Certificate of Cloud Security Knowledge

The Future is Now

As cloud computing shows itself to be the future of information technology, several studies have pointed to the necessity of addressing the IT industry’s skills gap and training professionals in both cloud computing and security. Since Cloud Security Alliance first released the Certificate of Cloud Security Knowledge (CCSK) in 2010, thousands of IT and security professionals have taken the opportunity to upgrade their skillsets and enhance their careers by obtaining the CCSK. It was no surprise to us when CIO.com listed CCSK at #1 on the list of Top Ten Cloud Computing Certifications.

Why Obtain the CCSK?

As enterprises and consumers move greater amounts of sensitive information to the cloud, employers struggle to find information security leaders who have the necessary breadth and depth of knowledge to establish cloud security programs protecting sensitive information. The CCSK lets the marketplace know you are ready for the challenge with the first credential dedicated to cloud security, offered by the world’s thought leader in cloud security.

The CCSK Helps You:

• Validate your competence gained through experience in cloud security
• Demonstrate your technical knowledge, skills, and abilities to effectively develop a holistic cloud security program relative to globally accepted standards
• Differentiate yourself from other candidates for desirable employment in the fast-growing cloud security market
• Gain access to valuable career resources, such as tools, networking and ideas exchange with peers

The CCSK Helps Employers:

• Protect against threats with qualified professionals who have the expertise to competently design, build, and maintain a secure cloud business environment
• Increase your confidence that candidates are qualified and committed to cloud security
• Ensure practitioners use a universal language, circumventing ambiguity with industry-accepted cloud security terms and practices
• Increase organizations’ credibility when working with constituents

The CCSK Helps Cloud Providers and Consulting Organizations:

• Increase revenues by winning more business using expertise demonstrated with certified staff
• Increase organizations’ credibility and trust when working with clients and vendors

What is the CCSK?

The CCSK is an examination testing for a broad foundation of knowledge about cloud security, with topics ranging from architecture, governance, compliance, operations, encryption, virtualization and much more. The body of knowledge for the CCSK examination is the CSA Security Guidance for Critical Areas of Focus in Cloud Computing V3, English language version, and the ENISA report “Cloud Computing: Benefits, Risks and Recommendations for Information Security”.

The CCSK examination is a timed, multiple choice examination you take online. The examination consists of 60 multiple choice questions selected randomly from our question pool, and must be completed within 90 minutes. A participant must correctly answer 80% of the questions to receive a passing score. Because the exam is online, it is open book. However, as any veteran of the exam will tell you, 90 minutes is insufficient time to look up every question, and a mastery of the body of knowledge is required. You can check out the official FAQ here for all the essential information about CCSK.

The adoption of the CCSK is fairly broad-based. Certainly cloud providers and information security services firms have been encouraging employees to achieve the CCSK from the very beginning. All of the Third Party Assessment Organizations (3PAOs) within the US Government’s FedRamp program have CCSKs on staff, and a few of these 3PAOs have made this a pervasive part of their offering. Cloud customers were an aggressive adopter of CCSK in 2013, particularly those enterprise users who are engaged with many different cloud providers. The more clouds you use, the more important it is to enforce a consistent baseline of security best practices. As we have said from the beginning, cloud security is a shared responsibility, and cloud users have responsibilities ranging from the governance all the way to configuring technical security controls, depending upon the type of cloud you are using.

Get the Training You Need

As with any IT certification, formal training is an excellent way to improve your chances at successfully passing the exam. We have found that even more important than actually passing the exam is sharing real world experiences with your peers and getting hands on access to cloud systems to apply the best practices. To that end, CSA has developed two courses that address these needs and which we highly recommend. The CCSK Foundation class provides students a comprehensive one day review of cloud security fundamentals, the body of knowledge and prepares them to take the Cloud Security Alliance CCSK v3.0 certificate exam. The CCSK Plus class builds upon the CCSK Foundation class with expanded material and extensive hands-on activities with a second day of training. Students will learn to apply their knowledge as they perform a series of exercises as they complete a scenario bringing a fictional organization securely into the cloud. We find that the lab work greatly reinforces classroom instruction. These courses are available worldwide via out training partner network, led by Master Training Partner HP. Some trainers have the ability to provide distance learning options or to come onsite to your facility to make your learning experience as convenient as possible. You can go to https://cloudsecurityalliance.org/education/training/ for more information.

CCSK – Complementing your knowledge investments

Of course CCSK is not the first security-related certification to appear on the scene, and many of you may wonder how CCSK relates to certifications and education you have already received. Luckily, virtually all of the CCSK early adopters have multiple certifications, and we have been able to discuss this synergy with CCSK holders who also have achieved other certifications. CSA is committed to working with key user certification organizations to make sure that the education we provide aligns with the other certifications you seek. You will certainly see exciting certification partner announcements this year!

