CCSK Success Stories: From an Information Systems Security Manager

By the CSA Education Team

This is the third part in a blog series on Cloud Security Training. Today, we will be interviewing Paul McAleer. Paul is a Marine Corps veteran and currently works as an Information Systems Security Manager (ISSM) at Novetta Solutions, an advanced data analytics company headquartered in McLean, VA. He holds the CCSK, CISSP, CISM, and CAP certifications, among others, and lives in the Washington, D.C. area.

Can you describe your role?

I am an ISSM at Novetta Solutions and am primarily responsible for certification and accreditation, continuous monitoring, and the overall security posture of the information systems under my purview. Novetta is also partnered with AWS, and that partnership continues to grow, so it is a very exciting company to work for.

What got you into cloud security in the first place? What made you decide to earn your Certificate of Cloud Security Knowledge (CCSK)?

My first InfoSec position was with First Information Technology Services, a Third Party Assessment Organization (3PAO) supporting Microsoft. I was part of the Continuous Monitoring Team, and part of my job was providing adequate justification of open vulnerabilities and depicting mitigation for cloud environments. Understanding cloud security was imperative in performing my job. I was seeking more of a foundational understanding focused primarily on cloud security. I heard about the CCSK through CSA and (ISC)² after doing some research on the best and most valuable cloud certifications. After reviewing the certification outline and expectations, I decided to review the material and prep for the exam.

“Open book means nothing when it comes to this exam. There are too many questions that require a deep understanding of the material…”

Can you elaborate on what the exam experience was like? How did you prepare for the CCSK exam?

The CCSK was not an easy exam by any means. Not only was it a requirement to get 80 percent to pass, but there were only 90 minutes to answer 60 questions. The exam required a deep understanding of the CSA Cloud Security Guidance, as well as the ENISA Cloud Computing Risk Assessment Report. At least for me, it was imperative to read through all of the course material and ensure I understood everything listed in the exam objectives to pass the exam.

If you could go back and take it again, how would you prepare differently?

If I could prepare differently, I would have devoted more time to studying and reading the CSA Guidance and ENISA Report a second time through. To me, one read-through isn’t enough for the depth of this exam and the style of questions the exam presents. It is a hard exam to prepare for. To gain a full understanding of what is expected, it’s important to go through the material more than once, to take notes on your weak areas, and subsequently to come back to the sections that you feel weakest on and focus on those areas.

Were there any specific topics on the exam that you found trickier than others?

Topics on the exam that I found trickier than others included questions that pertained to governance within the cloud and understanding the various security as a service (SecaaS) requirements and the different services regarding SecaaS implementation.

What is your advice to people considering earning their CCSK?

I highly recommend the CCSK for anyone seeking a deeper understanding of cloud security. My advice to people considering the CCSK is to study for the exam like you would any other certification that wasn’t open book. In other words, don’t rely on the fact that it is open book. 

Lastly, what part of the material from the CCSK have been the most relevant in your work and why?

The most relevant material from the CCSK for my career has been Compliance and Audit Management, which was Domain 4 of the CSA Guide v3 when I took the exam. I believe that domain related more to my work experience than any other domain due to my cloud compliance role at the time of my certification. I definitely took the most away from the topics discussed in that domain, such as issues pertaining to Enterprise Risk Management, Compliance and Audit Assurance, and Corporate Governance. The Information Management and Data Security domain was also a very relevant domain for my work.

Interested in learning more about cloud security? Discover our free prep-kit, training courses, and resources to prepare to earn your Certificate of Cloud Security Knowledge here.

Invest in your future with CCSK training

CCSK Success Stories: From the Financial Sector

By the CSA Education Team

This is the second part in a blog series on Cloud Security Training. Today we will be interviewing an information security professional working in the financial sector. John C. Checco is President Emeritus for the New York Metro InfraGard Members Alliance, as well as an Information Security professional providing subject matter expertise across various industries. John is also a part-time NYS Fire Instructor, a volunteer firefighter with special teams training in vehicular extrication and dive/ice rescue, an amateur novelist, and routinely donates blood in several adult hockey leagues.

Can you describe your role?

Currently I lead the “Security Innovation Evaluation Team” at a large financial firm where we forage and test emerging technology solutions that will build upon our security posture and fortify our resilience far into the future.

What got you into cloud security in the first place? What made you decide to earn your CCSK?

Whether you are in the automotive, engineering, medical, retail or the information security field, one needs to constantly stay abreast of emerging trends and hype – indeed, “cloud” was one of those emerging trends and hype combined which represented a logical transition from existing legacy infrastructures.

I am a lifelong learner; seeing the early explosion of “cloud providers” who really just wrapped an orchestration layer around virtualization rather than true holistic solutions, was the jumpstart I needed to understand how important the CCM (and CCSK) was.

