Typical Challenges in Understanding CCSK and CCSP: Technology Architecture
Blog Article Published: 12/03/2018
By Peter HJ van Eijk, Head Coach and Cloud Architect, ClubCloudComputing.com
As cloud computing is becoming increasingly mainstream, more people are seeking cloud computing security certification. Because I teach prep courses for the two most popular certifications—the Certificate of Cloud Security Knowledge (CCSK), organized by the Cloud Security Alliance (CSA), and the Certified Cloud Security Professional (CCSP), as organized by (ISC)2—I naturally see a wide variety of people as they work to pass these exams.
My students come from many different backgrounds, each bringing with them a unique set of experiences that color their understanding of the way the cloud is managed and controlled. To some these varying backgrounds might seem a hindrance, but quite the opposite is true because secure cloud adoption is a team sport where diverse backgrounds count in order to reduce the risk to organizations.
Despite their varying backgrounds, they all face similar challenges. A common challenge I see in my courses, especially for less technical people, is understanding information technology architecture in general. It’s something they struggle with, and also something that can be a hurdle in passing the exam. So, what is technology architecture and why is it important?
A technology architecture primer
Cloud computing, in my opinion, does not have that much new technology. Most of the technology we have today was already in existence before the advent of cloud computing.
Today, a common characteristic of the technologies that are relevant for cloud computing is the fact that they facilitate resource pooling and interconnection of systems. Resource pooling is an essential characteristic of cloud computing, and a technology such as server virtualization helps implement that sharing. But that technology should also guarantee proper separation between otherwise independent cloud tenants.
Technologies such as APIs and federated identity management allow the cloud to be made up of a lot of collaborating independent companies. This helps create an IT supply chain. Your average company has hundreds of SaaS suppliers who in turn use hundreds of other cloud companies to help them deliver their services.
APIs also enable the essential cloud characteristic of automatic self-service provisioning. For example, through APIs we can set up auto-scaling services. Again, this is a tool in building the IT supply chain.
Sharing requires caring
The new thing in cloud is sharing between independent companies, interconnecting different, independent providers and automating that. The whole technology architecture now spans the IT supply chain.
This has big governance and security implications. For example, when that collaboration or isolation fails, we cannot escalate these problems to our own CTO or CIO to resolve them. These problems are not confined to a single company anymore. They have to be resolved between companies.
The technical collaboration between companies will only work with proper contracts and management processes. This has to be set up in advance, instead of figuring out how it works later, as is so common inside an enterprise. And the people whose competence is to review these contracts and set up the service management processes therefore must understand how the technology enables that collaboration.
That is why technology architecture is so important for less technical people. And that is also why it can be hard. The CCSK body of knowledge focuses specifically on how cloud technology architecture has an impact on cloud management, in particular on cloud risk management, and that makes it a great tool for building effective cloud adoption teams.
Peter van Eijk is one of the world's most experienced cloud trainers. He has worked for 30+ years in research, with IT service providers and in IT consulting (University of Twente, AT&T Bell Labs, EDS, EUNet, Deloitte). In more than 100 training sessions, he has helped organizations align on security and speed up their cloud adoption. He is an authorized CSA CCSK and (ISC)2 CCSP trainer, and has written or contributed to several cloud training courses.