Certificate of Cloud Security Knowledge (CCSK) Review

Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Tue Dec 13, 2011 3:10 pm

Certificate of Cloud Security Knowledge (CCSK) Review

I decided to write a review of the material I went through for the Certificate of Cloud Security Knowledge (CCSK) offered by the Cloud Security Alliance (CSA).  This is not a complete review, as I have not gone through all the material, nor have I taken the exam.  When I first learned of this certification a few months ago, I couldn't find much (useful) information on it, so I decided to post a review for anyone else who might be curious.  Also, this is my first review, so I'm sorry if it sucks ;)  More information on the CCSK can be found here:

https://cloudsecurityalliance.org/education/certificate-of-cloud-security-knowledge/

I came across this certification a couple of months ago, and it seemed interesting.  The startup I'm working for focuses on cloud security, plus the cert is backed by the CSA, so it looked really useful.  I'm not one to get a new cert just to add letters to my resume (otherwise I would've gotten a CEH!), but if I can learn new skills and topics then that's what I'm concerned with.  Given that this certification is so new, having it on a resume probably won't help pass an HR screen (a search of Monster and Dice returned no job mentioning a CCSK), but I was hopeful that the stuff I learned for the CCSK might be beneficial for the technical portion of an interview.  Plus it seemed relatively simple to achieve for a few reasons:

1. The certification exam questions come entirely from 2 freely available documents, no need to pay for an expensive class to get the material.
2. The exam only costs $295 and the voucher doesn't expire.  You can pay for it now and take it in a year.
3. The exam can be taken from home, no need to go to a testing center.
4. You get two chances to take the exam, if you fail the first time, you can take it again without having to pay an additional fee.

Now on to the material.

The CCSK certification tests knowledge from 2 documents, the first of which is this:

http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf

A 76-page document written by the CSA which presents the 13 domains tested by the certification.  The first "domain" is really just an overview of cloud computing which provides some useful material, such as characteristics of cloud computing and the differences between public and private clouds.  While useful, the standard Wikipedia article on cloud computing is easier to understand and is more thorough.  If you didn't know what cloud computing was before reading this, I doubt you'd fully understand it after.

The remaining 12 domains are:
1. Governance and enterprise risk management
2. Legal and electronic discovery
3. Compliance and audit
4. Information lifecycle management
5. Portability and interoperability
6. Traditional security, business continuity and disaster recovery
7. Data center operations
8. Incident response, notification and remediation
9. Application security
10. Encryption and key management
11. Identity and access management
12. Virtualization

I won't discuss each domain, but each section basically breaks down like this: A sentence or two about the security risks associated with a given domain, followed by a little discussion of how the security risks are greater for cloud computing than a typical environment.  Lastly bullet-point recommendations are given to help resolve/reduce the security concerns.  Note: All recommendations given are for businesses who are shopping around for a cloud service provider.  THIS CERTIFICATION DOES NOT PROVIDE ANY GUIDELINES FOR SECURING YOUR OWN CLOUD INFRASTRUCTURE.  After going through the material, I now think about it as sort of a buyer's guide for organizations looking to use cloud services.

Bottom line: Are the recommendations useful?  Yes, there are suggestions like "ensure that an organization has the right to audit their cloud service provider" or "make sure that the VM images given by the provider are trusted."  And then there are various recommendations that state "Make sure you put [SOME CLAUSE] in the contract."  These are all important and should definitely be considered when choosing a cloud provider.  But honestly, making sure things are in the contract and the right to audit should typically always be considered when using any third-party service.  It seems like the majority of these recommendations, while useful, are not specific to cloud computing.  While there are a few that pertain to cloud computing, such as "make sure you have the right to perform a vulnerability assessment on your applications hosted by the cloud provider", these seem to be in the minority.  And I understand that not everything should be cloud-specific, I was just assuming/hoping that there would be more emphasis on cloud computing-specific issues.

The second document for the CCSK is the following:

http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment

A 125-page document written by the European Network and Information Security Agency (ENISA). I have not read this document yet.  Apparently only 10% of the CCSK certification exam comes from this document (Probably because the CSA wrote the first document and they're the ones offering the certification!)  Most of the people I found on the Internet who earned this cert didn't really read this and were still able to pass.  Browsing through it, it seems similar to the first document, although honestly, it looks to be organized in a better manner than the first, which leads me to believe there might be less repetition.  If I ever decide to take the exam, I'll definitely go through this to see what I can learn even though I probably won't be tested on it.