The CCSK reflects both the operational knowledge of the CCM, as well as the strategic goals for the CSA. The CCM itself is a superset of many existing security control standards, which makes the CCSK all the more relevant to today’s security environment.

Can you elaborate on how the CCSK reflects the operational knowledge of the CCM? Why do you think this is important knowledge for infosec professionals to know?

The CCM builds upon existing NIST/ISO standards and produces new controls where existing controls cannot adequately cover the cloud paradigm. If one knows how to properly interpret and use the CCM standard, they most likely understand the non-cloud security standards as well. The CCSK represents knowledge assurance of the CCM at an operational level; and having a shared origin with the CCM, the CCSK can truly test proficiency in the spirit of the CCM as it was designed, not just its definitions.

How did you prepare for the CCSK exam?

I was an initial member of the NY Metro Chapter of the CSA and aware of the Cloud Controls Matrix. Although my employer was not explicitly referencing the CCM as a security standard, I was pulling from it as a security controls guidance for my employer’s projects.

If you could go back and take it again, how would you prepare differently?

As information security has become more complex and more splintered, simply studying definitions is no longer an effective method to have lasting knowledge. I would suggest two additional study techniques:

  • Understand the “WHY” of each control in the CCM: what was the originating problem statement, what is the scope of that problem statement, and was the control defined to resolve the problem or simply reduce the problem’s impact to a tolerable level? Once you have a good comprehension of the background, then there is no memorization needed … it becomes common sense to the learner.
  • Get DIRTY with some hands-on experience – whether it be an existing work project or reworking an old personal project. Taking an old project and redeploying it using newer technologies and security controls gives the learner unimaginable insight into why a control is written in a certain way. The advantage of using an existing project is that you can focus on the coding, deployment and security control aspects rather than features and requirements. I have revamped my personal “Resume Histogram” project originally written in 1990 as a dial-up BBS site → to a CGI website → to a RoR web application (hey, not every decision was a good one) → to a social media plugin → to a containerized web API.

Were there any specific topics on the exam that you found trickier than others?

I suspect that everyone will have a different topic of weakness. Legal aspects were my weakness, and from the plethora of recent changes in standards and regulations – PCI DSS3, NIST revisions, NYS DFS 500, GDPR and the myriad of local regulations – I suspect it is not going to get any easier.

What is your advice to people considering earning their CCSK?

I have four points of advice:

  1. Get real-life quality experience before you attempt a certification … doctors, nurses, architects and engineers are required to, so why not InfoSec professionals?
  2. Make a habit of learning something every day …  knowledge gets stale, intelligence doesn’t.
  3. Avoid the shortcuts, like boot camps; it’s a crash diet of ignorance.
  4. Be humble, keep an open mind, and listen before you speak … things change, so what you knew was right today may be turned on its head tomorrow. Nobody should want to gain a reputation of being “CIA” (certified, ignorant and arrogant).

Lastly, what part of the material from the CCSK have been the most relevant in your work and why?

Ironically, my work over the years has made my weakest area – legal – also the most important and relevant one; especially when it comes to contracts with cloud providers for enterprise projects as well as vendors and managed service providers who run in the cloud.

Interested in completing cloud security training at RSA? CSA is offering a CCSK Plus Course at the RSA Conference 2019 that offers students an extra day of hands-on labs to practice applying what they learn. Learn more or register here.


Prepare to Take (and Ace) the CCSK Exam at Infosecurity Europe

By Ryan Bergsma, Training Program Director, Cloud Security Alliance

Here’s a riddle for you. It’s been called the “mother of all cloud computing security certifications” by CIO Magazine. Search Cloud Security said it’s “a good alternative cloud security certification for an entry-level to midrange security professional with an interest in cloud security.” And Certification Magazine listed it at #1 in its Average Salary Survey 2016. What is it?

If you answered CSA’s Certificate of Cloud Security Knowledge, more commonly known as CCSK, give yourself a pat on the back. If you’re attending Infosecurity Europe 2018 then give yourself the gift that keeps on giving and register for our CCSK v4 certification training course on June 7. Taught by renowned cloud security expert Peter HJ van Eijk, this one-day workshop will prepare you to take (and ace) the exam.

This exam prep course reflects the fact that the body of knowledge and the CCSK were recently updated to version 4, and it includes such relevant topics as DevOps, big data and IoT. Not only will you get up to speed on the latest in cloud security, but by earning your CCSK you’ll be demonstrating that you have the skills and knowledge to ensure that cloud services are implemented and used within your organization with the appropriate security controls in place, spanning the technical, management and governance domains.

Still on the fence? The course price includes the cost of the exam, a $395 value. That’s what we call a sound investment.

