Certificate of Cloud Security Knowledge
What the Industry Says
"With data being the new currency, the control of trust in the cloud is ever more significant. The CSA updated Certificate of Cloud Security Knowledge (CCSK) brings practical guidance to security professionals deploying workloads in the cloud. It delivers the necessary controls that enable security professionals to deploy cloud applications with security and trust in mind."
~ Gavin Hill, Director, Product Marketing, Venafi
“Having dealt with security since the creation of our Group 60 years ago, at Kudelski Security we are thrilled to leverage CSA’s Cloud Security Knowledge certification to bring our Cyber Security Division’s engineering experts to a common level of understanding of best practices and benefits of cloud computing. When training clients in corporate and public segments on information security standards, we highlight the importance of CSA’s CCSK certification for IT professionals who need to ensure adoption of secure cloud environment in their organizations.”
~ Joel Conus, VP Cyber Security Operations, Kudelski Security
“The CSA Certificate of Cloud Security Knowledge (CCSK) will provide a consistent way of developing cloud security competency and provide both organizations and agencies the confidence they need to adopt secure cloud solutions.”
~ Melvin Greer, Chief Strategist, Cloud Computing, Lockheed Martin
“The CSA, in providing a set of goals through the CCSK, is challenging security practitioners to become the cloud thought-leaders we need today and tomorrow to ensure safe and secure cloud environments. In developing the CCSK, CSA is 'setting the bar' for security professionals and providing business executives a means to gauge the opinions and rhetoric associated with security in the cloud.”
~ Jerry Archer, CSO, Sallie Mae
“The Certificate of Cloud Security Knowledge provides individuals with a solid foundation in cloud security issues and best practices. Organizations that leverage this training will be better positioned to get the most out of their investments in cloud computing. In addition, the certification can be a large help with recruitment efforts as organizations can easily qualify the experience of an individual in cloud security if they have earned the CCSK certificate.”
~ Gary Phillips, senior director, technology assurance and standards research, Symantec Corp
"As the concept of cloud computing continues to evolve, it's important that professionals responsible for managing and maintaining cloud environments keep current with the latest information. The Cloud Security Alliance continues to expand and capture more aspects of cloud computing with new areas of focus and guidance while expanding and adapting existing guidance to the changing landscape. Continued updates to the CCSK certification are an important part of the rapidly evolving nature of cloud computing and a great measure of individuals' commitment to understanding this evolving landscape."
~ David Lingenfelter, Information Security Officer, MaaS360 by Fiberlink
“With CCSK certification, professionals who have Cloud Computing responsibilities can demonstrate thorough Cloud security knowledge based on the CSA’s catalogue of security best practices.”
~ Patrick Harding, CTO, Ping Identity
"Despite the clear agility and cost-saving benefits, there are factors which are holding back Cloud usage. These include a deficit of trust and reliability. Enterprises simply do not trust third parties to protect their sensitive data, and connections to Cloud services may be subject to delays and outages. With the new CCSK certification program, the CSA is continuing to provide the industry's most comprehensive, prescriptive guidelines for baking trust- and reliability-oriented security best practices into new cloud initiatives."
~ Mark O'Neill, CTO, Vordel
"As enterprises move toward cloud computing, they are desperately seeking guidance and education in this new domain. CSA is bridging this gap and the CCSK provides an important first step in establishing baseline knowledge for individuals tasked with building and managing applications to the cloud."
~ Michael Sutton, VP, Security Research, Zscaler
CCSK Guidance V3
Each domain below is paired with a sample question from the V3 examination.
What are the five essential characteristics of cloud computing?
Governance and Enterprise Risk
The level of attention and scrutiny paid to enterprise risk assessments should be directly related to what?
Legal and Electronic Discovery
In the majority of data protection laws, when the data is transferred to a third party custodian, who is ultimately responsible for the security of the data?
Compliance and Audit
What is the most important reason for knowing where the cloud service provider will host the data?
Information Lifecycle Management
What are the six phases of the data security lifecycle?
Portability and Interoperability
Why is the size of data sets a consideration in portability between cloud service providers?
Traditional Security, BCM, D/R
What are the four D's of perimeter security?
Data Center Operations
In which type of environment is it impractical to allow the customer to conduct their own audit, making it important that the data center operators are required to provide auditing for the customers?
What measures could be taken by the cloud service provider (CSP) that might reduce the occurrence of application level incidents?
How should an SDLC be modified to address application security in a Cloud Computing environment?
Encryption and Key Management
What is the most significant reason that customers are advised to maintain in-house key management?
Identity and Access Management
What two types of information will cause additional regulatory issues for all organizations if held as an aspect of an Identity?
Why do blind spots occur in a virtualized environment, where network-based security controls may not be able to monitor certain types of traffic?
When deploying Security as a Service in a highly regulated industry or environment, what should both parties agree on in advance and include in the SLA?
Economic Denial of Service (EDOS), refers to...
