CCSK Success Stories: From a Project Manager of Certificate Policy

This is part of a blog series interviewing cybersecurity professionals who have earned their Certificate of Cloud Security Knowledge (CCSK). In these blogs we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage knowledge from the CCSK in their current roles. In this blog, we'll be interviewing Tanat Tonguthaisri, Project Manager at the National Root Certification Authority.

1. In your current role, you steer projects to promote NRCA for more public adoption. Can you tell us about what your job involves?

I perform a gap analysis of Certificate Policy and Certification Practice Statement (CP/CPS) and keep improving them in order for NRCA to be accepted into major PKI Trust Stores, such as Apple, Microsoft, Chrome, and Mozilla, plus Adobe for document signing.

2. Can you share with us some complexities in managing cloud computing projects?

Local CSPs in Thailand do not strictly have the five essential characteristics as outlined in NIST SP 800-145 and CSA Security Guidance v4.0. The contracting office needs to be aware of these local players selling snake-oil cloud services and emphasize explicitly in the Request for Proposal and Terms of Reference that the cloud services to be procured must have at least the five essential characteristics of cloud computing.

3. In managing (outsourced) cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?

Many local CSPs are large companies who have been in the IT business for over a decade. What they package as cloud services do not even have two essential characteristics, i.e., on-demand self-service and rapid elasticity. They repackage Virtual Private Server (VPS) as cloud computing services and charge hefty fees for these snake oil contracts.

4. What made you decide to earn your CCSK? What part of the material from the CCSK has been the most relevant in your work and why?

My first motivation is a personal one. Dr. Nantawan Wongkachonkitti (CIO and Deputy Manager General of Students Loan Fund) was the first person in Thailand to pass the CCSK (v3 back in 2014). At the time, there was no other certificate or certification program related to cloud computing at all.

I believe that even from the very first domain in CSA’s Security Guidance, readers can equip themselves with the correct and properly prepared baseline knowledge to understand the nature of cloud computing services.

5. How does the CCM help communicate with customers?

The Cloud Controls Matrix (CCM) helps tremendously in terms of mapping all the relevant control domains plus their subdomains to most, if not all, major security standards, frameworks and compliance guidelines. With the recent release of CCM v4, the scope and coverage of relevant standards became broader, making it a one-stop shop for cloud practitioners to ensure that they do not miss any important security controls for the cloud services that they provide to their customers. The tabular format in a single, small-size spreadsheet can be navigated rather conveniently when you want to present your case to your clients and need a reliable source of reference materials to back you up.

6. What’s the value in a vendor-neutral certificate like the CCSK or CCSP versus getting certified by AWS? In what scenario are the different certificates important?

The CCSK is definitely the best overall fundamental level method to evaluate one's understanding of cloud concepts. The CCSP adds to the CCSK for intermediate level applications, given its scenario-based exam questions. But once you start working with certain CSPs, it is definitely useful to assess yourself based on the specific ways of doing things for the cloud service of your choice.

7. Would you encourage your staff and/or colleagues to obtain the CCSK or other CSA qualifications? Why?

Most definitely, and I can never stress this enough. I have come across far too many cases of VPS being repacked as snake-oil cloud services. By reading CSA’s Security Guidance, SECaaS guidelines, CCM v4 and ENISA Cloud Computing Risk Assessment documents yourself, you can be equipped with the appropriately prepared foundational knowledge about how cloud computing works. But for a little extra mile, preparing for the CCSK exam motivates you to learn, memorize and comprehend those cloud concepts on a deeper level. When you work in the industry, the ability to recall the right and relevant technical concepts can give you that extra edge to become an even more effective IT (or cloud, or security, or data) professional.

8. What is the best advice you will give to IT professionals in order for them to scale new heights in their careers?

Lifelong learning has been the key for the past many years. Cloud computing helps provide an even more accessible learning platform like Massive Open Online course (MOOC). If you need to get your hands dirty and become hands-on, you need to invest in cloud service simulators and sandboxes for learning purposes. Study the theories and concepts, then practice with actual services via the free-trial offers by major CSPs or per-subscription cloud sandbox platforms, then do a few personal IT projects which can range from security, data and container/cluster computing related, that utilize cloud service platforms. You will become more confident and competent in very little time.