One of the most widely sought user accreditations is the Certified Information Systems Auditor ®, from ISACA®. The CISA is considered to be the gold standard for information technology audit, and is also sought by professionals with related job duties. What CISAs have told us is that the CCSK provides the necessary context and focus to successfully audit cloud environments. The more knowledge one has about how clouds work and how they can be secured, the easier it is to identify the appropriate measures to test control objectives and make recommendations for IT systems that one will rarely touch and see. It is a no-brainer that someone calling themselves a cloud auditor would hold both certifications.

The most common certification we see held by CCSKs is the Certified Information Systems Security Professional® (CISSP) from (ISC)2, the most prevalent IT security certification worldwide. What CISSP holders have told us is that the CISSP background has been very useful in helping them study for and pass the CCSK. The CISSP Body of Knowledge consists of 10 domains, while CCSK has 14. All of the CISSP domains have an analog in the CCSK. What CISSPs have told us is that where we have the same domain, the CCSK builds upon the CISSP domain and provides context that is important to cloud. For example, when you think about encryption in cloud, the issue of key management and segmenting this from the ciphertext itself becomes more important. Additionally, the CCSK provides 4 domains that provide emphasis in areas critical to cloud: Security-as-a-Service, Virtualization, Portability and Interoperability, and Data Lifecycle Security.

CCSK – a roadmap for your future

CCSK provides a strong educational foundation for all stakeholders in cloud computing. We cannot stop with what we have built and need to continue to innovate to address the challenges. Below is our roadmap for the CCSK program:

CCSK Version 4. In preparation for the next version, we will publish the revised body of knowledge, CSA Security Guidance v4.0 and add a critical addition of the Cloud Controls Matrix v4.0 in 2016. New technologies have a high affinity with how cloud will operate in the future. You can begin today by reading the research we have already released and getting involved in the working groups.

CCSK Developer. There is a critical need to educate developers to follow best practices. The agility that cloud affords, and the usage of software modules of unknown provenance creates obvious problems. CSA will release initial developer training as a workshop at CSA Congress US, and will continue to improve it based on feedback. Our current plan is to focus on education, not certification, but we will definitely listen to the community.

CCSK Assurance. As the CSA research in governance, risk and compliance becomes the backbone in cloud trust and assurance, there is a need to provide more education specifically geared to these tools. Providing more in depth knowledge about using the GRC Stack components: Cloud Controls Matrix (CCM), Consensus Assessment Initiative Questionnaire (CAIQ), CloudAudit and Cloud Trust Protocol (CTP), is important for IOT assurance professionals. It is also critical for cloud as well as technology companies seeking to automate a continuously trusted cloud. As with CCSK Developer our current plan is to focus on education and not certification. We think this course will be a great source of CPEs for other security-related certifications.

Information security is often described as a journey, not a destination unto itself. Education is the beginning, middle and end of our security journey. We believe that the CCSK can help you meet your needs in securing the future of IT.

Additional Information

CCSK - (SPANISH) - TEST ONLINE HERE!

CCSK Preparation Guide

CCSK Frequently Asked Questions (FAQ)

Certification Board

Meet the CCSKs

Certificate of Cloud Security Knowledge holders include some of the industry’s top experts solving real world problems, assisted by their CCSK education. Check out our featured CCSK expert below:

Jan De Clercq

Senior Consultant, HP Consulting and Integration, Hewlett-Packard, Belgium

Jan De Clercq is a solution architect and HP Distinguished Technologist specializing in IT security, identity and access management, cloud computing and Microsoft infrastructures. He is currently working in the HP Technology Services Consulting worldwide IT Assurance Portfolio team where he is the lead architect and content developer for the Cloud Protection, Mobility Protection and Platform Protection services. Jan has over fifteen years of experience in the areas of consulting and technical training. Jan has provided security, cloud, identity management, and Microsoft infrastructure consulting to some of Digital, Compaq and HP’s largest customers. He is a well-respected industry member of the security community and has been invited to present at major security conferences. He also has written security-focused books and articles for industry publications – recently he co-authored the “Cloud Computing Protected”.

Jan was closely involved in the creation of the HP Cloud Protection Reference Architecture (CP RA). This is the HP Technology Services Consulting framework for helping organizations secure hybrid cloud solutions. The reference architecture addresses cloud security holistically by taking into account an organization’s business, functional, technical and implementation cloud security needs and by including the correct people, policy, process, procedure, product as well people controls in the cloud security solution. The CSA cloud security best practices (that are reflected in both the CSA collateral and the CCSK certification) are one of the fundamental building blocks that underpin the HP CP RA. Jan significantly benefited from both the CSA collateral and his CCSK certification while he was building the CP RA and he continuous to take advantage of them in his ongoing customer cloud security engagements.

