ccsk certificate of cloud computing knowledge - overview

CCSK Overview Teleseminar June 26, 2014 By Dr. Peter HJ van Eijk

Posted on 20-Aug-2015


About me

Dr Peter HJ van Eijk

One of the world's most experienced independent cloud trainers; has delivered training worldwide to hundreds of students

Certified trainer for CSA “Certificate of Cloud Security Knowledge” (CCSK)

Author of "Cloud Business Essentials"

Author and Master Trainer for "CompTIA Cloud Essentials"

Master Trainer for "Virtualization Essentials"

Worked earlier at Deloitte, EDS and the University of Twente (among others)

History of CCSK

• Cloud adoption is unavoidable

• Security is listed as the number 1 obstacle to cloud adoption, and for good reason

• Even though cloud computing is a form of outsourcing, its characteristics have a new and very important impact on the security posture and the management of risks.

• The Cloud Security Alliance (CSA) (founded in 2008) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.

• It is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.

• Membership is free for professionals.

Cloud Security Guidance

• The CSA leads volunteer efforts to produce best practices documents.

• “Security Guidance for Critical Areas of Focus in Cloud Computing V3.0” is the most important document CSA has produced.

• Additionally, ENISA (the EU agency) has produced "Cloud Computing: Benefits, risks and recommendations for information security".

• CCSK tests knowledge of these documents.

CCSK: Certificate of Cloud Security Knowledge

• The CCSK is an examination testing for a broad foundation of knowledge about cloud security, with topics ranging from architecture, governance, compliance, operations, encryption, virtualization and much more.

• CCSK was first released by CSA in 2010

• Thousands of IT and security professionals have obtained the CCSK.

• CCSK is the basis for many consumer/vendor discussions around risk and assurance, and is starting to become required in certain segments

• CIO.com listed CCSK as #1 on the list of Top Ten Cloud Computing Certifications (http://www.cio.com/slideshow/detail/129043#slide2)

Contents of CCSK

• The body of knowledge is divided in 15 domains, which we will briefly introduce in this webinar.

• The exam has questions for each domain.

• The domains overlap and cross-reference at various points, and a significant portion is managerial rather than technical

Domain 1. Cloud Architecture

• Domain 1 introduces the essential characteristics of cloud computing, service and deployment models, largely based on the NIST definitions and the way it changes security responsibilities.

• Sample question (from CSA website): What are the five essential characteristics of cloud computing?

[Figure: diagram of service and deployment models, labelled by who runs each one: "You", "They", "You choose"]

Domain 2. Governance and Enterprise risk

• Domain 2 describes how cloud computing can be embedded in existing governance and risk management, so as to maximally align with business objectives.

• Sample question: The level of attention and scrutiny paid to enterprise risk assessments should be directly related to what?

Domain 3. Legal and Electronic Discovery

• Domain 3 describes how jurisdiction, contract law and other legal requirements play out in the context of cloud computing.

• Sample question: In the majority of data protection laws, when the data is transferred to a third party custodian, who is ultimately responsible for the security of the data?

Domain 4. Compliance and Audit

• Domain 4 elaborates on compliance obligations (such as industry regulations) and how these can be validated by audits.

• Sample question: What is the most important reason for knowing where the cloud service provider will host the data?

Domain 5. Information Management and data security

• Domain 5 gives a number of models to apply to storage technology, as well as data life cycle and ways of controlling information flow across it.

• Sample question: What are the six phases of the data security lifecycle?

Domain 6. Portability and Interoperability

• Domain 6 discusses some considerations around deploying multiple cloud solutions and components.

• Sample question: Why is the size of data sets a consideration in portability between cloud service providers?

Domain 7. Traditional Security, BCM, D/R

• Domain 7 elaborates on traditional data center security, the physical side of cloud computing so to say, including human resources.

• Sample question: What are the four D's of perimeter security?

Domain 8. Data Center Operations

• Domain 8 extends domain 7 by discussing service management.

• Sample question: In which type of environment is it impractical to allow the customer to conduct their own audit, making it important that the data center operators are required to provide auditing for the customers?

Domain 9. Incident Response

• Domain 9 elaborates on the way incident response processes change when IT resources interact in real-time across multiple providers and consumers.

• Sample question: What measures could be taken by the cloud service provider (CSP) that might reduce the occurrence of application level incidents?

Domain 10. Application Security

• Domain 10 discusses risks and control adaptations from the application architecture and implementation perspective.

• Sample question: How should an SDLC be modified to address application security in a Cloud Computing environment?

Domain 11. Encryption and Key Management

• Domain 11 describes multiple encryption use cases in cloud environments, as well as their implications for key management.

• Sample question: What is the most significant reason that customers are advised to maintain in-house key management?

Domain 12. Identity and Access Management

• Domain 12 describes how federated identity and access management will enable secure cloud deployment.

• Sample question: What two types of information will cause additional regulatory issues for all organizations if held as an aspect of an Identity?

Domain 13. Virtualization

• Domain 13 describes the risks that virtualization technology brings.

• Sample question: Why do blind spots occur in a virtualized environment, where network-based security controls may not be able to monitor certain types of traffic?

Domain 14. Security as a Service

• Domain 14 describes opportunities and concerns around using cloud services for implementing security controls.

• Sample question: When deploying Security as a Service in a highly regulated industry or environment, what should both parties agree on in advance and include in the SLA?

ENISA Document

• The ENISA document lists 35 risk categories, mostly cloud related. Some industry regulations specifically refer to these.

• Sample question: Economic Denial of Service (EDOS) refers to ...

Relation with CCM

• The Cloud Controls Matrix is a security and compliance control framework

• Cloud specific, cross-references multiple frameworks, including PCI-DSS, ISO 27001, HIPAA.

• Controls match “Guidance” recommendations closely

• Basis for STAR certification of providers

The CCSK exam

• The CCSK examination is a timed, multiple choice examination you take online. The examination consists of 60 multiple choice questions selected randomly from our question pool, and must be completed within 90 minutes. A participant must correctly answer 80% of the questions to receive a passing score. Because the exam is online, it is open book.

• You get two tries

Studying for CCSK

• Study the documents

• Learn to search them

• There are only a few sample questions out there

• Consider taking a course; most attendants pass the test

• For practical background:

– Visit http://www.clubcloudcomputing.com

– Subscribe to the membership site.

What do you need to get CCSK certification?

Please use chat box now.

QUESTIONS?

Thank you for your attention

www.clubcloudcomputing.com

For more information and class schedules