The Cloud Security Alliance (CSA) is a U.S. Federal 501(c)(6) not-for-profit, vendor-independent organization that was formed in late 2008 and now has over 48,000 members. The Cloud Security Alliance aims to educate and promote the use of best practices for providing security assurance within cloud computing. The CSA’s official mission is to “promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing”.
The CSA created the “Security Guidance for Critical Areas of Focus in Cloud Computing” document, and the current version is 3.0. This document helps organizations understand the domains they need to focus on to securely adopt cloud services. The CSA also created the Cloud Controls Matrix (CCM). This complementary spreadsheet lists the important standards, regulations and control frameworks and maps them to the CSA’s security domains.
The CSA also created the Certificate of Cloud Security Knowledge (CCSK). This vendor-independent certification validates that a security practitioner has a solid understanding of cloud security concepts and the CSA’s cloud security domains. The required reading for this certification includes:
You can study online leveraging the free resources listed above, or you can take one of the variety of training classes offered by the CSA and their partners. Official CCSK Training Classes are available (HP Education Services), which include the CCSK Foundation (2 days) and the CCSK Plus (3 days). Udemy also offers a very economical way to prepare for the CCSK with their “Understand the CCSK Cloud Security Certification” online class.
The CCSK certification exam is an online, open-book exam that costs $345. The exam has 60 questions, takes up to 90 minutes to complete, and you must score 80% or higher to pass; you get two attempts at passing.
The Cloud Security Alliance (CSA) then formed the Security, Trust and Assurance Registry (STAR) accreditation for cloud service providers. The CSA STAR certification uses the CSA’s Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ) to review a service provider’s offerings against these domains and best practices.
The first level (Level One) is the introductory CSA STAR Self-Assessment. The second level (Level Two) has three certifications: CSA STAR Attestation, CSA STAR Certification, and CSA C-STAR Assessment. The third and highest level (Level Three) is the CSA STAR Continuous Monitoring. You can see the STAR registry of service providers that have performed these assurance assessments.
In 2015, the International Information System Security Certification Consortium, Inc., (ISC)2 created their Certified Cloud Security Professional (CCSP) training and certification program. The CCSP Common Body of Knowledge (CBK) consists of six domains: Architectural Concepts & Design Requirements, Cloud Data Security, Cloud Platform & Infrastructure Security, Cloud Application Security, Operations, and Legal & Compliance.
Along with the information about these six domains, (ISC)2 also recommends reading the U.S. NIST documents, the CSA’s CCM, and the ENISA whitepaper (similar to the CSA documents mentioned above). In addition to these, the CCSP also draws on material from ISO/IEC 17788:2014 Information technology - Cloud computing - Overview and vocabulary, and ISO/IEC 17789:2014 Information technology - Cloud computing - Reference architecture.
There are several options for CCSP training. (ISC)2 offers a Live In-Person CBK Training Class, which includes 5 days of training for $1995. (ISC)2 also offers a Live On-Line CBK Training Class, which includes 5 days of training for $1395, and an On-Demand On-Line CBK Training for $495 ($395 for current CISSPs). I highly recommend the (ISC)2 Certified Cloud Security Professional (CCSP) On-Demand class taught by Adam Gordon. The training is comprehensive, and you can consume it at your leisure around a busy schedule.
At the end of last year (November 2015), Adam Gordon wrote “The Official (ISC)2 Guide to the CCSP CBK” (ISBN-10: 1119207495, ISBN-13: 978-1119207498, 560 pages, $80 list price). The (ISC)2 also offers Free Flash Cards On-Line (but these seem to be just terms and definitions).
The CCSP exam is scheduled through Pearson VUE. The exam takes up to 4 hours to complete and contains 125 questions; you must score at least 700 out of 1000 points, and the exam costs $549.
SANS has offered, and continues to offer, the best security training available in the market. SANS has now created a cloud security class that is offered at many of their events as a 2-day in-person or online/self-study class. The SANS class is listed as “SEC524: Cloud Security Fundamentals”. The SANS SEC524 in-person class costs $2130 (list price), but this can be reduced to $1350 when you register for it in addition to another 4- to 6-day SANS class. The SEC524 class is also offered online for $2130 and provides course materials and MP3 audio files of the complete course lecture.
The Day 1 curriculum contains information on: Introduction to Cloud Computing, Security Challenges in the Cloud, Infrastructure Security in the Cloud, Policy and Governance for Cloud Computing, Compliance and Legal Considerations, and Disaster Recovery and Business Continuity Planning in the Cloud. The Day 2 curriculum contains information on: Risk, Audit, and Assessment for the Cloud, Data Security in the Cloud, Identity and Access Management (IAM), and Intrusion Detection and Incident Response.
Cloud security has continued to evolve, and there are now training and certification options available from vendor-independent organizations. Being proactive with your cloud security is much better than being reactive. It would behoove your organization to digest these cloud security concepts before embarking on design and then deployment. Alternatively, if your organization has already deployed applications into the cloud and is consuming cloud services, then you can use these domains of knowledge and best practices to assess where you stand. However, if you find gaps in your current cloud security settings, configurations, practices and procedures, you will have a more difficult time performing a course correction while services are already deployed.