The Exam
I have not taken the exam.  While I did learn some useful things, I don't necessarily believe I learned enough to justify earning a certification.  Still for those interested, here is information on the test:

1. 50 multiple choice questions with a 1-hour time limit
2. Need 80% to pass, can retake it once for free, so 2 chances to pass
3. 70% of the exam is on the CSA document, 20% on the ENISA, and 10% on applied knowledge from material on both
4. You can use the PDFs during the exam

Summary
So did I learn something?  Yes.  Did I learn about cloud security issues?  Yes, but only in terms of security policy issues that occur when a business uses a cloud provider, and because of that, a lot of the material seems as if it would apply to a business using any sort of third-party provider/contractor.  So the information is definitely useful, but (in my opinion) not very cloud-specific.  That, combined with a lot of repetition, left me feeling that cloud security was unfortunately not the focus of the material.

If anyone wants to go through the material, I would suggest reading the first domain of the CSA document, and then just the opening paragraphs of the subsequent domains without the recommendations.  This way you might get the feeling that it's actually a guide for cloud security policy, instead of just a buyer's guide for businesses interested in cloud computing.

Pros:
1. Simple, straightforward material that is freely available
2. Useful information in regards to the security policy implications a business faces when using a cloud service provider
3. Gives some useful policy recommendations that can apply to a number of areas, not just cloud computing
4. Test is cheap, can be taken from home, and you get two chances to pass

Cons:
1. Repetitive
2. Some material (in particular many of the policy recommendations) is not very cloud-specific
3. Structure of the material seems to put more emphasis on the recommendations, which (in my opinion), can make it feel more like a "cloud computing buyer's guide" as opposed to a security certification
4. Non-technical, policy-only certification (which I suppose could be a plus depending on your interests)
5. No information for a cloud service provider that wants to secure their own cloud infrastructure
6. New, so no jobs listings mention it

References:
https://cloudsecurityalliance.org/education/certificate-of-cloud-security-knowledge/
http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
https://cloudsecurityalliance.org/CCSK-prep.pdf

I hope this review is useful, let me know if anyone has any questions.
Sec+, eCPPT

Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Wed Dec 14, 2011 6:57 pm

Re: Certificate of Cloud Security Knowledge (CCSK) Review

Wow, nothing?  I'll make sure to pick a more interesting topic to review next time  :)
Sec+, eCPPT

eth3real

Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Wed Dec 14, 2011 7:25 pm

Re: Certificate of Cloud Security Knowledge (CCSK) Review

tl;dr. :P

Seriously, nice review. I love their exam policy: free courseware, voucher never expires, take it at home, and try again free if you fail! We need to find more certifications like this! ;D
Put that in your pipe and grep it!

Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Thu Dec 15, 2011 12:52 am

Re: Certificate of Cloud Security Knowledge (CCSK) Review

If only the material were superb and/or a lot of jobs required the certification!

But I'll let you know if I find any more certs like this!
Sec+, eCPPT

millwalll

Post Thu Dec 15, 2011 5:25 am

Re: Certificate of Cloud Security Knowledge (CCSK) Review

Cool review, first time I have heard of this course too. Was it expensive to take the course? Was there any fee involved?

lorddicranius

Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Thu Dec 15, 2011 12:03 pm

Re: Certificate of Cloud Security Knowledge (CCSK) Review

I had come across this certification a little while back, but didn't look into it too much myself.  Thanks for the review.
GSEC, eCPPT, Sec+

Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Thu Dec 15, 2011 1:00 pm

Re: Certificate of Cloud Security Knowledge (CCSK) Review

Jamie.R wrote: Cool review, first time I have heard of this course too. Was it expensive to take the course? Was there any fee involved?

Nope, the material is free; the test costs $295.  I think there is also a 2-day training course that costs money, but I don't know why you'd take it.
Sec+, eCPPT

millwalll

Post Thu Dec 15, 2011 4:49 pm

Re: Certificate of Cloud Security Knowledge (CCSK) Review

Cool, thanks for the info.

Haz3

Newbie

Posts: 5

Joined: Thu May 26, 2011 4:11 pm

Post Sun Dec 18, 2011 5:41 am

Re: Certificate of Cloud Security Knowledge (CCSK) Review

Great write-up thanks!

I've been interested in the CCSK, but until I see a job advert asking for it, is the exam worth the money?  ???

Please keep us updated if you decide to go for the exam.
CISA CISSP