Deprecated CCSK Guidance
The Certificate of Cloud Security Knowledge – The Future is Now!
As cloud computing shows itself to be the future of information technology, several studies have pointed to the necessity of addressing the IT industry’s skills gap and training professionals in both cloud computing and security. Since Cloud Security Alliance first released the Certificate of Cloud Security Knowledge (CCSK) in 2010, thousands of IT and security professionals have taken the opportunity to upgrade their skillsets and enhance their careers by obtaining the CCSK. It was no surprise to us when CIO.com listed CCSK as #1 on the list of Top Ten Cloud Computing Certifications.
What is the CCSK?
The CCSK is an examination testing for a broad foundation of knowledge about cloud security, with topics ranging from architecture, governance, compliance, operations, encryption, virtualization and much more. The body of knowledge for the CCSK examination is the CSA Security Guidance for Critical Areas of Focus in Cloud Computing V3, English language version, and the ENISA report “Cloud Computing: Benefits, Risks and Recommendations for Information Security”.
The CCSK examination is a timed, multiple-choice examination taken online. It consists of 60 multiple-choice questions selected randomly from our question pool and must be completed within 90 minutes. A participant must correctly answer 80% of the questions to receive a passing score. Because the exam is online, it is open book. However, as any veteran of the exam will tell you, 90 minutes is insufficient time to look up every question, so mastery of the body of knowledge is required. The official CCSK FAQ covers all the essential information about the exam.
The adoption of the CCSK is fairly broad-based. Cloud providers and information security services firms have been encouraging employees to achieve the CCSK from the very beginning. All of the Third Party Assessment Organizations (3PAOs) within the US Government's FedRAMP program have CCSK holders on staff, and a few of these 3PAOs have made it a pervasive part of their offering. Cloud customers were aggressive adopters of the CCSK in 2013, particularly enterprise users who engage with many different cloud providers. The more clouds you use, the more important it is to enforce a consistent baseline of security best practices. As we have said from the beginning, cloud security is a shared responsibility, and cloud users have responsibilities ranging from governance all the way to configuring technical security controls, depending upon the type of cloud you are using.
Get the Training You Need
As with any IT certification, formal training is an excellent way to improve your chances of passing the exam. We have found that even more important than passing the exam is sharing real-world experiences with your peers and getting hands-on access to cloud systems to apply the best practices. To that end, CSA has developed two courses that address these needs, and we highly recommend them. The CCSK Foundation class is a comprehensive one-day review of cloud security fundamentals and the body of knowledge, and prepares students to take the Cloud Security Alliance CCSK v3.0 certificate exam. The CCSK Plus class builds upon the CCSK Foundation class with expanded material and extensive hands-on activities in a second day of training. Students apply their knowledge through a series of exercises that walk through a scenario bringing a fictional organization securely into the cloud. We find that the lab work greatly reinforces classroom instruction. These courses are available worldwide via our training partner network, led by Master Training Partner HP. Some trainers can provide distance learning options or come onsite to your facility to make your learning experience as convenient as possible. You can go to https://cloudsecurityalliance.org/education/training/ for more information.
CCSK – Complementing your knowledge investments
Of course CCSK is not the first security-related certification to appear on the scene, and many of you may wonder how CCSK relates to certifications and education you have already received. Luckily, virtually all of the CCSK early adopters have multiple certifications, and we have been able to discuss this synergy with CCSK holders who also have achieved other certifications. CSA is committed to working with key user certification organizations to make sure that the education we provide aligns with the other certifications you seek. You will certainly see exciting certification partner announcements this year!
One of the most widely sought user accreditations is the Certified Information Systems Auditor® (CISA) from ISACA®. The CISA is considered the gold standard for information technology audit and is also sought by professionals with related job duties. What CISAs have told us is that the CCSK provides the necessary context and focus to successfully audit cloud environments. The more one knows about how clouds work and how they can be secured, the easier it is to identify the appropriate measures to test control objectives and make recommendations for IT systems that one will rarely touch or see. It is a no-brainer that someone calling themselves a cloud auditor would hold both certifications.
The most common certification we see held by CCSKs is the Certified Information Systems Security Professional® (CISSP) from (ISC)2, the most prevalent IT security certification worldwide. What CISSP holders have told us is that the CISSP background has been very useful in helping them study for and pass the CCSK. The CISSP Body of Knowledge consists of 10 domains, while CCSK has 14. All of the CISSP domains have an analog in the CCSK. What CISSPs have told us is that where we have the same domain, the CCSK builds upon the CISSP domain and provides context that is important to cloud. For example, when you think about encryption in cloud, the issue of key management and segmenting this from the ciphertext itself becomes more important. Additionally, the CCSK provides 4 domains that provide emphasis in areas critical to cloud: Security-as-a-Service, Virtualization, Portability and Interoperability, and Data Lifecycle Security.
