CSA Certificate of Cloud Security Knowledge

Jose Malacara

Unless you’ve been living under a rock for the last couple of years, you’ve probably heard many companies touting the benefits of cloud computing ad nauseam. These days it seems like everyone has gone nebulous and jump on the cloud computing bandwagon.  While services like Gmail, Netflix and Salesforce.com have become household names, how do we as industry professionals sort through the buzz and distinguish true cloud players from those who are just blowing smoke? The Cloud Security Alliance (CSA) may have the answer.

 

In September of 2010, the CSA announced the availability of its Certificate of Cloud Security Knowledge, or CCSK, certification. More and more organizations are looking to take advantage of cloud computing in order to lower costs, simplify IT infrastructure, fast-track application development or lower their carbon footprint. The certification aims to raise awareness of cloud computing and the implementation of best practices.

 

Organizations must do their homework before migrating to the cloud in order to become familiar with terms like “elasticity”, “multitenancy” and “virtualization”. Organizations must be able to distinguish between the difference service models like SaaS, PaaS and IaaS in relation to their business requirements prior to selecting a cloud service provider.  Passing the CCSK demonstrates an advanced understanding of a broad range of cloud computing topics. The exam material is comprised of material covered in two documents: the CSA's "Security Guidance for Critical Areas of Focus in Cloud Computing V2.1" and the European Network and Information Security Agency (ENISA) report “Cloud Computing: Benefits, Risks and Recommendations for Information Security.”

 

The CSA guidance outlines 13 domains of key focus:

• Domain 1: Cloud Computing Architectural Framework
• Domain 2: Governance and Enterprise Risk Management
• Domain 3: Legal and Electronic Discovery
• Domain 4: Compliance and Audit
• Domain 5: Information Lifecycle Management
• Domain 6: Portability and Interoperability
• Domain7: Traditional Security, Business Continuity, and Disaster Recovery
• Domain8: Data Center Operations
• Domain9: Incident Response, Notification, and Remediation
• Domain10: Application Security
• Domain11: Encryption and Key Management
• Domain12: Identity and Access Management
• Domain13: Virtualization

 

The ENISA report primarily covers areas of security and applied knowledge:

• Security benefits of cloud
• Risks R.1 – R.35 and underlying vulnerabilities
• Information assurance framework
• Division of liabilities Key legal issues
• Classify popular cloud providers into S-P-I model
• Redundancy
• Securing popular cloud services
• Vulnerability assessment considerations
• Practical encryption use cases

 

Together, the CSA Guidance and ENSIA documents make up the primary study guides for preparing for the CCSK.

 

The exam is administered online and participants are given 60 minutes to answer 50 multiple-choice questions. The cost is $295 and that buys you two test tokens, or attempts, to pass the test.

 

As organizations migrate into the cloud, it is critical for those of us working in the industry to understand the architecture, security and deployment considerations of cloud computing. I myself have signed up for the exam, so stay tuned for my follow-up post about my experience with the CCSK. Wish me luck!