Find Your Footing in Cloud Security with CCSK


The cloud is here to stay. Organizations of all sizes and industries are turning to cloud services as a flexible, agile alternative to building expensive data centers, maintaining silos of technical expertise, and overprovisioning capacity to meet future demand.


Gartner recently estimated that the cloud computing industry will grow at an 18 percent rate in 2017, reaching a total market size of $246 billion. There's no sign that the adoption of cloud services is slowing down, and a quick search of technical job descriptions shows that technologists with experience on cloud platforms such as Amazon Web Services (AWS), Microsoft Azure, Salesforce, Workday, and other similar services are in high demand.


Even as organizations turn to the cloud to achieve cost savings, improve their agility, and drive flexibility in computing, however, they remain concerned about the security of data stored and processed in the cloud. Turning over responsibility for handling data at any layer of the cloud computing stack raises the eyebrows of security professionals and calls for a different kind of expertise than securing traditional environments.


While the same basic tenets of confidentiality, integrity, and availability still apply in the world of cloud computing, the cloud presents challenges of its own. Cloud security professionals must depend more upon risk assessments, application-layer controls, and contractual protections than the firewalls and intrusion detection systems commonly found in on-premises data centers.


The Cloud Security Alliance (CSA) recognized this shift in attitudes toward on-premises computing six years ago when they launched the Certificate of Cloud Security Knowledge (CCSK) certification program in 2011. The CCSK was the first major attempt at creating a cloud-specific security certification and attracted some attention from within the cybersecurity profession.


It went unnoticed by many practitioners, however, due, quite simply, to the relative immaturity of the field. In 2017, on the other hand, it's difficult to find an enterprise that doesn't make some use of cloud services, and security professionals are beginning to seek education and certification programs focusing specifically on this high-demand specialty.


Is CCSK a Full Certification?


Most people who do a quick scan of the cloud security certification space walk away a little bit confused — and for good reason! There are two similarly named certification programs available and they share a common sponsor!


In 2015, CSA partnered with the more widely known industry association (ISC)2 to release the Certified Cloud Security Professional (CCSP) certification. While they didn't bill the CCSP as a replacement for the CCSK credential, many in the field viewed the CCSP as a major upgrade to the existing program.


The fact that CSA partnered in the certification raised justifiable questions about the ongoing viability of the CCSK program, and the fact that the CCSK hasn't been revised since its initial release in 2011 lends credence to those concerns.


One of the major differences between the two programs is the type of material that appears on the exam. The CCSK program is clearly billed as a knowledge-based certification. It carries no formal experience requirement and simply requires that candidates demonstrate knowledge of a wide variety of cloud security topics.


The CCSP, on the other hand, is targeted at experienced cloud professionals. In the words of (ISC)2, "the CCSP credential denotes professionals with deep-seated knowledge and competency derived from hands-on experience with cyber, information, software and cloud computing infrastructure security."


The CCSP also has a strictly enforced experience requirement, mandating that candidates prove 5 years of experience in information technology, including 3 years in information security and at least one year in the 6 CCSP domains. The experience difference alone clearly positions the CCSP as a credential for experienced professionals, while the CCSK is more of an entry-level certification. CSA and (ISC)2 seem to acknowledge this directly, allowing CCSK holders to substitute their CCSK credential for one year of the CCSP experience requirement.


Another major difference between the two programs is the rigor of the testing. The CCSK program requires correctly answering 48 out of 60 multiple choice questions during a 90-minute exam period. Candidates take the exam from the comfort of their home or office, in an unproctored examination environment.


The CCSP credential, by contrast, employs a much more traditional certification testing environment. Candidates must take the CCSP exam in the proctored environment of a Pearson VUE testing center and have four hours to complete 125 exam questions.



Candidates will also find that the two programs differ significantly in their ongoing maintenance requirements. The CCSK actually has no ongoing requirements. Once you pass the CCSK exam, you're certified and you don't need to do anything to maintain your certification on an ongoing basis.


The CCSP implements a continuing education program very similar to the program that (ISC)2 uses for its flagship Certified Information Systems Security Professional (CISSP) program. CCSP certification holders must pay a $100 annual maintenance fee and must complete 30 hours of continuing professional education on an annual basis.


What's Covered on the CCSK?


The CCSK covers a wide variety of cloud computing topics, and you should expect to see questions that quiz your knowledge of those topics. Unlike many certification programs, the CCSK is solely based upon two reference documents cited by the CSA: the CSA's Security Guidance for Critical Areas of Focus in Cloud Computing v3.0 and the European Network and Information Security Agency (ENISA)'s Cloud Computing: Benefits, Risks, and Recommendations for Information Security.


Both of these documents are available for free from their publishers, making it rather straightforward to obtain reference materials and study for the exam. In fact, there's no need to purchase a study guide or take a course. You can download the materials and prepare fully for the exam with just a few weeks' effort.


The CSA security guidance document comprises the vast majority of the material on the exam and covers a wide range of cloud security knowledge. You'll find that the document divides cloud security issues into 14 distinct domains, each covered by 10 or 20 pages in the guidance document. The 14 CCSK domains are as follows:


1) Architecture
2) Governance and Enterprise Risk Management
3) Legal Issues: Contracts and Electronic Discovery
4) Compliance and Audit Management
5) Information Management and Data Security
6) Interoperability and Portability
7) Traditional Security, Business Continuity, and Disaster Recovery
8) Data Center Operations
9) Incident Response
10) Application Security
11) Encryption and Key Management
12) Identity, Entitlement and Access Management
13) Virtualization
14) Security as a Service


The ENISA document has some overlap with the CSA document in its coverage of cloud security basics, but it adds a strong focus on risk assessment, including a detailed exploration of many of the risks and vulnerabilities associated with doing business in the cloud. The major topics covered by ENISA's cloud risk assessment include:


• Security benefits of cloud computing
• Risk assessment
• Risk types and categories (policy and organizational risks, technical risks, legal risks, and risks not specific to the cloud)
• Vulnerabilities
• Assets
• Information assurance framework
• Information assurance requirements
• Research recommendations


Together, these two documents comprise the entire body of knowledge for the CCSK certification. Remember: The CCSK is a knowledge-based certification and not an experience-based certification. If you read and understand the information contained within these documents, then you will have all of the information that you need to pass the CCSK exam.


One other word of wisdom — the exam is heavily skewed toward the CSA security guidance document. In fact, 92 percent of the exam questions are drawn from that document, while only 8 percent come from the ENISA document. You should prioritize your study time accordingly!


Technology professionals seeking to broaden their understanding of cloud security should consider CCSK a reliable introductory certification. There is a straightforward study process, and the exam itself affords a high degree of convenience and accessibility. Those seeking a more rigorous credential should consider focusing instead on the more advanced CCSP certification program.


About the Author

Mike Chapple is Senior Director for IT Service Delivery at the University of Notre Dame. Mike is CISSP certified and holds bachelor’s and doctoral degrees in computer science and engineering from Notre Dame, with a master’s degree in computer science from the University of Idaho and an MBA from Auburn University.