Exploring the Certified Cloud Security Professional (CCSP) Certification

Organizations around the world are quickly moving IT services to cloud computing platforms in an attempt to meet a wide range of business needs. From business organizations implementing a user-friendly and cost-effective SaaS platform for e-mail and calendaring to firms chasing wholesale adoption of infrastructure-as-a-service (IaaS), enterprise IT is clearly undergoing a radical transformation.

As services migrate to the cloud, there is high demand for security professionals experienced in adapting existing security controls to cloud environments. How can organizations gauge whether their existing security staff and potential hires have the knowledge required to operate effectively in a cloud-based environment?

(ISC)² and Cloud Security Alliance (CSA) recently joined forces in a unique partnership designed to address this problem for the entire industry. As the producer of the Certified Information Systems Security Professional (CISSP), the industry's gold standard security certification, (ISC)² brings substantial certification expertise to the table. CSA, on the other hand, has a long background in developing and promoting cloud security standards. The product of their collaboration is the new Certified Cloud Security Professional (CCSP) credential.

Inside the CCSP Exam

The CCSP exam is computer-based and uses the standard multiple-choice format found on many IT certification exams. Candidates will face 125 multiple-choice questions containing four possible answer choices each. There are 100 actual exam questions, while the remaining 25 are research questions used to prepare future examination question pools. Passing the exam requires a scaled score of 700 out of 1,000 possible points from the scored exam questions.

CCSP candidates will not face simulation-based questions where they are asked to manipulate IT systems or perform configurations. The exam does, however, include scenario-based questions where the candidate is asked to read a detailed scenario and then answer several multiple-choice questions pertaining to that scenario. The questions in these sections follow the same four-option multiple choice style used on the remainder of the exam.

Candidates who successfully pass the examination must also demonstrate hands-on expertise in cloud security issues. Earning the CCSP requires at least five years of experience in information technology, three years of experience in information security,  and a year of experience in one of the six CCSP domains.

Candidates who already hold CISSP certification automatically meet all three of the CCSP experience requirements. Candidates holding the CSA's Certificate of Cloud Security Knowledge (CCSK) automatically meet the one year of CCSP domain-specific experience requirement, but must still demonstrate that they meet the remaining two requirements.

Exploring the Six Domains of Cloud Security

Cloud security is a specialization within the broader field of information security. IT professionals seeking a career in this area may wish to start with a general information security certification, such as CompTIA's Security+, or (ISC)²'s own SSCP, before tackling a cloud security specialization. The six CCSP domains of knowledge focus on security issues specific to cloud computing and presume that the candidate is already familiar with the basics of information security. Let's take a look at each of the six CCSP domains and the cloud-specific security issues they cover.

Domain 1: Architectural Concepts and Design Requirements focuses on the fundamental concepts of cloud computing. Candidates must have a working knowledge of cloud computing concepts and models, as well as the high-level security issues associated with the cloud, such as encryption, access control, hypervisor security and network security. This domain includes a focus on securing different cloud computing environments, including software, platform, and infrastructure services. Candidates must also demonstrate the ability to understand the principles of sound cloud security design and cloud service certification programs.

Domain 2: Cloud Data Security begins the certification's deep dive into cloud-specific technical security issues. Candidates must be able to describe cloud-based data storage architectures and the controls commonly used to secure those environments, such as encryption, tokenization, data masking and data lifecycle management. This domain also includes coverage of data rights management (DRM) technology, retention, deletion and archiving policies and ensuring the auditability of cloud data events.

Domain 3: Cloud Platform and Infrastructure Security covers the physical and virtual security risks around cloud infrastructure. This includes the protection of virtualization platforms, communication between cloud services and implementation of audit mechanisms. CCSP candidates must be able to conduct cloud risk assessments and design appropriate security controls in response to identified risks. Finally, this domain also includes the development of appropriate business continuity and disaster recovery plans around the use of cloud services.

Domain 4: Cloud Application Security explores the application security issues found in cloud computing environments. Security professionals taking the exam will face questions relating to cloud software assurance, the software development lifecycle (SDLC) and the appropriate integration of identity and access management solutions with cloud-based computing services.

Domain 5: Operations dives into the new operational issues that arise from the use of cloud computing services. Many of the topics covered in this domain focus on the management of cloud infrastructure and are geared toward security professionals working for cloud service providers, rather than the customers of cloud services. Questions from this domain can be quite technical and explore the design, implementation and management of both physical and logical cloud infrastructure.

Domain 6: Legal and Compliance ensures that candidates grasp the complex legal and regulatory issues that emerge when organizations create and adopt cloud computing services. These include legal and privacy issues related to cloud computing, the impact of cloud computing on enterprise risk management programs and the auditing of cloud security controls. This domain also includes coverage of cloud contract design, security issues related to outsourcing arrangements and the management of cloud computing vendors.

The six CCSP domains cover a wide variety of topics but also dive deeply into technical security issues related to cloud computing. Candidates shouldn't be surprised if they answer a high-level question about cloud security policies right before diving down into a detailed question on VLAN configurations that enable isolation between different IaaS customers. This exam is not for the faint of heart and should be attempted only by experienced security professionals who are quite familiar with cloud computing issues.

Will the CCSP Catch On?

The CCSP credential holds great promise, but faces some challenges to adoption. The unique partnership between (ISC)² and CSA provides good marketing clout, and (ISC)²'s deep experience in developing and marketing security certification programs strongly suggests that the CCSP credential will do well. That said, (ISC)² has tried to roll out specialized security certifications in the past with mixed success.

We'll see some early indications of the CCSP's viability based upon the number of candidates sitting for the exam over the next few months. (ISC)² aggressively marketed the credential to their strong existing base of CISSP credential holders and the waiver of the experience requirement is an alluring inducement for those individuals to sit for the exam if they are so inclined.

Basically, existing CISSPs only need to pay the $549 exam fee and pass the exam to earn the certification. If they adopt the certification in large numbers, that will help provide the critical mass necessary for the CCSP's success. If CISSPs don't get on board, then the challenge of building a strong contingent of CCSP holders becomes more problematic. In either case, (ISC)² will need to successfully identify and engage cloud professionals seeking security training if CCSP is to be more than a niche certification. Time will tell!