CCSK – a roadmap for your future
CCSK provides a strong educational foundation for all stakeholders in cloud computing. We cannot stop with what we have built and need to continue to innovate to address the challenges. Below is our roadmap for the CCSK program:
CCSK Version 4. Our next update to the examination will be version 4 in 2015. In preparation for the next version, we will publish the revised body of knowledge in late 2014. The two most critical additions to the CCSK will be Big Data (see our Big Data Research) and Mobile Security (see our Mobile Research). These technologies have a high affinity with how cloud will operate in the future. You can begin today by reading the research we have already released in these areas and getting involved in the working groups.
CCSK Developer. There is a critical need to educate developers to follow best practices. The agility that cloud affords, and the use of software modules of unknown provenance, create obvious problems. CSA will release initial developer training in September 2014 as a workshop at CSA Congress US, and will continue to improve it based on feedback. Our current plan is to focus on education, not certification, but we will definitely listen to the community.
CCSK Assurance. As the CSA research in governance, risk and compliance becomes the backbone of cloud trust and assurance, there is a need to provide more education specifically geared to these tools. Providing more in-depth knowledge about using the GRC Stack components (Cloud Controls Matrix (CCM), Consensus Assessment Initiative Questionnaire (CAIQ), CloudAudit and Cloud Trust Protocol (CTP)) is important for IOT assurance professionals. It is also critical for cloud and technology companies seeking to automate a continuously trusted cloud. As with CCSK Developer, our current plan is to focus on education in 2014 and not certification. We think this course will be a great source of CPEs for other security-related certifications.
Information security is often described as a journey, not a destination unto itself. Education is the beginning, middle and end of our security journey. We believe that the CCSK can help you meet your needs in securing the future of IT.
Meet the CCSKs
Certificate of Cloud Security Knowledge holders include some of the industry’s top experts solving real world problems, assisted by their CCSK education. Check out our featured CCSK expert below:
Jan De Clercq is a solution architect and HP Distinguished Technologist specializing in IT security, identity and access management, cloud computing and Microsoft infrastructures. He is currently working in the HP Technology Services Consulting worldwide IT Assurance Portfolio team, where he is the lead architect and content developer for the Cloud Protection, Mobility Protection and Platform Protection services. Jan has over fifteen years of experience in consulting and technical training. He has provided security, cloud, identity management, and Microsoft infrastructure consulting to some of Digital, Compaq and HP's largest customers. He is a well-respected member of the security community and has been invited to present at major security conferences. He has also written security-focused books and articles for industry publications; most recently he co-authored "Cloud Computing Protected".
Jan was closely involved in the creation of the HP Cloud Protection Reference Architecture (CP RA), the HP Technology Services Consulting framework for helping organizations secure hybrid cloud solutions. The reference architecture addresses cloud security holistically by taking into account an organization's business, functional, technical and implementation cloud security needs and by including the appropriate people, policy, process, procedure and product controls in the cloud security solution. The CSA cloud security best practices (reflected in both the CSA collateral and the CCSK certification) are one of the fundamental building blocks that underpin the HP CP RA. Jan benefited significantly from both the CSA collateral and his CCSK certification while building the CP RA, and he continues to take advantage of them in his ongoing customer cloud security engagements.
David Gibbs, CCSK, CISSP - David Gibbs is Chief Technologist – Military Healthcare for HP Enterprise Services, US Public Sector. He is responsible for the development and execution of strategic and innovative technology initiatives for HP and clients. He maintains roadmaps and innovation agendas, leads research and development efforts, and continually assesses technology capabilities to guide optimized solutions for military healthcare clients.
With over 25 years’ experience, David delivers thought leadership, facilitates understanding and collaboration, and is a catalyst for innovative solutions. For the past decade, David envisioned and architected secure and effective enterprise-level information technology solutions to enable improved delivery of healthcare. He contributed directly to client projects applying his expertise with information security, enterprise architecture, directory services, federated identity management, enterprise management, messaging, and mobile computing.
Recognizing the growing interest in cloud computing among his customers and knowing the level of security required for military and healthcare systems, David completed the Certificate in Cloud Security Knowledge (CCSK) offered by the Cloud Security Alliance. The practical information acquired from the CCSK body of knowledge strengthened David’s understanding of cloud security and empowers him to collaborate effectively with customers and colleagues to evaluate and develop secure cloud computing solutions.
An educator and technologist, David participates in professional and academic activities that bridge computer science, health information technology, and adult education. He enjoys helping people think, understand, construct knowledge, solve problems, and make informed decisions. His passion for teaching has been fueled throughout his career by facilitating formal and informal learning, including delivery of hundreds of information technology certification workshops and also teaching undergraduate courses for two years as a part-time faculty member in a university computer science department.
David maintains a variety of industry certifications and professional memberships relevant to his work with information security and healthcare information technology. His academic preparation includes a Bachelor of Science in Computer Science from East Tennessee State University followed by a Master of Science in Education from California State University – East Bay. David is currently writing a dissertation related to information systems requirements elicitation as he completes a Ph.D. in Adult, Professional, and Community Education at Texas State University.