CCSK Success Stories: From a Cloud Trust Associate
This is part of a blog series interviewing cybersecurity professionals who have earned their Certificate of Cloud Security Knowledge (CCSK). In these blogs we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage knowledge from the CCSK in their current roles. In this blog we'll be interviewing Khuan Seng, Cloud Trust Associate at PwC Singapore.
1. In your current role as a Cloud Trust Associate at PwC Singapore, you provide services in assurance and audit. Can you tell us about what your job involves?
I’m part of PwC Singapore’s Cloud Trust Team and we provide cloud security advisory and assurance services to clients at the pre-implementation and operational phases of their various transformation projects. In my current role as a practitioner, I am involved in performing the assurance and audit related fieldwork pertaining to my areas of expertise: cloud risk, controls, and compliance.
2. Can you share with us some complexities in managing cloud computing projects?
The complexities tend to arise when there are different cloud services and deployment models in multiple environments driven by the shared responsibility model. This leads to permutations that will require time, effort, and, most importantly, cloud security expertise to determine the right direction and approach because each service model and deployment model combination comes with its unique set of challenges.
The most common variation is an Infrastructure-as-a-Service (IaaS) model coupled with a public cloud deployment model. While this setup is similar to a traditional on-premises model, organizations might face challenges in extending governance to the cloud because cloud service providers (CSPs) are unlikely to customize offerings or assume new obligations for a specific customer, since their model of service provision caters to economies of scale.
On the other hand, Software-as-a-Service (SaaS) in public cloud has the most convenient setup and maintenance, but this service and deployment model provides the least visibility and control into the underlying infrastructure. As a result, there will be a greater reliance on assessment and contracts between the organizations and CSPs to manage governance.
3. In managing (outsourced) cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?
Getting the fundamentals right is paramount to avoid common pitfalls throughout the cloud transformation journey. Some of these fundamentals include:
- A comprehensive understanding of the relationship between the shared responsibility model and the cloud service and deployment models will help set you and your team in the right direction and approach.
- Be very clear about your organization's risk appetite and tolerance levels, because the risk appetite and tolerance level should not simply increase for the sake of moving to the cloud. Proper risk assessments must always be conducted before embarking on any outsourced cloud project to ensure the project stays within the organization's governance framework.
4. What made you decide to earn your CCSK? What part of the material from the CCSK has been the most relevant in your work and why?
There’s a demand for certified professionals in the market and I believe certifications encourage learning and professional development which also proves my credibility and competence to our clients.
The CCSK All-in-One Exam Guide was my primary study material and the most relevant chapter would be ‘Compliance and Audit Management’ as it directly correlates with the work that I do in the area of risk, controls, and compliance.
5. How does CCM help communicate with customers?
The Cloud Controls Matrix (CCM) helps communicate the key control objectives required for migrating to the cloud and serves as a useful guide for new cloud customers. What is most useful is that the controls are mapped to the Architectural Relevance, Service and Shared Responsibility Models. They tell us exactly at which level each control operates and to whom the responsibility belongs depending on the service model: the CSP, the customer, or both.
Another beneficial feature is the mapping against various standards, best practices, guidelines, notices and regulations, some specific to the cloud while others are generic or sector specific. This is particularly useful in determining the compliance posture. By leveraging this, we can save tremendous time and effort.
6. What’s the value in a vendor-neutral certificate like the CCSK or CCSP versus getting certified by AWS? In what scenario are the different certificates important?
I see these two types of certifications (vendor-neutral and vendor-specific) as quite different and, in fact, quite complementary. They can be compared to learning how to drive, where we begin with the theory and subsequently move on to practical application.
I see that vendor-neutral certificates can be useful in equipping people with the necessary theories, security principles, common challenges, and best practices. On the other hand, vendor-specific certifications provide the necessary training to help people operate the respective platforms effectively.
7. Would you encourage your colleagues to obtain CCSK or other CSA qualifications? Why?
Yes. CCSK and the Certificate of Cloud Auditing Knowledge (CCAK), for example, provide the fundamentals in the areas of cloud security and cloud auditing, which are important to many cloud professionals. It’s imperative we recognize that modern problems require modern solutions, because the typical way of addressing security and auditing on-premises does not work with the cloud.
Therefore, we can equip ourselves with the necessary knowledge, obtain insights and build up the competency through these qualifications to address the gap.
8. What is the best advice you would give to IT professionals in order for them to scale new heights in their careers?
It’s important to adopt a continuous learning mindset, because what is relevant today may be irrelevant tomorrow, especially with the rapid evolution of the technology world. With this in mind, stay abreast of the ongoing developments in the cloud and the larger technology space, and equip or upskill yourself with the necessary skill sets so that you can continuously provide meaningful added value to your team and your clients.