that it is open book. 

Lastly, what part of the material from the CCSK has been the most relevant in your work and why?

The most relevant material from the CCSK for my career has been Compliance and Audit Management, which was Domain 4 of the CSA Guide v3 when I took the exam. I believe that domain related more to my work experience than any other domain due to my cloud compliance role at the time of my certification. I definitely took the most away from the topics discussed in that domain, such as issues pertaining to Enterprise Risk Management, Compliance and Audit Assurance, and Corporate Governance. The Information Management and Data Security domain was also a very relevant domain for my work.

Interested in learning more about cloud security? Discover our free prep-kit, training courses, and resources to prepare to earn your Certificate of Cloud Security Knowledge here.

CCSK Success Stories: From the Financial Sector

By the CSA Education Team

This is the second part in a blog series on Cloud Security Training. Today we will be interviewing an infosecurity professional working in the financial sector. John C Checco is President Emeritus for the New York Metro InfraGard Members Alliance, as well as an Information Security professional providing subject matter expertise across various industries. John is also a part-time NYS Fire Instructor, a volunteer firefighter with special teams training in vehicular extrication and dive/ice rescue, an amateur novelist, and routinely donates blood in several adult hockey leagues.

Can you describe your role?

Currently I lead the “Security Innovation Evaluation Team” at a large financial firm where we forage and test emerging technology solutions that will build upon our security posture and fortify our resilience far into the future.

What got you into cloud security in the first place? What made you decide to earn your CCSK?

Whether you are in the automotive, engineering, medical, retail or the information security field, one needs to constantly stay abreast of emerging trends and hype – indeed, “cloud” was one of those emerging trends and hype combined which represented a logical transition from existing legacy infrastructures.

I am a lifelong learner; seeing the early explosion of “cloud providers” who really just wrapped an orchestration layer around virtualization rather than true holistic solutions, was the jumpstart I needed to understand how important the CCM (and CCSK) was.

The CCSK reflects both the operational knowledge of the CCM, as well as the strategic goals for the CSA. The CCM itself is a superset of many existing security control standards, which makes the CCSK all the more relevant to today’s security environment.

Can you elaborate on how the CCSK reflects the operational knowledge of the CCM? Why do you think this is important knowledge for infosec professionals to know?

The CCM builds upon existing NIST/ISO standards and produces new controls where existing controls cannot adequately cover the cloud paradigm. If one knows how to properly interpret and use the CCM standard, they most likely understand the non-cloud security standards as well. The CCSK represents knowledge assurance of the CCM at an operational level; and having a shared origin with the CCM, the CCSK can truly test proficiency of the spirit of the CCM as it was designed, not just its definitions.

How did you prepare for the CCSK exam?

I was an initial member of the NY Metro Chapter of the CSA and aware of the Cloud Controls Matrix. Although my employer was not explicitly referencing the CCM as a security standard, I was pulling from it as a security controls guidance for my employer’s projects.

If you could go back and take it again, how would you prepare differently?

As information security has become more complex and more splintered, simply studying definitions is no longer an effective method to have lasting knowledge. I would suggest two additional study techniques:

  • Understand the “WHY” of each control in the CCM: what was the originating problem statement, what is the scope of that problem statement, and was the control defined to resolve the problem or simply reduce the problem’s impact to a tolerable level? Once you have a good comprehension of the background, then there is no memorization needed … it becomes common sense to the learner.
  • Get DIRTY with some hands-on experience – whether it be an existing work project or reworking an old personal project. Taking an old project and redeploying it using newer technologies and security controls gives the learner unimaginable insight into why a control is written in a certain way. The advantage of using an existing project is that you can focus on the coding, deployment and security control aspects rather than features and requirements. I have revamped my personal “Resume Histogram” project originally written in 1990 as a dial-up BBS site → to a CGI website → to a RoR web application (hey, not every decision was a good one) → to a social media plugin → to a containerized web API.

Were there any specific topics on the exam that you found trickier than others?

I suspect that everyone will have a different topic of weakness. Legal aspects were my weakness, and from the plethora of recent changes in standards and regulations – PCI DSS3, NIST revisions, NYS DFS 500, GDPR and the myriad of local regulations – I suspect it is not going to get any easier.

What is your advice to people considering earning their CCSK?

I have four points of advice:

  1. Get real-life quality experience before you attempt a certification … doctors, nurses, architects and engineers are required to, so why not InfoSec professionals?
  2. Make a habit of learning something every day …  knowledge gets stale, intelligence doesn’t.
  3. Avoid the shortcuts, like boot camps; it’s a crash diet of ignorance.
  4. Be humble, keep an open mind, and listen before you speak … things change, so what you knew was right today may be turned on its head tomorrow. Nobody should want to gain a reputation of being “CIA” (certified, ignorant and arrogant).

Lastly, what part of the material from the CCSK has been the most relevant in your work and why?

Ironically, my work over the years has made my weakest area – legal – also the most important and relevant one; especially when it comes to contracts with cloud providers for enterprise projects as well as vendors and managed service providers who run in the cloud.

Interested in completing cloud security training at RSA? CSA is offering a CCSK Plus Course at the RSA Conference 2019 that offers students an extra day of hands-on labs to practice applying what they learn. Learn more or register here.

Prepare to Take (and Ace) the CCSK Exam at Infosecurity Europe

By Ryan Bergsma, Training Program Director, Cloud Security Alliance

Here’s a riddle for you. It’s been called the “mother of all cloud computing security certifications” by CIO Magazine. Search Cloud Security said it’s “a good alternative cloud security certification for an entry-level to midrange security professional with an interest in cloud security.” And, Certification Magazine listed it at #1 on the Average Salary Survey 2016. What is it?

If you answered CSA’s Certificate of Cloud Security Knowledge, more commonly known as CCSK, give yourself a pat on the back. If you’re attending Infosecurity Europe 2018 then give yourself the gift that keeps on giving and register for our CCSK v4 certification training course on June 7. Taught by renowned cloud security expert Peter HJ van Eijk, this one-day workshop will prepare you to take (and ace) the exam.

This exam prep course reflects the fact that the body of knowledge and the CCSK were recently updated to version 4, and includes such relevant topics as DevOps, big data and IoT. Not only will you get up-to-speed on the latest in cloud security, but by earning your CCSK, you’ll be demonstrating that you have the requisite skills and knowledge to ensure that cloud services are implemented and utilized within your organization with the appropriate security controls in place, including technical, as well as management and governance domains.

Still on the fence? The course price includes the cost of the exam, a $395 value. That’s what we call a sound investment.

Not convinced? Watch this and you will be.

Register.

CCSK Certification vs AWS Certification – A Definitive Guide

By Graham Thompson, CCSK, CCSP, CISSP, Authorized Trainer, Intrinsec Security

I was recently asked about CCSK certification vs AWS certification and which one should be pursued by someone looking to get into cloud security. This post tries to address the question “which cloud certification is right for you?” I’ll give you a lay of the land for both certifications, available training, the exams, and then conclude with thoughts on which certification is right for you.

Certificate of Cloud Security Knowledge (CCSK)

The Certificate of Cloud Security Knowledge (CCSK) is from a research organization called the Cloud Security Alliance (CSA). The CSA has created guidance for securing cloud services and released a recently updated version of this guidance (CSA Guidance v4). The guidance is about 150 pages and covers most of the knowledge required to successfully pass the CCSK exam (more about the exam down below).

In a nutshell, the goal of the CCSK is a vendor-neutral look at all cloud security issues that covers the following three areas of knowledge:

Cloud computing concepts and architectures

It begins with answering the question “what is cloud computing,” moves on to the differences between, and other fundamental cloud knowledge.

  • Definitions
  • Service Models (SaaS, PaaS, IaaS)
  • Deployment Models (e.g. Public Cloud, Private Cloud)
  • Reference Architectures
  • Cloud Security Models

Governing in the cloud

Like everything else, cloud security doesn’t (shouldn’t?) operate in a silo. The CCSK addresses how cloud changes governance, risk management and compliance. Other aspects of governing in the cloud include:

  • Contracts
  • Audit management
  • Information governance
  • Business continuity
  • Jurisdictional issues
  • Legal concerns

This information should be known by all individuals who are responsible for governing (and operating) cloud services, regardless of the service models being consumed in your organization.

Operating in the cloud

Moving forward, the CCSK covers the technical components of cloud systems such as:

  • Virtualization (e.g. hypervisors, Software Defined Networks (SDN), VLANs)
  • Containers
  • Incident Response
  • Application Security
  • Data Security and Encryption
  • Identity, Entitlement and Access Management
  • Security as a Service
  • Related Technologies (e.g. DevOps, Immutable Infrastructure, IoT, etc.)

CCSK training

Should you take the training or self-study for the CCSK certification exam? That’s your call. Personally, I’m always a fan of doing training because it allows me to get away from the office and completely immerse myself in the subject at hand. I also get the opportunity to learn how things work in the “real world.”

If you prefer the self-study route, you have all the documentation you need listed below to take the exam.

If you are looking at the training route for yourself or your company, you can check out our offerings here. We offer the official and authorized CCSK in on-demand, on-line and in-person settings. We can also offer on-site training that is modified to your corporate requirements. (If you are looking for more info, a lot of these details about the CCSK can be found on Cloud Security Alliance’s website.)

All course registrants also get access to our exclusive CCSK exam prep kit that includes:

  • Immediate access to on-demand CCSK v4 course
  • CCSK exam v4 prep videos
  • Hundreds of CCSK v4 pre-test questions
  • Pre-paid token for the actual CCSK v4 exam

Note: Unfortunately, we are prohibited from offering the exam prep package as a stand-alone product.

CCSK certification exam

In addition to the CSA Guidance, you’ll need to read and understand CSA’s Cloud Controls Matrix (CCM), the Consensus Assessment Initiative Questionnaire (CAIQ), and finally the ENISA Cloud Computing Risk Assessment document. All documents are available from the following download links.

CCSK exam details

The exam itself is taken online any time you wish. There are 60 questions, and you are given 90 minutes to finish. It is an open-book exam, but don’t let that fool you – it’s a pretty tough exam, and I have seen people from various backgrounds fail.

I believe people fail the exam because of the diverse nature of the CCSK exam itself. You’re looking at an exam that addresses both cloud operations and cloud governance. Most people will be strong in one or the other, but rarely is someone well-versed in both areas. If you’re in a technical position at work, you’ll need to focus on governance and vice versa, of course.

We have published some pre-test practice questions for exam candidates who are looking to see what they might be up against before taking the actual test. All the questions are based on the new v4 version of the CCSK exam.

Ready to get started? Download the CSA CCSK prep kit or look for upcoming training sessions near you.

Amazon Web Services (AWS Certification)

Amazon has multiple AWS and specialty certifications available.

For convenience, I’m including the roadmap graphic that was on the AWS certification site below:

As you can see, there’s more to the question “CCSK or AWS Certification.” AWS has multiple streams available, but I’m going under the assumption that most people mean the AWS Certified Solutions Architect designation.

Regardless of the track or specialty, let’s make one thing extremely clear: AWS is a vendor and the complete focus will be on HOW things are done in AWS, specifically. Amazon says so themselves in their certification descriptions: “technical role-based certification.”

AWS Certified Solutions Architect – Associate

Below is the list of recommended knowledge you should have before even considering the AWS Architect – Associate exam. I have done this exam (yes, I passed) and I wrote about my thoughts on that exam here.

  • One year of hands-on experience designing available, cost-efficient, fault-tolerant, and scalable distributed systems on AWS
  • Hands-on experience using compute, networking, storage, and database AWS services
  • Hands-on experience with AWS deployment and management services
  • Ability to identify and define technical requirements for an AWS-based application
  • Ability to identify which AWS services meet a given technical requirement
  • Knowledge of recommended best practices for building secure and reliable applications on the AWS platform
  • An understanding of the basic architectural principles of building on the AWS Cloud
  • An understanding of the AWS global infrastructure
  • An understanding of network technologies as they relate to AWS
  • An understanding of security features and tools that AWS provides and how they relate to traditional services

More information about the associate level certification from Amazon can be found here.

AWS Certified Solutions Architect – Professional

I have not taken this exam. That said, I have worked with many people who have taken and passed the professional exam. These people really know their AWS stuff. I think it is fair to say there aren’t many people who have the professional designation who just know the theory of things, but rather have years of practical hands-on experience in AWS.

In order to take the professional-level exam you must have the associate-level certification already.

Here is the list of knowledge AWS expects their professional architect holders to have:

  • Designing and deploying dynamically scalable, highly available, fault-tolerant, and reliable applications on AWS
  • Selecting appropriate AWS services to design and deploy an application based on given requirements
  • Migrating complex, multi-tier applications on AWS
  • Designing and deploying enterprise-wide scalable operations on AWS
  • Implementing cost-control strategies

In my view, you’re expected to be able to take everything you know from the associate level and apply it to enterprise scale.

More information about the professional level certification from Amazon can be found here.

AWS training

For the AWS Architect – Associate certification, you can either take the self-study approach or attend an actual training session. Bottom line here is this is not a theory-based exam. You will need to have actually spun up server instances and have worked with AWS services before taking the actual exam.

Amazon has excellent learning collateral in their whitepapers that you should study if you are going solo. The resources they recommend are:

If you’re looking for an AWS Architect – Associate training session, the applicable course is a 3-day session called Architecting on AWS. Their course schedule page can be found here.

The applicable AWS Architect – Professional course is the 3-day Advanced Architecting on AWS course. The course schedule page can be found here.

AWS certification exam

A word to the wise. Passing the AWS Architect is all about two things:

  1. Hands-on experience, and
  2. Knowing what is covered in the exam.

As I mention in my thoughts on the AWS exam piece, buy the practice exam. Don’t even think about cheaping out on this one. Seriously. Doubly seriously if you’re doing the self-study approach.

AWS exam details

The AWS exam is a scaled score exam. In other words, not all questions have the same value. Easy questions are worth less than harder ones. I’m not alone when I say I hate these types of exams as you have no idea how you’re actually doing as you go through the questions. And as an added bonus, Amazon states you need a “720” (out of 1,000) to pass the test, which does not mean 72 percent because the questions all have different values.

Download the AWS Certified Solutions Architect – Associate exam guide (February 2018).

Download the AWS Certified Solutions Architect – Professional exam guide.

Which cloud certification is right for you?

As we covered, the two certifications are not similar at all. The CCSK is relevant to both governance and operational security of cloud services. It is written by an independent body and is completely vendor agnostic. The AWS certifications are 100-percent technical and are specific to AWS implementations.

  • CCSK certification addresses the “what” of cloud security
  • AWS certification addresses the “how” of AWS implementations

If you are looking to understand cloud security challenges, the CCSK is right for you. If you are in management and need to understand the impact cloud services will have on your organization, the CCSK is for you. If you work in operations and need to better understand the security challenges associated with cloud in general, the CCSK is for you.

If you are working in a dedicated AWS technical position, the AWS Certified Architect is the certification you should go with. If you are working with AWS in a security capacity, you should do the CCSK first, then follow up with the vendor-specific AWS training.

From a corporate perspective, everyone involved with information technology, ranging from procurement through risk management and operations should attend the CCSK session, even if it is an accelerated 1-day “awareness” session.

Graham Thompson is a cloud security architect and delivers both CCSK and CCSP official courses as an authorized trainer for Intrinsec Security. You can reach Graham on LinkedIn or by old fashioned e-mail.

34 Cloud Security Terms You Should Know

By Dylan Press, Director of Marketing, Avanan

We hope you use this as a reference not only for yourself but for your team and in training your organization. Print this out and pin it outside your cubicle.

How can you properly research a cloud security solution if you don’t understand what you are reading? We have always believed cloud security should be simple, which is why we created Avanan. In an attempt to simplify it even more we have created a glossary of 34 commonly misunderstood cloud security terms and what they mean.

Account Takeover

A type of cyber attack in which the hacker spends extended periods of time dormant in a compromised account, spreading silently within the organization through internal messages until they have access to information that is valuable to them. They may use the account to attack other organizations.

Related: Read our whitepaper Cloud Account Takeover

Advanced Persistent Threat (APT)

This is an attack in which the attacker gains access to an account or network and remains undetected after the initial breach. The “advanced” describes the initial breach technique (phishing or malware) that was able to evade the victim’s security. The attack is “persistent” because the attacker continues to carry out the attack through reconnaissance and internal spread long after the initial breach.

Advanced Threat Protection (Microsoft ATP)

Microsoft offers its Advanced Threat Protection for an additional $24 per user per year. It includes capabilities not available in the default Office 365/Outlook.com account:

  • Safe Links: replaces each URL, checking the site before redirecting the user.
  • Safe Attachments: scans attachments for malware.
  • Spoof Intelligence: analyzes external emails that match your domain.
  • Anti-phishing Filters: look for signs of incoming phishing attacks.

Anomaly

A type of behavior or action that seems abnormal when observed in the context of an organization and a user’s historical activity. It is typically analyzed using some sort of machine-learning algorithm that builds a profile based upon historical event information including login locations and times, data-transfer behavior and email message patterns. Anomalies are often a sign that an account is compromised.
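The profile-based scoring described above, as an added example (it is not Avanan’s product code): a baseline of countries and login hours is built from a user’s constructed login history, and each new login is checked for a never-seen country, an hour the user rarely logs in at, and two countries within a short window. The event records, field names and thresholds are all assumptions for the illustration.

```python
"""Login anomaly scoring against a user's historical profile.

Added example, not Avanan's product code. All events, field names and
thresholds below are constructed/assumed for the illustration.
"""
from collections import Counter
from datetime import datetime

# Constructed login history for one user: UTC timestamps and ISO country codes.
HISTORY = [
    {"user": "alice", "ts": "2018-03-01T08:12:00", "country": "US"},
    {"user": "alice", "ts": "2018-03-02T09:05:00", "country": "US"},
    {"user": "alice", "ts": "2018-03-05T08:45:00", "country": "US"},
    {"user": "alice", "ts": "2018-03-06T17:30:00", "country": "US"},
    {"user": "alice", "ts": "2018-03-07T09:10:00", "country": "US"},
    {"user": "alice", "ts": "2018-03-08T10:02:00", "country": "CA"},
    {"user": "alice", "ts": "2018-03-09T08:30:00", "country": "US"},
    {"user": "alice", "ts": "2018-03-12T09:40:00", "country": "US"},
]

RARE_HOUR_RATIO = 0.05    # assumption: an hour seen in under 5% of logins is unusual
TRAVEL_WINDOW_MIN = 60    # assumption: two countries within an hour is implausible travel


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def build_profile(events):
    """Summarise 'normal' for one user: countries and login hours seen so far."""
    return {
        "countries": Counter(e["country"] for e in events),
        "hours": Counter(_ts(e).hour for e in events),
        "count": len(events),
    }


def score_event(profile, event, previous=None):
    """Return the list of reasons an event deviates from the profile (empty if none)."""
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append("new country " + event["country"])
    hour = _ts(event).hour
    if profile["hours"][hour] / profile["count"] < RARE_HOUR_RATIO:
        reasons.append("unusual hour %02d:00" % hour)
    if previous is not None and previous["country"] != event["country"]:
        gap_min = (_ts(event) - _ts(previous)).total_seconds() / 60
        if 0 <= gap_min < TRAVEL_WINDOW_MIN:
            reasons.append("impossible travel %s -> %s in %d min"
                           % (previous["country"], event["country"], gap_min))
    return reasons


def review_logins(history, new_events):
    """Score new events in order; each event becomes 'previous' for the next one."""
    profile = build_profile(history)
    flagged = []
    previous = history[-1] if history else None
    for event in new_events:
        reasons = score_event(profile, event, previous)
        if reasons:
            flagged.append((event, reasons))
        previous = event
    return flagged


# Constructed new events: one normal, one from a new country 25 minutes later,
# and one at 03:10, an hour the profile has never seen.
NEW_EVENTS = [
    {"user": "alice", "ts": "2018-03-13T09:00:00", "country": "US"},
    {"user": "alice", "ts": "2018-03-13T09:25:00", "country": "NL"},
    {"user": "alice", "ts": "2018-03-14T03:10:00", "country": "US"},
]

if __name__ == "__main__":
    for event, reasons in review_logins(HISTORY, NEW_EVENTS):
        print(event["ts"], event["country"], "->", "; ".join(reasons))
```

A real system would add many more signals (device, user agent, data-transfer volume, mail-rule changes) and learn the thresholds per user rather than hard-coding them, but the shape is the same: build the profile from history, then score each new event against it.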

API Attack

An API (Application Programming Interface) allows two cloud applications to talk to one another directly, allowing a third party to read or make changes directly within a cloud application. Creating an API connection requires a user’s approval, but once created, it runs silently in the background, often with little or no monitoring. An API-based attack typically involves fooling the user into approving an API connection with a phishing attack. Once granted the API token, the attacker has almost complete access and control, even if the user changes the account password. To break the connection, the user must manually revoke the API token.

Behavioral Analysis

A security measure in which a file’s behavior is monitored and analyzed in an isolated environment in order to see if it contains hidden malicious functions or is communicating with an unknown third-party.

Brand Impersonation

A method of phishing attack in which the perpetrator spoofs the branding of a well-known company to fool the recipient into entering credentials, sharing confidential information, transferring money or clicking on a malicious link. An example might be a forged email that looks like it is from a social media company asking to verify a password.

Breach Response

A form of security that remedies the damage caused by a breach. For example, changing passwords, revoking API tokens, resetting permissions for shared documents, enabling multi-factor-authentication, restoring lost or edited documents, documenting and classifying leaked information, identifying potential pathways to collateral compromise.

CASB

An acronym for Cloud Access Security Broker. This is a type of security that monitors and controls the cloud applications that an organization’s employees might use. Typically, the control is enforced by routing web traffic through a forward or reverse proxy. CASBs are good for managing Shadow IT and limiting employees’ use of certain SaaS applications, or their activity within those applications, but they do not monitor third-party activity in the cloud, i.e. shared documents or email.

Related: Can a CASB Protect You from Phishing or Ransomware?

Cloud Access Trojan

Also known as a CAT, a Cloud Access Trojan describes any method of accessing a cloud account without the use of a username and password, for example, a malicious user syncing a desktop app, forwarding all email to an external account, connecting a malicious script or simply authorizing a backup service for which they have full access. In each case, the attacker needs only momentary access, often gained through a phishing attack.

Related: Cloud Access Trojan: The Invisible Back Door to Your Enterprise Cloud

Cloud Messaging Apps

Cloud-based communication services, including email, that companies use for internal communication and sometimes with trusted partners as well. Employees often place more trust in these apps even though they are just as capable of distributing malware or phishing messages.

Cloudify

Taking software that was created for on-premise or datacenter usage, wrapping it with an API container and converting it to a cloud service. For example, taking the malware analysis blade from a perimeter appliance and adapting it so that it can be configured and scaled without the need for direct management. This also includes the automation of software licensing and version control.

Compromised Account

An account which has been accessed and is possibly controlled by an outside party for malicious reasons. This can be done either via API connection or by gaining credentials to the account from a leak or phishing email. Typically, the goal of the attacker is to remain undetected, in order to use it as a base for further attacks.

Related: Account Takeover: A Critical Layer Of Your Email Security

Data Classification

A security and compliance measure in which all of an organization’s documents are scanned and categorized based on their sensitivity and then are automatically encrypted or adjusted to the correct sharing-level permissions. For example, documents containing customer information or employee social security numbers would be classified as highly sensitive and encrypted, whereas an external-facing white paper would be classified as non-sensitive and likely not encrypted.

DLP (Data Leak Prevention or Data Loss Prevention)

A type of security that prevents sensitive data, usually files, from being shared outside the organization or to unauthorized individuals within the organization. This is done usually through policies that encrypt data or control sharing settings.
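The Data Classification and DLP entries above describe one pipeline: scan content, assign a sensitivity label, then let the label drive encryption and sharing. As an added example (not Avanan’s code), the block below classifies a few constructed documents by pattern matching (social security numbers, Luhn-checked card numbers, a CONFIDENTIAL marker) and uses the label to allow or block an external share request. The patterns, labels and policy table are assumptions for the illustration.

```python
"""Content-based data classification feeding a DLP sharing decision.

Added example, not Avanan's code. Patterns, labels, policy and the sample
documents are constructed for the illustration.
"""
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits, optionally separated by single spaces or dashes; Luhn-checked below
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
MARKER_RE = re.compile(r"\bCONFIDENTIAL\b")

LEVEL_RANK = {"public": 0, "internal": 1, "highly-sensitive": 2}

# Assumed policy: what each label means for encryption and external sharing.
POLICY = {
    "public": {"encrypt": False, "external_share": True},
    "internal": {"encrypt": False, "external_share": False},
    "highly-sensitive": {"encrypt": True, "external_share": False},
}


def luhn_ok(digits):
    """Luhn checksum; filters order numbers and other digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, level) for every sensitive pattern found in the text."""
    hits = []
    for _ in SSN_RE.finditer(text):
        hits.append(("ssn", "highly-sensitive"))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", "highly-sensitive"))
    if MARKER_RE.search(text):
        hits.append(("marker", "internal"))
    return hits


def classify(text):
    """Highest sensitivity level among the patterns found; 'public' if none."""
    level = "public"
    for _, hit_level in find_sensitive(text):
        if LEVEL_RANK[hit_level] > LEVEL_RANK[level]:
            level = hit_level
    return level


def share_decision(text, external):
    """DLP check for a share request: 'allow' or 'block', plus the label it was based on."""
    level = classify(text)
    allowed = POLICY[level]["external_share"] or not external
    return {"level": level, "encrypt": POLICY[level]["encrypt"],
            "decision": "allow" if allowed else "block"}


# Constructed sample documents. The expense sheet's order number has 16 digits
# but fails the Luhn check, so it is not mistaken for a card number.
DOCS = {
    "hr-memo": "Onboarding for J. Doe, SSN 123-45-6789, start date 2018-04-02.",
    "expenses": "CONFIDENTIAL - order 1234 5678 9012 3456 shipped; reimburse $120.",
    "card-form": "Corporate card on file: 4111 1111 1111 1111, exp 09/20.",
    "whitepaper": "Our 2018 whitepaper on cloud email security is free to share.",
}

if __name__ == "__main__":
    for name, text in DOCS.items():
        print(name, share_decision(text, external=True))
```

The Luhn check is what keeps a pattern-based classifier usable: without it, every 16-digit order or tracking number would be labelled highly sensitive and the DLP policy would block far more legitimate sharing than it should.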

DRM

Digital Rights Management: a set of access control technologies for restricting the use of confidential information, proprietary hardware and copyrighted works, typically using encryption and key management. (Also see IRM)

Gateway

A gateway is any device or service acting as an MTA; please see the definition for MTA.

IRM

Information Rights Management is a subset of Digital Rights Management that protects corporate information from being viewed or edited by unwanted parties typically using encryption and permission management. (also see DRM)

Latency

The added time it takes for an email to be delivered to its intended recipient. Security measures sometimes add latency as they perform scans on the email prior to allowing the email to reach the user’s inbox.

Malconfiguration

A deliberate configuration change within a system by a malicious actor, typically to create back-door access or exfiltrate information. While the original change in configuration might involve a compromised account or other vulnerability, a malconfiguration has the benefit of offering long term access using legitimate tools, without further need of a password or after a vulnerability is closed.

Misconfiguration

A dangerous or unapproved configuration of an account that could potentially lead to a compromise typically done by a well-intentioned user attempting to solve an immediate business problem. While there is no malicious intent, misconfiguration is actually the leading cause of data loss or compromise.

MTA

An acronym for Message Transfer Agent. An MTA is an appliance or service that acts as the authorized server-of-record for electronic messages, eventually passing them on to the final mail server.

Related: 7 Reasons Not to Use an MTA Gateway

Phishing

A type of attack in which a message (often email, but could be any messaging system) is sent from a malicious party disguised as a trusted source with the intention of fooling the recipient into giving up credentials, money, or confidential data. It often includes a malicious link or file, but could be as simple as a single sentence that causes some sort of insecure response. (Also see Spearphishing.)

Proxy

A proxy can include any gateway, service or appliance that causes a rerouting of traffic through an appliance or cloud service. For example, a web proxy or CASB will redirect a user’s web browsing in order to decrypt the traffic and block particular applications or data. Mail proxy gateways (see MTA) reroute incoming email in order to scan and block spam, phishing or other malicious email. A proxy is limited in its visibility as it cannot monitor or control traffic it cannot see, i.e. remote and non-employee web usage or internal email traffic.

Quarantine

The act of encrypting, moving or changing the share permissions of a file so that it is unreachable by a user until it can be deemed safe or authorized by the intended recipient.

Ransomware

A type of malware that encrypts the files on an endpoint device using a mechanism for which only the attacker has the keys. While the attacker will offer the key in exchange for payment, fewer than half of victims that do pay actually recover their files.

Sandboxing

A type of security measure that involves testing a file or link in a controlled environment to see what effect it has on the emulated operating system, typically the first line of defense against zero-day attacks for which there is no signature or pre-knowledge of the code.

Shadow IT

Any unapproved cloud-based account or solution implemented by an employee for business use. It might also include the use of an unknown account with an approved provider, but administered by the user rather than corporate IT.

Shadow SaaS

An unapproved cloud application that is connected in some way (typically by API) to that organization’s SaaS or IaaS with access to corporate data but without permission from the organization.

Spearphishing

A type of phishing attack that is designed to target a small number of users, sometimes only one user such as a CEO. Spearphishing attacks usually involve intensive research by the hacker to increase the chances that the intended target will fall for it.

Tokens

A unique authorization key used for API interactions. Each token is granted a certain level of access and control and often continues to provide access until the token is manually revoked.
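The API Attack and Tokens entries make the same point: a consented API token keeps working after a password change, so the defensive control is to review and revoke grants, not to reset passwords. As an added example (not Avanan’s or any vendor’s code), the block below triages constructed app-consent records by the scopes they hold, whether the publisher is verified, and whether the token is dormant but still valid. The scope names are modelled loosely on Microsoft Graph-style permission names; the records, weights and thresholds are assumptions for the illustration.

```python
"""Auditing third-party API grants (OAuth tokens) that survive a password change.

Added example, not Avanan's or any vendor's code. Grant records, scope names
(modelled loosely on Microsoft Graph-style permission names) and the risk
weights are constructed/assumed for the illustration.
"""
from datetime import date

# Assumed weight per scope: higher means more data an attacker-controlled app could reach.
SCOPE_RISK = {
    "user.read": 0,
    "calendars.read": 1,
    "contacts.read": 1,
    "offline_access": 1,      # refresh token: access continues without the user present
    "mail.read": 2,
    "files.read.all": 2,
    "mail.send": 3,
    "mail.readwrite": 3,
    "files.readwrite.all": 3,
}
UNKNOWN_SCOPE_RISK = 1        # assumption: an unrecognised scope is at least worth a look
UNVERIFIED_PUBLISHER = 2      # assumption
DORMANT_DAYS = 90             # assumption: unused for 90 days but still valid
REVOKE_AT, REVIEW_AT = 5, 3   # assumed thresholds


def days_between(older, newer):
    return (date.fromisoformat(newer) - date.fromisoformat(older)).days


def score_grant(grant, today):
    """Risk score and human-readable reasons for one app consent record."""
    score, reasons = 0, []
    for scope in grant["scopes"]:
        weight = SCOPE_RISK.get(scope, UNKNOWN_SCOPE_RISK)
        score += weight
        if weight >= 2:
            reasons.append("broad scope " + scope)
        elif scope not in SCOPE_RISK:
            reasons.append("unrecognised scope " + scope)
    if not grant["publisher_verified"]:
        score += UNVERIFIED_PUBLISHER
        reasons.append("publisher not verified")
    if days_between(grant["last_used"], today.isoformat()) > DORMANT_DAYS:
        score += 1
        reasons.append("token dormant but still valid")
    return score, reasons


def triage(grants, today):
    """Sort grants by risk and attach an action; a password reset alone fixes none of these."""
    rows = []
    for g in grants:
        score, reasons = score_grant(g, today)
        if score >= REVOKE_AT:
            action = "revoke"
        elif score >= REVIEW_AT:
            action = "review"
        else:
            action = "ok"
        rows.append({"app": g["app"], "user": g["user"], "score": score,
                     "action": action, "reasons": reasons})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed consent records, shaped like an export an admin might pull from a SaaS tenant.
GRANTS = [
    {"app": "Calendar Helper", "user": "carol", "scopes": ["user.read", "calendars.read"],
     "publisher_verified": True, "granted": "2018-01-15", "last_used": "2018-03-10"},
    {"app": "Mail Backup Pro", "user": "bob", "scopes": ["mail.readwrite", "offline_access"],
     "publisher_verified": False, "granted": "2018-03-09", "last_used": "2018-03-12"},
    {"app": "Expense Scanner", "user": "dave", "scopes": ["files.read.all", "offline_access"],
     "publisher_verified": True, "granted": "2017-10-01", "last_used": "2017-10-20"},
]
TODAY = date(2018, 3, 13)   # fixed so the example is reproducible

if __name__ == "__main__":
    for row in triage(GRANTS, TODAY):
        print(row["action"].upper(), row["app"], row["score"], "; ".join(row["reasons"]))
```

Running this on a real tenant export is the check the two entries call for: anything in the “revoke” bucket is removed regardless of whether the user has since changed their password, because the token, not the password, is what the third party holds.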

URL Analysis

A security measure that reviews a link to assess if it is genuine and will direct to a safe and expected destination with no unintended side effects.

URL Impersonation

A technique used in phishing attacks in which the hacker creates a URL that looks like a link to a trusted website to the untrained eye. These techniques can be thwarted using URL analysis.
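The URL Analysis and URL Impersonation entries above describe the check without showing it. As an added example (not Avanan’s code), the block below takes a link and asks whether its registrable domain really is one of a constructed set of trusted brand domains, flagging the common disguises: credentials before an “@” that hide the real host, punycode hostnames, confusable characters, one- or two-character typos, and a brand name buried in an unrelated domain. The brand list, the homoglyph table and the “last two labels” domain shortcut are assumptions for the illustration.

```python
"""URL analysis: does a link really lead to the brand it appears to name?

Added example, not Avanan's code. The brand allow-list, the homoglyph table and
the registrable-domain shortcut are assumptions for the illustration.
"""
from urllib.parse import urlsplit

# Constructed allow-list of domains the organisation actually trusts.
BRANDS = {"paypal.com", "example-bank.com"}

# A few confusable characters (Cyrillic look-alikes and digit swaps) mapped to the
# Latin letter they imitate. Real deployments use a much fuller confusables table.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "1": "l", "0": "o",
}
MAX_EDITS = 2   # assumption: within two edits of a brand counts as typosquatting


def registrable(host):
    """Last two labels. Assumption for the example; real code uses the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def skeleton(text):
    """Replace confusable characters so look-alikes compare equal to the real name."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in text)


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_url(url):
    """Return {'host', 'verdict', 'findings'}; verdict is trusted, suspicious or unknown."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.username is not None:
        # "https://paypal.com@evil.example/": the part before '@' is not the destination
        findings.append("userinfo before '@' hides the real host " + host)
    if any(label.startswith("xn--") for label in host.split(".")):
        host = host.encode("ascii").decode("idna")
        findings.append("punycode hostname decodes to " + host)
    reg = registrable(host)
    if reg in BRANDS and not findings:
        return {"host": host, "verdict": "trusted", "findings": []}
    for brand in sorted(BRANDS):
        if reg == brand:
            continue
        name = brand.split(".")[0]
        if skeleton(reg) == brand:
            findings.append("%s is a look-alike of %s (confusable characters)" % (reg, brand))
        elif levenshtein(skeleton(reg), brand) <= MAX_EDITS:
            findings.append("%s is within %d edits of %s" % (reg, MAX_EDITS, brand))
        elif name in host:
            findings.append("brand name '%s' appears in unrelated host %s" % (name, host))
    verdict = "suspicious" if findings else "unknown"
    return {"host": host, "verdict": verdict, "findings": findings}


# Constructed sample links; the Cyrillic 'a' (U+0430) makes the fourth one a homoglyph,
# and the fifth is the same hostname in its punycode (xn--) form.
SAMPLES = [
    "https://www.paypal.com/signin",
    "https://paypal.com@evil.example/",
    "http://paypal.com.secure-login.example/verify",
    "https://p\u0430ypal.com/",
    "http://" + "p\u0430ypal.com".encode("idna").decode("ascii") + "/login",
    "https://paypa1.com/",
    "https://news.example.org/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        result = analyse_url(url)
        print(result["verdict"].upper(), url)
        for finding in result["findings"]:
            print("    ", finding)
```

A verdict of “unknown” is deliberate: a link that matches no brand is not proven safe, only not proven to be impersonating one, and would normally go on to reputation lookup or sandboxing.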

User Impersonation

A technique used in phishing attacks in which the hacker makes their email look like it is coming from a trusted sender, either a corporation or another employee. This can be done by editing their nickname or using an email address that looks like it is from a trusted organization.

We will be continuing to add to this list and if you have any suggestions for terms to include please reach out to [email protected].