More and more enterprise organizations are planning and deploying into cloud platforms. This trend is occurring despite organizations historical push-back on cloud services claiming that they are less secure than private on-premises data centers. Even though there is evidence to suggest that cloud application attacks are on the rise, there are best practice methods to secure cloud services. On one hand, internal data center services may be tucked nice and neat behind the corporate perimeter firewall, there is evidence that many enterprises do not secure their systems adequately. On the other hand, even though a cloud serve may be out-of-site and virtualized in a hyperscale multi-tenant data center, patching and solid discipline can make them secure. Now that enterprises have a clearer understanding of cloud services and how to secure them, there are now commonly accepted methods to help make clouds more secure. The appearance of cloud security training and certifications is helping organizations securely consume cloud services.
Cloud Security Alliance
The Cloud Security Alliance (CSA) is a U.S. Federal 501(c)6 not-for-profit vendor-independent organization that was formed in late 2008, but now has over 48,000 members. The Cloud Security Alliance aims to educate and promote the use of best practices for providing security assurance within cloud computing. The CSA’s official mission is to “promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing”.
The CSA created the “Security Guidance for Critical Areas of Focus in Cloud Computing” document and the current version is 3.0. This document helps organizations understand the domains for organizations to focus on to securely adopt cloud services. The CSA also created their Cloud Controls Matrix (CCM). This complimentary spreadsheet lists the important standards, regulations and control frameworks and maps them to the CSA’s security domains.
The CSA created their Certificate of Cloud Security Knowledge (CCSK). This vendor-independent certification validates that a security practitioner has a solid understanding of cloud security concepts and the CSA’s cloud security domains. The required reading for this certification include:
- CSA guidance version 3.0, Security Guidance for Critical Areas of Focus in Cloud Computing
- European Network and Information Security Agency (ENISA) whitepaper “Cloud Computing: Benefits, Risks and Recommendations for Information Security”
- U.S. NIST documents (SP 800-144, SP 800-145, SP 800-146, SP 500-292, SP 500-293, SP 500-299)
- the CCSK certification FAQ
- and the CCSK Prep Guide (CCSK-Prep-Guide-V3.pdf)
You can study online leveraging the free resources listed above, or you can take one of the variety of training classes offered by the CSA and their partners. There are official CCSK Training Classes available (HP Education Services) which includes the CCSK Foundation (2 days) and the CCSK Plus (3 days). Udemy also offers a very economical way to prepare for the CCSK with their “Understand the CCSK Cloud Security Certification” online class.
The CCSK certification exam is an online open-book exam that costs $345. The exam has 60 questions, takes up to 90 minutes to complete, and you must score an 80% or higher to pass, but you get two attempts at passing.
The Cloud Security Alliance (CSA) then formed their Security Trust and Assurance Registry (STAR) accreditation for cloud service providers. The CSA STAR certification uses the CSA’s Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ) to review the service provider’s offerings against these domains and best practices.
The first level (Level One) is the introductory CSA STAR Self-Assessment. The second level (Level Two) has three certifications: CSA STAR Attestation, CSA STAR Certification, and CSA C-STAR Assessment. The third and highest level (Level Three) is the CSA STAR Continuous Monitoring. You can see the STAR registry of service providers that have performed these assurance assessments.
(ISC)2 Certified Cloud Security Professional (CCSP)
In 2015, the International Information System Security Certification Consortium, Inc., (ISC)2 created their Certified Cloud Security Professional (CCSP) training and certification program. The CCSP Common Body of Knowledge (CBK) consists of six domains: Architectural Concepts & Design Requirements, Cloud Data Security, Cloud Platform & Infrastructure Security, Cloud Application Security, Operations, and Legal & Compliance.
Along with the information about these six domains, (ISC)2 also recommends reading the U.S. NIST documents, the CSA’s CMM, and the ENISA whitepaper (similar to the CSA documents mentioned above). In addition to these, the CCSP also contains information contained within the ISO/IEC 17788:2014 Information technology - Cloud computing - Overview and vocabulary, and the ISO/IEC 17789:2014 Information technology - Cloud computing - Reference architecture.
There are a couple of options for training for the CCSP. (ISC)2 offers their Live In-Person CBK Training Class which includes 5 days of training for $1995. (ISC)2 offers Live On-Line CBK Training Class which includes 5 days of training for $1395 and also offers an On-Demand On-Line CBK Training for $495 ($395 for current CISSPs). I highly recommend the (ISC)2 Certified Cloud Security Professional (CCSP) On-Demand class taught by Adam Gordon. The training is comprehensive and you can consume the training based on your busy schedule at your leisure.
At the end of last year (November 2015), Adam Gordon wrote “The Official (ISC)2 Guide to the CCSP CBK” (ISBN-10: 1119207495, ISBN-13: 978-1119207498, 560 pages, $80 list price). The (ISC)2 also offers Free Flash Cards On-Line (but these seem to be just terms and definitions).
When it comes to the CCSP exam, these are scheduled through Pearson Vue. The exam takes up to 4 hours to complete, contains 125 questions, you must score at least 700 out of 1000 points and the exam costs $549.
SANS SEC524: Cloud Security Fundamentals
SANS has, and continues to offer, the best security training available in the market. SANS has now created a cloud security class that is offered at many of their events as a 2-day in-person or on-line/self-study class. The SANS class is listed as their “SEC524: Cloud Security Fundamentals”. The SANS SEC524 in-person class costs $2130 (list price), but can be reduced to $1350 when you register for this class in addition to another 4 to 6 day SANS class. The SEC524 class is also offered online for $2130 and provides course materials and MP3 audio files of the complete course lecture.
The Day 1 curriculum contains information on: Introduction to Cloud Computing, Security Challenges in the Cloud, Infrastructure Security in the Cloud, Policy and Governance for Cloud Computing, Compliance and Legal Considerations, and Disaster Recovery and Business Continuity Planning in the Cloud. The Day 2 curriculum contains information on: Risk, Audit, and Assessment for the Cloud, Data Security in the Cloud, Identity and Access Management (IAM), and Intrusion Detection and Incident Response.
Cloud security has continued to evolve and now there are training and certification options available from vendor-independent organizations. Being proactive with your cloud security is much better than being reactive with your cloud security. It would behoove your organization to digest these cloud security concepts and then embark on design and then deployment. Alternatively, if your organization has already deployed applications into the cloud and are consuming cloud services, then you can use these domains of knowledge and best practices to assess where you stand. However, if you have gaps between your current cloud security settings, configurations, practices and procedures, then you will have a more difficult time trying to perform a course correction while services are already deployed.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.