Not convinced? Watch this and you will be.

Register.

CCSK Certification vs AWS Certification – A Definitive Guide

By Graham Thompson, CCSK, CCSP, CISSP, Authorized Trainer, Intrinsec Security

I was recently asked about CCSK certification vs AWS certification and which one should be pursued by someone looking to get into cloud security. This post tries to address the question “which cloud certification is right for you?” I’ll give you a lay of the land for both certifications, the available training and the exams, and then conclude with thoughts on which certification is right for you.

Certificate of Cloud Security Knowledge (CCSK)

The Certificate of Cloud Security Knowledge (CCSK) is from a research organization called the Cloud Security Alliance (CSA). The CSA has created guidance for securing cloud services and recently released an updated version of this guidance (CSA Guidance v4). The guidance is about 150 pages and covers most of the knowledge required to successfully pass the CCSK exam (more about the exam down below).

In a nutshell, the goal of the CCSK is a vendor-neutral look at cloud security issues that covers the following three areas of knowledge:

Cloud computing concepts and architectures

It begins by answering the question “what is cloud computing,” then moves on to the differences between the models listed below and other fundamental cloud knowledge.

  • Definitions
  • Service Models (SaaS, PaaS, IaaS)
  • Deployment Models (e.g. Public Cloud, Private Cloud)
  • Reference Architectures
  • Cloud Security Models

Governing in the cloud

Like everything else, cloud security doesn’t (shouldn’t?) operate in a silo. The CCSK addresses how cloud changes governance, risk management and compliance. Other aspects of governing in the cloud include:

  • Contracts
  • Audit management
  • Information governance
  • Business continuity
  • Jurisdictional issues
  • Legal concerns

This information should be known by all individuals who are responsible for governing (and operating) cloud services, regardless of the service models being consumed in your organization.

Operating in the cloud

Moving forward, the CCSK covers the technical components of cloud systems such as:

  • Virtualization (e.g. hypervisors, software-defined networking (SDN), VLANs)
  • Containers
  • Incident Response
  • Application Security
  • Data Security and Encryption
  • Identity, Entitlement and Access Management
  • Security as a Service
  • Related Technologies (e.g. DevOps, Immutable Infrastructure, IoT, etc)

CCSK training

Should you take the training or self-study for the CCSK certification exam? That’s your call. Personally, I’m always a fan of doing training because it allows me to get away from the office and completely immerse myself in the subject at hand. I also get the opportunity to learn how things work in the “real world.”

If you prefer the self-study route, you have all the documentation you need listed below to take the exam.

If you are looking at the training route for yourself or your company, you can check out our offerings here. We offer the official and authorized CCSK course in on-demand, online and in-person settings. We can also offer on-site training that is tailored to your corporate requirements. (If you are looking for more info, a lot of these details about the CCSK can be found on the Cloud Security Alliance’s website.)

All course registrants also get access to our exclusive CCSK exam prep kit that includes:

  • Immediate access to on-demand CCSK v4 course
  • CCSK exam v4 prep videos
  • Hundreds of CCSK v4 pre-test questions
  • Pre-paid token for the actual CCSK v4 exam

Note: Unfortunately, we are prohibited from offering the exam prep package as a stand-alone product.

CCSK certification exam

In addition to the CSA Guidance, you’ll need to read and understand CSA’s Cloud Controls Matrix (CCM), the Consensus Assessment Initiative Questionnaire (CAIQ), and finally the ENISA Cloud Computing Risk Assessment document. All documents are available from the following download links.

CCSK exam details

The exam itself is taken online any time you wish. There are 60 questions, and you are given 90 minutes to finish. It is an open-book exam, but don’t let that fool you – it’s a pretty tough exam, and I have seen people from various backgrounds fail.

I believe people fail the exam because of the diverse nature of the CCSK exam itself. You’re looking at an exam that addresses both cloud operations and cloud governance. Most people will be strong in one or the other, but rarely is someone well-versed in both areas. If you’re in a technical position at work, you’ll need to focus on governance, and vice versa, of course.

We have published some pre-test practice questions for exam candidates who are looking to see what they might be up against before taking the actual test. All the questions are based on the new v4 version of the CCSK exam.

Ready to get started? Download the CSA CCSK prep kit or look for upcoming training sessions near you.

Amazon Web Services (AWS Certification)

Amazon offers multiple AWS role-based and specialty certifications.

For convenience, I’m including the roadmap graphic that was on the AWS certification site below:

As you can see, there’s more to the question “CCSK or AWS Certification.” AWS has multiple streams available, but I’m going under the assumption that most people mean the AWS Certified Solutions Architect designation.

