I came across this certification a couple of months ago, and it seemed interesting. The startup I'm working for focuses on cloud security, plus the cert is backed by the CSA, so it looked really useful. I'm not one to get a new cert just to add letters to my resume (otherwise I would've gotten a CEH!), but if I can learn new skills and topics then that's what I'm concerned with. Given that this certification is so new, having it on a resume probably won't help pass an HR screen (a search of Monster and Dice returned no job mentioning a CCSK), but I was hopeful that the stuff I learned for the CCSK might be beneficial for the technical portion of an interview. Plus it seemed relatively simple to achieve for a few reasons:
1. The certification exam questions come entirely from 2 freely available documents; there is no need to pay for an expensive class to get the material.
2. The exam only costs $295 and the voucher doesn't expire. You can pay for it now and take it in a year.
3. The exam can be taken from home; there is no need to go to a testing center.
4. You get two chances to take the exam: if you fail the first time, you can take it again without having to pay an additional fee.
Now on to the material.
The CCSK certification tests knowledge from 2 documents, the first of which is this:
A 76-page document written by the CSA which presents the 13 domains tested by the certification. The first "domain" is really just an overview of cloud computing which provides some useful material, such as characteristics of cloud computing and the differences between public and private clouds. While useful, the standard Wikipedia article on cloud computing is easier to understand and is more thorough. If you didn't know what cloud computing was before reading this, I doubt you'd fully understand it after.
The remaining 12 domains are:
1. Governance and enterprise risk management
2. Legal and electronic discovery
3. Compliance and audit
4. Information lifecycle management
5. Portability and interoperability
6. Traditional security, business continuity and disaster recovery
7. Data center operations
8. Incident response, notification and remediation
9. Application security
10. Encryption and key management
11. Identity and access management
I won't discuss each domain, but each section basically breaks down like this: a sentence or two about the security risks associated with a given domain, followed by a little discussion of how the security risks are greater for cloud computing than for a typical environment. Lastly, bullet-point recommendations are given to help resolve/reduce the security concerns. Note: all recommendations given are for businesses that are shopping around for a cloud service provider. THIS CERTIFICATION DOES NOT PROVIDE ANY GUIDELINES FOR SECURING YOUR OWN CLOUD INFRASTRUCTURE. After going through the material, I now think about it as sort of a buyer's guide for organizations looking to use cloud services.
Bottom line: Are the recommendations useful? Yes, there are suggestions like "ensure that an organization has the right to audit their cloud service provider" or "make sure that the VM images given by the provider are trusted." And then there are various recommendations that state "Make sure you put [SOME CLAUSE] in the contract." These are all important and should definitely be considered when choosing a cloud provider. But honestly, making sure things are in the contract and the right to audit should typically always be considered when using any third-party service. It seems like the majority of these recommendations, while useful, are not specific to cloud computing. While there are a few that pertain to cloud computing, such as "make sure you have the right to perform a vulnerability assessment on your applications hosted by the cloud provider", these seem to be in the minority. And I understand that not everything should be cloud-specific, I was just assuming/hoping that there would be more emphasis on cloud computing-specific issues.
The second document for the CCSK is the following:
A 125-page document written by the European Network and Information Security Agency (ENISA). I have not read this document yet. Apparently only 10% of the CCSK certification exam comes from this document (probably because the CSA wrote the first document and they're the ones offering the certification!). Most of the people I found on the Internet who earned this cert didn't really read this and were still able to pass. Browsing through it, it seems similar to the first document, although honestly, it looks to be organized in a better manner than the first, which leads me to believe there might be less repetition. If I ever decide to take the exam, I'll definitely go through this to see what I can learn even though I probably won't be tested on it.
I have not taken the exam. While I did learn some useful things, I don't necessarily believe I learned enough to justify earning a certification. Still, for those interested, here is information on the test:
1. 50 multiple choice questions with a 1-hour time limit
2. Need 80% to pass, can retake it once for free, so 2 chances to pass
3. 70% of the exam is on the CSA document, 20% on the ENISA, and 10% on applied knowledge from material on both
4. You can use the PDFs during the exam
So did I learn something? Yes. Did I learn about cloud security issues? Yes, but only in terms of security policy issues that occur when a business uses a cloud provider, and because of that, a lot of the material seems as if it would apply to a business using any sort of third-party provider/contractor. So the information is definitely useful, but (in my opinion) not very cloud-specific. That, combined with a lot of repetition, left me feeling that cloud security was unfortunately not the focus of the material.
If anyone wants to go through the material, I would suggest reading the first domain of the CSA document, and then just the opening paragraphs of the subsequent domains without the recommendations. This way you might get the feeling that it's actually a guide for cloud security policy, instead of just a buyer's guide for businesses interested in cloud computing.
Pros:
1. Simple, straightforward material that is freely available
2. Useful information in regards to the security policy implications a business faces when using a cloud service provider
3. Gives some useful policy recommendations that can apply to a number of areas, not just cloud computing
4. Test is cheap, can be taken from home, and you get two chances to pass
Cons:
2. Some material (in particular many of the policy recommendations) is not very cloud-specific
3. Structure of the material seems to put more emphasis on the recommendations, which (in my opinion) can make it feel more like a "cloud computing buyer's guide" as opposed to a security certification
4. Non-technical, policy-only certification (which I suppose could be a plus depending on your interests)
5. No information for a cloud service provider that wants to secure their own cloud infrastructure
6. New, so no job listings mention it
I hope this review is useful; let me know if anyone has any questions.