Enhancing your Cloud Security Knowledge through Cloud Security Alliance (CSA)'s CCSK (Certificate of Cloud Security Knowledge) certification

Introduction

Cloud computing is the latest disruptive technology affecting the IT landscape, with a growing number of businesses transitioning to the cloud to save capital expenses and to take advantage of its rapid scalability. However, security is the biggest hindrance to wider adoption, as most businesses worry about losing control over their data and do not intend to migrate completely to the cloud. To address this concern, the Cloud Security Alliance (CSA), a non-profit organisation, has launched various initiatives to improve and spread cloud security knowledge.

Preparation material

CSA has also published a guidance document on cloud security, "Security Guidance for Critical Areas of Focus in Cloud Computing," which is now in its third version. CSA has launched the Certificate of Cloud Security Knowledge (CCSK) exam to test knowledge of cloud security based on the key concepts of the CSA guidance and the ENISA whitepaper "Cloud Computing: Benefits, Risks and Recommendations for Information Security". In this blog post I will give an overview of the CCSK exam and detail my experience of preparing for and passing it. The exam is a 90-minute open-book online exam comprising 60 multiple-choice questions. The cost of the exam is $345, which includes two attempts. The reference material for the exam is the CSA guidance document and the ENISA whitepaper. I studied these two documents and also used the Internet to understand topics which I could not comprehend from them. I have included links to the references I studied.

Period and method of study

I prepared for this exam over a three-month period, during which I printed and read the CSA guidance and the ENISA whitepaper. I read the CSA guidance three times. The first reading was a cursory one to understand and comprehend the cloud security concepts; in this reading I underlined the important concepts and the topics which I did not understand. In the second reading I reread the topics I had not comprehended earlier and also used the Internet to clarify various concepts not clearly explained in the CSA guidance. In the final reading, one week before the exam, I reviewed the guidance once more. I also reviewed the ENISA whitepaper once; however, I did not do an in-depth study, as the weightage for this document was only 8%. It is essential that you are familiar with both documents so as to minimise the search time for questions which you cannot answer and need to refer to the text for. I found the domains of Application Security (Domain 10) and IdEA (Domain 12) the toughest and used various YouTube videos and articles to understand the concept of IdEA (Identity, Entitlement and Access Management).

Exam Experience

On 10th November 2016 I took the exam in the evening and passed with a score of 93%. As the exam is online and open book, it is essential to have a well-organised setup for taking it. Ensure your PC or laptop is set up properly with a UPS and proper battery backup. A reliable Internet connection is also essential, so that the exam does not stop midway. As most people on the LinkedIn study group for the exam do, I used two devices: the first to take the online exam, and the other kept ready to search for answers in the documents. Almost 60% of the questions were straightforward and did not require any reference to the text; however, some questions required me to search the text of the documents to get the correct answer. Most questions were not very conceptual and did not require any deep application of knowledge. After passing the exam I felt it could have been made tougher, to check the understanding of concepts and ensure a better understanding of cloud security. The best strategy is to complete the 60 questions in an hour, marking the few questions you are not sure about; make sure these are not more than 10 or 15. Then use the final 30 minutes to review all questions and confirm the answers for all marked questions. If feasible, mark the individual domains in a printed copy of the CSA guidance document with flags for easy referral.

Useful References

Besides the two main documents, it is useful to reference and use the following material:

  • CCSK preparation guide - This document contains a list of the key concepts covered in the exam. Please ensure that you are aware of all these topics and know the answers to the various questions raised. This is essential, as some questions are taken straight from this list. I have given a snapshot below of the list I am referring to.
  • LinkedIn CCSK study group - There is a group for candidates who are preparing for the exam. I would urge you to join this group and also go through the CCSK Study Guide document, which contains various useful references, sample questions and details of the key concepts referred to in the previous paragraph.
  • Jericho Forum videos on YouTube - It is essential that you understand the concepts of identity management for the exam, by watching the YouTube videos by the Jericho Forum. They explain the key concepts of identity management in very simple terms. These topics are also covered in two domains of the guidance, Domain 10 (Application Security) and Domain 12 (IdEA), which are the longest and most difficult to understand in the entire document. I also watched some videos on SAML and XACML to understand these technologies better.
  • Basic cloud computing concepts - I would also urge you to review the basic concepts of cloud computing to understand the topic better. I did this by doing two online courses on cloud computing from Pluralsight. Another useful reference could be the CompTIA Cloud Essentials or Cloud+ certification material.


What I Gained From The CCSK Exam

The exam helped me to set aside time to study cloud security concepts in detail from a very useful and industry-certified reference guide. It also helped me look up various security concepts to enhance my knowledge of information security. Finally, passing the exam will help me demonstrate my knowledge of cloud security.

What could be improved

Though I was very satisfied with the exam and the guidance documents, I feel the following points could help improve the exam and the study material.
  • The questions could be more conceptual, to check understanding of the concepts.
  • The guidance document should contain more references to real-world examples of the topics covered, to ensure people have a practical understanding of cloud security.
  • Certain chapters of the CSA guidance do not have references, and in certain cases the references are not good enough. I would request CSA to improve the guidance document by including additional and relevant references.
  • Another suggestion would be to have cost-effective online training on cloud security concepts to spread awareness and knowledge of cloud security. The present training is costly and is not within the budget of most candidates.

Exam review to be submitted after the exam

The best part of the exam is that the result is given a few seconds after you press the submit button. After the exam you are asked to submit your feedback. The questions and my feedback are given below.

  1. Overall, how difficult did you find the examination?
The exam was reasonably difficult.

  2. How useful was the CSA guide "Security Guidance for Critical Areas in Cloud Computing" in preparing for the examination?
The CSA guide was useful both for preparing for the exam and for learning about cloud security. The guide would benefit from more diagrams.

  3. How useful was the ENISA whitepaper "Cloud Computing: Benefits, Risks and Recommendations for Information Security" in preparing for the examination?
The ENISA guide is useful but too lengthy for the number of questions asked (my suggestion is to either remove it or provide a short summary of it).

Certain suggestions
1. Domain 7 - too much focus on traditional security and very little on BC and DR, which are more important.
2. Domain 10 - too lengthy; the IdEA portion should be integrated with Domain 12 and the duplication removed.
3. A short tutorial is required on IdEA - details could be taken from the Jericho Forum identity videos, or they could be included as a reference.
4. Certain domains, such as Domain 4, contain no references.
5. More practical examples should be given to understand the concepts better.

Overall it was very satisfying to study the CSA guidance and learn the cloud security concepts which enabled me to pass the exam. By providing a vendor-neutral online exam, the Cloud Security Alliance is doing an exceptional job of spreading awareness of cloud security concepts among users, businesses and industry.

Please do post your comments and queries about the exam.

References

  1. Useful YouTube videos

Comments

  1. Dear Sir,

    Thank you so much for detailing your journey of CCSK. It gave me adequate insights which will help me to stay focused without referring too much to what is not required.

    Thanks