Regardless of the track or specialty, let’s make one thing extremely clear: AWS is a vendor, and the complete focus will be on HOW things are done in AWS, specifically. Amazon says so itself in its certification descriptions: “technical role-based certification.”

AWS Certified Solutions Architect – Associate

Below is the list of recommended knowledge you should have before even considering the AWS Architect – Associate exam. I have done this exam (yes, I passed), and I wrote about my thoughts on that exam here.

  • One year of hands-on experience designing available, cost-efficient, fault-tolerant, and scalable distributed systems on AWS
  • Hands-on experience using compute, networking, storage, and database AWS services
  • Hands-on experience with AWS deployment and management services
  • Ability to identify and define technical requirements for an AWS-based application
  • Ability to identify which AWS services meet a given technical requirement
  • Knowledge of recommended best practices for building secure and reliable applications on the AWS platform
  • An understanding of the basic architectural principles of building on the AWS Cloud
  • An understanding of the AWS global infrastructure
  • An understanding of network technologies as they relate to AWS
  • An understanding of security features and tools that AWS provides and how they relate to traditional services

More information about the associate level certification from Amazon can be found here.

AWS Certified Solutions Architect – Professional

I have not taken this exam. That said, I have worked with many people who have taken and passed the professional exam. These people really know their AWS stuff. I think it is fair to say there aren’t many people who have the professional designation who just know the theory of things, but rather have years of practical hands-on experience in AWS.

At the time of writing, you had to hold the associate-level certification before you could sit the professional-level exam. AWS has since dropped that prerequisite, so check the current requirements on the AWS certification site before you plan your path.

Here is the list of knowledge AWS expects their professional architect holders to have:

  • Designing and deploying dynamically scalable, highly available, fault-tolerant, and reliable applications on AWS
  • Selecting appropriate AWS services to design and deploy an application based on given requirements
  • Migrating complex, multi-tier applications on AWS
  • Designing and deploying enterprise-wide scalable operations on AWS
  • Implementing cost-control strategies

In my view, you’re expected to be able to take everything you know from the associate level and apply it to enterprise scale.

More information about the professional level certification from Amazon can be found here.

AWS training

For the AWS Architect – Associate certification, you can either take the self-study approach or attend an actual training session. Bottom line here is this is not a theory-based exam. You will need to have actually spun up server instances and have worked with AWS services before taking the actual exam.

Amazon has excellent learning collateral in their whitepapers that you should study if you are going solo. The resources they recommend are:

If you’re looking for an AWS Architect – Associate training session, the applicable course is a 3-day session called Architecting on AWS. Their course schedule page can be found here.

The applicable AWS Architect – Professional course is the 3-day Advanced Architecting on AWS course. The course schedule page can be found here.

AWS certification exam

A word to the wise. Passing the AWS Architect is all about two things:

  1. Hands-on experience, and
  2. Knowing what is covered in the exam.

As I mention in my thoughts on the AWS exam piece, buy the practice exam. Don’t even think about cheaping out on this one. Seriously. Doubly seriously if you’re doing the self-study approach.

AWS exam details

The AWS exam is a scaled-score exam. Your raw number of correct answers is converted to a score between 100 and 1,000, with the scaling used to equate results across exam forms of slightly different difficulty, so a given number of correct answers does not map to a fixed percentage. I’m not alone when I say I hate these types of exams, as you have no idea how you’re actually doing as you go through the questions. And as an added bonus, Amazon states you need a “720” (out of 1,000) to pass the test, which does not mean 72 percent of the questions answered correctly.

Download the AWS Certified Solutions Architect – Associate exam guide (February 2018).

Download the AWS Certified Solutions Architect – Professional exam guide.

Which cloud certification is right for you?

As we covered, the two certifications are not similar at all. The CCSK is relevant to both governance and operational security of cloud services. It is written by an independent body and is completely vendor agnostic. The AWS certifications are 100-percent technical and are specific to AWS implementations.

  • CCSK certification addresses the “what” of cloud security
  • AWS certification addresses the “how” of AWS implementations

If you are looking to understand cloud security challenges, the CCSK is right for you. If you are in management and need to understand the impact cloud services will have on your organization, the CCSK is for you. If you work in operations and need to better understand the security challenges associated with cloud in general, the CCSK is for you.

If you are working in a dedicated AWS technical position, the AWS Certified Architect is the certification you should go with. If you are working with AWS in a security capacity, you should do the CCSK first, then follow up with the vendor-specific AWS training.

From a corporate perspective, everyone involved with information technology, ranging from procurement through risk management and operations, should attend the CCSK session, even if it is an accelerated 1-day “awareness” session.

Graham Thompson is a cloud security architect and delivers both CCSK and CCSP official courses as an authorized trainer for Intrinsec Security. You can reach Graham on LinkedIn or by old fashioned e-mail.