Cloud Computing Security Knowledge

A practical, course-based approach from the Cloud Security Alliance. Why you should do it and how best to go about it. Fujitsu information security specialist Gurbir Singh discusses your options.

If you have been working in the information security field, already hold certifications such as CISSP and CISM, and now want to understand the security challenges associated with Cloud Computing, which certification should you go for? The Cloud Computing Security Knowledge (CCSK) from the Cloud Security Alliance is arguably the leading market contender.

Origins

On September 1st 2010, a year after it was founded, the Cloud Security Alliance (CSA) announced the Cloud Computing Security Knowledge (CCSK), a Cloud Computing course “aimed at promoting secure cloud computing for all”. Three years on, it is fast becoming the industry leader as a vendor-neutral certificate in Cloud Computing security. If you are already a seasoned member of the information security community you can complete it via self-study and sit the test at your desk at home at any time of the day or night.

The key players associated with Cloud Computing, like HP, Amazon, Microsoft, IBM and VMware, have certification programs for their respective cloud technology products and systems. Today even postgraduate courses in Cloud Computing are becoming available in the UK (Sheffield, Aberdeen and Cork), Australia and India, some with a specific focus on security.

The CCSK course is different. Its target is the global community of information security professionals. Who has helped to put it together? The global information security community. Agreement on service and delivery models and definitions is finally becoming established, and only a global, vendor-neutral approach can provide the momentum required to achieve this international consensus.

The goal of the CCSK course is to help “organizations around the world make informed decisions regarding if, when, and how they will adopt Cloud Computing services and technologies”. The course is designed to provide professionals with Cloud Computing responsibilities with the knowledge, and the ability to demonstrate understanding, of security threats and industry best practices for secure Cloud Computing.

Why choose CCSK?

CCSK is not the only course focusing on Cloud Computing security, but none of the others, such as CompTIA, CloudU and the numerous vendor-specific courses, shares its scale of support from the global Cloud Computing industry. The course content and design are the product of input from numerous industry experts from organisations and corporations that are shaping the developing global Cloud Computing environment. Although still in its early days, CCSK has arguably established a clear lead in international recognition.

Structure

In principle the approach is simple. Study the material and then complete an online test. The hour-long test consists of 50 multiple-choice questions, mostly with five options (A-E) and a couple of True or False. Get 40 or more correct and you pass. For $295 USD you get two shots at the test; the second attempt is only available if you fail the first.
There are two ways to complete the course – self-study or a one-day or two-day tutor-led course. I won’t discuss the tutor-led courses here, but note that a schedule of courses available around the world is online at the CSA website, and there are others, operated by approved trainers, that are not listed there.

The CCSK course is based on the content of two key documents: one from the US-based Cloud Security Alliance, the other from the European Network and Information Security Agency (ENISA), which has its headquarters on the Greek holiday island of Crete.

  • Cloud Computing: Benefits, Risks and Recommendations for Information Security

Although studying these documents is essential, they alone may not be sufficient for a successful test outcome. The references section at the end of the CSA document lists additional useful documents and websites. Others that I found particularly useful include:

The fifty questions in the test are split into three broad categories:

  • 70% CSA Guidance
  • 20% ENISA
  • 10% Applied knowledge related to the best practices in both documents

It is possible to consult the documents during the test, but with the clock running you have only 72 seconds per question (60 minutes for 50 questions).

Although search-and-find can help in some instances, the wording of the questions is not sympathetic to this approach. A detailed familiarity with the content of the two key documents is crucial.

The CSA document divides its contents into thirteen separate domains and organises them into three sections. Section one contains just a single domain, “Cloud Architecture”. Section two, “Governing the Cloud”, includes the five domains dealing with strategic and policy issues. The remaining domains are included in section three, “Operating the Cloud”, and focus on the tactical security concerns of Cloud Computing architecture.

The ENISA document is a detailed risk assessment in the context of a Cloud Computing architecture. Its content came from groups, organisations and individuals from industry, government and academia, selected for their expertise in the subject area.

Best Approach?

Completing the CCSK test is not easy. Writing in the summer of 2011, Jim Reavis, executive director of the Cloud Security Alliance, reported (“Cloud Security Certification Not So Simple”) the surprising statistic that only 53% of candidates had passed.

How easy or difficult the candidate finds the test depends on the unique circumstances of the candidate. If Cloud Computing security is your thing and you are looking for an industry-recognised and respected qualification, CCSK could be for you. It is not for absolute beginners. If you have a few years of InfoSec experience and are able to self-study, here are some steps, in sequence, which should help.

1. Use social media (Twitter, Facebook, LinkedIn groups, blogs and podcasts) to keep abreast of cloud security issues.

2. Consciously interact with the cloud. Make regular use of one or more of the following: SkyDrive, iCloud, Dropbox, Google Apps or any of the growing list of similar applications.

3. Set up free accounts on, for example, Amazon Web Services and use its Simple Storage Service (S3) and Elastic Compute Cloud (EC2). If, like me, you are a fan of open source, try CloudStack instead of Amazon.

4. A high-quality, free cloud security course called CloudU has been developed by Ben Kepes, an internationally recognised commentator on Cloud Computing (who also happens to be a farmer from the South Island of New Zealand). Although CloudU is made available under the auspices of Rackspace, it is a vendor-neutral Cloud Computing course focusing on security. To attain the certificate you work through a series of ten lessons/white papers, each followed by a ten-question quiz, and then a final quiz of fifty questions randomly chosen from all ten lessons. The pass mark is 80% in every case and, should you not be successful, you simply try again.

5. Preparation for the CCSK course depends so much on your experience that there can be no single approach. Familiarity with the contents of the two key documents and some of the others listed above is crucial. Depending on your personal history you will find the content of some domains so obvious that you will choose to skip them.

During the test I found domains 1, 5 and 6 of the CSA document and the ENISA element, along with the applied knowledge from both, to be a popular source of questions.

Work in Progress?

The IT industry is, perhaps more than any other, under constant change. Version 2.1 of the CSA document, completed in 2009, was the product of nearly one hundred contributors. Invariably, that came through in the differing writing styles, presentation and emphasis. Occasional typos, formatting inconsistencies and the poor quality of some of the diagrams illustrated the haste under which it was completed. Version 3.0 was published in 2011, but remarkably the CSA website guides prospective CCSK candidates to continue using version 2.1.

The ENISA document, “Benefits, risks and recommendations for information security”, is now also dated; it was first published in 2009. It may have been a contrived marriage linking the commercial and InfoSec communities on both sides of the Atlantic, but a necessary one to attain global authority, respect and recognition.

The Future

In establishing the CCSK certification, the CSA has brought together numerous organisations, corporations and individuals. If CCSK is to continue to have the international standing envisaged back in 2009, it should replace version 2.1 of the guidance with 3.0, update or replace the ENISA contribution, and incorporate contributions from those countries where huge innovation and adoption of Cloud Computing is currently taking place, including Asia and China.

It should also shake off the concerns associated with “open book” tests by introducing the rigour and tradition of tests in a controlled environment. That will inevitably have a detrimental impact on cost and convenience for future candidates, but it will lead to an enhanced reputation and wider adoption within the industry.