With My Head in the Clouds: Preparing for the CCSK

The CCSK (Certificate of Cloud Security Knowledge) has rapidly become one of the most valuable cloud certifications — likely even the most valuable cloud certification — and for good reason. Following the accelerating industry adoption of the cloud, the need for responsible and secure implementation of that technology is increasingly critical. As a result, the demand for individuals certified in this body of knowledge will undoubtedly be on the rise for quite some time. So, how do you prepare for this valuable certification and how likely is it that you’ll pass the exam?

Well, the first bit of advice that I have to offer is not to get overconfident. The CCSK exam is not an easy test to pass. Though it has only 60 questions that you have to answer in 90 minutes, the answers are anything but obvious. In fact, the pass rate in 2011 was only 53% (I’m not sure why I haven’t found more recent stats). I’ve seen some claims that people who study the material on their own have only a 50% pass rate while those who engage in formal training have a pass rate greater than 90%. Though I might not have expected such a wide disparity between those who study on their own and those who take formal classes, these figures don’t entirely surprise me. The material is far more broad and much more demanding than I was expecting. And, speaking of formal training … OK, I’ll get to that in a minute.

The good news is that the test is online, available 24 hours a day, and (obviously) open book. But don’t let that 90 seconds per question stat and the fact that you can have a stack of books and papers by your side lead you to believe that you’ll breeze through this particular exam. To give you some background, 92% of the questions are based on the CSA Guidance and the other 8% are based on the ENISA report. These documents are available at these locations:

CSA Guidance

ENISA report

So what is the CSA?

CSA, the Cloud Security Alliance, is an international organization that came together to define and popularize best practices in cloud computing. It brings together corporations, government, industry security practitioners, education, research, etc. to work toward trusted cloud environments. It launched the CCSK — the first cloud security user certification — in 2010.

What is ENISA?

ENISA, the European Union Agency for Network and Information Security, is a European group whose purpose is to enhance the cyber security prevention work and capability of the European Union and its member states to respond to network and information security challenges.

Getting Up to Speed

To get myself well steeped in CCSK concepts, terminology, and know-how, I recently took an online class (actually two back-to-back online classes) with an organization called Intrinsec. The first of these classes focused on the CCSK exam while the other addressed auditing and compliance. Both classes were far better than I ever imagined they might be and the instructor — Graham Thompson — added considerable value to the material presented by adding his own insights and perspectives. He also provided a wealth of additional resources to help the class prepare for the test and to get us on the best footing when we move to acquire and then manage cloud technology. And, as a nice bonus, the first of the two classes provides two opportunities to take the CCSK exam (i.e., the class comes with exam tokens). If that isn’t enough, additional tries will run you $345 a shot.

Some of the highlights of the CCSK class that really hit home for me included:

1) getting a concrete understanding of the responsibilities of both the vendor provider and the purchaser of cloud technology. This changes dramatically depending on whether you are purchasing a “software as a service” (SaaS) offering (involving the least responsibility on your part), “infrastructure as a service” (involving the most responsibility on your part), or platform as a service (PaaS). 2) picking up tips for avoiding vendor lock-in. When moving to cloud services, you should try to keep yourself in a position from which your can “grab your stuff and run” to another vendor if ever you need to. Depending on the technology you select, this can be easy or nearly impossible. 3) understanding what you will be paying for and how to reduce costs (e.g., if you shut services down when you’re not using them). 4) learning how to protect your services and your data when they’re in the cloud.

And that isn’t even close to being an exhaustive list of what the class covered. In the three days, the class moved through all of these areas:

• Introduction to Cloud Computing — along with benefits, definitions, essential characteristics, how to think about multi-tenancy, etc.
• Infrastructure Security for Cloud — components, implications, how to secure a public cloud, risk analysis
• Managing Cloud Security and Risk — encrypting volumes, management plane security, securing virtual hosts, APIs and security, making risk decisions
• How to evaluate providers — what you can demand, what you can only hope for, supplier assessments
• Legal responsibilities (providers, customers, end users), questions of jurisdiction, contracts
• Privacy considerations
• Audits and compliance, including what to watch out for
• Portability — key considerations
• Incident response in the cloud
• Data Security for cloud computing
• Encryption in the cloud
• Data security tools that you might want to consider
• Data storage vs data in motion issues
• Creating and Securing a Cloud Application
• How IaaS and PaaS work
• Identity and Access Management
• Selecting Cloud Services
• Deploying and Securing a Private Cloud
• Reviewing and Preparing for the exam
• Security as a service (SECaaS)

And I won’t even swear that that’s an exhaustive list. We covered a lot of material in those three days, but still had time to ask questions and get some hands-on with some Amazon EC labs.

Check out the Classes

Refer to CCSK PLUS and Cloud Audit and Compliance for more information on the CCSK prep class and the class on CCSK auditing. Though a full week of intense training can be very demanding, having an excellent instructor, being encouraged to ask as many questions as you can come up with, and being provided with a wealth of resources to use in your follow-up studying can make the investment entirely worthwhile.

Of course, there’s only so much you can absorb in a week. If you haven’t already, you will still need to study the CSA Guidance and the ENISA risk report, but the class will help to bring the material into focus and provide you with a lot of expanded information that will likely prove invaluable as you put your certification to use.

And don’t forget that two chances to take the exam are included in the price along with access to some practice tests.

Wrap-Up

If you’re thinking about moving your Unix (or other) systems to the cloud and want to be well versed both in the technology and what to expect from the cloud providers, this class and this certification might be great investments.