Avani Desai

Executive Vice President, Schellman & Company, Inc.

Avani Desai is a Principal and the Executive Vice President at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance, and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations.

Lauren Edmonds

Senior Manager, Schellman & Company, Inc.

Lauren Edmonds is a Senior Manager at Schellman & Company, Inc.. Prior to joining Schellman, Lauren was a technology risk consultant for Protiviti, Inc., evaluating and assessing global corporations IT control environments and business processes relative to Sarbanes-Oxley compliance. In addition, she has internal audit experience in network security, revenue recognition, IT general controls, and systems development life cycle methodologies. Through the various audits performed, Lauren has evaluated risks and controls for a number of industries including financial services, manufacturing, marketing, distribution and service-based organizations.

David Gibbs

Chief Technologist, Military Healthcare for HP Enterprise Services, US Public Sector

David Gibbs, CCSK, CISSP, is responsible for the development and execution of strategic and innovative technology initiatives for HP and clients. He maintains roadmaps and innovation agendas, leads research and development efforts, and continually assesses technology capabilities to guide optimized solutions for military healthcare clients.

With over 25 years’ experience, David delivers thought leadership, facilitates understanding and collaboration, and is a catalyst for innovative solutions. For the past decade, David envisioned and architected secure and effective enterprise-level information technology solutions to enable improved delivery of healthcare. He contributed directly to client projects applying his expertise with information security, enterprise architecture, directory services, federated identity management, enterprise management, messaging, and mobile computing.

Recognizing the growing interest in cloud computing among his customers and knowing the level of security required for military and healthcare systems, David completed the Certificate in Cloud Security Knowledge (CCSK) offered by the Cloud Security Alliance. The practical information acquired from the CCSK body of knowledge strengthened David’s understanding of cloud security and empowers him to collaborate effectively with customers and colleagues to evaluate and develop secure cloud computing solutions.

An educator and technologist, David participates in professional and academic activities that bridge computer science, health information technology, and adult education. He enjoys helping people think, understand, construct knowledge, solve problems, and make informed decisions. His passion for teaching has been fueled throughout his career by facilitating formal and informal learning, including delivery of hundreds of information technology certification workshops and also teaching undergraduate courses for two years as a part-time faculty member in a university computer science department.

David maintains a variety of industry certifications and professional memberships relevant to his work with information security and healthcare information technology. His academic preparation includes a Bachelor of Science in Computer Science from East Tennessee State University followed by a Master of Science in Education from California State University – East Bay. David is currently writing a dissertation related to information systems requirements elicitation as he completes a Ph.D. in Adult, Professional, and Community Education at Texas State University.

Stephen Halbrook II

Senior Manager, Schellman & Company, Inc.

Stephen Halbrook is a Senior Manager at Schellman & Company, Inc. Stephen is a FedRAMP and FISMA practice leader and assists with service delivery across all service lines including SOC, PCI-DSS, ISO, FedRAMP, FISMA and HIPAA services. Stephen also helps assist large and complex organizations that have multiple compliances needs helping them strategically align their efforts to maximize cost and efficiencies. He has more than 12 years of experience performing attestation and compliance examinations. Prior to Schellman he was with Deloitte’s Audit and Enterprise Risk Services group.

Meet the Early Adopters

Developed by two leading non-profits focused on cloud and information security, the Cloud Security Alliance (CSA) and (ISC)², the Certified Cloud Security Professional (CCSP) credential denotes professionals with deep-seated knowledge and competency derived from hands-on experience with cyber, information, software and cloud computing infrastructure security. CCSPs help achieve the highest standard for cloud security expertise and enable organizations to benefit from the power of cloud computing while keeping sensitive data secure.

The CCSP credential is designed for experienced information security professionals with at least five years of full-time IT experience, including three years of information security and at least one year of cloud security experience. The CCSP credential is suitable for mid-level to advanced professionals involved with IT architecture, web and cloud security engineering, information security, governance, risk and compliance, and even IT auditing.

The CCSP exam, administered at Pearson Vue Testing Centers across the globe, tests competence in the six CCSP domains of the (ISC)² CBK (Common Body of Knowledge). Candidates have 4 hours to complete 125 multiple choice questions with a score of 700 or better out of 1000 to pass. The six domains covered on the exam are:

• Architectural Concepts & Design Requirements
• Cloud Data Security
• Cloud Platform & Infrastructure Security
• Cloud Application Security
• Operations
• Legal & Compliance

Learn more about the CCSP credential and its training opportunities:

Visit the (ISC)² Website