CCSK Success Stories: From a Quality Security Consultant

This is part of a blog series interviewing cybersecurity professionals who have earned their Certificate of Cloud Security Knowledge (CCSK). In these blogs we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage knowledge from the CCSK in their current roles. In this blog we'll be interviewing Parveen Arora, Independent Consultant to Companies and Director at VVnT Foundation.

1. In your current role as an Independent Consultant to Companies and Director at VVnT Foundation, what does your job involve?

I’m engaged as Quality Security Assessor and Consultant at NEC Corporation India, where I help businesses in cybersecurity, cloud security engineering, privacy by design, scaling DevOps, and implementation of a quality-first approach to build better products and services in compliance to global standards.

My role involves working with global clients in various phases of their projects (across industries). I offer clients pragmatic advice and solutions to quality security challenges based on their business requirements.

At VVnT Foundation, a not-for-profit, our central focus is to create a community of VV&T professionals in India having necessary IT skills in niche/futuristic areas like cloud security, data security and privacy, and DevOps. Our Foundation has embarked on a mission to serve the underprivileged, differently abled, and needy engineers, making them independent and job ready.

2. Can you share with us some complexities in managing cloud computing projects?

Performing proper cloud due diligence and understanding the shared responsibility model is very important in any cloud computing project. It is a must to identify who is responsible for what and document the same in the contract.

Data is the key asset for any organization, so pay special consideration for the security of the same in accordance with the cloud service model you have opted for.

Hybrid is the new reality of cloud, which has added new complexities in areas like integration, data security, portability, interoperability, and BC/DR.

You have to map your compliance and regulatory requirement with the security posture of cloud service providers (CSPs).

3. In managing (outsourced) cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?

Understand your data before moving it to the cloud. Classify data and define security and compliance requirements for the same.

Define your requirements, responsibilities, and SLA carefully in contract and wherever required involve legal.

Your traditional security processes need to be tuned-in for cloud environments - incident response plans and DevOps cannot be an afterthought. Do not go for customization, as a best practice adopt standard components of cloud.

4. What made you decide to earn your CCSK? What part of the material from the CCSK has been the most relevant in your work and why?

In the recent past, I have been involved in cloud security engagements, so I wanted to further specialize in cloud and IoT security and governance. Earning the CCSK and other CSA credentials is acknowledged as the standard of expertise in cloud security. Now that the Certificate of Cloud Auditing Knowledge (CCAK) is announced, I will go for that as well.

The CCSK has been designed in a very comprehensive manner, providing very useful references to advance your career. The modules within the CCSK are well-structured, covering all aspects of cloud security and governance. It is a great guidance for all cloud security professionals like me, who are working on cloud migration projects.

Although all modules are invaluable, I found CCM and CAIQ as very helpful takeaways for my work.

5. How does the Cloud Controls Matrix (CCM) help communicate with customers?

The CCM, being a comprehensive control framework for cloud security, has become a very good starting point for any cloud practitioner. Using the CCM, it is easy to define a shared responsibility model in the cloud. It also helps you ensure all your compliance, regulatory, and security requirements.

6. What's the value in a vendor-neutral certificate versus getting certified by a vendor? In what scenario are the different certificates important?

With so many cloud vendors in the market, each using their proprietary terms, there is no easy way to understand benchmarks. Vendor-neutral certificates like CCSK are universally accepted as they are not biased toward any particular vendor. Such a certificate provides common concepts and a framework which can be applied across vendors. In the scenario where vendor-specific security is implemented, the vendor-specific certification can be an added advantage.

7. Would you encourage your staff and/or colleagues to obtain CCSK or other CSA qualifications? Why?

Yes, I would highly recommend it, as all cloud practitioners need to have a holistic understanding of cloud security control.

Certificates like CCSK provide insights on how to achieve security in cloud computing. And since it is vendor-neutral, the adopted approach can be applied across cloud vendors. CSA provides a platform to earn many such valuable qualifications.

8. What is the best advice you would give to IT professionals in order for them to scale new heights in their careers?

Our IT industry is constantly changing, but the speed of change in the security domain is highest. While innovation and new developments are happening at scale in all sectors, it is important to understand the associated threat vectors and implement countermeasures accordingly. Responsive security measures will not suffice in the new era; security by design has to be implemented.

The only way to stay relevant in this industry is continuous learning and participation in relevant forums like CSA Circle.

So keep learning and share your learnings.